Last updated on June 17, 2025
Overview of MFA for Remote Desktop Gateway
Multi-Factor Authentication (MFA) for Remote Desktop Gateway is a secure extra layer of authentication for Microsoft Remote Desktop Gateway logons. During the authentication process, Rublon sends a Mobile Push login request to the user if they have the Rublon Authenticator app installed. Apart from the Mobile Push authentication method, Email Link, Phone Call, and SMS Link can also be used. Users who do not complete the Two-Factor Authentication process are denied access.
Rublon MFA integrates with Remote Desktop Gateway via a dedicated connector called Rublon MFA for Remote Desktop Gateway.
Note
Rublon MFA for Remote Desktop Gateway makes Resource Authorization Policies (RAP) and Remote Desktop Connection Authorization Policies (CAP) unreachable from the Remote Desktop Gateway Manager. Policy settings configured before are ignored by Remote Desktop Gateway. If, for some reason, you have to continue using Remote Desktop RAPs or CAPs, install Rublon MFA for Windows Logon on your RDS Session Hosts. Rublon MFA for Windows supports more authentication methods and allows you to secure access to both local and remote logins.
Rublon MFA for RD Gateway has no impact on the SSL Certificate tab in the Remote Desktop Gateway Manager. If you are experiencing issues with certificates, restart the IIS server and the RDG service.
RD Gateway users who will be authenticated by Rublon should be informed before deployment that additional Two-Factor Authentication is required during login because they will not receive any message about this fact. It is recommended that users use the Rublon Authenticator app.
Rublon MFA for Microsoft RD Gateway supports the following operating systems:
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Note
All editions of Windows Server are supported, including Windows Server Essentials.
Supported Authentication Methods
Authentication Method | Supported | Comments |
Mobile Push | ✔ | N/A |
WebAuthn/U2F Security Key | – | N/A |
Passcode | – | N/A |
SMS Passcode | – | N/A |
SMS Link | ✔ | N/A |
Phone Call | ✔ | N/A |
QR Code | – | N/A |
Email Link | ✔ | N/A |
YubiKey OTP Security Key | – | N/A |
Before you start
IMPORTANT
Before installing Rublon MFA for RD Gateway, ensure that every user has an email address defined in the Properties of this user in Active Directory Users and Computers.
Otherwise, users with no email address in Active Directory will have no way to authenticate or self-enroll their devices, and the administrator will not be able to send them an Enrollment Email because there would be no email address to send it to.
- Ensure that you have a well-tested, working, and running RDG before installing Rublon MFA for RD Gateway.
- Note that Rublon MFA for RD Gateway overwrites your current device redirections and timeouts. We recommend you write down the current settings of these RD Connection Authorization Policies. You can set them again in the Rublon MFA for RD Gateway configuration file.
- We recommend you familiarize yourself with the available methods for enrolling Rublon users. You can set and edit these methods in the Settings section of the Rublon Admin Console.
- Before moving on, make sure that your Windows is up to date and that you have installed the latest updates.
Pre-Installation Steps
1. Sign in to the Rublon Admin Console.
2. Click Applications on the left.
3. Click Add Application.
4. Set a name for your application, e.g., RD Gateway.
5. Set Type to Remote Desktop Gateway.
6. Decide if you want to enable username normalization and the Manage Authenticators view. For more information, look at How to add an application.
7. Click Save to create a new application.
8. Copy and save the values of System Token and Secret Key. You are going to need them later.

9. Download the Rublon MFA for RD Gateway installer.
Installation of Rublon MFA for Remote Desktop Gateway (GUI Installation)
1. Run the installer with administrator rights.
2. On the first page of the installer, read about the product you are about to install.
- If this is the first time you are installing the connector, click Next.

- If this is not the first time you are installing the connector on this endpoint, you will be able to either update the current installation or do a clean installation.
- Update current installation: If you choose to update the current installation, you will not be able to change any old options in the installer. However, if a new option has been introduced in this version of the installer, you will be able to change its value before the installation begins. The Update current installation option is recommended for those who want to update the connector to a newer version but want to keep all current settings.
- Clean installation: If you choose to do a clean installation, continue with the steps in this section.

3. Enter the API credentials (System Token and Secret Key) from your application of type Remote Desktop Gateway in the Applications tab of the Rublon Admin Console and click Next.

Option | Description |
API Server | Enter https://core.rublon.net unless you want to explicitly change the Rublon API Server URL. |
System Token | System Token of your application in the Rublon Admin Console. Paste the value you noted down before. |
Secret Key | Secret Key of your application in the Rublon Admin Console. Paste the value you noted down before. |
4. Check the configuration options you want and click Next. Refer to the following image and table.

Option | Description |
Use proxy | Check this option to enable proxy. When checked, the next page, after clicking Next, will ask you for more details about the proxy. When unchecked, the page that asks for proxy details will not appear. |
5. If you checked Use proxy on the previous page, you will see an additional page asking you to enter proxy details. After filling in the details, click Next. Refer to the following image and table.

Option | Description |
Proxy Host | The address of the proxy server. |
Proxy Port | The port on which the proxy server is operating. |
Proxy Username | The username of the HTTP proxy server user. Optional. Fill in if verification by username is required. |
Proxy Password | The password of the HTTP proxy server user. Optional. Fill in if required for verification. |
6. Check the bypass options you want and click Next. Refer to the following image and table.

Option | Description |
Bypass MFA when it cannot be performed | Check to bypass MFA when the Rublon API is reachable but cannot perform MFA (e.g., too many requests). We recommend you keep this option checked if you’re installing Rublon for the first time so that you can access your machine in case of any issues (e.g., incorrect System Token/Secret Key or firewall blocks Rublon). |
7. Rublon MFA for RD Gateway is ready to install.
Rublon MFA for Remote Desktop Gateway performs the following steps during installation:
- Adds configuration settings to Windows Registry.
- Installs the application on the system in a defined location. It is not possible to change this path.
- Starts the installer of the required additional packages: Microsoft Visual C++ 2015-2019 Redistributable (x64). Rublon for RD Web requires the Microsoft Visual C++ 2015-2019 Redistributable (x64) package to work. The RD Gateway installer will install this package automatically if it does not exist in the system.

8. Click Install to install Rublon MFA for Remote Desktop Gateway.

9. After a successful installation, the installer informs you that your installation is complete. Check View log if you want and click Finish.

10. Check whether you have installed the plugin properly. Go to C:\ProgramData\Rublon\RDG\Logs and open the Rublon-RDG.log file. Look for a line that starts like this:
[info] “Rublon RDG Authentication Plugin version:
If you do not see the preceding line, wait a minute. Perhaps you are too fast for the software to keep up.
11. Your installation is complete. We recommend you see the Configuration section to learn about parameters you can change.
Note
Ensure that the firewall on the server on which you have installed RD Gateway does not restrict Rublon communication on TCP port 443.
Installation of Rublon MFA for Remote Desktop Gateway (Silent Mode Installation)
1. Run the installer from a command prompt, for example, cmd or PowerShell.
Note
To successfully install Rublon MFA for Remote Desktop Gateway in Silent Mode, you need to have administrator privileges and include the /verysilent option in the installation command.
2. Prepare an installation command based on the following form:
.\Rublon-RDG-1.6.0.exe /verysilent /rublonApiServer=https://core.rublon.net /token={token} /key={key} /failMode=bypass
Where each option is set in the following way: /<OptionName>=<OptionValue>
For example:
.\Rublon-RDG-1.6.0.exe /verysilent /rublonApiServer=https://core.rublon.net /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893
Note
If you would like to use a proxy, enter a command in the following form:
.\Rublon-RDG-1.6.0.exe /verysilent /rublonApiServer=https://core.rublon.net /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893 /proxyHost=123.123.123.123 /proxyPort=80
Specify proxyUsername and proxyPassword only if these values are required for verification:
.\Rublon-RDG-1.6.0.exe /verysilent /rublonApiServer=https://core.rublon.net /token=9BBD412E91594D39BD6FCB841D396C4X /key=97df2dced39aa615a0235819116893 /proxyHost=123.123.123.123 /proxyPort=80 /proxyUsername=user /proxyPassword=pass
Refer to the following table for descriptions of parameters.
Parameter | Description | Required |
token | System Token of your application in the Rublon Admin Console. Paste the value you noted down before. | Yes |
key | Secret Key of your application in the Rublon Admin Console. Paste the value you noted down before. | Yes |
verysilent | Runs the installer without the graphical user interface (GUI). | Yes, to run the installer in Silent Mode. If the installation command does not include this parameter, the installer will run in GUI mode. |
silent | Runs the installer, bypassing most of the graphical user interface (GUI) while still displaying an installation progress bar. If an error occurs during installation, a graphical message will be displayed requiring user interaction. | No |
suppressmsgboxes | When an error occurs, instead of displaying a pop-up as seen in the GUI installation, the error is recorded in the log files instead. | No |
failMode | Defines what happens to logins if Rublon servers are unreachable. Set to bypass to let the user in without MFA. Set to deny to deny the user access. Recommended: bypass | No |
proxyHost | The address of the proxy server. | No |
proxyPort | The port on which the proxy server is operating. | No |
proxyUsername | The username of the HTTP proxy server user. | No |
proxyPassword | The password of the HTTP proxy server user. | No |
rublonApiServer | The server of the Rublon API. | No |
NORESTART | Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart. | No |
3. Execute the command you prepared.
4. Check whether you have installed the connector properly. Go to C:\ProgramData\Rublon\RDG\Logs and open the Rublon-RDG.log file. Look for a line that starts like this:
[info] “Rublon RDG Authentication Plugin version:
If you do not see the preceding line, wait a minute. Perhaps you are too fast for the software to keep up.
Note
Ensure that the firewall on the server on which you have installed RD Gateway does not restrict Rublon communication on TCP port 443.
5. Your installation is complete. We recommend you see the Configuration section to learn about parameters you can change.
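The silent installation and its verification steps can be scripted as one run. The following is an added example, not a script shipped by Rublon: it uses only the installer options and log path listed above, and it assumes the installer sits in the current directory and returns exit code 0 on success. Test-NetConnection requires Windows Server 2012 R2 or later.

```powershell
# Added example, not Rublon's own script. Run from an elevated PowerShell prompt.
$installer = (Resolve-Path '.\Rublon-RDG-1.6.0.exe').Path   # installer name used on this page
$apiServer = 'https://core.rublon.net'
$logFile   = 'C:\ProgramData\Rublon\RDG\Logs\Rublon-RDG.log'

# Prompt for the credentials so they are not saved in a script file or typed
# into command history. The installer still receives them as arguments, so
# process-creation auditing with command-line logging will record them.
$token  = Read-Host 'System Token'
$secure = Read-Host 'Secret Key' -AsSecureString
$key    = (New-Object System.Net.NetworkCredential('', $secure)).Password

$arguments = @(
    '/verysilent', '/suppressmsgboxes', '/NORESTART',
    "/rublonApiServer=$apiServer", "/token=$token", "/key=$key",
    '/failMode=bypass'   # value this page recommends for a first installation
)
$proc = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru
# Assumption: a non-zero exit code means the installation failed.
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)." }

# Step 4: the plugin may need a minute before it writes its version line.
$marker   = 'Rublon RDG Authentication Plugin version:'
$deadline = (Get-Date).AddMinutes(2)
$found    = $false
do {
    if (Test-Path $logFile) {
        $found = [bool](Select-String -Path $logFile -SimpleMatch -Pattern $marker -Quiet)
    }
    if (-not $found) { Start-Sleep -Seconds 10 }
} until ($found -or (Get-Date) -gt $deadline)
if ($found) {
    Write-Output 'Plugin version line found in Rublon-RDG.log.'
} else {
    Write-Warning "No '$marker' line in $logFile after 2 minutes."
}

# Firewall note: the gateway must reach the Rublon API on TCP port 443. This is
# a direct connection test, so it does not apply when a proxy carries the traffic.
$apiHost = ([uri]$apiServer).Host
$net = Test-NetConnection -ComputerName $apiHost -Port 443 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    Write-Warning "Cannot reach ${apiHost}:443 directly. Check the firewall."
}
```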
Configuration of MFA for RD Gateway
You can change the settings of Rublon MFA for RD Gateway in Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\RDG. You do not have to stop the RD Gateway server before making any changes. The changes you made will be applied automatically during the next login.
The following table describes all values:
Value | Description | Default |
rublonApiServer | The domain of the Rublon authentication server. | https://core.rublon.net |
systemToken | A string value gathered from Rublon Admin Console, for the Remote Desktop Gateway application type. | |
secretKey | A string value gathered from Rublon Admin Console, for the Remote Desktop Gateway application type. | |
failMode | Defines whether the user is to be logged in when the 2FA authentication cannot be performed due to technical reasons. Possible values: bypass – user is logged in; deny – user is blocked. | bypass |
sendUPN | If set to 1, Rublon looks up the User Principal Name (UPN) in Active Directory and sends the UPN to the Rublon API as the Rublon username (e.g., user@domain.com). If set to 0, Rublon sends sAMAccountName as the Rublon username, e.g., Domain\user. Possible values: 1 – enables sending UPN to Rublon; 0 – disables sending UPN to Rublon. If you set sendUPN to 1 but Rublon cannot find the User Principal Name (UPN) for a given user in Active Directory, Rublon denies access and adds appropriate information to the logs. | 0 |
skipADUserDataSearch | If set to 1, Rublon will not read user data from Active Directory (UPN, email) during MFA authentication. The connector will only send usernames in the Down-Level Logon Name form (DOMAIN\username) to the Rublon API. Setting skipADUserDataSearch to 1 can speed up MFA. If set to 0, Rublon will read UPN and email during authentication and use these values if needed. Possible values: 1 – disables reading the user’s UPN and email during each authentication; 0 – enables reading the user’s UPN and email during each authentication. Note that if you set both sendUPN and skipADUserDataSearch to 1, you will receive an authentication error. This is because the connector will not be able to match the username. | 0 |
authenticationMethods | Defines the order of execution of the authentication methods. You can set a single method (push, email, smsLink, or phoneCall) or a sequence (e.g., email,push or push,smsLink,email). If a method fails, the connector moves to the next in the sequence. If all authentication methods defined in a sequence fail, the user is either bypassed or denied, depending on the value of failMode. Important: When configuring Rublon Policies for an application of type Remote Desktop Gateway in the Rublon Admin Console, ensure that the authentication methods set in the Rublon Policy assigned to this application are consistent with the authentication methods configured in authenticationMethods. For example, if you set authenticationMethods to push,email, make sure you also select Email Link and Mobile Push as the available methods in the policy. | push,email,smsLink,phoneCall |
severityLevel | Defines the logging level. May have one of the following values: trace, debug, info, warning, error, fatal | info |
allowOnlySDRServers | Allow only SDR servers. | false |
disableDriveRedirection | Disable drive redirection. | false |
disablePrinterRedirection | Disable printer redirection. | false |
disablePortRedirection | Disable port redirection. | false |
disableClipboardRedirection | Disable clipboard redirection. | false |
disablePnpRedirection | Disable Pnp redirection. | false |
idleTimeout | Idle timeout in minutes. If set to 0, there will be no idle timeout. | 120 |
sessionTimeout | Session timeout in minutes. If set to 0, there will be no session timeout. | 480 |
sessionTimeoutAction | The action to be performed after the session expires. Possible values: disconnect – the session disconnects; silentreauth – a reauthorization attempt is made. The effect of silentreauth depends on the RDP client: mstsc.exe does not take this parameter into account and disconnects the user on timeout (without re-authentication), whereas in RD Web Client the user must complete the Rublon challenge after the timeout (an authentication method, e.g., Mobile Push, is sent automatically, and the RDP session is restored only after secondary authentication is completed). | disconnect |
httpProxyHost | The address of the proxy server. | |
httpProxyPort | The port on which the proxy server is operating. | |
httpProxyUser | The name of the user for proxy server authentication. | |
httpProxyPassword | The password of the HTTP proxy server user. | |
Note
The maximum waiting times for completing authentication methods for RD Gateway are as follows:
• Mobile Push: 3 minutes
• Email Link & SMS Link: 16 minutes
These times cannot be changed. After the given time has elapsed, the user will be denied access or bypassed depending on the failMode parameter.
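Several of these values decide whether a login can succeed without a second factor or which redirection channels stay open, so they are worth reviewing after every change. The following read-only check is an added example, not part of the Rublon connector. It assumes that values may be stored as strings or numbers, that a missing value means the default from the table applies, and that true or 1 marks a redirection setting as enabled.

```powershell
# Added example: read-only review of the connector settings described above.
$path = 'HKLM:\SOFTWARE\Rublon\RDG'
$cfg  = Get-ItemProperty -Path $path -ErrorAction Stop

# Return a value as a trimmed string, or the table's default when it is not set.
function Get-Setting([string]$Name, [string]$Default) {
    $value = $cfg.$Name
    if ($null -eq $value -or "$value".Trim() -eq '') { return $Default }
    return "$value".Trim()
}
$findings = New-Object 'System.Collections.Generic.List[string]'

# Fail-open: bypass lets the login through when MFA cannot be performed.
if ((Get-Setting failMode 'bypass') -ne 'deny') {
    $findings.Add('failMode=bypass: users are logged in without a second factor when MFA cannot be performed, or when every method fails or times out.')
}

# Documented conflict: setting both to 1 produces an authentication error.
if ((Get-Setting sendUPN '0') -eq '1' -and (Get-Setting skipADUserDataSearch '0') -eq '1') {
    $findings.Add('sendUPN=1 with skipADUserDataSearch=1: the connector cannot match the username.')
}

# Only the four documented method names are valid in the sequence.
$allowed = 'push', 'email', 'smsLink', 'phoneCall'
$methods = @((Get-Setting authenticationMethods ($allowed -join ',')) -split ',' |
    ForEach-Object { $_.Trim() })
foreach ($m in $methods) {
    if ($allowed -notcontains $m) { $findings.Add("authenticationMethods: unknown method '$m'.") }
}

# These settings replace the device redirection rules of the RD CAPs.
$enabled = 'true', '1'   # assumption: either form marks the setting as on
$redirections = 'disableDriveRedirection', 'disableClipboardRedirection',
    'disablePrinterRedirection', 'disablePortRedirection', 'disablePnpRedirection'
foreach ($name in $redirections) {
    if ($enabled -notcontains (Get-Setting $name 'false')) {
        $findings.Add("$name is false: clients may use this redirection.")
    }
}

# A timeout of 0 means the session never expires.
foreach ($name in 'idleTimeout', 'sessionTimeout') {
    $default = if ($name -eq 'idleTimeout') { '120' } else { '480' }
    if ((Get-Setting $name $default) -eq '0') { $findings.Add("$name=0: no timeout is enforced.") }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```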
MFA for Remote Desktop Gateway Login Example (RDP file)
This example portrays MFA for RD Gateway using an RDP file added to your Start menu using RD Web Feed (RemoteApp and Desktop connections) or downloaded from Remote Desktop Web Access. Refer to the following to learn how Multi-Factor Authentication works in them:
Once you have the RDP file:
1. Open the file.
2. If necessary, provide your login credentials and click Connect.
3. Remote Desktop will start connecting and launching the app you selected.

4. You will receive a Mobile Push authentication request. Tap APPROVE.

5. Your app will open.

MFA for Remote Desktop Gateway Login Example (Web Client)
This example portrays MFA for RD Gateway by way of the Remote Desktop Web Client. If you wish to open multiple apps using the Web Client, you have to undergo Multi-Factor Authentication only when opening the first app. Then, all other apps will open without MFA as long as your session is active.
1. Log in to RD Web Client. (Example of MFA for RD Web Client login)
2. Select an app you would like to connect to and click it.

3. RD Web Client will start connecting and launching the app you selected.

4. You will receive a Mobile Push authentication request. Tap APPROVE.

5. Your app will open.

Updating MFA for RD Gateway
To update your Rublon MFA for RD Gateway connector, download the new version and install it on the machine where the old version is installed.
You can simply run the installer and select Update current installation.
If the new installer introduces a new option that was not available in previous versions of the connector, you will be able to change that option after clicking Next. Otherwise, your update will start right away.
Uninstallation of MFA for RD Gateway
Note
Be aware that uninstalling Rublon MFA for RD Gateway will temporarily shut down the TS Gateway service, leading to any open connections being terminated and users losing progress. For that reason, we recommend you inform your users well in advance of planned maintenance/service downtime, restrict access to your RDS server, and only then proceed with the uninstallation of Rublon MFA for Remote Desktop Gateway.
Run unins000.exe located in C:\Program Files\Rublon\RDG\ as administrator to uninstall Rublon MFA for RD Gateway.
Alternatively, open Apps & features, select Rublon for RD Gateway and click Uninstall.
Troubleshooting MFA for Remote Desktop Gateway
If you have a problem or question, refer to Rublon MFA for RD Gateway – FAQ first.
In case you did not find a solution for your problem in our FAQ, look up your log files located in C:\ProgramData\Rublon\RDG\Logs by default and send both Rublon-RDG.log and Rublon-RDG-Setup.log to Rublon Support along with a description of your problem.
If you encounter any issues with your Rublon integration, please contact Rublon Support.