Event ID 2002 — TS Gateway Server Configuration

Applies To: Windows Server 2008

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.

Event Details

Resolve

Check whether settings are associated with local security groups on another TS Gateway server

To resolve this issue, ensure that the settings that you are attempting to import to a TS Gateway server are not associated with local security groups on the TS Gateway server from which you exported the settings. If the settings are not associated with local security groups on the TS Gateway server from which you have exported the settings, try exporting and then importing the file that contains these settings again.

If you export policies from one TS Gateway server that contain references to local security groups (user or computer groups in Local Users and Computers) on that server, you cannot import these settings to another TS Gateway server, because the local security groups might not exist on the TS Gateway server to which you are attempting to import the settings. For example, if you export settings from TS Gateway Server 1, and then try to import these settings to TS Gateway Server 2 and these settings are associated with local security groups on TS Gateway Server 1, the attempt to import the settings will not succeed.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Check whether TS Gateway server policy settings are associated with local user or computer groups on another TS Gateway server

To check whether TS Gateway server policy settings are associated with local user or computer groups on another TS Gateway server:

1. On the TS Gateway server from which you are trying to export policy and configuration settings, open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, select the node that represents the local TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. In the results pane, in the list of Terminal Services connection authorization policies (TS CAPs), for each TS CAP, check for local security groups. To do this, check the following, on the Requirements tab:
   • Check whether a local user group appears under User group membership (required). If so, the policy and configuration settings cannot be imported to another TS Gateway server.
   • Check whether a local computer group appears under Client Computer group membership (optional). If so, the policy and configuration settings cannot be imported to another TS Gateway server.
5. In the console tree, expand Policies, and then click Resource Authorization Policies.
6. In the results pane, in the list of Terminal Services resource authorization policies (TS RAPs), for each TS RAP, check for local security groups. To do this, check for the following:
   • On the User Groups tab, check whether a local user group appears under User Groups. If so, the policy and configuration settings cannot be imported to another TS Gateway server.
   • On the Computer Group tab, check whether a local computer group appears. If so, the policy and configuration settings cannot be imported to another TS Gateway server.
7. If no user groups associated with the TS CAPs or TS RAPs are local user or computer groups, try exporting the settings from this TS Gateway server, and importing them to another TS Gateway server again. In such a case, it is possible that the .xml file that contains the policy settings and that you exported from the other TS Gateway server was corrupted. Exporting, and then importing the file that contains these settings again can help resolve the problem.

Export settings from the local TS Gateway server and then import them to another TS Gateway server

Important:  Importing policy settings to a TS Gateway server will cause any existing policy settings on that server to be overwritten. If you want to save the existing policy settings on that TS Gateway server, we recommend that you create a backup copy of those settings before attempting to import new policy settings to the server.

To export settings from the local TS Gateway server and then import them to another TS Gateway server:

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, which is named for the computer on which the TS Gateway server is running, and then click Export policy and configuration settings.
3. Specify a name and location for the file, and then click OK.
4. A message will appear to indicate that the settings have been successfully exported to the location that you have specified.
5. Click OK.
6. Close TS Gateway Manager.
7. On the target TS Gateway server (the TS Gateway server on which you want to import the settings), open TS Gateway Manager.
8. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Import policy and configuration settings.
9. In the Import Policy and Server Configuration Settings dialog box, specify the file that you want to import, and then click OK.
10. A message will appear stating that importing the file will cause existing policy and configuration settings for the TS Gateway server to be overwritten. To proceed, click Yes, and then proceed to step 11. To cancel the procedure, click No.
11. After the settings have been imported, another message will appear to indicate that the settings have been succesfully imported to the local TS Gateway server, from the location that you have specified.
12. Click OK.

Verify

To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the TS Gateway server is configured correctly:

1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
   • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
   • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
   • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.

Related Management Information

TS Gateway Server Configuration

Terminal Services