Announcing General Availability of Server Message Block Protocol Support for Duo Network Gateway
Last year, Duo announced the General Availability of Remote Desktop Protocol (RDP) for the Duo Network Gateway (DNG), and today we are happy to share that we’ve now extended transmission control protocol (TCP) support to the Server Message Block (SMB) protocol. This capability is generally available for Duo Beyond customers.
This means that the DNG now enables users to access on-premises shares without requiring a full VPN connection.
What is Duo Network Gateway?
For those unfamiliar with DNG, it is a remote access proxy security solution that enables organizations to provide zero-trust remote access to a broad variety of applications hosted on premises. It includes support for Web Applications over HTTP or HTTPS, Remote Desktops over RDP, Secure Shell (SSH) servers, and now file sharing over the Server Message Block (SMB) protocol. It also eliminates the need for a full VPN and avoids exposing those applications directly to the internet.
DNG is part of the Duo Beyond edition and includes many other capabilities to protect customer environments based on zero trust principles. It begins with a device posture check by verifying the health of key operating system services. Then it verifies user identity with advanced multi-factor authentication (MFA). It continues monitoring trust and logging potential anomalies with machine-learning (ML) driven trust monitoring.
Why do I need DNG?
The SMB protocol is a network file sharing protocol integrated into Microsoft Windows operating systems. SMB is an application layer protocol that is transported over TCP/IP. Domain-joined clients on the corporate network that have established trust can connect seamlessly to shares on Windows servers using SMB. Untrusted remote users need a secure way to navigate the internet and corporate firewalls to establish trust and gain access.
How does DNG for SMB work?
1. On the Client: The user selects the Network Drive (for example, in Windows Explorer)
2. On the Client: The Duo Connect Plugin intercepts the call and resolves the network domain name (for example, smb://SMBsharename.company.com/shared/Files)
3. The Company CNAME record directs “SMBsharename” to a DNG-hosted FQDN (for example, dngxyz.duo.com)
4. DNG returns a “Carrier” public IP address
5. On the Client: The Duo Connect Plugin sets up a secure TLS tunnel to the DNG
6. On the Client: The Duo Connect Plugin passes an SMB file request to DNG
7. DNG proxies request username and password, then initiates authentication with Duo SSO or other supported Security Assertion Markup Language (SAML) providers
8. Duo Cloud validates the user and responds with a SAML assertion
9. DNG resolves the server on the Company Network and relays Client SMB commands
10. On the Client: The user is presented with the file (or pertinent SMB file operation output)
Who is using DNG?
Duo Network Gateway has already helped hundreds of organizations across multiple industries, including technology and IT services, education, finance, and healthcare. It offers their workforces consistent and secure access to corporate resources from any device and location, and customers are already benefiting from adopting this solution.
“If you want to get rid of the VPN management burden, use the Duo Network Gateway to give access to your web and desktop applications. Users – and their access – are managed in the Duo Admin platform. No more firewall, no more AAA or whatsoever complicated thing. Once you go for DNG, you never go back.” – Antony Gallez, Operations Manager at Cameo Global, a New Era Technology Company
Where is DNG going?
Longer term, we will build upon this enhancement. We have developed an architecture for the DNG that facilitates protecting more TCP services over time. As we continue to learn from our customers which applications they are most interested in protecting with the DNG, we will support additional protocols.