Symptoms
This issue occurs when you use a Security Compliance Manager or Security Configuration Wizard tool to harden on a Windows Server 2012 R2-based server. Additionally, you may receive the following error message:
Information <date & time> Microsoft Windows security auditing. 5157 Filtering Platform Connection
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: <PID>
Application Name: \device\harddiskvolume2\windows\system32\tssdis.exe
Network Information:
Direction: Outbound
Source Address: <some IP>
Source Port: <some port>
Destination Address: <some IP>
Destination Port: 1434
Protocol: 17
To check for Event 5157 in the Security event logs, you may have to enable auditing for Windows Filtering Platform (WFP). To check the current auditing status and to set the correct auditing for Object Access, use the following command:
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
If you use a netsh wfp show filters command to inspect WFP filters, the Filter.xml file shows the following active filter:
<name>WSH Default Outbound Block</name>
<description>Blocks all outbound traffic for services who have been network hardened</description>
Cause
The Remote Desktop Connection Broker (RD Connection Broker) has to enable the UDP port 1434 to connect to the SQL Server. However, the UDP port 1434 is also required for SQL instance searches. Therefore, the UDP port 1434 is not automatically enabled.
Resolution
To resolve this issue, add a WFP rule to enable the RD Connection Broker service to use UDP port 1434.
More Information
Check out how to add a WFP rule to enable the RD Connection Broker to use UDP port 1434.
