Authentication policy for RDP

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Authentication policy for RDP

L5 Sessionator

I have succesfuly implemented auth policy for http and https (with decryption).

But I can't get it to work for RDP. Yes, I know I need GP client for non-browser protocols.


Customer is using MS MFA server. As it's not supported by PA as MFA server we configured it as Radius server.

I have auth profile which uses Radius server profile towards MS MFA.

Captive portal is enabled, in redirect mode, redirects to internal interface of PA, response pages are enabled in mgmt profile, and it uses configured auth profile for MFA (Radius).

We have an auth policy for any service to single server with authenticaon method web-form and same authentication profile for MFA (Radius).

I've  set Enable Inbound Authentication Prompts from MFA Gateways to Yes and I entered both PA interface with captive portal and MFA server address as Trusted MFA Gateways.


When we try a RDP connection; we see the connection in session browser, details say that it hits the correct auth rule, has value False for captive portal and nothing happens. Session isn't logged in traffic log, no new entries in authentication logs, nothing in authd.log. 

Packet capture  shows succesful TCP 3 way handshake and reset form server soon after.



L3 Networker

Did you open udp port 4501 on the host firewall of the host running the GP client? Only with that port open on the host will you see the authentication prompt pop up from the GP client. I had to do this for SSH auth policy. The service in the auth policy will be the TCP RDP port. 

Yeah I did. But didn't see any traffic on that port. Also didn't see that traffic in packet caprure I did on the PC from where I was testing.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!