RDS from Internet with MFA/RADIUS with exceptions from specific external IP-addresses

  • Question

  • Hi all,

    I'm trying to set up an RDS environment where users who are connecting from the internet are provided with Multi-factor authentication, but with the possibility to bypass MFA when connecting from specific IP-addresses.

    The MFA part is working; however, I can't seem to figure out how to bypass MFA for specific IP-addresses. Does any of you have experience with this?

    Regards,

    Sebastiaan

    Friday, January 8, 2016 4:12 PM

Answers

  • Hi Amy,

    Trusted IPs won't work with RADIUS-authentication, because the RD Gateway doesn't pass the access client IP to NPS/RADIUS.

    Currently we're working around the issue by having added another gateway-server, without redirecting authentication-requests to MFA, and using that one for the 'internal' connections. The other one is configured for use with MFA and is being redirected to from the web.

    Thursday, January 14, 2016 9:41 AM

All replies

  • I'm trying to set up an RDS environment where users who are connecting from the internet are provided with Multi-factor authentication

    Hi Sebastiaan,

    Which kind of Multi-Factor Authentication was configured?

    If it’s Azure Multi-Factor Authentication, please configure Trusted IPs to bypass multi-factor authentication for users that are signing in from the company’s local intranet.

    More information for you:

    Configuring Azure Multi-Factor Authentication

    https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-whats-next/

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 11, 2016 7:57 AM
    Moderator
  • Yes, it's Azure MFA, in combination with NPS and Remote Desktop Gateway.

    For Trusted IP's to work, RADIUS-attribute 66 needs to be passed on to the RADIUS-server, which isn't being propagated by NPS/RDGW. So this is no option.

    Monday, January 11, 2016 8:19 AM
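The claim above is that the access client's IP never reaches the MFA side because RADIUS attribute 66 (Tunnel-Client-Endpoint, RFC 2868) is not forwarded. One way to verify that from a packet capture of the NPS-to-MFA traffic is to decode the Access-Request and look for the attribute. The following is an added Python example, not code from the thread or from Microsoft; the two RADIUS packets are constructed inline, with the stripped-down one standing in for what the thread says RD Gateway/NPS forwards.

```python
import struct

# RADIUS attribute type numbers (RFC 2865; attribute 66 is defined in RFC 2868)
USER_NAME = 1
NAS_IP_ADDRESS = 4
TUNNEL_CLIENT_ENDPOINT = 66


def parse_radius_attributes(packet: bytes) -> dict:
    """Return {attribute_type: [value_bytes, ...]} for one RADIUS packet.

    Header: code(1) id(1) length(2) authenticator(16); attributes follow as type/len/value.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def tunnel_client_endpoint(attrs: dict):
    """Return the Tunnel-Client-Endpoint string, or None if attribute 66 is absent.

    RFC 2868 permits a leading tag octet (0x00-0x1F) in front of the endpoint text.
    """
    values = attrs.get(TUNNEL_CLIENT_ENDPOINT)
    if not values:
        return None
    raw = values[0]
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii", errors="replace")


def build_access_request(avps, ident: int = 1) -> bytes:
    """Assemble a constructed Access-Request (code 1) with an all-zero authenticator for testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: a request without the client address and one that carries it (tag 0x00).
REQUEST_WITHOUT_CLIENT_IP = build_access_request([(USER_NAME, b"sebastiaan"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))])
REQUEST_WITH_CLIENT_IP = build_access_request([(USER_NAME, b"sebastiaan"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),
                                              (TUNNEL_CLIENT_ENDPOINT, b"\x00203.0.113.7")])
```

Run the parser over Access-Request payloads captured on UDP 1812 between NPS and the MFA server; a `None` result confirms the attribute was dropped before the Trusted IPs check could use it.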
  • Hi Sebastiaan,

    As far as I know, bypass via Trusted IPs only works from inside a company’s intranet.

    There isn’t any built-in method that I am aware of to achieve your goal.

    Best Regards,

    Amy



    Thursday, January 14, 2016 8:49 AM
    Moderator
  • Hi Sebastiaan,

    Thank you very much for sharing the workaround!

    Best Regards,

    Amy



    Monday, January 18, 2016 3:40 AM
    Moderator
  • Check this check box in the RD Gateway configuration in the Server Manager: "Bypass RD Gateway server for local addresses"

    Regards, Prabhat Nigam XHG and AD Architect and DR Expert Website: msexchangeguru.com VBC: https://www.mcpvirtualbusinesscard.com/VBCServer/wizkid/card

    Friday, February 10, 2017 5:54 AM
  • Hi Amy,

    Trusted IPs won't work with RADIUS-authentication, because the RD Gateway doesn't pass the access client IP to NPS/RADIUS.

    Currently we're working around the issue by having added another gateway-server, without redirecting authentication-requests to MFA, and using that one for the 'internal' connections. The other one is configured for use with MFA and is being redirected to from the web.

    Hi Sebastian
    We have the same situation: RDS from Internet with MFA/RADIUS with exceptions from specific external IP-addresses.

    Made a quick test with two RD Gateways and tried in each RDGW NPS to configure one with and the other without MFA function (on premises).
    Thus it did not work as wanted. Either both got verified or neither of them. It looks like one server's NPS config interfered with the other !!??

    Any tips what can be wrong, or any details of your double Gateway config? Did it work?

    Regards Jan

    Thursday, September 27, 2018 8:09 AM