HA for Azure MFA server RRS feed

  • Question

  • Hello Team,

    The full RDS with MFA setup is deployed on Azure with Azure AD and Azure Azure Active Directory domain services. We have slave MFA server but it is disabled at the moment and not taking any replication.

    We have 2 load balanced RDS gateway servers and NPS installed on the same and both servers pointing to same radius client which is our MFA server.

    Now, we have to add another MFA server and load balance it. My question is which load balancer we should use, Azure internal load balancer or an NLB setup.

    Once the load balancer is setup, what all configurations I need to perform on NPS and MFA server.

    Akshay Vithalkar; MCTS(AD) MCTS(Network Infra) MCTS(Server Vitrtualization) MCITP(WindowsServer 2K8) MCSA(WindowsServer 2K8) MCTS(WindowsServer 2K12) MCTS(ExchangeServer 2013) MCTS(Office365 Identities and Requirements) MCTS(Enabling Office 365 Services)

    Thursday, July 16, 2020 7:48 PM

All replies

  • Hi,

    Kindly note that the forum supports discussion and queries on RDS related issues. Thus we have limited knowledge of MFA on Azure, you may post your questions in follow forum to get more effective assistance.


    MFA forum: https://docs.microsoft.com/en-us/answers/topics/azure-ad-multi-factor-authentication.html


    Moreover, below link instructs some points when considering to deploy HA of MFA servers.

    Quoted the RADIUS related one:


    Using RADIUS standard to achieve high availability.

    If you are using Azure MFA Servers as RADIUS servers, you can potentially configure one MFA Server as a primary RADIUS authentication target and other Azure MFA Servers as secondary authentication targets. However, this method to achieve high availability may not be practical because you must wait for a time-out period to occur when authentication fails on the primary authentication target before you can be authenticated against the secondary authentication target. It is more efficient to load balance the RADIUS traffic between the RADIUS client and the RADIUS Servers (in this case, the Azure MFA Servers acting as RADIUS servers) so that you can configure the RADIUS clients with a single URL that they can point to.


    Link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy-ha


    This "Remote Desktop Services (Terminal Services)" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.




    "Remote Desktop Services (Terminal Services)" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Remote Desktop Services (Terminal Services)"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.

    Friday, July 17, 2020 5:18 AM