I could not find an article describing what I'm asked to do.
If there is a Microsoft Remote Desktop server with the gateway service installed - is there a way to 2FA only connections using the gateway, but not ‘local RDP’ connections?
Have you already read this?
Hello, thank you Kristina - no I have not, but now I did. (“protect an application” -> “rd gateway” ‘documentation’ redirects to Duo 2FA for Microsoft Remote Desktop Services | Duo Security)
So it is possible to use Duo for external (gateway) connections, but only regular logon for internal RDP sessions?
There are separate apps for RD Gateway, RDWeb, and RDP. Note: if RDWeb is installed on your Gateway or otherwise publicly accessible you should install the RDWeb protection on that server too. The RDP app protection is for RDP logins to a specific server and optionally to protect console logins too.
If you only install the RD Gateway app protection on your RD Gateway then only the Gateway will prompt for MFA. The Session Hosts will not (unless you also install the RDP app protection).