
Scripted Configuration for Duo Network Gateway

Last Updated: April 22nd, 2024

Scripted Configuration allows you to configure Duo Network Gateway using a configuration file so that you can store your settings locally in source control, automatically deploy, and make changes to Duo Network Gateway without having to access the Admin console.

Scripted Configuration requires Duo Network Gateway version 1.4.0 or greater.

Getting started with Scripted Configuration

Duo Network Gateway can be configured by using the Admin console or by creating a configuration file and sending it to the Duo Network Gateway.

Using a configuration file will give you the option to manage your Duo Network Gateway configuration offline with source control and give you the ability to automatically deploy, configure, and update Duo Network Gateway using automation without having to access the Admin console.

The Duo Network Gateway configuration file uses the YAML Ain't Markup Language (YAML) format.

Configuration Options

The configuration file may contain the following main YAML maps:

  • network_gateway - Main Duo Network Gateway settings.
  • primary_auth - First factor SAML authentication settings.
  • web_applications - Protected web applications
  • ssh_servers - Protected SSH servers
  • application_relays - Protected RDP servers
  • subdomains - DNS information for RDP

Network Gateway Settings

Create a network_gateway YAML map. This will contain configuration settings for the main Duo Network Gateway site such as hostname and SSL certificates.

These same settings can be configured in the Admin console. You can read how at Initial Duo Network Gateway Configuration.

  • hostname (required) - Hostname of the Duo Network Gateway server. Example: 'dng.example.com'
  • enable_ui (required) - Toggles whether the Duo Network Gateway admin console is enabled. If false, the admin console is disabled. Example: true | false
  • password (required if enable_ui is true) - Password used for the Duo Network Gateway admin console login. Minimum requirements: 8 or more characters, 1 number, 1 uppercase letter, 1 lowercase letter, 1 special character. Example: 'P@ssw0rd'
  • admin_email (required) - Administrator e-mail. Example: 'admin@example.com'
  • load_balancer_cidrs_ips (optional) - A list of IP addresses or CIDR blocks of load balancers in front of the Duo Network Gateway. Example:
    load_balancer_cidrs_ips:
      - '10.64.0.0/16'
      - '10.65.0.0'

ssl_cert

Create an ssl_cert map within the network_gateway map. All settings listed below should be within the ssl_cert map.

  • source (required) - Type of SSL certificate that will be associated with the hostname of the DNG. One of:
      • 'own': Certificate provided in the configuration file.
      • 'letsencrypt': Use the Let's Encrypt service to generate a certificate. Only works in standalone mode.
      • 'selfsigned': Generates a self-signed certificate. Only works in High Availability mode.
  • cert (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the hostname. We recommend including the entire certificate chain in the certificate file, ordered from top to bottom: certificate, issuing certificates, and root certificate. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjAN...
    -----END CERTIFICATE-----
  • key (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) private key for the hostname certificate. Example:
    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w....
    -----END PRIVATE KEY-----

Example Duo Network Gateway Configuration

network_gateway:
  hostname: 'dng.example.com'
  enable_ui: true
  password: 'P@ssw0rd'
  admin_email: 'admin@example.com'
  load_balancer_cidrs_ips:
    - '10.64.0.0/16'
    - '10.65.0.0'
  ssl_cert:
    source: 'own'
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDQDCCAigCCQCL0eZVUgLJ5jANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJV
      UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
      CgwJQWNtZSBDb3JwMRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wHhcNMTgwOTE5
      MTkyMTIzWhcNMTkwOTE5MTkyMTIzWjBiMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
      TWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UECgwJQWNtZSBDb3Jw
      MRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
      DwAwggEKAoIBAQCmlYsofv+lTbZwiKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX
      11vZE2OXHX6zYJpmaFgKo2KXICU0XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH359
      3Co+EaaqEYfeyh5WnOCsXEEXKk9CiOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwT
      o3hTcl7Y470Lwl58P2EfYGA6V7sSAAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+o
      vbKkBdi2PrsJLzFn7ZTv9OD/plv+w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNz
      aziaT6YDhFuWDAMhYtB5G1fGM7Zwi+O6uxqXAgMBAAEwDQYJKoZIhvcNAQELBQAD
      ggEBAJEPxlCk/VrBNe5RSwEaNZxj/7YidEC+oxews+NXl4AxWaj5HtQNrDiVicS5
      PDl7stlyFoE+AxLsPf1OW0wxePFukkptbGwnI7+8omMbTnJY0vWWnKVcqBK39IfK
      sbaJfMTa0C9OsoUeFuvI6D5yI8x0PdZBK7hbKihr9UYZWD03rlRdflTNYRIKDCFf
      SBehDZgkandk7sM2BNkAdvOmkCWCrZeG5dgsQo9VRaCQ8rCmzE+Hqxtcfj9yY0Zu
      7t484BDWx0X52nFo4JxKYFvWKyVl3vXwWl3DAZ7gmzEATfrMQt9NVTKAZXHI80MF
      UP9QURAtRcc/Zn1avcrZT+k1bl4=
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmlYsofv+lTbZw
      iKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX11vZE2OXHX6zYJpmaFgKo2KXICU0
      XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH3593Co+EaaqEYfeyh5WnOCsXEEXKk9C
      iOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwTo3hTcl7Y470Lwl58P2EfYGA6V7sS
      AAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+ovbKkBdi2PrsJLzFn7ZTv9OD/plv+
      w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNzaziaT6YDhFuWDAMhYtB5G1fGM7Zw
      i+O6uxqXAgMBAAECggEBAKEjuVfz+ZFKqjcTS111ytfDpZQntImWb2+kWZzCyh93
      hCjrJm6pCRTj14tfIaecw95aAwhPYdg0ZSjSQSZU0IKOiR21S8T1xfkP16QW3Clu
      UFej1HUlGsutwV1z1c2iEFTSLdcs6l3hNIh06k9Ve7BQchJIcu72I6x1DSVra7TN
      MmJ8rry5zZAbf4J192+iMIpquuxSrDfszVZujMRCdpDePbB/69xVfUWaTm/iOA3E
      U306W/7HjIhsSwIwR13eun6QfHmsYmIwOzAuwKQdcuDYundtAqs6TcC9ynqm8AxB
      T4tfE53ALDReMNwAcWUM9s9akCf8M/dFbFPxVwgh20ECgYEAzpkGgJq7816ezxn5
      Xr1jMvg4RYebqNTRsA3TxLeR9VbZSJhGbH2IwHMk6ccyaqQg060hQBTivorfWcQK
      rHKHrKaqmkNMD/Pa3mnr0q+rtcUUQXlDeK3a3uBHWorxp2auknnQQqAPpxTVTEf+
      BGoAXjBeRq/59SFoL0wD5trVL6ECgYEAzmsRTjnWiaUg932arOoyw/l6GPGPECMW
      ZgoxvWknWwxo4H4sQm78YRxFxv9aUn+T2X8daA5wnnsjKaNDk9XjQwphhAUpHgDW
      OwbQN7TFBOFDkh6O0EVjcdiR3dMQgbDJTLjJ7xUC26fyOQfWQia//2116nxPj+Go
      JJwbXXUtfzcCgYBC1jrGTEjV2Ryjf5GvVrHLAYai59Yx7nfP7wk9sO2lY210EN9n
      pc0iBZ5Bi1ICMgr0sCP7qUYZwq+zSLrzQzIlZt32fiMTXh7GqZnDVVXFvnZpICP1
      3LjcNc6fuienso5zkLkRdNrbgN/oh7nkD68Cyb8WO0QwS5h7BKqWeuFRQQKBgQCo
      x60PzIUaaVYKZ76YkqrNyWjHioSTCk2fQ8il+pw+e2gp36Eq9PsSIH8BlvvwpvZq
      ieCum9gEDeWTfzabY/F+eLeBroKPUNnay9hnJD1QnyyUBr55l7MXfKDQw2sk0DvY
      quQaxJBgsPODJGBSGMM3BPa8s8aOfFHzFV3ezhhUgwKBgGCx9pQ6NRK7LXJQ4NXA
      IzRLIEwUrfp8aAHVrOw3CxNB5v25PWcPB/864rJDh6xtbq72XbgygFGK4kjH2Hh7
      CaxivC48dkTiARirNDxR5XcJpVQQXl8BSRoRSiI8YBtZR2Lkg5NMiFASXplfNQKl
      NILod7CVavIYKYmNtAGw7z4s
      -----END PRIVATE KEY-----
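As an added example (not part of Duo's documentation or of the Duo Network Gateway code), the following Python checks a parsed network_gateway map against the rules in the table above: the required keys, the password requirements that apply when enable_ui is true, that every load_balancer_cidrs_ips entry is an IP address or CIDR block, and the certificate source rules for ssl_cert. The sample map, the reading of "special character" as any non-alphanumeric character, and the high_availability flag are assumptions made here; in practice you would load your own file with a YAML parser and pass its network_gateway map to validate_network_gateway before deploying it.

```python
import ipaddress
import re

# Constructed sample (mirrors the page's example map, but with a weak password,
# a non-IP entry and a missing key so the validator has something to report).
SAMPLE_NETWORK_GATEWAY = {
    "hostname": "dng.example.com",
    "enable_ui": True,
    "password": "password",
    "admin_email": "admin@example.com",
    "load_balancer_cidrs_ips": ["10.64.0.0/16", "10.65.0.0", "not-an-ip"],
    "ssl_cert": {"source": "own", "cert": "-----BEGIN CERTIFICATE-----\n...PLACEHOLDER..."},
}

# The page's minimum password requirements. "Special character" is assumed here
# to mean any character that is not a letter or digit.
PASSWORD_RULES = [
    (lambda p: len(p) >= 8, "at least 8 characters"),
    (lambda p: re.search(r"[0-9]", p) is not None, "a number"),
    (lambda p: re.search(r"[A-Z]", p) is not None, "an uppercase letter"),
    (lambda p: re.search(r"[a-z]", p) is not None, "a lowercase letter"),
    (lambda p: re.search(r"[^A-Za-z0-9]", p) is not None, "a special character"),
]


def password_problems(password):
    """Return the descriptions of every password rule the value fails."""
    return [desc for check, desc in PASSWORD_RULES if not check(password)]


def validate_network_gateway(ng, high_availability=False):
    """Return a list of problems found in a network_gateway map (empty means it passed).

    high_availability is an assumption of this example: the page says 'letsencrypt'
    only works in standalone mode and 'selfsigned' only in High Availability mode.
    """
    problems = []
    for key in ("hostname", "enable_ui", "admin_email"):
        if key not in ng:
            problems.append(f"missing required setting: {key}")

    # password is only required (and only checked) when the admin console is enabled
    if ng.get("enable_ui") is True:
        if "password" not in ng:
            problems.append("password is required when enable_ui is true")
        else:
            for missing in password_problems(ng["password"]):
                problems.append(f"password must contain {missing}")

    # each load balancer entry must be a single address or a CIDR block
    for entry in ng.get("load_balancer_cidrs_ips", []):
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"load_balancer_cidrs_ips entry is not an IP or CIDR: {entry}")

    ssl = ng.get("ssl_cert")
    if ssl is None:
        problems.append("missing required map: ssl_cert")
        return problems
    source = ssl.get("source")
    if source == "own":
        for key in ("cert", "key"):
            if key not in ssl:
                problems.append(f"ssl_cert.{key} is required when source is 'own'")
    elif source == "letsencrypt":
        if high_availability:
            problems.append("ssl_cert source 'letsencrypt' only works in standalone mode")
    elif source == "selfsigned":
        if not high_availability:
            problems.append("ssl_cert source 'selfsigned' only works in High Availability mode")
    else:
        problems.append(f"ssl_cert.source must be 'own', 'letsencrypt' or 'selfsigned', got {source!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_network_gateway(SAMPLE_NETWORK_GATEWAY):
        print("-", problem)
```

Running the block as a script prints one line per problem in the sample map; a clean map returns an empty list, which makes the function easy to wire into a pre-deploy check in the pipeline that ships the configuration file.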

Primary Authentication Settings

Create a primary_auth YAML map. This section contains the settings for configuring Duo Network Gateway to authenticate with a SAML IdP.

These same settings can be configured in the Admin console. You can read how at Configure the Duo Network Gateway Authentication Source.

When configuring your SAML IdP to support Duo Network Gateway, you should use the following metadata information:

  • Entity ID: https://DNG-HOSTNAME/metadata/
  • Assertion Consumer Service URL: https://DNG-HOSTNAME/acs/
  • Single Logout Service URL: https://DNG-HOSTNAME/sls/
  • Audience Restriction: https://DNG-HOSTNAME/metadata/

  • entity_id (required) - Entity ID/Issuer ID of the SAML IdP. Example: 'https://idp.example.com/metadata/'
  • single_signon_url (required) - Single Sign-On URL of the SAML IdP. Example: 'https://idp.example.com/sso'
  • single_logout_url (optional) - Single Logout URL of the SAML IdP. Example: 'https://idp.example.com/slo'
  • signing_cert (required) - File contents of the PEM-formatted signing certificate. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjANBgk....
    -----END CERTIFICATE-----
  • enforced_email_domain (optional) - Enforces that only e-mail addresses within the given domain are allowed to log into Duo Network Gateway; applies when the username attribute you are using is an e-mail address. Example: 'example.com'
  • username_attribute (optional) - By default Duo Network Gateway uses the NameID field your SAML IdP sends to populate the username. Set this if your SAML IdP sends a different attribute that you'd like to use as the username. Example: 'User.Username'

Example Primary Authentication Configuration

primary_auth:
  entity_id: 'https://idp.example.com/metadata/'
  single_signon_url: 'https://idp.example.com/sso'
  single_logout_url: 'https://idp.example.com/slo'
  signing_cert: |
    -----BEGIN CERTIFICATE-----
    MIIDQDCCAigCCQCL0eZVUgLJ5jANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJV
    UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
    CgwJQWNtZSBDb3JwMRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wHhcNMTgwOTE5
    MTkyMTIzWhcNMTkwOTE5MTkyMTIzWjBiMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
    TWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UECgwJQWNtZSBDb3Jw
    MRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCmlYsofv+lTbZwiKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX
    11vZE2OXHX6zYJpmaFgKo2KXICU0XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH359
    3Co+EaaqEYfeyh5WnOCsXEEXKk9CiOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwT
    o3hTcl7Y470Lwl58P2EfYGA6V7sSAAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+o
    vbKkBdi2PrsJLzFn7ZTv9OD/plv+w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNz
    aziaT6YDhFuWDAMhYtB5G1fGM7Zwi+O6uxqXAgMBAAEwDQYJKoZIhvcNAQELBQAD
    ggEBAJEPxlCk/VrBNe5RSwEaNZxj/7YidEC+oxews+NXl4AxWaj5HtQNrDiVicS5
    PDl7stlyFoE+AxLsPf1OW0wxePFukkptbGwnI7+8omMbTnJY0vWWnKVcqBK39IfK
    sbaJfMTa0C9OsoUeFuvI6D5yI8x0PdZBK7hbKihr9UYZWD03rlRdflTNYRIKDCFf
    SBehDZgkandk7sM2BNkAdvOmkCWCrZeG5dgsQo9VRaCQ8rCmzE+Hqxtcfj9yY0Zu
    7t484BDWx0X52nFo4JxKYFvWKyVl3vXwWl3DAZ7gmzEATfrMQt9NVTKAZXHI80MF
    UP9QURAtRcc/Zn1avcrZT+k1bl4=
    -----END CERTIFICATE-----
  enforced_email_domain: 'example.com'
  username_attribute: 'User.Username'

Web Applications Settings

The web_applications YAML map allows you to define internal web applications to protect with Duo Network Gateway. Create separate maps within web_applications for each internal web application. An example name might be "Example Application 1". All settings listed below should be within each entry in the web_applications map. All names must be unique; duplicate names will cause applications to override each other. You can repeat this for all the internal applications you want to protect.

These same settings can be configured in the Admin console. You can read how at Protect a Web Application with Duo Network Gateway.

External Settings

Below is a list of all the external settings for web applications.

  • external_hostname (required) - Public-facing hostname of the web application Duo Network Gateway is protecting (e.g. wiki.example.com). This hostname can be the same as the internal application hostname but is not required to match. Ensure that this hostname resolves to the external IP address of your Duo Network Gateway server. A wildcard external URL such as https://*.example.com can also be used; it automatically routes to this application all subdomains of example.com that are not already defined as a separate application in Duo Network Gateway. When using a wildcard URL the internal application must be able to distinguish between the various hostnames. Example: 'wiki.example.com'
  • allowlist_prefixes (optional) - A list of URL path prefixes that do not require Duo Network Gateway authentication to access. Example:
    allowlist_prefixes:
      - '/public'
      - '/api/v1/'
  • allowlist_suffixes (optional) - A list of URL path suffixes that do not require Duo Network Gateway authentication to access. Example:
    allowlist_suffixes:
      - '.jpg'
      - '.woff2'
  • allowlist_ips (optional) - Restricts the allowed suffixes and prefixes to specific IP addresses or IP ranges. Example:
    allowlist_ips:
      - '10.0.0.8'
      - '192.168.1.0/24'
      - '192.168.2.10-192.168.2.50'
  • session_duration (optional) - Maximum user session duration for this application, in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. Example: 960
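Because allowlisted prefixes and suffixes are paths that bypass Duo Network Gateway authentication, it helps to be able to reason about exactly which requests they exempt before committing a configuration. The following Python is an added example, not Duo's code: it models the three allowlist settings under the assumption that a path matches by plain string prefix or suffix and that allowlist_ips, when present, restricts the exemption to the listed source addresses. The application map is constructed here from the example values above. One thing the model makes visible: a bare prefix such as '/public' also matches '/publicadmin', so end a prefix with a slash when you mean a directory.

```python
import ipaddress

# Constructed sample: the External Settings of one web application, as parsed from YAML.
SAMPLE_APP = {
    "external_hostname": "wiki.example.com",
    "allowlist_prefixes": ["/public", "/api/v1/"],
    "allowlist_suffixes": [".jpg", ".woff2"],
    "allowlist_ips": ["10.0.0.8", "192.168.1.0/24", "192.168.2.10-192.168.2.50"],
}


def ip_in_entry(ip, entry):
    """Match one allowlist_ips entry: a single address, a CIDR block or a dash-separated range."""
    addr = ipaddress.ip_address(ip)
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != addr.version:
            return False  # an IPv4 range never contains an IPv6 address, and vice versa
        return lo <= addr <= hi
    # ip_network() accepts a bare address as a /32 (or /128) network
    return addr in ipaddress.ip_network(entry, strict=False)


def ip_allowlisted(ip, entries):
    return any(ip_in_entry(ip, e) for e in entries)


def bypasses_auth(app, path, client_ip):
    """True if a request for `path` from `client_ip` may skip DNG authentication.

    Assumed semantics, taken from the page's wording: a prefix or suffix match exempts
    the path, and allowlist_ips, when defined, limits that exemption to listed sources.
    """
    path_only = path.split("?", 1)[0]  # the query string is not part of the path
    matches_path = any(path_only.startswith(p) for p in app.get("allowlist_prefixes", [])) or any(
        path_only.endswith(s) for s in app.get("allowlist_suffixes", [])
    )
    if not matches_path:
        return False
    ips = app.get("allowlist_ips")
    if not ips:
        return True  # no IP restriction configured: the path alone decides
    return ip_allowlisted(client_ip, ips)


def exempt_requests(app, requests):
    """Report which (path, client_ip) pairs would bypass authentication; handy for a config review."""
    return [(path, ip) for path, ip in requests if bypasses_auth(app, path, ip)]


if __name__ == "__main__":
    # Constructed request sample to exercise the rules.
    sample = [
        ("/public/index.html", "10.0.0.8"),
        ("/public/index.html", "10.0.0.9"),
        ("/publicadmin", "10.0.0.8"),  # caught by the bare '/public' prefix
        ("/assets/logo.jpg", "192.168.2.33"),
        ("/assets/logo.jpg", "192.168.2.51"),
        ("/admin", "10.0.0.8"),
    ]
    for path, ip in exempt_requests(SAMPLE_APP, sample):
        print(f"bypasses authentication: {path} from {ip}")
```

Feeding the allowlist of each web application through exempt_requests with a few representative paths (including ones you expect to stay protected) is a cheap review step for a configuration that is about to be deployed from source control.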

external_ssl_cert

Create an external_ssl_cert map within the Example Application 1 map. All settings listed below should be within the external_ssl_cert map.

  • source (required) - Type of SSL certificate that will be used for the external hostname of the web application. One of:
      • 'own': Certificate provided in the configuration file.
      • 'letsencrypt': Use the Let's Encrypt service to generate a certificate. Only works in standalone mode and does not work with wildcard external URLs.
      • 'selfsigned': Generates a self-signed certificate. Only works in High Availability mode.
  • cert (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file, ordered from top to bottom: certificate, issuing certificates, and root certificate. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjAN...
    -----END CERTIFICATE-----
  • key (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. Example:
    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w....
    -----END PRIVATE KEY-----

Internal Hostname Settings

Below is a list of all the internal settings for a web application. These settings must appear within each application map inside the web_applications map.

  • internal_hostname (required) - Internal hostname or IP address of the web application Duo Network Gateway is protecting. If you used the same hostname for the application's internal and external hostnames, ensure that an internal DNS record for this hostname exists and points to the internal application server IP. Example: 'wiki.internal.example.com' or '10.1.10.123'
  • internal_port (required) - Port used by the internal application you're protecting; typically 80 for HTTP and 443 for HTTPS. Example: 443
  • internal_use_ssl (required) - If true, Duo Network Gateway uses SSL to connect to the internal application. Example: true
  • internal_trusted_cert (required only if internal_use_ssl is true and the protected internal web application does not use a publicly trusted certificate) - Certificate used when communicating with the protected internal application. Duo Network Gateway automatically checks your internal application's certificate against a list of trusted public certificate authorities. If you use a private certificate authority, or still get an error when trying to access your application, provide a Base64-encoded X.509 (pem, cer, or crt) copy of the root CA certificate at the top of the internal application's certificate chain. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjAN...
    -----END CERTIFICATE-----
  • proxy_buffer_size (optional) - Proxy buffer size. The default value is 64KB. We recommend keeping the default unless the protected application uses websockets and the DNG is hitting memory capacity limits. Refer to Duo KB article 8819 for more information about tuning. Requires Duo Network Gateway version 3.1.0 or later. Example: 64
  • use_internal_name_for_host_header (optional) - When true, Duo Network Gateway sets the HTTP Host header sent to the internal application to the internal_hostname value; otherwise it uses the external_hostname value. Example: true
  • use_internal_name_for_sni (optional) - Only used if internal_use_ssl is true. When true, sends the internal_hostname value as the SNI and Host header and uses it to validate the SSL certificate sent by the internal host. The default is false, in which case the external_hostname value is used. If use_internal_name_for_host_header is defined, that setting decides the Host header value. Example: true
  • add_x_forwarded_host (optional) - Required by some applications that generate absolute URLs when external_hostname and internal_hostname differ. Note that applications will break if multiple proxies add this header. Default is false. Example: true
  • add_x_forwarded_proto (optional) - Required by some applications that generate absolute URLs. Note that some applications will break if multiple proxies add this header. Default is false. Example: true
  • upstream_response_timeout (optional) - Time in seconds an upstream server is permitted to take to respond to a request. The default value is 180. Example: 180
  • client_max_body_size (optional) - Maximum client-to-server upload size, in megabytes, that the upstream server will allow. The default value is 128. Requires Duo Network Gateway version 1.5.12 or later. Example: 128

Duo 2FA

Create a duo_2fa map within the "Example Application 1" map. All settings listed below should be within the duo_2fa map.

  • ikey (required) - Integration key from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. Example: 'XXXXXXXXXXXXXXXXXXXX'
  • skey (required) - Secret key from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. Example: 'XXXXXXXXXXXXXXXXX...'
  • apihost (required) - API hostname from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. Example: 'api-xxxxxxxx.duosecurity.com'
  • enable_frameless (optional) - Turns on frameless support for the Duo Universal Prompt. Defaults to false. Requires Duo Network Gateway version 1.5.10 or later. Example: true or false

Example Web Application Configuration

web_applications:
  "Example Application 1":
    external_hostname: 'wiki.example.com'
    allowlist_prefixes:
      - '/public'
      - '/api/v1'
    allowlist_suffixes:
      - '.jpg'
      - '.woff2'
    allowlist_ips:
      - '10.0.0.8'
      - '192.168.1.0/24'
      - '192.168.2.10-192.168.2.50'
    session_duration: 960
    external_ssl_cert:
      source: 'own'
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
        UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
        LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
        MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
        BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
        AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
        d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
        VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
        kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
        6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
        +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
        vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
        0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
        uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
        SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
        j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
        PiaHEDNKPiOj+ZAJhHqEZg==
        -----END CERTIFICATE-----
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDFZ25lk3KGLvq
        reOpCfmX5VnV6oyOijpdLEK4NLh27GfvZybizXZOuXdGu9F6rdjMFNIl/l/04Ezd
        9wiFjufKRjXxr/3n2mEUQvI8WSkgZaS/Q1RDrkG8P1UF/zhjO0vzkbRtsxY0Y8/d
        4IRt5rS5qVlEZHh/8WD5QOVXOxKtTlIlkPrAxeO48pGwOPtv3Z0zn90rVOpIPDv0
        W1yyNG4DY1cHnM32KEPbx2vH+9Nd/6D2oSNyBnLvxOnb2u0y5GsiECzg0lk4QA69
        TIjXDu3TuRTEcBnYgKpsxMTcYU3H/PKMOh/Od44sFfqJph/S+7koByVw7eF/LIyG
        cnUGgqntAgMBAAECggEAWvA6pAaSoIDDKHSCyYui09HP/M3nU5LP/hrhxyicTKOL
        F6hIEjWgzrXaChkHX16mzwttotRfOrFMY7QCPvAM0NfF0bIuc+PymRVUAhm1+Cop
        kBb8ssgKUIxdP/xm9qrvjsz/BJwU37sfbNh6IxkGaf2tZRpIqauFfutnfTBGVo55
        j4USVZjpiuMKIJ+EBlNqUdgynyiQdnzqBBuWegBhq9k7NaSTIatmBtUVvr3SqwL4
        hYZshQih5rjFJZe6qTw/ucKXGgpFs4vocaLOJoQQMGUiD4QxThwVqtanjdraz278
        yTgIgVXS0yaH9omJHYu1K4EqabloXq7X/SRS9OLCAQKBgQDjRnTb5PyiXXMaqRTA
        xBDKuQsxYIjOmCdBZRFSe4rE6L3+HFKrE8DlcuN3eNL5TkV6sY7X7dXftqmLSl03
        cAMxI35cMrR9zZyZyuTr34rqgY1NA9HgqyrCzdzZr1QUohQtcNGD8+3tWBZF91kY
        yTqHzh8vMAEaMigny0LGVyPsrQKBgQDbvZ6G2FcMEG15PjL9IcHsU/q/rJqJeEuL
        DQE/toekRoOzzE2h6y5n9e2nN6ZVnx+qR4+JpeZoKCQI/eIygp3YfPMc8mqeC4yD
        Zbc9KLPnzFYG5XyUkEnKIhiNGeRokyYXPkLnBmCiJNoFV8f+g+g4LcrikhNTCkEX
        JunC4wIaQQKBgAPOyGJuwbTOsAEAWDKqlkVvODrJjUE411+HG/Uv0LFf3N8HBnOL
        Ty4I8LqtsYsvvoZBt0zy1SR8YPbOdiVZoRQPrixJRTDeYwNInPE+u4sWRJHHwJpt
        A7hjzpFvGI+H76KbQ0dcrN3PHgBqFnoN1Qc1ctxNh5cyw+12wFWmXBm5AoGBAIDK
        Cz7HT4V/n1ofTW01Ot6TffSXal/GBKiz75ZzGd77gTeBN8L9/03pQuft4uxt/fYk
        SQmJFZjYZf5rJwcprO/0k9zUbA7DgBCHLjWHRKJIDeeu2yyLwOPaxf71PPzZucqH
        sFiNUVfXN31ILKyMjS9YD4Bp0y+pY+r44Ktbt6DBAoGBANXBik7QIV0NMAzPjCGH
        tKmCJV4lXUkLcrfVAhc02zrx1jAnwrP2RezWccITRhxZaOc8NhWEl3+xYGf6nPDZ
        h6x5gVq10DyXld9ZpA81MeJD9Kfkk4MReRfksgXtngWC+73rQ4V8ONyF4ED57sEr
        uZs4L5+q9LruO8eWf7U2KD7N
        -----END PRIVATE KEY-----
    internal_hostname: 'wiki.internal.example.com'
    internal_port: '443'
    internal_use_ssl: true
    internal_trusted_cert: |
      -----BEGIN CERTIFICATE-----
      MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
      UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
      LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
      MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
      BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
      AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
      d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
      VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
      kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
      6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
      +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
      vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
      0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
      uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
      SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
      j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
      PiaHEDNKPiOj+ZAJhHqEZg==
      -----END CERTIFICATE-----
    use_internal_name_for_host_header: false
    use_internal_name_for_sni: true
    add_x_forwarded_host: false
    add_x_forwarded_proto: false
    upstream_response_timeout: 180
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

SSH Servers Settings

The ssh_servers YAML map allows you to define SSH servers to protect with Duo Network Gateway. Create separate maps within ssh_servers for each set of SSH servers you'd like to protect. An example name might be "Engineering SSH Servers". All settings listed below should be within each entry in the ssh_servers map. All names must be unique; duplicate names will cause sets of SSH servers to override each other. You can repeat this for all the SSH server sets you want to protect.

These same settings can be configured in the Admin console. You can read how at Protect SSH Servers with Duo Network Gateway.

External Settings

Below is a list of all the external settings for protecting SSH servers.

  • external_hostname (required) - The external hostname that users' computers connect to on the Duo Network Gateway. A group of SSH servers can be protected behind one external hostname; for example, SSH servers used by the engineering team might use "engineering-ssh.example.com". Example: 'engineering-ssh.example.com'
  • session_duration (optional) - Maximum user session duration for this application, in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. Example: 960

external_ssl_cert

Create an external_ssl_cert map within each entry in the ssh_servers map (for example, within the "Engineering SSH Servers" map). All settings listed below should be within the external_ssl_cert map.

  • source (required) - Type of SSL certificate that will be used for the external hostname of this set of SSH servers. One of:
      • 'own': Certificate provided in the configuration file.
      • 'letsencrypt': Use the Let's Encrypt service to generate a certificate. Only works in standalone mode.
      • 'selfsigned': Generates a self-signed certificate. Only works in High Availability mode.
  • cert (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file, ordered from top to bottom: certificate, issuing certificates, and root certificate. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjAN...
    -----END CERTIFICATE-----
  • key (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. Example:
    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w....
    -----END PRIVATE KEY-----

Internal SSH Server Settings

Create an internal_servers YAML list within each entry in the ssh_servers map. Below are settings for defining which SSH servers you will be protecting with this application.

  • host_pattern (required) - A hostname, a hostname with wildcards, an IP address, a range of IP addresses, or a CIDR block identifying the internal SSH servers you want to protect. Wildcards do not match sub-domains (e.g. "*.example.com" matches "server.example.com" but not "server.internal.example.com"). Wildcards match domain names, not IP addresses: for example, the pattern 192.168.1.* matches the domain name 192.168.1.com but not the IP address 192.168.1.1. Example: '*.example.com'
  • ports (required) - The port(s) the servers listen on for SSH connections. You may enter a single port or a range of ports, and you can specify multiple ports or ranges by separating them with commas. Example: '22, 23-30'

Duo 2FA

Create a duo_2fa map within each entry in the ssh_servers map. All settings listed below should be within the duo_2fa map.

  • ikey (required) - Integration key from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. Example: 'XXXXXXXXXXXXXXXXXXXX'
  • skey (required) - Secret key from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. Example: 'XXXXXXXXXXXXXXXXX...'
  • apihost (required) - API hostname from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. Example: 'api-xxxxxxxx.duosecurity.com'
  • enable_frameless (optional) - Turns on frameless support for the Duo Universal Prompt. Defaults to false. Requires Duo Network Gateway version 1.5.10 or later. Example: true or false

Example SSH Servers Configuration

ssh_servers:
  "Engineering Servers":
    external_hostname: 'engineering-ssh.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: '*.example.com'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.3.0/24'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.1.8'
        ports: '3334'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

Application Relays Settings

The application_relays YAML map allows you to define Remote Desktop Protocol (RDP) servers to protect with Duo Network Gateway. Create separate maps within application_relays for each set of RDP servers to protect. An example name might be "Engineering RDP Servers". All settings listed below should be within each entry in the application_relays map. All names must be unique; duplicate names will cause RDP server sets to override each other. You can repeat this for all the RDP server sets you want to protect.

These same settings can be configured in the Admin console. You can read how at Protect RDP Servers with Duo Network Gateway.

Requires Duo Network Gateway version 1.6.0 or later.

External Settings

Below is a list of all the external settings for application relays.

  • application_type (required) - Pre-populates the ports parameter if it is not defined. Supported application types:
      • 'custom': port(s) must be defined in the 'ports' field for all internal_servers entries in the application_relays map.
      • 'rdp': uses the RDP default of 3389 as the value of the 'ports' field for all internal_servers entries in the application_relays map. This can be overridden with custom port values if needed.
    Example: 'custom' or 'rdp'
  • external_hostname (required) - The external hostname that users' computers connect to on the Duo Network Gateway. A group of RDP hosts can be protected behind one external hostname; for example, RDP hosts used by the engineering team might use "engineering-rdp.example.com". Example: 'engineering-rdp.example.com'
  • session_duration (optional) - Maximum user session duration for this application, in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. Example: 960

external_ssl_cert

Create an external_ssl_cert map within each entry in the application_relays map (for example, within the "Engineering RDP Servers" map). All settings listed below should be within the external_ssl_cert map.

  • source (required) - Type of SSL certificate that will be used for the external hostname of the RDP application relay. One of:
      • 'own': Certificate provided in the configuration file.
      • 'letsencrypt': Use the Let's Encrypt service to generate a certificate. Only works in standalone mode.
      • 'selfsigned': Generates a self-signed certificate. Only works in High Availability mode.
  • cert (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file, ordered from top to bottom: certificate, issuing certificates, and root certificate. Example:
    -----BEGIN CERTIFICATE-----
    MIICNTCCAZ4CCQD9Hx0iff2ZjjAN...
    -----END CERTIFICATE-----
  • key (required only if source is 'own') - Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. Example:
    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w....
    -----END PRIVATE KEY-----

Internal RDP Server Settings

Create an internal_servers YAML list within each entry in the application_relays map. Below are settings for defining which RDP hosts you will be protecting with this application.

  • host_pattern (required) - A hostname or a hostname with wildcards. Wildcards do not match sub-domains (e.g. "*.example.com" matches "rdp.example.com" but not "rdp.internal.example.com"). Example: 'rdp.internal.example.com'
  • ports (required only if application_type is not 'rdp') - If application_type is 'rdp', port 3389, the default port for Remote Desktop, is used and 'ports' does not need to be defined. Otherwise enter the port(s) the servers listen on for RDP connections. You may enter a single port or a range of ports, and you can specify multiple ports or ranges by separating them with commas. Example: '3389, 3391-3395'

Duo 2FA

Create a duo_2fa map within each entry in the application_relays map. All settings listed below should be within the duo_2fa map.

Setting Required Description Example Values
ikey Y Integration key from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. 'XXXXXXXXXXXXXXXXXXXX'
skey Y Secret key from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. 'XXXXXXXXXXXXXXXXX...'
apihost Y API hostname from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. 'api-xxxxxxxx.duosecurity.com'
enable_frameless N Turns on frameless support for Duo Universal Prompt. Defaults to false. Requires Duo Network Gateway version 1.5.10 or later. true or false

Example Application Relays Configuration

application_relays:
  "Engineering RDP Servers":
    application_type: 'rdp'
    external_hostname: 'engineering-rdp.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: 'rdp1.internal.example.com'
      - host_pattern: 'rdp2.internal.example.com'
        ports: '3389, 3390'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

Subdomains Settings

The subdomains YAML map allows you to define "external" subdomains for which Duo Network Gateway will expect to receive Domain Name Service (DNS) queries, and correlate each with an "internal" subdomain that is resolvable within your local network.

These same settings can be configured in the Admin console. You can read how at Protect RDP Servers with Duo Network Gateway.

Requires Duo Network Gateway version 1.6.0 or later.

Feature Flag Settings

The feature flag YAML map allows you to enable on-demand features.

These same settings can be configured in the CLI and API.

Requires Duo Network Gateway version 3.1.0 or later.

Setting Required Description Example Values
worker_thread_shutdown_timer N Configures a timeout, in minutes, after which NGINX forcibly shuts down old worker processes. By default this field is not set: NGINX gracefully shuts down old worker processes and does not terminate a process until all of its connections have closed. When configured, once the timeout has expired NGINX forcibly closes any remaining connections in the old worker process. A value of 0 unsets the field and returns this feature to the default behavior. 1

External Settings

Each entry in the subdomains YAML array includes two keys:

Setting Required Description Example Values
external_subdomain Y A subdomain delegated to Duo Network Gateway through an NS record. 'external.example.com' or 'eng-ext.example.com'
internal_subdomain Y The corresponding internal subdomain to which protected RDP hosts belong. 'internal.example.com' or 'eng.example.com'

Example Subdomains Configuration

subdomains:
  - external_subdomain: 'external.example.com'
    internal_subdomain: 'internal.example.com'
  - external_subdomain: 'eng-ext.example.com'
    internal_subdomain: 'eng.example.com'

Example Configuration

Below is a complete configuration file using all of the examples from above, compatible with Duo Network Gateway 1.6.0 and later:

network_gateway:
  hostname: 'dng.example.com'
  enable_ui: true
  password: 'P@ssw0rd'
  admin_email: 'admin@example.com'
  load_balancer_cidrs_ips:
    - '10.64.0.0/16'
    - '10.65.0.0'
  ssl_cert:
    source: 'own'
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDQDCCAigCCQCL0eZVUgLJ5jANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJV
      UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
      CgwJQWNtZSBDb3JwMRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wHhcNMTgwOTE5
      MTkyMTIzWhcNMTkwOTE5MTkyMTIzWjBiMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
      TWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UECgwJQWNtZSBDb3Jw
      MRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
      DwAwggEKAoIBAQCmlYsofv+lTbZwiKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX
      11vZE2OXHX6zYJpmaFgKo2KXICU0XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH359
      3Co+EaaqEYfeyh5WnOCsXEEXKk9CiOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwT
      o3hTcl7Y470Lwl58P2EfYGA6V7sSAAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+o
      vbKkBdi2PrsJLzFn7ZTv9OD/plv+w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNz
      aziaT6YDhFuWDAMhYtB5G1fGM7Zwi+O6uxqXAgMBAAEwDQYJKoZIhvcNAQELBQAD
      ggEBAJEPxlCk/VrBNe5RSwEaNZxj/7YidEC+oxews+NXl4AxWaj5HtQNrDiVicS5
      PDl7stlyFoE+AxLsPf1OW0wxePFukkptbGwnI7+8omMbTnJY0vWWnKVcqBK39IfK
      sbaJfMTa0C9OsoUeFuvI6D5yI8x0PdZBK7hbKihr9UYZWD03rlRdflTNYRIKDCFf
      SBehDZgkandk7sM2BNkAdvOmkCWCrZeG5dgsQo9VRaCQ8rCmzE+Hqxtcfj9yY0Zu
      7t484BDWx0X52nFo4JxKYFvWKyVl3vXwWl3DAZ7gmzEATfrMQt9NVTKAZXHI80MF
      UP9QURAtRcc/Zn1avcrZT+k1bl4=
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmlYsofv+lTbZw
      iKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX11vZE2OXHX6zYJpmaFgKo2KXICU0
      XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH3593Co+EaaqEYfeyh5WnOCsXEEXKk9C
      iOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwTo3hTcl7Y470Lwl58P2EfYGA6V7sS
      AAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+ovbKkBdi2PrsJLzFn7ZTv9OD/plv+
      w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNzaziaT6YDhFuWDAMhYtB5G1fGM7Zw
      i+O6uxqXAgMBAAECggEBAKEjuVfz+ZFKqjcTS111ytfDpZQntImWb2+kWZzCyh93
      hCjrJm6pCRTj14tfIaecw95aAwhPYdg0ZSjSQSZU0IKOiR21S8T1xfkP16QW3Clu
      UFej1HUlGsutwV1z1c2iEFTSLdcs6l3hNIh06k9Ve7BQchJIcu72I6x1DSVra7TN
      MmJ8rry5zZAbf4J192+iMIpquuxSrDfszVZujMRCdpDePbB/69xVfUWaTm/iOA3E
      U306W/7HjIhsSwIwR13eun6QfHmsYmIwOzAuwKQdcuDYundtAqs6TcC9ynqm8AxB
      T4tfE53ALDReMNwAcWUM9s9akCf8M/dFbFPxVwgh20ECgYEAzpkGgJq7816ezxn5
      Xr1jMvg4RYebqNTRsA3TxLeR9VbZSJhGbH2IwHMk6ccyaqQg060hQBTivorfWcQK
      rHKHrKaqmkNMD/Pa3mnr0q+rtcUUQXlDeK3a3uBHWorxp2auknnQQqAPpxTVTEf+
      BGoAXjBeRq/59SFoL0wD5trVL6ECgYEAzmsRTjnWiaUg932arOoyw/l6GPGPECMW
      ZgoxvWknWwxo4H4sQm78YRxFxv9aUn+T2X8daA5wnnsjKaNDk9XjQwphhAUpHgDW
      OwbQN7TFBOFDkh6O0EVjcdiR3dMQgbDJTLjJ7xUC26fyOQfWQia//2116nxPj+Go
      JJwbXXUtfzcCgYBC1jrGTEjV2Ryjf5GvVrHLAYai59Yx7nfP7wk9sO2lY210EN9n
      pc0iBZ5Bi1ICMgr0sCP7qUYZwq+zSLrzQzIlZt32fiMTXh7GqZnDVVXFvnZpICP1
      3LjcNc6fuienso5zkLkRdNrbgN/oh7nkD68Cyb8WO0QwS5h7BKqWeuFRQQKBgQCo
      x60PzIUaaVYKZ76YkqrNyWjHioSTCk2fQ8il+pw+e2gp36Eq9PsSIH8BlvvwpvZq
      ieCum9gEDeWTfzabY/F+eLeBroKPUNnay9hnJD1QnyyUBr55l7MXfKDQw2sk0DvY
      quQaxJBgsPODJGBSGMM3BPa8s8aOfFHzFV3ezhhUgwKBgGCx9pQ6NRK7LXJQ4NXA
      IzRLIEwUrfp8aAHVrOw3CxNB5v25PWcPB/864rJDh6xtbq72XbgygFGK4kjH2Hh7
      CaxivC48dkTiARirNDxR5XcJpVQQXl8BSRoRSiI8YBtZR2Lkg5NMiFASXplfNQKl
      NILod7CVavIYKYmNtAGw7z4s
      -----END PRIVATE KEY-----

primary_auth:
  entity_id: 'https://idp.example.com/metadata/'
  single_signon_url: 'https://idp.example.com/sso'
  single_logout_url: 'https://idp.example.com/slo'
  signing_cert: |
    -----BEGIN CERTIFICATE-----
    MIIDQDCCAigCCQCL0eZVUgLJ5jANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJV
    UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
    CgwJQWNtZSBDb3JwMRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wHhcNMTgwOTE5
    MTkyMTIzWhcNMTkwOTE5MTkyMTIzWjBiMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
    TWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UECgwJQWNtZSBDb3Jw
    MRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCmlYsofv+lTbZwiKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX
    11vZE2OXHX6zYJpmaFgKo2KXICU0XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH359
    3Co+EaaqEYfeyh5WnOCsXEEXKk9CiOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwT
    o3hTcl7Y470Lwl58P2EfYGA6V7sSAAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+o
    vbKkBdi2PrsJLzFn7ZTv9OD/plv+w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNz
    aziaT6YDhFuWDAMhYtB5G1fGM7Zwi+O6uxqXAgMBAAEwDQYJKoZIhvcNAQELBQAD
    ggEBAJEPxlCk/VrBNe5RSwEaNZxj/7YidEC+oxews+NXl4AxWaj5HtQNrDiVicS5
    PDl7stlyFoE+AxLsPf1OW0wxePFukkptbGwnI7+8omMbTnJY0vWWnKVcqBK39IfK
    sbaJfMTa0C9OsoUeFuvI6D5yI8x0PdZBK7hbKihr9UYZWD03rlRdflTNYRIKDCFf
    SBehDZgkandk7sM2BNkAdvOmkCWCrZeG5dgsQo9VRaCQ8rCmzE+Hqxtcfj9yY0Zu
    7t484BDWx0X52nFo4JxKYFvWKyVl3vXwWl3DAZ7gmzEATfrMQt9NVTKAZXHI80MF
    UP9QURAtRcc/Zn1avcrZT+k1bl4=
    -----END CERTIFICATE-----
  enforced_email_domain: 'example.com'
  username_attribute: 'User.Username'

web_applications:
  "Example Application 1":
    external_hostname: 'wiki.example.com'
    allowlist_prefixes:
        - '/public'
        - '/api/v1'
    allowlist_suffixes:
      - '.jpg'
      - '.woff2'
    allowlist_ips:
      - '10.0.0.8'
      - '192.168.1.0/24'
      - '192.168.2.10-192.168.2.50'
    session_duration: 960
    external_ssl_cert:
      source: 'own'
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
        UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
        LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
        MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
        BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
        AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
        d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
        VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
        kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
        6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
        +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
        vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
        0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
        uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
        SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
        j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
        PiaHEDNKPiOj+ZAJhHqEZg==
        -----END CERTIFICATE-----
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDDFZ25lk3KGLvq
        reOpCfmX5VnV6oyOijpdLEK4NLh27GfvZybizXZOuXdGu9F6rdjMFNIl/l/04Ezd
        9wiFjufKRjXxr/3n2mEUQvI8WSkgZaS/Q1RDrkG8P1UF/zhjO0vzkbRtsxY0Y8/d
        4IRt5rS5qVlEZHh/8WD5QOVXOxKtTlIlkPrAxeO48pGwOPtv3Z0zn90rVOpIPDv0
        W1yyNG4DY1cHnM32KEPbx2vH+9Nd/6D2oSNyBnLvxOnb2u0y5GsiECzg0lk4QA69
        TIjXDu3TuRTEcBnYgKpsxMTcYU3H/PKMOh/Od44sFfqJph/S+7koByVw7eF/LIyG
        cnUGgqntAgMBAAECggEAWvA6pAaSoIDDKHSCyYui09HP/M3nU5LP/hrhxyicTKOL
        F6hIEjWgzrXaChkHX16mzwttotRfOrFMY7QCPvAM0NfF0bIuc+PymRVUAhm1+Cop
        kBb8ssgKUIxdP/xm9qrvjsz/BJwU37sfbNh6IxkGaf2tZRpIqauFfutnfTBGVo55
        j4USVZjpiuMKIJ+EBlNqUdgynyiQdnzqBBuWegBhq9k7NaSTIatmBtUVvr3SqwL4
        hYZshQih5rjFJZe6qTw/ucKXGgpFs4vocaLOJoQQMGUiD4QxThwVqtanjdraz278
        yTgIgVXS0yaH9omJHYu1K4EqabloXq7X/SRS9OLCAQKBgQDjRnTb5PyiXXMaqRTA
        xBDKuQsxYIjOmCdBZRFSe4rE6L3+HFKrE8DlcuN3eNL5TkV6sY7X7dXftqmLSl03
        cAMxI35cMrR9zZyZyuTr34rqgY1NA9HgqyrCzdzZr1QUohQtcNGD8+3tWBZF91kY
        yTqHzh8vMAEaMigny0LGVyPsrQKBgQDbvZ6G2FcMEG15PjL9IcHsU/q/rJqJeEuL
        DQE/toekRoOzzE2h6y5n9e2nN6ZVnx+qR4+JpeZoKCQI/eIygp3YfPMc8mqeC4yD
        Zbc9KLPnzFYG5XyUkEnKIhiNGeRokyYXPkLnBmCiJNoFV8f+g+g4LcrikhNTCkEX
        JunC4wIaQQKBgAPOyGJuwbTOsAEAWDKqlkVvODrJjUE411+HG/Uv0LFf3N8HBnOL
        Ty4I8LqtsYsvvoZBt0zy1SR8YPbOdiVZoRQPrixJRTDeYwNInPE+u4sWRJHHwJpt
        A7hjzpFvGI+H76KbQ0dcrN3PHgBqFnoN1Qc1ctxNh5cyw+12wFWmXBm5AoGBAIDK
        Cz7HT4V/n1ofTW01Ot6TffSXal/GBKiz75ZzGd77gTeBN8L9/03pQuft4uxt/fYk
        SQmJFZjYZf5rJwcprO/0k9zUbA7DgBCHLjWHRKJIDeeu2yyLwOPaxf71PPzZucqH
        sFiNUVfXN31ILKyMjS9YD4Bp0y+pY+r44Ktbt6DBAoGBANXBik7QIV0NMAzPjCGH
        tKmCJV4lXUkLcrfVAhc02zrx1jAnwrP2RezWccITRhxZaOc8NhWEl3+xYGf6nPDZ
        h6x5gVq10DyXld9ZpA81MeJD9Kfkk4MReRfksgXtngWC+73rQ4V8ONyF4ED57sEr
        uZs4L5+q9LruO8eWf7U2KD7N
        -----END PRIVATE KEY-----
    internal_hostname: 'wiki.internal.example.com'
    internal_port: '443'
    internal_use_ssl: true
    internal_trusted_cert: |
      -----BEGIN CERTIFICATE-----
      MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
      UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
      LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
      MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
      BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
      AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
      d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
      VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
      kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
      6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
      +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
      vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
      0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
      uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
      SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
      j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
      PiaHEDNKPiOj+ZAJhHqEZg==
      -----END CERTIFICATE-----
    use_internal_name_for_host_header: false
    use_internal_name_for_sni: true
    add_x_forwarded_host: false
    add_x_forwarded_proto: false
    upstream_response_timeout: 180
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

ssh_servers:
  "Engineering Servers":
    external_hostname: 'engineering-ssh.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: '*.example.com'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.3.0/24'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.1.8'
        ports: '3334'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

application_relays:
  "Engineering RDP Servers":
    application_type: 'rdp'
    external_hostname: 'engineering-rdp.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: 'rdp1.internal.example.com'
      - host_pattern: 'rdp2.internal.example.com'
        ports: '3389, 3390'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true

subdomains:
  - external_subdomain: 'external.example.com'
    internal_subdomain: 'internal.example.com'
  - external_subdomain: 'eng-ext.example.com'
    internal_subdomain: 'eng.example.com'

Scripted Configuration Template

Download a scripted configuration template YAML file with comments to help get started in creating your scripted configuration file.

Using Scripted Configuration

Once you have a complete configuration file, you are ready to load it into Duo Network Gateway.

Scripted configuration will override all previous data saved in the Duo Network Gateway. Please make sure your scripted configuration file is complete with all settings and applications you'd like to use. You may want to create a backup of your existing Duo Network Gateway configuration before continuing.

  1. Copy your scripted configuration YAML file to your Duo Network Gateway server.

    Important: Secure this file as you would any other sensitive or password information. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
  2. Connect to your Duo Network Gateway server through a terminal.

    • Note: If you're running your Duo Network Gateway in Active / Active High Availability you will need to connect to the Admin server.
  3. Run the following command to load the configuration file into the Duo Network Gateway:

    docker exec -i network-gateway-admin set-config < dng_config.yml
  4. If the terminal returns no error messages, the configuration was successfully loaded.