Issue with Client IP exclude list on MFA

Discussion in 'Parallels Remote Application Server' started by AndreaGiacomin, Feb 3, 2021.

  1. AndreaGiacomin

    AndreaGiacomin Bit Poster

    Messages:
    5
    Hi,
    I noticed a very strange behavior in the client IP exclusion list with the Google Authenticator MFA on two RAS 18 installation. It seeams that the MFA IP exclusion uses the IP address assigned on the client's NIC instead of the source IP address used for connectig to the RAS server.
    I'ill give a simple example of the potential issue.
    RAS server (192.168.10.10) is installed on a headquarter network (192.168.10.0/24) and I'd like to exclude from MFA connection coming from the same subnet. In this example I'll add an IP exclusion range 192.168.10.1-192.168.10.254 to prevent users inside corporate LAN to enter the OTP. This works great!

    But if a user connect from home (or another location) with a public IP, 1.1.1.1 in this example, and his network interface uses 192.168.10.20, he will not get ask to enter the OTP.
     
  2. JasonA6

    JasonA6 Bit Poster

    Messages:
    4
    The only way I was able to get this working for some of our clients was to create 2 gateways (really 4 with load balancers but simplifying for brevity).
    Gateway 1 is accessible internally
    Gateway 2 is in the DMZ and accessible externally
    Internal DNS points to Gateway 1
    External DNS points to Gateway 2
    We set the exclusion list in the RAS console to bypass 2FA for Gateway 1

    If there is a better method I would love to hear it but this was the only way I could get it to work consistently with both Full and HTML5 clients.
     
  3. AndreaGiacomin

    AndreaGiacomin Bit Poster

    Messages:
    5
    In the example above there is a single RAS instance in the DMZ.
     

Share This Page