I’m going to be demoing RoyalTS / Royal Server to our security team, and I’m likely to get shot down over this missing feature. I’ll be waiting to see how this develops.
Would really love to see Duo or Google Auth on the gateway, or really any standard internet-based 2FA authenticator.
We’d love to see this feature too!
Any update on MFA for Royal Gateway?
It is now a security requirement for us to MFA all external URLs (even if pinned to VPN), so we need this feature ASAP. What is the ETA?
We don’t have yet an ETA as Rebex is still working on it. When we get a new version with MFA support we will provide a new version as soon as possible.
Yeah, We’ve hit the MFA roadblock in our evaluation as well. I can’t propose Royal TS as a solution without it, we’ve just deployed DUO on our jump environment as an audit requirement and it’s non negotiable 
I am thinking of trying to leverage a linux openssh securegateway with powershell core installed and use PSSession to scan Dynamic folder via SSH. In theory I should be able to use the duo linux client to protect sshd and have it fire that way. I’ll report back if this approach is viable
I’m the exact same as Stephen, I love the solution as a whole but it’s hard to justify without the 2FA upon connection
I’m sorry this has taken so long but I just wanted to let you know that we are working on this. Stay tuned…
We too need the 2FA component. We’re searching vendors for solutions and I’ve been a RoyalTS user for 8+ years. Please let your engineering and pm teams understand how important this is in today’s network environment. We’d love to rollout RoyalTS as our solution for MFA SSH and RDP.
We would love to see an Azure MFA integration or Microsoft authenticator.
@Wolfgang Bäck: right now we plan to enable the already existing MFA providers we support for the document store. Regarding Azure MFA: I’m not sure if we can easily integrate it like the other providers but I kindly ask you to create a dedicated feature request for that and if you happen to know resources like docs for SDKs on how to integrate it in other apps, please include that as well. Thanks!
Any news on when this will arrive?
This will be in the next major version of Royal Server. A beta version will be available in the next few weeks.
Will you have a true Multifactor Authentication (MFA, a.k.a, two-factor or 2FA) feature for your Royal Server Gateway? One that works for Windows and Linux connections? If so, when? We are being pressured by our security team to MFA solution for RDP and SSH connection or to abandon Royal Server completely for another solution that has MFA. We need firm dates and not “next major version release”. My company has over 100K+ users with multiple Royal Server Gateways for multiple domains. We need MFA, because its an industry standard.
Hi Christopher,
yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. Regarding release date, I’m not sure what I can tell you, we can ship it when it’s ready. Implementing something like this takes time and needs to be tested. I hope it will be on time for you.
Regards,
Stefan
Do you have details on how this MFA will work? [ yes the Google TOTP and Duo will be applicable to the Document Store AND Secure Gateway Connections. ] We don’t leverage the Document Store feature, because our various users are limited to specific servers within our environments. Each user runs RoyalTS locally from their laptops and connects to our many Royal Server URLs (different domains) to access PROD or DEV environments. We obviously leverage our VPN to hit these URLs, but our security team is reporting the VPN requirement will not pass the new security standards. We need VPN, two different domain accounts (one to pass the gateway and one to access the servers) and the RDP /SSH method has to be MFA.
Will your new enhancement to Royal Server afford us that level of MFA?
Do you have whitepapers on your MFA solution or a demo video>?
Hi Christopher,
the MFA feature for Secure Gateway will work the same same as it works currently for our Document Store:
You can enroll a user for MFA by specifying for which feature this MFA configuration is valid (required for Document Store, required for Secure Gateway) and a caching time for a successful second factor code (in order to not bother users too much. On the Royal TS/X side: If you try to open a connection that has a Secure Gateway connection configured the Royal Server requests the code from the second factor (TOTP, Duo) if this user is configured for MFA and Secure Gateway. If the user is not able to enter the correct MFA code within 3 tries, the connection request is rejected. The caching time is configurable on a per-user-basis (in order to restrict e.g. external employees to a much smaller timeframe)
Let me know if this helps for now.
cheers,
Michael
Do you have a demo\video of this MFA feature for Secure Gateway currently pinned to the Document Store?
How its setup and configured?
Stefan,
Thank you again for assisting all of us with this need. If possible, please see that all the folks on this thread are given the opportunity to test the BETA version that will be available in the next few weeks. I’m sure that we are all ready and willing to test this new feature, but also, testing the solution and having a tangible solution onsite, in our labs, will assist in keeping the wolves at bay that REQUIRE an MFA RDP solution ASAP.
Thank you again,
Looks like this is the Royal Server V5 BETA Version now.
I just want to say I’ve installed damn. I am so impressed with how this is implemented! Great work on this!
Only suggest I can think to make really is on the “Opening Tunnel…” I would love to see a “Awaiting 2FA” or something like that.
Other than this, honestly excellent job here.