---
locale: "en"
updated_at: "2026-06-19T10:43:58.117Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/mfa-implementation/remote-desktop-gateway"
---

# Apply MFA to Remote Desktop Gateway sessions

Configuration, NPS agent, advanced settings.

## Introduction

The Remote Desktop Gateway (RD Gateway) allows users to access internal resources over HTTPS without requiring a VPN.
While this makes remote access easier, it also **exposes a potential entry point** to the corporate network.

UserLock can enforce MFA when users connect through RD Gateway, adding a **strong layer of identity verification** before granting access.

The following sections explain how to enable MFA for RD Gateway connections, why installing the NPS Agent is recommended, and what to do if the agent cannot be deployed.

## Configure MFA for RD Gateway sessions

To apply MFA to users connecting through RD Gateway:

1. **[Install the UserLock Desktop Agent](/userlock/docs/guides/deploying-agents/desktop-agent)** on all target machines that users connect to via RDP.
Without it, UserLock cannot enforce MFA or session protection.
2. **Create or edit an MFA access policy**
If needed, refer to the guide [Configure an access policy](/userlock/docs/getting-started/configuration-access-policy) for step-by-step details.
3. In the MFA policy rules, **enable MFA**.
4. Select the **connection type** to choose where MFA should apply:
  | Value | Description | Note |
  | --- | --- | --- |
  | **All** | Enforce MFA on all connections | Local, remote and from outside sessions |
  | **Remote** | MFA applies to remote sessions | ⚠️** Requires the NPS Agent** *(see below)* |
  | **From outside** | MFA applies only to external connections | ⚠️** Requires the NPS Agent or the advanced IP setting** *(see below)* |
5. Save your changes and verify that MFA is triggered when connecting through RD Gateway.

## About the NPS Agent

When users authenticate through RD Gateway, the request is handled by a Network Policy Server (NPS) installed locally with the RD Gateway.

Installing the **UserLock NPS Agent** on this NPS server allows UserLock to detect the **real external IP address** of the remote client.

| Situation | What UserLock sees | Impact |
| --- | --- | --- |
| ✅ **NPS Agent installed** on the RD Gateway server | The **real public IP address** of the remote client | MFA can be applied automatically based on “From outside” or “Remote” |
| ❌ **NPS Agent not installed** | The **IP of the RD Gateway** | - The session is considered “inside” the network. - MFA won't trigger for "Remote" connections - MFA won’t trigger for “From outside” connections unless you apply the advanced setting below. |

## How to consider the RD Gateway IP address as outside

If the NPS Agent cannot be deployed, you can manually tell UserLock to treat the RD Gateway IP address as external.

**To do this:**

1. Open the UserLock console.
2. Go to **Server settings ▸ Advanced settings**.
3. Find the option **IP considered outside**.
4. Add the IP address of your RD Gateway.
5. Save the configuration.

This ensures that MFA applies even though the RD Gateway’s IP belongs to your internal network.

> **Note**
>
> By default all IP addresses outside of the following ranges will be considered as outside connections:
> 
> - 10.0.0.0 - 10.255.255.255
> - 172.16.0.0 - 172.31.255.255
> - 192.168.0.0 - 192.168.255.255
> - fc00::/7
> - fe80::/10
