Remote Desktop Gateway and ESA RADIUS

A Remote Desktop Gateway Server enables users to connect to remote computers on a corporate network from any external computer.

Use ESA RADIUS to secure the authentication through Remote Desktop Gateway (RD Gateway) with a second factor - approval of push notification.

Prerequisites

Authentication Server and RADIUS installed

Functional Remote Desktop Gateway (RD Gateway)

 

Integration of ESA RADIUS with RD Gateway

The integration consists of two parts, RD Gateway configuration and ESA configuration.

RD Gateway configuration - Use NPS (recommended)

1.Open the Remote Desktop Manager Gateway application.

a.In the navigation tree, right-click the computer name and click Properties.

b.Click RD CAP Store and select Central server running NPS.

c.Enter the IP address of the NPS server, click Add > OK.

2.Open the Network Policy Server application.

a.In the navigation tree, expand RADIUS Clients and Servers, right-click Remote RADIUS Server Groups > New.

b.Define the desired Group name.

c.Click Add.

i.In the Address tab, type the IP address of ESA RADIUS in the Server field.

ii.In the Authentication/Accounting tab:

A.Leave the default value of 1812 in the Authentication port field.

B.Define a desired Shared secret, type it also to Confirm shared secret.

C.Select the check box next to Request must contain the message authenticator attribute.

iii.In the Load balancing tab, set a reasonably high number (e.g., 120) for both the Number of seconds without response before request is considered dropped and Number of seconds between requests when server is identified as unavailable fields. This is to avoid NPS retrying the authentication while the push request is being handled (it can take some time).

iv.Click OK.

d.Click OK.

e.In the navigation tree, expand Policies, select Connection Request Policies, double-click TS GATEWAY AUTHORIZATION POLICY.

i.In the Settings tab, select Authentication > Forward requests to the following remote RADIUS server group for authentication, select the ESA group created in the previous steps.

ii.Click OK.

RD Gateway configuration - Direct integration (not recommended)

When this type of integration is applied, there can be a problem with a very short RADIUS communication timeout. Meaning, more push notifications would be received for the same authentication request.

1.Open Remote Desktop Manager Gateway application.

2.In the navigation tree, right-click the computer name, click Properties.

3.Click RD CAP Store, select Central server running NPS.

4.Enter the ESA RADIUS IP address, which is the IP address of the host computer where the ESA RADIUS component is installed, including the port number. Click Add.

5.Define a desired Shared secret, click OK.

6.Click OK.

ESA Configuration

1.Log in to the ESA Web Console.

2.Navigate to Components > RADIUS, click the RADIUS server you use.

3.Click Create new RADIUS client.

4.Type a desired Name.

5.Enter the IP address of the the client (NSP or RD Gateway depending on the chosen integration method) as the RADIUS server sees it.

a.The IP address of the client can be found in: C:\ProgramData\ESET Secure Authentication\logs\Radius.log

b.Search for the following string in that log file: "Invalid Auth. packet received from : <IP address>:<port>"
The <IP address> and <port> will represent the real IP address and port number.

6.In the Shared secret field, enter the same shared secret you configured in the Remote Desktop Manager Gateway.

7.In the Client Type drop-down menu, select Client validates user name and password.

8.Select the check box next to Mobile Application Push.

9.For Realm, select Current AD domain or Current AD domain and domains in trust.


note

Non-2FA users

If you want to allow users not configured for any 2FA type to be able to log in, select Non-2FA users too.

10.Click Save.

How it works

1.The user enters their domain login credentials (first factor) in the RD Gateway log in dialog.

2.The user receives and approves the push notification (second factor) on their mobile phone.

3.In the subsequent log in dialog, the user enters their login credentials for the target computer.