topic Re: Off-internet servers on network authenticate via proxy in Managing Users

Off-internet servers on network authenticate via proxy

pcs.dwjacobs — Thu, 16 Jun 2022 21:00:50 GMT

We have installed a DUO proxy on our network that we are using for a variety of devices. We would like our servers that exist without Internet access to perform MFA via the DUO Proxy server. The servers and the DUO Proxy server are in the same network.

Is there documentation for this use case?

Re: Off-internet servers on network authenticate via proxy

Amy2 — Wed, 22 Jun 2022 14:47:16 GMT

Hi @pcs.dwjacobs, welcome to the Duo Community! Thanks for sharing your question here with us. I understand that you’d like to use the Duo Authentication Proxy to authenticate for your servers without internet access, which are in the same network as the Auth Proxy.

There is a use case that might work for this, which sort of addresses what you are trying to accomplish. The Auth Proxy can be set up to act as an http proxy, but only for traffic to Duo.
The primary use case is when you have something like Duo Unix or an auth API integration set up on a server without internet access. With this configuration, API calls to Duo can be proxied through the Auth Proxy. The Auth Proxy itself would need to be able to reach Duo over the internet to complete authentication though. Here is the documentation for that: Authentication Proxy Reference - Duo | Duo Security

Since the Authentication Proxy communicates with Duo’s service on TCP Port 443, the Auth Proxy must always be able to reach the internet in order to complete multi-factor authentication.
I hope that helps!

Re: Off-internet servers on network authenticate via proxy

pcs.dwjacobs — Wed, 22 Jun 2022 15:57:36 GMT

Amy,

Thanks for your response. To reduce or vulnerability risks, we typically keep some Windows servers off the Internet entirely. They get licensing from a Microsoft KMS server and Windows patches from WSUS. We already have a Duo Auth Proxy on the network that we use for MFA with network appliances. The Duo Auth Proxy is connected to the Internet.

Another MFA product our company uses has an a network server that proxies authentication out to the Internet. We were considering replacing that product with Duo, but cannot until we resolve this problem.

Re: Off-internet servers on network authenticate via proxy

Amy2 — Wed, 22 Jun 2022 16:04:47 GMT

Thank you for providing some more context! That definitely makes sense.

In that case, the above documentation I linked should work for this! Let me know if you have additional questions, and I can loop one of our team members in to help.

Re: Off-internet servers on network authenticate via proxy

pcs.dwjacobs — Wed, 22 Jun 2022 18:12:14 GMT

Amy,

Thanks. I do not see a link. Perhaps it got stripped off?

Re: Off-internet servers on network authenticate via proxy

Amy2 — Wed, 22 Jun 2022 18:49:22 GMT