Restricting access to RDG or Proxying from NPS and using Duo


#1

Hello

I’m trying to provide 2FA to a small subset of users to specific computers using RDG but found that all connection and authorization policies are no longer available if using Duo for RDG. So I attempted to install the DuoProxy and direct attempts from RDG to the DuoProxy for 2FA, so I could continue to use RAPs and CAPs in RDG. I’ve had some success but am getting an odd error message about “none objects can be quoted” when the proxy forwards the authentication info that it receives from the RDG to Duo.

I could not find any documentation around either further scoping the users and resources in RDG when using Duo, nor any about forwarding RDG NPS auth requests from RDG to Duo, then back to RDG for connection. Is there any guidance around these scenarios?

Todd


#2

Hi Moter,

Unfortunately the Duo Authentication Proxy doesn’t support the type of RADIUS authentication requests sent by RD Gateway’s NPS.

You could install Duo Authentication for Windows Logon on the target computers. In this scenario RDG authentication uses a single factor, and then the Duo MFA prompt is seen when logging on to the remote computer.

Another option might be to publish RDG using TMG, and then add Duo RADIUS authentication to TMG (https://duo.com/docs/tmg) instead of at the RD Gateway.

We’re aware of the issues that come with disabling RDG CAPs and RAPs and plan to address this in a future release of our RD Gateway plugin. Please reach out to Duo Support to add your contact information to the feature request.


#3

Hi there, sorry to bump an old thread.

I am encountering a similar issue where disabling the RD RAPs isn’t ideal for our organization. We need to implement 2FA for External Users only but we also use Terminal Servers in our Interior Network. Most External Users connect to a Terminal Server, however I believe if we install Duo RDP on the Terminal Server, it will require 2FA for both Internal Network RDP and External RDP.

I’ve also tried Duo RD Gateway, but disabling the RD RAP allows anyone who passes the 2FA to connect to any server with Remote Access enabled, which isn’t ideal.

Is there any way around this yet?


#4

Hi Sensuki,

The state of CAPs and RAPs with the Duo RD Gateway application is still the same. If you install Duo’s Windows Logon application on your session hosts you can try whitelisting your internal networks with the Trusted Networks feature.

Thanks for trying Duo!


#5

Cheers, that works fine.