In our environment we restrict all incoming and outgoing internet to a server we want to protect. DUO for RDP works perfectly to restrict logons but we need to determine what IP addresses we need to enable on the host firewall (Win 2012 R2) to call home to DUO.
I would direct you to Duo IPs listed in Duo’s KB article 1337 (https://help.duo.com/s/article/1337?language=en_US).
I would recommend to whitelist source/dest. IP pairs over port 443 protocol HTTPS to allow the endpoint Windows 2012 systems to communicate to your org.'s Duo SaaS tenant.
If you are still encountering issues after that I would reach out to your account representative or support to troubleshoot at that point.
Hopefully the above helps.