I am looking at implementing some sort of multi-factor authentication for a Remote Desktop Gateway at a small office (less than 20 users).
Where would be a good place to start for a quality, economically-feasible solution for a small office?
-Josh
We're running a TSG with client certificates configured to allow users to connect to their desktops. As long as you allow port 443 and properly configure the resource access policy, it works. There's a tutorial on TechNet on how to achieve this.
However, we're only using it for a small number of people, and we've not run into any of the licensing issues that I think sdnelson mentions. I would check this out before progressing any further.
I would use Terminal Services Web Access with client certificates. With the scale you are talking about I think it is going to be the least cost.
Look into the new features of Windows 2008 R2 SP1 beta. It introduces some really nice remote desktop abilities. Some of these may apply to or help you when it's released.
SecureMFA Microsoft RD Gateway OTP Provider (https://www.securemfa.com/downloads/mfa-rds-otp) allows implementation of OTP functionality in RD Gateway. It allows use of the MSTSC client (requires MS RDP client version 8.1 and above) for access with OTP and has its own web portal to allow access using a browser interface.
I believe TSG supports RADIUS, so you can use any two-factor authentication server. Ours starts at $240, so the expense is not that great. You might have to run something else in front of RDP that supports RADIUS and then run the MS RADIUS plugin NPS on AD. Here's a (reg-free) white paper on how to add two-factor auth to your network: http://www.wikidsystems.com/learn-more/two-factor-authentication-white-papers. RDP isn't mentioned, but it describes how to implement a number of services so you can get a good overview (or any service or 2FA server).