Installation Prerequisites for TS Gateway

Applies To: Windows Server 2008

For TS Gateway to function correctly, you must meet these prerequisites:

  • You must have a server running Windows Server 2008.

  • You must obtain an SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.


You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes.

For information about certificate requirements for TS Gateway and how to obtain and install a certificate, see "Obtain a certificate for the TS Gateway server" in [Configuring the TS Gateway Core Scenario](cc754252\(v=ws.10\).md).  
  • TS Gateway servers must be joined to an Active Directory domain in the following cases:

    • If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server.

    • If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server.

    • If you are deploying a load-balanced TS Gateway server farm.

Role, role service, and feature dependencies

To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following additional roles, role services, and features are automatically installed and started, if they are not already installed:

  • Remote Procedure Call (RPC) over HTTP Proxy

  • Web Server (IIS) [Internet Information Services 7.0]

    IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function.

  • Network Policy and Access Services

    You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the server that is running Network Policy Server (NPS)—formerly known as a Remote Authentication Dial-In User Service (RADIUS) server—to centralize the storage, management, and validation of TS CAPs. If you have already deployed a server running NPS for remote access scenarios such as VPN and dial-up networking, using the existing server running NPS for TS Gateway scenarios as well can enhance your deployment.

Administrative credentials

You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.