F5 Load Balancer / Authorized Networks / RDS Gateway


#1

Has anyone had problems configuring Authorized Networks in Duo when the RDS Gateway is behind an F5 load balancer?

Because the F5 load balancer is proxying the connection between the user and the RDS Gateway, Duo only sees the IP address of the F5 load balancer in the Duo logs.


#2

I would be interested to know the answer to this as well. Same configuration except we use Kemp LBs.

We have our LBs and gateway in a DMZ. The session hosts are in a different subnet. We are trialling the Duo Remote Desktop app install on all session hosts. We have whitelisted the internal LAN but not the DMZ. This means internal users don't get 2FA'd but external users via the gateway do.

Still in trial phase at the moment…


#3

Duo for RDG does not utilize the host name or IP from x-forwarded-for as the client IP. Please contact Duo Support, your CSM, or your AE to open a feature request for this.


#4

Thanks for the update, Kristina.

Would you recommend going around the F5 to get Authorized locations to work?


#5

If you want the Authorized Networks feature to work reliably with Duo for RDG then the client IP received at the RDG server needs to be the actual client IP (which would likely be accomplished by bypassing your load balancer).
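
Added example, not part of the thread and not Duo's code: a small audit over authentication records that measures how many logins show a load balancer address as the source IP, and checks whether any load balancer address sits inside an exempt network (in which case every proxied session would match the exemption). The record layout, addresses and network ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data: (username, source IP recorded for the authentication).
# The field layout is an assumption, not a real Duo log format.
SAMPLE_AUTHS = [
    ("alice", "10.20.0.5"),
    ("bob", "10.20.0.5"),
    ("carol", "10.20.0.5"),
    ("dave", "10.20.0.6"),
    ("erin", "192.168.10.44"),
]
LB_ADDRESSES = ["10.20.0.5", "10.20.0.6"]   # hypothetical load balancer self IPs (DMZ)
AUTHORIZED_NETWORKS = ["192.168.10.0/24"]   # hypothetical internal LAN exempt from 2FA


def audit(auths, lb_addresses, authorized_networks):
    """Summarise how much of the authentication log is masked by the proxy."""
    lbs = {ipaddress.ip_address(a) for a in lb_addresses}
    nets = [ipaddress.ip_network(n, strict=False) for n in authorized_networks]

    # Count authentications per recorded source IP.
    seen = Counter(ipaddress.ip_address(ip) for _, ip in auths)
    masked = sum(count for ip, count in seen.items() if ip in lbs)

    # A load balancer address inside an exempt network means every proxied
    # session, internal or external, would be evaluated as exempt.
    exposed = sorted(str(lb) for lb in lbs if any(lb in net for net in nets))

    return {
        "total": len(auths),
        "masked_by_lb": masked,
        "masked_ratio": masked / len(auths) if auths else 0.0,
        "lb_in_authorized_network": exposed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_AUTHS, LB_ADDRESSES, AUTHORIZED_NETWORKS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A high `masked_ratio` confirms the source IP cannot be used for per-client policy, and a non-empty `lb_in_authorized_network` list is the condition to fix first.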


#6

Thanks DUOKristina for your response.