Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
972
Views
0
Helpful
5
Replies

Off-internet servers on network authenticate via proxy

pcs.dwjacobs
Level 1
Level 1

‎06-16-2022 02:00 PM

We have installed a DUO proxy on our network that we are using for a variety of devices. We would like our servers that exist without Internet access to perform MFA via the DUO Proxy server. The servers and the DUO Proxy server are in the same network.

Is there documentation for this use case?

0 Helpful
5 Replies 5

Amy2
Level 5
Level 5

‎06-22-2022 07:47 AM

Hi @pcs.dwjacobs, welcome to the Duo Community! Thanks for sharing your question here with us. I understand that you’d like to use the Duo Authentication Proxy to authenticate for your servers without internet access, which are in the same network as the Auth Proxy.

There is a use case that might work for this, which sort of addresses what you are trying to accomplish. The Auth Proxy can be set up to act as an http proxy, but only for traffic to Duo.
The primary use case is when you have something like Duo Unix or an auth API integration set up on a server without internet access. With this configuration, API calls to Duo can be proxied through the Auth Proxy. The Auth Proxy itself would need to be able to reach Duo over the internet to complete authentication though. Here is the documentation for that: Authentication Proxy Reference - Duo | Duo Security

Since the Authentication Proxy communicates with Duo’s service on TCP Port 443, the Auth Proxy must always be able to reach the internet in order to complete multi-factor authentication.
I hope that helps!

0 Helpful

pcs.dwjacobs
Level 1
Level 1
In response to Amy2

‎06-22-2022 08:57 AM

Amy,

Thanks for your response. To reduce or vulnerability risks, we typically keep some Windows servers off the Internet entirely. They get licensing from a Microsoft KMS server and Windows patches from WSUS. We already have a Duo Auth Proxy on the network that we use for MFA with network appliances. The Duo Auth Proxy is connected to the Internet.

Another MFA product our company uses has an a network server that proxies authentication out to the Internet. We were considering replacing that product with Duo, but cannot until we resolve this problem.

2X_5_5405953d8d6abe1ae201c9716132ed5c4b3b629f.png

2X_a_a7462d8032b3c64183cba9814baf6141196c6bcd.png

0 Helpful

Amy2
Level 5
Level 5
In response to pcs.dwjacobs

‎06-22-2022 09:04 AM

Thank you for providing some more context! That definitely makes sense.

In that case, the above documentation I linked should work for this! Let me know if you have additional questions, and I can loop one of our team members in to help.

0 Helpful

pcs.dwjacobs
Level 1
Level 1
In response to Amy2

‎06-22-2022 11:12 AM

Amy,

Thanks. I do not see a link. Perhaps it got stripped off?

2X_5_5405953d8d6abe1ae201c9716132ed5c4b3b629f.png

2X_a_a7462d8032b3c64183cba9814baf6141196c6bcd.png

0 Helpful

Amy2
Level 5
Level 5
In response to pcs.dwjacobs

‎06-22-2022 11:49 AM

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents