Solved: Duo RD Gateway CAP/RAP Session timeout settings - Page 2

GaryDoven · ‎10-18-2018

Duo is installed and working well on our RD Gateway server. RD Gateway Manager shows

“Due to pluggable authorization, Remote connection authorization policies and Remote Desktop resource authorization policies are no longer used to manage authentication and authorization on this system. Use the appropriate administrative tool to manage these services.”

That is fine and we knew that would be the case from the installation doc.
There is no Duo admin tool for managing this.
My problem now is that since installing and rolling out Duo to users, everyone now has an 8 hour active session limit enforced. That is, the user is actively working and using the computer at the 8 hour mark after they logged in and they are booted out.

How can I lift this limit? Is there an admin section in Duo that I am not aware of?
Cheers

DuoKristina · ‎03-20-2019

Any customer interested in improvements to the Duo RDG plugin should definitely contact their account exec or sales engineer, customer success manager, or Duo Support to submit a feature request.

Duo, not DUO.

Flyer1 · ‎03-22-2019

You are repeating yourself ;). I guess this means, DUO still doesnot have an option for this problem… ?

DuoKristina · ‎03-22-2019

The new poster, who commented two months after the last round of discussion, specifically asked “how do we get that option to be put on a roadmap” in their comment.

I responded to that question, and as the answer for how to get something on the roadmap hasn’t changed, someone who had read the thread in its entirety would indeed note that it was repeated information.

Duo, not DUO.

Flyer1 · ‎03-22-2019

True… But was hoping for a new answer :).

Support told me they found something and are investigating how to fix it, but don’t have any timeframe. Problem is… I can’t stall this much longer for a lot of my customers… Would like to use DUO (as a happy customer of it). But it looks like i’m losing the patience of my customers… so if still nothing to report… no timeframe or even a small indication when we can expect something, we will going investigate the other software option, starting next week. Options like Google Athenticator. So please… tell me … there is more to say about this problem then install it on a session host…

DuoKristina · ‎03-22-2019

It sounds like you have the most up-to-date information. I do hope that during your contacts with Support you’ve submitted your feature requests so they can be considered as we plan future work on the Windows integrations.

Duo, not DUO.

Flyer1 · ‎03-22-2019

My information is also already old. I guess about 2 month… but no updates after that.

Well, will email them again… and otherwise… shame… but like I said… probably that we will dump duo.

Last update, was that the latest DUO (2.3.0) is set the limit to 8 hours. But, because of change of things, it is not easy to fix that without changing something in the authentication framework…

as I have read… installing the duo-rdgateway on our session host, will give someproblems with the duo trusted ip policy?

GaryDoven · ‎03-26-2019

Yes I agree, installing on the session host means that Duo is not aware of the originating IP address, all sessions originate from the gateway… So you cannot have trusted IP. That is the reason we cannot use it on the session hosts. We need trusted IP because there are many shared computers at head office and these computers are locked down.

Maybe this is a push from their sales team to get you to license every single user of shared computers at a trusted site?

M.feld · ‎04-02-2019

I have send support an email about the register keys.
There reaction:

“Currently there is not a way to adjust this timeout. I can add you to the feature request for supporting a configurable session timeout if you would like.”

jholly · ‎04-04-2019

Hi Gary,

What version of windows server are you currently using? I’m having timeout issues with a Windows Server 2012 R2 gateway server with DUO Authentication for Remote Desktop Gateway 2.2.0.16.

jstevens440 · ‎04-10-2019

Duo support advise there is no fix, this is just not acceptable for our users, we are getting so many complaints. Suggestions to use the RDSH agent don’t really work for us, as this doesn’t pass through the IP so we cannot do location whitelisting.

dcustard · ‎04-10-2019

We have the same issue for RD Gateway 2.3.0.18.

GaryDoven · ‎04-10-2019

Thanks everyone for keeping this topic alive. @DuoKristina I know we have all been asking for this feature with support and our Account Executives. My account executive didn’t make it sound like there is a way to be “added” to the feature request. Maybe someone at Duo can refer to this thread if they need proof of the need for this feature.
Thanks

DuoKristina · ‎04-11-2019

@GaryDoven

If your AE did not know how to add you to the existing feature request, contact Support. They definitely know how to do that.

Duo, not DUO.

PatrickKnight · ‎04-11-2019

Hey all,

Wanted to jump in and ensure we set some expectations around RDG and session timeout. It is a feature we would like to address in the future, but do not have a definitive timeline for beginning development.

To set some context about where we are today, we previously attempted to add this feature to our RDG application. The implementation did not work consistently and will be removed from the product in a future update. In the meantime, we continue to work to address this feature in the correct manner.

This may not be the answer you would like to read today but any registry setting to alter default timeout behavior may break in future updates and in its current state is unsupported.

We ask that the registry setting not be shared as this is an unsupported configuration and may result in unexpected behavior.

If you are looking to be added to the feature request around this, as @DuoKristina said please contact support and they will be more than happy to help.

thecalstanley · ‎04-17-2019

Any update on this at all?