RD Gateway and Central NPS server (with Azure MFA NPS Extension)

Scott Southgate 1 Reputation point
2021-03-16T15:34:09.8+00:00

Hi,

I am testing RD Gateway with the Azure MFA NPS extension. So far I have managed to get this working successfully using one RD Gateway server, a central NPS server, and the Azure MFA NPS extension installed on the central NPS server. I have tested this and all works fine: I RDP to an RD session host / collection via the gateway server, I get prompted on my phone to approve the connection, and then the connection resumes and the desktop appears. However, I need to add a second RD Gateway that has a different public-facing SSL certificate to the one I have working, but it also needs to use Azure MFA. What I am trying to achieve, therefore, is two RD Gateway servers, both talking to one central NPS server with the Azure extension installed and configured. Unfortunately I cannot seem to get this working. It works so far as I can initiate the connection and I receive the prompt on my phone to approve the connection, but somehow this does not get back to the gateway server to continue the connection. Firstly, has anyone else managed to set up more than one RD Gateway to work with a central NPS server for Azure MFA? If not, will it require a second NPS server for the additional RD Gateway server?

I would be grateful for any help on this.

  • RD Gateway Server(s) are Server 2019
  • Central NPS Server is Server 2019 - using the latest downloadable version of the Azure MFA NPS Extension (1.0.1.37)
  • RD Session Host Server is Server 2016, which also has the connection broker role installed and configured.

Regards,

Scott S.


2 answers

  1. Karlie Weng 14,641 Reputation points Microsoft Vendor
    2021-03-17T06:52:33.54+00:00

    Hello @Scott Southgate

    I think this link would definitely help:
    Building A Highly Available Remote Desktop Gateway Farm integrated with Azure MFA

    Best Regards
    Karlie

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Scott Southgate 1 Reputation point
    2021-03-17T11:48:24.327+00:00

    Thank you Karlie,

    The document you provided is useful and gives very similar instructions to those I used to configure one RD Gateway and the central NPS server successfully.

    My issue is this: the two gateway servers are not an HA pair. They are separate gateways, which will have different public SSL certificates and different RAP policies pointing to different farms / resources.

    What I am having difficulty with is configuring the central NPS server so that if it receives requests from rdwebgw.domain.com it knows to send the Azure response back to rdwebgw.domain.com, and if it receives a request from rdwebgw2.domain.com it knows to send the response back to rdwebgw2.domain.com.

    I cannot seem to find any example of how the rules should look on the NPS server.

    Perhaps I will need a central NPS server for each RD Gateway, which is fine; I just need to know whether I am wasting my time trying to get central NPS working with two completely separate RD Gateway servers.

    Regards,

    Scott.
    [attachment: 78700-central-nps-server.jpg]
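Editor's added example, not part of the thread and not the poster's configuration. The question in the reply above is how the central NPS "knows" which gateway to answer. RADIUS needs no routing rule for that: NPS sends the Access-Accept/Reject back to the source address of the Access-Request, but only if that source is registered as a RADIUS client with a matching shared secret; an unregistered client or a wrong secret makes NPS discard the request silently, which looks exactly like "the approval never gets back to the gateway". The script below, run in an elevated PowerShell on the central NPS server, checks that both gateways from the thread (rdwebgw.domain.com and rdwebgw2.domain.com) are registered clients and then pulls the NPS and MFA-extension events that show what the server actually answered. The friendly name `RDGW2` and the event counts are assumptions.

```powershell
# Added diagnostic for a two-gateway / one-central-NPS setup (editor's example,
# not the thread author's config). Gateway hostnames come from the thread;
# the friendly name and event counts below are assumptions.
Import-Module NPS

$gateways = @('rdwebgw.domain.com', 'rdwebgw2.domain.com')

# 1. RADIUS client registration on this NPS.
#    NPS replies to the source address of each Access-Request, so no per-gateway
#    "send the response here" rule exists; what must exist is one RADIUS client
#    entry per gateway, each with the shared secret configured on that gateway.
$clients = Get-NpsRadiusClient
foreach ($gw in $gateways) {
    $ip = (Resolve-DnsName -Name $gw -Type A -ErrorAction SilentlyContinue |
           Select-Object -First 1).IPAddress
    $match = $clients | Where-Object { $_.Address -in @($gw, $ip) }
    if ($match) {
        "OK       {0} is registered as RADIUS client '{1}' (address {2})" -f $gw, $match.Name, $match.Address
    } else {
        "MISSING  {0} ({1}) has no RADIUS client entry on this NPS" -f $gw, $ip
        # To register it (friendly name is an assumption; the secret must equal
        # the one entered on that gateway's RADIUS server group):
        # New-NpsRadiusClient -Name 'RDGW2' -Address $gw -SharedSecret '<secret from the gateway side>'
    }
}

# 2. What did this NPS actually decide for requests from the gateways?
#    Security log: 6272 = access granted, 6273 = access denied,
#    6274 = request discarded (unknown client or shared-secret mismatch).
$pattern = ($gateways | ForEach-Object { [regex]::Escape($_.Split('.')[0]) }) -join '|'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id,
        @{ n = 'Client'; e = { ($_.Message -split "`r?`n" |
             Select-String 'Client Friendly Name').Line.Trim() } } |
    Format-Table -AutoSize

# 3. The Azure MFA NPS extension's own operational channel shows whether the
#    phone approval was received and what the extension returned to NPS.
Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZOptCh' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Two things to read alongside the output. First, the Connection Request Policy on the central NPS must match requests from both clients (for example by NAS IPv4 Address or a Client Friendly Name pattern) and forward them to the local NPS extension; a policy written for the first gateway's address alone will not match the second. Second, the central NPS is only half of the path: on each gateway's own NPS, the remote RADIUS server group that points at the central server has a per-request timeout, and Microsoft's RD Gateway + NPS extension guide raises it (to 60 seconds) precisely because the default of a few seconds expires before a push approval completes. If the central NPS logs a 6272 for the second gateway but the session still hangs, the second gateway's timeout is the next thing to compare against the working one.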