Start a new topic

MFA for Secure Gateway

=== Feature Enhancement Request ===

We're trying out the Multifactor Authentication (MFA, a.k.a, two-factor or 2FA) feature on the Document Store on Royal Server.  It works great!  But that's not quite what we needed.


Can we do MFA on the Royal Server Secure Gateway?  For instance, when the engineers arrive in the morning they would have to MFA to get their first connection through the Secure Gateway but after that, all new sessions would go through the Secure Gateway without re-checking the MFA.


There should probably be a setting for Maximum-Session-Time to time-out the session and force the MFA to repeat.  We'd probably set ours to 30 hours or something to let users get a full day's work in.  


We use Duo Security here but the Microsoft Authenticator is a valid second option for us.


Thank you.


8 people like this idea

Unfortunately we still have no ETA for the 3rd party vendor component. Not sure if we are able to implement it in the V4 release. Might be V4.1 or so.

I saw this the other day when i logged into the Royal Server.


We're looking for a similar solution to provide MFA to the secure gateway before being able to access remote sessions. This is a huge auditing item and would certainly be a selling point for us. I'm going to subscribe as well. Is there a formal place to put in feature requests, or is this the correct forum?

SAML or Radius would do. If we had Radius we could just use Windows NPS and AzureAD extension to do MFA. Either fits our requirements. 

RADIUS would be even better imo because you could proxy RADIUS requests to an MFA provider to still give you the MFA ability.

I'm going to be demoing RoyalTS / Royal Server to our security team, and I'm likely to get shot down over this missing feature.  I'll be waiting to see how this develops.

Would really love to see Duo or Google Auth on the gateway, or really any standard internet-based 2FA authenticator.

We'd love to see this feature too!

Any update on MFA for Royal Gateway?


It is now a security requirement for us to MFA all external URLs (even if pinned to VPN), so we need this feature ASAP.  What is the ETA?

We don't have yet an ETA as Rebex is still working on it. When we get a new version with MFA support we will provide a new version as soon as possible.

Yeah, We've hit the MFA roadblock in our evaluation as well. I can't propose Royal TS as a solution without it, we've just deployed DUO on our jump environment as an audit requirement and it's non negotiable :(


I am thinking of trying to leverage a linux openssh securegateway with powershell core installed and use PSSession to scan Dynamic folder via SSH. In theory I should be able to use the duo linux client to protect sshd and have it fire that way. I'll report back if this approach is viable



1 person likes this

I'm the exact same as Stephen, I love the solution as a whole but it's hard to justify without the 2FA upon connection

I'm sorry this has taken so long but I just wanted to let you know that we are working on this. Stay tuned...

Login or Signup to post a comment