Terminal Services (TS) gateway is not configured properly

Applies To: Windows SBS 2008

Problem   The Terminal Services (TS) Gateway role service is not configured properly.

Features affected   The Connect Computer feature in Remote Web Workplace does not work.

Solution   To resolve this issue, you must manually configure TS Gateway as follows:

  1. Configure the RPC application for TS Gateway.

  2. Configure the RpcWithCert application for TS Gateway.

  3. Configure the certificate for TS Gateway.

  4. Repair TS Gateway policies.

  5. Configure Connection Authorization policies.

  6. Configure Resource Authorization policies.

To configure the RPC application for Terminal Services Gateway

  1. Click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the User Account Control window, click Continue.

  3. In the Internet Information Services (IIS) Manager console, double-click ServerName, double-click Sites, and then double-click SBS Web Applications.

  4. Select the RPC application, and then, in the IIS section of the center pane, double-click SSL Settings.

  5. Select Require SSL and Require 128-bit SSL.

  6. In the Actions pane, click Apply.

  7. Select the RPC application, and then, in the IIS section of the center pane, double-click Authentication.

  8. For Windows Authentication, select Enable. For Anonymous Authentication, select Disable.

To configure the RpcWithCert application for Terminal Services Gateway

  1. Click Start, click All Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the User Account Control window, click Continue.

  3. In the Internet Information Services (IIS) Manager console, double-click ServerName, double-click Sites, and then double-click SBS Web Applications.

  4. Select the RPC application, and then, in the IIS section of the center pane, double-click SSL Settings.

  5. Select Require SSL and Require 128-bit SSL. For Client Certificates, select Require.

  6. In the Actions pane, click Apply.

  7. Select the RpcWithCert application, and then, in the IIS section of the center pane, double-click Authentication.

  8. For Anonymous Authentication, select Disabled.
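
The following read-only check is an added example, not part of the original Microsoft topic: it uses appcmd.exe to confirm that the SSL and authentication settings from the two IIS procedures above are in effect. The application paths ("SBS Web Applications/Rpc" and "SBS Web Applications/RpcWithCert") and the placement of the client-certificate requirement on RpcWithCert are assumptions.

```powershell
# Added example: read-only audit of the IIS settings from the two procedures above.
# Assumptions: the applications live at "<site>/Rpc" and "<site>/RpcWithCert", and the
# client-certificate requirement belongs to RpcWithCert (the application named in
# that procedure's heading).
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site   = 'SBS Web Applications'
$sec    = 'system.webServer/security'
if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found at $appcmd" }

# Expected state, taken from the steps on this page ($null = not stated, not checked).
$expected = @(
    @{ App = 'Rpc';         Ssl = 'Ssl','Ssl128';                  Windows = 'true' },
    @{ App = 'RpcWithCert'; Ssl = 'Ssl','Ssl128','SslRequireCert'; Windows = $null  }
)

# Return one attribute of a configuration section as appcmd reports it for $appPath.
# An attribute that appcmd does not print comes back as '' and counts as a failure.
function Get-SectionAttribute($appPath, $section, $attribute) {
    $text = & $appcmd list config $appPath "/section:$section"
    $xml  = [xml][string]::Join("`n", [string[]]$text)
    $node = $xml.SelectSingleNode('//' + $section.Split('/')[-1])
    if ($node) { $node.GetAttribute($attribute) } else { '' }
}

foreach ($e in $expected) {
    $path     = "$site/$($e.App)"
    $flags    = (Get-SectionAttribute $path "$sec/access" 'sslFlags').Split(',') |
                ForEach-Object { $_.Trim() }
    $missing  = @($e.Ssl | Where-Object { $flags -notcontains $_ })
    $anon     = Get-SectionAttribute $path "$sec/authentication/anonymousAuthentication" 'enabled'
    $problems = @()
    if ($missing.Count) {
        $problems += 'sslFlags missing: ' + [string]::Join(', ', [string[]]$missing)
    }
    if ($anon -ne 'false') { $problems += 'Anonymous Authentication is not disabled' }
    if ($e.Windows) {
        $win = Get-SectionAttribute $path "$sec/authentication/windowsAuthentication" 'enabled'
        if ($win -ne $e.Windows) { $problems += 'Windows Authentication is not enabled' }
    }
    if ($problems.Count) { "FAIL $path : " + [string]::Join('; ', [string[]]$problems) }
    else                 { "OK   $path" }
}
```

Run it from an elevated PowerShell prompt on the server; it only reads configuration and prints one OK or FAIL line per application.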

To configure the certificate for Terminal Services Gateway

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. Right-click <ServerName> (Local), and then click Properties.

  3. In the ServerName Properties window, click the SSL Certificate tab.

  4. Select Select an existing certificate for SSL encryption, and then click Browse Certificates.

  5. In the certificate list, select Sites.

  6. Click Install, and then click OK.

To repair the Terminal Services Gateway policies

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. Expand <ServerName> (Local), and then expand Policies.

  3. Delete all the policies in Connection Authorization Policies and in Resource Authorization Policies.

To configure the Connection policies

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. Expand <ServerName> (Local), and then expand Policies.

  3. Right-click Connection Authorization Policies, click Create New Policy, and then click Custom.

  4. In the Create New Policy window, do the following:

    1. On the General tab, in Policy, type General Connection Authorization Policy.

    2. On the Requirements tab, in Supported Windows authentication methods, select Password and Smart card. For User group membership, add “<Domain>/Domain Users”.

    3. On the Device Redirection tab, keep the default options.

    4. To create the policy, click OK.

To configure the Resource Authorization policy (1)

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. Expand <servername> (Local), and then expand Policies.

  3. Right-click Resource Authorization Policies, select Create New Policy, and then click Custom.

  4. In the Create New Policy window, do the following:

    1. On the General tab, for Policy name, type General Resource Authorization Policy (1). For description, type Allow authorized users to access all company network resources.

    2. On the User Groups tab, for User group membership, add “<domain>/Domain Users”.

    3. On the Computer tab, do the following:

      1. Select the Select an existing Active Directory security group option, and then click Browse.

      2. In the Select Users, Computers and Groups dialog box, for Enter the object name to select, type Domain Controllers, click Check Names, and then click OK.

To configure the Resource Authorization policy (2)

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. Expand <servername> (Local), and then expand Policies.

  3. Right-click Resource Authorization Policies, select Create New Policy, and then click Custom.

  4. In the Create New Policy window, do the following:

    1. On the General tab, for Policy name, type General Resource Authorization Policy (2). For description, type Allow authorized users to access all company network resources.

    2. On the User Groups tab, for User group membership, add “<domain>/Domain Users”.

    3. On the Computer tab, do the following:

      1. Select the Select an existing Active Directory security group option, and then click Browse.

      2. In the Select Users, Computers and Groups dialog box, for Enter the object name to select, type Domain Computers, click Check Names, and then click OK.

To read the most recent version of this topic, see the Microsoft Web site (https://go.microsoft.com/FWLink/?LinkID=119487). The most recent version might contain additional information that was not available when Windows SBS 2008 was released.