Duo Access Gateway - FAQ

Last Updated: February 12th, 2019

Duo Access Gateway (DAG) adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Google Apps using SAML 2.0 federation.

Can I run the Duo Access Gateway on Linux?

Yes, you can run the Duo Access Gateway on Linux using Docker and our published Duo Access Gateway image. See the full instructions for deploying Duo Access Gateway on Linux.

Can I update the IP addresses allowed to access the Duo Access Gateway for Windows admin console after installation?

Yes, you can add or remove allowed IP addresses at any time, even if you didn't specify additional IP addresses during the Duo Access Gateway install.

To maintain the security of your Duo Access Gateway deployment, restrict access to the admin console to as few additional IPs as possible, and never add any public Internet IPs not managed by your organization.

  1. From the Duo Access Gateway server console, open C:\inetpub\wwwroot\dag\www\web.config in a text editor.

  2. Scroll to the bottom of the file and locate the <additionalLocalIps> configuration section directly after </rules>:

    <additionalLocalIps>
      <add IP="1.2.3.4" />
    </additionalLocalIps>
    

    If the <additionalLocalIps> section does not exist, you can add it now. Be sure to copy the entire example above and paste it immediately after </rules> and before </DuoIpSecurity> near the end of the web.config file.

  3. Replace 1.2.3.4 (or your existing configured IP address) with the IP address of the new device that is permitted to access the DAG admin console.

    If you would like to permit access from more than one remote IP, insert additional <add IP="x.x.x.x" /> lines into the web.config file:

    <additionalLocalIps>
      <add IP="1.2.3.4" />
      <add IP="5.6.7.8" />    
    </additionalLocalIps>
    
  4. Save the changes to web.config. You can now access the Duo Access Gateway admin console from the specified additional IP address or addresses.
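
To check the result against the guidance above (as few additional IPs as possible, and no public Internet IPs your organization does not manage), the following added example, which is not part of Duo's documentation or tooling, audits the `<additionalLocalIps>` entries in a copy of web.config. The sample file is constructed, and the function name and the `org_networks` parameter are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: only the <additionalLocalIps> section and its position
# after </rules> inside <DuoIpSecurity> come from the page; the rest is a stub.
SAMPLE_WEB_CONFIG = """<configuration>
  <DuoIpSecurity>
    <rules></rules>
    <additionalLocalIps>
      <add IP="10.20.30.40" />
      <add IP="1.2.3.4" />
      <add IP="5.6.7.8" />
      <add IP="x.x.x.x" />
      <add IP="0.0.0.0" />
    </additionalLocalIps>
  </DuoIpSecurity>
</configuration>"""


def audit_additional_local_ips(xml_text, org_networks=()):
    """Return (ip, verdict) for every <add IP="..."/> under <additionalLocalIps>.

    org_networks (hypothetical parameter): CIDR ranges your organization manages.
    """
    managed = [ipaddress.ip_network(n) for n in org_networks]
    findings = []
    for section in ET.fromstring(xml_text).iter("additionalLocalIps"):
        for entry in section.findall("add"):
            raw = (entry.get("IP") or "").strip()
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                # Leftover placeholder such as x.x.x.x, or a typo
                findings.append((raw, "invalid"))
                continue
            if any(addr in net for net in managed):
                verdict = "ok-managed"
            elif addr.is_global:
                verdict = "public-unmanaged"  # Internet IP outside your ranges
            elif addr.is_unspecified or addr.is_multicast:
                verdict = "invalid"  # not a usable single client address
            else:
                verdict = "ok-internal"  # private, loopback or link-local
            findings.append((raw, verdict))
    return findings


if __name__ == "__main__":
    for ip, verdict in audit_additional_local_ips(SAMPLE_WEB_CONFIG, ["5.6.7.0/24"]):
        print(f"{verdict:17} {ip}")
```

Any `public-unmanaged` or `invalid` entry should be removed or corrected before the file is saved back to the DAG server.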

Can I back up my Duo Access Gateway settings?

Please refer to the "Backup and Restore" instructions for Duo Access Gateway for Windows or Linux to back up your Duo Access Gateway settings. These files can then be restored to their original locations when necessary.

How do I configure high-availability for Duo Access Gateway?

Please refer to the "High Availability" instructions for Duo Access Gateway for Windows or Linux to create a standby Duo Access Gateway server. You may also put two identically configured Duo Access Gateway servers behind a load balancer.

How do I enable Duo Access Gateway debug logging and view the log?

  1. Log into the Duo Access Gateway admin console and navigate to Settings.

  2. Scroll down to the "General" section and check the box next to Debugging.

  3. Click Save Settings.

When enabled, the Duo Access Gateway writes additional debug output to the existing log.

Windows: The log file is found at C:\inetpub\wwwroot\dag\log\dag.log.

Linux: Log into the Duo Access Gateway server and run the following command, replacing the example Duo Access Gateway YML name with your current file's actual name:

docker-compose -p access-gateway -f access-gateway-1.4.0.yml logs -f

How do I upgrade the PHP installation used by Duo Access Gateway for Windows 1.3.0 and higher?

You can update the PHP install used by Duo Access Gateway with our bundled DAG PHP updater utility. This utility registers the new PHP version in IIS on the DAG virtual site and removes mappings for the prior version from IIS.

To update PHP on your DAG server:

  1. Download a recent PHP 7.1.17 or greater x64 Non Thread Safe release to your DAG server.

  2. Launch an elevated command prompt (right-click "Command Prompt" and select the "Run as administrator" option) and change to the directory C:\inetpub\wwwroot\dag\bin.

  3. Run the PhpUpgrade command file with the following syntax:

    PhpUpgrade.cmd [phpSource]

    Where [phpSource] is either the path to an x64 non thread safe (nts) PHP zip file, or the path to a directory containing the extracted contents of the PHP zip file.

    Example usage:

    • Update to PHP 7.1.17 using a zip file, extracting the PHP files to the default folder location C:\Program Files\Duo_Access_Gateway_PHP\7.1.17:

        PhpUpgrade.cmd php-7.1.17-nts-Win32-VC14-x64.zip

    • Update to PHP 7.1.17 using the PHP zip file contents already extracted to C:\PHP\7.1.17 as the source:

        PhpUpgrade.cmd C:\PHP\7.1.17

  4. After the Duo Access Gateway PHP updater completes successfully you should perform an iisreset to cycle web services on your server.

  5. Delete the older PHP version folder from your server to complete the update.

DAG PHP Updater

The DAG PHP updater exits with an error message if it fails to extract the PHP zip file, if it is not run with elevated Administrator rights, or if any prerequisites are missing for the new PHP version.

How do I upgrade the PHP installation used by Duo Access Gateway for Windows 1.2.1?

You can update the PHP install used by Duo Access Gateway with our standalone DAG PHP updater utility. This utility registers the new PHP version in IIS on the DAG virtual site and optionally removes mappings for the prior version from IIS.

To update PHP on your DAG server:

  1. Download the DagPhpUpdater executable to your DAG server.

  2. Download a recent PHP x86 Non Thread Safe release to your DAG server.

    Be aware of new Visual Studio prerequisites for the PHP version you select! PHP 5.6.x required the Visual C++ Redistributable for Visual Studio 2012 x86 Update 4. If you choose to update from PHP 5.6.x to PHP 7.0.2 or later, you'll first need to install the Visual C++ Redistributable for Visual Studio 2015 x86.

    The Visual C++ Redistributable for Visual Studio 2015 package is itself dependent on the Windows 10 Universal C Runtime (CRT). Ensure that the Visual C++ Redistributable for Visual Studio 2015 x86 and all its requirements are present on your DAG server before you attempt to update PHP.

  3. Launch an elevated command prompt (right-click "Command Prompt" and select the "Run as administrator" option) and change to the directory where you've downloaded the DagPhpUpdater executable and the PHP x86 Non Thread Safe .zip file.

  4. Run the DagPhpUpdater utility with the following syntax:

    DagPhpUpdater-x.x.x.x.exe [phpSource] ([phpTargetInstallDirectory])

    Where [phpSource] is either the path to an x86 non thread safe (nts) PHP zip file, or the path to a directory containing the extracted contents of the PHP zip file.

    When using the Duo Access Gateway PHP updater utility with a zip file, the default target directory for extracting PHP files is C:\Program Files (x86)\PHP. To have the updater extract the PHP files to a different location, specify [phpTargetInstallDirectory].

    Example usage:

    • Update to PHP 7.0.3 using a zip file, extracting the PHP files to the default folder location C:\Program Files (x86)\PHP\7.0.3.0:

        DagPhpUpdater-1.2.2.126.exe php-7.0.3-nts-Win32-VC14-x86.zip

    • Update to PHP 7.0.3 using the PHP zip file contents already extracted to C:\PHP\7.0.3 as the source:

        DagPhpUpdater-1.2.2.126.exe C:\PHP\7.0.3

    • Update to PHP 7.0.3 using a zip file, extracting the PHP files to the specified folder location C:\PHP\7.0.3:

        DagPhpUpdater-1.2.2.126.exe php-7.0.3-nts-Win32-VC14-x86.zip C:\PHP\7.0.3

  5. The DAG PHP updater updates the existing PHP mappings at the DAG virtual site in IIS to use the new PHP version. If the updater finds any PHP mappings using the older PHP version elsewhere in IIS it asks if you'd like to remove them. If Duo Access Gateway is the only application using PHP on this server, respond y to remove all mappings for the previous PHP version.

  6. After the DAG PHP updater utility completes successfully you should perform an iisreset to cycle web services on your server.

  7. Delete the older PHP version folder from your server to complete the update.

DAG PHP Updater

The DAG PHP updater exits with an error message if it fails to extract the PHP zip file, if it is not run with elevated Administrator rights, or if any prerequisites are missing for the new PHP version.

Is Office 2013 or 2016 rich client login or the Office 365 mobile app supported?

Office 2013 and 2016 desktop applications (including Outlook and Skype for Business) by default can no longer connect to Office 365 after federation with Duo Access Gateway. Office 365 customers must enable Microsoft's Modern Authentication to bring two-factor authentication to Office 2013 and 2016 client applications. More information about Modern Authentication, including a list of Office applications that support Modern Authentication, is available at the Office Blog.

  1. Modern Authentication may already be enabled on your Office 365 tenant. Follow these instructions to verify or enable Modern Authentication on your Exchange Online tenant and these instructions to do the same for your Skype for Business Online tenant.
  2. Apply registry updates for Office 2013 (Office 2016 natively supports Modern Authentication).
  3. Your Office applications should now provide you with your federated login page followed by the Duo Authentication prompt. Once you authenticate with Duo the session security token is cached and remains valid for eight hours.

When you log in to Office 365 using an Office 2016 or 2013 application with Modern Authentication, you'll see the Duo Access Gateway primary login page within the Office application, followed by the Duo authentication prompt.

Office 2016 ADFS Login and Authentication Prompt

For additional information please see the "Road map for multi-factor authentication in Office desktop applications" section in this blog post from Microsoft: Multi-Factor Authentication for Office 365 and the previous blog entries Office 2013 updated authentication enabling Multi-Factor Authentication and SAML identity providers and Office 2013 modern authentication public preview announced.

Duo does not natively support the creation of application-specific passwords for bypassing multi-factor authentication for Office 365 tenants.

Additional Troubleshooting

Need more help? Try searching our Duo Access Gateway Knowledge Base articles or Community discussions. For further assistance, contact Support.
