Multiple authentication proxies and with AD via LDAPS port 636


I have an intention to have duo clients spread across different domains for the same directory. Sync of this directory will be done centrally in one place, while as there will be several authenticators distributed on different locations. Transport to MS AD will be via LDAPS port 636.
In the proxy documentation I saw that port setting can be used, but it doesn’t seem to allow to use port 636 solely for the authentication backend purposes. I use the same ikey to have several clients connecting to the same service.
Is this configuration supported, or I should do something else?


Hi @Blade1024, let me see if I can help you! First, I need a little more information.

Are the domains in a parent/child relationship in the same forest? For ex:
Parent domain =
Child domain =

If they are, you can sync them using the Global Catalog Port. Please note you’ll have to use one of the Global Catalog ports numbers instead of the standard LDAP 389 or LDAPS 636 port number. More instructions on how to sync an entire forest using Active Directory Sync can be found in the help article linked here.

If you wish to sync users from different domains that are not in a parent/child relationship (even if they are in the same forest), you will need a separate Directory Sync configured for each of these domains.

If you want to authenticate RADIUS or LDAP applications against domains in different forests, you have to create a separate [ad_client] section for each forest domain and then create a separate radius_server or ldap_server application sections for each domain.

Hope that helps! Let me know if you have additional questions, and be sure to check out the help articles for more info: