RD Web and IIS - security

AdamTyler-3751 431 Reputation points
2022-03-12T22:55:58.333+00:00

So I am in the process of building an on-premises Windows RDS implementation on Server 2019, complete with redundant servers for all roles, including the RD Broker. I opted to go with the Azure hosted database for the broker rather than building an on-premises SQL cluster.

The RD Gateway and RD Web roles are installed on the same set of servers. I've actually implemented DUO MFA for the Gateway service and it is working well.

One concern I have with pointing the internet directly at our RD Web services using TCP:443 is the monitoring of failed username and password attempts against IIS. It's crazy to me that Microsoft hasn't included any out-of-the-box comparison to the Linux Fail2Ban product. Can anyone suggest methods of automatically banning IPs after so many failed login attempts against IIS (/rdweb), or perhaps automatically throttling bandwidth for sources that have a certain number of failed login attempts?

What if I wanted to take this a step further and not allow any computer that doesn't meet certain security requirements to log in to RD Web or GW? Say the computer has to have Sophos AV and it has to be up to date, or only computers joined to specific domains can connect, etc.

Regards,
Adam Tyler

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

1 answer

AdamTyler-3751 431 Reputation points
2022-03-21T19:37:45.48+00:00

No one responded to this. The best option I could come up with is putting a reverse proxy out in front of the IIS /RDWeb site. Azure has something called the Azure AD Reverse Proxy now that allows you to do M365 pre-authentication before logging into this IIS site. I'm having some trouble getting it fully working, but it may be worth a look.

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services

1 person found this answer helpful.
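The question asks for a Fail2Ban-style ban of addresses that repeatedly fail to log in to /RDWeb. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes: IIS W3C logging with the default fields is enabled on the RD Web site (the default log folder path is an assumption); a POST to /RDWeb/Pages/<culture>/login.aspx that is answered with HTTP 200 is a failed forms logon (RD Web re-renders the login form on failure and answers a successful logon with a 302 redirect), which is a heuristic, not a documented contract; and clients reach the RD Web servers directly, so c-ip is the real client address. The sample log lines are constructed. The firewall rule name and the threshold are arbitrary choices.

```powershell
# Added example: ban client addresses with repeated failed RD Web form logons,
# parsed from IIS W3C logs, using a Windows Firewall block rule.
# Assumption (heuristic): POST .../login.aspx answered with 200 = failed logon.

$Threshold = 5          # failures from one address before it is banned
$WindowMin = 10         # look-back window in minutes (production mode)
$RuleName  = 'RDWeb-BruteForce-Ban'                 # arbitrary rule name
$LogFolder = 'C:\inetpub\logs\LogFiles\W3SVC1'      # assumed default IIS site log folder
$DryRun    = $true      # set to $false to really create/extend the firewall rule

function Get-RdWebFailures {
    # Parses IIS W3C log lines and returns one object per client address
    # whose failed-logon count since $Since reached $Threshold.
    param([string[]]$Lines, [datetime]$Since, [int]$Threshold)
    $fields = $null
    $hits = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'   # column names
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }       # other directives / no header yet
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }              # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Failed-logon signature (heuristic, see lead-in).
        if ($row['cs-method'] -ne 'POST') { continue }
        if ($row['cs-uri-stem'] -notmatch '^/RDWeb/Pages/[^/]+/login\.aspx$') { continue }
        if ($row['sc-status'] -ne '200') { continue }

        # IIS writes timestamps in UTC with fixed format.
        $ts = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        if ($ts -lt $Since) { continue }
        $hits[$row['c-ip']] = 1 + [int]$hits[$row['c-ip']]
    }
    foreach ($ip in $hits.Keys) {
        if ($hits[$ip] -ge $Threshold) {
            [pscustomobject]@{ Address = $ip; Failures = $hits[$ip] }
        }
    }
}

function Add-BanRule {
    # Creates the inbound block rule on first use; afterwards appends the new
    # offenders to the rule's remote-address list instead of creating duplicates.
    param([string[]]$Addresses, [string]$Name, [switch]$DryRun)
    if ($DryRun) { Write-Host "DRY RUN: would block $($Addresses -join ', ') via rule '$Name'"; return }
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($rule) {
        $current = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress)
        Set-NetFirewallRule -DisplayName $Name -RemoteAddress (@($current + $Addresses) | Select-Object -Unique)
    } else {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 443 -RemoteAddress $Addresses | Out-Null
    }
}

# Constructed sample log (not real data): 203.0.113.7 fails six times, 198.51.100.4 logs in once.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-03-12 22:40:01 10.0.0.5 GET /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-03-12 22:40:03 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2022-03-12 22:40:05 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 118
2022-03-12 22:40:07 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 121
2022-03-12 22:40:09 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 119
2022-03-12 22:40:11 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 117
2022-03-12 22:40:13 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 122
2022-03-12 22:41:10 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.4 Mozilla/5.0 - 302 0 0 98
'@

# Offline demo against the sample. In production, replace these two lines with:
#   $Lines = Get-Content (Get-ChildItem $LogFolder -Filter 'u_ex*.log' | Sort-Object LastWriteTime | Select-Object -Last 1).FullName
#   $Since = (Get-Date).ToUniversalTime().AddMinutes(-$WindowMin)
$Lines = $SampleLog -split "`r?`n"
$Since = [datetime]::ParseExact('2022-03-12 22:35:00', 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)

$offenders = Get-RdWebFailures -Lines $Lines -Since $Since -Threshold $Threshold
$offenders | Format-Table -AutoSize          # expected: 203.0.113.7 with 6 failures; 198.51.100.4 is not listed
if ($offenders) { Add-BanRule -Addresses $offenders.Address -Name $RuleName -DryRun:$DryRun }
```

Run it as a scheduled task every couple of minutes on each RD Web server, with `$DryRun` left on until the 200-vs-302 heuristic has been confirmed against your own logs. Two caveats a practitioner should expect: if the RD Web site sits behind a load balancer or reverse proxy (including the Azure AD Application Proxy mentioned in the answer), `c-ip` is the proxy's address and banning it would block everyone, so the client address would have to come from an X-Forwarded-For custom log field instead; and failed RD Gateway authentications are a separate stream (the TerminalServices-Gateway operational log), so this script by itself does not cover the gateway path.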
