Some concrete examples:

  • RDP authentication: Place the terminal servers or other hosts that you must RDP to in the top list marked “These computers may initiate & share the window”. If you need to RDP to DCs, also put "" in the top list, because DCs authenticate to themselves over loopback. Place your entire LAN IP range (or whatever subset will be initiating RDP connections) in the bottom list marked “These computers may only initiate the window”.
  • RDP with RD Gateway (RDG): Specify every server that participates in the same chain of authentications together: the RDG server and all of the terminal servers it can forward to should share one replay window, so add them to the top "initiate & share" list. If clients also connect from the LAN, add the IP range of the possible clients to the bottom "only initiate" list.

You can use groups or IP ranges rather than placing individual computer names into the lists directly. You can specify servers and IPs in more than one replay window if needed.

For an RDP/RDG scenario, a short window of 20 seconds is probably long enough for all of the authentications (RDG, RPC, Network Level Authentication, remote desktop session) to complete; after those initial connections, no further authentications are needed. If you cannot connect, check the AuthLite log on your DCs for recent replay events and increase the associated replay window if needed.
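To make the two lists, the group/IP-range membership and the window value concrete, here is a small Python model of a shared replay window covering both the RDP and the RDG scenarios above. It is an added illustration, not AuthLite's own code: the host names, the 10.0.0.0/24 client range and the timings are constructed, and the policy it encodes (a one-time code may be reused only by a host in the "initiate & share" list, only within the window, and only after a host in either list made the first use) is an assumption about the behaviour the text describes, as is the shape of the log entries it records.

```python
import ipaddress
from dataclasses import dataclass, field


def in_list(host: str, members: list[str]) -> bool:
    """True if host is listed by name, or is an IP address inside a listed CIDR range."""
    for member in members:
        if host == member:
            return True
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(member, strict=False):
                return True
        except ValueError:
            continue  # host or member is a name rather than an IP/CIDR; name match already tested
    return False


@dataclass
class ReplayWindow:
    """Illustrative model (assumed semantics, not AuthLite's implementation) of one replay window."""
    seconds: float
    initiate_and_share: list[str]   # top list: may open the window and reuse the code inside it
    only_initiate: list[str]        # bottom list: may open the window, but never reuse a code
    _first_use: dict = field(default_factory=dict)   # otp -> (host, time of first use, window opened?)
    replay_log: list = field(default_factory=list)   # what a DC log would show as replay events

    def authenticate(self, otp: str, host: str, now: float) -> bool:
        first = self._first_use.get(otp)
        if first is None:
            # The first use of a one-time code is always a fresh authentication;
            # a window opens for it only if a host from one of the two lists made that use.
            opened = in_list(host, self.initiate_and_share) or in_list(host, self.only_initiate)
            self._first_use[otp] = (host, now, opened)
            return True
        first_host, t0, opened = first
        age = now - t0
        if not opened:
            reason = f"window not opened by a listed host (first use from {first_host})"
        elif not in_list(host, self.initiate_and_share):
            reason = "host is not in the initiate & share list"
        elif age > self.seconds:
            reason = f"window expired ({age:.0f}s > {self.seconds:.0f}s)"
        else:
            return True   # legitimate reuse by a sharing host inside the window
        self.replay_log.append({"otp": otp, "host": host, "age": age, "reason": reason})
        return False


def rdg_scenario() -> tuple[list[bool], list[dict]]:
    """Constructed RDP-through-RD-Gateway sequence against a 20-second window."""
    window = ReplayWindow(20, ["rdg01", "ts01", "ts02"], ["10.0.0.0/24"])
    results = [
        window.authenticate("123456", "10.0.0.25", 0.0),    # LAN client initiates the window
        window.authenticate("123456", "rdg01", 2.0),        # gateway reuses the code
        window.authenticate("123456", "ts01", 5.0),         # terminal server reuses it
        window.authenticate("123456", "10.0.0.30", 6.0),    # another LAN host may not share
        window.authenticate("123456", "ts02", 25.0),        # 25 s after first use: window expired
        window.authenticate("654321", "192.168.5.5", 0.0),  # unlisted host: a fresh use is fine
        window.authenticate("654321", "rdg01", 1.0),        # but it opened no window to share
    ]
    return results, window.replay_log


if __name__ == "__main__":
    results, log = rdg_scenario()
    print(results)
    for event in log:
        print(f"replay rejected: host={event['host']} age={event['age']:.0f}s reason={event['reason']}")
```

The `replay_log` entries play the role of the replay events the text tells you to look for on the DCs: a rejection whose reason is an expired window points at raising the window value, while a rejection for a host missing from the "initiate & share" list points at the list membership instead.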