We have a Remote Desktop Session (RDS) collection with all of our servers running Windows Server 2016.
We currently have Duo installed on our RD Web Access so that our users get prompted with Duo when they log in to the web portal. This is not enough security for us. The web portal downloads .RDP files that log into our session hosts. A user could easily save an .RDP file on their computer to log in with next time (or worse, an attacker obtains it) so that they bypass the web portal. Because of this, we have to have Duo on either our RD Gateway or our RD Session Hosts to prevent the web portal bypass.
We have been trying out Duo on our RD Gateway but have come across a HUGE issue. Our users are being disconnected after 8 hours, no matter if they're active or idle. It seems like several customers of Duo have been experiencing this issue, but the issue has not been resolved since October 2018. Link here: Duo RD Gateway CAP/RAP Session timeout settings.
A potential workaround is to install Duo right on our session hosts. While this would work, it's extremely frustrating for our users to have to use Duo every time they open an application. RDS gives us the capability to publish apps into a "Work Resources" folder on the users' Start menu. When they click the app, it logs them into the server and opens the app. But when we install Duo on the session host, it asks them to authenticate every time. Since this is not a web-based application, we cannot use the "remembered devices" feature. We also cannot use the "authorized networks" feature because all connections come from the RD Web Access/Gateway, thus appearing to come from an internal IP.
Both of these options greatly affect our users and we don't want to have to choose our poison. Does anyone have any suggestions on how to implement Duo in an RDS environment that's not invasive to users?
If the Duo on RD Gateway bug was fixed, all of this would be a non-issue.
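Before attributing an 8-hour disconnect to the Duo integration, it is worth confirming that neither the RD Gateway connection authorization policy (CAP) nor the session collection itself already enforces a 480-minute limit, since both produce exactly this symptom. The script below is an added example and is not part of the original post or of Duo's own tooling; it assumes it runs with administrative rights on a host that has the RemoteDesktop module, can reach the gateway over CIM/WinRM, and the host names and collection name (`$GatewayHost`, `$Broker`, `$CollectionName`) are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Reads the RD Gateway CAP timeouts and the
# session collection limits so an 8-hour disconnect can be attributed correctly.
$GatewayHost    = 'rdgw.example.internal'   # placeholder: your RD Gateway
$Broker         = 'rdcb.example.internal'   # placeholder: your RD Connection Broker
$CollectionName = 'Work Resources'          # placeholder: see Get-RDSessionCollection for real names

# 1. RD Gateway CAPs: these timeouts apply to every tunnelled RDP connection,
#    regardless of which session host the user lands on.
$caps = Get-CimInstance -ComputerName $GatewayHost `
    -Namespace 'root\CIMV2\TerminalServices' `
    -ClassName 'Win32_TSGatewayConnectionAuthorizationPolicy'

foreach ($cap in $caps) {
    # SessionTimeoutAction as documented for this WMI class: 0 = disconnect,
    # 1 = silently reauthenticate/reauthorize. Verify against your server version.
    $action = if ($cap.SessionTimeoutAction -eq 0) { 'disconnect' } else { 'reauthenticate' }

    [pscustomobject]@{
        Policy         = $cap.Name
        Enabled        = $cap.Enabled
        SessionTimeout = $cap.SessionTimeout   # minutes; 0 means no limit
        IdleTimeout    = $cap.IdleTimeout      # minutes; 0 means no limit
        OnTimeout      = $action
    }

    if ($cap.Enabled -and $cap.SessionTimeout -eq 480) {
        Write-Warning "CAP '$($cap.Name)' already enforces a 480-minute (8 h) session limit with action '$action'."
    }
}

# 2. Session collection limits on the broker: an ActiveSessionLimitMin of 480
#    disconnects users after 8 hours even when the gateway imposes no limit.
$conn = Get-RDSessionCollectionConfiguration -ConnectionBroker $Broker `
    -CollectionName $CollectionName -Connection

$conn | Select-Object ActiveSessionLimitMin, IdleSessionLimitMin,
    DisconnectedSessionLimitMin, BrokenConnectionAction

if ($conn.ActiveSessionLimitMin -eq 480) {
    Write-Warning "Collection '$CollectionName' sets ActiveSessionLimitMin to 480; this alone explains an 8 h disconnect."
}
```

If both checks come back clean (no 480-minute limit at the gateway or the collection), the disconnect is not coming from native RDS configuration and the Duo RD Gateway behaviour described in the linked thread remains the suspect.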