Duo Network Gateway

Duo Network Gateway allows your users to access your on-premises websites and web applications without having to worry about managing VPN credentials or installing software on their devices, while also adding login security with the Duo Prompt.

Overview

With Duo Network Gateway your users can securely access your internal web applications from any device, using any browser, from anywhere in the world, without having to install or configure remote access software on their device. Users first authenticate to Duo Network Gateway and approve a two-factor authentication request before they may access your application.

Duo Network Gateway gives you granular access control per web application or user group. You can specify different policies per application to make sure only the right users and endpoints are able to access your internal applications. For example, you can require that SharePoint users complete two-factor authentication at every login, but only once every seven days when accessing Confluence. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Duo Network Gateway is part of the Duo Beyond plan.

Prerequisites

Before you deploy the Duo Network Gateway, make sure to complete these requirements.

Deploy a SAML IdP

Duo Network Gateway requires a SAML 2.0 Identity Provider to use as its primary authentication source. You can use the Duo Access Gateway or another provider such as AD FS, OneLogin, or Okta.

Deploy a DMZ Server

  • Deploy a physical or virtual modern 64-bit Linux server in your perimeter network (or DMZ). The minimum system requirements for the Duo Network Gateway host are:

    • Form Factor: Physical or virtual machine
    • Processor: Two processors of 2 GHz or faster
    • Memory: 4 GB RAM or greater
    • Disk Storage: 20 GB or greater
    • Operating System: See the Install Docker section of this document for supported Linux flavors and versions
  • Open ports 80 and 443 in the perimeter firewall for HTTP and HTTPS external traffic to and from the server.

  • Port 8443 will be used for administrative purposes. Restrict traffic to this port to only authorized networks.
  • Allow the Duo Network Gateway server to communicate with your internal web applications via HTTP or HTTPS using the same ports as your internal application.
  • Create an Internet resolvable fully qualified DNS entry for external access (e.g. yourserver.example.com).
  • Purchase an SSL certificate for your server from a commercial certificate authority (CA), using the fully qualified DNS name of your Duo Network Gateway server as the common name (e.g. yourserver.example.com). You may also use a wildcard SSL certificate. You can also generate a free, automatically renewing certificate from Let's Encrypt during setup.

Install Docker

Docker is a tool that allows Duo Network Gateway to run inside its own self-contained environment, called a “container”, on top of your host operating system.

Follow the Docker installation instructions below for your Linux platform.

CentOS 7

These directions will walk you through installing the free Docker Community Edition for CentOS.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Docker requires a 64-bit operating system. Please verify your installation of CentOS is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    3.10.0-327.el7.x86_64
  3. Install yum-utils on your server. Type:
    sudo yum install -y yum-utils
  4. Add the Docker repository to your yum repository by typing:
    sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    The output should be similar to:
    Loaded plugins: fastestmirror
    adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
    grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
    repo saved to /etc/yum.repos.d/docker-ce.repo
  5. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo yum makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  6. Install wget by typing:
    sudo yum install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  7. Install Docker by typing:
    sudo yum install -y docker-ce
    When Docker is finished installing you should see output similar to:
    Complete!
  8. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  9. Start the Docker daemon by typing:
    sudo systemctl start docker
  10. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  11. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  12. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  13. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Fedora 25

These directions will walk you through installing the free Docker Community Edition for Fedora.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Docker requires a 64-bit operating system. Please verify your installation of Fedora is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    4.8.16-300.fc25.x86_64
  3. Install dnf-plugins-core on your server. Type:
    sudo dnf -y install dnf-plugins-core
  4. Add the Docker repository to your dnf repository by typing:
    sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
    The output should be similar to:
    Adding repo from: https://download.docker.com/linux/fedora/docker-ce.repo
  5. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo dnf makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  6. Install wget by typing:
    sudo dnf install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  7. Install Docker by typing:
    sudo dnf install -y docker-ce
    When Docker is finished installing you should see output similar to:
    Complete!
  8. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  9. Start the Docker daemon by typing:
    sudo systemctl start docker
  10. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  11. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  12. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  13. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Ubuntu 16.04

These directions will walk you through installing the free Docker Community Edition for Ubuntu.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Add the official Docker repository GPG keys to your server by typing:
    wget -O- "https://download.docker.com/linux/ubuntu/gpg" | sudo apt-key add -
    You should see output similar to:
    --2017-05-18 21:49:26--  https://download.docker.com/linux/ubuntu/gpg
    Resolving download.docker.com (download.docker.com)... 54.192.192.40, 54.192.192.99, 54.192.192.116, ...
    Connecting to download.docker.com (download.docker.com)|54.192.192.40|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3817 (3.7K) [binary/octet-stream]
    Saving to: ‘STDOUT’
    
    -                                 100%[==========================================================>]   3.73K  --.-KB/s    in 0s      
    
    2017-05-18 21:49:26 (956 MB/s) - written to stdout [3817/3817]
    
    OK
  3. Add the Docker repository to your APT sources by typing:
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
  4. Update your package database by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  5. Install Docker by typing:
    sudo apt-get install -y docker-ce
    You should see output similar to:
    Setting up cgroupfs-mount (1.2) ...
    Setting up libltdl7:amd64 (2.4.6-0.1) ...
    Setting up docker-engine (1.12.3-0~xenial) ...
    Processing triggers for libc-bin (2.23-0ubuntu3) ...
    Processing triggers for systemd (229-4ubuntu11) ...
    Processing triggers for ureadahead (0.100.0-19) ...
  6. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  7. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  8. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  9. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Debian 8.0

These directions will walk you through installing the free Docker Community Edition for Debian.

  1. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  2. Update your package database by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  3. Ensure that APT works with HTTPS and that CA certificates are installed. Type:
    sudo apt-get install -y apt-transport-https ca-certificates gnupg2 software-properties-common
    You should see output similar to:
    Processing triggers for libc-bin (2.19-18+deb8u7) ...
    Processing triggers for systemd (215-17+deb8u6) ...
    Processing triggers for dbus (1.8.22-0+deb8u1) ...
  4. Add the official Docker repository GPG keys to your server by typing:
    wget -O- "https://download.docker.com/linux/ubuntu/gpg" | sudo apt-key add -
    You should see output similar to:
    Resolving download.docker.com (download.docker.com)... 54.192.192.196, 54.192.192.15, 54.192.192.26, ...
    Connecting to download.docker.com (download.docker.com)|54.192.192.196|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3817 (3.7K) [binary/octet-stream]
    Saving to: ‘STDOUT’
    
    -                                                           100%[===========================================================================================================================================>]   3.73K  --.-KB/s   in 0s     
    
    2017-05-19 12:07:50 (374 MB/s) - written to stdout [3817/3817]
    
    OK
  5. Add the Docker repository to your APT sources by typing:
    sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  6. Update your package database again by typing:
    sudo apt-get update
    You should see output similar to:
    Reading package lists... Done
  7. Install Docker by typing:
    sudo apt-get install docker-ce
    When the install is finished, you should see output similar to:
    Processing triggers for systemd (215-17+deb8u6) ...
    Processing triggers for initramfs-tools (0.120+deb8u2) ...
    update-initramfs: Generating /boot/initrd.img-3.16.0-4-amd64
    Processing triggers for dbus (1.8.22-0+deb8u1) ...
  8. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  9. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  10. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  11. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Red Hat Enterprise Linux 7

Using Red Hat Enterprise Linux requires a paid subscription of Docker Enterprise Edition for Red Hat Enterprise Linux.
  1. Log into your Docker subscriptions page.
  2. Click the Setup button for Docker Enterprise Edition for Red Hat Enterprise Linux.
  3. On the "Setup" page make note of the URL for your subscription located under "Copy and paste this URL to download your Edition". We will reference this URL later as <DOCKERURL>.

    Example: https://storebits.docker.com/ee/rhel/sub-12345-abcd-4a33-bd73-1b123c45a6b7
  4. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  5. Docker requires a 64-bit operating system. Please verify your installation of Red Hat Enterprise Linux is 64-bit by typing:
    uname -r
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    3.10.0-327.el7.x86_64
  6. Store the Docker URL in a yum variable by typing:
    sudo sh -c 'echo "<DOCKERURL>" > /etc/yum/vars/dockerurl'
  7. Store the Red Hat version in a yum variable by typing:
    sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
  8. Install yum-utils on your server. Type:
    sudo yum install -y yum-utils
  9. Add the Docker repository to your yum repository by typing:
    sudo yum-config-manager --add-repo <DOCKERURL>/docker-ee.repo
    The output should be similar to:
    repo saved to /etc/yum.repos.d/docker-ee.repo
  10. Make sure your existing packages are up to date. This may take a few minutes. Type:
    sudo yum makecache fast
    When packages are finished updating you should see output similar to:
    Metadata Cache Created!
  11. Install wget by typing:
    sudo yum install -y wget
    When wget is finished installing you should see output similar to:
    Running transaction
      Installing : wget-1.14-13.el7.x86_64                                                                                                           1/1
      Verifying  : wget-1.14-13.el7.x86_64                                                                                                           1/1
    Installed:
      wget.x86_64 0:1.14-13.el7                                                                                                                          
    Complete!
  12. Install Docker by typing:
    sudo yum install -y docker-ee
    When Docker is finished installing you should see output similar to:
    Complete!
  13. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  14. Start the Docker daemon by typing:
    sudo systemctl start docker
  15. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  16. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  17. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  18. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

SUSE Enterprise Linux 12

Using SUSE Enterprise Linux requires a paid subscription of Docker Enterprise Edition for SUSE Enterprise Linux Server.
  1. Log into your Docker subscriptions page.
  2. Click the Setup button for Docker Enterprise Edition for SUSE Enterprise Linux Server.
  3. On the "Setup" page make note of the URL for your subscription located under "Copy and paste this URL to download your Edition". We will reference this URL later as <DOCKERURL>.

    Example: https://storebits.docker.com/ee/sles/sub-12345-abcd-4a33-bd73-1b123c45a6b7
  4. Log into your Duo Network Gateway server locally or through SSH with a user that has sudo permissions. Any time you use the sudo command you may be prompted to enter your password.
  5. Docker requires a 64-bit operating system. Please verify your installation of SUSE Enterprise Linux is 64-bit by typing:
    uname -a
    The output should contain x86_64 if the operating system is 64-bit. The output would be similar to:
    (42e0a66) x86_64 x86_64 x86_64 GNU/Linux
  6. Add the required repository to your server by typing:
    sudo zypper addrepo <DOCKERURL>/12.3/x86_64/stable-17.03 docker-ee-stable
    The output should be similar to:
    6_64/stable-17.03 docker-ee-stable
    Adding repository 'docker-ee-stable' ..........................................................................................[done]
    Repository 'docker-ee-stable' successfully added
  7. Import the repository GPG key by typing:
    sudo rpm --import <DOCKERURL>/gpg
  8. Refresh the zypper package index by typing:
    sudo zypper refresh
  9. Install Docker by typing:
    sudo zypper install -y docker-ee
    The output should be similar to:
    (5/5) Installing: docker-ee-17.03.1.ee.3-1.x86_64 .............................................................................[done]
  10. Enable the Docker service by typing:
    sudo systemctl enable docker.service
    You should see output similar to:
    Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
  11. Start the Docker daemon by typing:
    sudo service docker start
  12. Check that Docker has installed properly by typing:
    sudo docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  13. Add your user to the Docker group so Docker commands don't require sudo. Type:
    sudo usermod -aG docker $(whoami)
  14. Log out of your Duo Network Gateway box and back in for the group changes to take effect.
  15. Check that Docker is functioning without using sudo by typing:
    docker ps
    You should see output similar to:
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Install Docker Compose

  1. Download Docker Compose by typing:
    wget -O- "https://github.com/docker/compose/releases/download/1.16.1/docker-compose-$(uname -s)-$(uname -m)" > ./docker-compose
    You should see output similar to:
    Saving to: ‘STDOUT’
    100%[===========================================================================================================>] 7,986,086   43.9MB/s   in 0.2s   
    2016-12-22 13:32:15 (43.9 MB/s) - written to stdout [7986086/7986086]
  2. Change the permissions on Docker Compose to allow you to execute the file by typing:
    chmod +x ./docker-compose
  3. Move Docker Compose to your local bin folder by typing:
    sudo mv ./docker-compose  /usr/local/bin/
  4. Verify Docker Compose is working by typing:
    docker-compose --version
    You should see text similar to:
    docker-compose version 1.16.1, build 6d1ac21

Install Duo Network Gateway

  1. Download the Duo Network Gateway YML file and save it to your Duo Network Gateway server. Download the YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.2.6.yml’
    network-gateway-1.2.6.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.2.6.yml’ saved [1194/1194]
    

    Make note of the actual file name that was saved; you'll need it in later steps.

    Save this YML file in a persistent directory; you will need it again when deploying, updating, or interacting with your Duo Network Gateway server.

  2. The following command instructs Docker Compose to download Duo Network Gateway and install it. Specify the YML file downloaded in the last step in the command. Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

    Type:

    docker-compose -p network-gateway -f network-gateway-1.2.6.yml up -d

    This may take a few minutes. Once completed the text output will be similar to:

    Creating network-gateway-redis
    Creating network-gateway-admin
    Creating network-gateway-portal
  3. You can verify that your Duo Network Gateway containers are running by typing:

    docker ps

    You should see output showing all 3 containers with a status of "up" similar to:

    CONTAINER ID        IMAGE                                                                                                 COMMAND                  CREATED             STATUS              PORTS                                      NAMES
    3aea70b8e1a8        duosecurity/network-gateway@sha256:36b1e3a4198c9a386830599e64c99b181095f70cdb6e42e216031377a1c83155   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   network-gateway-portal
    8c63f6a2aa2a        duosecurity/network-gateway@sha256:9277bf641f0d74cbd26914bda8257fc14fb9c7ec10b026a1cb1bc49326578375   "bash -c /bin/run-con"   4 minutes ago       Up 4 minutes        0.0.0.0:8443->443/tcp                      network-gateway-admin
    f04e00161738        duosecurity/network-gateway@sha256:f8d671839cd408dd0e97cae7333054074c80a5eaf23afdefd10f00e666a4928f   "docker-entrypoint.sh"   4 minutes ago       Up 4 minutes        6379/tcp                                   network-gateway-redis
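
The listing above shows the admin console published as 0.0.0.0:8443, so the prerequisite to restrict port 8443 to authorized networks still has to be enforced by a firewall. The script below is an added example, not part of Duo's documentation: it finds containers that publish a port on every interface and prints host-level rules for Docker's DOCKER-USER chain. It assumes Docker manages iptables on the host (Docker 17.06 or later) and uses 10.20.0.0/16 as a placeholder admin network.

```shell
#!/bin/sh
# Added example, not Duo's code. Audits which containers publish a host port
# on every interface and prints DOCKER-USER rules limiting it to given CIDRs.

# Constructed sample: output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# for the three containers listed above.
sample_ps() {
    printf 'network-gateway-portal\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\n'
    printf 'network-gateway-admin\t0.0.0.0:8443->443/tcp\n'
    printf 'network-gateway-redis\t6379/tcp\n'
}

# exposed_on_all_interfaces HOST_PORT
# Reads "name<TAB>ports" lines on stdin and prints each container that
# publishes HOST_PORT on 0.0.0.0 or :: (every interface of the host).
exposed_on_all_interfaces() {
    awk -F '\t' -v port="$1" '
        {
            n = split($2, maps, /, */)
            for (i = 1; i <= n; i++) {
                if (maps[i] ~ ("^(0\\.0\\.0\\.0|::|\\[::\\]):" port "->")) {
                    print $1
                    break
                }
            }
        }'
}

# docker_user_rules HOST_PORT CIDR...
# Prints (does not run) iptables commands for review. Docker rewrites the
# destination from host port 8443 to the admin container's port 443 before
# the FORWARD chain, so "--dport 8443" never matches in DOCKER-USER and
# "--dport 443" would also hit the portal. Matching the original destination
# port through conntrack avoids both problems. "--ctdir ORIGINAL" keeps the
# container's reply packets out of the DROP rule.
docker_user_rules() {
    port=${1:-}
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    shift
    [ "$#" -gt 0 ] || { echo "need at least one allowed CIDR" >&2; return 2; }
    # Reject anything that is not address syntax before printing a command.
    for cidr in "$@"; do
        case $cidr in
            ''|*[!0-9A-Fa-f:./]*) echo "invalid CIDR: $cidr" >&2; return 2 ;;
        esac
    done
    match="-p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
    # -I inserts at the top of the chain, so the DROP is printed first and
    # ends up below the RETURN rules that are inserted after it.
    echo "iptables -I DOCKER-USER $match -j DROP"
    for cidr in "$@"; do
        echo "iptables -I DOCKER-USER $match -s $cidr -j RETURN"
    done
}

# Demo on the constructed sample; 10.20.0.0/16 is a placeholder network.
sample_ps | exposed_on_all_interfaces 8443
docker_user_rules 8443 10.20.0.0/16
```

On a live host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `exposed_on_all_interfaces 8443` in place of the sample, and review the printed rules before applying them as root.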

Configure Duo Network Gateway

Initial Duo Network Gateway Configuration

  1. In a browser navigate to https://URL-OF-NETWORK-GATEWAY:8443 from an internal network to log into the Duo Network Gateway admin console. Your browser will warn you about an untrusted certificate the first time you access the page. Dismiss the warning and continue onto the page.

  2. The first page of the Duo Network Gateway setup screen will ask you to choose a password for the Duo Network Gateway admin console. Once you've entered a password that meets the requirements, click Save and Continue.

  3. On the "Make Duo Network Gateway visible to the internet" page fill in the following fields. You can also click the "Already have a Duo Network Gateway configuration file? Import it now." link to restore settings from a backup.

    • Admin Email: Enter the e-mail address of an administrator who can be contacted if there is an issue. Currently this e-mail address will only be contacted if there are issues renewing the automatically generated certificates.
    • Hostname: Enter the fully-qualified external domain name (FQDN) of the server. This should be an FQDN addressable from the Internet (e.g. portal.yourcompany.com).
  4. If you will be supplying your own SSL certificate click Change Certificate to select Provide my own certificate. Configure the certificate using the table below and skip step 5. If you would like to automatically generate certificates, skip this step and proceed to step 5.

    • Certificate: Upload the certificate file you purchased earlier for the Duo Network Gateway server. The certificate should be Base64-encoded X.509 (pem, cer, or crt) and include the entire certificate bundle. The certificates should be ordered from top to bottom: certificate, issuing or intermediate certificates, and root certificate.
    • Private Key: Upload the private key file related to the certificate you purchased earlier for the Duo Network Gateway server. Private keys should be formatted as Base64-encoded X.509 (pem, cer, or crt).

    If the information isn't entered completely and correctly, or this initial configuration fails to save, you'll need to re-enter it before proceeding, including selecting the certificate and key again.

  5. If you'd like the Duo Network Gateway to automatically generate and renew a free SSL certificate using Let's Encrypt click Change Certificate and select Generate a certificate on save. Review the Let's Encrypt Terms of Service. If you accept, check the box next to I agree to the Let's Encrypt Terms of Service.

    If the information isn't entered completely and correctly, or this initial configuration fails to save, you'll need to re-enter it before proceeding.

  6. Click Save and Continue. Saving your configuration redirects you to the Duo Network Gateway admin console.

Configure the Duo Network Gateway Authentication Source

Duo Network Gateway uses SAML as its primary authentication source. You may use any SAML 2.0 IdP you'd like such as the Duo Access Gateway, Okta, OneLogin, or AD FS.

Deploy Duo Access Gateway

  1. Install Duo Access Gateway on a server in your DMZ. Follow our instructions for deploying the server, configuring Duo Access Gateway settings, and adding your primary authentication source.

  2. Add the attribute from the table below that corresponds to the Duo Username attribute in the "Attributes" field when configuring your Active Directory or OpenLDAP authentication source in the Duo Access Gateway admin console. For example, if Active Directory is your authentication source, enter sAMAccountName in the "Attributes" field.

    Duo Attribute        Active Directory    OpenLDAP
    Username attribute   sAMAccountName      uid

    If your organization uses another directory attribute than the ones listed here then enter that attribute name instead. If you've already configured the attributes list for another cloud service provider, append the additional attributes not already present to the list, separated by a comma.

  3. After completing the initial Duo Access Gateway configuration steps, click Applications on the left side of the Duo Access Gateway admin console.

  4. Scroll down the Applications page to the Metadata section. This is the information you need to provide to the Duo Network Gateway when configuring the Duo Access Gateway IdP. Click the Download Certificate link to obtain the token signing certificate (the downloaded file is named "dag.crt").

Create the Duo Network Gateway Application in Duo

  1. Log on to the Duo Admin Panel from the Duo Access Gateway server console and navigate to Applications.

  2. Click Protect an Application, locate SAML - Duo Network Gateway in the applications list, and click Protect this Application. See Getting Started for help.

  3. The Domain name is the fully qualified external DNS name of your Duo Network Gateway server. For example, if your Duo Network Gateway URL is https://dng.yourcompany.com then you would type dng.yourcompany.com in the field.

  4. Duo Network Gateway uses the Username attribute when authenticating. We've mapped Username attribute to Duo Access Gateway supported authentication source attributes as follows:

    Duo Attribute        Active Directory    OpenLDAP    SAML IdP    Google    Azure
    Username attribute   sAMAccountName      uid         mail        email     mail
  5. Click Save Configuration to generate a downloadable configuration file.

  6. You can adjust additional settings for your new SAML application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish SSO setup. If you do update any settings, click the Save Changes button when done.

  7. Click the Download your configuration file link to obtain the Duo Network Gateway application settings (as a JSON file).

    Important: This file contains information that uniquely identifies this application to Duo. Secure this file as you would any other sensitive or password information. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Add the Duo Network Gateway Application to Duo Access Gateway

  1. Return to the Applications page of the Duo Access Gateway admin console session.

  2. Click the Choose File button in the "Add Application" section of the page and locate the Duo Network Gateway SAML application JSON file you downloaded from the Duo Admin Panel earlier. Click the Upload button after selecting the JSON configuration file.

  3. The Duo Network Gateway SAML application is added.

    Duo Network Gateway Application Added

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Entity ID URL from the Duo Access Gateway admin console metadata display and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: https://yourserver.example.com/dag/saml2/idp/metadata.php

  4. Copy the SSO URL information from the Duo Access Gateway admin console Metadata display and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://yourserver.example.com/dag/saml2/idp/SSOService.php

  5. Copy the Logout URL information from the Duo Access Gateway admin console Metadata display and paste it into the Duo Network Gateway Single Logout URL field.

    Example: https://yourserver.example.com/dag/saml2/idp/SingleLogoutService.php

  6. The "Certificate" is the Duo Access Gateway Metadata certificate. Click the Choose File button to select the dag.crt file you downloaded from the Duo Access Gateway admin console Application page earlier. Upload the certificate.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway Duo Access Gateway IdP Settings

Configure the Duo Network Gateway app in OneLogin

  1. Log into OneLogin as an administrative user. Move your mouse over the APPS button at the top of the screen. A dropdown will appear; click Add Apps. You will be taken to a new page.

  2. On the "Find Applications" page type Duo Network Gateway into the search field. It should return only one result called "Duo Network Gateway". Click on this application to create it. You'll be taken to a new page.

  3. On the "Configuration" page click on the Visible in portal switch to toggle it to off.

  4. Click Save at the top of the screen. You'll be taken to a new page.

    Configure OneLogin

  5. Once you're on the Duo Network Gateway app page click the Configuration tab at the top of the screen. In the Hostname field enter in the fully-qualified domain name of your Duo Network Gateway server.

    Example: If your Duo Network Gateway URL is https://portal.yourcompany.com you would type portal.yourcompany.com.

    Configure OneLogin Duo Network Gateway Hostname

  6. Click the Save button.

  7. Click the SSO tab at the top of the screen. Under "X.509 Certificate" click View Details. You'll be taken to a new page.

  8. On the "Standard Strength Certificate (2048-bit)" page under "X.509 Certificate" select X.509 PEM from the dropdown and click DOWNLOAD. This will download a onelogin.pem file that you'll need when configuring the Duo Network Gateway.

    OneLogin SSO certificate page

  9. Return to the OneLogin SSO page. You'll need to provide information from the "SSO" page for configuring the Duo Network Gateway.

    OneLogin SSO page

  10. You can now assign users in OneLogin to have access to the Duo Network Gateway app.

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Issuer URL from the OneLogin SSO page and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: https://app.onelogin.com/saml/metadata/123456

  4. Copy the SAML 2.0 Endpoint (HTTP) from the OneLogin SSO page and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://company.onelogin.com/trust/saml2/http-post/sso/123456

  5. Copy the SLO Endpoint (HTTP) from the OneLogin SSO page and paste it into the Duo Network Gateway Single Logout URL field.

    Example: https://company.onelogin.com/trust/saml2/http-redirect/slo/123456

  6. The "Certificate" is the OneLogin certificate you downloaded earlier. Click the Choose File button to select the onelogin.pem file. Upload the certificate.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway OneLogin configuration

Configure the Duo Network Gateway app in Okta

  1. Log into Okta as an administrative user. Click on the Admin button in the top right hand corner of the screen.

  2. On the "Dashboard" page click Add Applications under "Shortcuts" on the right-hand side of the screen.

  3. On the "Add Application" page type Duo Network Gateway into the search field. It should return only one result called "Duo Network Gateway". Click Add on this application to create it. You'll be taken to a new page.

  4. On the "General Settings - Add Duo Network Gateway" page you can change the name of the application by modifying the text in the Application label field.

  5. In the Hostname field enter in the fully-qualified domain name of your Duo Network Gateway server.

    Example: If your Duo Network Gateway URL is https://portal.yourcompany.com you would type portal.yourcompany.com.

  6. Check both of the boxes next to Application Visibility.

  7. Click Next at the bottom of the screen. You'll be taken to a new page.

    Configure Okta

  8. On the "Assign to People - Add Duo Network Gateway" page you can check the box next to users to allow them to access the Duo Network Gateway application. Click Next when you've finished.

    Assign Okta

  9. The page will reload asking you to validate the username field. The username will be checked against Duo when completing two-factor authentication. Modify any usernames as needed and click Done. You'll be taken to a new page.

    Modify Okta Usernames

  10. On the "Duo Network Gateway" page click the Sign On tab. Click View Setup Instructions. You'll be taken to a new page.

  11. On the "How to Configure SAML 2.0 for Duo Network Gateway" page scroll down the page to Step 3. You'll need to provide information from this step to the Duo Network Gateway in the next section.

    Okta Metadata

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the Entity ID or Issuer ID from the Okta SSO page and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: http://www.okta.com/abc1a2bcd3efG4HIj5K6

  4. Copy the Assertion Consumer Service URL or Single Sign-On URL from the Okta SSO page and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://yourcompany.okta.com/app/duonetworkgateway/abc1a2bcd3efG4HIj5K6/sso/saml

  5. Leave the Single Logout URL field blank.

  6. Click the Certificate link on the Okta SSO page to download the okta.cert file. Upload the certificate in the Duo Network Gateway Certificate section.

  7. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  8. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is an e-mail address.

  9. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway Okta configuration

Using AD FS as your IdP requires Duo Network Gateway 1.2.4 or later.

Copy Metadata from the Duo Network Gateway

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Under the Metadata section copy the URL next to Entity ID or Issuer ID URL. You'll need this later in the setup.

Add the Duo Network Gateway Relying Party in AD FS

  1. Log into your AD FS server as a Domain Admin or member of the server's local Administrators group and open the AD FS Management console.

  2. Click the arrow icon next to Trust Relationships on the left-hand side of the page to expand its options. Skip this step if you are using AD FS 4.

  3. Right click Relying Party Trusts and select Add Relying Party Trust... from the dropdown. A new window will appear.

  4. Review the information on the Welcome page and then click Start. In AD FS 4 leave the default choice of "Claims aware" selected and click Start.

  5. Select Import data about the relying party published online or on a local network on the Select Data Source Page. Copy the Entity ID or Issuer ID value from earlier and paste it into the text field. Click Next.

    Example: https://portal.yourcompany.com/metadata/

    Configure AD FS Data Source

  6. On the Specify Display Name page type a name that will help you identify this relying party easily later into the Display name field and click Next.

  7. On the Configure Multi-factor Authentication Now? page select I do not want to configure multi-factor authentication settings for this relying party trust at this time. and click Next. In AD FS 4 this page is called "Choose Access Control Policy". Select the access control policy for this application from the list. The simplest option is to choose the default "Permit everyone" policy, or if you want to restrict Network Gateway access select the built-in or custom access control policy that meets your needs. After selecting an access control policy click Next.

  8. Click Next on the Ready to Add Trust page.

  9. Leave the "Open the Edit claim Rules dialog for this relying party trust when the wizard closes" checked and click Close. This setting is called "Configure claims issuance policy for this application." in AD FS 4. A new window will appear.

Configure the Duo Network Gateway Relying Party in AD FS

  1. On the Edit Claim Rules for ... page click Add Rule.... A new window will appear.

  2. On the Select Rule Template page select Send LDAP Attributes as Claims from the dropdown and click Next.

  3. On the Configure Rule page type NameID into the Claim rule name field.

  4. Select Active Directory from the Attribute store dropdown.

  5. Click the dropdown menu under LDAP Attribute and select SAM-Account-Name.

  6. Click the dropdown menu under Outgoing Claim Type and select Name ID.

  7. Click Finish. You'll be returned to the "Edit Claim Rules for ..." page.

  8. Click Apply and click OK. The page will close and you'll be returned to the AD FS Management console.

    Configure AD FS Claim Rules

Export AD FS Signing Certificate

  1. On the AD FS Management console click the arrow icon next to Service on the left-hand side of the page to expand its options. Click on Certificates.

  2. In the middle of the screen right-click the certificate under Token-signing and select View Certificate.... A new window will appear.

  3. On the Certificate window select the Details tab. Click the button Copy to File.... A new window will appear.

  4. Click Next on the Welcome page.

  5. On the Export Private Key page select No, do not export the private key and then click Next.

  6. Select Base-64 encoded X.509 (.CER) on the Export File Format page. Click Next.

    Configure AD FS Claim Rules

  7. On the File to Export page click Browse.... Name the file adfs and select a location to save it. You will need to use this certificate later. Click Finish.

Gather AD FS Metadata

  1. Open up a web browser and go to https://AD-FS-URL/FederationMetadata/2007-06/FederationMetadata.xml. This will download an XML file onto your computer.

  2. Open up the FederationMetadata.xml file using a text editor like NotePad or WordPad. You will need information from this file later.

Configure Duo Network Gateway IdP

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. Scroll down to the Configure SAML Identity Provider section of the page.

  3. Copy the entityID value from the AD FS XML file and paste it into the Duo Network Gateway Entity ID or Issuer ID field.

    Example: http://AD-FS-URL/adfs/services/trust

  4. Copy the AssertionConsumerService value from the AD FS XML file and paste it into the Duo Network Gateway Assertion Consumer Service URL or Single Sign-On URL field.

    Example: https://AD-FS-URL/adfs/ls/

  5. The "Certificate" is the AD FS token-signing certificate file you downloaded earlier. Click the Choose File button to select the adfs.cer file. Upload the certificate.

  6. Username Attribute is an optional setting. By default Duo Network Gateway will use the NameID field to populate the username. If AD FS sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.

  7. Enforced Email Domain is an optional setting. Enabling this will allow you to enforce that only e-mail addresses or userPrincipalNames within a certain domain are allowed to log into Duo Network Gateway if the username attribute you are using is one of those attributes.

  8. After you've entered all the required information click the Save Settings button.

    Duo Network Gateway AD FS configuration
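Before pasting values from FederationMetadata.xml into the form, it helps to confirm that the exported adfs.cer really is the token-signing certificate the metadata publishes. The script below is an added example, not Duo or Microsoft code: it reads the SSO endpoint from the SingleSignOnService entries under IDPSSODescriptor (an assumption about where the /adfs/ls/ URL is taken from), and the host name, function names and placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def der_from_base64_cert(text):
    """Decode a Base-64 encoded X.509 file (.cer, .pem, .crt) to DER bytes."""
    lines = (line.strip() for line in text.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def read_idp_metadata(xml_text):
    """Extract the values the gateway's IdP form asks for."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_urls = sorted({e.get("Location")
                       for e in idp.findall("md:SingleSignOnService", NS)})
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(node.text.split()))
            signing.append(fingerprint(der))
    return {"entity_id": root.get("entityID"),
            "sso_urls": sso_urls,
            "signing_fingerprints": signing}


def check_idp_upload(xml_text, cert_file_text):
    """Return a list of problems; an empty list means the values line up."""
    meta = read_idp_metadata(xml_text)
    problems = []
    if not meta["sso_urls"]:
        problems.append("no SingleSignOnService endpoint in metadata")
    for url in meta["sso_urls"]:
        if not url.startswith("https://"):
            problems.append("SSO URL is not HTTPS: " + url)
    uploaded = fingerprint(der_from_base64_cert(cert_file_text))
    if uploaded not in meta["signing_fingerprints"]:
        problems.append("certificate file is not a signing certificate "
                        "published in the metadata")
    return problems


def pem_wrap(der):
    """Wrap DER bytes the way a Base-64 encoded X.509 export does."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "\n-----END CERTIFICATE-----\n")


# Constructed sample input. The "certificates" are placeholder bytes, not
# real X.509 data; only their fingerprints matter for this comparison.
SIGNING_DER = b"constructed placeholder: token-signing certificate"
ENCRYPT_DER = b"constructed placeholder: token-decrypting certificate"
SAMPLE_METADATA = """<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{enc}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{sig}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(
    enc=base64.b64encode(ENCRYPT_DER).decode(),
    sig=base64.b64encode(SIGNING_DER).decode())

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA))
    print(check_idp_upload(SAMPLE_METADATA, pem_wrap(SIGNING_DER)))
```

Run it against the downloaded FederationMetadata.xml and the exported adfs.cer; an empty problem list means the file you are about to upload matches a signing certificate in the metadata.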

Other SAML Providers

  1. On the Duo Network Gateway admin console home page click the Authentication Source link under Step 2.

  2. On the "Primary Authentication" page scroll down to Metadata. You will need to provide this information about Duo Network Gateway to your primary authentication source.

    Duo Network Gateway metadata information

  3. Add Duo Network Gateway as a SAML Service Provider or Relying Party to the SAML Identity Provider (IdP) of your choice.

    1. Use the metadata to fill out information related to the Duo Network Gateway server during the setup.
    2. Configure your SAML IdP to send the NameIDFormat as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified with the NameID value containing the Duo username.
    3. Save the certificate generated by your SAML IdP; you will need this later.
  4. Once you've configured Duo Network Gateway as a SAML Service Provider on your SAML IdP you will need to configure the Duo Network Gateway server to use your IdP. Use the table below and fill in the following fields:

    Option | Description
    Entity ID or Issuer ID | The global, unique name for your SAML entity. Obtain this from your SAML authentication identity provider.
    Assertion Consumer Service URL or Single Sign-On URL | URL to use when performing primary authentication. This is provided by your primary authentication identity provider.
    Single logout URL | Optional: URL to use when logging out. This is provided by your primary authentication identity provider.
    Certificate | The Base64-encoded X.509 certificate provided by your SAML IdP.
    Username Attribute | Optional: By default Duo Network Gateway will use the NameID field to populate the username. If your SAML IdP sends a different attribute that you'd like to use as your username attribute, you can select the check box and specify the name of the attribute you'd like to use instead.
    Enforced Email Domain | Optional: Enabling this will allow you to enforce that only e-mail addresses within a certain domain are allowed to log into Duo Network Gateway.

    Duo Network Gateway Primary Authentication Configuration

  5. Once you've filled in all the required fields, click Save Settings.

Protect an Application with Duo Network Gateway

Now that we've configured Duo Network Gateway and the primary authentication source we are ready to protect an application with Duo Network Gateway.

Prerequisites

  • Identify the application you'd like to protect with Duo Network Gateway and make sure that Duo Network Gateway is able to communicate locally with the application.
  • Create or update the public DNS record of your application to point to the Duo Network Gateway server
  • Obtain an SSL certificate for your application from a commercial certificate authority (CA) using the fully qualified external DNS name of your application as the common name (e.g. yourinternalapp.example.com). This secures the connection between your external users and the Duo Network Gateway server. You can also generate a free, automatically renewing certificate from Let's Encrypt during setup.
  • If the application you'll be protecting is already communicating over HTTPS you will also need to obtain the Base64-encoded X.509 (pem, cer, or crt) formatted version of the application's certificate bundle including the issuing certificates and the root certificate. You may also use a wildcard SSL certificate.

Create a Duo Network Gateway Web Application in Duo

  1. Log in to the Duo Admin Panel and navigate to Applications.

  2. Click Protect an Application and locate Duo Network Gateway Web Application in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. You will need this information later. (See Getting Started for help.)

  3. You can adjust additional settings for your new Duo Network Gateway application at this time — like changing the application's name from the default value, enabling self-service, or assigning a group policy — or come back and change the application's policies and settings after you finish setup. If you do update any settings, click the Save Changes button when done.

Configure an Application in Duo Network Gateway

  1. Return to the Duo Network Gateway admin console and click the Applications link on the left-hand side of the screen.

  2. On the "Applications" page click Add a Web Application. The page will refresh with new options.

  3. On the "Duo Network Gateway Applications - Add" page enter your integration key, secret key, and API hostname you created earlier from the Duo Admin Panel.

    Option | Description
    Integration key | Copy and paste in the integration key from the Duo Network Gateway application you created earlier in the Duo Admin Panel.
    Secret key | Copy and paste in the secret key from the Duo Network Gateway application you created earlier in the Duo Admin Panel.
    API hostname | Copy and paste in the API hostname from the Duo Network Gateway application you created earlier in the Duo Admin Panel.

    Configure Duo Network Gateway application with Duo keys

  4. Scroll down to the "External website settings" section. In the External URL field enter the public-facing external URL of the web application Duo Network Gateway is protecting (e.g. https://wiki.yourdomain.com). This URL can be the same as the internal application URL, but that is not required.

  5. If you will be supplying your own SSL certificate select Provide my own certificate next to Certificate Source. Configure the certificate using the table below and skip step 6. If you would like to automatically generate certificates, skip this step and proceed to step 6.

    Option | Description
    External SSL certificate | Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external URL of the application. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate.
    External SSL certificate key | Base64-encoded X.509 (pem, cer, or crt) private key for the application's external URL certificate.

    Configure external settings for Duo Network Gateway application

  6. If you'd like the Duo Network Gateway to automatically generate and renew a free SSL certificate using Let's Encrypt select Generate a certificate on save next to Certificate Source. Review the Let's Encrypt Terms of Service. If you accept, check the box next to I agree to the Let's Encrypt Terms of Service.

    Configure external settings for Duo Network Gateway application with Let's Encrypt

  7. URI Whitelisting is an optional feature. Check the box next to "URL Whitelisting" to display its options. Whitelisting URI prefixes or suffixes means that they don't require authentication through the Duo Network Gateway. You will still need to complete any authentication the internal application may have before accessing the resource. This may be required for certain applications that communicate to each other over APIs or other methods. Separate multiple values with spaces. You may also restrict the whitelist to specific IP addresses or IP ranges during configuration.

  8. Scroll down to the "Internal website settings" section. Configure the settings related to your internal application using the table below:

    Option | Description
    Internal URL | Enter the internal URL or IP address of the web application Duo Network Gateway is protecting (e.g. https://wiki.local or https://10.1.10.123). If the internal application is communicating on a port other than 80 or 443 please specify the port using a colon (e.g. https://wiki.local:8090). Your internal application can communicate over HTTP or HTTPS.
    Certificate Authority | This will only appear if your internal URL uses HTTPS. Duo Network Gateway will automatically check your internal application's certificate against a list of trusted public certificate authorities. If you use a private certificate authority or still get an error when trying to access your application, please check the box next to I use a private Certificate Authority and upload an Internal SSL certificate.
    Internal SSL certificate | Only required if the internal application is communicating over HTTPS and you've checked the box next to I use a private Certificate Authority. Provide a Base64-encoded X.509 (pem, cer, or crt) version of the Root CA's certificate that is at the top of the chain for the internal application certificate.
    Internal SSL validation name | The drop-down options include the internal and external URLs you entered on this page. Select the one that matches the subject host name of the certificate used by the internal application.
    Session duration | This field allows you to specify the maximum user session duration for a specific application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480.

    Configure internal settings Duo Network Gateway application

  9. Once you've filled in all the required fields, click Add Application.

    If all information isn't entered completely and correctly or this new application configuration fails to save you'll need to re-enter the Duo application secret key and select the certificate and key files again for upload.
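Because whitelisted URIs skip Duo Network Gateway authentication, it is worth checking which application paths a proposed whitelist would expose before saving it. The following is an added example, not Duo's code: it assumes plain string prefix and suffix matching on the URL path and that an empty source list applies the whitelist to every client, and the class, function names, paths and addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


class UriWhitelist:
    """Model of the form fields: space-separated prefixes, suffixes, sources."""

    def __init__(self, prefixes="", suffixes="", sources=""):
        self.prefixes = prefixes.split()
        self.suffixes = suffixes.split()
        # Single addresses become /32 (or /128) networks.
        self.networks = [ipaddress.ip_network(s, strict=False)
                         for s in sources.split()]

    def source_allowed(self, client_ip):
        """True when the whitelist applies to this client address."""
        if not self.networks:
            return True  # assumption: no restriction means every client
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def matching_entries(self, url_or_path):
        """Whitelist entries that match the path (query string ignored)."""
        path = urlsplit(url_or_path).path
        hits = [p for p in self.prefixes if path.startswith(p)]
        hits += [s for s in self.suffixes if path.endswith(s)]
        return hits

    def skips_gateway_auth(self, url_or_path, client_ip):
        """True when the request would not be sent through Duo login."""
        return (self.source_allowed(client_ip)
                and bool(self.matching_entries(url_or_path)))


def exposure_report(whitelist, inventory):
    """Map each whitelist entry to the inventory paths it exposes."""
    report = {e: [] for e in whitelist.prefixes + whitelist.suffixes}
    for path in inventory:
        for entry in whitelist.matching_entries(path):
            report[entry].append(path)
    return report


# Constructed sample: paths of an internal application and a proposed rule.
INVENTORY = [
    "/login",
    "/api/v1/status",
    "/api/v1/users?page=2",
    "/static/app.js",
    "/admin/settings",
    "/admin/export.js",
]
PROPOSED = UriWhitelist(prefixes="/api/v1/ /static/",
                        suffixes=".js",
                        sources="203.0.113.0/24 198.51.100.7")

if __name__ == "__main__":
    for entry, paths in exposure_report(PROPOSED, INVENTORY).items():
        print(entry, "->", paths)
```

In the sample, the `.js` suffix also matches `/admin/export.js`, which shows how a short suffix can exempt more than the static assets it was meant for.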

Test Duo Network Gateway

  1. Navigate to the external URL of the application that you just configured in Duo Network Gateway (e.g. https://wiki.yourcompany.com).

  2. You'll be redirected to the SAML IdP you configured for use with Duo Network Gateway. The Duo authentication prompt appears after successful primary authentication. Completing secondary authentication with Duo grants access to your internal web application.

  3. The Duo Network Gateway doesn't pass any primary login credential information to the internal application, so you'll need to provide your username and password to the internal application separately.

Congratulations! You have successfully published your internal application with Duo Network Gateway. You can now remove any external firewall rules providing direct access to your internal application and allow all authorized users to access the application through Duo Network Gateway.

Additional Settings

You can change settings related to the Duo Network Gateway server by clicking the Settings link on the left-hand side navigation menu and clicking tabs at the top of the page.

Server Settings

This section allows you to change the Duo Network Gateway server settings that were set during Initial Duo Network Gateway Configuration. These values are the admin e-mail, hostname, and certificate that are used for the Duo Network Gateway website. This is the site that users are directed to when they are authenticating through Duo Network Gateway.

Configure Duo Network Gateway Server settings

Change Password

Set a new administrator password. We require a strong password that uses a mix of uppercase and lowercase letters, numbers, and special characters.

Change Duo Network Gateway admin password

Backup and Restore

Duo Network Gateway allows you to back up your current configuration and restore it at a later date, or import it on a different server for high availability or migration.

Backing up your configuration

  1. While logged into the Duo Network Gateway admin console click Settings on the left-hand side of the screen.

  2. On the "Settings" page click the Backup Configuration tab.

  3. Type your current admin password into the Current Admin Password field.

  4. Type a passphrase that will be used to encrypt your backup file into the File Encryption Passphrase and confirm the passphrase in the Confirm Encryption Passphrase field.

    Important: Secure this file as you would any other sensitive or password information. If you lose your passphrase you will not be able to restore the backup file.

  5. Click Backup Configuration. A backup CFG file will be downloaded to your computer. Store this file in a secure location.

Backup Duo Network Gateway configuration

Restoring from the Settings page

  1. While logged into the Duo Network Gateway admin console click Settings on the left-hand side of the screen.

  2. On the "Settings" page click the Restore Configuration tab.

  3. Type your current admin password into the Current Admin Password field.

  4. Select the backup CFG file you'd like to restore from and upload it in Saved Configuration File.

  5. Type the passphrase you chose when you created the backup in the Encryption Passphrase for Selected File field.

  6. Click Restore Configuration. The page will refresh and all previous configurations will be restored.

Restore Duo Network Gateway configuration

Restoring from the Initial config page

  1. While configuring a new Duo Network Gateway on the "Make Duo Network Gateway visible to the internet" page click the Already have a Duo Network Gateway configuration file? Import it now. link.

  2. Select the backup CFG file you'd like to restore from and upload it in Saved Configuration File.

  3. Type the passphrase you chose when you created the backup in the Encryption Passphrase for Selected File field.

  4. Click Import Configuration. The page will refresh and all previous configurations will be restored.

  5. You'll be taken to the homepage of the Duo Network Gateway admin console.

Restore Duo Network Gateway from initial configuration page

Logging

To view Duo Network Gateway's system logs, log into the Duo Network Gateway server and run the following command using your current Duo Network Gateway YML file:

docker-compose -p network-gateway -f network-gateway-1.2.6.yml logs -f

Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your current YML file's actual name.

The logs will output as a continuous stream. To exit viewing the logs use the keyboard combination CTRL + Z.

Upgrading Duo Network Gateway

Upgrading Duo Network Gateway preserves all your server settings and application configurations. To perform an upgrade:

  1. Download the latest version of the Duo Network Gateway YML file by typing:

    wget --content-disposition https://dl.duosecurity.com/network-gateway-latest.yml

    You should see output similar to:

    --2016-12-21 14:15:16--  https://dl.duosecurity.com/network-gateway-latest.yml
    Resolving dl.duosecurity.com (dl.duosecurity.com)... 52.84.66.79, 52.84.66.236, 52.84.66.146, ...
    Connecting to dl.duosecurity.com (dl.duosecurity.com)|52.84.66.79|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1194 (1.2K) [application/octet-stream]
    Saving to: ‘network-gateway-1.2.6.yml’
    network-gateway-1.2.6.yml                   100%[======================================================================>]   1.17K  --.-KB/s    in 0s      
    2016-12-21 14:15:16 (124 MB/s) - ‘network-gateway-1.2.6.yml’ saved [1194/1194]
    

    Note the saved file name; you'll need this in future steps.

  2. Pull down the new Duo Network Gateway image files using the YML file downloaded in the previous step. Note that your YML file name may reflect a different version than the example command shown. Replace the file name in the example with your downloaded YML file's actual name.

    Type:

    docker-compose -f network-gateway-1.2.6.yml pull

  3. Type the following command to upgrade your existing Duo Network Gateway to the new version from the YML file you downloaded:

    docker-compose -p network-gateway -f network-gateway-1.2.6.yml up -d

    Note that the new YML file names may reflect different versions than the example command shown. Replace the file name in the example with your newly downloaded YML file's actual name.

  4. The Duo Network Gateway server shuts down and starts up with the newer version, preserving your existing settings. The upgrade process is complete with no further action required. The output will look similar to:

    Stopping network-gateway-admin ... done
    Stopping network-gateway-portal ... done
    Stopping network-gateway-redis ... done
    Removing network-gateway-admin ... done
    Removing network-gateway-portal ... done
    Removing network-gateway-redis ... done
    Removing network network-gateway_default
    Creating network "network-gateway_default" with the default driver
    Creating network-gateway-redis
    Creating network-gateway-portal
    Creating network-gateway-admin

Troubleshooting

Need some help? Take a look at our Duo Network Gateway Knowledge Base articles or Community discussions. For further assistance, contact Support.

High Availability

We recommend deploying a second Duo Network Gateway server identical to your original to serve as a standby replacement for the primary Duo Network Gateway server. You can quickly create a backup of your current Duo Network Gateway and restore it to a new system by following the Backup and Restore instructions.

You can configure a load balancer in front of two identically configured Duo Network Gateway servers for active/active or active/passive high availability. In this scenario we recommend 24-hour persistence to match the lifetime of the Duo Network Gateway session. Consult your load balancer solution documentation for guidance.

Network Diagram

  1. Client HTTPS connection to Duo Network Gateway
  2. Primary authentication to SAML identity provider
  3. Duo Network Gateway connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Duo Network Gateway receives authentication response
  6. Duo Network Gateway session authenticated
  7. External SSL access to published internal web application via Duo Network Gateway reverse proxy
