I've stumbled upon a problem where a Windows 10 (1803) Direct Access client does not utilize the function "Bypass the RD Gateway for local addresses" when using RDWeb Remote Apps. The reason why we want to utilize the bypass feature is because we enforce MFA for external users but don't want it for Direct Access clients.
When using the same Direct Access client with a standalone mstsc.exe and entering the rdcb.contoso.com as the target computer and rds.contoso.com as the gateway with the setting "Bypass the RD Gateway for local addresses" it works, no MFA is enforced for the user.
We have the following setup. The server names and IP-addresses are fictive.
2 nodes RDGW & RDWeb (Server 2016) - SE003.contoso.com and SE004.contoso.com
2 nodes RDCB (Server 2016) - SE005.contoso.com and SE006.contoso.com
2 nodes Azure MFA Server (Server 2016) - SE008.contoso.com and SE009.contoso.com
1 node Direct Access (Server 2016) - SE010.contoso.com
The MFA solution is set up using RADIUS + NPS.
We use Split-DNS.
(RDGW & RDWeb) rds.contoso.com - Externally points to Loadbalancer 12.13.14.15 and internal points 10.1.1.3 and 10.1.1.4 (No LB).
(Direct Access) da.contoso.com - Externally points to Loadbalancer 12.13.14.20 and no internal record.
(Connection Broker) rdcb.contoso.com - Externally points to no record and internal points 10.1.1.5 and 10.1.1.6
The whole *.contoso.com is present in the NRPT table with nls.contoso.com and da.contoso.com as the only excluded entries.
We only use IP-HTTPS for Direct Access.
When we use Test-NetConnection -ComputerName 'rds.contoso.com' -Port 3389 from a Direct Access client the test is successful. When we disconnect the Direct Access tunnel and run the same cmdlet it's not successful. If we change the ComputerName/DNS to rdcb.contoso.com the test is also successful when the Direct Access tunnel is up.
Anyone?
Can this be related?
https://social.technet.microsoft.com/Forums/es-ES/e23a8b8d-f84d-4bb5-aad6-211d83a9aa89/windows-10-1703-breaks-remoteapp-remote-desktop-gateway?forum=winserverTS
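The manual checks described in the post (tunnel up versus tunnel down, name resolution through the NRPT, and the port tests against rds.contoso.com and rdcb.contoso.com) can be collected in one script so the two runs are directly comparable. The script below is an added example and is not code from the post; the host names are the fictive ones from the post, the port list and the idea of tagging each result with the DirectAccess status are assumptions, and the cmdlets used (Get-DAConnectionStatus, Get-DnsClientNrptPolicy, Resolve-DnsName, Test-NetConnection) are standard Windows 10 client cmdlets.

```powershell
# Added diagnostic script (not from the original post). Run it on the Direct Access
# client once with the IP-HTTPS tunnel up and once with it disconnected, then diff
# the two outputs. Host names are the fictive ones from the post; the ports and
# the target list are assumptions for illustration.

$Targets = @(
    @{ Name = 'rds.contoso.com';  Port = 443;  Role = 'RD Gateway / RDWeb (HTTPS)' },
    @{ Name = 'rds.contoso.com';  Port = 3389; Role = 'RD Gateway (RDP)' },
    @{ Name = 'rdcb.contoso.com'; Port = 3389; Role = 'Connection Broker (RDP)' }
)

function Get-DaTunnelState {
    # DirectAccessClientComponents module; absent on machines that are not DA clients.
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    if ($da) { return $da.Status }
    return 'Unknown (Get-DAConnectionStatus unavailable)'
}

function Show-NrptSummary {
    # Which suffixes are sent to the DA DNS servers and which are exempt (NLS, DA FQDN).
    Get-DnsClientNrptPolicy |
        Select-Object Namespace, DirectAccessEnabled, DirectAccessDnsServers |
        Format-Table -AutoSize
}

function Test-RdsPath {
    param([string]$Name, [int]$Port, [string]$Role, [string]$TunnelState)

    # Resolution first: with NRPT in place the answer for *.contoso.com should come
    # from the DA DNS servers (internal record) only while the tunnel is up.
    $resolved = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress

    # Then the TCP test the post runs by hand.
    $tnc = Test-NetConnection -ComputerName $Name -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        TunnelState  = $TunnelState
        Role         = $Role
        Name         = $Name
        Port         = $Port
        ResolvedTo   = ($resolved -join ', ')
        SourceIP     = $tnc.SourceAddress.IPAddress
        TcpSucceeded = $tnc.TcpTestSucceeded
    }
}

$state = Get-DaTunnelState
Write-Host "DirectAccess status: $state"
Show-NrptSummary

$results = foreach ($t in $Targets) {
    Test-RdsPath -Name $t.Name -Port $t.Port -Role $t.Role -TunnelState $state
}
$results | Format-Table -AutoSize

# Optional: keep each run for comparison, e.g. rds-check-<state>.csv in the current folder.
$results | Export-Csv -NoTypeInformation -Path ("rds-check-{0}.csv" -f ($state -replace '[^\w]', '_'))
```

A row where ResolvedTo is an internal 10.x address and TcpSucceeded is True only while TunnelState reports a connected tunnel matches the behaviour described in the post; the same row failing with the tunnel down shows that the name is reachable through the NRPT path rather than through the external load balancer. Comparing the two CSV files side by side makes it easy to show which names the client treats as "local" at the network level, independently of what the RemoteApp client decides about the gateway bypass.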