TS Gateway

Applies To: Windows Server 2008

Policy settings in this node control how clients are configured to access a TS Gateway server.

The full path of this node in the Group Policy Management Console is:

User Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\TS Gateway

Note

If you are using the Local Group Policy Editor, Policies is not part of the node path.

Available policy settings

Name Explanation Requirements

Enable connection through TS Gateway

If you enable this policy setting, when Terminal Services clients cannot connect directly to a remote computer (a terminal server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through a TS Gateway server. In this case, the clients will attempt to connect to the TS Gateway server that is specified in the Set TS Gateway server address policy setting.

You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these TS Gateway server settings option on the client.

Note

To enforce this policy setting, you must also specify the address of the TS Gateway server by using the Set TS Gateway server address policy setting. Otherwise, client connection attempts to any remote computer will fail if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the Set TS Gateway authentication method policy setting. If you do not specify an authentication method by using this policy setting, you can use either the NTLM protocol that is enabled on the client or a smart card.

To allow users to overwrite this policy setting, select the Allow users to change this setting check box. When you do this, users on the client can choose not to connect through the TS Gateway server by selecting the Do not use a TS Gateway server option. Users can specify a connection method by configuring settings on the client, by using an RDP file, or by using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, clients will not use the TS Gateway server address that is specified in the Set TS Gateway server address policy setting. If a TS Gateway server is specified by the user, a client connection attempt will be made through that TS Gateway server.

Requirements: At least Windows XP Professional with Service Pack 2 or Windows Server 2003 with Service Pack 1

Set TS Gateway authentication method

This policy setting allows you to specify the authentication method that clients must use when attempting to connect to a terminal server through a TS Gateway server.

You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these TS Gateway server settings option on the client.

To allow users to overwrite this policy setting, select the Allow users to change this setting check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, by using an RDP file, or by using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.

If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.

Requirements: At least Windows XP Professional with Service Pack 2 or Windows Server 2003 with Service Pack 1

Set TS Gateway server address

This policy setting allows you to specify the address of the TS Gateway server that clients must use when attempting to connect to a terminal server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the Use these TS Gateway server settings option on the client.

Note

It is highly recommended that you also specify the authentication method by using the Set TS Gateway authentication method policy setting. If you do not specify an authentication method by using this setting, you can use either the NTLM protocol that is enabled on the client or a smart card.

To allow users to overwrite the Set TS Gateway server address policy setting and connect to another TS Gateway server, select the Allow users to change this setting check box. Users can then specify an alternate TS Gateway server by configuring settings on the client, by using an RDP file, or by using an HTML script. If users do not specify an alternate TS Gateway server, the server that you specify in this policy setting is used by default.

Note

If you disable or do not configure this policy setting, but enable the Enable connection through TS Gateway policy setting, client connection attempts to any remote computer will fail if the client cannot connect directly to the remote computer. If a TS Gateway server is specified by the user, a client connection attempt will be made through that TS Gateway server.

Requirements: At least Windows XP Professional with Service Pack 2 or Windows Server 2003 with Service Pack 1
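
The three settings above interact, so a review of a planned configuration has to look at them together. The following is an added example, not Microsoft code: a small Python model of the rules as this page states them, which flags risky combinations and resolves which gateway a client ends up using. The names Setting, audit and effective_gateway, the finding codes, and the sample address tsg.example.test are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Setting:
    """One setting from this node, modelled as the page describes it."""
    enabled: bool = False          # False covers "disabled" and "not configured"
    user_may_change: bool = False  # the "Allow users to change this setting" check box
    value: Optional[str] = None    # server address or authentication method

def audit(enable: Setting, address: Setting, auth: Setting) -> List[str]:
    """Return finding codes (hypothetical names) for risky setting combinations."""
    findings = []
    if enable.enabled and not (address.enabled and address.value):
        # No policy address: connections fail unless the user names a gateway.
        findings.append("NO_GATEWAY_ADDRESS")
    if address.enabled and not enable.enabled:
        # Clients do not use the policy address unless the first setting is enabled.
        findings.append("ADDRESS_NOT_USED")
    if (enable.enabled or address.enabled) and not (auth.enabled and auth.value):
        # Falls back to the NTLM protocol enabled on the client, or a smart card.
        findings.append("AUTH_METHOD_UNSET")
    for name, s in (("ENABLE", enable), ("ADDRESS", address), ("AUTH", auth)):
        if s.enabled and s.user_may_change:
            # Client settings, an RDP file or an HTML script can replace the value.
            findings.append("USER_OVERRIDE_" + name)
    return findings

def effective_gateway(enable: Setting, address: Setting,
                      user_gateway: Optional[str] = None,
                      user_opts_out: bool = False) -> Optional[str]:
    """Gateway tried when a direct connection fails; None means no gateway."""
    if not enable.enabled:
        return user_gateway        # policy address ignored; the user's choice applies
    if enable.user_may_change and user_opts_out:
        return None                # user selected "Do not use a TS Gateway server"
    if address.enabled and address.value:
        if address.user_may_change and user_gateway:
            return user_gateway    # user named an alternate gateway
        return address.value       # enforced, or the default when the user named none
    return user_gateway            # no policy address: only a user-specified gateway works

if __name__ == "__main__":
    # Constructed sample: connection enforced, but no address or authentication method set.
    print(audit(Setting(enabled=True), Setting(), Setting()))
```

An empty list from audit means all three settings are enabled, have values, and are enforced.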