RDS PowerShell : TFM – Part V : Configuring a RD Gateway using PowerShell

Now that we have our RDS Farm setup, let’s extend our RDS Farm over the internet by configuring the RD Gateway Role Service.

We will use our PYRAMID Server as our RD Gateway Server.

Using the Add-WindowsFeature, we will install the RD-Gateway Role Service.



Now that we have the RD Gateway Role Installed, it’s time to a configure it using PowerShell. Start by importing the RemoteDesktopServices Module and then by navigating to the RDS: PS Drive.


As you can see in the screenshot above, there are many settings you can configure via the GatewayServer container. In this blog post, I am going to concentrate on a few important ones.

Creating a Connection Authorization Policy (CAP)

RD CAP has the following configurations


Let’s take a quick look at some of the mandatory properties, AuthMethod and UserGroups



Alright, based on the description and information given above, let’s quickly create a CAP Policy which uses Password Authentication and grants Domain Users access to connect to RD Gateway Server


You can then further drill down and configure additional settings by navigating to the TestCAP Container.

Creating a RAP (Resource Authorization Policies)

RAP has the following configuration Settings


We will take a closer look at the ComputerGroupType Setting


Based on the above information, let’s create a RAP Policy using PowerShell


You can further drill down on the DemoRAP container to configure additional settings.

Comments (8)

  1. Cory Wood says:

    I'm running into an issue when trying to create a new RAP using PowerShell. When I attempt to create one with the command below, I get the error "New-Item : A parameter cannot be found that matches parameter name 'description'."

    PS RDS:GatewayServerrap> new-item -name test -usergroups "test@domain" -computergroup test_resources -description test

    Is there a bug with setting the Description parameter on a RAP with the RemoteDesktopServices PowerShell module? I'm able to set the Description parameter on the RD Gateway Managed Computer Groups that I've created via PowerShell.



  2. Cory Wood says:

    I figured it out – you need to set the Description parameter by changing to the "RDS:GatewayServerRapRap_Name" container and running the command below after the RAP has been created:

    Set-Item Description "Enter Description Here"

    I'm confused as to why you have to set it this way since setting it on the RD Gateway Managed Computer Groups is much more intuitive.

  3. Ronald C says:


    I am dealing with RemoteDesktopServices on Win2008R2, I want to ask if you know how to create a RAP in 2008R2. I tried

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential -Force

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Force

    New-Item -Name $RAPName -UserGroups $DomainUserGroup -ComputerGroupType 1 -Credential $Credential

    And keep receiving this:

    "New-Item : Access to the object at RDS:GatewayServerRAP is denied for the cmdlet New-Item."

    I also tried creating the value for $Credential with the Get-Credential cmdlet but didn't worked. I am running PS with elevated privilegeds. Any ideas?

  4. japi says:

    If you run into the error described above:

    "New-Item : Access to the object at RDS:GatewayServerCAP[…] is denied for the cmdlet New-Item.The supplied value is not valid, or you do not have sufficient permissions."

    In my case it was caused by using a wrong usergroup.

    If you want to use Domain Groups, you have to use "Groupname@Domain".

    If you want to use local Groups, you must use "Groupname@." i.e. "Administrators@."

    Using your local Hostname, ip or "localhost" won't do it. Using "." seems to be the only way.

    To set additional options, you have to use set-item. My test environment setup looks like this:


    Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

    Import-Module RemoteDesktopServices

    New-Item -Path "RDS:GatewayServerCAP" -Name "Allow Admins" -UserGroups "Administrators@." -AuthMethod 1

    Set-Item -Path "RDS:GatewayServerCAPAllow AdminsIdleTimeout" -Value 120

    Set-Item -Path "RDS:GatewayServerCAPAllow AdminsSessionTimeout" -Value 480 -SessionTimeoutAction 0

    New-Item -Path "RDS:GatewayServerRAP" -Name "Allow Connections To Everywhere" -UserGroups "Administrators@." -ComputerGroupType 2

    Set-Item -Path "RDS:GatewayServerRAPAllow Connections To EverywherePortNumbers" -Value 3389,3390


  5. Ufuk says:

    What is the value for Allow connections to any port? I can’t find it. Tnx!

    Set-Item -Path "RDS:GatewayServerRAPAllow Connections To EverywherePortNumbers" -Value ????

  6. Ufuk says:

    What is the value for Allow connections to any port? I can’t find it. Tnx!

    Set-Item -Path "RDS:GatewayServerRAPAllow Connections To EverywherePortNumbers" -Value ????

  7. ALF says:

    I am looking for a way to export all existing policies to xml file that would be the same as using the GUI option "Export policy and configuration settings" and i’m stuck, any ideas?

  8. NickDrew says:

    @Alf – The settings are already in an XML file: %SystemRoot%System32tsgatewayrap.xml

Skip to main content