Windows RDP - ESET Internet Security - Firewall blocking

I deployed Windows RDP on a PC for Windows logins. I can no longer log in to that PC because traffic to the Duo server is being blocked. ESET Internet Security is installed on this PC. ESET is set to interactive mode so I normally get a pop-up showing any blocked traffic with an option to allow or block, permanently. Because the traffic is taking place before login, I do not get the ESET pop-up and the logs do not tell me exactly what is being blocked. I cannot tell if it is an exe, ps1, a specific port, etc.

I have already unregistered the Duo DLLs so that I can once again log in to the PC. Is there any way to initiate or simulate the traffic to the Duo server after I’m logged in? If this can be done, I will get an ESET pop-up and be able to determine exactly what is being blocked and create a rule to allow the traffic or whatever it is that ESET is blocking.

Ah, I misunderstood. You want to create an allowlist for the program itself.

The DLL for the Duo logon credential provider would be C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll, but the actual process that calls the Duo provider might be winlogon.exe, logonui.exe, or lsass.exe.

That’s a good question and if those suggestions don’t help I’d suggest contacting Duo support.

Also, how often does the IP change?

Whenever we need to change it to maintain availability, which is why we don’t recommend firewall rules that use the resolved IP address instead of the API hostname.

Thank you.

I did try that but so far, the only workaround is to create a broad firewall rule that is not application specific. I have to allow all traffic out to the IP of the Duo API hostname so I am getting closer. If I try to limit the traffic to that IP so that only traffic originating from PowerShell is allowed, it fails. Any ideas? Is the actual pre-login traffic from Duo originating from PowerShell or does Duo use something else to ping the API server?

Also, how often does the IP change?

Thanks again!

Below is the rule that I am currently using:

ESET is a packet firewall so it can only deal with IP addresses, not domain names. This is going to be a problem if the Duo API server IP address changes because the only way that I will be able to log in to the PC is by first rebooting into Safe Mode and disabling Duo.

I’m surprised this firewall issue hasn’t come up before.

Our service experiences 99.99% availability and one of the reasons for that is the flexibility of our cloud service architecture.

I’m surprised this firewall issue hasn’t come up before.

It does come up for some customers who use firewalls that rely on IP addresses, which is why we make the IP address information for API hosts available with the warning that IP addresses may change to maintain service availability.

The Guide to Business Continuity has some strategies for managing service connectivity issues. You may consider enabling Offline Access for Windows Logon as a mitigation too.
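An added diagnostic script (not from this thread, Duo or ESET) covering two points raised above: generating traffic to the API hostname after login so ESET's interactive mode can prompt, and detecting when the hostname no longer resolves to the IP baked into the packet-filter rule. The API hostname and rule IP are placeholders to replace with your own values.

```powershell
# Added example, not from the thread or from Duo/ESET. Run after logging in to
# (a) resolve the Duo API hostname, (b) compare the answer with the IP(s) in the
# ESET packet-filter rule, and (c) open a TCP connection to port 443 so the
# firewall sees the traffic and can prompt interactively.
# Placeholders: the hostname and rule IPs below are illustrative only.
param(
    [string]   $ApiHost = 'api-XXXXXXXX.duosecurity.com',  # your Duo API hostname
    [string[]] $RuleIps = @('203.0.113.10'),              # IP(s) currently in the ESET rule
    [int]      $Port    = 443
)

function Get-ApiHostIps {
    param([string]$HostName)
    # Return only A records; CNAME entries also appear in the answer set.
    Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

function Compare-RuleIps {
    param([string[]]$Resolved, [string[]]$Rule)
    # Any resolved address missing from the rule will be blocked before login.
    $missing = @($Resolved | Where-Object { $Rule -notcontains $_ })
    [pscustomobject]@{
        Resolved = $Resolved
        Missing  = $missing
        Drifted  = ($missing.Count -gt 0)
    }
}

$resolved = Get-ApiHostIps -HostName $ApiHost
$result   = Compare-RuleIps -Resolved $resolved -Rule $RuleIps
$result | Format-List

if ($result.Drifted) {
    Write-Warning "API host now resolves to addresses not in the ESET rule: $($result.Missing -join ', ')"
    Write-Warning "Update the rule before the next logoff, or enable Offline Access as a fallback."
}

# Generate outbound traffic to the API host so ESET's interactive mode can show
# what is involved. As the thread notes, pre-login traffic may come from a logon
# process rather than powershell.exe, so an application-specific rule that
# matches this test may still not match at the logon screen.
Test-NetConnection -ComputerName $ApiHost -Port $Port -InformationLevel Detailed
```

Scheduling this after each login gives early warning of a resolved-IP change while a session is still open to fix the rule.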