Avoid connecting clients over tcp/3389

  • Question

  • I have a KEMP load balancer with a 2012 R2 RDS farm consisting of 2 servers running gateway+web access, 2 brokers, and 2 hosts.  All servers and KEMP's eth1 ("farm" interface) are in the same trusted subnet, while KEMP's eth0 ("network" interface) is in the perimeter.

    When I connect a Win 7 client to KEMP's RDWeb virtual hostname and launch a RemoteApp, I see a direct tcp/3389 connection to the particular host serving the app.  One of the mandatory PCI-DSS requirements for RDS/RemoteApp is to strictly enforce multi-factor authentication (Duo) on every logon attempt; unfortunately clients can bypass the MFA mechanism if they skip the Gateway and directly connect to the host via tcp/3389.

    According to this article all RDS connections can go through the Gateway via tcp/443 without the need of tcp/3389 across the firewall; how can we achieve this?

    https://redmondmag.com/articles/2013/12/24/rd-gateway-in-windows-server.aspx

    Thanks in advance.

    *All servers running 2012 R2.

    Tuesday, September 13, 2016 11:09 PM

Answers

  • Hi,

    Try to uncheck the setting: Bypass RD Gateway server for local address on RD Gateway server.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by rwen915151515 Wednesday, September 14, 2016 4:52 PM
    Wednesday, September 14, 2016 5:42 AM
    Moderator
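The setting Jay refers to is the deployment's "Bypass RD Gateway server for local addresses" flag. As an added example (not from the thread or from Microsoft's documentation), the following PowerShell reads that flag from the broker, turns it off so that every RemoteApp session must traverse the gateway on tcp/443, and shows a quick client-side check; the broker and gateway names are placeholders for this deployment.

```powershell
# Added example: audit and correct the RD Gateway bypass-for-local-addresses
# setting on a 2012 R2 RDS deployment. Assumes the RemoteDesktop module is
# present (RDS management tools) and that the two names below are
# placeholders for this farm's active broker and its published gateway name.
Import-Module RemoteDesktop

$Broker  = 'broker01.corp.example'   # placeholder: active RD Connection Broker FQDN
$Gateway = 'rdgw.corp.example'       # placeholder: gateway FQDN published through KEMP

# Read the deployment-wide gateway settings. BypassLocal = True is what lets
# a client in a "local" address range open tcp/3389 straight to the session
# host, skipping the gateway and the MFA enforced there.
$cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
$cfg | Format-List GatewayMode, GatewayExternalFqdn, LogonMethod, UseCachedCredentials, BypassLocal

# Force every connection through the gateway. GatewayMode Custom requires the
# external FQDN, logon method and credential settings to be restated together.
if ($cfg.BypassLocal) {
    Set-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker `
        -GatewayMode Custom `
        -GatewayExternalFqdn $Gateway `
        -LogonMethod Password `
        -UseCachedCredentials $true `
        -BypassLocal $false `
        -Force
}

# Verify the change was applied.
(Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker).BypassLocal   # expect False

# Client-side check (run on the Win 7 test machine while a RemoteApp is open):
# with bypass disabled, established sessions should go to the gateway on 443,
# and no session host should appear on 3389.
netstat -ano | findstr /C:":3389" /C:":443"
```

Firewall rules that drop tcp/3389 from the perimeter to the farm subnet remain worthwhile, since the deployment setting only governs what the RDP client is told to do, not what the network permits.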

All replies

  • Thank you that worked perfectly!
    Wednesday, September 14, 2016 4:52 PM