DUO Auth proxy via http proxy fails to connect


#1

Hello,

I did a POC with a Windows server and DUO auth proxy with a direct internet connection successfully. However, in production the DUO auth proxy is required to connect to the internet via an http proxy. The auth config is updated with the proxy parameters in the [main] section, but it would simply not use the http proxy for some reason. The error from the connectivity tool looks like the one below:

[duoauthproxy.lib.log#warn] The LDAP Server has connectivity problems.
[duoauthproxy.lib.log#info] There are no configuration problems related to connectivity.
[duoauthproxy.lib.log#error] The Auth Proxy was not able to ping Duo at api-xxxxxxxxx.duosecurity.co
[duoauthproxy.lib.log#error] Please check that the api host is correct and that outgoing HTTPS conn
are not blocked, possibly by a firewall.

Additionally, from the same server, I did use the link “https://■■■■/auth/v2/ping” to verify whether port 443 to the api host is allowed via the http proxy, which returned the status OK. So I do not see any issue with the http proxy.

{"response": {"time": 1543420891}, "stat": "OK"}

Any pointers on why DUO Auth proxy is not passing traffic via the http proxy will be greatly appreciated.


#2

The connectivity tool unfortunately doesn’t use the proxy parameters in the [main] section to then test the rest of the sections present in authproxy.cfg, giving a potentially misleading result from that tool. We definitely have plans to fix this.

Did you actually try to authenticate and see that the outbound traffic to Duo didn’t respect the configured proxy settings? A good next step is to enable debug logging on your Duo authentication proxy server. Then you can reproduce the issue and check the log file to see what’s happening.
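Before reproducing with debug logging, it is worth confirming that the proxy settings really sit in the [main] section and that debug is on, since the connectivity tool's verdict cannot be trusted here. The following is an added example, not code from the thread or from Duo: a small offline lint for authproxy.cfg. The key names http_proxy_host, http_proxy_port, debug and api_host are the documented Duo Authentication Proxy options; the two sample configs, their host names, the port 3128 and the ikey/skey values are constructed placeholders, and the check that proxy keys belong in [main] follows the placement described in this thread.

```python
import configparser
import re

# Constructed sample authproxy.cfg that follows the layout discussed in the thread:
# proxy settings and debug in [main], a directory client, and an LDAP server section.
# Host names, port, ikey and skey are placeholders, not real values.
GOOD_CFG = """
[main]
debug=true
http_proxy_host=proxy.example.internal
http_proxy_port=3128

[ad_client]
host=dc1.example.internal
service_account_username=svc-duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=internal

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
client=ad_client
"""

# Constructed misconfiguration: empty [main], proxy keys placed in the server section.
BAD_CFG = """
[main]

[ad_client]
host=dc1.example.internal

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-xxxxxxxx.duosecurity.com
http_proxy_host=proxy.example.internal
http_proxy_port=3128
client=ad_client
"""

REQUIRED_PROXY_KEYS = ("http_proxy_host", "http_proxy_port")
# Duo API hosts have the form api-<id>.duosecurity.com
API_HOST_RE = re.compile(r"^api-[A-Za-z0-9]+\.duosecurity\.com$")


def check_proxy_config(cfg_text):
    """Return a list of findings (plain strings) about proxy and debug settings.

    An empty list means [main] exists, both proxy keys are present there, the
    port is a valid TCP port, debug logging is enabled, no proxy key is placed
    in another section, and every api_host looks like a Duo API hostname.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = []

    if not parser.has_section("main"):
        return ["[main] section is missing; proxy settings have nowhere to live"]

    main = parser["main"]
    for key in REQUIRED_PROXY_KEYS:
        if key not in main or not main[key].strip():
            findings.append(f"[main] is missing {key}")

    port = main.get("http_proxy_port", "").strip()
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"[main] http_proxy_port is not a valid TCP port: {port!r}")

    if main.get("debug", "false").strip().lower() != "true":
        findings.append("[main] debug is not set to true; enable it before reproducing")

    # Proxy keys in any other section are flagged: the thread places them in [main].
    for section in parser.sections():
        if section == "main":
            continue
        for key in REQUIRED_PROXY_KEYS:
            if key in parser[section]:
                findings.append(f"{key} found in [{section}]; it belongs in [main]")
        api_host = parser[section].get("api_host", "").strip()
        if api_host and not API_HOST_RE.match(api_host):
            findings.append(f"[{section}] api_host does not look like a Duo API host: {api_host!r}")

    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CFG", GOOD_CFG), ("BAD_CFG", BAD_CFG)):
        print(name, check_proxy_config(cfg) or ["no findings"])
```

Run it against the real authproxy.cfg by reading the file into a string and passing it to check_proxy_config; the lint never contacts the proxy or Duo, so it only tells you whether the configuration is shaped correctly, which is exactly the part the connectivity tool does not exercise.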


#3

Well yes, I did try to RDP to the server, ignoring the connectivity tool output, but in vain. Debug mode is enabled in the authproxy.cfg file. Here are the last few lines in the authproxy.log file before connection termination:

Duo Security Authentication Proxy 2.10.1 - Init Complete
(TCP Port 389 Closed)
(TLS Port 636 Closed)
[duoauthproxy.modules.ldap_server_auto.■■■■tory#info] Stopping factory <duoauthproxy.modules.ldap_server_auto.■■■■tory instance at 0x02C1B7D8>
Main loop terminated.


#4

The log output you pasted is just from the Duo proxy service shutting down.

I am not sure what “RDP to the server” and “in vain” means? The Duo proxy service should not interfere with your ability to RDP to the server where the Duo proxy is installed.

I did a POC with a Windows server and DUO auth proxy

Does that mean you did a POC of the Duo proxy installed on a Windows server? Or does that mean you did a POC of Duo for Windows Logon, which is in turn configured to use an http proxy for the outbound connection to Duo, and you have also set up the Duo Authentication proxy on a different system to act as the http proxy used by Duo for Windows Logon?

It might be easier for you to contact Duo Support and work through your use case, configuration, and troubleshooting with one of our support engineers than it would be to try to figure this out in the community forum.