Within my RAP policy on my Remote Desktop Gateway, I specified an active directory group containing the computer accounts of all VMs that comprise my VDI pooled collection, my connection broker and my RDVH computer.
When I try and connect, it fails and in the event log I see it is being rejected based on the target IP address:
The user "DOMAIN\user", on client computer "sourceIP", did not meet resource authorization policy requirements and was therefore not authorized to resource "VDI IP". The following error occurred: "23002".
If I configure the RAP to allow access to any resource it works.
Then I tried configuring the RAP using a local RD Gateway managed group instead, I added the FQDN of my VDI VM and Netbios name. No luck I get the same rejection.
If I add the IP address of the VM also, it works.
Therefore using a RD gateway to connect to a pooled VDI do I need to specify both the machine names and IP addresses, or am I missing some configuration setting?
The machine names of the VMs in the VDI pool have both forward and reverse DNS entries and can be resolved by the Gateway successfully.
So to summarise :
RAP Policy with AD group - rejects access based on IP
RAP Policy with Local RD Gateway managed group with Machine name - doesn't work
RAP Policy with Local RD Gateway managed group with Machine name & IP address - works
This wouldn't be a problem but my VDI pool is sitting on a /23 DHCP range shared with fixed desktops. I don't want to enter every single IP address in, I would like to restrict the gateway to just my pilot VDI collection for now.
Anyone have any ideas?
Thanks,
Paul.