I’m currently working on a new RDS farm with duo MFA and using HAProxy to pass connections to RD Gateway Servers.
The chain is something like this:
Client → HAProxy → RD-Gateway → RD-Host
Everything so far is working, however I can’t figure out how to pass the original Client IP to the RD-Gateway and/or DUO. Since all connections are identified as the proxy IP address, it’s not possible to differentiate clients or use whitelisting features. On top of that, the DUO Push notification will always list the client location as the HAProxy’s IP address.
I’ve searched all over the DUO forums as well as:
Duo Doco
HAProxy/Aloha doco
F5 load balancer doco
The only thing even remotely close I can find is an old post from 2016 here which went unanswered:
I think you would like The Duo RDG application to pass X-Forwarded-For as the client IP? This is not supported today, but you can contact your Duo account executive or customer success manager if you are working with one, or Duo Support, and ask to be added to the feature request for this.
Cheers for the response. This is in essence what I’d like to do. If I knew where the RDG Application derived the Client IP from then I could look into a way of munging the necessary headers to get that working.
The only things I’ve been able to discover is MS has their own ISA (forefront) system which “somehow” achieves this functionality and passes the original client IP into the RD Gateway Manager. However I can’t really find any documentation on the protocol or how it achieves it.
Alternatively, it may work if the proxy is configured in full passthrough mode, which requires the RD Gateway server to use the proxy as it’s gateway, which brings a whole host of issues with it.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
