Remote Desktop Gateway and Duo: A Winning Combo
RD Gateway is a solution to allow your employees to connect to office desktops and servers remotely. The connection is secured with the same technology that is used in shopping and banking sites (HTTPS).
Duo Mobile is a smartphone and tablet app that will send a notification to an employee’s phone or tablet when their account connects to the RD Gateway. They will be required to approve or decline the connection.
This ensures that the person connecting to your company resources is the employee who owns the account. For example, if the employee’s password is known by someone else, the bad actor won’t be able to connect because the employee of the compromised account can decline the connection.
Why Not VPN
VPN, when properly configured, is still a safe and secure way for some employees to connect to work resources. However, many employees run into the following issues:
- VPN connection requires more steps: If an employee is just trying to connect to their work desktop, they must connect to VPN and then the remote computer.
- VPN can slow the connection down more than RD Gateway: VPN allows all traffic to and from the work network. Depending on setup and rules, it’s possible that VPN traffic could cause the internet traffic at the office to slow down.
- It can leave your connection more vulnerable to viruses: If the employee’s home computer gets a virus, it’s quite possible for the virus to travel over the VPN connection and infect the office network.
- Network IP space and existing home equipment may create unforeseen challenges: The employee’s home equipment, configuration, Internet provider restrictions and connection quality can frequently interfere with establishing a successful and/or reliable connection.
Here is a quick outline of the process for an employee to set up their connection:
- An employee will receive a text to download and activate the Duo Mobile app.
- They will receive an email with the remote connection and instructions on how to set it up. This is typically only a few steps and can be completed by most people within a few minutes.
Once an employee is set up to remote into an office computer, they will do the following each time:
- Open the remote connection on their home computer (they may have to type in their password).
- Approve the connection on the Duo Mobile app.
- They will then be connected to the office computer with all the installed software, shares and office resources they are used to having on their machines.
Setting up the Entire Solution – a Guideline for Your Techs
These are the steps to take to prepare your environment for the use of the Remote Gateway. With a proper skillset and available computer resources, this should take no more than 2 hours to configure:
- A small Windows Server instance running Remote Desktop Gateway Services
- On a current and fully patched Windows server, add the RD Gateway Role
- Install a valid, 3rd-party signed SSL certificate for your RD Services (namecheap.com is a great option for inexpensive certificates).
- Set up a Duo Security account (duo.com)
- Install and configure an AD Proxy for large-user implementations, or set up or import users for smaller ones. We recommend using the AD Proxy and adding your authorized users to a special Duo group to maintain strict security and account control.
- Install RD Gateway Proxy service on your new RD Gateway server
- Configure your firewall – add a firewall rule and NAT policy to allow HTTPS traffic to your RD Gateway server
- Push an AD Group Policy to add your gateway users as remote users and add a Remote Desktop Firewall Exception from the IP address of the Gateway server to the necessary PCs or Remote Desktop servers.
- Preparing to deploy to the end-users. Following the steps in detail alone will save countless hours on support calls.
- Draft and send a simple email introducing staff to the use of Duo, provide a screenshot of the enrollment email (or text) they are to expect, and instruct them to install the Duo Mobile app from their App or Play Store PRIOR to attempting to activate their account. As part of the introduction, be sure to tell them to ignore the codes they’ll see in the app and still use their Active Directory password to login. People using a 2FA app for the first time assume the code replaces their password. Not the case. Reiterate the Duo app’s purpose is to ALLOW the login attempt, and itself is not the remote solution.
- Provide an RDS shortcut for each user, pre-configured with their computer or remote server name, gateway and domain\username, but do not send out until AFTER they have enrolled in Duo – this action cuts unnecessary support calls.
- Grab a cup of coffee, put your feet up on your desk, and be amazed at the simplicity and great feedback you get from your end-users as they are fascinated and relieved to see their office desktop from home in such a seamless way.
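The server-side steps above (add the role, bind the 3rd-party certificate, authorize the user group, open RDP on the target PCs only from the gateway) and the pre-configured RDS shortcut, as one added PowerShell walkthrough. This is example code written for this article, not a script from Microsoft, Duo or the post’s author. Every name in it is an assumption to replace: rdgw.example.com as the public gateway name, C:\certs\rdgw.pfx as the purchased certificate, CORP\RDGW-Users and CORP\RDGW-Targets as the AD groups, 10.0.0.5 as the gateway’s LAN address and PC01 as a target desktop. The Duo RD Gateway installer is a GUI package and is not scripted here; the edge firewall rule and NAT policy depend on your firewall vendor and are also left to you.

```powershell
# Added example (not from the original post). Run as an administrator on the
# new RD Gateway server. All names/values below are assumptions; replace them.
$GatewayFqdn       = 'rdgw.example.com'   # public DNS name on the certificate
$PfxPath           = 'C:\certs\rdgw.pfx'  # 3rd-party cert exported with private key
$UserGroup         = 'CORP\RDGW-Users'    # AD group of staff allowed through the gateway
$TargetGroup       = 'CORP\RDGW-Targets'  # AD group of PCs / RDS hosts they may reach
$GatewayInternalIp = '10.0.0.5'           # LAN address the gateway connects from

# 1. Add the RD Gateway role (pulls in IIS and NPS as dependencies).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# 2. Import the signed certificate into the machine store and bind it to the gateway.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# 3. Connection Authorization Policy: who may connect. -AuthMethod 1 = password,
#    which is what Duo then challenges with a push. Verify parameter values with
#    Get-Help New-Item -Path RDS:\GatewayServer\CAP on your server version.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Staff-CAP' `
         -UserGroups $UserGroup -AuthMethod 1

# 4. Resource Authorization Policy: which internal hosts they may reach.
#    -ComputerGroupType 1 = an Active Directory group of computers, so users
#    cannot hop to arbitrary machines behind the gateway.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Staff-RAP' `
         -UserGroups $UserGroup -ComputerGroupType 1 -ComputerGroup $TargetGroup

# 5. On each target PC / RDS host: make the gateway group Remote Desktop Users and
#    accept RDP only from the gateway's LAN address. Wrap this in a GPO startup
#    script for scale; Invoke-Command is shown for a single constructed host.
Invoke-Command -ComputerName 'PC01' -ArgumentList $UserGroup, $GatewayInternalIp -ScriptBlock {
    param($Group, $GwIp)
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Group -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'RDP from RD Gateway only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $GwIp -Action Allow
}

# 6. Pre-configured .rdp shortcut per user. Send it only AFTER the user has
#    enrolled in Duo; the settings force every session through the gateway.
function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$User,    # DOMAIN\username
        [Parameter(Mandatory)][string]$Target,  # internal name of their office PC
        [Parameter(Mandatory)][string]$OutDir
    )
    $lines = @(
        "full address:s:$Target",
        "gatewayhostname:s:$GatewayFqdn",
        'gatewayusagemethod:i:1',         # 1 = always use the gateway
        'gatewayprofileusagemethod:i:1',  # 1 = use the settings in this file
        'gatewaycredentialssource:i:0',   # 0 = prompt for the AD password (Duo push follows)
        "username:s:$User",
        'prompt for credentials:i:1',
        'promptcredentialonce:i:1',       # same credentials for gateway and PC
        'authentication level:i:2'        # warn if the PC's certificate cannot be verified
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $path = Join-Path $OutDir (($User -split '\\')[-1] + '.rdp')
    Set-Content -Path $path -Value $lines -Encoding Unicode
    return $path
}

# Constructed sample run: writes C:\rdp-out\jsmith.rdp
New-GatewayRdpFile -User 'CORP\jsmith' -Target 'PC01.corp.local' -OutDir 'C:\rdp-out'
```

The RAP is scoped to an AD computer group rather than "any network resource" so that a compromised account that somehow passed the Duo prompt still only reaches the desktops you listed, and the host firewall rule in step 5 means those desktops refuse RDP from anywhere except the gateway itself.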
Let us know if you run into challenges with the implementation of this solution. You can schedule a free call with us here – https://calendly.com/edgesg/30min