Duo integrates with Remote Desktop Web Access (previously Terminal Services) and Remote Desktop Gateway to add two-factor authentication to RD Web and RemoteApp logons.
Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp Access logons, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. Users automatically receive a 2FA prompt in the form of a push request in Duo Mobile or a phone call when logging in. This configuration does not support passcodes or inline self-enrollment.
Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway. If operational requirements mandate continued use of RD CAPs/RAPs, you may want to consider installing Duo for Windows Logon at your RDS Session Hosts instead. This alternative also supports passcode authentication.
Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.
If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.
Duo Authentication for RD Gateway doesn't support inline self-service enrollment for new Duo users. Unenrolled users, that is, users that do not yet exist in Duo with an attached 2FA device, must be created manually by an administrator, imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup).
The Duo username (or username alias) should match the Windows username. When you create your new RD Gateway application in Duo the username normalization setting defaults to "Simple", which means that the if the application sends the usernames "jsmith," "DOMAIN\jsmith," and "firstname.lastname@example.org" to Duo at login these would all resolve to a single "jsmith" Duo user.
Duo for RDG Gateway supports Duo Push and phone callback authentication methods. Duo users must have one of these methods available to complete 2FA authentication.
Read the enrollment documentation to learn more about enrolling your users in Duo.
Make sure to complete these requirements before installing Duo Authentication for RD Gateway.
Check your server version. These instructions are for installing Duo Authentication for RD Web on Windows Server 2012 and later.
Make sure you have installed .NET Framework 4.5 on your RD Gateway server. You can do this, for example, by running the following PowerShell commands:
Import-Module ServerManager Add-WindowsFeature NET-Framework-Core
Also make sure you have installed ASP.NET 4.5 support for IIS. The PowerShell commands for this are:
Import-Module ServerManager Add-WindowsFeature NET-Framework-45-ASPNET
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Enrolled users that have Duo Push enabled on their smartphone will receive a push authentication prompt. Enrolled users that do not have Duo Push enabled will receive a phone call. Unenrolled users, that is, users that do not yet exist in Duo with an attached 2FA device, must be imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup).
Then (when you’re ready) change the "New user policy" to "Deny Access." This will cause unenrolled users to be denied access while requiring all enrolled users to authenticate with Duo after they type in their usernames and passwords.
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Gateway" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Gateway login attempts will be denied if there is a problem contacting the Duo service.
If you enable the UPN username format option, you must also change the properties of your RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Gateway to our service, which may cause user mismatches or duplicate enrollment.
Complete the Duo installation. The Duo installer stops and then restarts the Remote Desktop Gateway service on your RD Gateway server automatically.
To test your setup, launch an application from RemoteApp and Desktop Connections or double-click a saved .RDP file for a published application or desktop. Enter your primary Windows credentials if prompted to do so by the Remote Desktop client. You will then automatically receive a push request in Duo Mobile or a phone call to confirm your identity. The app completes launch after approving the Duo authentication request.
Duo Authentication for Remote Desktop Gateway sets the idle timeout for a Remote Desktop session connecting through the protected RD Gateway server to two hours and the maximum RD session duration to eight hours. There are unsupported controls around idle and session timeout available in our Knowledge Base article here.
You can upgrade your Duo installation over the existing version; there's no need to uninstall first.
Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts the Remote Desktop Gateway service.
If the Duo application denies access to your users, ensure that you have enrolled them in Duo with a username or username alias that matches the username they use to log into Windows, and with a 2FA device attached that is activated for Duo Push or can receive phone calls from Duo, or if you applied a new user policy that allows access without 2FA and expect it to allow the blocked users through that the blocked users do not exist in Duo. Refer to these articles to learn more about user enrollment states and how they combine with policy settings to affect user logins.