Firewall ports to open so secure duo works correctly?


Hello !

I am new to the solution. I need to secure 4 servers, those servers have no access to the internet whatsoever. I need the solution to work, what is the bare minimum I need to open on my firewall so the solution works correctly ? the servers are allowed to talk only to the internet for this solution to work only.

Thank you :slight_smile:



You should only need https (tcp port 443) open outbound to


I figured out the TCP 443 part. But I created the ACL toward the single IP of my API.

Instead of

Do you have a /16 or /24 I could restrain the destination ? Your API are maybe all on the same public subnet ? I will be challenge internally for opening 443 to

Thank you for your reply. I understand I’m using the free version because I only need 7 account secured, but I would pay for this fantastic solution if you would tell me to.


that’s a question for Duo support if they have ranges you can lock down to. My guess is they don’t have ranges or static IPs which is why they are telling you to open to


Hey there!

We have a public knowledge base at that has answers to frequently asked questions like this one.

What are Duo’s IP ranges?

The article reiterates that we may change the IP ranges at any time, so to avoid disruption it is better to permit traffic using Duo API hostname FQDN if your firewall has that option.