Mar 22 2020 11:21 PM - last edited on Feb 10 2023 04:51 PM by Allen
Microsoft and many other technology vendors have started to provide services that help people work from home more productively.
The following parts have been implemented:
The following table shows the required ports between the RD Gateway, the NPS server, the internal network and the WAN; these ports must be opened for both inbound and outbound traffic.
Source | Destination | Protocol/Port |
Internet | Gateway WAN NIC | TCP: 443, 80; UDP: 3391 (UDP transport must be enabled on the RD Gateway) |
Gateway LAN NIC | Internal network | TCP/UDP: 3389; TCP: 5504; TCP: 5985 |
Gateway LAN NIC | Domain Controllers | TCP/UDP: 88; TCP: 135; UDP: 123; UDP: 137; TCP: 139; TCP/UDP: 389; TCP: 3268; TCP/UDP: 53; TCP/UDP: 445; TCP: 5985; TCP dynamic ports (NTDS RPC service) |
RD Gateway | NPS Server | UDP: 1812; UDP: 1813 |
RD Gateway | Perimeter network (must be open so that HTTPS traffic from clients on the Internet can reach the RD Gateway server in the perimeter network) | TCP: 443, 80 |
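As an added check that is not part of the original design document, the following PowerShell (run from an RD Gateway; the domain controller and session host addresses are placeholders for this deployment) probes the TCP flows from the table above. The UDP flows (3391, 1812/1813, 88, 53, 123, 137) and the dynamic RPC range are not probed, because Test-NetConnection only completes a TCP handshake on a fixed port.

```powershell
# Added example: verify the LAN-side TCP flows required by the port table.
# Targets are constructed placeholders; replace them with this deployment's hosts.
$checks = @(
    @{ Role = 'Gateway LAN NIC -> Domain Controllers'; Target = 'dc01.corp.example'
       Ports = 88, 135, 139, 389, 445, 3268, 5985 }
    @{ Role = 'Gateway LAN NIC -> Internal network';   Target = '192.168.1.50'
       Ports = 3389, 5504, 5985 }
)

function Test-RdgFlows {
    param([array]$Matrix)
    foreach ($entry in $Matrix) {
        foreach ($port in $entry.Ports) {
            # -InformationLevel Quiet returns $true only if the TCP handshake completes
            $ok = Test-NetConnection -ComputerName $entry.Target -Port $port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Role = $entry.Role; Target = $entry.Target; Port = $port; Reachable = [bool]$ok
            }
        }
    }
}

$report  = Test-RdgFlows -Matrix $checks
$report | Format-Table -AutoSize
$blocked = @($report | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required TCP flow(s) are blocked; fix the firewall before continuing." -f $blocked.Count)
}
```

A successful handshake proves the path is open, not that the service behind it is configured; the UDP RADIUS flows to the NPS server are confirmed later from the NPS event logs.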
A public certificate is required and must contain the following SAN names.
Item | SAN Names |
Domain Certificate | RDS.3TALLAH.COM |
The following table shows the subscriptions and licenses that must be available at deployment time:
Product Name | QTY |
Microsoft 365 subscription (E3 plan) or equivalent (MFA License) | All users |
Microsoft Windows Server 2016 Standard Edition | 3 |
The following table summarizes the Microsoft products that will be deployed:
Product Name | QTY |
Microsoft Windows Server 2016 Standard Edition | 3 |
Network Policy and Access Services (NPS) role | 2 |
Remote Desktop Gateway (RD Gateway) infrastructure | 2 |
Remote Desktop Gateway (RD Gateway) enables users to connect to remote computers on a corporate network from any external computer. RD Gateway tunnels the Remote Desktop Protocol over HTTPS to create a secure, encrypted connection.
The RD Gateway server listens on port 443 (HTTPS), which provides a secure connection through a Secure Sockets Layer (SSL) tunnel.
The following accounts were used:
Account or group name | Source | Description |
Guest001 | Local AD | Account for RD Gateway Access |
Office365 - EndUsers | Local AD | M365 Users License group |
Guest001@3tallah.Com | Local AD | Account to connect with Azure AD |
Server details:
Server Name | IP Address | Role |
RDG01P | 192.168.1.16 | Remote Desktop Gateway server role; Network Policy Server (NPS) role |
RDG02P | 192.168.1.17 | Remote Desktop Gateway server role; Network Policy Server (NPS) role |
The Network Policy Server (NPS) extension for Azure Multi-Factor Authentication (Azure MFA) provides a simple way to add cloud-based MFA to your authentication infrastructure using your existing NPS servers. With the NPS extension, you can add phone call, SMS, or phone app MFA to your existing authentication flow without significantly expanding your authentication infrastructure.
Server details:
Server Name | IP Address | Role |
NPSEx01 | 192.168.1.18 | Network Policy Server (NPS) role; NPS Extension for Azure MFA |
The following steps install the NPS role on the new server:
As a part of the configuration of the NPS extension, you need to supply admin credentials and the Azure AD ID for your Azure AD tenant. The following steps show you how to get the tenant ID:
In this step, you need to configure certificates for the NPS extension to ensure secure communications. The NPS components include a Windows PowerShell script that configures a self-signed certificate for use with NPS.
This script performs the following actions:
To use the script, provide the extension with your Azure AD Admin credentials and the Azure AD tenant ID that you copied earlier. Run the script on each NPS server where you installed the NPS extension. Then do the following:
Once you have an NPS server running on your RDS environment, you need to configure the RD Gateway connection authorization policies to work with the NPS server. The authentication flow requires that RADIUS messages be exchanged between the RD Gateway and the NPS server. This means that RADIUS client settings must be configured on both RD Gateway and NPS server.
Remote Desktop connection authorization policies (RD CAPs) specify the requirements for connecting to an RD Gateway server. By default, RD CAPs are stored locally; MFA requires that they be stored in a central RD CAP store running NPS. Follow the steps below to configure the use of a central store.
On the RD Gateway server, open Server Manager.
The NPS server with the NPS extension for Azure needs to be able to exchange messages with the RD Gateway. To enable this message exchange, you need to configure the NPS components on the NPS server.
You must therefore define an NPS client on the RD Gateway server so that it can communicate with the NPS server that runs the NPS extension.
To allow enough time to validate users' credentials, perform two-step verification, receive the responses, and answer the RADIUS messages, adjust the RADIUS timeout value.
By default, when you configure the RD Gateway to use a central policy store for connection authorization policies, the RD Gateway is configured to forward CAP requests to the NPS server. The NPS server, along with the Azure MFA extension, processes the RADIUS access request. You need to perform the following tasks:
Once you have added the two new policies and disabled the default one, you need to ensure that the policies' status and processing order are correct. Your policy list should look like the picture below:
For the NPS server to function properly in this scenario, it needs to be registered in Active Directory.
The RD Gateway needs to be configured as a RADIUS client to the NPS server.
You need a RADIUS server group to establish communication with the RD Gateway server.
Just like with the RD Gateway server, you must define policies to handle messaging exchange to/from the RD Gateway server.
Once you have added the two new policies, you need to ensure that the policies' status and processing order are correct. Your policy list should look like the picture below:
Because the NPS server with the MFA extension was designated as the central policy store for RD CAPs, you need to implement a new policy on the NPS server to authorize valid connection requests.
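An added example, not the post's own script, for the RADIUS client registration described in the steps above: it uses the NPS PowerShell module so that both sides are registered with the same, randomly generated shared secret. Server names and addresses are those from the server tables; the script is run on NPSEx01 with the RD Gateway list, and on each RD Gateway with the NPSEx01 entry.

```powershell
# Added example (not from the original post). Requires the NPS module that ships with the
# Network Policy and Access Services role; run in an elevated session on the NPS host.
Import-Module NPS

# Generate the shared secret from the CSPRNG instead of a hand-typed phrase.
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_'.ToCharArray()
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # 72 symbols per position; the small modulo bias is irrelevant at 48 characters
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Register each peer as a RADIUS client; re-running updates an existing entry's secret.
function Register-RadiusPeer {
    param([hashtable]$Peers, [string]$SharedSecret)
    foreach ($peer in $Peers.GetEnumerator()) {
        if (Get-NpsRadiusClient -Name $peer.Key -ErrorAction SilentlyContinue) {
            Set-NpsRadiusClient -Name $peer.Key -Address $peer.Value -SharedSecret $SharedSecret
        } else {
            New-NpsRadiusClient -Name $peer.Key -Address $peer.Value -SharedSecret $SharedSecret
        }
    }
    # Show what is now registered (property names as returned by the NPS module)
    Get-NpsRadiusClient | Where-Object { $Peers.ContainsKey($_.Name) } | Select-Object Name, Address
}

$secret = New-RadiusSharedSecret

# On NPSEx01 (192.168.1.18): the two RD Gateways are its RADIUS clients.
Register-RadiusPeer -Peers @{ 'RDG01P' = '192.168.1.16'; 'RDG02P' = '192.168.1.17' } -SharedSecret $secret

# On each RD Gateway: NPSEx01 is a client of the gateway's local NPS, using the same secret.
# Register-RadiusPeer -Peers @{ 'NPSEx01' = '192.168.1.18' } -SharedSecret $secret
```

The same secret also goes into the RD Gateway's remote RADIUS server group entry for NPSEx01, which is set (together with the timeout from the previous step) in the NPS console; move the secret between hosts over a protected channel and clear it from shell history and transcripts afterwards.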
To verify the configuration, you need to connect to your RD deployment through the RD Gateway server. Be sure to use an account that is allowed by your RD CAP.
Open any of the available resources. You may be asked to enter your credentials.
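An added diagnostic, not part of the original post, for this verification step and for the "connects but never prompts for MFA" case: run it on the NPS extension server right after a test connection through the RD Gateway. It correlates the NPS access decisions in the Security log (events 6272 granted, 6273 denied, 6274 discarded) with whatever the Azure MFA extension logged, discovering the extension's event channels by name rather than assuming a channel string.

```powershell
# Added example (not from the original post). Run elevated on NPSEx01 after a test logon.
function Get-RdgMfaTrace {
    param([int]$Minutes = 15)
    $since = (Get-Date).AddMinutes(-$Minutes)
    $firstLine = { ($_.Message -split "`n")[0].Trim() }

    # 1. NPS decisions for RADIUS requests that reached this server
    $nps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } `
               -ErrorAction SilentlyContinue |
           Select-Object TimeCreated, Id, @{ n = 'Summary'; e = $firstLine }

    # 2. Azure MFA extension channels (the extension registers its own AzureMfa logs)
    $mfaLogs = @(Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LogName)
    $mfa = foreach ($log in $mfaLogs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, @{ n = 'Channel'; e = { $log } }, Id, @{ n = 'Summary'; e = $firstLine }
    }

    [pscustomobject]@{
        NpsDecisions     = @($nps)
        MfaEvents        = @($mfa)
        MfaChannelsFound = $mfaLogs
    }
}

$trace = Get-RdgMfaTrace -Minutes 15
if ($trace.MfaChannelsFound.Count -eq 0) {
    Write-Warning 'No AzureMfa event channels exist here: the NPS extension is not installed on this server.'
} elseif ($trace.NpsDecisions.Count -eq 0) {
    Write-Warning 'No NPS decision events: the RD Gateway is not forwarding RADIUS requests to this server (check the RADIUS client entry, the central CAP store setting and UDP 1812 on the firewall).'
} elseif ($trace.MfaEvents.Count -eq 0) {
    Write-Warning 'NPS decided the request but the extension logged nothing: the matching network policy is not passing the request through the Azure MFA extension.'
}
$trace.NpsDecisions | Format-Table -AutoSize
$trace.MfaEvents    | Format-Table -AutoSize
```

A healthy run shows a 6272 on the RD Gateway's own NPS (the proxy), a 6272 on NPSEx01, and extension events on NPSEx01 in the same few seconds; a 6272 on NPSEx01 with no extension events means the user was authenticated by password only.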
The following articles are the references used in this design document:
Title | Reference |
Azure Active Directory | https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis |
Custom Domain Name | https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain |
Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD | https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg |
Remote Desktop Services - Multi-Factor Authentication | https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-mfa |
Add high availability to the RD Web and Gateway web front | https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha |
Remote Desktop Services - High availability | |
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication | https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension |
May 13 2020 08:15 AM
Thank you for this article. Where can one find documentation for the TCP or UDP ports needed between a pair of Remote Desktop Gateway servers?
May 30 2020 08:05 AM
Hi @evon3
For RD Gateway, usually I'm hosting them in the same subnet with the default RDG Windows Firewall rules (3390, 3391); refer to the post below:
https://redmondmag.com/Articles/2013/12/24/RD-Gateway-in-Windows-Server.aspx?Page=1
Feb 27 2023 02:28 PM
Hi there, I've followed your guide (and other documentation on Microsoft) but I am having trouble getting the NPS extension/server to trigger the MFA prompt to the user. I can use the RD shortcut to access a workstation successfully, but it never prompts for MFA.
How can I ensure that the NPS server is sending the authentication request to AzureMFA?