Channel: Remote Desktop Services (Terminal Services) Forum

RDS Azure MFA - RD Gateway issue


Hi

I have RDS/VDI running internally on Windows Server 2016. I have configured MFA for external RDS users using Azure MFA and Azure Application Proxy with Azure Enterprise Application.

I have created two Enterprise applications: one for RD Web and one for RD Gateway. Only the application for RD Web is being used directly by RDS users. MFA works just fine for external RDS users, but there are some security issues with this solution. If a user saves a .rdf file, they can use this to connect (RDP) to a server without being prompted for MFA - they are still prompted for a password though. Furthermore, if a user knows the URL of the RD Gateway server, they can connect without being prompted for MFA - but they still need to supply their user name and password.

Obviously this is a security issue and I wanted to know if anyone has a "simple" solution for this. I am thinking about redirecting the URL (DNS pointer) of the RD Gateway to Azure, the same way that I did with the RD Web. Has anyone tried that approach?

This is basically what I am thinking of trying: 

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services

Another approach is using NPS (Network Policy Server), but this solution is not very user friendly because the end user will not be prompted to use MFA - they will need to know that they should check their phone/authenticator app.

Kind regards,

Michael Buchardt

