Explaining Certificates On The TS Gateway
Monday, 15 December 2008 by Michel Roth
Certificates are in dire need of a good PR agent. Lots of people think certificates are very complicated and tend to steer clear of them. That's really not necessary. Certificates are a very popular way for vendors to facilitate (SSL) encryption. This is true for the Quest Secure Gateway for the CSG and also for the TS Gateway. They all use certificates to secure the traffic. Therefore, the following universal wisdom applies to all these products.

Three types of certificates are involved in these products:

1. Public CA certificate: Windows and various third-party operating systems include a set of built-in third-party public root CAs. If you trust the certificates issued by these third-party public root CAs, you can verify certificates issued by these CAs. Trust is automatic if the following conditions are true:
   1. Your organization uses the default Windows installation
   2. The client software used in your organization also trusts the built-in third-party public root CAs

   In this case, additional trust configuration is not required. Therefore, this is the recommended certificate option for your gateway.

2. Private CA certificate: A private trusted root CA is a root CA that has been deployed by a private or internal PKI. For example, when your organization has deployed an internal PKI with its own root certificate, you must make additional trust configurations. It is not a best practice to use certificates issued by a private PKI for a gateway that supports external connections into your organization. When a private root CA is used, you must update the Windows Trusted Root certificate store on all user devices where certificate authentication is required.

3. Self-signed certificate: A self-signed certificate costs essentially nothing, but it has one disadvantage: self-signed certificates are not trusted by default on the clients. The admin has the added responsibility of distributing the certificates to the clients, and the clients need to put the certificates in their "Trusted" certificate store, which can become a tedious task and is prone to mistakes. Using self-signed certificates on your gateway is not recommended.

Read a full article specifically for the TS Gateway here.
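
To see which of the three cases applies on a given client, the following PowerShell function builds the chain for an exported gateway certificate and reports whether that client trusts it. It is an added example, not code from the original article or from any of the products mentioned. The function name `Get-GatewayCertTrust` and the path `.\gateway.cer` are hypothetical, and treating a root found in the Third-Party Root Certification Authorities store as a public CA is an assumption of the example.

```powershell
# Added example, not from the original article. Get-GatewayCertTrust and the
# sample path at the bottom are hypothetical names chosen for illustration.
function Get-GatewayCertTrust {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $file = (Resolve-Path $CertPath).ProviderPath
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList $file

    # Build the chain as this client would. Revocation checking is turned off
    # so the result reflects only what is in the local trust stores.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Last chain element: the root if the chain is complete, otherwise the
    # highest certificate Windows could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Self-signed: the certificate is its own issuer and nothing sits above it.
    $selfSigned = ($chain.ChainElements.Count -eq 1) -and
                  ($cert.Subject -eq $cert.Issuer)

    # Assumption: a root listed in the Third-Party Root Certification
    # Authorities store (AuthRoot) is treated as a built-in public CA.
    $publicRoot = Test-Path "Cert:\LocalMachine\AuthRoot\$($top.Thumbprint)"

    if ($selfSigned) { $type = 'Self-signed certificate' }
    elseif ($publicRoot) { $type = 'Public CA certificate' }
    else { $type = 'Private CA certificate (or unknown issuer)' }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Type            = $type
        TrustedByClient = $trusted
        TopOfChain      = $top.Subject
        ChainErrors     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Run on a client device against the certificate exported from the gateway.
Get-GatewayCertTrust -CertPath '.\gateway.cer'
```

A `TrustedByClient` value of `False` for a private CA or self-signed certificate marks a device where the root, or the certificate itself, still has to be added to the trusted store.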