RDS with NPS & Azure MFA

yasser Mohamed AbdelMoneim 291 Reputation points
2021-10-30T20:31:23.63+00:00

Hello

In order to configure RDS with Azure MFA we have to install NPS as described below:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

Where shall we install NPS? It is not clear at all.

What are the firewall ports required for NPS to contact Azure MFA and RDS infrastructure servers?

Is there any communication between NPS and domain controllers?

"Don't install the NPS extension on your Remote Desktop Gateway (RDG) server. The RDG server doesn't use the RADIUS protocol with its client, so the extension can't interpret and perform the MFA.

When the RDG server and NPS server with NPS extension are different servers, RDG uses NPS internally to talk to other NPS servers and uses RADIUS as the protocol to correctly communicate."

Thanks


2 answers

  1. Marco Schiavon 711 Reputation points
    2021-10-31T17:01:07.42+00:00

    You need to implement the NPS on prem (see this guide where I explain how to integrate the UNIFI APs with NPS; there I describe how to install it).
    After that, you have to download and install the NPS Extension for Azure MFA on the server where you have the on-prem NPS:
    1. On the NPS server where you want to install the extension, enable the NPS component, then download and run NpsExtnForAzureMfaInstaller.exe
    2. Run the PowerShell script from C:\Program Files\Microsoft\AzureMfa\Config

    About the network requirements:

    Network requirements
    The NPS server must be able to communicate with the following URLs over ports 80 and 443:
    https://adnotifications.windowsazure.com
    https://login.microsoftonline.com
    https://credentials.azure.com
    Additionally, connectivity to the following URLs is required to complete the setup of the adapter using the provided PowerShell script:
    https://login.microsoftonline.com
    https://provisioningapi.microsoftonline.com
    https://aadcdn.msauth.net
    https://www.powershellgallery.com
    https://go.microsoft.com
    https://aadcdn.msftauthimages.net

    About your question: is there any communication between NPS and domain controllers?

    Azure doesn't need to communicate with your DCs because AD Connect is in place.
    Finally, your on-prem NPS obviously needs to communicate with your DC.

    See this simple schema from Microsoft that explains the communications between Azure, NPS and the user.
    [screenshot: 145210-screenshot-2021-10-31-at-175652.jpg]

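Before installing the extension, an administrator will usually want to confirm that the NPS server can actually reach the endpoints listed in the answer above, since a blocked outbound path to Azure means MFA prompts never leave the network and RDG logons fail closed. The following PowerShell script is an added example written for this thread; it is not Microsoft's code and is not part of the NPS Extension installer. It assumes it is run on the NPS server itself and uses only Test-NetConnection, so it checks a plain TCP handshake on ports 80 and 443 for each host from the answer; it does not validate a TLS-inspecting proxy or any outbound proxy configuration.

```powershell
# Added example (not from the original thread or from Microsoft):
# check that this NPS server can reach the endpoints the answer above lists,
# over TCP 80 and 443, before running the NPS Extension for Azure MFA setup.
# Run in an elevated PowerShell session on the NPS server.

# Endpoints the extension needs at runtime (from the answer above)
$runtimeHosts = @(
    'adnotifications.windowsazure.com',
    'login.microsoftonline.com',
    'credentials.azure.com'
)

# Endpoints needed only while the setup PowerShell script runs (from the answer above)
$setupHosts = @(
    'provisioningapi.microsoftonline.com',
    'aadcdn.msauth.net',
    'www.powershellgallery.com',
    'go.microsoft.com',
    'aadcdn.msftauthimages.net'
)

function Test-MfaEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int[]]$Ports = @(80, 443)
    )
    foreach ($port in $Ports) {
        # Test-NetConnection only completes a TCP handshake; it does not prove the HTTPS
        # request itself succeeds through a proxy or TLS inspection device.
        $result = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $HostName
            Port      = $port
            Reachable = $result.TcpTestSucceeded
            RemoteIP  = $result.RemoteAddress
            Phase     = if ($runtimeHosts -contains $HostName) { 'runtime' } else { 'setup-only' }
        }
    }
}

$report = foreach ($h in ($runtimeHosts + $setupHosts)) { Test-MfaEndpoint -HostName $h }
$report | Sort-Object Phase, Host, Port | Format-Table -AutoSize

# A runtime endpoint that is blocked on 443 means every MFA request from NPS will fail,
# so treat that as a hard error rather than a warning.
$blocked = $report | Where-Object { $_.Phase -eq 'runtime' -and $_.Port -eq 443 -and -not $_.Reachable }
if ($blocked) {
    $names = ($blocked.Host | Select-Object -Unique) -join ', '
    Write-Error "Runtime MFA endpoints blocked on TCP 443: $names"
    exit 1
}

$setupBlocked = $report | Where-Object { $_.Phase -eq 'setup-only' -and -not $_.Reachable }
if ($setupBlocked) {
    Write-Warning "Setup-only endpoints unreachable; the AzureMfa configuration script may fail until these are opened."
}
```

Run it once before the installer and again after any firewall or proxy change; the runtime hosts are the ones to alert on permanently, because a later outbound rule change that blocks them will silently break every RDG logon that depends on MFA.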

  2. yasser Mohamed AbdelMoneim 291 Reputation points
    2021-10-31T18:04:55.887+00:00

    I would like to thank you for the informative response.

    What are the required firewall ports between on-premises AD and NPS?

    As per the Microsoft document, we should install NPS on the RDS Gateway and on another server located in the internal network, but the NPS Extension should be installed only on the NPS server in the internal network; we shouldn't install the NPS extension on the RDS Gateway.

    What are the required ports between the NPS installed on the RDS Gateway and the NPS on the separate server?

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#install-the-nps-extension
