In Progress

MFA for Secure Gateway

=== Feature Enhancement Request ===

We're trying out the Multifactor Authentication (MFA, a.k.a. two-factor or 2FA) feature on the Document Store on Royal Server. It works great! But that's not quite what we needed.


Can we do MFA on the Royal Server Secure Gateway?  For instance, when the engineers arrive in the morning they would have to MFA to get their first connection through the Secure Gateway but after that, all new sessions would go through the Secure Gateway without re-checking the MFA.


There should probably be a setting for Maximum-Session-Time to time-out the session and force the MFA to repeat.  We'd probably set ours to 30 hours or something to let users get a full day's work in.  


We use Duo Security here but the Microsoft Authenticator is a valid second option for us.


Thank you.


11 people like this idea

2FA is a hard requirement from our security team. What progress or updates can you provide for this feature?


Thanks

Dan


2 people like this

This would be an awesome feature.


1 person likes this

We would definitely like to see this as well. Duo or Google Auth would work for us.

1 person likes this

This is already available, any idea how to use this feature?


1 person likes this

Thanks, Dan. We will look into it and update this thread once we have something to share.


1 person likes this

Yeah, we've hit the MFA roadblock in our evaluation as well. I can't propose Royal TS as a solution without it, we've just deployed DUO on our jump environment as an audit requirement and it's non-negotiable :(


I am thinking of trying to leverage a Linux OpenSSH secure gateway with PowerShell Core installed and use PSSession to scan Dynamic folder via SSH. In theory I should be able to use the Duo Linux client to protect sshd and have it fire that way. I'll report back if this approach is viable.



1 person likes this

I am evaluating RoyalServer for use in our environment and MFA on the Secure Gateway is an absolute must for us as well. Has this feature been officially added to the product roadmap?


1 person likes this

Any news on this?


1 person likes this

This would be welcome on our side as well.

Will you have a true Multifactor Authentication (MFA, a.k.a. two-factor or 2FA) feature for your Royal Server Gateway? One that works for Windows and Linux connections? If so, when? We are being pressured by our security team to have an MFA solution for RDP and SSH connections or to abandon Royal Server completely for another solution that has MFA. We need firm dates and not "next major version release". My company has over 100K+ users with multiple Royal Server Gateways for multiple domains. We need MFA, because it's an industry standard.

Hi Christopher,


yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. Regarding release date, I'm not sure what I can tell you, we can ship it when it's ready. Implementing something like this takes time and needs to be tested. I hope it will be on time for you.


Regards,
Stefan

I'm not sure if and when we can implement this. The 3rd party component we are using doesn't have an API we could hook into. We contacted the vendor and asked for this but we haven't got a response yet.


Rest assured, as soon as this is possible, we will implement it.


Sorry for the bad news.

Looks like this is the Royal Server V5 BETA Version now.


I just want to say I've installed damn. I am so impressed with how this is implemented! Great work on this!


Only suggestion I can think to make really is on the "Opening Tunnel....." I would love to see an "Awaiting 2FA" or something like that.


Other than this, honestly excellent job here. 

Thanks for the kind words, Robert! I'm glad the implementation works well for you.


Since the MFA code prompt is triggered by a custom authentication request on the SSH protocol level, we actually don't know if an MFA code will be requested until we get the authentication request on the client side. Therefore it will not be possible to figure this out beforehand and let the client display a different message at that point. Sorry!

Do you have details on how this MFA will work? [ yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. ] We don't leverage the Document Store feature, because our various users are limited to specific servers within our environments. Each user runs RoyalTS locally from their laptops and connects to our many Royal Server URLs (different domains) to access PROD or DEV environments. We obviously leverage our VPN to hit these URLs, but our security team is reporting the VPN requirement will not pass the new security standards. We need VPN, two different domain accounts (one to pass the gateway and one to access the servers) and the RDP/SSH method has to be MFA.


Will your new enhancement to Royal Server afford us that level of MFA?


Do you have whitepapers on your MFA solution or a demo video?