To resolve this issue, ensure that the client meets the health policy requirements that are configured on the Network Policy Server (NPS).
Also, consider checking the event log for events that confirm that Network Access Protection (NAP) health policies were successfully applied and that the client met the requirements of the TS CAP. Doing this can help you confirm that the root cause of the problem is the failure for the client to meet NAP health policy requirements, rather than the client failing to meet TS CAP requirements.
Check the health policy requirements for the client
Perform this procedure on the NPS server that is configured to enforce NAP for TS Gateway access (the server where you have configured health policies, connection request policies, and network policies that enforce NAP for TS Gateway). To check health policy requirements, you must check the Windows Security Health Validator (WSHV) that is configured on the NPS server.
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To check the health policy requirements for the client:
On the NPS server, open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.
In the console tree, expand Network Access Protection, and then click System Health Validators.
In the details pane, right-click Windows Security Health Validator, and then click Properties.
In the Windows Security Health Validator Properties dialog box, on the Settings tab, click Configure.
On the Windows Vista and/or the Windows XP SP2 tab (depending on the operating system that the Terminal Services client is running), note which check boxes are cleared and which check boxes are selected, so that you can check the client configuration and determine whether the client meets the health policy requirements in the WSHV.
Click OK to close the Windows Security Health Validator Properties dialog box (with the Windows Vista and Windows XP tabs), and then click OK again to close the Windows Security Health Validator Properties dialog box (with the Settings tab).
Check the client configuration to confirm whether the client meets health policy requirements
After you note the health policy requirements configured in the WSHV on the NPS server, check the following settings on the client, and note whether the client configuration meets the requirements configured in the WSHV:
Whether Windows Firewall is enabled
Whether an anti-virus application is running and up to date
Whether an anti-spyware application is running and up to date
Whether automatic updating is enabled
Whether client access to internal network resources through TS Gateway is restricted if clients do not have all available security updates installed (and if so, what level of security updates must be installed)
How often the client must check for new security updates
Whether clients must receive updates from Windows Server Update Services and Windows Update, in addition to Microsoft Update
If the client settings and WSHV settings are not compatible, do one of the following:
Modify the client configuration to ensure that the client meets the health policy requirements.
Modify the settings of the existing WSHV.
For general information about Network Access Protection (NAP) health policies, see Network Access Protection Policies in Windows Server 2008 ( http://go.microsoft.com/fwlink/?LinkID=102394).
Search the event log to find relevant NPS events
If you have configured local Terminal Services connection authorization policies (TS CAPs), perform the following procedure on the TS Gateway server. If you have configured central TS CAPs, perform the following procedure on the NPS server where the central TS CAPs are stored.
To search the event log to find relevant NPS events:
On the TS Gateway server or the central NPS server, click Start, point to Administrative Tools, and then click Event Viewer.
Navigate to Windows Logs\Security, and then search for the following additional events that indicate that the client did not meet NAP health policy requirements:
Event ID 6276, Keyword: Audit Success. This event indicates that the client was denied access to the TS Gateway server and quarantined because the NAP health policy was successfully applied.
Event ID 6272, Keyword: Audit Success. This event indicates that the TS CAP granted full access to the client. This event is useful for isolating the root cause of the failure for the client to connect to the TS Gateway server. When it is logged in combination with event ID 6276, it indicates that the failure for the client to connect to the TS Gateway server is due to the failure for the client to meet NAP health policy requirements, not the failure of the client to meet TS CAP requirements.
| Target | Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway | ||
| Category | EventCollection | ||
| Enabled | False | ||
| Event_ID | 204 | ||
| Event Source | Microsoft-Windows-TerminalServices-Gateway | ||
| Alert Generate | True | ||
| Alert Severity | Error | ||
| Alert Priority | Normal | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | Microsoft-Windows-TerminalServices-Gateway/Operational |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
Home
ENU <Rule ID="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway.EventCollection.204" Enabled="false" Target="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Microsoft-Windows-TerminalServices-Gateway/Operational</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">204</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-Gateway</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2008.TerminalServicesRole.Service.TSGateway.EventCollection.204.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>