Event ID 627 — RD Gateway Server Configuration

  • Article

Applies To: Windows Server 2008 R2

For remote clients to successfully connect to internal network resources (computers) through a Remote Desktop Gateway (RD Gateway) server, the RD Gateway server must be configured correctly. The RD Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Remote Desktop connection authorization policies (RD CAPs) specify who can connect to the RD Gateway server. Remote Desktop resource authorization policies (RD RAPs) specify the internal network resources that clients can connect to through an RD Gateway server.

Event Details

Product: Windows Operating System
ID: 627
Source: Microsoft-Windows-TerminalServices-Gateway
Version: 6.1
Symbolic Name: AAG_EVENT_LB_TSG_EXCEPTION_ENABLE_FAILED
Message: The Windows Firewall exception to allow network traffic through TCP port 3388 (so that Remote Desktop Services client connections can be directed to the appropriate RD Gateway servers when load balancing is used) could not be configured.

Resolve

Manually enable the Remote Desktop Gateway Server Farm exception

To resolve this issue, manually enable the Remote Desktop Gateway Server Farm exception in Windows Firewall. You can configure this exception by using Windows Firewall in Control Panel or by using Group Policy.

Note: The Remote Desktop Gateway Server Farm exception in Windows Firewall should be enabled for all RD Gateway servers that are members of an RD Gateway server farm. For optimal security, for RD Gateway servers that are not members of an RD Gateway server farm, consider disabling this exception.

Enable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To enable the Remote Desktop Gateway Server Farm exception by using Windows Firewall in Control Panel:

  1. Open Windows Firewall. To open Windows Firewall, click Start, click Control Panel, and click Windows Firewall.
  2. Click Allow a program or feature through Windows Firewall.
  3. Select the Remote Desktop Gateway Server Farm check box, and then click OK.
  4. Close Windows Firewall.

Enable the Remote Desktop Gateway Server Farm exception by using Group Policy

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins, Enterprise Admins, or the Group Policy Creator Owners group, or have been delegated the appropriate control over Group Policy.

To enable the Remote Desktop Gateway Server Farm exception by using Group Policy:

  1. On a computer running the Group Policy Management Console, start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the left pane, locate the OU that you want to edit.
  3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.
  4. In the right pane, click the Settings tab.
  5. In the left pane, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security, and then click Inbound Rules.
  6. If the rules associated with the Remote Desktop Gateway Server Farm exception appear in the list of rules but are not enabled, proceed to step 7. If these rules do not appear in the list of rules, do the following to create and enable them:
    1. Right-click Inbound Rules, and then click New Rule.
    2. In the New Inbound Rule Wizard, on the Rule Type page, click Predefined, click Remote Desktop Gateway Server Farm, and then click Next.
    3. On the Predefined Rules page, verify that three inbound rules appear (one for RPC-EPMAP, one for TCP-In, and one for RPC HTTP Load Balancing Service), and then click Next.
    4. On the Action page, select Allow the connection or Allow the connection if it is secure (and specify any additional options if needed) as appropriate for your environment, and then click Finish.
  7. To enable the rules associated with the Remote Desktop Gateway Server Farm exception (if they appear in the list of rules and are disabled), right-click each of the following rules (TCP-In, RPC-EPMAP, and RPC HTTP Load Balancing Service), and then click Enable Rule.
  8. Close the Group Policy Management Console.
  9. Ensure that the update to Group Policy is applied by running the gpupdate /force command. To run the gpupdate /force command, click Start, click Run, type cmd, and then press ENTER. At the command prompt, type gpupdate /force and then press ENTER.

Verify

To verify that the RD Gateway server is configured correctly, examine Event Viewer logs and search for the following event messages. These event messages indicate that the Remote Desktop Gateway service is running, and that clients are successfully connecting to internal network resources through the RD Gateway server.

To perform this procedure, you do not need to have membership in the local Administrators group. Therefore, as a security best practice, consider performing this task as a user without administrative credentials.

To verify that the RD Gateway server is configured correctly:

  1. On the RD Gateway server, click Start, point to Administrative Tools, and then click Event Viewer.
  2. In the Event Viewer console tree, navigate to Application and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then search for the following events:
    • Event ID 101, Source TerminalServices-Gateway: This event indicates that the Remote Desktop Gateway service is running.
    • Event ID 200, Source TerminalServices-Gateway: This event indicates that the client is connected to the RD Gateway server.
    • Event ID 302, Source TerminalServices-Gateway: This event indicates that the client is connected to an internal network resource through the RD Gateway server.

RD Gateway Server Configuration

Remote Desktop Services