Bypass the RD Gateway for local addresses - Direct Access + MFA

  • Question

  • I've stumbled upon a problem: the Windows 10 (1803) Direct Access client does not use the "Bypass the RD Gateway for local addresses" function when using RDWeb RemoteApps. The reason we want to use the bypass feature is that we enforce MFA for external users but don't want it for Direct Access clients.

    When using the same Direct Access client with a standalone mstsc.exe, entering the as the target computer and as the gateway, with the setting "Bypass the RD Gateway for local addresses", it works: no MFA is enforced for the user.

    We have the following setup. The server names and IP addresses are fictitious.
    2 nodes RDGW & RDWeb (Server 2016) - and
    2 nodes RDCB (Server 2016) - and
    2 nodes Azure MFA Server (Server 2016) - and
    1 node Direct Access (Server 2016) -
    The MFA solution is set up using RADIUS + NPS.

    We use Split-DNS.
    (RDGW & RDWeb) - Externally points to Loadbalancer and internal points and (No LB).
    (Direct Access) - Externally points to Loadbalancer and no internal record.
    (Connection Broker) - Externally points to no record and internally points to , and the whole * is present in the NRPT table with and as the only excluded entries.
    We only use IP-HTTPS for Direct Access.

    When we use Test-NetConnection -ComputerName '' -Port 3389 from a Direct Access client, the test is successful. When we disconnect the Direct Access tunnel and run the same cmdlet, it is not successful. If we change the ComputerName/DNS to , the test is also successful when the Direct Access tunnel is up.

    Can this be related?

    Thursday, January 3, 2019 11:25 AM
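A diagnostic that reproduces the poster's Test-NetConnection check and adds the DNS side of the question (which NRPT rule the broker name falls under and what address it resolves to). This is an added example, not part of the original post; the hostnames are placeholders standing in for the RDCB and RDGW names omitted above.

```powershell
# Added example (not from the post). Placeholders for the names omitted in
# the question; replace with the real connection broker and gateway FQDNs.
$Broker  = 'rdcb.corp.example.com'
$Gateway = 'rdgw.corp.example.com'

function Get-RdsPathDiagnostics {
    param([string]$Broker, [string]$Gateway)

    # DirectAccess tunnel state (NetworkConnectivityStatus module, Windows 8+).
    $da = Get-DAConnectionStatus

    # NRPT rule governing the broker name: the longest matching suffix wins,
    # so an exclusion such as the one described in the post is found first.
    $nrpt = Get-DnsClientNrptPolicy |
        Where-Object { $Broker -like ('*' + $_.Namespace) } |
        Sort-Object { $_.Namespace.Length } -Descending |
        Select-Object -First 1
    $nrptNamespace = if ($nrpt) { $nrpt.Namespace } else { '(none: resolved by local DNS)' }
    $nrptServers   = if ($nrpt) { $nrpt.NameServers -join ', ' } else { '' }

    # Addresses the client actually gets for the broker through its current path.
    $addrs = Resolve-DnsName -Name $Broker -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 'A', 'AAAA' } |
        Select-Object -ExpandProperty IPAddress

    # TCP 3389 straight to the broker (the path the gateway bypass depends on)
    # and TCP 443 to the gateway (the path that enforces MFA).
    $direct = Test-NetConnection -ComputerName $Broker  -Port 3389 -WarningAction SilentlyContinue
    $viaGw  = Test-NetConnection -ComputerName $Gateway -Port 443  -WarningAction SilentlyContinue

    [pscustomobject]@{
        DAStatus        = $da.Status
        NrptNamespace   = $nrptNamespace
        NrptDnsServers  = $nrptServers
        BrokerAddresses = ($addrs -join ', ')
        BrokerPort3389  = $direct.TcpTestSucceeded
        GatewayPort443  = $viaGw.TcpTestSucceeded
    }
}

# Run once with the DirectAccess tunnel up and once with it down and compare.
Get-RdsPathDiagnostics -Broker $Broker -Gateway $Gateway | Format-List
```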


All replies