Start a new topic
In Progress

MFA for Secure Gateway

=== Feature Enhancement Request ===

We're trying out the Multifactor Authentication (MFA, a.k.a, two-factor or 2FA) feature on the Document Store on Royal Server.  It works great!  But that's not quite what we needed.

Can we do MFA on the Royal Server Secure Gateway?  For instance, when the engineers arrive in the morning they would have to MFA to get their first connection through the Secure Gateway but after that, all new sessions would go through the Secure Gateway without re-checking the MFA.

There should probably be a setting for Maximum-Session-Time to time-out the session and force the MFA to repeat.  We'd probably set ours to 30 hours or something to let users get a full day's work in.  

We use Duo Security here but the Microsoft Authenticator is a valid second option for us.

Thank you.

11 people like this idea

@Wolfgang Bäck: right now we plan to enable the already existing MFA providers we support for the document store. Regarding Azure MFA: I'm not sure if we can easily integrate it like the other providers but I kindly ask you to create a dedicated feature request for that and if you happen to know resources like docs for SDKs on how to integrate it in other apps, please include that as well. Thanks!

Any news on when this will arrive?

This will be in the next major version of Royal Server. A beta version will be available in the next few weeks.

Will you have a true Multifactor Authentication (MFA, a.k.a, two-factor or 2FA) feature for your Royal Server Gateway?  One that works for Windows and Linux connections?  If so, when?  We are being pressured by our security team to MFA solution for RDP and SSH connection or to abandon Royal Server completely for another solution that has MFA.  We need firm dates and not "next major version release". My company has over 100K+ users with multiple Royal Server Gateways for multiple domains. We need MFA, because its an industry standard.

Hi Christopher,

yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. Regarding release date, I'm not sure what I can tell you, we can ship it when it's ready. Implementing something like this takes time and needs to be tested. I hope it will be on time for you.


Do you have details on how this MFA will work? [ yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. ]  We don't leverage the Document Store feature, because our various users are limited to specific servers within our environments. Each user runs RoyalTS locally from their laptops and connects to our many Royal Server URLs (different domains) to access PROD or DEV environments.  We obviously leverage our VPN to hit these URLs, but our security team is reporting the VPN requirement will not pass the new security standards.  We need VPN, two different domain accounts (one to pass the gateway and one to access the servers) and the RDP /SSH method has to be MFA.

Will your new enhancement to Royal Server afford us that level of MFA?

Do you have whitepapers on your MFA solution or a demo video>?

Hi Christopher,

the MFA feature for Secure Gateway will work the same same as it works currently for our Document Store:

You can enroll a user for MFA by specifying for which feature this MFA configuration is valid (required for Document Store, required for Secure Gateway) and a caching time for a successful second factor code (in order to not bother users too much. On the Royal TS/X side: If you try to open a connection that has a Secure Gateway connection configured the Royal Server requests the code from the second factor (TOTP, Duo) if this user is configured for MFA and Secure Gateway. If the user is not able to enter the correct MFA code within 3 tries, the connection request is rejected. The caching time is configurable on a per-user-basis (in order to restrict e.g. external employees to a much smaller timeframe)

Let me know if this helps for now.



Do you have a demo\video of this MFA feature for Secure Gateway currently pinned to the Document Store?

How its setup and configured?


Thank you again for assisting all of us with this need.  If possible, please see that all the folks on this thread are given the opportunity to test the BETA version that will be available in the next few weeks.  I'm sure that we are all ready and willing to test this new feature, but also, testing the solution and having a tangible solution onsite, in our labs, will assist in keeping the wolves at bay that REQUIRE an MFA RDP solution ASAP.

Thank you again,

Looks like this is the Royal Server V5 BETA Version now.

I just want to say I've installed damn. I am so impressed with how this is implemented! Great work on this!

Only suggest I can think to make really is on the "Opening Tunnel....."  I would love to see a "Awaiting 2FA" or something like that. 

Other than this, honestly excellent job here. 

Login or Signup to post a comment