Skip navigation
Documentation

Duo Authentication for Microsoft Remote Desktop Services

Duo integrates with Remote Desktop Web Access (formerly Terminal Services Web Access or TS Web Access) or Remote Desktop Gateway (formerly Terminal Services Gateway or TS Gateway) to add two-factor authentication to RD Web and RD Gateway logons.

Important: This document applies to current versions of Duo's RD Web and RD Gateway applications.

  • Duo for RD Web 2.2.0 and later
  • Duo for RD Gateway 2.2.0 and later

If you have questions about earlier versions, please contact Support.

Deployment Architecture

Duo Authentication v2.2.0 for RD Web and RD Gateway supports Windows Server 2008 R2, 2012, 2012 R2, and 2016.

If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access and RD Gateway. If users can establish a direct connection on port 3389 to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two­-factor authentication.

RD Web and RD Gateway

In this scenario Duo two-factor authentication protects logons via browser to the RD Web portal as well as logons via local RDP client and RemoteApp and Desktop Connections from the local system to an RD Gateway server. Users authenticate to Duo when logging on to the RD Web portal and then again when launching a RemoteApp connection through RD Gateway. Connecting to a computer directly from RD Web using the "Connect to a remote PC" feature with RD Gateway authentication is permitted. Downloaded RDP files may be saved for reuse. The RD Web and RD Gateway roles may be deployed on separate servers or on the same server.

When logging on to the RD Web portal users are presented with the Duo enrollment or authentication page after primary authentication. Users connecting to RemoteApp or RDP via RD Gateway from a local client receive an automatic push or phone call from Duo after primary authentication.

Install Duo Authentication for RD Web 2.2.0 (or later) onto your RD Web 2008 R2, 2012, and 2012 R2 servers then install Duo Authentication for RD Gateway 2.2.0 (or later) onto your RD Gateway servers.

RD Web and RD Gateway Architecture

Refer to the Duo Authentication for Remote Desktop Web and Remote Desktop Gateway instructions.

RD Web Only

In this scenario Duo protects logons via browser to the RD Web portal. Connections to RDS initiated outside a browser session (such as via double-clicking a configured RDP file) are blocked. RD Gateway connections do not require two-factor authentications.

After your remote users pass primary login to the RD Web portal, they receive the Duo enrollment or authentication page. When Duo authentication succeeds, the users proceed to the RemoteApp and Desktop Connection web console and see any published RemoteApp programs and virtual desktops.

Install Duo Authentication for RD Web 2.2.0 (or later) onto your RD Web 2008 R2, 2012, and 2012 R2 server. You may install Duo Authentication for RD Web onto a server hosting both the RD Web and RD Gateway roles but after completing installation only the RD Web portal will be protected with Duo two-factor authentication. To protect both RD Web and RD Gateway roles on the same server see RD Web and RD Gateway.

RD Web Only Architecture

Refer to the Duo Authentication for Remote Desktop Web instructions.

RD Gateway Only

In this scenario Duo protects logons via local RDP client and RemoteApp and Desktop Connections from the local system to an RD Gateway server. RD Web browser logons are not protected with two-factor authentication. However, RemoteApp connections initiated from an RD Web Access browser session that use the RD Gateway server with Duo installed are protected by Duo.

If the user has activated the Duo Mobile app, Duo initiates an automatic push to authenticate after primary login to RD Gateway succeeds. Otherwise, Duo will call the user's phone to complete two-factor authentication.

Install Duo Authentication for RD Gateway 2.2.0 (or later) onto your RD Gateway servers 2008 R2, 2012, and 2012 R2. You may install Duo Authentication for RD Gateway onto a server hosting both the RD Web and RD Gateway roles but after completing installation only RD Gateway connections will be protected with Duo two-factor authentication. To protect both RD Web and RD Gateway roles on the same server see RD Web and RD Gateway.

RD Gateway Only Architecture

Refer to the Duo Authentication for Remote Desktop Gateway instructions.

Known Issues

Please refer to the RDS FAQ for information about unsupported configurations and known issues.

Troubleshooting

Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free