Installing TS Gateway

  • Article

Applies To: Windows Server 2008

Follow these steps to install the TS Gateway role service. Optionally, during the role service installation process, you can select an existing certificate (or create a new self-signed certificate), and you can create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP).

Install the TS Gateway role service

Use the following procedure to install the TS Gateway role service.

To install the TS Gateway role service

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  2. If the Terminal Services role is not already installed:

    1. In Server Manager, under Roles Summary, click Add roles.

    2. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.

    3. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next.

    4. On the Terminal Services page, click Next.

    5. On the Select Role Services page, in the Role services list, select the TS Gateway check box.

    6. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.

    7. On the Select Role Services page, confirm that TS Gateway is selected, and then click Next.

    If the Terminal Services role is already installed:

    1. Under Roles Summary, click Terminal Services.

    2. Under Role Services, click Add Role Services.

    3. On the Select Role Services page, select the TS Gateway check box, and then click Next.

    4. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.

    5. On the Select Role Services page, click Next.

  3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a Certificate for the TS Gateway Server for certificate requirements and information about how to obtain and install a certificate.

    Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.

  4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Creating a Terminal Services Connection Authorization Policy to create this policy. If you select Now, do the following:

    1. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.

    2. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.

    3. After you finish specifying additional user groups, on the Select User Groups that Can Connect Through TS Gateway page, click Next.

    4. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.

    5. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next.

  5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.

  6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.

  7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.

  8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.

  9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed:

    • Terminal Services\TS Gateway

    • Network Policy and Access Services\Network Policy Server

    • Web Server (IIS)\Web Server\Management Tools

    • RPC over HTTP Proxy

    • Windows Process Activation Service\Process Model\Configuration APIs

  10. Click Install.

  11. On the Installation Progress page, installation progress will be noted.

    If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.

  12. On the Installation Results page, confirm that installation was successful, and then click Close.

Verify successful role service installation and TS Gateway service status

Use the following procedure to verify that the TS Gateway role service and dependent roles, role services, and features are installed correctly and running.

To verify that installation was successful

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the console tree, expand Roles, and then double-click Terminal Services.

  3. On the Terminal Services summary page, in the System Services area, verify that the status of Terminal Services Gateway is Running and that the startup type is set to Auto.

  4. Close Server Manager.

  5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  6. In the console tree, expand <TS Gateway_Server_Name>\Sites\Default Web Site, and then click Default Web Site.

  7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings.

  8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True.

  9. Click OK.

  10. Close IIS Manager.