
Authorized networks and Microsoft RDP

CraigR1
Level 1

Hi Friends,

I’m having a little trouble understanding authorized networks and using the Microsoft RDP application.

Looking at this page https://help.duo.com/s/article/2155?language=en_US, it says Windows Logon (RDP sessions only) is supported. I’m assuming that is the Microsoft RDP application.

Now I have the login client installed on the RDP server and that all works fine. What I do notice is that in the auth logs on the admin site it reports the internal IP of the server when a user RDPs and Duo auths to the server.

Over to the authorized networks policy part.
If I add the external IP of the client connecting to the RDP server, it doesn’t seem to do anything (still pops up for Duo).
If I add the internal IP of the RDP SERVER for testing, it stops asking for Duo for everyone, since it will always be the server IP, not the client, so not all that useful. (I know it says to only use external IPs for the authorized networks, so I’m guessing this is not the way.)

Am I missing something here?

Thanks folks,
Craig

2 Replies

DuoKristina
Cisco Employee

The whitelisted IP is the one sent to Duo, which is the IP of the system where the Duo application was installed. So, it is correct that the IP sent to Duo is the IP of your RDP server. You cannot whitelist the RDP client IPs.

Duo, not DUO.

bjames
Level 5

Working a similar issue, I did figure out the IP sent to Duo is the NATted one for the server, but when we put it in Authorized networks, the client still gets prompted (Application Policy). The other question is, if you do not want MFA if the client is on an internal network, how do you do that?
