Microsoft RDS with Mideye+

Introduction

The purpose of this integration guide is to provide guidelines on how to integrate Mideye Touch-Accept with Remote Desktop Services 2012, 2016 and 2019.

Requirements and limitations

This implementation requires end users to have the Mideye+ app installed on their smartphones. Mideye Server release 4.7.2 is required, but it is recommended to update to the latest release 5.

Prerequisites

This guide assumes that a functional RDS environment with a Remote Desktop Gateway is already installed.

Network Policy Server (NPS)

An NPS must be configured and added to the LDAP profile on the Mideye Server. Please refer to the section Network Policy Server in the reference guide for how to add and configure an NPS. Be advised that this NPS is not the same NPS as the one installed on the Remote Desktop Gateway: the NPS used by the Mideye Server must be installed on a different server.

Configure the Remote Desktop Gateway (RD-gateway)

Open Remote Desktop Gateway Manager, right-click the server and select Properties. Navigate to “RD CAP Store” and select “Central server running NPS”. Enter the hostname or IP address of the Mideye Server and click “Add”. Add a shared secret and note it down; it is used again later, when the RD Gateway is added as a RADIUS client on the Mideye Server.

Change authentication to “Central server running NPS” and add the Mideye Server.

Configure the NPS on the RD-Gateway

The RD Gateway uses its own NPS to send the RADIUS request to the Mideye Server. To configure this NPS, first change the timeout settings so that the RD Gateway does not time out before the two-step verification has completed. You also need to configure the NPS to accept RADIUS authentications from the Mideye Server.

On the RD Gateway server, open NPS, navigate to RADIUS Clients and Servers in the left column and select “Remote RADIUS Server Groups”. Select “TS GATEWAY SERVER GROUP”. Edit the RADIUS server and select the Load Balancing tab. Change both “Number of seconds without response before request is considered dropped” and “Number of seconds between requests when server is identified as unavailable” to 35 seconds.

Change the timeout to 35 seconds.

Go to the Authentication/Accounting tab and verify that the RADIUS port matches the RADIUS port configured on the Mideye Server.

Right-click RADIUS Clients under RADIUS Clients and Servers in the left column, select “New” and add the Mideye Server as a RADIUS client. Choose a friendly name and specify a shared secret.

Add the Mideye Server as a RADIUS-client

Open the policies menu in the left column and select “Connection Request Policies”. Right-click “TS GATEWAY AUTHORIZATION POLICY” and select “Duplicate Policy”.

Duplicate the TS GATEWAY AUTHORIZATION POLICY

Open the new policy and go to the Conditions tab. Add a condition that matches the Client Friendly Name with the friendly name set previously for the Mideye Server RADIUS client.

Add the Mideye server as a client friendly name

Go to the Settings tab and select Authentication. Change the Authentication Provider to “Authenticate requests on this server”. This prevents a loop in which the response coming back from the Mideye Server is forwarded to the Mideye Server again.
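The two NPS changes above that do not involve the policy editor (the 35-second timeouts on the remote RADIUS server and the Mideye Server RADIUS client) can be scripted on the RD Gateway. The following is an added example, not part of the Mideye guide; it uses the NPS PowerShell module that ships with the NPS role. The address 10.0.0.20 and the friendly name Mideye-Server are placeholders, and the -Timeout/-Blackout parameter names should be confirmed with Get-Help on the host, since NPS cmdlet parameters differ slightly between Windows Server releases. The policy duplication and the Client Friendly Name condition are still done in the NPS console as described above.

```powershell
# Added example (not from the Mideye guide). Run in an elevated PowerShell
# session on the RD Gateway.
Import-Module NPS

$MideyeServer   = '10.0.0.20'               # placeholder: Mideye Server IP/hostname
$FriendlyName   = 'Mideye-Server'           # placeholder: reused as the Client Friendly Name condition
$GroupName      = 'TS GATEWAY SERVER GROUP' # group created by the RD Gateway role
$TimeoutSeconds = 35

# Prompt for the shared secret so it is not stored in the script or shell history.
$secure = Read-Host -Prompt 'Shared secret (identical on all three RADIUS servers)' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. Load Balancing tab: seconds without response before the request is dropped
#    (Timeout) and seconds between requests once the server is marked unavailable
#    (Blackout). Both are set to 35 so the push verification has time to complete.
Set-NpsRemoteRadiusServer -GroupName $GroupName -Address $MideyeServer `
    -Timeout $TimeoutSeconds -Blackout $TimeoutSeconds

# 2. Register the Mideye Server as a RADIUS client (idempotent: skip if present).
if (-not (Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName })) {
    New-NpsRadiusClient -Name $FriendlyName -Address $MideyeServer -SharedSecret $secret
}

# Verify: the remote server should show Timeout/Blackout = 35 and the auth port
# used by the Mideye Server; the client should be listed under its friendly name.
Get-NpsRemoteRadiusServer -GroupName $GroupName | Format-List *
Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName } | Format-List *
```

The Format-List output is also a convenient way to confirm that the AuthPort on the remote server entry matches the RADIUS port the Mideye Server listens on, which is the manual check on the Authentication/Accounting tab.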

Modify the Mideye server

Navigate to the Mideye Server's web GUI and select “Configure” followed by “RADIUS clients”. Refer to the section RADIUS clients in the reference guide on how to add the RD Gateway as a RADIUS client and set the shared secret.

Add username filtering and force Mideye+

Edit the created RADIUS client and navigate to “Username Filtering”. Select “Prefix” as the filter method and add a \ as the filter separator. This automatically removes the domain\ prefix for users who still log in with the NT login format (domain\username).

Add a filter separator

Navigate to “Client Configuration” and check the “Require Mideye+ app”.

Network Policy Server used by Mideye Server

When the Mideye Server receives RADIUS requests from the NPS located on the RD Gateway, it forwards them to a second NPS server to validate the request. Make sure that the following steps are checked:

  1. The shared secret must be identical on all three RADIUS servers. This means that the shared secret on the RD Gateway NPS, the Mideye Server and the Mideye Server NPS must be the same.
  2. Make sure that the firewall allows two-way communication on the RADIUS UDP port between all three servers.
  3. If not already configured, the LDAP profile that is used by the RADIUS client on the Mideye Server must have a Network Policy Server configured. Refer to the section Network Policy Server in the reference guide on how to set this up.

Modify the Network Policy Server used by Mideye Server

Open the Network Policy Server console used by the Mideye Server. Navigate to RADIUS Clients and Servers and make sure that the Mideye Server is listed as a RADIUS client.

If not already added, add the Mideye Server as a RADIUS client.
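Checklist items 2 and 3 above, and the RADIUS client check on this second NPS, can be verified from PowerShell on the NPS used by the Mideye Server. This is an added example, not part of the Mideye guide. It assumes the Mideye Server address 10.0.0.20, the friendly name Mideye-Server and the standard RADIUS authentication port 1812 as placeholders; use the port actually configured on the Mideye Server. The firewall rule is scoped to the Mideye Server's address rather than to any source.

```powershell
# Added example (not from the Mideye guide). Run elevated on the NPS that the
# Mideye Server's LDAP profile points to.
Import-Module NPS

$MideyeServer = '10.0.0.20'      # placeholder: Mideye Server IP/hostname
$FriendlyName = 'Mideye-Server'  # placeholder: friendly name used in the policy condition
$RadiusPort   = 1812             # placeholder: must equal the Mideye Server's RADIUS auth port

# Check 1: the Mideye Server is registered as a RADIUS client on this NPS.
$client = Get-NpsRadiusClient | Where-Object { $_.Name -eq $FriendlyName }
if (-not $client) {
    Write-Warning "RADIUS client '$FriendlyName' is missing; add it in the NPS console first."
}

# Check 2: inbound RADIUS from the Mideye Server only. The NPS role normally
# installs its own 'Network Policy Server (RADIUS)' rules; this explicit rule
# narrows the allowed source to the Mideye Server.
$ruleName = "RADIUS from $FriendlyName (UDP $RadiusPort)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort $RadiusPort -RemoteAddress $MideyeServer -Action Allow -Profile Domain
}

# Check 3: the NPS service (service name IAS) is running and bound to the port.
Get-Service -Name IAS | Select-Object Name, Status
$listener = Get-NetUDPEndpoint -LocalPort $RadiusPort -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on UDP $RadiusPort; check the NPS port settings."
} else {
    $listener | Select-Object LocalAddress, LocalPort, OwningProcess
}
```

A request that is dropped silently by the firewall looks the same to the RD Gateway as a slow push verification, so when logins fail with a timeout it is worth running these checks before adjusting the 35-second values.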

Navigate to Policies followed by “Connection Request Policies”. Right-click and select “New”. Add the configuration as listed below:

  • Policy Name: Friendly name for the policy
  • Type of network access server: Remote Desktop Gateway
  • Conditions: NAS Port Type: Virtual (VPN)
  • Conditions: Client Friendly name: Friendly name of the RADIUS client (Mideye Server)
  • Authentication: Authenticate requests on this server
  • Authentication methods: Do not override (will be added in the Network Policy later in this guide)

Add a NAS Port Type and a client friendly name

Finish the wizard and navigate to “Network Policies”, right-click and select “New”. Add the configuration as listed below:

  • Policy Name: Friendly name for the policy
  • Type of network access server: Remote Desktop Gateway
  • Conditions: Windows Group (Add user group(s) that should be allowed access)
  • Conditions: NAS Port Type: Virtual (VPN)
  • Access Permissions: Access granted
  • Configure authentication methods: Only check “Allow clients to connect without negotiating an authentication method”

Troubleshooting

For further support, please contact Mideye support: support@mideye.com, +46854514750.