Solved: Implementing Duo for RDGateway without affecting existing RemoteApp? - Page 2

solmssen · ‎11-19-2021

Hi all - looking for a little guidance here.

We have a Win2016 Hyper-V host that is not domain-attached running a Win2016 AD server VM called AD01 and a Win2016 RD server VM called ACT01. The ACT01 VM has all the RD roles – RD Gateway, RD Session Host, RD Web, RD Connection Broker, and RD Licensing, and is running a single LOB application – Act. Users in the same location as the server are running local copies of Act on their PCs to talk to the database on ACT01, and we have three branches that are on site-to-site VPN with 2-3 users each running Act via RemoteApp from the same server – not coming through the gateway, just doing straight RemoteApp sessions from their computers over the VPN. We also have about 4 users occasionally using the Remote Desktop Gateway for work-from-home – they are logging in through the gateway to either remote to their office PCs from home, or in one case, just run a RemoteApp session of Act. I also use the RD Gateway to administer ACT01 and the other VMs via RDP for full desktop sessions. I use a CAP/RAP policy to lock down the users that can use the RD Gateway and the machines they can talk to, and I make sure they have good passwords, etc., but it’s long past time to get everything all 2FAed up.

Also running on the Hyper-V server is a completely different virtualized network on a private virtual switch – I completely virtualized their 18-year-old accounting setup. It’s a separate AD domain with its own Win2008R2 AD server, a Win2003R2 server running MSSQL 2000 and Great Plains 8.0 ERP/Accounting, and 6 Win7 Great Plains clients. The users RDP into the Win7 clients from their desktop PCs and run Great Plains from there. I know, I know, but I did what I had to do to keep things running – this was all physical machines when I started with these folks. At least now it’s behind a pfSense firewall that doesn’t let anything in or out except the RDP sessions from the local office PCs to the GP client VMs. And now we are finally in the process of moving to a cloud-based ERP/accounting solution, and the people implementing that want access to the production accounting system. I was hoping to use ACT01 as a jump host – they RDP through the RD Gateway to ACT01, and from there RDP to a Win7 GP client VM that I’ve set up for them on the private virtual network.

What I want to do is 2FA the RD Gateway – so anyone using the gateway from the internet has to use 2FA. I don’t want to make the branch users using the RemoteApp version of Act from ACT01 to have to 2FA – they’re already on machines in the physical stores that are on the VPN, and presumably OK – if not I have bigger problems. But I want anyone coming into the RD Gateway from the internet have to 2FA to get an RD session, either to RemoteApp to ACT01 to run Act, to get a desktop session to use it as a jump host, or to connect to their desktop PCs.

I tried installing Duo for RD Gateway, and it worked pretty much the way I was hoping to talk to any of the other machines behind the gateway - I started the connection, got a push, OKed it, and was able to login to the AD01 server and a couple of other machines. But RDP sessions to the ACT01 server itself started and just died after the push notification was approved. It worked for other machines – I got the push, approved, and logged in. But attempts to login to the RD session host with a desktop session or a RemoteApp session even from within the network, not through the gateway, would send a push, I would approve, and then the session would just close. I thought maybe I needed to install Duo for RD Web as well, and I tried that, but the install just hung before I got to the part where it asks for the keys. I was running out of time in my maintenance window, so I rolled the machine back to a pre-Duo RDG install checkpoint and we’re back at square one.

Any thoughts about the inability to login to the machine Duo was running on? Any thoughts in general? Send brickbats and attaboys my way please…

BabbittJE · ‎12-20-2021

It’s been some time ago when I tried Duo for RDWeb. I am no longer sure but I thought one of the reason I removed Duo for RDWeb on my RDGateway was because I was prompted twice, once for RDWeb and once for RDP. At least externally. I don’t remember the result of internally, i.e., whether or not it prompted you. As for published RemoteApps on the internal side, mine doesn’t prompt but, then again, I don’t use Duo for RDWeb. It might prompt but only once instead of twice. Only thing you can do is try it and report back here your finding. I’d be curious. I only started using RemoteApp a month ago but had RDG/RDW with just Remote Desktop Connection (not RemoteApp) for decades. Good luck.

innovation5 · ‎12-29-2021

I’m curious if anyone knows what level of DUO license you have to have to do this. We have it setup for our RD Gateway and we have DUO Beyond, but I’m wondering if you can protect an RD Gateway with the DUO MFA license level as I’d like to set it up for another org who doesn’t have DUO yet and we’d like to use the cheaper license level if possible. The license options page doesn’t make this very clear.

DuoKristina · ‎01-10-2022

Duo for RD Gateway is included in all Duo plans. Usually we mention the plans that include an application or feature on the relevant docs page when it’s not the case that all plans include it (so when we don’t list the plans on the doc page that means everyone has it).

Duo, not DUO.

neatpinkshark · ‎02-17-2022

Hello all,

I am in the discovery phase of implementing Duo for RD Web in our environment. I unfortunately do not have the luxury of a test environment, so I have to discover any potential “gotchas” BEFORE I deploy anything in production. We have just one server fulfilling all the roles of RD Web, Gateway, Connection Broker, etc. and some of the comments I see here are concerning.

I frequently need to publish/unpublish Remote Apps in our deployment, and I REALLY don’t want to have to build a new RDG server every time I have to do so. Is this something I need to be concerned about? This could be a potential deal breaker for us if so.

solmssen · ‎02-17-2022

If you’re using RD Web and frequently publishing apps, Duo for RDG/RDWeb will be painful. I have confirmed that you can no longer publish apps once it’s installed. You will probably want to use Duo for Windows Login to protect the app server, not RD Web. Another option is AuthLite, which I use and like, but is a very different paradigm.

That said, build yourself a test environment - You can put together a decent VM server for about $1000-$1500 that will let you do anything you want. I have three different test networks on my lab VM server, it’s really helpful, and if it saves you one day of downtime it’s paid for itself…

neatpinkshark · ‎02-17-2022

Thank you for the quick response! I was thinking, if it is as simple as uninstalling Duo long enough to publish a new app, then reinstalling Duo, that might be…doable. But according to the comment above by @BabbittJE remote apps cannot be republished even after uninstalling Duo. Is this true?

solmssen · ‎02-17-2022

Yes - Duo RDG permanently removes the CAP/RAP policy and no further changes can be made to published apps even after it’s removed. I suppose it’s possible to restore a backup from before Duo was installed, or save a VM checkpoint or something, but once Duo is on the machine, that functionality is permanently broken.

neatpinkshark · ‎02-17-2022

Ouch. That seems like something the masses would be clamoring about getting fixed…or at the very least should be included in the official documentation. I’m working with a Duo support engineer who specifically told me that if I had any issues, simply removing the application would restore the CAPs/RAPs to their previous state, and nothing mentioned about inability to publish new apps after installation. It’s too bad because I really wanted to protect the web login itself, not the individual session hosts.

Based on your advice, I’ve spun up a clone of my gateway server and intend to do some additional testing on the clone. Just installing Duo for RD Web, is there any potential for modifications made to the session hosts themselves that might cause issues if/when I revert back to the original config/server?

solmssen · ‎02-17-2022

I honestly don’t know. I think uninstalling Duo for Windows Login will return the machines to their previous state, but I am not sure. My experience is mainly that installing Duo RDG permanently hoses CAP/RAP, and I was unable to publish new apps even after uninstalling.

neatpinkshark · ‎02-17-2022

@solmssen Thank you, very much appreciated…and very glad I checked here before moving forward. I’ve directed the support technician assigned to my case to this thread, will definitely keep you updated if we are able to arrive at a viable solution.

neatpinkshark · ‎02-23-2022

Just wanted to share the rest of my experience installing Duo for RD Web. After directing the assigned Duo support tech to this thread, I received the following response:

"Thanks for the reply.

I searched our case history and I wasn’t able to find much about Remote Apps not being able to be updated, published, etc. The only thing that I was able to find is this: https://help.duo.com/s/article/1403; Which I think that we discussed yesterday. I also reached out to my peers and none of them had experienced this issue.

I reviewed the community thread that you shared. I think there may have been some confusion from the author and the responding admins (especially when they confused RD Gateway with Duo Access Gateway). I do see the author of the post shared an update that re-installing fixed their issue. "

And with that, I decided to go ahead and give it a try. Out of an abundance of caution, I cloned ALL of my servers before making the attempt, powered down the production boxes, and started testing with the clones around 3 AM on a Monday morning. I am happy to report that everything went according to plan; install complete, configuration applied, and all aspects of the project fully tested and confirmed operational by 5 AM. Users can still authenticate, I can still publish apps, the user experience is exactly as I hoped it would be, and the policy is being applied as expected.

With that said, the only thing I am using is Duo for RD Web; I do NOT have Duo for RD Gateway or Duo Access Gateway currently in my environment, which may explain why my experience was different…mileage may vary depending on specific use case. Next I will be deploying Duo for my RRAS server, and I feel the combination of these products should offer sufficient coverage to satisfy our security requirements.

solmssen · ‎02-23-2022

I think your summary is complete - I would only add that it’s Duo for RD Gateway that’s the problem for CAP/RAP and therefore publishing new apps. My install is the exact opposite of yours, I have Duo for RD Gateway installed and not Duo for RD Web, and this has caused me to be unable to publish new apps, and according to @BabbittJE, uninstalling Duo for RD Gateway does not restore CAP/RAP. It’s been a while since I did it but I’m pretty sure I confirmed this with a test VM. Currently, on my test VM with both Duo RDG and Duo RDW installed, I am unable to publish new RemoteApps or unpublish old ones.

BabbittJE · ‎02-23-2022

I agree with @solmssen. It’s not Duo for RD Web that hoses up CAP/RAP. It’s Duo for RD Gateway. After that first experience, I had to create a new RDG/RDW/RDCB/RDLicensingServer, publish apps, clone it and store the cloned one safely somewhere else then install Duo for RDG on the original. All good. The next time I have new apps I need to publish, I’ll have to tear down the original, restore the cloned one, publish the new app, reclone that, then reinstall Duo for RDG. Since you are not using Duo for RDG, it’s not going to apply to you.