Offline Access using Duo for Microsoft RDP - observations


#1

Good afternoon,

I have just installed offline access to a Windows 2016 server (stand alone server) within an AWS test environment. While the test instance I have does have outgoing Internet access, I have created the NACLs to the 5 Duo subnets to emulate the real environment where there will be no Internet access. I have a few questions / my observations regarding the use of Duo in a truly offline environment:

a) The server needs to connect to the internet for the installation work? I have seen that you have to enter the API keys, etc. When it is offline, the enablement of the service cannot be achieved?

b) Follow on question from a) if the server is truly offline how can the server know how many authentications are permitted for a user/how many days the user has authenticated?

c) It appears that the server needs to be connected to the internet initially to support the activation of the users to enable them to move from online users to offline users. (I might have this wrong…)

d) I have configured the RDP server to support offline access. It does work, but there is a 15 second delay before the RDP session prompts for the offline access. It seems to imply that it is trying to communicate with the Duo servers, then fails to connect and then prompts the user. Is there a setting that can reduce this delay so it just displays the offline authentication straight away?

It might be that the environment I have in a truly offline mode is not intended for the use of Duo, as the servers I am using are within a closed network with no internet access. It might be plausible to place a proxy in, to support the outgoing traffic to the Duo servers. I would need to know about the target Duo environment, and look to implement further security controls to support the connectivity to your servers.

HTD.

Paul


#2

Hi Paul,

Thanks for your detailed observations!

You’re right, our Offline Access solution isn’t intended for a permanent offline use case.

We developed this feature in response to customers who were asking for a better option than the fail open/closed behavior the Duo application had while a system is temporarily offline (employees using their laptop while on a plane, a power outage in a data center that disrupts outbound networking, etc.).

I’ve shared your feedback about offline access with the product managers.

If you didn’t already locate this information, here are instructions for configuring Duo for Windows Logon to use an HTTP proxy just for the traffic to the Duo service.

Thanks for trying Duo!
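The 15 second delay described in #1 is consistent with the NACL silently dropping the outbound HTTPS attempt (no SYN-ACK, no RST), so the Windows Logon client waits for a timeout before falling back to the offline prompt. The following PowerShell diagnostic is an added example, not Duo's code: it times a TCP connect to the Duo API hostname on 443 and, optionally, to the HTTP proxy mentioned in #2, and reports whether the path connects, is refused, or hangs until timeout. The API hostname is a placeholder you take from your own Duo admin panel; the proxy host and port are assumptions.

```powershell
# Added diagnostic, not part of Duo's software.
# $ApiHost is a placeholder for your tenant's API hostname from the Duo admin panel.
param(
    [Parameter(Mandatory)] [string]$ApiHost,   # e.g. api-PLACEHOLDER.duosecurity.com
    [string]$ProxyHost,                        # assumed: the HTTP proxy from post #2
    [int]$ProxyPort = 3128,                    # assumed proxy port
    [int]$TimeoutMs = 5000
)

function Test-TcpReach {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN-ACK nor RST arrived: the packets are being dropped
            # (an AWS NACL deny behaves this way), which is what produces a long
            # hang before the client gives up and shows the offline prompt.
            return [pscustomobject]@{ Target = "${Target}:${Port}"; Result = 'timeout (dropped)'; Ms = $sw.ElapsedMilliseconds }
        }
        $client.EndConnect($async)
        return [pscustomobject]@{ Target = "${Target}:${Port}"; Result = 'connected'; Ms = $sw.ElapsedMilliseconds }
    } catch {
        # A prompt exception (RST, unreachable, DNS failure) fails fast instead of hanging.
        return [pscustomobject]@{ Target = "${Target}:${Port}"; Result = "failed: $($_.Exception.Message)"; Ms = $sw.ElapsedMilliseconds }
    } finally {
        $client.Close()
    }
}

# Direct path: in the closed network this is expected to time out, not fail fast.
$results = @(Test-TcpReach -Target $ApiHost -Port 443 -TimeoutMs $TimeoutMs)

# Proxy path: should connect quickly if the proxy is the intended egress for Duo traffic.
if ($ProxyHost) {
    $results += Test-TcpReach -Target $ProxyHost -Port $ProxyPort -TimeoutMs $TimeoutMs
}

$results | Format-Table -AutoSize
```

A result of "timeout (dropped)" on the direct path with an elapsed time near the timeout value confirms that the delay comes from a silent drop rather than from Duo itself; a fast "connected" on the proxy path shows the proxy is reachable from the server before you reconfigure the client to use it.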


#3

Good morning,
Thank you for your response. To aid the discussion with the customer, please can you provide details on the authentication mechanisms between the Duo server (onsite) and your Duo services. I am interested in mutual authentication, certificate pinning services, access controls and any additional information that you are able to provide that would allow me to deploy the proxy mechanism and enhance the security between my servers and your servers within the cloud.
Regards,
Paul