Using DUO with RD Gateway breaks Redirected Printers

Hello all,

Were using DUO some time now and start implementing it as a MSP for all of our RDS environments. Not long after deployment customers complain that they were unable to use redirected printers. After some research with Microsoft Support this is because the CAP and RAP policies are missing that has been taken over when installing DUO on our RD Gateway servers.

We tried uninstalling, but this breaks the whole RD Gateway completely, I still have to look into this to get things moving to the DUO for RDS (On the session hosts). Were not happy about this as we can no longer use trusted IP’s. And we kinda need those to!

Those are the options, if you want to use redirected printers you can’t use trusted IP’s.

Anyone got around this?

(We could get a “ feature request” but as I read the topic of Duo RD Gateway CAP/RAP Session timeout settings that won’t fix it short term.)

DUO for RDS (On the session hosts)

we can no longer use trusted IP’s

Do you mean Duo Authentication for Windows Logon and Duo’s
Authorized Networks? That application does support Authorized Networks when not logging onto the session host local console.

Hello Kristina,

Correct, but in combination with Remote Gateway the ip logged is Always the internal ip of the Remote Gateway.

So for “internal” you could bypass the remote gateway. But as we mostly work with internal cloud, all servers are remote for the user and have to use the remote gateway.

It would be a solution for us is we could still in this case have users bypass 2FA when comming from a known public ip, as they are in the office.

Regards,

Dennis de Groot

So in short we would like to use:

  • External access
  • DUO
  • IP Whitelist (Authorized Networks)
  • Redirected Printers + Drives

If you haven’t already done so, please contact your account executive, MSP partner manager, or Duo Support to capture your use case as a feature request.