Apply MFA to Remote Desktop Gateway sessions

Apply Multi-Factor Authentication (MFA) to Remote Desktop Gateway (RD Gateway) connections to protect remote access to internal workstations and servers.

Published October 9, 2025

Introduction

The Remote Desktop Gateway (RD Gateway) allows users to access internal resources over HTTPS without requiring a VPN.
While this makes remote access easier, it also exposes a potential entry point to the corporate network.

UserLock can enforce MFA when users connect through RD Gateway, adding a strong layer of identity verification before granting access.

The following sections explain how to enable MFA for RD Gateway connections, why installing the NPS Agent is recommended, and what to do if the agent cannot be deployed.

Configure MFA for RD Gateway sessions

To apply MFA to users connecting through RD Gateway:

  1. Install the UserLock Desktop Agent on all target machines that users connect to via RDP.
    Without it, UserLock cannot enforce MFA or session protection.

  2. Create or edit an MFA access policy.
    If needed, refer to the guide Configure an access policy for step-by-step details.

  3. In the MFA policy rules, enable MFA.

  4. Select the connection type to choose where MFA should apply:

    Value        | Description                               | Note
    -------------|-------------------------------------------|------------------------------------------------------------
    All          | Enforce MFA on all connections            | Local, remote and from outside sessions
    Remote       | MFA applies to remote sessions            | ⚠️ Requires the NPS Agent (see below)
    From outside | MFA applies only to external connections  | ⚠️ Requires the NPS Agent or the advanced IP setting (see below)

  5. Save your changes and verify that MFA is triggered when connecting through RD Gateway.

About the NPS Agent

When users authenticate through RD Gateway, the request is handled by a Network Policy Server (NPS).
Installing the UserLock NPS Agent on this NPS server allows UserLock to detect the real external IP address of the remote client.

Situation                                                | What UserLock sees                              | Impact
---------------------------------------------------------|-------------------------------------------------|----------------------------------------------------------------------------
NPS Agent installed on the NPS authenticating the Gateway | The real public IP address of the remote client | MFA can be applied automatically based on “From outside” or “Remote”
NPS Agent not installed                                  | The IP of the RD Gateway                        | The session is considered “inside” the network; MFA won’t trigger for “Remote” connections; MFA won’t trigger for “From outside” connections unless you apply the advanced setting below.

How to consider the RD Gateway IP address as outside

If the NPS Agent cannot be deployed, you can manually tell UserLock to treat the RD Gateway IP address as external.

To do this:

  1. Open the UserLock console.

  2. Go to Server settings ▸ Advanced settings.

  3. Find the option IP considered outside.

  4. Add the IP address of your RD Gateway.

  5. Save the configuration.

This ensures that MFA applies even though the RD Gateway’s IP belongs to your internal network.

Note

By default, all IP addresses outside the following ranges are considered outside connections:

  • 10.0.0.0 - 10.255.255.255

  • 172.16.0.0 - 172.31.255.255

  • 192.168.0.0 - 192.168.255.255

  • fc00::/7

  • fe80::/10
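To make the NPS Agent table and the advanced setting concrete, the following added example (not UserLock code) models the classification rule described on this page: the default inside ranges listed above, the address UserLock sees with and without the NPS Agent, and the effect of listing the RD Gateway address under “IP considered outside”. The client and gateway addresses, and the function names, are constructed for the example; the “Remote” connection type is not modelled because it depends on session-type detection the page does not describe.

```python
import ipaddress

# Ranges UserLock treats as "inside" by default (from the note on this page).
INSIDE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def observed_source_ip(client_ip, gateway_ip, nps_agent_installed):
    """The address UserLock sees for an RD Gateway session.

    With the NPS Agent on the NPS that authenticates the gateway, UserLock
    learns the client's real IP; without it, it only sees the gateway's IP.
    """
    return client_ip if nps_agent_installed else gateway_ip


def is_outside(source_ip, ip_considered_outside=()):
    """Classify an address as outside (True) or inside (False).

    ip_considered_outside models the advanced setting "IP considered
    outside": listed addresses count as external even inside a private range.
    """
    addr = ipaddress.ip_address(source_ip)
    if addr in {ipaddress.ip_address(o) for o in ip_considered_outside}:
        return True
    # Version mismatches (v4 address vs v6 network) evaluate to False here.
    return not any(addr in net for net in INSIDE_RANGES)


def mfa_triggers(connection_type, client_ip, gateway_ip,
                 nps_agent_installed, ip_considered_outside=()):
    """Does an MFA policy with this connection type fire for the session?"""
    if connection_type == "All":
        return True
    if connection_type == "From outside":
        seen = observed_source_ip(client_ip, gateway_ip, nps_agent_installed)
        return is_outside(seen, ip_considered_outside)
    raise ValueError(f"connection type not modelled: {connection_type}")


if __name__ == "__main__":
    # Constructed sample values: a public client, an RD Gateway on the LAN.
    client, gateway = "203.0.113.7", "10.0.5.20"
    print(mfa_triggers("From outside", client, gateway, True))              # True
    print(mfa_triggers("From outside", client, gateway, False))             # False
    print(mfa_triggers("From outside", client, gateway, False, [gateway]))  # True
```

The second call shows the failure mode from the table (no agent, gateway IP seen as inside, no MFA); the third shows the advanced setting restoring MFA for that same session.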