If you perform pen tests on the TSplus server, you might get vulnerability reports.
Please find bellow how to fix them :

- You can generate/import an SSL certificate : https://docs.terminalserviceplus.com/tsplus/https-ssl-certificates-tutorial

- You can manage which protocol to use for HTTPS in AdminTool > Web > HTTPS.
- Adding custom HTTP headers can be done as documented here: https://support.tsplus.net/en/support/solutions/articles/44000038437-how-to-add-a-custom-http-header

- Reducing lockout direction can be done as documented here: https://docs.terminalserviceplus.com/tsplus/advanced-features-lockout 

- The cookie is actually used in JavaScript on client side so it cannot be marked as HTTP only. You can stop using this cookie by disabling "remember last login" in AdminTool > Web > Web Portal > Web Portal Preferences

- You can disable the existing web sessions listing from your AdminTool\ADVANCED\Security tab.

- You can disable specific HTTPS protocols and ciphers using this FAQ : https://support.tsplus.net/a/solutions/articles/44000038420?lang=en

- You can enforce HTTPS protocol using this FAQ : https://support.tsplus.net/a/solutions/articles/44001759115?lang=en

- We would strongly suggest you to try our security product: TSplus Advanced Security, which will enable you to further secure the published remote desktop / remote session as well as add geographic filtering and brute force protection. More on: https://tsplus.net/advanced-security 

- When using Load-Balancing and/or Farm configuration, with a Gateway server and several Application Servers, it is very important that you:

       - always assign an application (even if it is only "Full Desktop") to Administrators who could connect on the Gateway server.

       - always set the setting AdminTool > Advanced > Security > "Only Users With Applications" to "Yes"

to prevent any unauthaurized user to connect to the Gateway server.