Duo Network Gateway

Duo Network Gateway allows your users to access your on-premises websites, web applications, and SSH servers without having to worry about managing VPN credentials, while also adding login security with the Duo Prompt.

Overview

With Duo Network Gateway your users can securely access your internal web applications from any device, using any browser, from anywhere in the world, without having to install or configure remote access software on their device. Users can also remotely SSH to configured hosts through Duo Network Gateway after installing Duo's connectivity tool, providing server access without a VPN.

Users first authenticate to Duo Network Gateway and approve a two-factor authentication request before they may access your different protected services. Session awareness minimizes repeated MFA prompts as users access additional services and hosts via your gateway.

Duo Network Gateway gives you granular access control per web application, set of SSH servers, and user groups. You can specify different policies to make sure only trusted users and endpoints are able to access your internal services. For example, you can require that SharePoint users complete two-factor authentication at every login, but only once every seven days when accessing Confluence. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Application Access with Duo Network Gateway

Duo Network Gateway is part of the Duo Beyond plan.

Installation Overview Video

This video demonstrates the process of deploying Duo Network Gateway and using it to publish an internal web site for protected external access.

Prerequisites

Before you deploy the Duo Network Gateway, make sure to complete these requirements.

Deploy a SAML IdP

Duo Network Gateway requires a SAML 2.0 Identity Provider to use as its primary authentication source. You can use the Duo Access Gateway or another provider such as AD FS, OneLogin, or Okta.

Deploy a DMZ Server

  • Deploy a physical or virtual modern 64-bit Linux server in your perimeter network (or DMZ).

The size of your Duo Network Gateway server for web applications should be based on the requests per second (RPS) of traffic you expect it to handle.

Learn more about how the Duo Network Gateway was performance tested by reading the How much traffic can the Duo Network Gateway handle? knowledge base article.

Requests per second | Processor Cores | Memory | Disk Storage
--------------------|-----------------|--------|-------------
400 RPS             | 1 core          | 2 GB   | 20 GB
800 RPS             | 2 cores         | 4 GB   | 20 GB
1800 RPS            | 4 cores         | 16 GB  | 20 GB
3500 RPS            | 8 cores         | 32 GB  | 20 GB
4500 RPS            | 16 cores        | 64 GB  | 20 GB

Sizing recommendations based on SSH connections and megabytes per second of throughput for the Duo Network Gateway:

Maximum SSH Connections | Throughput | Processor Cores | Memory | Disk Storage
------------------------|------------|-----------------|--------|-------------
8000                    | 35 MB/s    | 1 core          | 2 GB   | 20 GB
8000                    | 55 MB/s    | 2 cores         | 4 GB   | 20 GB

Additional hardware does not increase connections or throughput.

  • Open ports 80 and 443 in the perimeter firewall for HTTP and HTTPS external traffic to and from the server.
  • Port 8443 will be used for administrative purposes. Restrict traffic to this port to only authorized networks.
  • Allow the Duo Network Gateway server to communicate with your internal web applications via HTTP or HTTPS using the same ports as your internal application.
  • Allow the Duo Network Gateway server to communicate with your SSH servers over the SSH port they are configured to listen on.
  • Create an Internet resolvable fully qualified DNS entry for external access (e.g. yourserver.example.com).
  • Purchase an SSL certificate for your server from a commercial certificate authority (CA), using the fully qualified DNS name of your Duo Network Gateway server as the common name (e.g. yourserver.example.com). You may also use a wildcard SSL certificate. If you don't want to purchase a certificate you'll have the opportunity to generate a free, automatically renewing certificate from Let's Encrypt later during Network Gateway setup.

Install Docker

Docker is a tool that allows Duo Network Gateway to run inside its own self-contained environment, called a “container”, on top of your host operating system.

Click one of the tabs below to view Docker installation instructions for your Linux platform.

CentOS 7

These directions will walk you through installing the free Docker Community Edition for CentOS.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Docker requires a 64-bit operating system. Please verify your installation of CentOS is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    3.10.0-327.el7.x86_64
  3. Install yum-utils on your server. Type:
    sudo yum install -y yum-utils
  4. Add the Docker repository to your yum repository by typing:
    sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    The output should be similar to:
    Loaded plugins: fastestmirror
    adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
    grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
    repo saved to /etc/yum.repos.d/docker-ce.repo
  5. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo yum makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  6. Install wget by typing:
    sudo yum install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  7. Install Docker by typing:
    sudo yum install -y docker-ce
    When Docker is finished installing you should see output similar to:
    Complete!
  8. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  9. Start the Docker daemon by typing:
    sudo systemctl start docker
  10. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  11. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  12. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  13. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Fedora 25

These directions will walk you through installing the free Docker Community Edition for Fedora.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Docker requires a 64-bit operating system. Please verify your installation of Fedora is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    4.8.16-300.fc25.x86_64
  3. Install dnf-plugins-core on your server. Type:
    sudo dnf -y install dnf-plugins-core
  4. Add the Docker repository to your dnf repository by typing:
    sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
    The output should be similar to:
    Adding repo from: https://download.docker.com/linux/fedora/docker-ce.repo
  5. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo dnf makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  6. Install wget by typing:
    sudo dnf install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  7. Install Docker by typing:
    sudo dnf install -y docker-ce
    When Docker is finished installing you should see output similar to:
    Complete!
  8. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  9. Start the Docker daemon by typing:
    sudo systemctl start docker
  10. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  11. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  12. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  13. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Ubuntu 16.04

These directions will walk you through installing the free Docker Community Edition for Ubuntu.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Add the official Docker repository GPG keys to your server by typing:
    wget -O- "https://download.docker.com/linux/ubuntu/gpg" | sudo apt-key add -
    You should see output similar to:
    --2017-05-18 21:49:26--  https://download.docker.com/linux/ubuntu/gpg
    Resolving download.docker.com (download.docker.com)... 54.192.192.40, 54.192.192.99, 54.192.192.116, ...
    Connecting to download.docker.com (download.docker.com)|54.192.192.40|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3817 (3.7K) [binary/octet-stream]
    Saving to: ‘STDOUT’
    
    -                                 100%[==========================================================>]   3.73K  --.-KB/s    in 0s      
    
    2017-05-18 21:49:26 (956 MB/s) - written to stdout [3817/3817]
    
    OK
  3. Add the Docker repository to your APT sources by typing:
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  4. Update your package database by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  5. Install Docker by typing:
    sudo apt-get install -y docker-ce
    You should see output similar to:
    Setting up cgroupfs-mount (1.2) ...
    Setting up libltdl7:amd64 (2.4.6-0.1) ...
    Setting up docker-engine (1.12.3-0~xenial) ...
    Processing triggers for libc-bin (2.23-0ubuntu3) ...
    Processing triggers for systemd (229-4ubuntu11) ...
    Processing triggers for ureadahead (0.100.0-19) ...
  6. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  7. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  8. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  9. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Debian 8.0

These directions will walk you through installing the free Docker Community Edition for Debian.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Update your package database by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  3. Ensure that APT works with HTTPS and that CA certificates are installed. Type:
    sudo apt-get install -y apt-transport-https ca-certificates gnupg2 software-properties-common
    You should see output similar to:
    Processing triggers for libc-bin (2.19-18+deb8u7) ...
    Processing triggers for systemd (215-17+deb8u6) ...
    Processing triggers for dbus (1.8.22-0+deb8u1) ...
  4. Add the official Docker repository GPG keys to your server by typing:
    wget -O- "https://download.docker.com/linux/ubuntu/gpg" | sudo apt-key add -
    You should see output similar to:
    Resolving download.docker.com (download.docker.com)... 54.192.192.196, 54.192.192.15, 54.192.192.26, ...
    Connecting to download.docker.com (download.docker.com)|54.192.192.196|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3817 (3.7K) [binary/octet-stream]
    Saving to: ‘STDOUT’
    
    -                                                           100%[===========================================================================================================================================>]   3.73K  --.-KB/s   in 0s     
    
    2017-05-19 12:07:50 (374 MB/s) - written to stdout [3817/3817]
    
    OK
  5. Add the Docker repository to your APT sources by typing:
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  6. Update your package database again by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  7. Install Docker by typing:
    sudo apt-get install docker-ce
    When the install is finished, you should see output similar to:
    Processing triggers for systemd (215-17+deb8u6) ...
    Processing triggers for initramfs-tools (0.120+deb8u2) ...
    update-initramfs: Generating /boot/initrd.img-3.16.0-4-amd64
    Processing triggers for dbus (1.8.22-0+deb8u1) ...
  8. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  9. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  10. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  11. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Red Hat Enterprise Linux 7

Using Red Hat Enterprise Linux requires a paid subscription of Docker Enterprise Edition for Red Hat Enterprise Linux.
  1. Log into your Docker subscriptions page.
  2. Click the Setup button for Docker Enterprise Edition for Red Hat Enterprise Linux.
  3. On the "Setup" page make note of the URL for your subscription located under Copy and paste this URL to download your Edition. We will reference this URL later as <DOCKERURL>.

    Example: https://storebits.docker.com/ee/rhel/sub-12345-abcd-4a33-bd73-1b123c45a6b7
  4. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  5. Docker requires a 64-bit operating system. Please verify your installation of Red Hat Enterprise Linux is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    3.10.0-327.el7.x86_64
  6. Store the Docker subscription URL in a yum variable by typing:
    sudo sh -c 'echo "<DOCKERURL>" > /etc/yum/vars/dockerurl'
  7. Store the Red Hat major version in a yum variable by typing:
    sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
  8. Install yum-utils on your server. Type:
    sudo yum install -y yum-utils
  9. Add the Docker repository to your yum repository by typing:
    sudo yum-config-manager --add-repo <DOCKERURL>/docker-ee.repo
    The output should be similar to:
    repo saved to /etc/yum.repos.d/docker-ee.repo
  10. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo yum makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  11. Install wget by typing:
    sudo yum install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  12. Install Docker by typing:
    sudo yum install -y docker-ee
    When Docker is finished installing you should see output similar to:
    Complete!
  13. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  14. Start the Docker daemon by typing:
    sudo systemctl start docker
  15. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  16. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  17. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  18. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

SUSE Enterprise Linux 12

Using SUSE Enterprise Linux requires a paid subscription of Docker Enterprise Edition for SUSE Enterprise Linux Server.
  1. Log into your Docker subscriptions page.
  2. Click the Setup button for Docker Enterprise Edition for SUSE Enterprise Linux Server.
  3. On the "Setup" page make note of the URL for your subscription located under Copy and paste this URL to download your Edition. We will reference this URL later as <DOCKERURL>.

    Example: https://storebits.docker.com/ee/sles/sub-12345-abcd-4a33-bd73-1b123c45a6b7
  4. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  5. Docker requires a 64-bit operating system. Please verify your installation of SUSE Enterprise Linux is 64-bit by typing:
    uname -a
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    (42e0a66) x86_64 x86_64 x86_64 GNU/Linux
  6. Add the required repository to your server by typing:
    sudo zypper addrepo <DOCKERURL>/12.3/x86_64/stable-17.03 docker-ee-stable
    The output should be similar to:
    Adding repository 'docker-ee-stable' ..........................................................................................[done]
    Repository 'docker-ee-stable' successfully added
  7. Import the repository GPG key by typing:
    sudo rpm --import <DOCKERURL>/gpg
  8. Refresh the zypper package index by typing:
    sudo zypper refresh
  9. Install Docker by typing:
    sudo zypper -y install docker-ee
    The output should be similar to:
    (5/5) Installing: docker-ee-17.03.1.ee.3-1.x86_64 .............................................................................[done]
  10. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  11. Start the Docker daemon by typing:
    sudo service docker start
  12. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  13. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  14. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  15. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Install Docker Compose

  1. Download Docker Compose by typing:
    wget -O- "https://github.com/docker/compose/releases/download/1.16.1/docker-compose-$(uname -s)-$(uname -m)" > ./docker-compose
    You should see output similar to:
    Saving to: ‘STDOUT’
    100%[===========================================================================================================>] 7,986,086   43.9MB/s   in 0.2s   
    2016-12-22 13:32:15 (43.9 MB/s) - written to stdout [7986086/7986086]
  2. Change the permissions on Docker Compose to allow you to execute the file by typing:
    chmod +x ./docker-compose
  3. Move Docker Compose to your local bin folder by typing:
    sudo mv ./docker-compose  /usr/local/bin/
  4. Verify Docker Compose is working by typing:
    docker-compose --version
    You should see text similar to:
    docker-compose version 1.16.1, build 6d1ac21

Install Duo Network Gateway

  1. Download the Duo Network Gateway YML file and save it to your Duo Network Gateway server. Download the YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1.yml’
    network-gateway-1.4.1.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1.yml’ saved [1194/1194]
    

    Make note of the actual file name that was saved; you'll need it in later steps. View checksums for Duo downloads here.

    Save this YML file in a persistent directory; you will need it again whenever you deploy, update, or otherwise interact with your Duo Network Gateway server.

  2. The following command instructs Docker Compose to download Duo Network Gateway and install it. Specify the YML file downloaded in the last step in the command. Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

    Type:

    docker-compose -p network-gateway -f network-gateway-1.4.1.yml up -d

    This may take a few minutes. Once completed the text output will be similar to:

    Creating network-gateway-redis
    Creating network-gateway-admin
    Creating network-gateway-portal
  3. You can verify that your Duo Network Gateway containers are running by typing:

    docker ps

    You should see output showing all 3 containers with a status of "up" similar to:

    CONTAINER ID        IMAGE                                                                                                 COMMAND                  CREATED             STATUS              PORTS                                      NAMES
    3aea70b8e1a8        duosecurity/network-gateway@sha256:36b1e3a4198c9a386830599e64c99b181095f70cdb6e42e216031377a1c83155   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   network-gateway-portal
    8c63f6a2aa2a        duosecurity/network-gateway@sha256:9277bf641f0d74cbd26914bda8257fc14fb9c7ec10b026a1cb1bc49326578375   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:8443->443/tcp                      network-gateway-admin
    f04e00161738        duosecurity/network-gateway@sha256:f8d671839cd408dd0e97cae7333054074c80a5eaf23afdefd10f00e666a4928f   "docker-entrypoint.sh"   4 minutes ago       Up 4 minutes        6379/tcp                                   network-gateway-redis
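The listing above shows the admin container publishing port 8443 on 0.0.0.0, which the prerequisites say must be limited to authorized networks. The script below is an added example, not Duo's code: it audits a `docker ps` listing for unexpected or all-interface host ports and emits the iptables rule that restricts the admin port. It matters that Docker publishes ports with DNAT and its own FORWARD-chain rules, so host INPUT rules (firewalld zones, ufw) do not filter them; the supported hook is the DOCKER-USER chain. The sample listing, the admin network 10.20.0.0/16 and the interface eth0 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from Duo: audit the host ports the gateway's
# containers publish and emit the firewall rule that limits the admin
# port (8443) to an administrative network, as the prerequisites require.
# Docker implements published ports with DNAT plus its own FORWARD-chain
# rules, so host INPUT rules (firewalld zones, ufw) do not filter them;
# the supported hook is the DOCKER-USER chain, which Docker evaluates
# before its own rules and never rewrites.

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'`,
# mirroring the container listing shown in the install steps.
SAMPLE_PS='network-gateway-portal 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
network-gateway-admin 0.0.0.0:8443->443/tcp
network-gateway-redis 6379/tcp'

# Audit one docker ps listing: flag host ports outside {80, 443, admin}
# and an admin port bound on every interface. Exit 1 if anything is found.
audit_ports() {
  printf '%s\n' "$1" | awk -v admin_port="${2:-8443}" '
    BEGIN { allowed["80"] = 1; allowed["443"] = 1; allowed[admin_port] = 1; bad = 0 }
    {
      for (i = 2; i <= NF; i++) {
        if (split($i, m, "->") != 2) continue   # "6379/tcp": exposed, not published
        n = split(m[1], a, ":")                  # last field is the host port
        port = a[n]
        addr = substr(m[1], 1, length(m[1]) - length(port) - 1)
        if (!(port in allowed)) {
          printf "%s publishes unexpected host port %s\n", $1, port; bad = 1
        }
        if (port == admin_port && (addr == "0.0.0.0" || addr == "::" || addr == "[::]")) {
          printf "%s binds admin port %s on all interfaces; restrict it in DOCKER-USER\n", $1, port; bad = 1
        }
      }
    }
    END { exit bad }'
}

# Emit the rule that drops connections to the admin port unless they come
# from ADMIN_CIDR via EXT_IF. DOCKER-USER sees the packet after Docker's
# DNAT, when the destination is already the container port (443 here),
# so match the original destination port via conntrack, not --dport 8443.
docker_user_rules() {
  admin_cidr=$1; ext_if=$2; admin_port=${3:-8443}
  printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL ! -s %s -j DROP\n' \
    "$ext_if" "$admin_port" "$admin_cidr"
}

# Demo on the constructed sample: the audit fails (admin port on every
# interface), so print the remediation for the assumed admin network.
audit_ports "$SAMPLE_PS" || docker_user_rules 10.20.0.0/16 eth0
```

On a live host, feed the function the real listing: `audit_ports "$(docker ps --format '{{.Names}} {{.Ports}}')"`.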

Configure Duo Network Gateway

Duo Network Gateway can be configured using the Admin UI by following the directions below or by using scripted configuration which allows you to configure Duo Network Gateway with a configuration file.

Initial Duo Network Gateway Configuration

  1. In a browser navigate to https://URL-OF-NETWORK-GATEWAY:8443 from an internal network to log into the Duo Network Gateway admin console. Your browser will warn you about an untrusted certificate the first time you access the page. Dismiss the warning and continue on to the page.

  2. The first page of the Duo Network Gateway setup screen will ask you to choose a password for the Duo Network Gateway admin console. Once you've entered a password that meets the requirements, click Save and Continue.

    Duo Network Gateway Initial Set Admin Password page

  3. On the "Make Duo Network Gateway visible to the internet" page fill in the following fields. You can also click the "Already have a Duo Network Gateway configuration file? Import it now." link to restore settings from a backup.

    Option      | Description
    ------------|------------
    Admin Email | Enter the e-mail address of an administrator who can be contacted if there is an issue. Currently this address is only contacted when there are issues renewing the automatically generated certificates.
    Hostname    | Enter the fully-qualified external domain name (FQDN) of the server. This FQDN must be resolvable from the Internet (e.g. portal.example.com).
  4. If you will be supplying your own SSL certificate click Change Certificate to select Provide my own certificate. Configure the certificate using the table below and skip step 5. If you would like to automatically generate certificates, skip this step and proceed to step 5.

    Option      | Description
    ------------|------------
    Certificate | Upload the certificate file you purchased earlier for the Duo Network Gateway server. The certificate should be Base64-encoded X.509 (pem, cer, or crt) and include the entire certificate bundle, ordered from top to bottom: server certificate, issuing or intermediate certificates, then root certificate.
    Private Key | Upload the private key file that belongs to the certificate you purchased earlier for the Duo Network Gateway server. The private key should be formatted as Base64-encoded X.509 (pem, cer, or crt).

    Duo Network Gateway Initial Set Hostname Page

    If any information is entered incompletely or incorrectly, or this initial configuration fails to save, you'll need to re-enter all of it before proceeding, including the certificate and key selection.
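Because a rejected upload means re-entering the whole form, it pays to check the bundle and key before step 4. The script below is an added example, not Duo's code: its format checks (PEM rather than DER, full chain present, a plain PEM key rather than a certificate or passphrase-protected key) use only POSIX tools, and its chain checks (each certificate issued by the next, first certificate covering the hostname, key matching the first certificate) use openssl when present. The file names bundle.pem and private.key and the hostname portal.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not code from Duo: pre-flight checks on the certificate
# bundle and private key before they are uploaded in step 4, so that a
# wrong file does not force the whole form to be re-entered. The format
# checks need only POSIX tools; the chain and key checks use openssl
# when it is installed.

# Number of PEM certificate blocks in a file (prints 0, never fails).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Format checks implied by the table above: Base64 PEM rather than DER,
# a full bundle (server certificate plus issuing and root CAs), and a
# plain PEM private key rather than a certificate or a passphrase-
# protected key. Prints one line per finding; exit 0 when all is well.
check_bundle_format() {
  bundle=$1; key=$2; bad=0
  if ! grep -q -- '^-----BEGIN CERTIFICATE-----' "$bundle"; then
    echo "bundle: no PEM certificate block (convert DER with: openssl x509 -inform der -in cert.cer -out cert.pem)"
    bad=1
  fi
  n=$(pem_cert_count "$bundle")
  if [ "$n" -lt 2 ]; then
    echo "bundle: only $n certificate block(s); append the intermediate and root CA certificates after the server certificate"
    bad=1
  fi
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$key"; then
    echo "key: file holds a certificate, not a private key (files swapped?)"
    bad=1
  elif ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
    echo "key: no PEM private key block found"
    bad=1
  elif grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$key"; then
    echo "key: passphrase-protected; export a plain PEM key first (openssl pkey -in enc.key -out plain.key)"
    bad=1
  fi
  return $bad
}

# Chain checks with openssl: each certificate must be issued by the one
# after it (server, intermediates, root), the first certificate must
# cover the gateway hostname, and the key must belong to that certificate.
check_bundle_chain() {
  bundle=$1; key=$2; host=$3; bad=0
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; chain checks skipped"; return 0; }
  dir=$(mktemp -d)
  # Split the bundle into $dir/cert.1, $dir/cert.2, ... in file order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { i++ } i { print > (d "/cert." i) }' "$bundle"
  n=$(pem_cert_count "$bundle"); i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -in "$dir/cert.$i")
    subject=$(openssl x509 -noout -subject -in "$dir/cert.$j")
    # Strip the "issuer=" / "subject=" labels and compare the DN text.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "bundle: certificate $i is not issued by certificate $j; order must be server, intermediates, root"
      bad=1
    fi
    i=$j
  done
  if ! openssl x509 -noout -checkhost "$host" -in "$dir/cert.1" | grep -q 'does match'; then
    echo "bundle: first certificate does not cover $host"
    bad=1
  fi
  # The public key derived from the private key must equal the leaf's public key.
  if [ "$(openssl x509 -noout -pubkey -in "$dir/cert.1")" != \
       "$(openssl pkey -pubout -in "$key" 2>/dev/null </dev/null)" ]; then
    echo "key: does not match the first certificate"
    bad=1
  fi
  rm -rf "$dir"
  return $bad
}

# Usage: sh cert_preflight.sh portal.example.com bundle.pem private.key
if [ $# -eq 3 ]; then
  check_bundle_format "$2" "$3" && check_bundle_chain "$2" "$3" "$1" && echo "ok: ready to upload"
fi
```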

  5. If you'd like the Duo Network Gateway to automatically generate and renew a free SSL certificate using Let's Encrypt click Change Certificate and select Generate a certificate on save. Review the Let's Encrypt Terms of Service. If you accept, check the box next to I agree to the Let's Encrypt Terms of Service.

    Duo Network Gateway Initial Set Hostname Page with Let's Encrypt

    If any information is entered incompletely or incorrectly, or this initial configuration fails to save, you'll need to re-enter all of it before proceeding.

  6. Click Save and Continue. Saving your configuration redirects you to the Duo Network Gateway admin console.

    Duo Network Gateway Home Page

Configure the Duo Network Gateway Authentication Source

Duo Network Gateway uses SAML as its primary authentication source. You may use any SAML 2.0 IdP you'd like such as the Duo Access Gateway, Okta, OneLogin, or AD FS.

Deploy Duo Access Gateway

  1. Install Duo Access Gateway on a server in your DMZ. Follow our instructions for deploying the server, configuring Duo Access Gateway settings, and adding your primary authentication source.

  2. Add the attribute from the table below that corresponds to the Duo Username attribute in the "Attributes" field when configuring your Active Directory or OpenLDAP authentication source in the Duo Access Gateway admin console. For example, if Active Directory is your authentication source, enter sAMAccountName in the "Attributes" field.

    Duo Attribute      | Active Directory | OpenLDAP
    -------------------|------------------|---------
    Username attribute | sAMAccountName   | uid

    If your organization uses another directory attribute than the ones listed here then enter that attribute name instead. If you've already configured the attributes list for another cloud service provider, append the additional attributes not already present to the list, separated by a comma.

  3. After completing the initial Duo Access Gateway configuration steps, click Applications on the left side of the Duo Access Gateway admin console.

  4. Scroll down the Applications page to the Metadata section. This is the information you need to provide to the Duo Network Gateway when configuring the Duo Access Gateway IdP. Click the Download Certificate link to obtain the token signing certificate (the downloaded file is named "dag.crt").

    Duo Access Gateway Metadata Information

Create the Duo Network Gateway Application in Duo

  1. Log on to the Duo Admin Panel from the Duo Access Gateway server console and navigate to Applications.

  2. Click Protect an Application, locate SAML - Duo Network Gateway in the applications list, and click Protect this Application. See Getting Started for help.

  3. The Domain name is the fully qualified external DNS of your Duo Network Gateway server. For example, if your Duo Network Gateway URL is https://portal.example.com then you would type in portal.example.com in the field.

  4. Duo Network Gateway uses the Username attribute when authenticating. We've mapped the Username attribute to the attributes of the authentication sources Duo Access Gateway supports as follows:

    Duo Attribute        Active Directory   OpenLDAP   SAML IdP   Google   Azure
    Username attribute   sAMAccountName     uid        mail       email    mail

  5. Click Save Configuration to generate a downloadable configuration file.

    Duo Network Gateway Application Settings

  6. You can adjust additional settings for your new SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish SSO setup. If you do update any settings, click the Save Changes button when done.

  7. Click the Download your configuration file link to obtain the Duo Network Gateway application settings (as a JSON file).

    Important: This file contains information that uniquely identifies this application to Duo. Secure this file as you would any other sensitive or password information. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Add the Duo Network Gateway Application to Duo Access Gateway

  1. Return to the Applications page of the Duo Access Gateway admin console session.

  2. Click the Choose File button in the "Add Application" section of the page and locate the Duo Network Gateway SAML application JSON file you downloaded from the Duo Admin Panel earlier. Click the Upload button after selecting the JSON configuration file.

  3. The Duo Network Gateway SAML application is added.

    Duo Network Gateway Application Added

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Entity ID URL from the Duo Access Gateway admin console metadata display and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: https://yourserver.example.com/dag/saml2/idp/metadata.php

  4. Copy the SSO URL information from the Duo Access Gateway admin console Metadata display and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://yourserver.example.com/dag/saml2/idp/SSOService.php

  5. Copy the Logout URL information from the Duo Access Gateway admin console Metadata display and paste it into the Duo Network Gateway Single Logout URL field.

    Example: https://yourserver.example.com/dag/saml2/idp/SingleLogoutService.php

  6. The "Certificate" is the Duo Access Gateway Metadata certificate. Click the Choose File button to select the dag.crt file you downloaded from the Duo Access Gateway admin console Application page earlier. Upload the certificate.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway Duo Access Gateway IdP Settings

  10. Now that you've configured Duo Network Gateway and the primary authentication source you are ready to protect a server with Duo Network Gateway. Duo Network Gateway supports protecting both web applications and SSH servers.

Configure the Duo Network Gateway app in OneLogin

  1. Log into OneLogin as an administrative user. Move your mouse over the APPS button at the top of the screen. A dropdown will appear; click Add Apps. You will be taken to a new page.

  2. On the "Find Applications" page type Duo Network Gateway into the search field. It should return only one result called "Duo Network Gateway". Click on this application to create it. You'll be taken to a new page.

  3. On the "Configuration" page click on the Visible in portal switch to toggle it to off.

  4. Click Save at the top of the screen. You'll be taken to a new page.

    Configure OneLogin

  5. Once you're on the Duo Network Gateway app page click the Configuration tab at the top of the screen. In the Hostname field enter in the fully-qualified domain name of your Duo Network Gateway server.

    Example: If your Duo Network Gateway URL is https://portal.example.com you would type portal.example.com.

    Configure OneLogin Duo Network Gateway Hostname

  6. Click the Save button.

  7. Click the SSO tab at the top of the screen. Under "X.509 Certificate" click View Details; you'll be taken to a new page.

  8. On the "Standard Strength Certificate (2048-bit)" page under "X.509 Certificate" select X.509 PEM from the dropdown and click DOWNLOAD. This will download a onelogin.pem file that you'll need when configuring the Duo Network Gateway.

    OneLogin SSO Certificate Page

  9. Return to the OneLogin SSO page. You'll need to provide information from the "SSO" page for configuring the Duo Network Gateway.

    OneLogin SSO Page

  10. You can now assign users in OneLogin to have access to the Duo Network Gateway app.

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Issuer URL from the OneLogin SSO page and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: https://app.onelogin.com/saml/metadata/123456

  4. Copy the SAML 2.0 Endpoint (HTTP) from the OneLogin SSO page and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://company.onelogin.com/trust/saml2/http-post/sso/123456

  5. Copy the SLO Endpoint (HTTP) from the OneLogin SSO page and paste it into the Duo Network Gateway Single Logout URL field.

    Example: https://company.onelogin.com/trust/saml2/http-redirect/slo/123456

  6. The "Certificate" is the OneLogin certificate you downloaded earlier. Click the Choose File button to select the onelogin.pem file. Upload the certificate.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway OneLogin Configuration

  10. Now that you've configured Duo Network Gateway and the primary authentication source you are ready to protect a server with Duo Network Gateway. Duo Network Gateway supports protecting both web applications and SSH servers.

Configure the Duo Network Gateway app in Okta

  1. Log into Okta as an administrative user. Click on the Admin button in the top right-hand corner of the screen.

  2. On the "Dashboard" page click Add Applications under "Shortcuts" on the right-hand side of the screen.

  3. On the "Add Application" page type Duo Network Gateway into the search field. It should return only one result called "Duo Network Gateway". Click Add on this application to create it. You'll be taken to a new page.

  4. On the "General Settings - Add Duo Network Gateway" page you can change the name of the application by modifying the text in the Application label field.

  5. In the Hostname field enter in the fully-qualified domain name of your Duo Network Gateway server.

    Example: If your Duo Network Gateway URL is https://portal.example.com you would type portal.example.com.

  6. Check both of the boxes next to Application Visibility.

  7. Click Next at the bottom of the screen. You'll be taken to a new page.

    Configure Okta

  8. On the "Assign to People - Add Duo Network Gateway" page you can check the box next to users to allow them to access the Duo Network Gateway application. Click Next when you've finished.

    Assign Okta Users

  9. The page will reload asking you to validate the username field. The username will be checked against Duo when completing two-factor authentication. Modify any usernames as needed and click Done. You'll be taken to a new page.

    Modify Okta Usernames

  10. On the "Duo Network Gateway" page click the Sign On tab. Click View Setup Instructions. You'll be taken to a new page.

  11. On the "How to Configure SAML 2.0 for Duo Network Gateway" page scroll down the page to Step 3. You'll need to provide information from this step to the Duo Network Gateway in the next section.

    Okta Metadata

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Entity ID or Issuer ID from the Okta SSO page and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: http://www.okta.com/abc1a2bcd3efG4HIj5K6

  4. Copy the Assertion Consumer Service URL or Single Sign-On URL from the Okta SSO page and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://example.okta.com/app/duonetworkgateway/abc1a2bcd3efG4HIj5K6/sso/saml

  5. Leave the Single Logout URL field blank.

  6. Click the Certificate link on the Okta SSO page to download the okta.cert file. Upload the certificate in the Duo Network Gateway Certificate section.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway Okta Configuration

  10. Now that you've configured Duo Network Gateway and the primary authentication source you are ready to protect a server with Duo Network Gateway. Duo Network Gateway supports protecting both web applications and SSH servers.

Using AD FS as your IdP requires Duo Network Gateway 1.2.4 or later.

Copy Metadata from the Duo Network Gateway

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Under the Metadata section copy the URL next to Entity ID or Issuer ID URL. You'll need this later in the setup.

Add the Duo Network Gateway Relying Party in AD FS

  1. Log into your AD FS server as a Domain Admin or member of the server's local Administrators group and open the AD FS Management console.

  2. Click the arrow icon next to Trust Relationships on the left-hand side of the page to expand its options. Skip this step if you are using AD FS 4.

  3. Right click Relying Party Trusts and select Add Relying Party Trust... from the dropdown. A new window will appear.

  4. Review the information on the Welcome page and then click Start. In AD FS 4 leave the default choice of "Claims aware" selected and click Start.

  5. Select Import data about the relying party published online or on a local network on the Select Data Source Page. Copy the Entity ID or Issuer ID value from earlier and paste it into the text field. Click Next.

    Example: https://portal.example.com/metadata/

    Configure AD FS Data Source

  6. On the Specify Display Name page type a name that will help you identify this relying party easily later into the Display name field and click Next.

  7. On the Configure Multi-factor Authentication Now? page select I do not want to configure multi-factor authentication settings for this relying party trust at this time. and click Next. In AD FS 4 this page is called "Choose Access Control Policy". Select the access control policy for this application from the list. The simplest option is to choose the default "Permit everyone" policy, or if you want to restrict Duo Network Gateway access select the built-in or custom access control policy that meets your needs. After selecting an access control policy click Next.

  8. Click Next on the Ready to Add Trust page.

  9. Leave the "Open the Edit claim Rules dialog for this relying party trust when the wizard closes" checked and click Close. This setting is called "Configure claims issuance policy for this application." in AD FS 4. A new window will appear.

Configure the Duo Network Gateway Relying Party in AD FS

  1. On the Edit Claim Rules for ... page click Add Rule.... A new window will appear.

  2. On the Select Rule Template page select Send LDAP Attributes as Claims from the dropdown and click Next.

  3. On the Configure Rule page type NameID into the Claim rule name field.

  4. Select Active Directory from the Attribute store dropdown.

  5. Click the dropdown menu under LDAP Attribute and select SAM-Account-Name.

  6. Click the dropdown menu under Outgoing Claim Type and select Name ID.

  7. Click Finish. You'll be returned to the "Edit Claim Rules for ..." page.

  8. Click Apply and click OK. The page will close and you'll be returned to the AD FS Management console.

    Configure AD FS Claim Rules

Export AD FS Signing Certificate

  1. On the AD FS Management console click the arrow icon next to Service on the left-hand side of the page to expand its options. Click on Certificates.

  2. In the middle of the screen right-click the certificate under Token-signing and select View Certificate.... A new window will appear.

  3. On the Certificate window select the Details tab. Click the button Copy to File.... A new window will appear.

  4. Click Next on the Welcome page.

  5. On the Export Private Key page select No, do not export the private key and then click Next.

  6. Select Base-64 encoded X.509 (.CER) on the Export File Format page. Click Next.

    Configure AD FS Claim Rules

  7. On the File to Export page click Browse.... Name the file adfs and select a location to save it. You will need to use this certificate later. Click Finish.

Gather AD FS Metadata

  1. Open up a web browser and go to https://AD-FS-URL/FederationMetadata/2007-06/FederationMetadata.xml. This will download an XML file onto your computer.

  2. Open the FederationMetadata.xml file using a text editor such as Notepad or WordPad. You will need information from this file later.

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the entityID value from the AD FS XML file and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: http://AD-FS-URL/adfs/services/trust

  4. Copy the AssertionConsumerService value from the AD FS XML file and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://AD-FS-URL/adfs/ls/

  5. The "Certificate" is the AD FS token-signing certificate file you downloaded earlier. Click the Choose File button to select the adfs.cer file. Upload the certificate.

  6. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If AD FS sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  7. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses or userPrincipalNames within a certain domain are allowed to log into Duo Network Gateway if you are using one of those attributes.

  8. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway AD FS Configuration

  9. Now that you've configured Duo Network Gateway and the primary authentication source you are ready to protect a server with Duo Network Gateway. Duo Network Gateway supports protecting both web applications and SSH servers.
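The values the "Gather AD FS Metadata" and "Configure Duo Network Gateway IdP" steps have you copy out of FederationMetadata.xml by hand (the entityID, the /adfs/ls/ endpoint and the token-signing certificate as a Base64 .cer file) can be pulled out with a short script. This is an added example, not Duo's or Microsoft's code: the metadata document is a constructed sample in the shape of AD FS federation metadata, the host adfs.example.com is made up, and the certificate blobs are placeholders rather than real certificates. It reads the IdP role's HTTP-POST SingleSignOnService (in AD FS metadata this is the same /adfs/ls/ location as the AssertionConsumerService the step copies), so it also works on metadata from other SAML 2.0 IdPs.

```python
"""Extract the values Duo Network Gateway's SAML IdP form needs from a SAML 2.0
IdP metadata document such as AD FS FederationMetadata.xml. Standard library only."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def to_pem(b64_der: str) -> str:
    """Re-wrap the base64 DER blob found in <ds:X509Certificate> as a
    Base64-encoded X.509 (.cer/.pem) file, the form the Certificate upload expects."""
    der = base64.b64decode("".join(b64_der.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity ID, HTTP-POST SSO URL, SLO URL (if any) and the IdP's
    signing certificate(s) as PEM strings."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    # AD FS metadata carries both an SPSSODescriptor and an IDPSSODescriptor;
    # only the IdP role matters when Duo Network Gateway is the service provider.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP-only metadata")

    def endpoint(tag: str, binding: str):
        for el in idp.findall("md:" + tag, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    sso_url = endpoint("SingleSignOnService", HTTP_POST)
    if sso_url is None:
        raise ValueError("IdP advertises no HTTP-POST SingleSignOnService")
    slo_url = endpoint("SingleLogoutService", HTTP_REDIRECT) or endpoint(
        "SingleLogoutService", HTTP_POST)

    # Take certificates only from the IdP role's KeyDescriptors marked for signing
    # (an unmarked KeyDescriptor is valid for both signing and encryption). The
    # certificate inside the document's own <ds:Signature> is deliberately ignored.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for x509 in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(to_pem(x509.text or ""))
    if not certs:
        raise ValueError("IdP metadata lists no signing certificate")
    return {"entity_id": entity_id, "sso_url": sso_url, "slo_url": slo_url,
            "signing_certs": certs}


# Constructed sample in the shape of AD FS FederationMetadata.xml. The two
# certificate blobs are placeholders (an AD FS instance mid-rollover advertises
# a primary and a secondary token-signing certificate), not real DER certificates.
_FAKE_CERT_1 = base64.b64encode(b"constructed placeholder: primary token-signing cert").decode()
_FAKE_CERT_2 = base64.b64encode(b"constructed placeholder: secondary cert during rollover").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{_FAKE_CERT_1}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{_FAKE_CERT_2}</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    s = extract_idp_settings(SAMPLE_METADATA)
    print("Entity ID or Issuer ID:", s["entity_id"])
    print("Single Sign-On URL:    ", s["sso_url"])
    print("Single Logout URL:     ", s["slo_url"])
    print(f"{len(s['signing_certs'])} signing certificate(s); first one:\n{s['signing_certs'][0]}")
```

If two signing certificates come back, AD FS has a secondary token-signing certificate staged for rollover: upload the one shown as Primary under Token-signing in the AD FS Management console, and plan to update the certificate in Duo Network Gateway when the rollover completes.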

Other SAML Providers

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. On the "Primary Authentication" page scroll down to Metadata. You will need to provide this information about Duo Network Gateway to your primary authentication source.

    Duo Network Gateway Metadata Information

  3. Add Duo Network Gateway as a SAML Service Provider or Relying Party to the SAML Identity Provider (IdP) of your choice.

    1. Use the metadata to fill out information related to the Duo Network Gateway server during the setup.
    2. Configure your SAML IdP to send the NameIDFormat as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the NameID value containing the Duo username.
    3. Save the certificate generated by your SAML IdP, you will need this later.
  4. Once you've configured Duo Network Gateway as a SAML Service Provider on your SAML IdP you will need to configure the Duo Network Gateway server to use your IdP. Use the table below and fill in the following fields:

    Entity ID or Issuer ID: The global, unique name for your SAML entity. Obtain this from your SAML authentication identity provider.
    Assertion Consumer Service URL or Single Sign-On URL: URL to use when performing primary authentication. This is provided by your primary authentication identity provider.
    Single logout URL: Optional. URL to use when logging out. This is provided by your primary authentication identity provider.
    Certificate: The Base64-encoded X.509 certificate provided by your SAML IdP.
    Username Attribute: Optional. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.
    Enforced Email Domain: Optional. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway.

    Duo Network Gateway Primary Authentication Configuration

  5. Once you've filled in all the required fields, click Save Settings.

  6. Now that you've configured Duo Network Gateway and the primary authentication source you are ready to protect a server with Duo Network Gateway. Duo Network Gateway supports protecting both web applications and SSH servers.
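As an added illustration (not Duo's code) of what the Username Attribute, Enforced Email Domain and NameID settings above amount to, the following resolves a login name from a SAML assertion: the NameID by default, a named single-valued attribute when Username Attribute is set, and an exact, case-insensitive match on the part after the last "@" when a domain is enforced (this also covers the AD FS variant, where the enforced attribute may be a userPrincipalName). The assertion is a constructed sample; the attribute names mail and userPrincipalName, the issuer and the domains are assumptions, and the matching rules are a model, not a description of Duo Network Gateway's internals.

```python
"""Model of username selection and email-domain enforcement on a SAML assertion.
Standard library only; the rules are assumptions, not Duo Network Gateway's code."""
from typing import Optional
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


class UsernameError(ValueError):
    """Raised when no acceptable username can be derived from the assertion."""


def _assertion(root: ET.Element) -> ET.Element:
    """Accept either a bare <saml:Assertion> or a <samlp:Response> wrapping one."""
    if root.tag == "{%s}Assertion" % NS["saml"]:
        return root
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise UsernameError("no Assertion element found")
    return a


def resolve_username(assertion_xml: str, username_attribute: Optional[str] = None,
                     enforced_domain: Optional[str] = None) -> str:
    a = _assertion(ET.fromstring(assertion_xml))
    if username_attribute:
        # Username Attribute is set: use that attribute, which must be single-valued.
        values = []
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == username_attribute:
                values += [(v.text or "").strip()
                           for v in attr.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if len(values) != 1:
            raise UsernameError(f"attribute {username_attribute!r} must have exactly "
                                f"one value, got {len(values)}")
        username = values[0]
    else:
        # Default: the Subject's NameID. The page asks the IdP to send the
        # "unspecified" format carrying the Duo username; a transient NameID is an
        # opaque per-session value and can never serve as a stable username.
        nameid = a.find("saml:Subject/saml:NameID", NS)
        if nameid is None or not (nameid.text or "").strip():
            raise UsernameError("assertion has no NameID")
        fmt = nameid.get("Format", NAMEID_UNSPECIFIED)
        if fmt.endswith(":transient"):
            raise UsernameError("transient NameID cannot be used as a username")
        username = nameid.text.strip()

    if enforced_domain:
        # Exact, case-insensitive comparison of the part after the last "@".
        # A suffix test (endswith) would also accept "user@notexample.com", and
        # subdomains are not the same domain, so "corp.example.com" != "example.com".
        local, at, domain = username.rpartition("@")
        if not at or not local or domain.lower() != enforced_domain.lower():
            raise UsernameError(f"{username!r} is not in enforced domain {enforced_domain!r}")
    return username


# Constructed sample assertion; issuer, attribute names and values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>JSmith@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userPrincipalName"><saml:AttributeValue>jsmith@corp.example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>eng</saml:AttributeValue><saml:AttributeValue>ops</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_username(SAMPLE_ASSERTION))
    print(resolve_username(SAMPLE_ASSERTION, "mail", "example.com"))
    for args in [("userPrincipalName", "example.com"), (None, "example.com"), ("groups", None)]:
        try:
            resolve_username(SAMPLE_ASSERTION, *args)
        except UsernameError as e:
            print("rejected:", e)
```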

Protect a Web Application with Duo Network Gateway

Duo Network Gateway allows your users to access internal web applications without having to join a VPN. Users will be able to access the internal web application after verifying their identity with a first factor and Duo MFA.

Prerequisites

  • Identify the web application you'd like to protect with Duo Network Gateway and verify that Duo Network Gateway is able to communicate locally with the application.
  • Create or update the public DNS record of your application to point to the Duo Network Gateway server. Example: If you have an internal wiki you're protecting you could create a public CNAME DNS record of "wiki.example.com" and point it at the Duo Network Gateway record.
  • Obtain an SSL certificate for your application from a commercial certificate authority (CA) using the fully qualified external DNS name of your application as the common name (e.g. yourinternalapp.example.com). This secures the connection between your external users and the Duo Network Gateway server. You can also generate a free, automatically renewing certificate from Let's Encrypt during setup.
  • If the application you'll be protecting is already communicating over HTTPS you will also need to obtain the Base64-encoded X.509 (pem, cer, or crt) formatted version of the application's certificate bundle including the issuing certificates and the root certificate. You may also use a wildcard SSL certificate.

Create a Duo Network Gateway Web Application in Duo

  1. Log in to the Duo Admin Panel and navigate to Applications.

  2. Click Protect an Application and locate Duo Network Gateway Web Application in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. You will need this information later. (See Getting Started for help.)

  3. You can adjust additional settings for your new Duo Network Gateway application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish setup. If you do update any settings, click the Save Changes button when done.

Configure an Application in Duo Network Gateway

  1. Return to the Duo Network Gateway admin console and click the Applications link on the left-hand side of the screen.

  2. On the "Applications" page click Add New... and select Web Application from the drop-down options. You will be taken to a new page.

  3. Under "Configure 2FA" enter the integration key, secret key, and API hostname you created earlier from the Duo Admin Panel.

    Integration key: Copy and paste in the integration key from the Duo Network Gateway application you created earlier in the Duo Admin Panel.
    Secret key: Copy and paste in the secret key from the Duo Network Gateway application you created earlier in the Duo Admin Panel.
    API hostname: Copy and paste in the API hostname from the Duo Network Gateway application you created earlier in the Duo Admin Panel.

    Configure Duo Network Gateway application with Duo keys

  4. Scroll down to the "External Website Settings" section. In the External URL field enter the public-facing URL of the web application Duo Network Gateway is protecting (e.g. https://wiki.example.com). This URL can be the same as the internal application URL but is not required to match. Ensure that this hostname resolves to the external IP address of your Duo Network Gateway server.

    If you do reuse the same URL for internal and external, ensure that there is also an internal DNS record in place for this hostname that resolves to the application server's internal IP address.

  5. If you will be supplying your own SSL certificate select Provide my own certificate next to Certificate Source. Configure the certificate using the table below and skip step 7. If you would like to automatically generate certificates, skip this step and proceed to step 7.

    External SSL certificate: Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external URL of the application. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate.
    External SSL certificate key: Base64-encoded X.509 (pem, cer, or crt) private key for the application's external URL certificate.

    Configure external settings for Duo Network Gateway Application

  6. If you'd like the Duo Network Gateway to automatically generate and renew a free SSL certificate using Let's Encrypt select Generate a certificate on save next to Certificate Source. Review the Let's Encrypt Terms of Service. If you accept, check the box next to I agree to the Let's Encrypt Terms of Service.

    Configure external settings for Duo Network Gateway Application with Let's Encrypt

  7. URI Whitelisting is an optional feature. Check the box next to "URI Whitelisting" to display its options. Whitelisting URI prefixes or suffixes means that they don't require authentication through the Duo Network Gateway. You will still need to complete any authentication the internal application may have before accessing the resource. This may be required for certain applications that communicate to each other over APIs or other methods. Separate multiple values with spaces. You may also restrict the whitelist to specific IP addresses or IP ranges during configuration.

  8. Scroll down to the "Internal website settings" section. Configure the settings related to your internal application using the table below:

    Internal URL: Enter the internal URL or IP address of the web application Duo Network Gateway is protecting (e.g. https://wiki.local or https://10.1.10.123). If the internal application is communicating on a port other than 80 or 443, specify the port using a colon (e.g. https://wiki.local:8090). Your internal application can communicate over HTTP or HTTPS. If you used the same URL for the application's internal and external URLs, ensure that an internal DNS record for this hostname exists and points to the internal application server IP.
    Certificate Authority: This will only appear if your internal URL uses HTTPS. Duo Network Gateway will automatically check your internal application's certificate against a list of trusted public certificate authorities. If you use a private certificate authority or still get an error when trying to access your application, check the box next to I use a private Certificate Authority and upload an Internal SSL certificate.
    Internal SSL certificate: Only required if the internal application is communicating over HTTPS and you've checked the box next to I use a private Certificate Authority. Provide a Base64-encoded X.509 (pem, cer, or crt) version of the Root CA's certificate that is at the top of the chain for the internal application certificate.
    Internal SSL validation name: The drop-down options include the internal and external URLs you entered on this page. Select the one that matches the subject host name of the certificate used by the internal application.
    Session duration: This field allows you to specify the maximum user session duration for a specific application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480.

    Configure Internal Settings Duo Network Gateway Application

  9. Once you've filled in all the required fields, click Add Application.

    If all information isn't entered completely and correctly or this new application configuration fails to save you'll need to re-enter the Duo application secret key and select the certificate and key files again for upload.
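An illustrative model of the URI Whitelisting decision in step 7, added here and not Duo's code: whitelist entries are space-separated prefixes and suffixes, and an optional set of IP ranges limits who may use them. The matching semantics and the path normalization are assumptions about how such an authentication bypass should be evaluated, not a description of how Duo Network Gateway implements it; the paths, addresses and rules are constructed.

```python
"""Model of which requests a URI whitelist lets through to the internal
application without Duo Network Gateway authentication. Standard library only;
matching semantics are assumed, not taken from Duo Network Gateway."""
import ipaddress
import posixpath
from urllib.parse import unquote


def parse_whitelist(prefixes: str = "", suffixes: str = "", ip_ranges: str = "") -> dict:
    """Fields are space-separated, as on the application page. IP ranges are CIDR
    blocks or single addresses; an empty list means no IP restriction at all."""
    return {
        "prefixes": prefixes.split(),
        "suffixes": suffixes.split(),
        "networks": [ipaddress.ip_network(r, strict=False) for r in ip_ranges.split()],
    }


def normalize_path(raw: str) -> str:
    """Canonicalize the request path before matching, so that dot segments,
    duplicate slashes or percent-encoded traversal cannot make a path that is
    not whitelisted look like one that is."""
    path = raw.split("?", 1)[0].split("#", 1)[0]  # drop query string and fragment
    path = unquote(path) or "/"                   # decode %2e%2e and friends once
    trailing = path.endswith("/") and path != "/"
    path = posixpath.normpath(path)               # resolves "." and ".." segments
    path = "/" + path.lstrip("/")                 # normpath keeps a leading "//"
    if trailing and path != "/":
        path += "/"                               # keep directory prefixes matchable
    return path


def is_exempt(rules: dict, raw_path: str, client_ip: str) -> bool:
    """True when the request may bypass Duo Network Gateway authentication."""
    path = normalize_path(raw_path)
    matched = any(path.startswith(p) for p in rules["prefixes"]) or \
              any(path.endswith(s) for s in rules["suffixes"])
    if not matched:
        return False
    if not rules["networks"]:
        return True   # no IP restriction: this path is reachable from anywhere
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in rules["networks"])


if __name__ == "__main__":
    # Constructed rules: an API prefix and a health check, static assets by suffix,
    # usable only from the internal range and one partner block (documentation addresses).
    rules = parse_whitelist("/api/ /healthz", ".js .css", "10.0.0.0/8 203.0.113.0/24")
    for path, ip in [("/api/v1/status", "10.1.2.3"), ("/api/../admin", "10.1.2.3"),
                     ("/api/%2e%2e/admin", "10.1.2.3"), ("/static/app.js?v=2", "203.0.113.9"),
                     ("/api/v1/status", "198.51.100.7")]:
        print(f"{path!r:24} from {ip:14} exempt={is_exempt(rules, path, ip)}")
```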

Test Duo Network Gateway with Web Applications

  1. Navigate to the external URL of the application that you just configured in Duo Network Gateway (e.g. https://wiki.example.com).

  2. You'll be redirected to the SAML IdP you configured for use with Duo Network Gateway. The Duo authentication prompt appears after successful primary authentication. Completing secondary authentication with Duo grants access to your internal web application.

  3. The Duo Network Gateway doesn't pass any primary login credential information to the internal application, so you'll need to provide your username and password to the internal application separately.

Congratulations! You have successfully published your internal application with Duo Network Gateway. You can now remove any external firewall rules providing direct access to your internal application and allow all authorized users to access the application through Duo Network Gateway.

Protect SSH Servers with Duo Network Gateway

Duo Network Gateway allows you to remotely access your SSH servers by tunneling the connection through it over HTTPS. You can group access to a set of servers; after you've authenticated you'll be able to connect to all servers in that group. You might decide to group servers by level of security or by departments within your organization. Each group of servers can have its own policies in the Duo Admin Panel.

SSH Installation Video Overview

This video demonstrates the process of configuring Duo Network Gateway for protected external access of an internal SSH server.

Prerequisites

  • Identify the SSH servers you'd like to protect with Duo Network Gateway and make sure that Duo Network Gateway is able to communicate locally with each server over the SSH ports they are configured to use.
  • Create a public DNS record related to your set of SSH servers and point it to the Duo Network Gateway server. This DNS record must be different from your SSH servers' records and from the Duo Network Gateway's DNS record, even if your SSH servers have a public DNS record already.
    • Example: If the group of servers you're protecting is for your engineering team you could create a public CNAME DNS record of "engineering-ssh.example.com" and point it to the Duo Network Gateway.
  • Obtain an SSL certificate for your external URL from a commercial certificate authority (CA) using the fully qualified external DNS name of your external URL as the common name (e.g. engineering-ssh.example.com). This secures the connection between your external users and the Duo Network Gateway server. You can also generate a free, automatically renewing certificate from Let's Encrypt during setup.

Create a Duo Network Gateway - SSH Servers Application in Duo

  1. Log in to the Duo Admin Panel and navigate to Applications.

  2. Click Protect an Application and locate Duo Network Gateway - SSH Servers in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. You will need this information later. (See Getting Started for help.)

  3. You can adjust additional settings for your new Duo Network Gateway application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish setup. If you do update any settings, click the Save Changes button when done.

Protect SSH Servers in Duo Network Gateway

  1. Navigate to the Duo Network Gateway admin console and click the Applications link on the left-hand side of the screen.

  2. On the "Applications" page click Add New... and select SSH Servers from the drop-down options. You will be taken to a new page.

  3. Under "Configure 2FA" enter the integration key, secret key, and API hostname you created earlier from the Duo Admin Panel.

    Duo Integration key: Copy and paste in the Integration key from the "Duo Network Gateway - SSH Servers" application you created earlier in the Duo Admin Panel.
    Duo Secret key: Copy and paste in the Secret key from the "Duo Network Gateway - SSH Servers" application you created earlier in the Duo Admin Panel.
    Duo API hostname: Copy and paste in the API hostname from the "Duo Network Gateway - SSH Servers" application you created earlier in the Duo Admin Panel.

    Configure Duo Network Gateway SSH Application with Duo Keys

  4. Scroll down to the "External URL Settings" section. In the External URL field enter the hostname of the external URL DNS record you created as part of the prerequisites. The external URL is where users' computers will communicate with the Duo Network Gateway. A group of SSH servers can be protected behind an external URL. An example of an external URL for SSH servers used by the engineering team might be "engineering-ssh.example.com".

  5. If you will be supplying your own SSL certificate select Provide my own certificate next to Certificate Source. Configure the certificate using the table below and skip step 6. If you would like to automatically generate certificates, skip this step and proceed to step 6.

    SSL certificate: Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the "external URL" URL. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate.
    SSL certificate key: Base64-encoded X.509 (pem, cer, or crt) private key for the "external URL" URL certificate.

    Configure External Website settings for Duo Network Gateway SSH server

  6. If you'd like the Duo Network Gateway to automatically generate and renew a free SSL certificate using Let's Encrypt select Generate a certificate on save next to Certificate Source. Review the Let's Encrypt Terms of Service. If you accept, check the box next to I agree to the Let's Encrypt Terms of Service.

    Configure Relay Host settings for Duo Network Gateway SSH server with Let's Encrypt

  7. Session duration allows you to specify the maximum user session duration for an external URL in minutes. Users must reauthenticate to the Duo Network Gateway the next time they attempt a connection after the limit is reached. This will not close currently open connections. The default value is 480.

  8. Scroll down to the "SSH Servers" section. Multiple SSH servers can be protected behind an external URL. Once a user authenticates through the external URL they can access any of the SSH servers behind that external URL without having to authenticate again. Users will need to reauthenticate on the next login attempt after their session has expired based on the Session Duration setting above. Users will still need to authenticate locally to the SSH servers themselves.

  9. Configure the settings related to your internal SSH servers using the table below:

    Internal hosts: Enter a hostname, a hostname with wildcards, an IP address, a range of IP addresses, or a CIDR block for the internal SSH servers you want to protect. Wildcards will not match sub-domains (e.g. "*.example.com" will match "server.example.com" but not "server.internal.example.com"). Wildcards are used to match domain names, not IP addresses. For example, the pattern "192.168.1.*" will match the domain name "192.168.1.com" but will not match the IP address 192.168.1.1.
    Ports: Enter the port(s) that the servers are listening on for SSH connections. You may enter a single port or a range of ports. You can also specify multiple ports or multiple ranges of ports by separating them with commas.

  10. Additional text fields will appear under Internal hosts. Repeat step 9 to protect additional SSH servers behind this external URL.

    Configure Internal Settings Duo Network Gateway Application

  11. Once you've filled in all the required fields, click Add SSH Servers.

    If all information isn't entered completely and correctly or this new external URL fails to save, you'll need to re-enter the Duo application secret key and select the certificate and key files again for upload.

  12. Once the page reloads you'll see a new section at the top of the page called SSH Client Configuration. It contains the SSH client configuration your users will need after they install and configure DuoConnect.

    SSH Configuration Examples
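The Internal hosts and Ports rules from step 9, modelled offline so an administrator can see which inventory hosts a pattern would expose before saving it. This is an added example, not Duo's code; it assumes that "*" stands for any run of characters inside a single DNS label, that an IP range is written "first-last", and the inventory and port strings are constructed sample data.

```python
"""Offline model of the "Internal hosts" / "Ports" matching rules (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _as_ip(value: str) -> Optional[IPAddr]:
    """Parse an IP literal; hostnames, CIDR blocks and ranges return None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def host_matches(pattern: str, target: str) -> bool:
    """True if `target` (a hostname or an IP address) falls under `pattern`."""
    pattern, target = pattern.strip().lower(), target.strip().lower()
    target_ip = _as_ip(target)

    if "/" in pattern:  # CIDR block: only IP targets of the same family can match
        net = ipaddress.ip_network(pattern, strict=False)
        return target_ip is not None and target_ip.version == net.version and target_ip in net

    first, dash, last = pattern.partition("-")
    lo, hi = _as_ip(first), (_as_ip(last) if dash else None)
    if lo is not None and hi is not None:  # "first-last" range (assumed syntax)
        return target_ip is not None and target_ip.version == lo.version and lo <= target_ip <= hi

    pattern_ip = _as_ip(pattern)
    if pattern_ip is not None:  # a single IP address
        return target_ip == pattern_ip

    if "*" in pattern:
        if target_ip is not None:
            return False  # documented: wildcards match domain names, never IP addresses
        # "*" matches inside one label only, so *.example.com covers server.example.com
        # but not server.internal.example.com (the sub-domain case the table calls out).
        regex = re.escape(pattern).replace(r"\*", "[^.]*")
        return re.fullmatch(regex, target) is not None

    return target_ip is None and pattern == target  # plain hostname, exact match


def parse_ports(spec: str) -> Set[int]:
    """Expand a Ports entry such as "22, 2200-2210" into the set of ports it names."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, dash, hi_s = item.partition("-")
        start = int(lo_s)
        end = int(hi_s) if dash else start
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def coverage(patterns: List[str], inventory: List[str]) -> Dict[str, List[str]]:
    """For each pattern, the inventory hosts it would expose through the gateway."""
    return {p: [h for h in inventory if host_matches(p, h)] for p in patterns}


# Constructed inventory and candidate patterns (not taken from the documentation).
INVENTORY = [
    "build01.example.com", "build02.example.com", "db01.internal.example.com",
    "10.0.0.5", "10.0.0.77", "10.0.1.4", "192.168.1.1", "192.168.1.15",
]
PATTERNS = [
    "*.example.com", "192.168.1.*", "10.0.0.0/24",
    "192.168.1.10-192.168.1.20", "db01.internal.example.com",
]

if __name__ == "__main__":
    for pattern, hosts in coverage(PATTERNS, INVENTORY).items():
        print(f"{pattern:28} -> {hosts}")
    print("ports:", sorted(parse_ports("22, 2200-2202")))
```

Running it shows that "192.168.1.*" exposes nothing in an IP-only inventory, while the /24 block covers every address in it, which is the check to make before widening a pattern.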

Install & Configure DuoConnect Client

Using the Duo Network Gateway to protect SSH servers requires a small software install on the user's computer. We support 64-bit operating systems for the following platforms: Windows, macOS 10.11 - 10.13, and most Linux distributions.

You and your users can learn how to install and configure DuoConnect at the DuoConnect User's Guide using the information provided in step 12 of Protect SSH Servers in Duo Network Gateway.

Newer versions of DuoConnect will be released with new features, bug fixes, and security patches. When newer versions of DuoConnect are released there will be two different types of updates:

  • Optional updates will notify users there is a pending update but allow users to proceed past the message and continue their connection to the SSH server.
  • Required updates will notify users that there is a pending update and users will not be able to continue until they update DuoConnect.

    DuoConnect Upgrade Page

Additional Settings

You can change settings related to the Duo Network Gateway server by clicking the Settings link on the left-hand side navigation menu and clicking tabs at the top of the page.

Server Settings

This section allows you to change the Duo Network Gateway server settings that were set during Initial Duo Network Gateway Configuration. These values are the admin e-mail, hostname, and certificate that are used for the Duo Network Gateway website. This is the site that users are directed to when they are authenticating through Duo Network Gateway.

Configure Duo Network Gateway Server settings

Change Password

Set a new administrator password. We require a strong password that uses a mix of uppercase and lowercase letters, numbers, and special characters.

Change Duo Network Gateway admin password

Backup and Restore

Duo Network Gateway allows you to back up your current configuration and restore it at a later date, or import it on a different server for high availability or migration. You can do this through the admin console using the directions below, or from the command line using scripted backup and restore.

Backing up your configuration

  1. While logged into the Duo Network Gateway admin console click Settings on the left-hand side of the screen.

  2. On the "Settings" page click the Backup Configuration tab.

  3. Type your current admin password into the Current Admin Password field.

  4. Type a passphrase that will be used to encrypt your backup file into the File Encryption Passphrase and confirm the passphrase in the Confirm Encryption Passphrase field.

    Important: Secure this file as you would any other sensitive or password information. If you lose your passphrase you will not be able to restore the backup file.

  5. Click Backup Configuration. A backup CFG file will be downloaded to your computer. Store this file in a secure location.

Backup Duo Network Gateway configuration

Restoring from the Settings page

  1. While logged into the Duo Network Gateway admin console click Settings on the left-hand side of the screen.

  2. On the "Settings" page click the Restore Configuration tab.

  3. Type your current admin password into the Current Admin Password field.

  4. Select the backup CFG file you'd like to restore from and upload it in Saved Configuration File.

  5. Type the passphrase you chose when you created the backup in the Encryption Passphrase for Selected File field.

  6. Click Restore Configuration. The page will refresh and all previous configurations will be restored.

Restore Duo Network Gateway configuration

Restoring from the Initial config page

  1. While configuring a new Duo Network Gateway on the "Make Duo Network Gateway visible to the internet" page click the Already have a Duo Network Gateway configuration file? Import it now. link.

  2. Select the backup CFG file you'd like to restore from and upload it in Saved Configuration File.

  3. Type the passphrase you chose when you created the backup in the Encryption Passphrase for Selected File field.

  4. Click Import Configuration. The page will refresh and all previous configurations will be restored.

  5. You'll be taken to the homepage of the Duo Network Gateway admin console.

Restore Duo Network Gateway from initial configuration page

Logging

To view Duo Network Gateway's system logs, log into the Duo Network Gateway server and run the following command using your current Duo Network Gateway YML file:

docker-compose -p network-gateway -f network-gateway-1.4.1.yml logs -f

Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your current YML file's actual name.

The logs will output as a continuous stream. To exit viewing the logs use the keyboard combination CTRL + Z.

Upgrading Duo Network Gateway

Upgrading Duo Network Gateway preserves all your server settings and application configurations. To perform an upgrade:

  1. Before upgrading back up your configuration.

  2. Clean up older unused Duo Network Gateway Docker images by typing:

    docker rmi $(docker images --format "{{.Repository}} {{.ID}}" | grep duosecurity | cut -f 2 -d ' ')

    Ignore any error response messages you see. You should see output similar to:

    Untagged: duosecurity/network-gateway@sha256:16d5e71a3280c11766996de561b48b283b866ec93613f1bb65490def6ff29c64
    Deleted: sha256:6893259e27b3311895279cde328012879f4e92c9823245d05adf9926fed3c0b4
    Deleted: sha256:82dcf49fa7f5fe50b3193a60663e562e2980692e56cf50aed1e168807cc9ea96
    Deleted: sha256:0c9d75ad7dbad398c8382638effbfde7edc20c546c7dec392074716e80535897
    Error response from daemon: conflict: unable to delete 3f33419032e4 (cannot be forced) - image is being used by running container f596fdca3aad
    Error response from daemon: conflict: unable to delete 421ce10839ab (cannot be forced) - image is being used by running container f29e373adc26
    Error response from daemon: conflict: unable to delete 3627aad0d196 (cannot be forced) - image is being used by running container 2acb91f391a7
  3. Download the latest version of the Duo Network Gateway YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1.yml’
    network-gateway-1.4.1.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1.yml’ saved [1194/1194]
    

    Note the saved file name; you'll need this in future steps. View checksums for Duo downloads here.

  4. Pull down the new Duo Network Gateway image files using the YML file downloaded in the previous step.

    Type:

    docker-compose -f network-gateway-1.4.1.yml pull

    Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

  5. Type the following command to upgrade your existing Duo Network Gateway to the new version from the YML file you downloaded:

    docker-compose -p network-gateway -f network-gateway-1.4.1.yml up -d

    Note that the new YML file names may reflect different versions than the example command shown. Replace the file name in the example with your newly downloaded YML file's actual name.

  6. The Duo Network Gateway server shuts down and starts up with the newer version, preserving your existing settings. The upgrade process is complete with no further action required. The output will look similar to:

    Recreating network "network-gateway_default" with the default driver
    Recreating network-gateway-redis
    Recreating network-gateway-portal
    Recreating network-gateway-admin

Troubleshooting

Need some help? Take a look at our Duo Network Gateway Knowledge Base articles or Community discussions. For further assistance, contact Support.

Scripted Backup and Restore

Scripted backup and restore requires Duo Network Gateway 1.3.2 or greater.

Duo Network Gateway offers a way to use the command line to back up and restore Duo Network Gateway configuration. This allows you to use scripts or tools to automatically back up or restore Duo Network Gateway configuration without needing to log into the admin console.

Scripted Backup

The command for backing up your configuration is called backup-config. It accepts a password on its standard input and writes the backup configuration to its standard output. This allows you to use scripts or tools to back up Duo Network Gateway configuration.

  1. While logged into the Duo Network Gateway server through the command-line with Duo Network Gateway running, create an environment variable called BACKUP_PASSWORD. The value of this variable should be the password you'd like to use to encrypt and decrypt the Duo Network Gateway backup file.

    We recommend setting this environment variable using a script or another tool so that the password is not stored in command-line history. This environment variable can usually be set with a command similar to:

    BACKUP_PASSWORD="The_Actual_Password"

    This environment variable will only persist until the command-line session is closed.

  2. Running the following command will back up the Duo Network Gateway to a file called dng.cfg in your current directory:

    echo "$BACKUP_PASSWORD" | docker exec -i network-gateway-admin backup-config >dng.cfg

    You can change the file name that the backup is saved as by modifying the name at the end of the command.

  3. Upon successful run of the command you'll see the following output:

    Password:
    Backup completed.
  4. You can now move the dng.cfg file from your current directory to a backup location.

Scripted Restore

The command for restoring configuration is called restore-config. It accepts a password as the first line of its standard input, followed by the configuration file name you'd like to restore. This allows you to use scripts or tools to restore the Duo Network Gateway configuration.

  1. While logged into the Duo Network Gateway server through the command-line with Duo Network Gateway running, set the same BACKUP_PASSWORD environment variable and value you used in Scripted Backup.

  2. Running the following command will restore the Duo Network Gateway:

    (echo "$BACKUP_PASSWORD" && cat dng.cfg) | docker exec -i network-gateway-admin restore-config

    If you have changed the name of the backup file or it is located in a different directory you may need to modify the command.

  3. Upon successful run of the command you'll see the following output:

    Password:
    Configuration restored.
  4. Duo Network Gateway configuration has now been restored.
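A wrapper around the backup-config and restore-config pipelines shown in Scripted Backup and Scripted Restore, written as an added example rather than Duo's tooling. It reads the passphrase from an owner-only file instead of a shell variable (so it never lands in command history or process listings), names each backup by timestamp, and refuses to keep an empty backup. The passphrase file path, the backup directory and the `runner` parameter are assumptions made here, not gateway features.

```python
"""Scripted backup/restore wrapper for Duo Network Gateway (added example)."""
import datetime as dt
import os
import stat
import subprocess
from pathlib import Path
from typing import Callable

ADMIN_CONTAINER = "network-gateway-admin"  # container name used in the documented commands
Runner = Callable[..., subprocess.CompletedProcess]  # injection point, assumed here for testing


def write_passphrase_file(path: Path, passphrase: str) -> None:
    """One-time setup: create the passphrase file with owner-only (0600) permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(passphrase + "\n")


def read_passphrase(path: Path) -> str:
    """Load the backup passphrase, refusing a file readable by group or other."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; it must be 0600")
    passphrase = path.read_text().rstrip("\n")
    if not passphrase:
        raise ValueError(f"{path} is empty")
    return passphrase


def backup(passphrase: str, dest_dir: Path, runner: Runner = subprocess.run) -> Path:
    """Same as: echo "$BACKUP_PASSWORD" | docker exec -i network-gateway-admin backup-config > dng.cfg
    but with a timestamped, 0600 output file and a check that data actually came back."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    out = dest_dir / f"dng-{dt.datetime.now(dt.timezone.utc):%Y%m%dT%H%M%SZ}.cfg"
    result = runner(
        ["docker", "exec", "-i", ADMIN_CONTAINER, "backup-config"],
        input=(passphrase + "\n").encode(),  # backup-config reads the password from stdin
        capture_output=True, check=True,
    )
    if not result.stdout:
        raise RuntimeError("backup-config returned no data: " + result.stderr.decode(errors="replace"))
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(result.stdout)
    return out


def restore(passphrase: str, backup_file: Path, runner: Runner = subprocess.run) -> str:
    """Same as: (echo "$BACKUP_PASSWORD" && cat dng.cfg) | docker exec -i network-gateway-admin restore-config
    Returns the tool's combined output, e.g. "Password:\nConfiguration restored."."""
    payload = (passphrase + "\n").encode() + backup_file.read_bytes()  # password line, then the file
    result = runner(
        ["docker", "exec", "-i", ADMIN_CONTAINER, "restore-config"],
        input=payload, capture_output=True, check=True,
    )
    return (result.stdout + result.stderr).decode(errors="replace")


if __name__ == "__main__":
    import sys
    # Assumed locations; pick ones that suit your host.
    secret = read_passphrase(Path("/etc/dng/backup-passphrase"))
    if sys.argv[1:2] == ["restore"]:
        print(restore(secret, Path(sys.argv[2])))
    else:
        print("wrote", backup(secret, Path("/var/backups/dng")))
```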

High Availability

We recommend some level of high availability in all Duo Network Gateway deployments. We support two configurations:

  • Active / Active: multiple servers can be used concurrently.
  • Active / Passive: a spare Duo Network Gateway server you can fail over to in the event that your active server goes down.

Active / Active

The Duo Network Gateway can be configured in an active / active deployment in Amazon Web Services (AWS) where multiple Duo Network Gateway servers can be used simultaneously.

Important: Active / Active deployment is only supported in Amazon Web Services. This configuration assumes previous experience building highly available services using AWS.

Architecture Overview

The Duo Network Gateway is traditionally deployed on a single server running Docker. Inside of Docker there are 3 separate containers running:

  • Portal: The worker container that serves requests from users and proxies the connection to internal services. Ports 80 and 443 are publicly exposed to this container.
  • Admin: The container where you modify your Duo Network Gateway configuration and administrative tasks take place. Port 8443 is mapped to this container and should not be publicly exposed.
  • Redis: The database container where all configuration is stored. This container has no ports exposed to the internet.

In this active / active deployment the portal and admin containers run on separate servers and use AWS ElastiCache for Redis. This allows running a portal container on multiple servers. The architecture layout looks similar to this:

  • Portal container servers: A number of dedicated portal servers that can serve requests to users.
  • Admin container server: A single admin server that will handle administrative tasks.
  • AWS ElastiCache Redis Cluster: A Redis cluster that will hold configuration for the Duo Network Gateway.
  • AWS Application Load Balancer: A load balancer that will distribute connections between the Portal servers.

Duo Network Gateway HA Diagram

Create AWS Security Groups

We recommend that you create the following AWS Security Groups in the VPC where your Network Gateway resources will be hosted.

  • Redis Security Group: Security group that allows inbound connections to the Redis traffic port (default is 6379). The Network Gateway Admin and Portal servers will need access to resources in this security group.

  • Network Gateway Portal Group: Security group that allows inbound traffic over TCP ports 80 and 443. Load Balancers should have access to this security group.

  • Internal Servers Group: Security group that allows inbound traffic over TCP ports where internal web and SSH servers you want to protect behind the Duo Network Gateway are hosted. The Network Gateway Portal servers will need access to resources in this security group.

  • Load Balancer Group: Security group that allows inbound traffic over ports 80 and 443. The public internet will need access to resources in this security group.

Create AWS ElastiCache Redis Cluster

  • Create an AWS ElastiCache cluster with the Redis cluster engine.

  • Redis engine version compatibility should be set to 3.2.6.

  • Use Multi-AZ with Auto-Failover. Select a VPC where your Network Gateway Admin and Portal servers will be as the Subnet group.

  • Use the Redis Security Group you made above.

  • Enable the Encryption at-rest, Encryption in-transit, and Redis AUTH features.

  • Type at least a 16 character password into the Redis AUTH Token field. This will be used later.

  • Finish configuring the other ElastiCache settings.

Create Network Gateway Admin server

  1. Configure a Linux server with a minimum of 1 CPU, 1 GB of memory, and 20 GB of storage. Administrators will need to be able to access the administrative console over port 8443.

  2. Set the following environment variables on the server. These will be needed every time you start the Network Gateway Admin server. You'll use these same values later when configuring the Portal servers.

    REDIS_HOST: Hostname of your ElastiCache cluster (e.g. dngcluster.abc1.0001.usw2.cache.amazonaws.com).
    REDIS_PORT: Redis traffic port. This can be omitted if the default port 6379 is used.
    REDIS_AUTH: Redis AUTH Token that you created earlier.

  3. Follow the instructions for Installing Docker and Installing Docker Compose.

  4. Download the Duo Network Gateway Admin HA YML file and save it to your Duo Network Gateway Admin server. Download the YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-admin-ha-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-admin-ha-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1-ha.admin.yml’
    network-gateway-1.4.1-ha.admin.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1-ha.admin.yml’ saved [1194/1194]
    

    Make note of the actual file name that was saved; you'll need this in future steps.

    Save this YML file in a persistent directory location for future use; it will be required for later use when deploying, updating, or interacting with your Duo Network Gateway server.

  5. The following command instructs Docker Compose to download Duo Network Gateway Admin and install it. Specify the YML file downloaded in the last step in the command. Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

    Type:

    docker-compose -p network-gateway -f network-gateway-1.4.1-ha.admin.yml up -d

    This may take a few minutes. Once completed the text output will be similar to:

    Creating network-gateway-admin
  6. You can verify that your Duo Network Gateway containers are running by typing:

    docker ps

    You should see output showing the container with a status of "up" similar to:

    CONTAINER ID        IMAGE                                                                                                 COMMAND                  CREATED             STATUS              PORTS                                      NAMES
    8c63f6a2aa2a        duosecurity/network-gateway@sha256:9277bf641f0d74cbd26914bda8257fc14fb9c7ec10b026a1cb1bc49326578375   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:8443->443/tcp                      network-gateway-admin

Create Network Gateway Portal servers

Duo Network Gateway Portal servers will process all the requests that users make when accessing internal services.

  1. Configure Linux servers. See the Duo Network Gateway Sizing Chart to determine the system resources needed on each Network Gateway Portal server. Load balancers will need to be able to access these servers over ports 80 and 443.

  2. Set the following environment variables on the servers. These will be needed every time you start the Network Gateway Portal servers. These are the same values you set earlier on your Admin server.

    REDIS_HOST: Hostname of your ElastiCache cluster (e.g. dngcluster.abc1.0001.usw2.cache.amazonaws.com).
    REDIS_PORT: Redis traffic port. This can be omitted if the default port 6379 is used.
    REDIS_AUTH: Redis AUTH Token that you created earlier.

  3. Follow the instructions for Installing Docker and Installing Docker Compose.

  4. Download the Duo Network Gateway Portal HA YML file and save it to your Duo Network Gateway Portal servers. Download the YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-ha-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-ha-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1-ha.yml’
    network-gateway-1.4.1-ha.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1-ha.yml’ saved [1194/1194]
    

    Make note of the actual file name that was saved; you'll need this in future steps.

    Save this YML file in a persistent directory location for future use; it will be required for later use when deploying, updating, or interacting with your Duo Network Gateway server.

  5. The following command instructs Docker Compose to download Duo Network Gateway Portal and install it. Specify the YML file downloaded in the last step in the command. Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

    Type:

    docker-compose -p network-gateway -f network-gateway-1.4.1-ha.yml up -d

    This may take a few minutes. Once completed the text output will be similar to:

    Creating network-gateway-portal
  6. You can verify that your Duo Network Gateway containers are running by typing:

    docker ps

    You should see output showing the container with a status of "up" similar to:

    CONTAINER ID        IMAGE                                                                                                 COMMAND                  CREATED             STATUS              PORTS                                      NAMES
    3aea70b8e1a8        duosecurity/network-gateway@sha256:36b1e3a4198c9a386830599e64c99b181095f70cdb6e42e216031377a1c83155   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   network-gateway-portal
  7. Repeat these steps on each Network Gateway Portal server.

Configure a Load Balancer

Duo Network Gateway configured for high availability was tested with the AWS Application Load Balancer but may work with other load balancers.

  • Configure the load balancer to accept HTTP and HTTPS traffic.
  • Put all Network Gateway portal servers behind the load balancer.
  • Perform health checks against Network Gateway Portal servers at /health-check on port 443.
  • Enable sticky sessions.
  • Point the external DNS records for the Duo Network Gateway hostname and all protected applications at the load balancer's CNAME.
  • Provision public SSL certificates on the load balancer for the Duo Network Gateway hostname and all protected applications.

Configure Duo Network Gateway

Now that the Duo Network Gateway infrastructure has been successfully deployed you can configure the Duo Network Gateway.

  1. In a browser navigate to https://URL-OF-NETWORK-GATEWAY-ADMIN:8443 from an internal network to log into the Duo Network Gateway admin console. Your browser may warn you about an untrusted certificate when you access the page. Dismiss the warning and continue on to the page.

  2. Continue the documentation from Initial Duo Network Gateway Configuration starting at step 2.

    Important: Let's Encrypt certificates are not supported when Duo Network Gateway is configured for high availability. This setting has been replaced with Present a self-signed certificate to incoming connections which will create a self-signed certificate.

Migrating from Standalone

If you've already configured a standalone Duo Network Gateway and would like to migrate to active / active high availability follow the instructions below.

  1. Create a backup of your current Duo Network Gateway configuration.

  2. Follow the instructions above to create your active / active high availability environment.

  3. Restore your standalone backup into your new high availability Duo Network Gateway.

  4. Load public SSL certificates used from your previous setup into your load balancer.

    Important: Let's Encrypt certificates are not supported when Duo Network Gateway is configured for high availability. This setting has been replaced with Present a self-signed certificate to incoming connections which will create a self-signed certificate.

  5. Modify your DNS entries to point from your standalone Duo Network Gateway to your load balancer.

Upgrading Duo Network Gateway configured for Active / Active

When upgrading Duo Network Gateway configured for active / active high availability you need to upgrade all portal servers before upgrading the admin server.

  1. Before upgrading back up your configuration.

  2. Connect to one of your portal servers through a terminal.

  3. Clean up older unused Duo Network Gateway Docker images by typing:

    docker rmi $(docker images --format "{{.Repository}} {{.ID}}" | grep duosecurity | cut -f 2 -d ' ')

    Ignore any error response messages you see. You should see output similar to:

    Untagged: duosecurity/network-gateway@sha256:16d5e71a3280c11766996de561b48b283b866ec93613f1bb65490def6ff29c64
    Deleted: sha256:6893259e27b3311895279cde328012879f4e92c9823245d05adf9926fed3c0b4
    Error response from daemon: conflict: unable to delete 3627aad0d196 (cannot be forced) - image is being used by running container 2acb91f391a7
  4. Download the latest version of the Duo Network Gateway Portal HA YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-ha-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16-- https://dl.duosecurity.com/network-gateway-ha-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1-ha.yml’
    network-gateway-1.4.1-ha.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1-ha.yml’ saved [1194/1194]

    Make note of the actual file name that was saved; you'll need this in future steps.

    Save this YML file in a persistent directory location for future use; it will be required for later use when deploying, updating, or interacting with your Duo Network Gateway server.

  5. Pull down the new Duo Network Gateway Portal HA image files using the YML file downloaded in the previous step.

    Type:

    docker-compose -f network-gateway-1.4.1-ha.yml pull

    Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

  6. Type the following command to upgrade your existing Duo Network Gateway Portal server to the new version from the YML file you downloaded:

    docker-compose -p network-gateway -f network-gateway-1.4.1-ha.yml up -d

    Note that the new YML file names may reflect different versions than the example command shown. Replace the file name in the example with your newly downloaded YML file's actual name.

  7. The Duo Network Gateway Portal server shuts down and starts up with the newer version. The output will look similar to:

    Recreating network "network-gateway_default" with the default driver
    Recreating network-gateway-portal
    
  8. Repeat the above steps for every portal server.

  9. Once all portal servers are upgraded we will upgrade the admin server. Connect to your admin server through a terminal.

  10. Clean up older unused Duo Network Gateway Docker images by typing:

    docker rmi $(docker images --format "{{.Repository}} {{.ID}}" | grep duosecurity | cut -f 2 -d ' ')

    Ignore any error response messages you see. You should see output similar to:

    Untagged: duosecurity/network-gateway@sha256:16d5e71a3280c11766996de561b48b283b866ec93613f1bb65490def6ff29c64
    Deleted: sha256:6893259e27b3311895279cde328012879f4e92c9823245d05adf9926fed3c0b4
    Error response from daemon: conflict: unable to delete 3627aad0d196 (cannot be forced) - image is being used by running container 2acb91f391a7
  11. Download the latest version of the Duo Network Gateway Admin HA YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-admin-ha-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-admin-ha-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.4.1-ha.admin.yml’
    network-gateway-1.4.1-ha.admin.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.4.1-ha.admin.yml’ saved [1194/1194]
    

    Make note of the actual file name that was saved; you'll need this in future steps.

    Save this YML file in a persistent directory; you will need it again when deploying, updating, or interacting with your Duo Network Gateway server.

  12. Pull down the new Duo Network Gateway Admin HA image files using the YML file downloaded in the previous step.

    Type:

    docker-compose -f network-gateway-1.4.1-ha.admin.yml pull

    Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

  13. Type the following command to upgrade your existing Duo Network Gateway Admin server to the new version from the YML file you downloaded:

    docker-compose -p network-gateway -f network-gateway-1.4.1-ha.admin.yml up -d

    Note that the new YML file names may reflect different versions than the example command shown. Replace the file name in the example with your newly downloaded YML file's actual name.

  14. The Duo Network Gateway admin server shuts down and starts up with the newer version. The output will look similar to:

    Recreating network "network-gateway_default" with the default driver
    Recreating network-gateway-admin
    
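
The following POSIX shell script is an added example, not Duo's own tooling: it wraps the pull and up steps for a single HA node and, because the portal and admin YML file names differ only in their suffix, refuses to run either docker-compose command until the file name matches the node's role. The dng_* function names and the DNG_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Duo's own tooling. Wraps the per-node upgrade steps
# (pull the new image, then recreate the container under the compose project
# "network-gateway") and refuses to apply a portal YML to an admin node or
# vice versa. Set DNG_DRY_RUN=1 to print the docker-compose commands instead
# of running them (the dng_* names and DNG_DRY_RUN are assumptions).

# Classify a compose file by the naming pattern the upgrade steps rely on:
# network-gateway-<version>-ha.yml is a portal file and
# network-gateway-<version>-ha.admin.yml is an admin file. Prints the role
# on stdout and returns non-zero for any other name.
dng_yml_role() {
  case "$(basename "$1")" in
    network-gateway-*-ha.admin.yml) echo admin ;;
    network-gateway-*-ha.yml)       echo portal ;;
    *)                              return 1 ;;
  esac
}

# Run a command, or echo it when DNG_DRY_RUN=1.
dng_run() {
  if [ "${DNG_DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Usage: dng_upgrade_node <portal|admin> <yml-file>
# Fails before touching Docker if the file is missing, unrecognized, or
# belongs to the other role; otherwise pulls first, then recreates.
dng_upgrade_node() {
  role=$1
  yml=$2
  [ -f "$yml" ] || { echo "error: $yml not found" >&2; return 1; }
  actual=$(dng_yml_role "$yml") || {
    echo "error: $yml is not a Duo Network Gateway HA compose file" >&2
    return 1
  }
  [ "$actual" = "$role" ] || {
    echo "error: $yml is a $actual file but this node is a $role" >&2
    return 1
  }
  dng_run docker-compose -f "$yml" pull &&
    dng_run docker-compose -p network-gateway -f "$yml" up -d
}
```

Run it on each portal node first and on the admin node last, exactly as the steps above order them.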

Active / Passive

You can quickly create a backup of your current Duo Network Gateway and restore it to a new system by following the Scripted Backup and Restore command-line instructions. You can also do these actions in the admin console by following the Backup and Restore instructions.

You can configure a load balancer in front of two identically configured Duo Network Gateway servers for active / passive high availability. Consult your load balancer documentation for guidance.

Network Diagram

Web Application Diagram

  1. Client HTTPS connection to Duo Network Gateway
  2. Primary authentication to SAML identity provider
  3. Duo Network Gateway connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Duo Network Gateway receives authentication response
  6. Duo Network Gateway session authenticated
  7. External SSL access to published internal web application via Duo Network Gateway reverse proxy

SSH Servers Diagram

  1. User starts SSH session and DuoConnect software on user’s computer opens a browser window
  2. DuoConnect sends information over the user’s browser to Duo Network Gateway over TCP port 443
  3. Primary authentication to SAML identity provider
  4. Duo Network Gateway connection established to Duo Security over TCP port 443
  5. Secondary authentication via Duo Security’s service
  6. Duo Network Gateway receives authentication response
  7. Duo Network Gateway checks if DuoConnect is up to date and prompts if update is available
  8. DuoConnect connects user’s SSH session through Duo Network Gateway to the SSH server
  9. User completes regular SSH authentication steps
