Network Gateway port forwarding


#1

Looking at the documentation and network diagram at Duo Network Gateway | Duo Security It looks like only the DNG needs to communicate with the outside world and proxies requests to the SAML identity provider? Is this correct or can it be configured this way? I’m using the Duo Access Gateway as the SAML provider.

I would like to use DNG but I only have one external IP so with simple port forwarding 80/443 to the DNG I could only expose one host.

So can DNG proxy requests to the SAML provider and only require one IP for port forwarding or has anyone configured DNG and DAG behind another proxy system to work behind only one IP?


#2

Hello there @sean.brown

Both the Duo Network Gateway and the Duo Access Gateway need to be accessible to your users on external networks. Primary authentication for Network Gateway happens interactively at the Access Gateway.

I suspect you might be able to get around this by publishing one of them on a different port for SSL (like move DAG to 4443 or something), but that could have other complications.


#3

I think I’m missing a location where I can change that. In DNG, under Primary Authentication > Configure SAML Identity Provider I can set Entity ID or Issuer ID, Assertion Consumer Service URL or Single Sign-On URL and Single Logout URL to https://host.domain:444 but under the access gateway Applications > Metadata I can’t change the urls.

When trying to access an application, it eventually redirects to https://host.domain/dag/module.php/cor/loginuserpass.php?BLAH - obviously without the alternate port.

I can’t see anywhere in DAG to set a master URL.


#4

Ah, by “move” I might have actually meant “redeploy it from scratch using a different port and update all your service providers”. Sorry to make that sound easier than it would actually be. You’re correct in that there isn’t just a field in your existing DAG’s admin UI to change it.

Not sure why you’re limited to just one external IP (ISP limitation?) but the easiest solution is to add another for the DNG.