Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1981
Views
0
Helpful
5
Replies

I wish to add an additional Proxy to an Existing 'Directory Sync'

StavrosK1
Level 1
Level 1

‎05-19-2021 02:03 PM

We are new to Duo and we had 1 x Proxy Setup with 1 x Directory Sync. Everything was working well. I would like to have 2x Proxy Servers for High Availability, so I have a 2nd Proxy Server Setup and configured in Duo Admin Panel.

This 2nd Proxy is associatged with a 2nd ‘Directory Sync’ option. I have the correct ikey, SKey and api_host information on the configuration file and it can connect to Duo Admin Panel with the test connection option. However, we want to use the same AD-Group for our selected groups. When I add the group to teh 2nd Proxy the same group is removed from the 1st Proxy.

I now am understanding that a better design is to have the 2nd proxy server to be used by the same Directory Sync. instance. What and how can I achieve our goals to have 2 x Proxy Servers running side by side (Active/Active) and use the same AD group as well for the selected group option.

Labels:
0 Helpful
5 Replies 5

StavrosK1
Level 1
Level 1

‎05-19-2021 02:12 PM

I s the answer to edit the configuration file and simply have the same ikey, skey and api_host that is associated with the first Directory Sync option?

How will I know that both Radius servers are working correctly when I click the test button from the DUO Admin panel?

Can I use the same AD group for the Selected groups section with 2 separate Radius Servers running in a Active/Active HA capacity?

0 Helpful

StavrosK1
Level 1
Level 1

‎05-19-2021 02:27 PM

Or is the answer to create a new AD-Security Group. Then Just add the original AD group in the new Security group so it will nest the groups that are below it?

0 Helpful

Amy2
Level 5
Level 5

‎05-20-2021 06:59 AM

Hi @StravosK, welcome to the Duo Community and thank you for all of your great questions here! Have you read our Best practices guide for setting up the Duo Authentication Proxy for high availability and disaster recovery? If not, that’s a really great place to start, as it also links to other helpful articles related to the Duo Auth Proxy.

I would also recommend you take our free, 30-minute course on Duo Level Up “The Authentication Proxy in Action”. It covers everything you need to know in order to be able to successfully configure and troubleshoot the auth proxy for your given environment and situation.

Based on this article, “If running multiple Duo Authentication Proxies for high availability, can I have a [cloud] section for Directory Sync in each?”, I think you would use the same [cloud] section in each, so long as they are associated with the same ikey (integration key).

I’m not sure about the rest though. I’ll take this back to our internal team and see if I can get some more specific answers for you.

0 Helpful

StavrosK1
Level 1
Level 1
In response to Amy2

‎05-20-2021 07:26 AM

Hello,

To be clear that i understand the suggestion. I should try to configure both proxy Servers (Duo Proxy Server #1, Duo Proxy Server #2)'s configuration file to have the same information under the [cloud] section. So the [cloud] section will have the same:

  • ikey
  • skey
  • api_host

tieing it to 1 specific Directory Sync (from the DUO Admin Panel) instead of having each Proxy Server associated with its own separate Directory Sync in the DUO Admin Panel. If that is correct, I was thinking of trying that and I am glad that you emailed me this.

I will look at the links that you provided me as well. Thank yo and I will let you know how things work.

Peter J. Kafkas

**edited to remove personal identifying info per the Community Guidelines to protect your privacy and security

0 Helpful

Amy2
Level 5
Level 5
In response to StavrosK1

‎05-20-2021 08:06 AM

Hi Peter,
Heads up, I edited your post to remove your personal info since this is a public forum, and it could pose both a privacy and security risk.

I am not sure to be honest, let me check with the team and have someone who is better at this than I am verify I will follow up with you!

Edit/Update: Yes you will use the same exact [cloud] section with same:

  • ikey
  • skey
  • api_host

Your response is exactly correct. This will use one Directory Sync rather than having each Proxy Server associated with its own separate Directory Sync. The proxies don’t communicate with each other. The Auth Proxies will send a “heartbeat” signal to Duo every so often, and whichever one did that most recently will handle the request when it’s time to sync.

Hope that helps!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents