
Auth Proxy Construct with multiple domains and sites

LarsG1
Level 1

Hi Community,

I have a customer with multiple sites and domains. After a PoC, we are now in the process of planning the rollout across all sites. The remote sites are connected to the HQ via IPSec. Some sites have their own DC, the DC at HQ has all domains. All sites have SSL VPN (FortiGate) configured locally.

Now I am undecided on the best way to proceed in the planning.
However, the following thought has occurred to me:
The AD sync for the domains is configured at HQ. For a failure of the IPSec VPN, the DCs of the external sites are also deposited with their own AuthProxy. This is how I would create the failover security.
My question now is whether it works to store different DCs in the AD-Sync in the Admin Portal and to store the parameters (IKEY, SKEY, API key) on several AuthProxys at different locations. I have actually not tried that yet.

1 Reply

DuoKristina
Cisco Employee

Yes, you can have multiple Authentication Proxy servers and domain controllers configured with Duo AD Sync for redundancy. See these Duo Knowledge Base articles for more information:

Duo, not DUO.