RD Gateway Implementation Ideas

I know the 3 levels of protection that Duo offers for protecting an RDP farm. But has anyone worked out a less annoying process than any of these options I see? I want to eliminate the VPN.

  • Being double prompted when connecting through RD Web (Duo on RD Web, Gateway)
  • Allowing public web traffic to authenticate without MFA (Only protecting RD Gateway)
  • Allowing public traffic to bypass MFA with an RDP client (Only protecting the RD Web)
  • Allowing all sorts of public traffic to bypass MFA (Only using RDP DUO client)

I was really hoping there was a solution with the DNG, but support tells me there’s not.

Anyone found a cool way of doing things that I didn’t list above?

Hi @krknopp,
I’m sorry to see that no one has replied to this yet with some suggestions for you. Hoping that by bumping the thread, we may be able to get a response here.
Thank you for sharing this question with the community, and welcome! We love to see these types of best practice questions or calls for recommendations and ideas.

You may have come across this article already, and it’s possible the solution won’t work for you, but what we usually recommend to folks is to install Duo only on the endpoint where users are forced to connect during each authentication. See “How often will I be prompted for 2FA when Duo for RD Gateway and Duo for RD Web are both installed?” for more details. Depending on which integration you use, you could then further reduce this so users are not prompted on subsequent remote desktop connections by using Remembered Devices to generate a persisting cookie following an initial authentication.

Since you specifically mention that using one or the other won’t work in your scenario, I take it there’s something I am missing here, but just thought I’d reply and attempt to help anyway!