Why doesn’t Rublon’s Authorized Networks policy work with RDP via RD Gateway?

Modified on Tue, 7 Oct at 8:53 AM

When RDP is launched through Remote Desktop Gateway (RDG), the Windows Logon component only sees the IP address of the RD Gateway itself, not the original client’s IP. This behavior is inherent to how RD Gateway works: it terminates the HTTPS tunnel and initiates the RDP session on behalf of the client.


As a result, Rublon MFA cannot apply the Authorized Networks policy based on the true source IP, because that information is not passed through to the destination server. The reported IP address will always be the IP address of the Remote Desktop Gateway server.


Can RD Gateway be configured to pass the real client IP?

Unfortunately, no. The RDP host will always see the RD Gateway’s IP as the source. This is not a limitation of Rublon MFA, but rather a consequence of RD Gateway’s architecture, which masks the client IP for security and routing purposes.
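To confirm this on your own RDP host, the following PowerShell check (an added example, not part of Rublon's documentation) groups recent RDP logons by the source address Windows recorded. It assumes that Security log auditing of logon events is enabled and that `$GatewayIp`, a constructed placeholder, is replaced with your RD Gateway's internal address.

```powershell
# Added example: run in an elevated PowerShell session on the RDP host.
# Lists the source IPs that Windows recorded for RDP logons (event 4624,
# LogonType 10 = RemoteInteractive) and marks which ones are the RD Gateway.

$GatewayIp = '10.0.0.10'            # constructed placeholder: your RD Gateway's IP
$Since     = (Get-Date).AddDays(-7) # look back one week

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rdpLogons = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            IpAddress = $data['IpAddress']
        }
    }
}

if (-not $rdpLogons) {
    Write-Output "No RDP (LogonType 10) logons found since $Since."
    return
}

# One row per source address: if every RDP session arrives through RD Gateway,
# the only address listed is the gateway's, whatever network the users were on.
$rdpLogons |
    Group-Object IpAddress |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp';  e = { $_.Name } },
                  Count,
                  @{ n = 'IsGateway'; e = { $_.Name -eq $GatewayIp } },
                  @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
```

Any row where `IsGateway` is `False` is a logon that reached the host without going through RD Gateway, and only for those connections does the host see an address that reflects where the client actually connected from.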


Helpful Links

Rublon MFA for Windows Logon and RDP - Documentation

Rublon MFA for RD Gateway - Documentation
