Setup (2FA/MFA) for RD Gateway on Windows Server
Remote Desktop Gateway (RD Gateway) Multi Factor authentication (2FA/MFA) configuration adds additional 2FA security for secure access to your Remote Desktop, RDWeb, RemoteApp Access logons on top of Microsoft Entra ID logins. It also blocks connections to your Remote desktop protocol (RDP) servers if users have not passed Multi-factor/two-factor authentication where connection requests are proxied through a Remote Desktop Gateway (RD Gateway). Because RD (Remote Desktop) Gateway gives public network users access to critical resources located within companies, it only makes sense to add layers of access security to RD Gateway access via multi-factor authentication (2FA/MFA) on top of Microsoft Entra ID logins.
Using the miniOrange RD (Remote Desktop) gateway MFA solution with Microsoft Entra ID logins, you can configure 15+ MFA methods like Push Notification through miniOrange authenticator, and out of band methods like SMS and Email link to secure access for users.
Once you have configured the miniOrange MFA solution for the Remote Desktop (RD) gateway, you will have to enter your computer name/username or address and the username along with the password. This can be your Microsoft Entra ID login credentials. Based on your 2FA method, you will receive a notification or SMS/Email link. Once you click on the link, you will be logged in. You can also provide secure access to your Windows and Linux machines with Microsoft Entra ID login using our Windows MFA Solution. Checkout the additional resources (at the bottom of this page) for more details.
Following are the types to secure access for Remote Desktop Services
A user can try to connect to RDS (Remote Desktop Services) via 2 ways:
- Remote Desktop Client (RDC):
If the RemoteApp is launched through a Remote Desktop client application, the users validate their two-factor authentication (2FA) while they enter the username and password (Microsoft Entra ID credentials) to get secure access to the resources. (as this method doesn't support access-challenge response, only out of band authentication methods are supported ).
Check the guide to setup Remote desktop protocol MFA (RDP 2FA/MFA)
- Remote Desktop (RD) WebAccess - Remote Desktop (RD) login page via browser:
If the desktop or RemoteApp is launched through a RD Web Login page, the initial user authentication is done from the machine's AD (Microsoft Entra ID credentials), after which miniOrange challenges the user for two factor authentication(2FA) via a RADIUS challenge request. After the users correctly authenticate themselves, they get secure access to their resources.
Check the guide to setup Remote desktop Web MFA (RD Web 2FA/MFA)
Remote Desktop Gateway (RD Gateway) Multi factor authentication (2FA/MFA) - Authentication Flow:
- User Attempts to access a Remote Machine using the Remote Desktop Client with Username and Password.
- The Username and Password are verified against the Active Directory / Azure AD or any Identity source. (First Factor Authentication)
- Radius Request is sent from the Remote Desktop (RD) Gateway to the Network Policy Server (NPS).
- Based on the policies defined in the NPS, the Radius request is forwarded to the Radius Server (miniOrange Server) for validation.
- miniOrange receives the Radius requests and sends an Two/Multi Factor authentication (Out of Band) request to the user device.
- User validates the Out of Band Request (Email, SMS, Push-Notification MFA / 2FA method). On Success, miniOrange sends back a success response to NPS Server.
- NPS Server redirects it to Remote Desktop (RD) Gateway.
- The user is granted secure access to the Remote Machine.
miniOrange Credential Providers can be installed on Microsoft Windows client and server operating systems to add Multi/two factor Authentication to Remote Desktop. In this way you can get secure access to our 2FA/MFA solution for Remote Desktop (RD) Gateway.
miniOrange supports following Authentication Methods for Multi-Factor Authentication (2FA/MFA):
| Authentication Type | Method | Supported |
|---|
| miniOrange Authenticator |
miniOrange Push Notification |
|
| SMS |
SMS with Link |
|
| Email |
Email with Link |
|
Get Free Installation Help - Book a Slot
miniOrange offers free help through a consultation call with our System Engineers to Install or Setup secure access using Two-Factor Authentication for Remote Desktop (RD) Gateway with Microsoft Entra ID login solution in your environment with 30 days trial.
For this, you need to just send us an email at idpsupport@xecurify.com to book a slot and we'll help you setting it up in no time.
Prerequisites
Follow the Step-by-Step Guide given below to configure Two factor authentication (2FA/MFA) for Remote Desktop (RD) Gateway
1. Configure Remote Desktop (RD) Gateway
- Open the RD Gateway Manager from your Start Menu.
- Right click on your RD server in the left sidebar and click on Properties.
- Select the RD CAP Store tab.
- Select the Central server running NPS radio button and enter the IP address of miniOrange Radius Server and press Add button.
- Enter the DNS: radius.xecurify.com in the host and configure the shared secret and remember this shared secret as it will be required further in the setup.
- Click the Apply button and the click on OK button.
- Open the Network Policy Server manager.
- Expand RADIUS Clients and Servers in the left sidebar
- Select Remote RADIUS Server
- Right click on TS GATEWAY SERVER GROUP and click on Properties
- Select your RADIUS server and press Edit.
- Select the Load Balancing tab and set the timeout settings to 120 seconds
- Click on the Apply button and then click OK button to close the dialog
- Expand Policies in the left sidebar and click on Connection Request Policies
- Right click on TS GATEWAY AUTHORIZATION POLICY and click on Properties
- Click on Settings tab and select Authentication and ensure that it’s set to Forward requests to the remote RADIUS server
- Click on Policies –> Network Policies.
- Double click on your RDG CAP policy
- Click on the Conditions tab
- Select the Called Station ID attribute and press the Edit… button
- Set the value to UserAuthType:(PW|CA)
- Click on the OK button and click on the Apply button
2. Add RADIUS Client in miniOrange
- Login to miniOrange dashboard from the Admin Console.
- Go to Apps. Click on Add Application button.
- From the Choose Application section, select RADIUS (VPN) in the All Apps dropdown.
- Search for RADIUS and click on RADIUS Client to configure the application.
- Click on View RADIUS IPs to get the Radius server IPs.
- Copy and save the Radius server IP which will be required to configure your Radius client.
- Configure the below details to add Radius Client.
| Display Name: |
Any name for your reference. |
| Client IP: |
IP address of VPN server which will send Radius authentication request. |
| Shared Secret: |
Security key.
For Eg. "sharedsecret"
(Keep this with you, you will need to configure same on VPN Server). |
- Click on Save to continue. You will be automatically redirected to the Policies section.
- Click on the Assign group button. A new Configure Group Assignment Modal will open.
- Assign Group: Select the groups you want to link with the application. You can select up to 20 groups at a time.
- If you need to create new group. Click on Add New Group button.
- Enter the Group name and click on Create Group.
- Click on Next.
- Assign Policies: Add the required policies to the selected groups. Enter the following details:
- First Factor: Select the login method from the dropdown.
- If you select Password as the login method, you can enable 2-Factor Authentication (MFA) and Adaptive Authentication, if needed.
- If you select Password-less as login method, you can enable 2-Factor Authentication (MFA) if needed.
- Click on Save. Policies will be created for all the selected groups.
- Once submitted, the newly added policy will appear in the list.
- Navigate to Advanced settings and enable the Include Password & OTP in same Request as shown below.
- Configure the following Advanced settings details for the Radius App.
| Include Password & OTP in same Request |
Keep this option Disabled |
| Send Groups in Response |
Enable this to send user groups as Vendor-Specific Group Attributes. |
- Click on Save.
Step 3: Configure Second Factor for End-Users
3.1: Configure Branding from miniOrange Admin Dashboard.
3.2: Configure 2FA for Users of Remote Desktop (RD) Gateway.
- End users can login to the End-User Portal using the Login Page URL
- Once the End-User is logged in, Click on Setup 2FA from the left pane.
- Here the End-User is provided the option to select the Out of Band Notification Method of his choice.
- Here we have configured SMS Link as a 2FA method for an example.
4. Test your Remote Desktop (RD) Gateway 2FA Setup
- Open Remote Desktop settings. Go to the Advanced tab and click on Settings. Choose the radio button which says, Use these RD Gateway Settings
- Enter your Computer Name/Address and the User Name.
- Enter the Password for RD Gateway.
- You will receive a Notification or message. If you Accept it, then you will be logged in successfully to your Windows RD Gateway .
External References
