I’m currently working on a new RDS farm with Duo MFA and using HAProxy to pass connections to RD Gateway Servers.
The chain is something like this:
Client -> HAProxy -> RD-Gateway -> RD-Host
Everything so far is working; however, I can’t figure out how to pass the original Client IP to the RD-Gateway and/or DUO. Since all connections are identified as the proxy IP address, it’s not possible to differentiate clients or use whitelisting features. On top of that, the DUO Push notification will always list the client location as the HAProxy’s IP address.
I’ve searched all over the DUO forums as well as:
- Duo Doco
- HAProxy/Aloha doco
- F5 load balancer doco
The only thing even remotely close I can find is an old post from 2016 here which went unanswered: