Duo with NetMotion Mobility

Installed Duo Authentication for Windows Logon on some laptops; the devices also have NetMotion Mobility installed on them. When logging in, since we are failing open, it bypasses the MFA prompt. Works great if we turn off the NetMotion “Load Client when Windows starts” check mark. The error in the log we are getting is:

1100 [Error] WINHTTP_CALLBACK_STATUS_REQUEST_ERROR notification from WinHttpSendRequest: 12007
1100 [Error] Failure during WinHttp call (WinHttpSendRequest): The server name or address could not be resolved
[12007]
1100 [Warning] WinHttp exception encountered ‘There was an error communicating with the Duo authentication server. Please try again. (12007)’
1100 [Info] WinHttp exception; retrying up to limit

Any help or suggestions would be appreciated!

It appears that the Duo Windows client isn’t able to contact Duo’s service from that log excerpt.

When you have the NetMotion “Load Client when Windows starts” option enabled, are you also enabling the “Connect on startup” NetMotion option? It could be that when the Mobility client is starting in that Windows pre-logon state, it isn’t connected to the Mobility server and blocks outbound Internet connections until a session to the Mobility server gets established. Is it possible your Mobility Passthrough settings are blocking that traffic to Duo? https://help.netmotionsoftware.com/support/docs/MobilityXG/1100/help/mobilityhelp.htm#page/Mobility%20Server%2Fconfig.05.097.html

You could also consider enabling offline access for the Duo Windows Logon client, so that even when traffic to Duo is blocked, enrolled users need to complete 2FA.
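For triaging logs like the excerpt in the question, here is an added example (not part of the thread, and not Duo or NetMotion code) that re-joins wrapped log lines, extracts the WinHTTP error codes from Error entries, and names the failure class, so a fail-open caused by blocked DNS can be told apart from a timeout or refused connection. It assumes the line shape shown in the excerpt (`<number> [<Level>] <message>`); the function names are hypothetical, and the code meanings are the standard WinHTTP constants.

```python
import re
from collections import Counter

# Standard WinHTTP error constants and what each implies for reachability.
WINHTTP_CAUSES = {
    12002: "timeout: request sent but no answer came back",
    12007: "name not resolved: DNS lookup failed",
    12029: "cannot connect: TCP connection to the service failed",
}

# Assumed line shape, taken from the excerpt: "<number> [<Level>] <message>".
LINE_RE = re.compile(r"^(\d+) \[(Error|Warning|Info)\] (.*)$")
CODE_RE = re.compile(r"(?:: |\[|\()(12\d{3})(?:\]|\)|$)")


def parse_events(text):
    """Return (number, level, message) tuples; wrapped lines are re-joined."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            events.append([m.group(1), m.group(2), m.group(3)])
        elif line and events:
            # A bare continuation such as "[12007]" belongs to the previous entry.
            events[-1][2] += " " + line
    return [tuple(e) for e in events]


def summarize(text):
    """Count WinHTTP codes seen in Error entries and note whether a retry followed."""
    events = parse_events(text)
    codes = Counter()
    for _num, level, msg in events:
        if level == "Error":
            codes.update(int(c) for c in CODE_RE.findall(msg))
    retried = any("retrying" in msg for _n, _l, msg in events)
    causes = {c: WINHTTP_CAUSES.get(c, "unrecognized code") for c in codes}
    return {"codes": dict(codes), "causes": causes, "retried": retried}


# Sample input: the log excerpt quoted in the question above.
SAMPLE = """\
1100 [Error] WINHTTP_CALLBACK_STATUS_REQUEST_ERROR notification from WinHttpSendRequest: 12007
1100 [Error] Failure during WinHttp call (WinHttpSendRequest): The server name or address could not be resolved
[12007]
1100 [Warning] WinHttp exception encountered ‘There was an error communicating with the Duo authentication server. Please try again. (12007)’
1100 [Info] WinHttp exception; retrying up to limit
"""
```

On the excerpt, `summarize(SAMPLE)` reports only code 12007 (name resolution), which fits the reply's point that outbound traffic is blocked before logon rather than Duo's service being down.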