TS Gateway Server Configuration
Applies To: Windows Server 2008
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.
Events
| Event ID | Source | Message |
|---|---|---|
Microsoft-Windows-TerminalServices-Gateway |
The Terminal Services Gateway service requires a valid Secure Sockets Layer (SSL) certificate to accept connections. Ensure that you have obtained a valid SSL certificate, and then bind (map) the certificate by using TS Gateway Manager. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. The following error occurred: "%2" | |
Microsoft-Windows-TerminalServices-Gateway |
The Terminal Services Gateway service does not have sufficient permissions to access the Secure Sockets Layer (SSL) certificate that is required to accept connections. To resolve this issue, bind (map) a valid SSL certificate by using TS Gateway Manager. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
Logging was enabled for the following TS Gateway event: "%1". | |
Microsoft-Windows-TerminalServices-Gateway |
Logging could not be enabled for the following TS Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started. | |
Microsoft-Windows-TerminalServices-Gateway |
Logging was disabled for the following TS Gateway event: "%1". | |
Microsoft-Windows-TerminalServices-Gateway |
Logging could not be disabled for the following TS Gateway event: "%1". The following error occurred: "%2". To resolve this issue, ensure that the correct permissions have been granted to the LogEvents registry key and that the Remote Registry service is started. | |
Microsoft-Windows-TerminalServices-Gateway |
The value for the maximum number of connections allowed to the TS Gateway server was updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The value for the maximum number of simultaneous connections allowed to the TS Gateway server could not be updated. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy was enabled. | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy store could not be enabled. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues. | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy was disabled. | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy store could not be disabled. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The "Request clients to send a statement of health" (SoH) setting is enabled on this TS Gateway server. Therefore, each time a client attempts to connect to this TS Gateway server, the client’s SoH will be requested. | |
Microsoft-Windows-TerminalServices-Gateway |
The "Request clients to send a statement of health" (SoH) setting could not be enabled on this TS Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1". | |
Microsoft-Windows-TerminalServices-Gateway |
The "Request clients to send a statement of health" (SoH) setting is not enabled on this TS Gateway server. Therefore, the client’s SoH will not be requested when the client attempts to connect to this TS Gateway server. | |
Microsoft-Windows-TerminalServices-Gateway |
The "Request clients to send a statement of health" (SoH) setting could not be disabled on this TS Gateway server. To resolve this issue, ensure that the QuarantineEnabled registry key exists and that the System and Administrators groups are granted Full Control permissions to this key. The following error occurred: "%1". | |
Microsoft-Windows-TerminalServices-Gateway |
The "Request clients to send a statement of health" (SoH) setting could not be enabled on this TS Gateway server. This setting could not be enabled because the public key of the server certificate that is bound (mapped) to the Terminal Services Gateway service contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. To resolve this issue, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. Bind (map) the certificate again by using TS Gateway Manager, and then attempt to enable the "Request clients to send a statement of health" setting again. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. | |
Microsoft-Windows-TerminalServices-Gateway |
The server certificate is not valid because the public key of the certificate contains an object identifier (also known as OID) of 2.5.29.15, but does not support the Extended Key Usage (EKU) for encryption. For the "Request clients to send a statement of health" setting that is enabled on this TS Gateway server to function, if the certificate that you plan to use contains an OID of 2.5.29.15, you must ensure that one of the following key usage values for this certificate is also set: (1) CERT_KEY_ENCIPHERMENT_KEY_USAGE (2) CERT_KEY_AGREEMENT_KEY_USAGE (3) CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information, see "Obtain a certificate for the TS Gateway server" in the TS Gateway Help. | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" was created. | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" was deleted. | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" was updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" could not be created. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" could not be deleted. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The connection authorization policy "%1" could not be updated. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy "%1" was created. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy "%1" was deleted. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy "%1" was updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy (RAP) "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy (RAP) "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource authorization policy (RAP) "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" was created. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" was deleted. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" was updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" could not be created. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" could not be deleted. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The resource group "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key. | |
Microsoft-Windows-TerminalServices-Gateway |
The Network Policy Server (NPS) "%1" was added to the central connection authorization policy. | |
Microsoft-Windows-TerminalServices-Gateway |
The Network Policy Server (NPS) "%1" was deleted from the central connection authorization policy. | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy settings for the Network Policy Server (NPS) "%1" have been updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The Network Policy Server (NPS) "%1" could not be added to the central connection authorization policy. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and any resolve network connectivity issues. | |
Microsoft-Windows-TerminalServices-Gateway |
The Network Policy Server (NPS) "%1" could not be deleted from the central connection authorization policy. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The central connection authorization policy settings for the Network Policy Server "%1" could not be updated. The following error occurred: "%2". To resolve this issue, ensure that you have typed the name of the Network Policy Server (NPS) correctly and that the NPS exists on the network, and then try again. If the problem persists, then identify and resolve any network connectivity issues. | |
Microsoft-Windows-TerminalServices-Gateway |
The TS Gateway server "%1" was deleted from the list of servers in the TS Gateway server farm. | |
Microsoft-Windows-TerminalServices-Gateway |
The TS Gateway server "%1" was either added to the list of servers in the TS Gateway server farm or its settings were updated. | |
Microsoft-Windows-TerminalServices-Gateway |
The TS Gateway server "%1" could not be deleted from the list of servers in the TS Gateway server farm. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The TS Gateway server "%1" could not be added to the list of servers in the TS Gateway server farm or its settings could not be updated. The following error occurred: "%2". | |
Microsoft-Windows-TerminalServices-Gateway |
The TS Gateway server "%1" is not a member of a domain and therefore cannot be added to the TS Gateway server farm. To add this TS Gateway server to the farm, you must first add the server to a domain. | |
Microsoft-Windows-TerminalServices-Gateway |
A Windows Firewall exception for TS Gateway has been configured to allow data for Terminal Services client connections and RPC-HTTP load balancing to be sent between TS Gateway servers when load balancing is used. This exception is automatically configured when you add the first TS Gateway server to a TS Gateway server farm. | |
Microsoft-Windows-TerminalServices-Gateway |
The Windows Firewall exception for TS Gateway to allow network traffic comprising of Terminal Services client connections data and RPC-HTTP load balancing data (to be sent between TS Gateway servers when load balancing is used) has been disabled. This exception is automatically disabled when you remove all TS Gateway servers from a TS Gateway server farm. | |
Microsoft-Windows-TerminalServices-Gateway |
The Windows Firewall exception to allow network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be configured. | |
Microsoft-Windows-TerminalServices-Gateway |
The Windows Firewall exception "TS Gateway Server Farm" that allows network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed. | |
Microsoft-Windows-TerminalServices-Gateway |
The policy and server configuration settings for the TS Gateway server "%1" have been successfully imported. | |
Microsoft-Windows-TerminalServices-Gateway |
The policy and server configuration settings for the TS Gateway server "%1" could not be imported. This problem might occur if the settings have become corrupted. | |
Microsoft-Windows-TerminalServices-Gateway |
The policy and server configuration settings for the TS Gateway server "%1" have been successfully exported. | |
Microsoft-Windows-TerminalServices-Gateway |
The policy and server configuration settings for the TS Gateway server "%1" could not be exported. The following error occurred: "%2". |