Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2120
Views
0
Helpful
3
Replies

Network Gateway port forwarding

sean.brown
Level 1
Level 1

‎08-23-2018 06:30 AM

Looking at the documentation and network diagram at Duo Network Gateway | Duo Security It looks like only the DNG needs to communicate with the outside world and proxies requests to the SAML identity provider? Is this correct or can it be configured this way? I’m using the Duo Access Gateway as the SAML provider.

I would like to use DNG but I only have one external IP so with simple port forwarding 80/443 to the DNG I could only expose one host.

So can DNG proxy requests to the SAML provider and only require one IP for port forwarding or has anyone configured DNG and DAG behind another proxy system to work behind only one IP?

Labels:
0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎08-29-2018 01:50 PM

Hello there @sean.brown

Both the Duo Network Gateway and the Duo Access Gateway need to be accessible to your users on external networks. Primary authentication for Network Gateway happens interactively at the Access Gateway.

I suspect you might be able to get around this by publishing one of them on a different port for SSL (like move DAG to 4443 or something), but that could have other complications.

Duo, not DUO.
0 Helpful

sean.brown
Level 1
Level 1
In response to DuoKristina

‎08-31-2018 11:59 AM

I think I’m missing a location where I can change that. In DNG, under Primary Authentication > Configure SAML Identity Provider I can set Entity ID or Issuer ID, Assertion Consumer Service URL or Single Sign-On URL and Single Logout URL to https://host.domain:444 but under the access gateway Applications > Metadata I can’t change the urls.

When trying to access an application, it eventually redirects to https://host.domain/dag/module.php/cor/loginuserpass.php?BLAH - obviously without the alternate port.

I can’t see anywhere in DAG to set a master URL.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to sean.brown

‎08-31-2018 12:44 PM

Ah, by “move” I might have actually meant “redeploy it from scratch using a different port and update all your service providers”. Sorry to make that sound easier than it would actually be. You’re correct in that there isn’t just a field in your existing DAG’s admin UI to change it.

Not sure why you’re limited to just one external IP (ISP limitation?) but the easiest solution is to add another for the DNG.

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents