RD Gateway limitation for MFA with DUO


A major issue we now have with RD Gateway and DUO is the limitation of authentication options with RD Gateway. We have to provide the push, pass code, and phone options to our users due to limited cell coverage areas. We cannot protect the RD Gateway from non-Duo access since all anyone needs to do is configure an RDP session with the gateway settings and go directly to the RDP session w/o MFA. We direct our users to RD Web for access, but the single factor option is not hard to figure out. How can we protect the RD Gateway from allowing access directly or can Duo develop a way to provide the pass code access option to RD Gateway?

David Spyros


Hi dspy11,

You’re correct in your observation that Duo’s protection for RD Gateway limits the factor selection for your users.

A popular alternative that provides more authentication options is to install Duo Authentication for Windows Logon on the target computers. In this scenario RDG authentication uses a single factor (password), and then the interactive Duo MFA prompt is seen when logging on to the remote computer, so users could enter a passcode.

Another option might be to publish RDG using TMG, and then add Duo RADIUS authentication to TMG (https://duo.com/docs/tmg) instead of at the RD Gateway. Duo’s RADIUS authentication lets users append a passcode to the password (password,123456) when logging in.

I hope one of these solutions helps you. Thanks for trying Duo!