ScottSouthgate-3070 asked · MarileeTurscak-MSFT edited

RD Gateway and Central NPS server (with Azure MFA NPS Extension)

Hi,

I am testing RD Gateway with the Azure MFA NPS extension. So far I have managed to get this working successfully using one RD Gateway server, a central NPS server, and the Azure MFA NPS extension installed on the central NPS server. I have tested this and all works fine: I RDP to an RD session host / collection via the gateway server, I get prompted on my phone to approve the connection, then the connection resumes and the desktop appears.

However, I need to add a second RD Gateway that has a different public-facing SSL certificate from the one I have working, but it also needs to use Azure MFA. What I am trying to achieve is having 2 RD Gateway servers, both talking to one central NPS server with the Azure extension installed and configured. Unfortunately I cannot seem to get this working. It works so far as I can initiate the connection and I receive the prompt on my phone to approve the connection, but somehow this does not get back to the gateway server to continue the connection. Firstly, has anyone else managed to set up more than one RD Gateway to work with a central NPS server for Azure MFA? If not, will it require a second NPS server for the additional RD Gateway server?

I would be grateful for any help on this.

  • RD Gateway Server(s) are Server 2019

  • Central NPS Server is Server 2019 - Using latest downloadable version of Azure MFA NPS Extension (1.0.1.37)

  • RD Session Host Server is Server 2016, which also has the Connection Broker role installed and configured.


Regards,

Scott S.

KarlieWeng-MSFT answered

Hello @ScottSouthgate-3070

I think this link would definitely help:
Building A Highly Available Remote Desktop Gateway Farm integrated with Azure MFA

Best Regards
Karlie


ScottSouthgate-3070 answered · MarileeTurscak-MSFT edited

Thank you Karlie,

The document you provided is useful and gives very similar instructions to the ones I used to configure one RD Gateway and a central NPS server successfully.

My issue is this: the two gateway servers are not an HA pair. They are separate gateways, which will have different public SSL certificates and different RAP policies pointing to different farms / resources.

What I am having difficulty with is configuring the central NPS server so that if it receives a request from rdwebgw.domain.com it knows to send the Azure response back to rdwebgw.domain.com, and if it receives a request from rdwebgw2.domain.com it knows to send the response back to rdwebgw2.domain.com.

I cannot seem to find any example of how the rules should look on the NPS server.

Perhaps I will need a central NPS server for each RD Gateway, which is fine; I just need to know whether I am wasting my time trying to get a central NPS server working with two completely separate RD Gateway servers.


Regards,

Scott.
[Attached screenshot: 78700-central-nps-server.jpg]

With the different RAP policies and different SSL certificates, I'm not sure if it's possible. I have also only seen this done in HA scenarios. The steps required to configure multiple RD Gateways to work with one RADIUS/NPS server are:

  1. On each RD Gateway, configure it to use the central NPS server.

  2. Add each RD Gateway as a RADIUS client on the NPS server.

  3. Configure the shared secret on both sides.

  4. Test and configure policies.

Remote Desktop connection authorization policies (RD CAPs) can be centralized by pointing your RD Gateway servers at the same NPS server, but Remote Desktop resource authorization policies (RD RAPs) are stored in the rap.xml file on each RD Gateway server.

Sources:

https://social.technet.microsoft.com/Forums/ie/en-US/d4351e8d-9193-4fd4-bde9-ba1d6aca94d1/rds-gateway-move-to-central-nps-server?forum=winserverTS

https://www.rdsgurus.com/creating-a-highly-available-windows-2012-r2-rd-gateway-environment-with-azure-multi-factor-authentication/

I will check with my other contacts to see their thoughts though.

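To illustrate steps 2 and 3 above on the NPS side, here is an added PowerShell example (not from this thread or the linked articles) that registers two separate RD Gateways as RADIUS clients on one central NPS server. The client names follow the rdwebgw/rdwebgw2 hostnames from the thread; the IP addresses are placeholders.

```powershell
# Added example: register two independent RD Gateways as RADIUS clients on a
# central NPS server. Run on the NPS server with the NPS PowerShell module.
# Addresses are placeholders, not values from the thread.
Import-Module NPS

$gateways = @(
    @{ Name = 'rdwebgw';  Address = '10.0.0.11' },   # placeholder address
    @{ Name = 'rdwebgw2'; Address = '10.0.0.12' }    # placeholder address
)

foreach ($gw in $gateways) {
    # Give each gateway its own shared secret; the same value must be entered
    # in that gateway's "Central server running NPS" settings (step 1).
    $secure = Read-Host -Prompt "Shared secret for $($gw.Name)" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Re-create the client if it already exists so address and secret are current.
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $gw.Name }) {
        Remove-NpsRadiusClient -Name $gw.Name
    }
    New-NpsRadiusClient -Name $gw.Name -Address $gw.Address -SharedSecret $secret
}

# Verify: both gateways should be listed, each with its own address. NPS matches
# an incoming Access-Request to a RADIUS client by source address and sends the
# Access-Accept/Reject back to that address, so each gateway gets its own reply.
Get-NpsRadiusClient | Select-Object Name, Address
```

If a gateway's request is not matched to a registered client (wrong address or mismatched secret), NPS drops it silently, which shows up on the gateway as a hang after the MFA prompt; the NPS event log on the central server is the first place to check.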