
I have been looking into how to secure a publicly-available RDP endpoint and want to implement our two-factor authentication RADIUS server, PhoneFactor. I would like to implement the following process:

  1. User opens up web app in browser
  2. In web app, user enters username + password, initiates RADIUS auth
  3. PhoneFactor calls user to complete auth
  4. Once user is authenticated, port 3389 is opened on user's IP on pfSense firewall.
  5. After some amount of time, firewall rule is removed for that IP

I would like to know the following:

  1. Is this a typical setup? If it is a bad idea, please explain why.
  2. If it is possible, are there any packages that assist with this? Specifically, the third step, where the appropriate firewall rule would need to be added...

Edit: I am aware of TS Web Gateway, but I want the users to be able to use the traditional RDP client...

tacos_tacos_tacos
    You know there's a plugin for phone factor that integrates with Terminal Services right? Gives you two (well, three) factor authentication as a valid Windows logon is required before the Phone Factor authentication (phone call) happens. Plus, not only must the phone call be answered, but you need to know a PIN as well. – gravyface Sep 04 '12 at 23:13
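The five-step flow from the question, as an added example that is not part of the original post and is not PhoneFactor's or pfSense's own code. It assumes PAP RADIUS over UDP to the PhoneFactor server per RFC 2865, a pfSense rule that passes tcp/3389 in on WAN with a table named `rdp_allowed` as its source, and ssh access from the web server to run `pfctl` on the firewall; the table name, the host `root@pfsense`, the shared secret, the test addresses and the 90 second timeout are all assumptions, not values from the page.

```python
# Added example (not from the question or the answer). Assumed: PAP RADIUS per
# RFC 2865 to PhoneFactor, a pfSense rule with table "rdp_allowed" as its source,
# and ssh access to run pfctl on the firewall. No secret or host here is real.
import hashlib
import hmac
import ipaddress
import os
import socket
import struct
import subprocess

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
TABLE = "rdp_allowed"  # assumed pfSense table/alias name

def pap_encrypt(secret, authenticator, password):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(secret, authenticator, enc):
    """Inverse of pap_encrypt (what the RADIUS server does); strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = enc[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")

def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(secret, username, password, ident, authenticator):
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, pap_encrypt(secret, authenticator, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(secret, code, ident, request_authenticator, attrs=b""):
    """Reply framing (RFC 2865 s3): Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def accepted(secret, request, reply):
    """True only for an Access-Accept whose Response Authenticator verifies against
    the request we sent; a Reject, a spoofed reply or a stale identifier is False."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = build_reply(secret, code, ident, request[4:20], reply[20:])
    return code == ACCESS_ACCEPT and hmac.compare_digest(expected[4:20], reply[4:20])

def radius_auth(server, secret, username, password, timeout=90.0):
    """Steps 2 and 3: one Access-Request round trip. PhoneFactor only answers after
    the phone call completes, so the socket timeout has to outlast the call."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(secret, username, password, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return accepted(secret, request, reply)

def pfctl_args(action, client_ip):
    """argv to add/delete one address in the rdp_allowed table. The address comes
    from the HTTP request, so it is parsed as an IP, never interpolated into a shell."""
    ip = ipaddress.ip_address(client_ip)  # ValueError for anything that is not an address
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        raise ValueError("refusing to open RDP for %s" % ip)
    return ["pfctl", "-t", TABLE, "-T", action, str(ip)]

def open_rdp_for(client_ip, firewall="root@pfsense"):
    """Step 4: run on the firewall once radius_auth() has returned True."""
    subprocess.run(["ssh", firewall] + pfctl_args("add", client_ip), check=True)
```

Step 5 (removing the rule after a while) is cheapest as a cron entry on the firewall, `pfctl -t rdp_allowed -T expire 3600`, which drops table entries older than an hour; `pfctl_args("delete", ip)` handles an explicit logout and `pfctl -t rdp_allowed -T show` lists what is currently open. Two practical caveats: the address the web app sees must be the client's real source address (behind a reverse proxy it is the proxy, and a user behind NAT opens 3389 for everyone sharing that public address), and while an entry lives, 3389 answers to anything at that address with no further check, which is the gap a per-connection gateway closes. Expect a pfSense filter reload to repopulate the table from the alias definition, so entries added this way can disappear at that point.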

1 Answer


You want to look into setting up a Network Policy Server (NPS).

Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.

It pretty much does exactly what you are looking for, just connect your RADIUS server (PhoneFactor) to the NPS server then have Remote Desktop use the NPS for authorizing remote connections.

You will also need to set up a Remote Desktop Gateway, but I think you were using the wrong term in your OP: you were not referring to not wanting to set up an RD Gateway, but instead referring to RD Web Access.

Scott Chamberlain