RD Gateway Server Configuration

Microsoft.Windows.Server.RemoteDesktopServices.2012.R2.NewUnitMonitor_7 (UnitMonitor)

This object monitors the configuration of the Remote Desktop Gateway server.

Knowledge Base article:

Summary

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Resolutions

To resolve this issue, check the event ID, and then view the troubleshooting information for that event in the sections below.

Resolution steps for the following event IDs: 563, 564, 565

Ensure that security groups and RD Gateway-managed groups are configured correctly

To resolve this issue, do the following:

Check security group and RD Gateway-managed computer group settings in the RD RAP

Note: In addition to meeting the requirements of the RD RAP, users on clients must have the right to log on locally to the computer to which they are trying to connect.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To check security group and RD Gateway-managed computer group settings in the RD RAP:

1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

3. In the console tree, expand Policies, and then click Resource Authorization Policies.

4. In the results pane, in the list of RD RAPs, right-click the RD RAP that you want to check, and then click Properties.

5. On the Network Resource tab, check whether Allow users to connect to any network resource is selected. If so, proceed to the procedure "Ensure that the required permissions are granted to rap.xml" later in this topic. If not, do one of the following:

6. If Select an existing Active Directory Domain Services network resource group is selected, note the name of the security group, so that you can ensure that the specified security group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.

7. If Select existing RD Gateway-managed computer group or create a new one is selected, ensure that the name of the RD Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.

8. Click OK to close the Properties dialog box for the RD RAP.

9. If an incorrect security group is specified or if the RD Gateway-managed computer group is not correctly configured, modify the settings of the existing RD RAP or create a new RD RAP. For information about how to create an RD RAP, see "Create an RD RAP" in the RD Gateway Manager Help in the Windows Server Technical Library (http://technet.microsoft.com/en-us/library/cc772397.aspx).

To perform these procedures, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Confirm that the Active Directory security group specified in the RD RAP exists, and check account membership for the client in this group

To confirm that the Active Directory security group specified in the RD RAP exists:

1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.

3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the RD RAP, and then click Find Now.

4. If the group exists, it will appear in the search results.

5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this security group:

1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

2. In the console tree, expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer that the client is trying to connect to belongs.

3. In the details pane, right-click the computer name, and then click Properties.

4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD RAP.

Confirm that the local security group specified in the RD RAP exists, and check account membership for the client in this group

To confirm that the local security group specified in the RD RAP exists, and to check account membership for the client in this group:

1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.

2. In the console tree, expand Local Users and Groups, and then click Groups.

3. In the results pane, locate the local security group that contains the computers that the client can access through the RD Gateway server (the group name or description should indicate whether the group has been created for this purpose).

4. Right-click the group name, and then click Properties.

5. On the General tab of the Properties dialog box for the group, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD RAP.

6. Click OK.

If this does not resolve the issue, ensure that the correct permissions are granted to the rap.xml file.

Ensure that the required permissions are granted to rap.xml

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To ensure that the required permissions are granted to rap.xml:

1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which the Windows operating system is installed.

2. Right-click rap.xml.

3. In the rap.xml Properties dialog box, click the Security tab.

4. Click Edit, and then do the following:

5. In the Permissions for rap dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

6. Under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

7. Under Group or user names, click Users. Under Permissions for Users, if Read and Execute and Read are not allowed, select the Allow check box adjacent to these two permissions.

8. Under Group or user names, click Network Service. Under Permissions for Network Service, if Read is not allowed, select the Allow check box adjacent to Read.

9. Click OK.

Rename rap.xml and start Remote Desktop Gateway Manager

If granting the required permissions to rap.xml does not resolve the problem, try renaming rap.xml to rapbak.xml, and then starting Remote Desktop Gateway Manager. Starting the console will create a new rap.xml file.

To rename rap.xml:

1. On the RD Gateway server, navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which the Windows operating system is installed.

2. Right-click rap.xml, type rapbak.xml, and then press ENTER.

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no RD RAPs will appear when you open the console (to confirm that no RD RAPs appear, open Remote Desktop Gateway Manager, click to expand the node that represents your RD Gateway server, expand Policies, and then click Resource Authorization Policies).

To start Remote Desktop Gateway Manager:

On the RD Gateway server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

If this does not resolve the issue, ensure that the correct value is set for the RAPStore registry key, and that the required permissions are granted to this registry key.

Ensure that the correct value is set and the required permissions are granted for the RAPStore registry key

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To set the correct value and grant the required permissions for the RAPStore registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\ subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control, and then click OK.

5. Click the Core registry subkey.

6. In the details pane, right-click RAPStore, and then click Modify.

7. In the Edit String dialog box, in Value data, verify that the value is set to msxml://%SystemRoot%\System32\rap.xml. If the value is different, modify it as required, and then click OK.

Resolution steps for the following event ID: 2002

Check whether settings are associated with local security groups on another RD Gateway server

To resolve this issue, ensure that the settings that you are attempting to import to an RD Gateway server are not associated with local security groups on the RD Gateway server from which you exported the settings. If the settings are not associated with local security groups on the RD Gateway server from which you have exported the settings, try exporting and then importing the file that contains these settings again.

If you export policies from one RD Gateway server that contain references to local security groups (user or computer groups in Local Users and Computers) on that server, you cannot import these settings to another RD Gateway server, because the local security groups might not exist on the RD Gateway server to which you are attempting to import the settings. For example, if you export settings from RD Gateway Server 1, and then try to import these settings to RD Gateway Server 2 and these settings are associated with local security groups on RD Gateway Server 1, the attempt to import the settings will not succeed.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Check whether RD Gateway server policy settings are associated with local user or computer groups on another RD Gateway server

To check whether RD Gateway server policy settings are associated with local user or computer groups on another RD Gateway server:

1. On the RD Gateway server from which you are trying to export policy and configuration settings, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

3. In the console tree, expand Policies, and then click Connection Authorization Policies.

4. In the results pane, in the list of Remote Desktop connection authorization policies (RD CAPs), for each RD CAP, check for local security groups. To do this, check the following, on the Requirements tab:

5. Check whether a local user group appears under User group membership (required). If so, the policy and configuration settings cannot be imported to another RD Gateway server.

6. Check whether a local computer group appears under Client Computer group membership (optional). If so, the policy and configuration settings cannot be imported to another RD Gateway server.

7. In the console tree, expand Policies, and then click Resource Authorization Policies.

8. In the results pane, in the list of Remote Desktop resource authorization policies (RD RAPs), for each RD RAP, check for local security groups. To do this, check for the following:

9. On the User Groups tab, check whether a local user group appears under User Groups. If so, the policy and configuration settings cannot be imported to another RD Gateway server.

10. On the Computer Group tab, check whether a local computer group appears. If so, the policy and configuration settings cannot be imported to another RD Gateway server.

If no user groups associated with the RD CAPs or RD RAPs are local user or computer groups, try exporting the settings from this RD Gateway server, and importing them to another RD Gateway server again. In such a case, it is possible that the .xml file that contains the policy settings and that you exported from the other RD Gateway server was corrupted. Exporting, and then importing the file that contains these settings again can help resolve the problem.

Export settings from the local RD Gateway server and then import them to another RD Gateway server

Important: Importing policy settings to an RD Gateway server will cause any existing policy settings on that server to be overwritten. If you want to save the existing policy settings on that RD Gateway server, we recommend that you create a backup copy of those settings before attempting to import new policy settings to the server.

To export settings from the local RD Gateway server and then import them to another RD Gateway server:

1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, which is named for the computer on which the RD Gateway server is running, and then click Export policy and configuration settings.

3. Specify a name and location for the file, and then click OK.

4. A message will appear to indicate that the settings have been successfully exported to the location that you have specified.

5. Click OK.

6. Close Remote Desktop Gateway Manager.

7. On the target Remote Desktop Gateway server (the Remote Desktop Gateway server on which you want to import the settings), open Remote Desktop Gateway Manager.

8. In the Remote Desktop Gateway Manager console tree, right-click the local RD Gateway server, and then click Import policy and configuration settings.

9. In the Import Policy and Server Configuration Settings dialog box, specify the file that you want to import, and then click OK.

10. A message will appear stating that importing the file will cause existing policy and configuration settings for the RD Gateway server to be overwritten. To proceed, click Yes, and then proceed to step 11. To cancel the procedure, click No.

11. After the settings have been imported, another message will appear to indicate that the settings have been successfully imported to the local RD Gateway server, from the location that you have specified.

12. Click OK.

Resolution steps for the following event IDs: 509, 517, 515

Ensure that the required permissions are granted to the Core registry key

To resolve this issue, ensure that the required permissions are granted to the Core registry key.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the Core registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.

Resolution steps for the following event ID: 628

Manually disable the Remote Desktop Gateway Server Farm exception in Windows Firewall

To resolve this issue, manually disable the Remote Desktop Gateway Server Farm exception in Windows Firewall. You can configure this exception by using Windows Firewall in Control Panel or by using Group Policy.

Note: For optimal security, ensure that the Remote Desktop Gateway Server Farm exception is disabled for all RD Gateway servers that are not members of an RD Gateway server farm.

Disable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To disable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel:

1. Open Windows Firewall. To open Windows Firewall, click Start, click Control Panel, and double-click Windows Firewall.

2. In Windows Firewall, click Change Settings.

3. On the Exceptions tab, disable the Remote Desktop Gateway Server Farm exception by clearing the Remote Desktop Gateway Server Farm check box. If this check box is dimmed, Group Policy has been applied to control this exception. To modify Group Policy to disable this exception, see "Disable the Remote Desktop Gateway Server Farm exception by using Group Policy" later in this topic.

4. Click OK.

5. Close Windows Firewall.

Disable the Remote Desktop Gateway Server Farm exception by using Group Policy

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To disable the Remote Desktop Gateway Server Farm exception by using Group Policy:

1. On a computer running the Group Policy Management Console, start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left pane, locate the OU that you want to edit.

3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.

4. In the right pane, click the Settings tab.

5. In the left pane, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.

6. Right-click each of the following rules (TCP-In, RPC-EPMAP, and RPC HTTP Load Balancing Service), and then click Disable Rule.

7. Close the Group Policy Management Console.

8. Ensure that the update to Group Policy is applied by running the gpupdate /force command. To run the gpupdate /force command, click Start, click Run, type cmd, and then press ENTER. At the command prompt, type gpupdate /force and then press ENTER.

Resolution steps for the following event ID: 2004

Ensure that the required permissions are granted to the Core registry key, and if needed, delete and recreate RD CAPs and RD RAPs

To resolve this issue, ensure that the required permissions are granted to the Core registry key. If the problem persists, you might have to delete and recreate the Remote Desktop resource authorization policies (RD RAPs) and the Remote Desktop connection authorization policies (RD CAPs) on the RD Gateway server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the Core registry key

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the Core registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.

6. Try exporting the policy and configuration settings again.

7. If the export is successful, the rest of the resolution steps in this topic do not apply.

If granting the required permissions to the Core registry key does not resolve the problem, try deleting and then recreating the RD RAPs and the RD CAPs on the RD Gateway server.

Delete and recreate the RD RAPs on the RD Gateway server

Note: After you rename rap.xml and restart Remote Desktop Gateway Manager, no RD RAPs will appear, so you must reconfigure the RD RAP settings.

To back up and delete rap.xml and then open the Remote Desktop Gateway Manager console:

1. Navigate to %windir%\System32\tsgateway\rap.xml, where %windir% is the folder in which the Windows operating system is installed.

2. Save a backup copy of rap.xml by renaming rap.xml to rapbak.xml.

3. Delete rap.xml.

4. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

5. Reconfigure the RD RAP settings as needed.

6. Try exporting the policy and configuration settings again.

Delete and recreate the RD CAPs on the Remote Desktop Gateway server

If backing up and removing the current copy of Rap.xml and recreating the RD RAP settings does not resolve the problem, try renaming IAS.xml to IASbak.xml, and then starting Remote Desktop Gateway Manager. Opening the console will create a new IAS.xml file.

Note: After you rename IAS.xml and restart Remote Desktop Gateway Manager, no RD CAPs will appear, so you must reconfigure the RD CAP settings.

To back up and delete IAS.xml and then open Remote Desktop Gateway Manager:

1. Navigate to %windir%\System32\ias\ias.xml, where %windir% is the folder in which the Windows operating system is installed.

2. Save a backup copy of IAS.xml by renaming IAS.xml to IASbak.xml.

3. Delete IAS.xml.

4. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

5. Reconfigure the RD CAP settings as needed.

6. Try exporting the policy and configuration settings again.

Resolution steps for the following event IDs: 507, 505

Ensure that the required permissions are granted to the LogEvents registry key and that the Remote Registry service is started

To resolve this issue, ensure that the correct permissions are granted to the LogEvents registry key. If this does not resolve the problem, ensure that the Remote Registry service is started.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Grant the required permissions to the LogEvents registry key

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the LogEvents registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\LogEvents subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for LogEvents dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.

If the problem persists, determine whether the Remote Registry service is started, and if it is not, start it.

Determine whether the Remote Registry service is started

To determine whether the Remote Registry service is started:

1. Click Start, point to Administrative Tools, and then click Services.

2. In the Services snap-in, find Remote Registry, and then confirm that Started appears in the Status column.

3. If the status is not Started, right-click Remote Registry, and then click Start.

4. If the attempt to start only the service fails, restart the computer. This forces all related and dependent services to restart.

5. If you want the service to always start automatically after the server is restarted, right-click Remote Registry, click Properties, and in Startup type, select Automatic.

Resolution steps for the following event IDs: 402, 404

Remote Desktop Gateway registers an Active Directory Domain Services service connection point each time the Remote Desktop Gateway service is started.

Note: Restarting the Remote Desktop Gateway service also restarts all dependent services.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To restart the Remote Desktop Gateway service:

1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Services. In the Name column of the Services snap-in, right-click Remote Desktop Gateway, and then click Restart.

2. If the attempt to restart only the service fails, restart the computer. This forces all related and dependent services to restart.

3. If you want the service to always start automatically after the server is restarted, in the Name column of the Services snap-in, right-click Remote Desktop Gateway, click Properties, and in Startup type, select Automatic, and then click OK.

Resolution steps for the following event IDs: 528, 532

To resolve this issue, ensure that the required permissions are granted to the TSGMessaging registry key.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the TSGMessaging registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\TSGMessaging subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.

Resolution steps for the following event IDs: 623, 622, 630

To resolve this issue, ensure that the required permissions are granted to the RPC registry key.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To ensure that the required permissions are granted to the RPC registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Rpc dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.
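
The permission checks described above for rap.xml and for the Core, LogEvents, TSGMessaging and Rpc registry keys, together with the RAPStore value check, can be audited in one read-only pass. The following PowerShell is an added example and is not part of the original article; the function names Test-RequiredAccess and Test-RapStoreValue are hypothetical, and the expected RAPStore value is the one quoted in this article.

```powershell
# Added example: read-only audit of the permissions this article asks you to verify.
# Run in an elevated PowerShell session on the RD Gateway server. Nothing is modified.

# Well-known SIDs are used instead of account names so the check is locale-independent.
$SYSTEM = 'S-1-5-18'; $ADMINS = 'S-1-5-32-544'; $USERS = 'S-1-5-32-545'; $NETSVC = 'S-1-5-20'

$core = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
$full = @{ $SYSTEM = 'FullControl'; $ADMINS = 'FullControl' }

# Object path -> required rights per principal, as listed in the procedures.
$targets = [ordered]@{
    "$env:windir\System32\tsgateway\rap.xml" = @{
        $SYSTEM = 'FullControl';    $ADMINS = 'FullControl'
        $USERS  = 'ReadAndExecute'; $NETSVC = 'Read' }
    $core                          = $full
    "$core\LogEvents"              = $full
    "$core\TSGMessaging"           = $full
    'HKLM:\SOFTWARE\Microsoft\Rpc' = $full
}

# Hypothetical helper: reports OK / Missing / Denied for each required principal.
# Only ACEs naming the principal directly are counted, which is what the
# Permissions dialog box shows; access gained through other groups is ignored.
function Test-RequiredAccess {
    param([string] $Path, [hashtable] $Required)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Sid = '-'; Required = '-'; Status = 'NotFound' }
    }
    $acl  = Get-Acl -LiteralPath $Path
    $type = $acl.AccessRightType      # FileSystemRights or RegistryRights
    $prop = $type.Name                # name of the rule property that holds the rights mask
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs with identities as SIDs. ACEs that apply only to
    # child objects do not grant access to the object itself, so they are skipped.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { -not ($_.PropagationFlags -band $inheritOnly) }

    foreach ($sid in $Required.Keys) {
        $want  = [int][Enum]::Parse($type, $Required[$sid])
        $allow = 0
        $deny  = 0
        foreach ($r in $rules | Where-Object { $_.IdentityReference.Value -eq $sid }) {
            if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.$prop }
            else                                  { $deny  = $deny  -bor [int]$r.$prop }
        }
        # A Deny ACE that overlaps the required rights overrides any Allow ACE.
        if     ($deny -band $want)              { $status = 'Denied' }
        elseif (($allow -band $want) -eq $want) { $status = 'OK' }
        else                                    { $status = 'Missing' }

        [pscustomobject]@{ Path = $Path; Sid = $sid; Required = $Required[$sid]; Status = $status }
    }
}

# Hypothetical helper: compares RAPStore with the value given in this article.
function Test-RapStoreValue {
    param([string] $KeyPath, [string] $Expected)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Value = $null; Expected = $Expected; Match = $false }
    }
    # Read the stored string without expansion, then compare both raw and expanded forms
    # so that REG_SZ and REG_EXPAND_SZ values are both handled.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $raw = $key.GetValue('RAPStore', $null, $noExpand)
    $match = $raw -and (
        $raw -ieq $Expected -or
        [Environment]::ExpandEnvironmentVariables($raw) -ieq
            [Environment]::ExpandEnvironmentVariables($Expected))

    [pscustomobject]@{ Value = $raw; Expected = $Expected; Match = [bool]$match }
}

$targets.GetEnumerator() |
    ForEach-Object { Test-RequiredAccess -Path $_.Key -Required $_.Value } |
    Format-Table -AutoSize

Test-RapStoreValue -KeyPath $core -Expected 'msxml://%SystemRoot%\System32\rap.xml' |
    Format-List
```

Any row reported as Missing or Denied points to the object and principal to correct with the matching procedure in this article.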

Resolution steps for the following event IDs: 3001, 103

To resolve this issue, ensure that required permissions are granted to the private key of the SSL certificate.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To grant the required permissions to the private key of the SSL certificate:

1. On the RD Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

2. Click Start, click Run, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

5. In the Certificates snap-in dialog box, click Computer account, and then click Next.

6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

7. In the Add or Remove Snap-ins dialog box, click OK.

8. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then navigate to the SSL certificate for the RD Gateway server.

9. Right-click the certificate, point to All Tasks, and then click Manage Private Keys.

10. In the Permissions for <Name> private keys dialog box, under Group or user names, click NETWORK SERVICE. Under Permissions for NETWORK SERVICE, if Read is not allowed, select the Allow check box adjacent to Read.

11. Click OK.

Resolution steps for the following event ID: 530

A logon message is displayed to users when they log on to the remote computer. To ensure that the logon message is properly configured, do the following:

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Ensure that the logon message box is not empty

Use Remote Desktop Gateway Manager to ensure that the logon message box is not empty.

To ensure that the logon message box is not empty:

1. On the RD Gateway server, open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, right-click the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running, and then click Properties.

3. Click the Messaging tab.

4. Check that the Enable logon message check box is selected, and that a text file is appropriately assigned.

Ensure that the logon message text file is less than 64 kilobytes

You can ensure that the logon message is less than 64 kilobytes by using Windows Explorer.

To ensure that the logon message text file is less than 64 kilobytes:

On the RD Gateway server, find the location of the logon message text file.

1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, right-click the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running, and then click Properties.

3. Click the Messaging tab.

Locate the text file location under the Enable logon message check box.

1. On the RD Gateway server, navigate to the folder where the logon message text file is located by using Windows Explorer.

2. Right-click the text file, and then click Properties.

3. In the Properties sheet of the text file, ensure that the value of Size is less than 64 KB.

Grant the required permissions on the TSGMessaging registry key

You can check the permissions on the TSGMessaging registry key by using Registry Editor.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To grant the required permissions to the TSGMessaging registry key:

1. On the RD Gateway server, click Start, click Run, type regedit, and then press ENTER.

2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\TSGMessaging subkey, right-click the subkey, and then click Permissions.

3. In the Permissions for Core dialog box, under Group or user names, click SYSTEM. Under Permissions for SYSTEM, if Full control is not allowed, select the Allow check box adjacent to Full control.

4. In the same dialog box, under Group or user names, click Administrators. Under Permissions for Administrators, if Full control is not allowed, select the Allow check box adjacent to Full control.

5. Click OK.
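The two permission procedures above (NETWORK SERVICE Read on the SSL certificate's private key for events 3001 and 103; SYSTEM and Administrators Full control on the TSGMessaging key plus the 64 KB file limit for event 530) can be audited read-only from PowerShell. This is an added example, not part of the original article or the management pack; the function names are made up here, the thumbprint and message file path are placeholders, and it assumes an RSA key in a software key store and .NET Framework 4.6 or later.

```powershell
# Added example: read-only audit, changes nothing. Run elevated on the RD Gateway server.
# Assumptions: RSA key in a software key store; .NET Framework 4.6+ (GetRSAPrivateKey).

$TsgMessagingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core\TSGMessaging'

# Well-known SIDs, so the comparison does not depend on the display language.
$Sid = @{
    System         = 'S-1-5-18'
    NetworkService = 'S-1-5-20'
    Administrators = 'S-1-5-32-544'
}

function Test-AllowRule {
    # True when the ACL holds an Allow entry for the SID whose rights include
    # every bit in $Required. Only entries that name the SID itself are counted,
    # which is what the permissions dialog box shows when you click that name;
    # Deny entries and access gained through group membership are not evaluated.
    param($Acl, [string]$SidValue, [int]$Required)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = [int]$rule.RegistryRights
        } else {
            $rights = [int]$rule.FileSystemRights
        }
        if ($rule.IdentityReference.Value -eq $SidValue -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rights -band $Required) -eq $Required) {
            return $true
        }
    }
    return $false
}

function Get-PrivateKeyFile {
    # Resolves the file that stores the private key of a certificate in
    # Certificates (Local Computer) > Personal.
    param([string]$Thumbprint)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "No RSA private key is associated with certificate $Thumbprint." }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                               # CNG key
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CryptoAPI key
    }
    $dirs = "$env:ProgramData\Microsoft\Crypto\Keys",
            "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
    $file = $dirs | ForEach-Object { Join-Path $_ $name } |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $file) { throw "Key file '$name' not found; the key may be held by a hardware or custom provider." }
    return $file
}

function Test-RDGatewayPermissions {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # RD Gateway SSL certificate
        [Parameter(Mandatory)][string]$MessageFile   # path shown on the Messaging tab
    )
    $keyFile = Get-PrivateKeyFile -Thumbprint $Thumbprint
    $keyAcl  = Get-Acl -LiteralPath $keyFile
    $regAcl  = Get-Acl -Path $TsgMessagingKey
    $read    = [int][System.Security.AccessControl.FileSystemRights]::Read
    $full    = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $size    = (Get-Item -LiteralPath $MessageFile).Length

    [pscustomobject]@{
        PrivateKeyFile              = $keyFile
        NetworkServiceCanReadKey    = Test-AllowRule $keyAcl $Sid.NetworkService $read
        SystemFullControlOnRegKey   = Test-AllowRule $regAcl $Sid.System $full
        AdminsFullControlOnRegKey   = Test-AllowRule $regAcl $Sid.Administrators $full
        MessageFileBytes            = $size
        MessageFileUnder64KB        = $size -lt 64KB
    }
}

# Placeholders: substitute the real thumbprint and logon message path.
# Test-RDGatewayPermissions -Thumbprint '<CERT-THUMBPRINT>' -MessageFile '<PATH-TO-LOGON-MESSAGE-FILE>'
```

Any property that comes back False points to the matching procedure above.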

Resolution steps for the following event IDs: 543, 544, 545

To resolve this issue, do the following:

Note: In addition to meeting the requirements of the RD RAP, users on clients must have the right to log on locally to the computer to which they are trying to connect.

Important: If users are connecting to members of an RD Session Host server farm, you must configure an RD RAP that explicitly specifies the name of the Remote Desktop Session Host (RD Session Host) server farm. If the name of the RD Session Host server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the RD Session Host servers that are members of the farm, create a second RD RAP. For more information, see "Create a new RD RAP that specifies the name of an RD Session Host server farm" later in this topic.

Check RD RAP settings on the RD Gateway server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Note: When you associate an RD Gateway-managed computer group with an RD RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the RD Gateway-managed computer group separately. When you associate an Active Directory security group with an RD RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the RD Gateway server. If the internal network computer belongs to a different domain than the RD Gateway server, users must specify the FQDN of the internal network computer.

To check RD RAP settings on the RD Gateway server:

1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console tree, select the node that represents the local RD Gateway server, which is named for the computer on which the RD Gateway server is running.

3. In the console tree, expand Policies, and then click Resource Authorization Policies.

4. In the results pane, in the list of RD RAPs, right-click the RD RAP that you want to check, and then click Properties.

5. On the User Groups tab, note the name of the user group, so that you can ensure that the specified user group exists in Active Directory or Local Users and Computers. Then, check whether the user account for the client is a member of this group. For instructions for Active Directory security groups, see "Confirm that the Active Directory security group specified in the RD CAP exists, and check account membership for the client in this group." For instructions for local security groups, see "Confirm that the local security group specified in the RD CAP exists, and check account membership for the client in this group" later in this topic.

6. On the Computer Group tab, if Allow users to connect to any network resource is selected, proceed to step 7. If Allow users to connect to any network resource is not selected, do one of the following:

   - If Select an existing Active Directory Domain Services network resource group is selected, note the name of the network resource group, so that you can ensure that the specified group exists in Active Directory Domain Services or Local Users and Computers. Then, check whether the computer account for the computer that the client is trying to connect to is a member of this group.

   - If Select existing RD Gateway-managed computer group or create a new one is selected, ensure that the name of the RD Gateway-managed computer group is correct, and that the computers in this group exist and can be contacted on the network.

7. Click OK to close the Properties dialog box for the RD RAP.

8. If an incorrect network resource group is specified or if the RD Gateway-managed computer group is not correctly configured, modify the settings of the existing RD RAP or create a new RD RAP. For information about how to create an RD RAP, see "Create an RD RAP" in the RD Gateway Manager Help in the Windows Server Technical Library (http://technet.microsoft.com/en-us/library/cc772397.aspx).

After you check RD RAP settings, ensure that the local or Active Directory Domain Services network resource group specified in the RD RAP exists, and that the user account for the client is a member of the appropriate security group. Also, ensure that the computer group specified in the RD RAP exists.

To perform these procedures, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing these tasks as a user without administrative credentials.

Confirm that the Active Directory Domain Services network resource group specified in the RD RAP exists, and check account membership for the client in this group

To confirm that the Active Directory Domain Services network resource group specified in the RD RAP exists:

1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

2. In the console tree, expand Active Directory Users and Computers/DomainNode/, where the DomainNode is the domain to which the security group belongs.

3. Right-click the domain, and then click Find. In the Find Users, Contacts, and Groups dialog box, type the name of the security group that is specified in the RD RAP, and then click Find Now.

4. If the group exists, it will appear in the search results.

5. Close the Find Users, Contacts, and Groups dialog box.

To check account membership for the client in this network resource group:

1. On a computer running Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then click OK.

2. In the console tree, expand Active Directory Users and Computers/DomainNode/Users, where the DomainNode is the domain to which the user belongs.

3. In the details pane, right-click the user name, and then click Properties.

4. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD RAP, and then click OK.

5. Expand Active Directory Users and Computers/DomainNode/Computers, where the DomainNode is the domain to which the computer that the client is trying to connect to belongs.

6. In the details pane, right-click the computer name, and then click Properties.

7. On the Member Of tab, confirm that one of the groups listed matches one of the groups that is specified in the RD RAP.

Confirm that the local security group specified in the RD RAP exists, and check account membership for the client and the target computer in this group

To confirm that the local security group specified in the RD RAP exists, and to check account membership for the client and the target computer in this group:

1. On the RD Gateway server, open Computer Management. To open Computer Management, click Start, point to Administrative Tools, and then click Computer Management.

2. In the console tree, expand Local Users and Groups, and then click Groups.

3. In the results pane, locate the local security group that has been created to grant members access to internal network resources (computers) through the RD Gateway server. The group name or description should indicate whether the group has been created for this purpose.

4. Right-click the group name, and then click Properties.

5. On the General tab, confirm that the user account is a member of this group, and that this group is one of the groups that is specified in the RD RAP.

6. Click OK to close the Properties dialog box for this group.

7. In the results pane, locate the local security group that contains the computers that clients can access through the RD Gateway server.

8. Right-click the group name, and then click Properties.

9. On the General tab, confirm that the computer account of the target computer (the computer that the client is trying to connect to) is a member of this group.

Create a new RD RAP that specifies the name of an RD Session Host server farm

Complete the steps in the following procedure if this error occurs when clients are connecting to members of an RD Session Host server farm.

Important: If users are connecting to members of an RD Session Host server farm, you must configure an RD RAP that explicitly specifies the name of the RD Session Host server farm. If the name of the RD Session Host server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the RD Session Host servers that are members of the farm, create a second RD RAP.

When you create a second RD RAP to specify the RD Session Host servers that are members of the farm, complete the steps in the following procedure, but for step 9, do the following instead: On the Computer Group tab, select the Select an Active Directory Domain Services network resource group option, and then specify the group that contains the RD Session Host servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory Domain Services group.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To create a new RD RAP that specifies the name of an RD Session Host server farm:

1. Open Remote Desktop Gateway Manager. To open Remote Desktop Gateway Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the console tree, click to select the node that represents your RD Gateway server, which is named for the computer on which the RD Gateway server is running.

3. In the console tree, expand Policies, and then click Resource Authorization Policies.

4. In the console tree, right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.

5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.

6. In the Description box, enter a description for the new RD RAP.

7. On the User Groups tab, click Add to select the user groups to which you want this RD RAP to apply.

8. In the Network Resource dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:

   - Type the name of each user group, separating the name of each group with a semi-colon.

   - Add additional groups from different domains by repeating step 7 for each group.

9. On the Network Resource tab, do the following:

   a. Click Select an existing RD Gateway-managed computer group or create a new one, and then click Browse.

   b. In the Select an RD Gateway-managed computer group dialog box, click Create New Group.

   c. On the General tab, type a name and description for the new group.

   d. On the Network Resources tab, type the name of the RD Session Host server farm that you want to add, click Add, and then click OK to close the New RD Gateway-Managed Computer Group dialog box.

   e. In the Select an RD Gateway-managed computer group dialog box, click the name of the new computer group, and then click OK to close the dialog box.

10. On the Allowe

Element properties:

Target: Microsoft.Windows.Server.2012.R2.RemoteDesktopServicesRole.Service.RDGateway
Parent Monitor: System.Health.ConfigurationState
Category: Custom
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType
Remotable: True
Accessibility: Public
Alert Message:
  RD Gateway Server Configuration Alert
  Event ID: {0} -- Description: {1}
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.Windows.Server.RemoteDesktopServices.2012.R2.NewUnitMonitor_7" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.Server.2012.R2.RemoteDesktopServicesRole.Service.RDGateway" ParentMonitorID="SystemHealth!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLogManualReset3StateMonitorType" ConfirmDelivery="true">
<Category>Custom</Category>
<AlertSettings AlertMessage="Microsoft.Windows.Server.RemoteDesktopServices.2012.R2.NewUnitMonitor_7_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDisplayNumber$</AlertParameter1>
<AlertParameter2>$Data/Context/EventDescription$</AlertParameter2>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="UIGeneratedOpStateIdcd71a3bf13bd4c028a651cd3b3b1072a" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
<OperationalState ID="UIGeneratedOpStateId605bfb045a154b08be3363dae67413be" MonitorTypeStateID="SecondEventRaised" HealthState="Warning"/>
<OperationalState ID="UIGeneratedOpStateId174997ff5ffb4977a7c103ea8069f74d" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>
</OperationalStates>
<Configuration>
<FirstComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>
<FirstLogName>Microsoft-Windows-TerminalServices-Gateway/Admin</FirstLogName>
<FirstExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Channel</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-Gateway/Admin</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">505</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">507</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">509</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">511</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">513</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">515</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">517</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">518</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">519</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">523</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">524</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">530</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">532</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">628</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">526</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">528</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">525</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">543</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">544</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">545</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">563</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">564</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">565</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">583</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">584</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">585</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">622</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">623</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">624</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">627</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">630</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">701</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">702</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2002</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2004</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">3001</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</FirstExpression>
<SecondComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>
<SecondLogName>Microsoft-Windows-TerminalServices-Gateway/Operational</SecondLogName>
<SecondExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Channel</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-TerminalServices-Gateway/Operational</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">402</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">404</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">103</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">102</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</SecondExpression>
</Configuration>
</UnitMonitor>
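The monitor definition above pairs each channel with its own ID list, so an event ID only counts when it arrives on the matching log: Admin-channel matches map to Error and Operational-channel matches to Warning. The following added example (not part of the management pack) replays that matching in PowerShell over constructed sample events. `Get-RDGatewayMonitorState`, `$MonitorRules` and the sample data are names made up here, and treating the latest matching event as the current state (Success when nothing matches) is a simplification that ignores manual resets.

```powershell
# Event IDs copied from the monitor XML: FirstExpression (Admin channel,
# HealthState Error) and SecondExpression (Operational channel, HealthState Warning).
$MonitorRules = @(
    [pscustomobject]@{
        LogName = 'Microsoft-Windows-TerminalServices-Gateway/Admin'
        State   = 'Error'
        Ids     = 505, 507, 509, 511, 513, 515, 517, 518, 519, 523, 524, 525,
                  526, 528, 530, 532, 543, 544, 545, 563, 564, 565, 583, 584,
                  585, 622, 623, 624, 627, 628, 630, 701, 702, 2002, 2004, 3001
    }
    [pscustomobject]@{
        LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        State   = 'Warning'
        Ids     = 402, 404, 103, 102
    }
)

function Get-RDGatewayMonitorState {
    # Accepts objects with LogName, Id and TimeCreated (the property names that
    # Get-WinEvent records carry) and reports the state the rules imply.
    param([object[]]$Events)

    # An event matches only when channel AND ID agree, as in the <And> expressions.
    $hits = foreach ($e in $Events) {
        foreach ($r in $MonitorRules) {
            if ($e.LogName -eq $r.LogName -and $r.Ids -contains $e.Id) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    LogName     = $e.LogName
                    Id          = $e.Id
                    State       = $r.State
                }
            }
        }
    }

    # Simplification: the most recent matching event decides the state.
    $latest = $hits | Sort-Object TimeCreated | Select-Object -Last 1
    [pscustomobject]@{
        State     = if ($latest) { $latest.State } else { 'Success' }
        LastEvent = $latest
        Matches   = @($hits)
    }
}

# Constructed sample events (not taken from a real server).
$admin = 'Microsoft-Windows-TerminalServices-Gateway/Admin'
$oper  = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T08:00:00'; LogName = $oper;  Id = 103 }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T08:05:00'; LogName = $admin; Id = 530 }
    # 402 is watched only on the Operational channel, so this one is not a match.
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T08:10:00'; LogName = $admin; Id = 402 }
)

Get-RDGatewayMonitorState -Events $sample

# Live use on an RD Gateway server (events are filtered client-side by the function):
# $live = $MonitorRules | ForEach-Object {
#     Get-WinEvent -LogName $_.LogName -MaxEvents 500 -ErrorAction SilentlyContinue
# }
# Get-RDGatewayMonitorState -Events $live
```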