Event ID 628 — TS Gateway Server Configuration
Applies To: Windows Server 2008
For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.
Event Details
Product: | Windows Operating System |
ID: | 628 |
Source: | Microsoft-Windows-TerminalServices-Gateway |
Version: | 6.0 |
Symbolic Name: | AAG_EVENT_LB_TSG_EXCEPTION_DISABLE_FAILED |
Message: | The Windows Firewall exception "TS Gateway Server Farm" that allows network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed. |
Resolve
Manually disable the Terminal Services Gateway Server Farm exception in Windows Firewall
To resolve this issue, manually disable the Terminal Services Gateway Server Farm exception in Windows Firewall. You can configure this exception by using Windows Firewall in Control Panel or by using Group Policy.
Note: For optimal security, ensure that the Terminal Services Gateway Server Farm exception is disabled for all TS Gateway servers that are not members of a TS Gateway server farm.
Disable the Terminal Services Gateway Server Farm exception by using Windows Firewall in Control Panel
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To disable the Terminal Services Gateway Server Farm exception by using Windows Firewall in Control Panel:
- Open Windows Firewall. To open Windows Firewall, click Start, click Control Panel, and double-click Windows Firewall.
- In Windows Firewall, click Change Settings.
- On the Exceptions tab, disable the Terminal Services Gateway Server Farm exception by clearing the Terminal Services Gateway Server Farm check box. If this check box is dimmed, Group Policy has been applied to control this exception. To modify Group Policy to disable this exception, see "Disable the Terminal Services Gateway Server Farm exception by using Group Policy" later in this topic.
- Click OK.
- Close Windows Firewall.
Disable the Terminal Services Gateway Server Farm exception by using Group Policy
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
To disable the Terminal Services Gateway Server Farm exception by using Group Policy:
- On a computer running the Group Policy Management Console, start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
- In the left pane, locate the OU that you want to edit.
- To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
- In the right pane, click the Settings tab.
- In the left pane, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
- Right-click each of the following rules (TCP-In, RPC-EPMAP, and RPC HTTP Load Balancing Service), and then click Disable Rule.
- Close the Group Policy Management Console.
- Ensure that the update to Group Policy is applied by running the gpupdate /force command. To run the gpupdate /force command, click Start, click Run, type cmd, and then press ENTER. At the command prompt, type gpupdate /force and then press ENTER.
For more information about configuring Group Policy settings by using GPMC, see the GPMC Help in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=101634).
Verify
To verify that the TS Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the TS Gateway server is configured correctly:
- On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
- In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
- Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
- Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
- Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.