A. When you install Windows Server 2008’s Terminal Services (TS) Gateway, you specify an initial configuration: the computers and accounts that can connect via the TS Gateway and the resources they can access. You also need to specify the certificate that will be used for the Secure Sockets Layer (SSL) connection. An internal public key infrastructure (PKI) solution can generate this certificate if all TS Gateway clients are members of the domain and trust the internal root Certificate Authority (CA). If non-domain machines need to connect via TS Gateway, or if some machines don't trust the certificate, you should purchase a third-party certificate that will be trusted by all clients.

To install TS Gateway, perform these steps:

1. From Server Manager, select the Roles navigation link and click the Add Roles link in the details pane.
2. Click Next at the wizard’s introduction screen.
3. Check the Terminal Services role option and click Next.
4. An introduction to Terminal Services screen is displayed; click Next.
5. Check the TS Gateway role service, as you can see in the screen below. You’ll then see a dialog box that requests to add the dependent role services (Web, NPAS, RPC over HTTP, and WPAS). Click Add Required Role Services. Then click Next in the Select Role Services dialog box.

6. Select the server-authentication certificate to use, as the following screen shows. (At this point, you can import the certificate if you haven’t already loaded it; if you import the certificate, accept the default to let the program select where to install the certificate.) Click Next.

7. You’ll be prompted to configure authorization policies. Leave Now as the default and click Next.
8. You’ll see the first configuration screen, which lets you specify which users can connect via the TS Gateway. By default, only the Administrators group is enabled. You can add additional groups with users—for example, create a group named TS Gateway Users. Once you’ve added groups, click Next.
9. You’ll be asked to create a TS CAP (Terminal Services connection authorization policy), which by default will be called TS_CAP_01, as the following screen shows. Leave this default, and select whether you’ll use passwords and/or smart cards for the authentication. (Normally authentication will be password only.) Make your choices and click Next.

10. Next, you’ll create the Terminal Services resource authorization policy (TS RAP), which specifies which systems can be connected to via the TS Gateway. You can specify a group containing only those servers that may be connected to, or you can select to allow connection to any computer on the network. Click Next.
11. Click Next through the remainder of the role-installation screens; no other changes are required.
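
A pre-flight check for the certificate selected in step 6, added here as an example and not part of the original article: it lists each certificate in the local machine store with the properties that matter for the TS Gateway SSL connection. The name `tsg.example.com` and the function `Test-GatewayCertificate` are assumptions, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original article. Assumes PowerShell 2.0 or later.
# $GatewayName is a placeholder for the FQDN that clients will connect to.
param([string]$GatewayName = 'tsg.example.com')

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-GatewayCertificate {
    param($Cert, [string]$Name)

    # Gather the EKU OIDs carried by the certificate.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    # First DNS SAN entry, or the subject CN if there is no SAN.
    $dns = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    # Build the chain against this machine's trust stores, skipping revocation
    # so the result reflects trust only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        DnsName       = $dns
        NameMatches   = ($dns -eq $Name)   # wildcard / multi-SAN certs need a manual look
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $ServerAuthOid)
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        TrustedHere   = $trusted
        ChainRoot     = $root.Subject      # compare with the roots your clients trust
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-GatewayCertificate -Cert $_ -Name $GatewayName } |
    Format-List
```

`TrustedHere` reflects only the server's own trust stores; for non-domain clients, check that the `ChainRoot` value is a root those clients already trust.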

Once the installation is done, you might want to modify the TS CAP that was created: by default, the CAP restricts which users can connect via the TS Gateway but not the machines they’re connecting from. You might want to set additional connection restrictions, for example, that the machines must be members of a domain. To do so, use the TS Gateway Manager to modify the TS CAP and specify a group that the client computers must be members of, as the following screen shows.