This document details the installation steps for the Duo Windows RDP (Remote Desktop Protocol) client. Install this to set up two-factor authentication using Duo for your Windows server.
- Today, I am going to show you how to deploy a simple Remote Desktop Gateway on Microsoft Windows Server 2019 without a complete Remote Desktop Services infrastructure. It means I don't have a farm of RD session host servers sitting behind it, and I don't want to deploy a Connection Broker, Web Access and session host server (e.g. complete infrastructure).
- On the Windows PC you want to connect to remotely, download the Microsoft Remote Desktop assistant to configure your PC for remote access.
Use the Microsoft Remote Desktop app to connect to a remote PC or virtual apps and desktops made available by your admin. The app helps you be productive no matter where you are. This blog post shows how to install and configure Remote Desktop Services. This same step applies to Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. Install the Remote Desktop Gateway service role: in Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.
Request Duo Application Keys for Your Server
Each server should have its own Integration Key (i-Key) and Secret Key (s-Key). To request a key set for your server, contact the ITS Service Center and ask that your request be directed to the ITS Identity and Access Management (IAM) Operations team. Submit your application creation request as far in advance as possible. The application registration process will take one to three days from the time the service request is received by ITS IAM.
In the ticket, include your preferred application name. Most requests follow the format below. See Duo Naming Conventions for a more detailed explanation.
- Application Name: (Unit's AD Prefix) (SSH/RDP) (server hostname)
- Example: ITS SSH dodo.dsc.umich.edu
ITS IAM will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Box. These should be protected like any other key information used on your server.
Standalone Installer Download
Server Setup for Windows RDP
To set up a server, download the Windows installer: Duo RDP installer
The remainder of this document explains the adjustable and recommended settings based on University policy. You may also wish to read Duo's official installation guide for more details about each setting: Duo installation guide for RDP
Interactive Installation Process
The installation wizard will take you through the installation process.
Here are some things to keep in mind as you perform the installation:
- You must use the Integration Key, Secret Key, and API Hostname provided to you by ITS Identity and Access Management, because they match settings on the Duo side. Refer to Duo Application Creation and Migration Process if you do not have this information yet.
- Uncheck Bypass Duo authentication when offline for better security. You can still reboot the server into Safe Mode to bypass Duo, when necessary.
- The "Use auto push to authenticate if available" option has no security impact. It does, however, make the logon process faster if you have the Duo phone app, so it is recommended.
- Leave Only prompt for Duo authentication when logging in via RDP unchecked. You can still use Safe Mode to bypass Duo.
Silent (Automated) Installation Process
For bulk deployments, the installer also supports command-line arguments.
Here is an example with the recommended settings previously mentioned:
Note the quote after /V and the double quote at the end. The settings are all part of one giant /V parameter.
Proxy Setup for Servers With No Internet Access
Servers that do not have direct Internet access (private IP space, and no NAT) will need to use an HTTP proxy to authenticate through Duo.
The Windows installer does not prompt for proxy settings, so you will need to edit the registry settings directly.
HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv
Non-Production: HttpProxyHost (String): duo-proxy-test.dsc.umich.edu
Production: HttpProxyHost (String): duo-proxy.dsc.umich.edu
The registry setting is only read during authentication, so no restart is required.
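The silent installation and proxy steps above, combined into one deployment script that also checks the resulting settings. This is an added example, not code from the original page or from Duo. The installer property names (IKEY, SKEY, HOST, AUTOPUSH, FAILOPEN, RDPONLY) and the registry value names AutoPush, FailOpen and RdpOnly follow Duo's documentation rather than this page and should be treated as assumptions; the installer path and all `<...>` values are placeholders.

```powershell
# Added example. All <...> values and the installer path are placeholders.
$Installer = 'C:\Temp\duo-win-login-X.Y.Z.exe'   # placeholder file name
$IKey      = '<integration-key>'                 # from ITS IAM
$SKey      = '<secret-key>'                      # from ITS IAM; keep out of source control
$ApiHost   = '<api-hostname>'                    # from ITS IAM
$ProxyHost = 'duo-proxy.dsc.umich.edu'           # production proxy named on this page; $null if not needed
$RegPath   = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# Everything between /V" and the closing " is one parameter passed through to the MSI.
# AUTOPUSH on; FAILOPEN off (no bypass when offline); RDPONLY off (prompt on every logon type).
$msiProps = '/qn IKEY="{0}" SKEY="{1}" HOST="{2}" AUTOPUSH="#1" FAILOPEN="#0" RDPONLY="#0"' -f $IKey, $SKey, $ApiHost
$argLine  = '/S /V" {0}"' -f $msiProps

# The secret key is on the command line, so it will appear in process-creation
# logs if command-line auditing is enabled; restrict access to those logs.
$proc = Start-Process -FilePath $Installer -ArgumentList $argLine -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Duo installer exited with code $($proc.ExitCode)" }

# The installer has no proxy prompt: write the proxy host directly.
if ($ProxyHost) {
    Set-ItemProperty -Path $RegPath -Name 'HttpProxyHost' -Value $ProxyHost -Type String
}

# Verify what actually landed in the registry (value names are assumptions).
$expected = @{ AutoPush = 1; FailOpen = 0; RdpOnly = 0 }
$actual   = Get-ItemProperty -Path $RegPath
$drift = foreach ($name in $expected.Keys) {
    if ($actual.$name -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual.$name }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Duo settings differ from the recommended values'
}
Write-Output 'Duo settings match the recommended values'
```

Run it from an elevated PowerShell session; a missing registry value is reported as drift, which also catches a host where the installer never ran.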
These instructions are for users who need to access their Windows computer that is on campus from a Windows computer that is off campus. It assumes they are already connected to the Remote Access VPN. (See How to Connect Remotely using the Remote Access VPN (Staff/Faculty)) It also assumes Remote Desktop has been enabled on the computer the user will connect to remotely, which can be done by going to Software Center and installing 'UMS Enable Remote Desktop'.
Step-by-step guide
- Ensure the VPN is Connected.
Install Microsoft Remote Desktop.
Search for Microsoft Store in the Search Bar.
Then Search the Microsoft Store for Microsoft Remote Desktop. Select the Microsoft Remote Desktop App, but don't select the one that says Preview.
Click Get.
Wait for the application to download and install.
When it finishes, click the Launch button.
Configure the Remote Desktop Connection
Once Microsoft Remote Desktop opens, click the Add button in the upper right corner.
In the Choose what to add menu that appears, click Desktop.
Fill in the hostname of the PC you will connect to remotely. For computers in UAD it will be the Serial #. Fill in a friendly name that will help you identify it.
Connect to the remote PC
Click on the PC with the friendly name for the connection just configured.
Authenticate when prompted with the username and password for the remote PC, making sure to put 'uad' in front of the username.
The remote computer's desktop will appear on the local computer, usually in full screen mode.
To exit full screen, you can press Ctrl + Alt + Break on a desktop computer or Ctrl + Alt + Fn + B on a laptop computer.
Microsoft Remote Desktop Download
Steps-to-take if this does not work
- Ensure the Windows PC is connected to the Remote Access VPN
- Ensure the Desktop Computer that the user is trying to connect to has Remote Desktop enabled for that user
- Create a ticket with the Help Desk
- Whether the computer the user is connecting from is University-owned or non-University-owned
If the PC on which the user wants to install Microsoft Remote Desktop is University-owned, they will need to install it from Software Center or get an exception issued to allow them to access the Microsoft Store.
- Operating System and version
- Serial #/hostname of computer that the user is trying to connect to remotely
- User account experiencing problem
- Any other specifics necessary to the nature of this problem