<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Getting Client IP with RD Gateway and Load Balancer in Protecting Applications</title>
    <link>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880440#M2139</link>
    <description>&lt;DIV class="duo-migrated-content"&gt;&lt;P&gt;Hi All&lt;/P&gt;
&lt;P&gt;I’m currently working on a new RDS farm with Duo MFA and using HAProxy to pass connections to RD Gateway Servers.&lt;/P&gt;
&lt;P&gt;The chain is something like this:&lt;BR /&gt;
Client → HAProxy → RD-Gateway → RD-Host&lt;/P&gt;
&lt;P&gt;Everything so far is working, however I can’t figure out how to pass the original Client IP to the RD-Gateway and/or DUO.  Since all connections are identified as the proxy IP address, it’s not possible to differentiate clients or use whitelisting features.  On top of that, the DUO Push notification will always list the client location as the HAProxy’s IP address.&lt;/P&gt;
&lt;P&gt;I’ve searched all over the DUO forums as well as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Duo Doco&lt;/LI&gt;
&lt;LI&gt;HAProxy/Aloha doco&lt;/LI&gt;
&lt;LI&gt;F5 load balancer doco&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The only thing even remotely close I can find is an old post from 2016 here which went unanswered:&lt;/P&gt;&lt;ASIDE class="quote quote-modified" data-post="1" data-topic="3494"&gt;
  &lt;DIV class="title"&gt;
    &lt;A href="https://community.duo.com/t/duo-for-rds-gateway-behind-load-balancer/3494"&gt;DUO for RDS Gateway behind load balancer&lt;/A&gt;
  &lt;/DIV&gt;
  &lt;BLOCKQUOTE&gt;
    Hi, 
We are currently running an HAProxy in front of 2 RDS Gateways, and are using DUO authentication for RDS Gateway.
As expected when we connect through the HAProxy to the RDS Gateways, the client IP address isn’t forwarded, and all the clients are listed as connected with the HAProxy IP address.
This is expected.
We want to be able to forward the Client IP address to the RDS Gateway, which of course isn’t DUO’s “fault”, that it’s not happening by default.
But wanted to reach out, and hear anyon…
  &lt;/BLOCKQUOTE&gt;
&lt;/ASIDE&gt;

&lt;P&gt;Any thoughts?&lt;/P&gt;
&lt;P&gt;Cheers,&lt;/P&gt;&lt;/DIV&gt;</description>
    <pubDate>Thu, 01 Aug 2019 03:56:49 GMT</pubDate>
    <dc:creator>lateralplains</dc:creator>
    <dc:date>2019-08-01T03:56:49Z</dc:date>
    <item>
      <title>Getting Client IP with RD Gateway and Load Balancer</title>
      <link>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880440#M2139</link>
      <description>&lt;DIV class="duo-migrated-content"&gt;&lt;P&gt;Hi All&lt;/P&gt;
&lt;P&gt;I’m currently working on a new RDS farm with Duo MFA and using HAProxy to pass connections to RD Gateway Servers.&lt;/P&gt;
&lt;P&gt;The chain is something like this:&lt;BR /&gt;
Client → HAProxy → RD-Gateway → RD-Host&lt;/P&gt;
&lt;P&gt;Everything so far is working, however I can’t figure out how to pass the original Client IP to the RD-Gateway and/or DUO.  Since all connections are identified as the proxy IP address, it’s not possible to differentiate clients or use whitelisting features.  On top of that, the DUO Push notification will always list the client location as the HAProxy’s IP address.&lt;/P&gt;
&lt;P&gt;I’ve searched all over the DUO forums as well as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Duo Doco&lt;/LI&gt;
&lt;LI&gt;HAProxy/Aloha doco&lt;/LI&gt;
&lt;LI&gt;F5 load balancer doco&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The only thing even remotely close I can find is an old post from 2016 here which went unanswered:&lt;/P&gt;&lt;ASIDE class="quote quote-modified" data-post="1" data-topic="3494"&gt;
  &lt;DIV class="title"&gt;
    &lt;A href="https://community.duo.com/t/duo-for-rds-gateway-behind-load-balancer/3494"&gt;DUO for RDS Gateway behind load balancer&lt;/A&gt;
  &lt;/DIV&gt;
  &lt;BLOCKQUOTE&gt;
    Hi, 
We are currently running an HAProxy in front of 2 RDS Gateways, and are using DUO authentication for RDS Gateway.
As expected when we connect through the HAProxy to the RDS Gateways, the client IP address isn’t forwarded, and all the clients are listed as connected with the HAProxy IP address.
This is expected.
We want to be able to forward the Client IP address to the RDS Gateway, which of course isn’t DUO’s “fault”, that it’s not happening by default.
But wanted to reach out, and hear anyon…
  &lt;/BLOCKQUOTE&gt;
&lt;/ASIDE&gt;

&lt;P&gt;Any thoughts?&lt;/P&gt;
&lt;P&gt;Cheers,&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Thu, 01 Aug 2019 03:56:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880440#M2139</guid>
      <dc:creator>lateralplains</dc:creator>
      <dc:date>2019-08-01T03:56:49Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Client IP with RD Gateway and Load Balancer</title>
      <link>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880441#M2140</link>
      <description>&lt;DIV class="duo-migrated-content"&gt;&lt;P&gt;I think you would like The Duo RDG application to pass X-Forwarded-For as the client IP? This is not supported today, but you can contact your Duo account executive or customer success manager if you are working with one, or Duo Support, and ask to be added to the feature request for this.&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Fri, 02 Aug 2019 14:24:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880441#M2140</guid>
      <dc:creator>DuoKristina</dc:creator>
      <dc:date>2019-08-02T14:24:57Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Client IP with RD Gateway and Load Balancer</title>
      <link>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880442#M2141</link>
      <description>&lt;DIV class="duo-migrated-content"&gt;&lt;P&gt;Hi DuoKristina,&lt;/P&gt;
&lt;P&gt;Cheers for the response.  This is in essence what I’d like to do.  If I knew where the RDG Application derived the Client IP from then I could look into a way of munging the necessary headers to get that working.&lt;/P&gt;
&lt;P&gt;The only thing I’ve been able to discover is MS has their own ISA (Forefront) system which “somehow” achieves this functionality and passes the original client IP into the RD Gateway Manager.  However I can’t really find any documentation on the protocol or how it achieves it.&lt;BR /&gt;
Alternatively, it may work if the proxy is configured in full passthrough mode, which requires the RD Gateway server to use the proxy as its gateway, which brings a whole host of issues with it.&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Mon, 05 Aug 2019 06:27:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/protecting-applications/getting-client-ip-with-rd-gateway-and-load-balancer/m-p/4880442#M2141</guid>
      <dc:creator>lateralplains</dc:creator>
      <dc:date>2019-08-05T06:27:37Z</dc:date>
    </item>
  </channel>
</rss>

