Terminal Services Gateway, useful for corporations where large numbers of remote users would still need to be able to take advantage of RDP-based application deployment, allows users to access hosted applications from a centralized web portal accessible over Port 443 (or any other port you choose) via an encrypted HTTPS channel.

To further control access, there are connection authorization policies, or CAPs, that administrators can create to define user groups that are permitted to access TS through the TS Gateway machine, and resource authorization policies, or RAPs, that grant access to resources like an application or a server to only certain groups. So, you can limit hosted application use to only those users that need it while still deploying full-client copies of your programs to users with desktops, laptops, and other devices that can support them.

When you add the TS Gateway role, you are prompted to choose certificates for SSL encryption—either one you already have, one that is created on the fly and self-signed, or one you may choose later. You'll also be asked what types of authorization policies you would like to create—you can defer this selection as well depending on your needs. You should create one of each type of policy in order to get the maximum effect from TS Gateway.

You can create CAPs and RAPs from with Server Manager. Here's how: