Duo integrates with Remote Desktop Web Access (previously Terminal Services) and Remote Desktop Gateway to add two-factor authentication to RD Web and RemoteApp logons.
Important: This document applies to current versions of Duo's RD Gateway applications.
If you have questions about earlier versions, please contact Support.
Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp Access logons, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. This configuration does not support passcodes or inline self-enrollment.
If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access and/or RD Gateway. if they can establish a direct connection on port 3389 to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two-factor authentication.
Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway.
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be required to authenticate with Duo, while all other users will be transparently let through.
Enrolled users that have Duo Push enabled on their smartphone will receive a push authentication prompt. Enrolled users that do not have Duo Push enabled will receive a phone call. Unenrolled users must be imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup).
Then (when you’re ready) change the "New user policy" to "Deny Access." This will cause unenrolled users to be denied access while requiring all enrolled users to authenticate with Duo after they type in their usernames and passwords.
Make sure to complete these requirements before installing Duo Authentication for RD Gateway.
Check your server version. Duo Authentication for RD Gateway supports Windows Server 2008 R2, 2012, 2012 R2, and 2016.
Download and install .NET Framework 4 if not already present on your server.
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Gateway" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all login attempts will be denied if there is a problem contacting the Duo service.
Complete the Duo installation.
To test your setup, launch an application from RemoteApp and Desktop Connections or double-click a saved .RDP file for a published application or desktop. Enter your primary Windows credentials if prompted to do so by the Remote Desktop client. You will then automatically receive a push request in Duo Mobile or a phone call to confirm your identity. The app completes launch after approving the Duo authentication request.
Duo Authentication for Remote Desktop Gateway sets the idle timeout for a Remote Desktop session connecting through the protected RD Gateway server to two hours and the maximum RD session duration to eight hours. To change these defaults, see the FAQ.