You are allowing RDP into a Windows 10 computer from the Internet without a Remote Desktop Gateway. What I have is RDG+DAG and RDSH. When one logs in from the Internet, it goes through the RDG+DAG. When one logs in from within internal network, it goes directly to the RDSH, bypassing RDG+DAG. For your situation, if you have the resources, set up a RDG with DAG+SSO and make that Windows 10 one of the computers you can access through RDG. Then for external DNS, use the public IP address that points to your RDG, and for internal DNS, use the private IP address to point to same. As long as the RDP has “Bypass RD Gateway server for local addresses” is enabled, it’ll bypass the RDG+DAG server, thus, won’t prompt internal users.

With Duo on Win10 instead of a RDG, you may have to work it differently. You need to authorize the public IP address/subnet of your internal users so that Duo would be bypassed. And, in the internal DNS, point that Win10 to a public IP address. Have the user route out of the firewall so it can register with a public IP address then back into the public IP address of the Win10 PC.

I do not recommend having a Win10 PC directly reachable over the Internet. I use RDG for security reason.

We use RDG for external connections (from the internet). I never said it was open to the internet.

It’s internal connections from within our network (desktop/server RDP to desktop/server within corp network) that I want to bypass MFA, which we don’t use RDG for it’s just a direct RDP connection.

I’m not sure what you mean by having the user “route out of the firewall so it can register with a public IP”. If you have any resources you can point me to I’d greatly appreciate it.

Since you do have RDG, never mind about “route out of the firewall…”. So, set up DAG on RDG. Uninstall Duo from Win10 computer. Diagram:

Duo support’s reply on using Duo Access Gateway

“The Duo Access Gateway wouldn’t be expected to be implemented at all and doing so wouldn’t change how the authentication policies affect your RDP logins. The Duo Access Gateway is our on-premise SAML 2.0 IDP solution and neither RDP nor RD Gateway utilizes SAML when authenticating users.”

You’ve used this implementation successfully?

Sorry. I have DAG, SSO and Duo for Microsoft Remote Desktop Gateway. The latter is likely what you need. Try looking at Two-Factor Authentication for Microsoft RD Gateway on Windows 2012 and Later | Duo Security.

Did you try adding your internal IP to the authorized networks policy?

Duo support stated internal IPs are not allowed for the Authorized Network rules for security reasons. The configuration also states as much:

Specify networks using a comma-separated list of IP addresses, IP ranges, or CIDRs. These must be public IP addresses, and not local or private IP addresses.

Have you been able to use private/internal IPs in the auth network rules?

@acomadmin give it a try. It doesn’t work with all integrations which is why the UI message says that, but for some applications that do not show the web-based Duo interactive 2FA prompt in a browser it is possible to specify a private or internal IP, and Duo for Windows Logon is one of them.

Here’s a Duo KB article that talks a bit more about this.

@BabbittJE nothing you said is unexpected.