Hi
Just set up a Devolutions Gateway for session recording, and it works fine for "normal" RDP connections.
But when connecting to a server that is behind a Microsoft RD Gateway, it does not work via the Devolutions GW.
Error message in RDM:
Error in the MS RDGW:
The user "domain\username", on client computer "[public ip of client]", did not meet resource authorization policy requirements and was therefore not authorized to resource "[devolution gateway address]". The following error occurred: "23002".
Using Devolutions server 2025.2.12.0
Devolutions Gateway 2025.3.0 on a separate server
RDM 2025.2.29.0
If I connect to the computer running Devolutions Gateway, I can reach other RDP servers behind the MS RDGW just fine as well, so network-wise there is nothing blocking the connection.
Hello,
Thank you for reaching out to our forum. When the session traverses Microsoft RD Gateway, the RDGW rejects the request with error 23002 and logs that the user did not meet the Resource Authorization Policy (RAP). The resource shown is the Devolutions Gateway address rather than the intended RDP host. This indicates that RDGW is attempting to authorize access to the DG address, which is not included in the RAP scope.
Likely cause
There is a policy scope mismatch on the RD Gateway side. The RAP is not permitting the DG endpoint as a valid target, or RDGW is not resolving the intended backend host when the connection is tunneled through DG.
I would also highlight a setting related to RD Gateway. When you edit your RDP entry in RDM under the General tab > RD Gateway, you can see that by default it automatically detects the RD Gateway server settings. You may want to try adjusting this option to set the RD Gateway server settings manually.
Let me know how it goes.
Best regards,
Michel Audi
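As an added illustration (not part of the original thread or of any Devolutions or Microsoft tooling), the script below parses the RAP-denial message format quoted above and classifies the denial by comparing the "resource" field against the intended RDP host and the intermediary gateway addresses. The point it makes mechanical is the one in the reply above: when the resource in the 23002 event is the Devolutions Gateway address rather than the RDP host, the RAP is being evaluated against the wrong target. The host names, user and IP in the sample event are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of an RD Gateway RAP-denial message (the 23002 event text),
# not a real log capture. Names and addresses are placeholders.
SAMPLE_EVENT = (
    'The user "CONTOSO\\jdoe", on client computer "203.0.113.10", did not meet '
    'resource authorization policy requirements and was therefore not authorized '
    'to resource "dg.example.internal". The following error occurred: "23002".'
)

# Regex over the message shape shown in the thread; group names become fields.
RAP_DENIAL_RE = re.compile(
    r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '
    r'did not meet resource authorization policy requirements and was therefore '
    r'not authorized to resource "(?P<resource>[^"]+)"\. '
    r'The following error occurred: "(?P<code>\d+)"\.'
)


@dataclass
class RapDenial:
    user: str
    client: str
    resource: str
    code: str


def parse_rap_denial(text: str) -> Optional[RapDenial]:
    """Extract user, client IP, denied resource and error code; None if no match."""
    m = RAP_DENIAL_RE.search(text)
    if not m:
        return None
    return RapDenial(**m.groupdict())


def classify_denial(denial: RapDenial, intended_host: str,
                    gateway_hosts: Iterable[str]) -> str:
    """Decide what the denied resource tells us about the RAP failure.

    - resource == intended RDP host: the RAP simply does not cover that host.
    - resource is an intermediary gateway address: RDGW authorized the
      gateway hop, not the RDP host, so widening the RAP to the host alone
      will not help (the scope mismatch described in the reply above).
    """
    res = denial.resource.lower()
    gateways = {h.lower() for h in gateway_hosts}
    if res == intended_host.lower():
        return "policy-scope: RAP does not permit the intended RDP host"
    if res in gateways:
        return "proxy-order: RDGW authorized the intermediary gateway address, not the RDP host"
    return "unexpected resource: check which target RDGW is actually being asked for"


if __name__ == "__main__":
    d = parse_rap_denial(SAMPLE_EVENT)
    assert d is not None
    print(d)
    print(classify_denial(d, "rds01.example.internal", ["dg.example.internal"]))
```

Run it against the actual event text copied from the RD Gateway server's TerminalServices-Gateway operational log; if the resource field names the Devolutions Gateway, adding only the RDP host to the RAP will not change the outcome.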
I get the same error even if I add the DG address to the RAP on the RDGW server.
The RD Gateway setting in RDM is already manually set to the RDGW address.
When I connect to an RDP server without an RDGW, I only see the DG address and not my public IP as the connected client IP on the RDP server. Should it not be the same when connecting to an RDGW server, so that it only sees the DG address?
Hello,
Thank you for the update and for testing with RAP adjustments.
The key difference you pointed out, that with a direct RDP connection the target sees the DG address but with RDGW it still sees the original public IP, suggests that Microsoft RD Gateway is terminating the connection before DG fully proxies it. As a result, the RDGW is evaluating both the source client and the target resource differently, which explains why the RAP validation is still failing with error 23002.
When you tunnel RDP through both DG and RDGW, the RDGW enforces its own policies independently of DG. This means RAP validation will apply to the DG endpoint as well as the requested backend host. Even if you add DG into RAP, RDGW may still not resolve the intended backend because it interprets the DG endpoint as the resource.
The fact that RDGW sees the public IP rather than DG indicates that the traffic is not fully NATed or re-proxied at the point where RDGW evaluates it. This is by design on the Microsoft side: RDGW enforces access control earlier in the connection pipeline.
As a troubleshooting step, try creating a RAP on RDGW that allows the entire backend subnet or a test group of servers instead of just the DG endpoint. This will help confirm if the issue is specifically scope-related.
Best regards,
Michel Audi
Hi
I did some more troubleshooting, and if I create a RAP allowing all addresses and ports 7171 and 8181, I instead get the error below in RDM.
This makes me think that RDM is handling the gateways in the wrong order, by first connecting to the RDGW and then to the DG instead of DG->RDGW->RDS.
Hello TN,
I shared what you encountered with our development team, and unfortunately the setup of RDM with Devolutions Gateway and RDS is not a compatible configuration.
As mentioned by our developers, if this is something you are interested in, I would suggest submitting it as a feature request in the Gateway forum.
Best regards,
Michel Audi