When RDP is launched through Remote Desktop Gateway (RDG), the Windows Logon component only sees the IP address of the RD Gateway itself, not the original client’s IP. This behavior is inherent to how RD Gateway works: it terminates the HTTPS tunnel and initiates the RDP session on behalf of the client.
Because the true source IP is not passed through to the destination server, Rublon MFA cannot correctly evaluate any policy that relies on the user’s real IP address. This affects both:
• Authorized Networks Policy - the server always reports the RD Gateway’s IP, so the client’s network cannot be matched.
• Geolocation Policy - the user’s actual geographic location cannot be determined, because the IP belongs to the RD Gateway, not the user.
As a result, both policies will always evaluate based on the RD Gateway’s IP address rather than the client’s real IP.
Can RD Gateway be configured to pass the real client IP?
Unfortunately, no. The RDP host will always see the RD Gateway’s IP as the source. This is not a limitation of Rublon MFA, but rather a consequence of RD Gateway’s architecture, which masks the client IP for security and routing purposes.
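One way to confirm this behavior on an RDP host, as an added example (not Rublon's code or part of the original article): the script below summarizes the source addresses the host recorded for remote sessions and flags the ones that match the RD Gateway. The `$GatewayIp` value is a placeholder, and `$Days` and the use of events 21 and 25 from the LocalSessionManager operational log are assumptions of this example.

```powershell
# Added example: summarize the source addresses this RDP host recorded for
# remote sessions, to see how many users appear behind the RD Gateway's IP.
param(
    # Assumption: placeholder value; set this to your RD Gateway's IP address.
    [string]$GatewayIp = '192.0.2.10',
    # Assumption: how many days of history to inspect.
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 25      # 21 = session logon succeeded, 25 = session reconnected
    StartTime = (Get-Date).AddDays(-$Days)
}

# Pull user and source address out of each event's XML payload.
$sessions = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data.User
            Address = $data.Address
        }
    } |
    Where-Object { $_.Address -and $_.Address -ne 'LOCAL' }   # skip console logons

# One row per source address: many distinct users behind a single address is
# what a gateway-fronted host looks like to any IP-based policy.
$sessions |
    Group-Object Address |
    ForEach-Object {
        [pscustomobject]@{
            SourceAddress = $_.Name
            ViaGateway    = ($_.Name -eq $GatewayIp)
            Sessions      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Sessions -Descending |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RDP host. Rows where `ViaGateway` is `True` are sessions for which the host, and therefore any IP-based policy evaluated on it, only had the gateway's address to work with.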