TS Gateway Server Configuration

Applies To: Windows Server 2008

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.

Events

Event ID Source Message

102

Microsoft-Windows-TerminalServices-Gateway

The Terminal Services Gateway service requires a valid Secure Sockets Layer (SSL) certificate to accept connections. Ensure that you have obtained a valid SSL certificate, and then bind (map) the certificate by using TS Gateway Manager. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. The following error occurred: "%2"

103

Microsoft-Windows-TerminalServices-Gateway

The Terminal Services Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using TS Gateway Manager. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. The following error occurred: "%2".

504

Microsoft-Windows-TerminalServices-Gateway

Logging was enabled for the following TS Gateway event: "%1".

505

Microsoft-Windows-TerminalServices-Gateway

Logging could not be enabled for the following TS Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started.

506

Microsoft-Windows-TerminalServices-Gateway

Logging was disabled for the following TS Gateway event: "%1".

507

Microsoft-Windows-TerminalServices-Gateway

Logging could not be disabled for the following TS Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started.

508

Microsoft-Windows-TerminalServices-Gateway

The value for the maximum number of connections allowed to the TS Gateway server was updated.

509

Microsoft-Windows-TerminalServices-Gateway

The value for the maximum number of simultaneous connections allowed to the TS Gateway server could not be updated. The following error occurred: "%2".

510

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy was enabled.

511

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy store could not be enabled. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues.

512

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy was disabled.

513

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy store could not be disabled. The following error occurred: "%2".

514

Microsoft-Windows-TerminalServices-Gateway

The "Request clients to send a statement of health" (SoH) setting is enabled on this TS Gateway server. Therefore, each time a client attempts to connect to this TS Gateway server, the client’s SoH will be requested.

515

Microsoft-Windows-TerminalServices-Gateway

The "Request clients to send a statement of health" (SoH) setting could not be enabled on this TS Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1".

516

Microsoft-Windows-TerminalServices-Gateway

The "Request clients to send a statement of health" (SoH) setting is not enabled on this TS Gateway server. Therefore, the client’s SoH will not be requested when the client attempts to connect to this TS Gateway server.

517

Microsoft-Windows-TerminalServices-Gateway

The "Request clients to send a statement of health" (SoH) setting could not be disabled on this TS Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1".

518

Microsoft-Windows-TerminalServices-Gateway

The "Request clients to send a statement of health" (SoH) setting could not be enabled on this TS Gateway server. This setting could not be enabled because the public key of the server certificate that is bound (mapped) to the Terminal Services Gateway service contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. To resolve this issue, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. Bind (map) the certificate again by using TS Gateway Manager, and then attempt to enable the "Request clients to send a statement of health" setting again. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help.

519

Microsoft-Windows-TerminalServices-Gateway

The server certificate is not valid because the public key of the certificate contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. For the "Request clients to send a statement of health" setting that is enabled on this TS Gateway server to function, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help.

520

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" was created.

521

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" was deleted.

522

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" was updated.

523

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" could not be created. The following error occurred: "%2".

524

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" could not be deleted. The following error occurred: "%2".

525

Microsoft-Windows-TerminalServices-Gateway

The connection authorization policy "%1" could not be updated. The following error occurred: "%2".

540

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy "%1" was created.

541

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy "%1" was deleted.

542

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy "%1" was updated.

543

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy (RAP) "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

544

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy (RAP) "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

545

Microsoft-Windows-TerminalServices-Gateway

The resource authorization policy (RAP) "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

560

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" was created.

561

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" was deleted.

562

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" was updated.

563

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

564

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

565

Microsoft-Windows-TerminalServices-Gateway

The resource group "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

580

Microsoft-Windows-TerminalServices-Gateway

The Network Policy Server (NPS) "%1" was added to the central connection authorization policy.

581

Microsoft-Windows-TerminalServices-Gateway

The Network Policy Server (NPS) "%1" was deleted from the central connection authorization policy.

582

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy settings for the Network Policy Server (NPS) "%1" have been updated.

583

Microsoft-Windows-TerminalServices-Gateway

The Network Policy Server (NPS) "%1" could not be added to the central connection authorization policy. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and any resolve network connectivity issues.

584

Microsoft-Windows-TerminalServices-Gateway

The Network Policy Server (NPS) "%1" could not be deleted from the central connection authorization policy. The following error occurred: "%2".

585

Microsoft-Windows-TerminalServices-Gateway

The central connection authorization policy settings for the Network Policy Server "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues.

620

Microsoft-Windows-TerminalServices-Gateway

The TS Gateway server "%1" was deleted from the list of servers in the TS Gateway server farm.

621

Microsoft-Windows-TerminalServices-Gateway

The TS Gateway server "%1" was either added to the list of servers in the TS Gateway server farm or its settings were updated.

622

Microsoft-Windows-TerminalServices-Gateway

The TS Gateway server "%1" could not be deleted from the list of servers in the TS Gateway server farm. The following error occurred: "%2".

623

Microsoft-Windows-TerminalServices-Gateway

The TS Gateway server "%1" could not be added to the list of servers in the TS Gateway server farm or its settings could not be updated. The following error occurred: "%2".

624

Microsoft-Windows-TerminalServices-Gateway

The TS Gateway server "%1" is not a member of a domain and therefore cannot be added to the TS Gateway server farm. To add this TS Gateway server to the farm, you must first add the server to a domain.

625

Microsoft-Windows-TerminalServices-Gateway

A Windows Firewall exception for TS Gateway has been configured to allow data for Terminal Services client connections and RPC-HTTP load balancing to be sent between TS Gateway servers when load balancing is used. This exception is automatically configured when you add the first TS Gateway server to a TS Gateway server farm.

626

Microsoft-Windows-TerminalServices-Gateway

The Windows Firewall exception for TS Gateway to allow network traffic comprising of Terminal Services client connections data and RPC-HTTP load balancing data (to be sent between TS Gateway servers when load balancing is used) has been disabled. This exception is automatically disabled when you remove all TS Gateway servers from a TS Gateway server farm.

627

Microsoft-Windows-TerminalServices-Gateway

The Windows Firewall exception to allow network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be configured.

628

Microsoft-Windows-TerminalServices-Gateway

The Windows Firewall exception "TS Gateway Server Farm" that allows network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed.

2001

Microsoft-Windows-TerminalServices-Gateway

The policy and server configuration settings for the TS Gateway server "%1" have been successfully imported.

2002

Microsoft-Windows-TerminalServices-Gateway

The policy and server configuration settings for the TS Gateway server "%1" could not be imported. This problem might occur if the settings have become corrupted.

2003

Microsoft-Windows-TerminalServices-Gateway

The policy and server configuration settings for the TS Gateway server "%1" have been successfully exported.

2004

Microsoft-Windows-TerminalServices-Gateway

The policy and server configuration settings for the TS Gateway server "%1" could not be exported. The following error occurred: "%2".

TS Gateway

Terminal Services