Protecting RDS via RDGateway

I’m currently using the Duo Free edition; I believe we’ll need to move onto the Duo MFA edition as we have over 10 remote users to onboard eventually.

We’re looking to implement Duo for our remote users who currently connect via RD Gateway to an RDServer.
The RDGateway uses a CAP to decide who can/can’t connect through it.
I understand Duo replaces the CAP and RAP.

Whilst testing I want to only implement 2FA for those who are enrolled, letting the other remote users sign on as usual.
In replacing the CAP and RAP, that will remove the restriction for non-remote users connecting through the gateway, won’t it?
How can I block non-authorised users from connecting remotely, whilst allowing non-enrolled users to connect and test 2FA for a handful of users?

TIA

Hi andf,
Welcome to the Duo community.

> In replacing the CAP and RAP, that will remove the restriction for non-remote users connecting through the gateway, won’t it?
>
> How can I block non-authorised users from connecting remotely, whilst allowing non-enrolled users to connect and test 2FA for a handful of users?

  • Given CAP and RAP will not be an option, and given you wish to allow unenrolled users to be able to authenticate, then your only option would be to use logon restrictions on the session host itself rather than on the RDG.

It is possible to use RDGateway to protect your systems.

However, it is recommended to use the RDP client instead if this is an option.

Please see the article below for further details:
https://help.duo.com/s/article/6701

The benefits are: