Re: Cisco DUO Authention Proxy HA for External Directory Sync

davion-stewart · ‎10-24-2025

Good day,

We are going to deploy DUO in the environment to protect Windows Logon and RDP.

We will be using the Authentication Proxy (AP) to sync AD users to the DUO cloud.

We are considering using 2 APs for redundancy.

Do we simply configure both APs with the same ad_client setting and have one external directory on DUO and use the settings from that or do we configure 2 external directories and assign one per AP?

Also, how would we configure the load balancer for this configuration?

Ken Stieers · ‎10-24-2025

You just configure the [Cloud] section... in fact, you don't even have to do that, when you set it up in the webpage, it will give you the option to download a preconfigured file.
If you're setting up multiple proxies, the cloud section is the same for all of them
The Duo cloud manages which one it syncs with, and you configure which AD servers it talks to in the webpage as well. No need for a load balancer for this part...

If you start authenticating against the auth proxies, then you might use an LB... or often the apps allow you to point at multiple LDAP or RADIUS servers (the Auth Proxies), so you probably don't need an LB there either.

davion-stewart · ‎10-24-2025

Ah ok got it.

I should be configuring this next week so I will definitely let you know how it works out.

DuoKristina · ‎10-27-2025

You may want to review this guide: Best practices for setting up the Duo Authentication Proxy for high availability

Duo, not DUO.