Duo integrates with Remote Desktop Web Access (previously Terminal Services) and Remote Desktop Gateway to add two-factor authentication to RD Web and RemoteApp logons.
Duo Authentication for Remote Desktop Gateway adds two-factor authentication to your RemoteApp Access logons, and blocks any connections to your Remote Desktop Gateway server(s) from users who have not completed two-factor authentication when all connection requests are proxied through a Remote Desktop Gateway. This configuration does not support passcodes or inline self-enrollment.
Installing Duo's RD Gateway plugin disables Remote Desktop Connection Authorization Policies (RD CAP) and Resource Authorization Policies (RD RAP). The CAPs and RAPs become inaccessible from the Remote Desktop Gateway Manager and previously configured policy settings are ignored by Remote Desktop Gateway.
If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be required to authenticate with Duo, while all other users will be transparently let through.
Enrolled users that have Duo Push enabled on their smartphone will receive a push authentication prompt. Enrolled users that do not have Duo Push enabled will receive a phone call. Unenrolled users must be imported by an administrator or self-enrolled through another application which supports Duo’s self-service enrollment (see Test Your Setup).
Then (when you’re ready) change the "New user policy" to "Deny Access." This will cause unenrolled users to be denied access while requiring all enrolled users to authenticate with Duo after they type in their usernames and passwords.
Make sure to complete these requirements before installing Duo Authentication for RD Gateway.
Check your server version. This supports RD Gateway on Windows Server 2008 R2 only. If you are running Windows 2012 or later, see the RD Gateway 2012 and later instructions.
Download and install .NET Framework 4 if not already present on your server.
Install ASP.NET 3.5 support if not already present at Web Server → Add Role Services → Web Server → Application Development → ASP.NET.
You can also do this from PowerShell when run as an administrator:
import-module servermanager add-windowsfeature Web-Asp-Net
If you receive an error about missing source for install you may need to mount your Windows Server ISO on your server VM or insert the Windows DVD and rerun the
add-windowsfeature command, appending
-source D:\sources\sxs (replacing D: with the actual drive letter) to the end. See your virtualization vendor's documentation for help mounting the Windows installer ISO on your virtual server.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.
Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Gateway" application you created earlier.
If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to logon without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Gateway login attempts will be denied if there is a problem contacting the Duo service.
If you enable the UPN username format option, you must also change the properties of your RD Gateway application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Gateway to our service, which may cause user mismatches or duplicate enrollment.
Complete the Duo installation. The Duo installer stops and then restarts the Remote Desktop Gateway service on your RD Gateway server automatically.
To test your setup, launch an application from RemoteApp and Desktop Connections or double-click a saved .RDP file for a published application or desktop. Enter your primary Windows credentials if prompted to do so by the Remote Desktop client. You will then automatically receive a push request in Duo Mobile or a phone call to confirm your identity. The app completes launch after approving the Duo authentication request.
Duo Authentication for Remote Desktop Gateway sets the idle timeout for a Remote Desktop session connecting through the protected RD Gateway server to two hours and the maximum RD session duration to eight hours.
You can upgrade your Duo installation over the existing version; there's no need to uninstall first.
Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts the Remote Desktop Gateway service.