How to apply MFA to Remote Desktop Gateway sessions
The Remote Desktop Gateway server typically is located in a corporate or private network. It acts as the gateway into which RDP connections from an external network connects through to access target workstations located on the corporate or private network.
Pre-requisites
- Desktop agent must be installed on all target machines in RDP sessions
About the IP address of a client who accessed via RD Gateway
If the NPS agent is installed on the NPS server authenticating the RD Gateway, UserLock identifies the real IP address of the client who accessed via RD Gateway. To protect these sessions with MFA at the level of the protected account, configure the Connection types setting with the value corresponding to your needs:
- "All"
- "Remote"
- "From outside"
Otherwise UserLock identifies the gateway address for these sessions and this address is considered as "inside" the corporate or private network. To protect these sessions with MFA at the level of the protected account, you must therefore configure the "Connection types" setting with one of the following values:
- "All"
- "From outside" (please refer to the procedure below for this specific case).
How to consider the Remote Desktop Gateway IP address as outside
At the UserLock Server while using the console, press F7 to view the Advanced settings. Locate the value “IPConsideredOutside”. Ensure that the value of the RDS Gateway is entered.
NOTE:
By default all IP addresses outside of the following ranges will be considered as outside connections:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
- fc00::/7
- fe80::/10