RD-Gateway with NPS Server and NPS Extension, Windows Firewall issue. Azure MFA

Question

Hi!

We recently configured a new NPS Server with the NPS extension for our Remote Desktop Gateway to do a MFA against the AzureAD.

The odd thing is, we can only get it to work when we disable the Windows Firewall on the NPS server.

All ports necessary for NPS; UDP ports 1812, 1813, 1645 are open but when the Windows Firewall on the NPS is enabled we cannot do a MFA to Azure.

Is there a port or application that we are missing?

Best regards,

Tim

Answer 1

is the MFA failing with Windows Firewall but works with firewall disabled. for the NPS extensions to support secondary MFA it needs to communicate with the following MS URLs on 443

• https://strongauthenticationservice.auth.microsoft.com (for Azure Public cloud customers).
• https://strongauthenticationservice.auth.microsoft.us (for Azure Government customers).
• https://strongauthenticationservice.auth.microsoft.cn (for Azure China 21Vianet customers).
• https://adnotifications.windowsazure.com
• https://login.microsoftonline.com
• https://credentials.azure.com

if that is not the case then i would recommend you to enable Wireshark or similar and look at the traffic being blocked. or if you have firewall logging enabled you could look at what traffic is filtered