I have just installed offline access on a Windows 2016 server (stand-alone server) within an AWS test environment. While the test instance I have does have outgoing Internet access, I have created the NACLs to the 5 Duo subnets to emulate the real environment, where there will be no Internet access. I have a few questions / observations regarding the use of Duo in a truly offline environment:
a) Does the server need to connect to the Internet for the installation work? I have seen that you have to enter the API keys, etc. When it is offline, can the enablement of the service not be achieved?
b) Follow-on question from a): if the server is truly offline, how can the server know how many authentications are permitted for a user / how many days the user has authenticated?
c) It appears that the server needs to be connected to the Internet initially to support the activation of the users, to enable them to move from online users to offline users. (I might have this wrong…)
d) I have configured the RDP server to support offline access. It does work, but there is a 15-second delay before the RDP session prompts for the offline access. It seems to imply that it is trying to communicate with the Duo servers, then fails to connect and then prompts the user. Is there a setting that can reduce this delay so it just displays the offline authentication straight away?
It might be that the environment I have in a truly offline mode is not intended for the use of Duo, as the servers I am using are within a closed network with no Internet access. It might be plausible to place a proxy in to support the outgoing traffic to the Duo servers. I would need to know about the target Duo environment, and look to implement further security controls to support the connectivity to your servers.
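Added example, not part of the original post or of Duo's own tooling: a PowerShell check that measures how long an outbound connection attempt from the Windows server to the Duo API host takes, to confirm whether the delay seen before the offline prompt is a network timeout (a SYN dropped by the NACL, versus an immediate DNS or "no route" failure), and a second function that tries the same host through an egress proxy. The API hostname, proxy host and proxy port below are placeholders and must be replaced with the values from the Duo Admin Panel and the real environment; the 15 000 ms timeout is taken from the delay described in the post.

```powershell
# Added example: measure egress to the Duo API host from this server and,
# optionally, test the same host through an HTTP proxy.
# ASSUMPTIONS (placeholders, not from the post): the API hostname, the proxy
# host and the proxy port. Replace them with the real values before running.

function Test-DuoEgress {
    # Attempts a TCP connect to $HostName:$Port and reports how long it took.
    # A dropped SYN (blocked NACL, no route) shows up as "Connected = False"
    # with ElapsedMs close to $TimeoutMs; a DNS failure returns almost at once.
    param(
        [string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 15000
    )
    $result = [ordered]@{
        Host = $HostName; Port = $Port; Resolved = $false
        Connected = $false; ElapsedMs = 0; Error = $null
    }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # DNS first: in a closed network the resolver itself may fail.
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName)
        $result.Resolved = ($addrs.Count -gt 0)

        # Asynchronous connect so we control the timeout ourselves.
        $iar = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($iar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($iar)
            $result.Connected = $client.Connected
        } else {
            $result.Error = "connect timed out after $TimeoutMs ms (consistent with a blocked NACL)"
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $sw.Stop()
        $client.Close()
        $result.ElapsedMs = $sw.ElapsedMilliseconds
    }
    return [pscustomobject]$result
}

function Test-DuoViaProxy {
    # Sends an HTTPS request to the Duo Auth API liveness endpoint through an
    # explicit HTTP proxy, which is the "place a proxy in" option from the post.
    param(
        [string]$HostName,
        [string]$ProxyHost,   # assumed placeholder
        [int]$ProxyPort,      # assumed placeholder
        [int]$TimeoutSec = 15
    )
    try {
        $resp = Invoke-WebRequest -Uri "https://$HostName/auth/v2/ping" `
            -Proxy "http://${ProxyHost}:$ProxyPort" `
            -UseBasicParsing -TimeoutSec $TimeoutSec
        return [pscustomobject]@{ Reachable = $true; Status = $resp.StatusCode; Error = $null }
    } catch {
        return [pscustomobject]@{ Reachable = $false; Status = $null; Error = $_.Exception.Message }
    }
}

# Usage (placeholders): run directly, then with the NACL in place, and compare ElapsedMs.
$duoHost = 'api-xxxxxxxx.duosecurity.com'   # assumed placeholder
Test-DuoEgress -HostName $duoHost -TimeoutMs 15000 | Format-List
Test-DuoViaProxy -HostName $duoHost -ProxyHost 'proxy.internal.example' -ProxyPort 3128 | Format-List
```

If the direct check reports `Connected = False` with `ElapsedMs` near the 15 000 ms timeout, the delay before the offline prompt is the server waiting on a dropped connection; if it fails in a few milliseconds instead, DNS or routing is rejecting the request outright. The proxy check only proves that HTTPS reaches the Duo API host through the proxy; it says nothing about whether the Duo client on the server has been configured to use that proxy.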