RDS Gateway with Azure MFA

I recently worked on setting up an RDS Gateway with the NPS Extension for Azure MFA for remote access. I’m not going to reiterate the steps to get this set up as they are well documented and it is fairly easy to get working. The caveat here is when you move the RDS Gateway to a DMZ with the central NPS server on the internal network.

Here are a couple of gotchas:

• Make sure you have ports 1812 and 1813 open from the gateway server to the central NPS server.
• I was using the FQDN of the Gateway server in the Radius client section on the central NPS server. When I moved the Gateway server to the DMZ I updated DNS, waited a bit and then went into the Radius client section and hit Verify and it did resolve to the new IP address so I thought it was good. However, I kept getting messages on the central NPS server that the Radius client was invalid. I changed the Radius client from the FQDN to the IP and restarted the NPS server and that fixed it.
• On the Gateway server I was getting an event log message that my user account did not meet the resource authorization policy requirements. Ended up that the Resource Authroization Policy (RAP) User group I had added was missing. Even though I could select it from the domain it would not let me add it back in. Also local groups were showing the SID of the AD groups instead of the display names. I had forgotten to add the Gateway server into the RODC Allow Password Replication group. Once I added it there I was able to add my AD group back to the RAP and everything worked perfectly!