Publish RDS with Azure Application Proxy without exposing RDGateway

Robert Amartinesei 1 Reputation point


I was recommended to publish my question here instead of twitter:

Is there any way I can publish RDS with Azure Application Proxy and avoid exposing the RD Gateway on the internet?
As far as I can tell.. If I want to use Azure Application proxy and leverage SSO then I have to set the authentication mode to passhtrough. This works but completely defeats the purpose. I want to preauthenticate using Azure AD (to use with MFA and Conditional Access) and also have SSO to RDGateway.

right now I can set it up so that I can preauthenticate with Azure AD but the RDGateway is still exposed on the public internet.

Would love to hear a response from you!

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,781 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Kannan S 6 Reputation points

    Microsoft is planning to release any update on Azure Web Application Proxy Connector version to Support 3rd Party browser or not ?

    1 person found this answer helpful.
    0 comments No comments

  2. AmanpreetSingh-MSFT 55,541 Reputation points

    @Robert Amartinesei I have tried to answer both your questions below:

    SSO in case of Pre-authentication via Azure AD:

    SSO is supported if Azure App Proxy is setup to perform pre-authentication using Azure AD. This is well documented here:

    Also, for SSO you need to host both the RD Web and RD Gateway endpoints on the same machine with a common root. For example, if root url is, RD Web url will be and RD Gateway url will be Now while configuring app proxy, you need to create mapping only for url and not for /rdweb or /rpc.

    RDGateway exposed on the public internet:

    In an RDS deployment, the RD Web role and the RD Gateway role run on Internet-facing machines. These endpoints are exposed for the following reasons:

    RD Web provides the user a public endpoint to sign in and view the various on-premises applications and desktops they can access. Upon selecting a resource, an RDP connection is created using the native app on the OS.
    RD Gateway comes into the picture once a user launches the RDP connection. The RD Gateway handles encrypted RDP traffic coming over the internet and translates it to the on-premises server that the user is connecting to. In this scenario, the traffic the RD Gateway is receiving comes from the Azure AD Application Proxy.


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    0 comments No comments

  3. seth bestulic 96 Reputation points

    There is no way to integrate full SSO with preauth in this setup. Essentially you need to authenticate with azure once and then login to the web portal once and then you're fully authenticated. The few custom configurations I've seen people post about that leverage Azure SSO actually break the security of the pre-auth since they allow for RDP files that have been created to simply be re-used without triggering MFA, which means that a custom RDP file could be worked up to sneak in this way too.

    Microsoft's document on configuring RDS with pre-auth and app proxy specifically configure for the two sign-ins as I described above-

    So I don't know what Amanpreetsingh was talking about there.

    0 comments No comments