The gateway service should not be exposed to the public internet.
The gateway service includes an API which allows you to programmatically provision remote agents (and channels, packages, etc.).
To enable the gateway api service, update the “EnableGatewayApi” in the AppSettings.config file located in the gateway executable directory:
<appSettings> ... <add key="EnableGatewayApi" value="true"/> </appSettings>
In order to provide authentication (and TLS traffic encryption), each client which will access this API must provide a certificate. This certificate must be installed within the “Trusted People” folder of the gateway host machine.
The recommended approach is to create a unique self-signed certificate for each distinct API client. See https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate for information on creating self-signed certificates in Windows.
Once you have created a client certificate, install it into the “Trusted People” folder of the Gateway Host. Note that you must be using the Local Computer Certificates store.