TS Gateway Installation Prerequisites

Applies To: Windows Server 2008

For TS Gateway to function correctly, you must meet these prerequisites:

  • You must have a server with Windows Server 2008 installed.

  • You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.

  • You must obtain a Secure Sockets Layer (SSL) certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the Internet Information Services (IIS) service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.


You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For more information, see Create a Self-Signed Certificate for the TS Gateway Server.

For information about certificate requirements for TS Gateway and how to obtain and install a certificate, see [Obtain a Certificate for the TS Gateway Server](cc725949\(v=ws.10\).md).  
  • If you configure a TS Gateway authorization policy that requires that users on client computers be members of an Active Directory security group to connect to the TS Gateway servers or if you are deploying a load-balanced TS Gateway server farm, the TS Gateway servers must also be members of an Active Directory Domain Services domain.

Role, role service, and feature dependencies

To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following additional roles, role services, and features are automatically installed and started, if they are not already installed:

  • Remote procedure call (RPC) over HTTP Proxy

  • Web Server (IIS) [Internet Information Services 7.0]

    IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function.

  • Network Policy and Access Services

    You can also configure TS Gateway to use Terminal Services connection authorization policies that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the NPS server—formerly known as a Remote Authentication Dial-In User Service (RADIUS) server—to centralize the storage, management, and validation of TS CAPs. If you have already deployed an NPS server for remote access scenarios such as VPN and dial-up networking, using the existing NPS server for TS Gateway scenarios as well can enhance your deployment.