Event ID - 628

Event Id628
SourceMicrosoft-Windows-TerminalServices-Gateway
DescriptionThe Windows Firewall exception "TS Gateway Server Farm" that allows network traffic through TCP port 3388 (so that Terminal Services client connections can be directed to the appropriate TS Gateway servers when load balancing is used) could not be disabled. We recommend that you disable this exception manually by modifying Windows Firewall settings as needed.
Event InformationAccording to Microsoft :
Cause :
This event is logged when the Windows Firewall exception to allow network traffic through TCP port 3388 could not be disabled.
Resolution :
Manually disable the Terminal Services Gateway Server Farm exception in Windows Firewall
To resolve this issue, manually disable the Terminal Services Gateway Server Farm exception in Windows Firewall. You can configure this exception by using Windows Firewall in Control Panel or by using Group Policy.
Note : For optimal security, ensure that the Terminal Services Gateway Server Farm exception is disabled for all TS Gateway servers that are not members of a TS Gateway server farm.
Disable the Terminal Services Gateway Server Farm exception by using Windows Firewall in Control Panel
To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.
To disable the Terminal Services Gateway Server Farm exception by using Windows Firewall in Control Panel:
  1. Open Windows Firewall. To open Windows Firewall, click Start, click Control Panel, and double-click Windows Firewall.
  2. In Windows Firewall, click Change Settings.
  3. On the Exceptions tab, disable the Terminal Services Gateway Server Farm exception by clearing the Terminal Services Gateway Server Farm check box. If this check box is dimmed, Group Policy has been applied to control this exception.
  4. Click OK.
  5. Close Windows Firewall.
Disable the Terminal Services Gateway Server Farm exception by using Group Policy
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.
To disable the Terminal Services Gateway Server Farm exception by using Group Policy:
  1. On a computer running the Group Policy Management Console, start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
  6. Right-click each of the following rules (TCP-In, RPC-EPMAP, and RPC HTTP Load Balancing Service), and then click Disable Rule.
  7. Close the Group Policy Management Console.
  8. Ensure that the update to Group Policy is applied by running the gpupdate /force command. To run the gpupdate /force command, click Start, click Run, type cmd, and then press ENTER. At the command prompt, type gpupdate /force and then press ENTER.
Verify :
To verify that the TS Gateway server is available for client connections, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Terminal Services Gateway service is running, and that clients are successfully connecting to internal network resources through the TS Gateway server.
To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.
To verify that the TS Gateway server is available for client connections:
  1. On the TS Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Terminal Services Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client connected to the TS Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client connected to an internal network resource through the TS Gateway server.
Reference LinksEvent ID 628 from Source Microsoft-Windows-TerminalServices-Gateway

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh