Duo MFA on RDWeb/RD Gateway environment


I tried the duo-mfa-rdp and wanted to get some details around our use case scenario to get some inputs before we purchase the product.

- We have two servers hosted in AWS cloud.
- Both servers have their own rdweb and gateway configured.
- Users use the rdweb access and download the remote desktop connection file to connect every time.

Q: Will duo-MFA solution for RDP work in this scenario?
Q: Will it present a challenge right after they have crossed rdweb and connect to the machine using their server credentials, just before the server session loads?

Hi @anmoldangwal, welcome to the Duo Community! Thanks for asking your question here. Duo Authentication for Windows Logon and RDP will work in that scenario, and users will be prompted for two-factor authentication upon logging in to the RDP session with their credentials.

You could also potentially use the Duo integrations for RD Web and RD Gateway, depending on the other constraints you have in your environment. The Duo for Microsoft Remote Desktop Services documentation gives a nice overview with diagrams and explanations for different RDS deployment options. It also explains when 2FA will or will not be required for browser and downloaded RDP files.

If CAP/RAP policies are important to you and/or you would like to have the Duo Authentication Prompt for end-users, you’ll want to use Duo for Windows Logon. You can read about the benefits of using Duo Authentication for Windows Logon over Duo for RD Gateway here.

Hello Amy,

Thank you so much for the information. So from the setup that I have and the solution which I am planning to implement, I have developed the following understanding:

- Duo authentication for Windows logon will prompt even if the users' connections are coming from RD Web > RD Gateway (via remote desktop file published as remote app).

I would like to explain a bit more on the setup:

- The two servers are under different domains; however, there will be common users in both the servers.
- Based on the POC which I was doing all this while, I understand that we can set up users in the Duo admin panel and then associate them with these servers.

Q: Do I have to pay for this common user two times, or is only one license sufficient?


Hi Anmol, apologies for the delay in reply! I missed your follow-up question here. No, you would not have to pay for the user two times. A user only needs to complete enrollment and activation in Duo once to gain access to any or all of your Duo applications. Hope that helps!