sglee

asked on
Setting up 2FA on RD Gateway

Hi,

I have a Remote Desktop Gateway Server set up on a Windows 2019 network.

Using the Remote Desktop program, users at home connect to their domain-joined computers, whether it is their office PC or a Remote Desktop/Terminal Server.

I need to implement 2FA on the RD Gateway Server to enhance the security level.

How do I go about doing this?

Thanks.


Lee W, MVP

DUO offers this. I have a client using the free version (small client). You install the Duo application for RD Gateway and then enroll users.

You need to pick an MFA provider. Most support RD Gateway, one way or another. If you have Azure AD P1, you can use Microsoft Azure NPS. Otherwise Duo is a great choice, but virtually every MFA vendor will work (I have found only 1 that didn't).
sglee

ASKER

@kevinhsieh
What is Azure AD P1?
How do I know if I have Azure AD P1?
It sounds like Duo is a highly recommended vendor, but I'd like to implement a Microsoft solution if possible, unless Duo or any other MFA provider is better than what Microsoft provides.

Azure AD P1 is part of the Microsoft Azure suite of services that are a part of the Microsoft O365/M365 service offerings.
sglee

ASKER

Since I am new to this, let me ask you.
Which product, Duo or Microsoft Azure AD P1, is easier to implement?

Cisco DUO is much easier to purchase and implement.
sglee

ASKER

Thanks for the recommendation.
Is there a YouTube video that I can watch to understand the product and how it is set up for RD Gateway?

There are probably 100+ videos on YouTube. Have you searched?
sglee

ASKER

No, but I am going to search.

ASKER CERTIFIED SOLUTION
Kimputer
sglee

ASKER

@Kimputer
I saw a product demo on YouTube and read reviews of ESET Secure Authentication.
I like it very much, just as much as CISCO DUO, but ESA is cheaper thanks to its annual flat fee of $69. Everyone praises the product because it is simple to set up and use. However, it received quite a few negative reviews because tech support is useless or non-existent when ESA fails to work.

Would you share your personal experience regarding having to contact ESET tech support?
What do you do when ESA fails to work and tech support is not available or effective?

ESET normally builds on resellers who have knowledge of their products. This is your first line, consisting of already very capable experts. In case they can't solve it (not very often), they themselves have a direct line to ESET support.
It does mean that when searching their website for your local ESET resellers, it's best you check the websites of those resellers and choose accordingly. Don't choose the webshop-only sites, and when you see a site you like, call them to find out how quickly you'll get a personal call, and you can ask how big or intimate their team is. During this initial talk you can gauge how professional they are, and how deep their ESET knowledge is.
sglee

ASKER

@Kimputer
Thanks for the information.
Based on your experience, does ESA go down a lot?
When it stops working, do you usually restart the domain controller, restart the ESA service or reinstall ESA itself?

If it is prone to cause problems, I'd like to stay away from it.
I have seen reviews like "When it works, fine; when it does not, I have found support is useless" or "It seems like ESET does not know what both hands are doing," and it is concerning.

It did not go down for the past year. I had one country with problems, but I suspect it was an inter/telecoms issue (as PUSH messages are sent over the 3/4/5G data networks, and hence not fully ESET's fault), as the other country did not have any problems.
The problem was solved the next day, and you always have a whitelist IP function so users in the office or at home can continue working.
sglee

ASKER

Thanks for sharing your experience; I appreciate it.
Can you elaborate on "you always have a whitelist IP function"?

If for any reason a person can't do 2FA (phone broken, forgotten, network error), just get the IP address where he's at (office PC IP number, or home public IP number) and put it in the whitelist. That person will log in without 2FA until the problem is resolved.
sglee

ASKER

It is good to know there is an option to accept the connection based on IP address.
I will try ESA.
Thanks for your insight.