Hi All,
Not too long ago we decided to upgrade our older 2008 R2 Terminal Services to 2012 R2 RemoteApps. Originally we had planned on having one machine with the RD Web and RD Broker roles installed and then two Session Host machines. Something else that is different about this setup from our previous one is that we wanted to use two-factor authentication.
We setup two-factor authentication on the RD Web server and it works fine. The problem is once a user has downloaded an RDP file, they can run it and get around our two-factor authentication and just have username/password authentication.
After some reading I found that a way to fix this was to add the RD Gateway role to our RD Broker / RD Web server to force the connections to go through it, and then block 3389 to the session hosts from anywhere besides the RD Gateway / RD Broker / RD Web server.
One thing I have noticed that is quite odd: in the settings for the RD Gateway, if I have "Bypass RD Gateway for local addresses" checked, everything seems to work (as long as I am not blocking 3389 to the session hosts from anywhere but the gateway, which is something I should be able to do if the gateway was working correctly), but I still have the same problem of the RD app files being usable to get around the two-factor. Then, when I have the same thing unchecked, I seem to be unable to run the apps. This leads me to believe I have the RD Gateway configured incorrectly?
I have a valid certificate from a known issuer configured on the server. The vendor we are using for two-factor is Duo Security.
Any input / thoughts are appreciated. If there is a way to get RD Web to work on its own and have the RDP files only be usable once or something, I would also be okay with that solution.
Thanks,
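The two settings the post is wrestling with (forcing the collection through the gateway with "bypass for local addresses" off, and limiting 3389 on the session hosts to the gateway box) can be set and checked from PowerShell. This is an added example written for this thread, not code from the poster or from Microsoft's documentation; the collection name, broker and gateway FQDNs and the gateway IP are placeholders, and the RDP-file check relies on the documented meaning of `gatewayusagemethod` (1 = always use the gateway, 2 = bypass it for local addresses).

```powershell
# Added example: enforce RD Gateway use for a 2012 R2 RemoteApp collection
# and restrict 3389 on the session hosts. All names/addresses are placeholders.
Import-Module RemoteDesktop

$Collection  = 'RemoteApps'               # placeholder collection name
$Broker      = 'rdbroker.corp.example'    # placeholder RD Connection Broker FQDN
$GatewayFqdn = 'rdgw.example.com'         # placeholder external RD Gateway FQDN
$GatewayIP   = '10.0.0.10'                # placeholder IP of the gateway/broker/web box

# 1. Force every client through the gateway. -BypassLocal $false is the
#    PowerShell equivalent of unticking "Bypass RD Gateway for local addresses";
#    with it ticked, a client on the LAN gets a gatewayusagemethod of 2 and
#    connects straight to the session host, skipping whatever the gateway enforces.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -GatewayMode Custom -GatewayExternalFqdn $GatewayFqdn -BypassLocal $false `
    -LogonMethod Password -UseCachedCredentials $false

# 2. On each RD Session Host: scope the built-in Remote Desktop allow rules to the
#    gateway address instead of adding a separate Block rule (Windows Firewall lets
#    a Block rule win over Allow, so a blanket Block would cut the gateway off too).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $GatewayIP
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 3. Verify a downloaded .rdp file really insists on the gateway. RD Web files are
#    "name:s:value" / "name:i:value" lines; Get-Content copes with the UTF-16 BOM.
function Test-RdpRequiresGateway {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^([^:]+):[si]:(.*)$') { $settings[$Matches[1]] = $Matches[2] }
    }
    $method = 0
    if ($settings.ContainsKey('gatewayusagemethod')) { $method = [int]$settings['gatewayusagemethod'] }
    [pscustomobject]@{
        File            = $Path
        GatewayHost     = $settings['gatewayhostname']
        UsageMethod     = $method
        RequiresGateway = ($method -eq 1 -and -not [string]::IsNullOrEmpty($settings['gatewayhostname']))
    }
}

# Example usage against a file saved from RD Web (placeholder path):
Test-RdpRequiresGateway -Path 'C:\Temp\cpub-notepad-CmsRdsh.rdp' | Format-List
```

If `RequiresGateway` comes back false after re-downloading the file, the collection is still handing out bypass-capable files and the 3389 scoping on the hosts is what actually stops the direct connection.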