How to apply MFA to Remote Desktop Gateway sessions
The Remote Desktop Gateway server is typically located in a corporate or private network. It acts as the gateway through which RDP connections from an external network pass to reach target workstations on the corporate or private network.
Pre-requisites
- The Desktop agent must be installed on all machines targeted by the RDP sessions
NOTE:
UserLock identifies the gateway address for these sessions, and this address is considered to be “inside” the corporate or private network. To protect these sessions at the level of the protected account, you must therefore configure either:
- MFA for all,
- RDP, or
- RDP from outside (Please refer to the procedure below).
How to consider the Remote Desktop Gateway IP address as outside
On the UserLock server, open the console and press F7 to view the Advanced settings. Locate the value “IPConsideredOutside” and ensure that the IP address of the Remote Desktop Gateway is entered.
NOTE:
By default all IP addresses outside of the following ranges will be considered as outside connections:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- fc00::/7
- fe80::/10
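
The following added example (not UserLock code) models the inside/outside rule described on this page, so you can check which session addresses would fall under an "RDP from outside" MFA policy before and after the gateway address is entered in IPConsideredOutside. The function names, the sample addresses and the treatment of the setting as a list of single addresses are assumptions made for illustration.

```python
import ipaddress

# Default "inside" ranges exactly as listed on this page.
DEFAULT_INSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",       # 10.0.0.0 - 10.255.255.255
    "172.16.0.0/12",    # 172.16.0.0 - 172.31.255.255
    "192.168.0.0/16",   # 192.168.0.0 - 192.168.255.255
    "fc00::/7",
    "fe80::/10",
)]


def classify(client_ip, considered_outside=()):
    """Return 'inside' or 'outside' for the address a session is seen from.

    considered_outside models the IPConsideredOutside setting as a list of
    individual addresses (assumed format, for illustration only).
    """
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on bad input
    overrides = {ipaddress.ip_address(a) for a in considered_outside}
    if addr in overrides:
        return "outside"  # an explicit override wins over the default ranges
    if any(addr in net for net in DEFAULT_INSIDE):
        return "inside"
    return "outside"


def audit(sessions, considered_outside=()):
    """Map each (label, ip) pair to its classification."""
    return {label: classify(ip, considered_outside) for label, ip in sessions}


# Constructed sample: an RD Gateway on a private address, a LAN client,
# a direct connection from a public (documentation-range) address, and
# an IPv6 link-local client.
GATEWAY_IP = "10.0.5.20"
SESSIONS = [
    ("via-rd-gateway", GATEWAY_IP),
    ("lan-workstation", "192.168.1.44"),
    ("direct-public", "203.0.113.7"),
    ("ipv6-link-local", "fe80::1"),
]

if __name__ == "__main__":
    print("default :", audit(SESSIONS))
    print("override:", audit(SESSIONS, considered_outside=[GATEWAY_IP]))
```

With the default ranges alone, the session arriving through the gateway is classified as inside; once the gateway address is listed as an override, only that session changes to outside.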