In our RDS dev/test environment I have been testing a KEMP load balancer with MFA (RADIUS) integration. The goal is to route users coming from an untrusted environment (as defined by me) to a different website than users coming from a trusted environment (for example business locations). This can be done with separate Sub Virtual Services (SubVSs) and content switching rules.
First create a Virtual Service: View/Edit Virtual Services > Add New. Choose port 443 (TCP), name the Virtual Service as you like (for example: rdgw.customer.com) and select “Add this Virtual Service”.
Go to Real Servers > Add SubVS (create two). Name the two newly created Sub Virtual Services via Modify > SubVS Name > Set Nickname. I have named them “SUBVS_WITH_MFA” and “SUBVS_NO_MFA”.
On both the Sub Virtual Services enable ESP.
Create an LDAP configuration in Certificate & Security > Add new LDAP Endpoint. Name the LDAP endpoint (the domain name is a sensible choice) and select Add.
Modify the newly created LDAP endpoint, add the domain controllers and click LDAP Server(s). Multiple LDAP servers can be added by separating the IP addresses with a space.
Enter the username and password of an account that has read rights in Active Directory and set them.
Create two client side configurations: Manage SSO > Add Client Side Configurations > name them and select Add (I have named them MFA and NO_MFA). On the MFA SSO domain the Authentication Protocol is RADIUS, pointing to a dedicated NPS server with the Azure MFA NPS extension installed (link). On that server the KEMP load balancer is registered as a RADIUS client.
Edit the two created Sub Virtual Services: on both of them select Form Based as the Client Authentication Mode. On “SUBVS_WITH_MFA” select SSO Domain: MFA and on “SUBVS_NO_MFA” select SSO Domain: NO_MFA.
NO_MFA:
WITH_MFA:
Because the KEMP does not support single sign-on towards the back end with “Form Based Authentication”, the Server Authentication Mode must be set to Basic Authentication (the adjustments on the RDWeb page are explained later). Keep in mind that Basic Authentication sends the user's credentials Base64-encoded (not encrypted) in every request, so the connection from the KEMP to the real servers should be re-encrypted (HTTPS) rather than plain HTTP.
Next we create the Real Servers for each Sub Virtual Service, pointing to the servers that have the RDWeb role installed.
Virtual service: View/Edit Virtual Services > Modify > Real Servers > Add New…
To route users to the different Sub Virtual Services we create a content switching rule and assign it to a Sub Virtual Service.
Go to Rules & Checking > Content Rules > Create New…
- Name: SourceIPMatch (or WAN_John)
- Header: src-ip
- Match string: the IP address of the trusted location. The match string is a regular expression, so escape the dots and anchor it, for example ^203\.0\.113\.5$ (example address); an unanchored 10.0.0.1 would also match 10.0.0.10 and 110.0.0.1, and those clients would skip MFA as well.
Assign this rule to the Sub Virtual Service “SUBVS_NO_MFA”: Virtual service: View/Edit Virtual Services > Modify > Rules > Select Rule: SourceIPMatch > Add.
Assign the default rule to the Sub Virtual Service “SUBVS_WITH_MFA”: Virtual service: View/Edit Virtual Services > Modify > Rules > Select Rule: default > Add.
Now users connecting from an IP address that matches the content rule “SourceIPMatch” are routed to SUBVS_NO_MFA and are not prompted for MFA.
All other users match the default rule and are routed to SUBVS_WITH_MFA, where they are prompted for MFA. Note that src-ip is the source address as seen by the LoadMaster: if another proxy or NAT device sits in front of it, the rule sees that device's address instead of the client's, and anyone who can send traffic from a trusted address (for example from a compromised workstation at a business location) bypasses MFA entirely.
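The following PowerShell is an added example and not part of the original post. It emulates how the Match String of the src-ip content rule is evaluated against client addresses, so a rule can be checked before it is used to skip MFA. It assumes the rule's Match Type is left at the default (Regular Expression), where the pattern is searched within the source address rather than matched against the whole string; the addresses and the Test-SourceIpRule function are constructed for the example.

```powershell
# Added example (not from the original post): checks which source addresses a
# src-ip content rule would admit to SUBVS_NO_MFA, i.e. which clients skip MFA.
# Assumption: the LoadMaster evaluates the Match String as an unanchored regular
# expression (the default Match Type), which .NET's Regex.IsMatch also does.
function Test-SourceIpRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,    # the content rule's Match String
        [Parameter(Mandatory)][string[]]$SourceIp  # client addresses to test against it
    )
    foreach ($ip in $SourceIp) {
        [pscustomobject]@{
            SourceIp = $ip
            Pattern  = $Pattern
            SkipsMfa = [regex]::IsMatch($ip, $Pattern)
        }
    }
}

# Constructed test data: 203.0.113.5 is the trusted office egress (example address);
# the others are neighbours that a sloppy pattern would also let through.
$candidates = '203.0.113.5', '203.0.113.50', '203.0.113.59', '198.51.100.7'

# Weak rule: the address typed in as-is. Unescaped dots match any character and
# there are no anchors, so 203.0.113.50 and 203.0.113.59 skip MFA too.
Test-SourceIpRule -Pattern '203.0.113.5' -SourceIp $candidates | Format-Table -AutoSize

# Corrected rule: escaped dots and anchored at both ends; only the exact address matches.
Test-SourceIpRule -Pattern '^203\.0\.113\.5$' -SourceIp $candidates | Format-Table -AutoSize

# Whole trusted subnet (203.0.113.0/24): still anchored, last octet restricted to digits.
Test-SourceIpRule -Pattern '^203\.0\.113\.\d{1,3}$' -SourceIp $candidates | Format-Table -AutoSize
```

Run it on any workstation; the output of the first call shows three addresses with SkipsMfa = True, the second exactly one, the third the three addresses in the /24. The same anchoring discipline applies to any src-ip pattern added to SUBVS_NO_MFA, since every match there is an MFA exemption.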
The adjustments for the RDWeb page on the Remote Desktop Web Access server (IIS Manager > Authentication):
Default Web Site > Authentication > Anonymous Authentication Enabled > the rest Disabled
Default Web Site\RDWeb > Authentication > Anonymous Authentication Enabled > the rest Disabled
Default Web Site\RDWeb\Pages > Authentication > Anonymous & Basic Authentication Enabled > the rest Disabled
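The same IIS authentication settings applied from PowerShell with the WebAdministration module, as an added example that is not part of the original post. It assumes the site is called "Default Web Site" with the RDWeb application at Default Web Site/RDWeb, and that it runs in an elevated PowerShell on the RD Web Access server; the function names are my own.

```powershell
# Added example (not from the original post): apply and verify the IIS authentication
# modules for the three RDWeb locations described above.
# Assumptions: site name "Default Web Site", RDWeb application at /RDWeb, elevated shell.
Import-Module WebAdministration

# The authentication sections are locked in applicationHost.config, so the settings
# are written there as <location> entries rather than into each web.config.
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'

# Desired state per location: Anonymous everywhere, Basic only on RDWeb/Pages.
$desired = @{
    'Default Web Site'             = @{ anonymousAuthentication = $true; basicAuthentication = $false }
    'Default Web Site/RDWeb'       = @{ anonymousAuthentication = $true; basicAuthentication = $false }
    'Default Web Site/RDWeb/Pages' = @{ anonymousAuthentication = $true; basicAuthentication = $true  }
}
# "The rest disabled": the remaining IIS authentication modules are switched off everywhere.
$alwaysOff = @('windowsAuthentication', 'digestAuthentication')

function Set-RdWebAuth {
    foreach ($location in $desired.Keys) {
        $settings = $desired[$location].Clone()
        foreach ($module in $alwaysOff) { $settings[$module] = $false }
        foreach ($module in $settings.Keys) {
            Set-WebConfigurationProperty -PSPath $apphost -Location $location `
                -Filter "$authBase/$module" -Name 'enabled' -Value $settings[$module]
        }
    }
}

function Get-RdWebAuth {
    # Reads the effective setting back, one row per location and module, so the
    # result can be compared with the table above before the KEMP is pointed at it.
    $modules = @('anonymousAuthentication', 'basicAuthentication') + $alwaysOff
    foreach ($location in $desired.Keys) {
        foreach ($module in $modules) {
            $attr = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
                        -Filter "$authBase/$module" -Name 'enabled'
            [pscustomobject]@{ Location = $location; Module = $module; Enabled = $attr.Value }
        }
    }
}

Set-RdWebAuth
Get-RdWebAuth | Sort-Object Location, Module | Format-Table -AutoSize
```

The script only touches the IIS-level authentication modules in applicationHost.config; ASP.NET Forms authentication configured in RDWeb's own web.config (system.web) is outside its scope and is left as is.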
After configuring these KEMP virtual services the only thing that is not working is Single Sign-On to the Remote Desktop Connection Brokers. Users get an extra pop-up where they have to enter their credentials a second time.
KEMP released the latest firmware on the second of August (link); in this firmware KEMP has resolved some issues with slow RDS sessions. In previous versions it was not simple to deploy the KEMP SPLA edition in Azure, but it is now available in the Azure Marketplace under the name “KEMP 360 Central for Metered Licensing (MELA) and License Agreements (SPLA)”.