Install the TS Gateway Role Service
Applies To: Windows Server 2008
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To install the TS Gateway role service
Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
If the Terminal Services role is not already installed:
In Server Manager, under Roles Summary, click Add Roles.
In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.
On the Select Server Roles page, under Roles, select Terminal Services, and then click Next.
On the Terminal Services page, click Next.
On the Select Role Services page, select the TS Gateway check box.
If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
On the Select Role Services page, click Next.
If the Terminal Services role is already installed:
Under Roles Summary, click Terminal Services.
Under Role Services, click Add Role Services.
On the Select Role Services page, select the TS Gateway check box, and then click Next.
If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
On the Select Role Services page, click Next.
On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a Certificate for the TS Gateway Server for certificate requirements and information about how to obtain and install a certificate.
Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.
On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Create a TS CAP to create this policy. If you select Now, do the following:
On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.
After you finish specifying additional user groups, on the Select User Groups That Can Connect Through TS Gateway page, click Next.
On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.
On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer group; or specify that users can connect to any computer on the network. Click Next.
On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.
On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.
On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.
On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.
On the Confirm Installation Selections page, verify that the following role services will be installed:
Terminal Services\TS Gateway
Network Policy and Access Services\Network Policy Server
Web Server (IIS)
RPC over HTTP Proxy
Click Install.
On the Installation Progress page, installation progress will be noted.
If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.
On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.