Duo RD Gateway CAP/RAP Session timeout settings

Thanks everyone for keeping this topic alive. @DuoKristina I know we have all been asking for this feature with support and our Account Executives. My account executive didn’t make it sound like there is a way to be “added” to the feature request. Maybe someone at Duo can refer to this thread if they need proof of the need for this feature.


If your AE did not know how to add you to the existing feature request, contact Support. They definitely know how to do that.

Hey all,

Wanted to jump in and ensure we set some expectations around RDG and session timeout. It is a feature we would like to address in the future, but do not have a definitive timeline for beginning development.

To set some context about where we are today, we previously attempted to add this feature to our RDG application. The implementation did not work consistently and will be removed from the product in a future update. In the meantime, we continue to work to address this feature in the correct manner.

This may not be the answer you would like to read today but any registry setting to alter default timeout behavior may break in future updates and in its current state is unsupported.

We ask that the registry setting not be shared as this is an unsupported configuration and may result in unexpected behavior.

If you are looking to be added to the feature request around this, as @DuoKristina said please contact support and they will be more than happy to help.

1 Like

Any update on this at all?

Hi @thecalstanley,

Take a look at our @PatrickKnight 's last post to this thread.

1 Like

Has this been added to any release schedule? I ask because a client of mine is considering dumping Duo if they can’t get a timeline on this. They have a global consultancy that relies heavily on RDS and having them kicked out at 8 hours is an untenable situation. Installing Duo on session hosts is not an option.

1 Like

Ok so we also discovered this after implementing Duo in our environment.

I would like the option to turn this completely off, RD has it’s own timeout settings that can be controlled via policy.

Adding wait to argument - we have been evaluating products for our business, this NON feature is a show stopper.

Duo user and MSP. Our customer asks for new timeout values and copy/paste.
Customer is very impressed with DUO. But now I need to tell them that they cannot change something as simple as the timeout values.
What shall I tell the customer?

I work for an MSP and we just came across this issue with a new client.

This issue has caused a lot of frustration for users as well as us, we spent weeks trying to find the cause only to eventually find out that Duo RDGW takes over the CAP/RAP policies and hard sets the timeout, and the only mention of this in the documentation on the site is a footnote under Testing!, this is something which SHOULD be hightlighted in the documentation at the top Before even reading anything else about the RDGW implementation.

The fact that this is still an issue 18 months after the last Duo RD Gateway update was released is rediculous.
The date on the RDGW installer is from April 2018, and we’re still being told by support that the only workaround is to remove it and install it on the RDS hosts.

We also asked about the inability for this “Recommended Solution” to support the “Authorized Networks” functionality and were basically told that they cannot advise on that as they dont know our network. What’s there to know, you’re talking about removing the app from RDGW and installing the RDS one, this isn’t complicated.
Very disappointing considering you guys developed these various implementations but can’t advise on how they actually work!

Needless to say I will NOT be recommending Duo to any future clients.


Some kind of situation report would be nice, I was added to a feature request a couple of months ago but haven’t heard anything from that. Is there anyway to get this prioritised? It’s a major nuisance.

Is there any update to this Issue? We and our customer have the same Problem with the 8 hour Timeout.

Maybe, if it’s not configurable, it could be set to 14 hours or something by Duo? This would normaly be enough for a Workday.

Hi solae,

We don’t have an update at this time, other than what has been shared on this thread earlier. The issue has been documented, and our team will continue to work to address this feature for the future. We don’t have any timelines or ETAs currently.

Your account executive or customer success manager (CSM), if applicable, may be able to shed some more insight into this than we can provide publicly in the community. I encourage you to speak with them.

Still kinda sad that after 2 years! there is still no solution to fix an simple timeout change.
Youre the only one that has an nice MFA for RD Gateway. We still cant use this now.


Hi @NotKnown

Thank you for sharing your interest on this feature, and for your kind words about our solution for RD Gateway! We know how important this request is to all of you. Please rest assured that the moment we have an update to share here, we will do so.

As @PatrickKnight previously stated, we cannot share the registry setting as this is an unsupported configuration and may result in unexpected behavior. We also ask that you do not do so. (Please note: Any posts including these will be deleted by the mods here).

Anyone who is interested can be added to the feature request by contacting Duo support, your account executive (AE), or your customer success manager (CSM) if you are a Duo Care customer with a dedicated CSM.

If you’re already on the request, and you don’t want to wait for an update from us here, you are welcome to enquire as to the status of this request with your AE or CSM at any time. They usually can share more details than we can in a public forum :slight_smile:

I hope that helps!

Workaround supported or not, if it works = it works. If Engineers deliberately break the workaround then Duo becomes unsuitable as an MFA product for this use case. As it might as well be considered given the existing session limit.

Unfortunately, the lack of progress is sorely disappointing. As is the insistence to recommend installing Duo directly on Session Hosts. Has anyone at Duo ever tried this? It’s frustrating as anything for an end user to constantly have to re-MFA when their session locks.

This needs to be resolved and quickly, else I’m going to seriously begin to reconsider my position on Duo within our organisation. With a bit of time and effort, I can integrate a competitors product (which we get for free) across our systems and cease 250 Duo licenses in the process, saving $$$.

… it shouldn’t matter whether it’s 250 licenses at risk, 25,000 or 25. It’s time for Duo to deliver.


Hi everyone, I’m going to close this thread. As has been stated previously by Duo team members, we cannot share the registry setting as this is an unsupported configuration and may result in unexpected behavior. In addition, we ask that you please do not share this unsupported configuration.

As Amy stated on February 17, anyone who is interested can be added to the feature request by contacting Duo support, your account executive (AE), or your customer success manager (CSM) if you are a Duo Care customer with a dedicated CSM.

In light of COVID-19 and the exponential rise we’ve seen in RDGateway usage, we have updated our Knowledge Base article to include the necessary keys to edit the Max Sessions and Idle Timeout values. These options are still unsupported, but have been tested against Microsoft Server 2012R2 through Server 2019, so please utilize them at your own risk.

We know this has been a long-requested option that has gone unaddressed, and we hope offering these keys as an unsupported option will help improve your experience with Duo, but publishing these keys still does not live up to the expectation we’d like to offer around RDG. Hopefully this helps today and we’ll update the community with additional information we have to share around the future of RDG.

If you have any feedback please DM me here or reach out to me via email at pknight@duo.com



Thank you Patrick,

This has been a long running request. I am so happy that the unsupported work-around information is now being supplied publicly so that the end user can weigh up their options themselves. We can perform our own risk assessment and make a decision whether to implement an unsupported (although working) solution to resolve this issue.

I hope that the realization of how necessary it is for Duo’s RDGateway solution to have options to change these values means that development of a supported solution gains some traction by Duo’s dev team.

Stay safe,