Scripted Configuration allows you to configure Duo Network Gateway using a configuration file so that you can store your settings locally in source control, automatically deploy, and make changes to Duo Network Gateway without having to access the Admin console.
Getting started with Scripted Configuration
Duo Network Gateway can be configured by using the Admin console or by creating a configuration file and sending it to the Duo Network Gateway.
Using a configuration file lets you manage your Duo Network Gateway configuration offline in source control and automatically deploy, configure, and update Duo Network Gateway through automation without having to access the Admin console. Because the file carries the admin console password, any private keys you supply, and the Duo secret keys for every protected application, treat it as a credential: keep it only in access-controlled source control and secure the copy on the server before loading it.
The Duo Network Gateway configuration file uses the YAML Ain't Markup Language (YAML) format.
Configuration Options
The configuration file may contain the following main YAML maps:
- network_gateway - Main Duo Network Gateway settings.
- primary_auth - First-factor SAML authentication settings.
- web_applications - Protected web applications.
- ssh_servers - Protected SSH servers.
- application_relays - Protected RDP servers.
- subdomains - DNS information for RDP.
- Feature flag settings - On-demand features (see Feature Flag Settings below).
Network Gateway Settings
Create a network_gateway YAML map. This will contain configuration settings for the main Duo Network Gateway site such as hostname and SSL certificates.
These same settings can be configured in the Admin console. You can read how at Initial Duo Network Gateway Configuration.
Setting | Required | Description | Example Values |
---|---|---|---|
hostname | Y | Hostname of the Duo Network Gateway server. | 'dng.example.com' |
enable_ui | Y | Toggle if the Duo Network Gateway admin console is enabled. If false, the admin console will be disabled. | true or false |
password | Only if enable_ui is true | Password that will be used for the Duo Network Gateway admin console login. It must meet the admin console's minimum password requirements. | 'P@ssw0rd' |
admin_email | Y | Administrator e-mail. | 'admin@example.com' |
load_balancer_cidrs_ips | N | A list of IP addresses or CIDR blocks for load balancers in front of the Duo Network Gateway. | load_balancer_cidrs_ips: ['10.64.0.0/16', '10.65.0.0'] |
ssl_cert
Create an ssl_cert map within the network_gateway map. All settings listed below should be within the ssl_cert map.
Setting | Required | Description | Example Values |
---|---|---|---|
source | Y | Type of SSL certificate that will be associated with the hostname of the DNG. | 'own' or 'letsencrypt' |
cert | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the hostname. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjAN... |
key | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) private key for the hostname certificate. | -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w.... |
Example Duo Network Gateway Configuration
network_gateway:
  hostname: 'dng.example.com'
  enable_ui: true
  password: 'P@ssw0rd'
  admin_email: 'admin@example.com'
  load_balancer_cidrs_ips:
    - '10.64.0.0/16'
    - '10.65.0.0'
  ssl_cert:
    source: 'own'
    cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
Primary Authentication Settings
Create a primary_auth YAML map. This section contains the settings for configuring Duo Network Gateway to authenticate with a SAML IdP.
These same settings can be configured in the Admin console. You can read how at Configure the Duo Network Gateway Authentication Source.
When configuring your SAML IdP for Duo Network Gateway, use the following metadata information:
- Entity ID: https://DNG-HOSTNAME/metadata/
- Assertion Consumer Service URL: https://DNG-HOSTNAME/acs/
- Single Logout Service URL: https://DNG-HOSTNAME/sls/
- Audience Restriction: https://DNG-HOSTNAME/metadata/
Setting | Required | Description | Example Values |
---|---|---|---|
entity_id | Y | Entity ID/Issuer ID of the SAML IdP. | 'https://idp.example.com/metadata/' |
single_signon_url | Y | Single Sign On URL of the SAML IdP. | 'https://idp.example.com/sso' |
single_logout_url | N | Single Logout URL of the SAML IdP. | 'https://idp.example.com/slo' |
signing_cert | Y | File contents of the PEM formatted signing certificate. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjANBgk.... |
enforced_email_domain | N | Enforces that only e-mail addresses within the given domain are allowed to log into Duo Network Gateway, if the username attribute you are using is an e-mail address. | 'example.com' |
username_attribute | N | By default Duo Network Gateway uses the NameID field your SAML IdP sends to populate the username. Use this option if your SAML IdP sends a different attribute that you'd like to use as the username. | 'User.Username' |
Example Primary Authentication Configuration
primary_auth:
  entity_id: 'https://idp.example.com/metadata/'
  single_signon_url: 'https://idp.example.com/sso'
  single_logout_url: 'https://idp.example.com/slo'
  signing_cert: |
    -----BEGIN CERTIFICATE-----
    MIIDQDCCAigCCQCL0eZVUgLJ5jANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJV
    UzERMA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UE
    CgwJQWNtZSBDb3JwMRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wHhcNMTgwOTE5
    MTkyMTIzWhcNMTkwOTE5MTkyMTIzWjBiMQswCQYDVQQGEwJVUzERMA8GA1UECAwI
    TWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjESMBAGA1UECgwJQWNtZSBDb3Jw
    MRgwFgYDVQQDDA9kbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQCmlYsofv+lTbZwiKlhVCUHO/4TuDQ+N02JixmWGLN3LVnpZDqX
    11vZE2OXHX6zYJpmaFgKo2KXICU0XmNdm9ct+pRW2LwXUIdrYur7JOPFMrLHH359
    3Co+EaaqEYfeyh5WnOCsXEEXKk9CiOWtGHBp8jDlq07qZ3Xnqzy1L+KaX4enHDwT
    o3hTcl7Y470Lwl58P2EfYGA6V7sSAAmSSUxlMzSSOoF0gccfJVCbdP+G6LiyK4+o
    vbKkBdi2PrsJLzFn7ZTv9OD/plv+w9JKGo75XceyfMbq/DjzE78O6Q7aNvMIKeNz
    aziaT6YDhFuWDAMhYtB5G1fGM7Zwi+O6uxqXAgMBAAEwDQYJKoZIhvcNAQELBQAD
    ggEBAJEPxlCk/VrBNe5RSwEaNZxj/7YidEC+oxews+NXl4AxWaj5HtQNrDiVicS5
    PDl7stlyFoE+AxLsPf1OW0wxePFukkptbGwnI7+8omMbTnJY0vWWnKVcqBK39IfK
    sbaJfMTa0C9OsoUeFuvI6D5yI8x0PdZBK7hbKihr9UYZWD03rlRdflTNYRIKDCFf
    SBehDZgkandk7sM2BNkAdvOmkCWCrZeG5dgsQo9VRaCQ8rCmzE+Hqxtcfj9yY0Zu
    7t484BDWx0X52nFo4JxKYFvWKyVl3vXwWl3DAZ7gmzEATfrMQt9NVTKAZXHI80MF
    UP9QURAtRcc/Zn1avcrZT+k1bl4=
    -----END CERTIFICATE-----
  enforced_email_domain: 'example.com'
  username_attribute: 'User.Username'
Web Applications Settings
The web_applications YAML map allows you to define internal web applications to protect with Duo Network Gateway. Create a separate map within web_applications for each internal web application; an example name might be "Example Application 1". All settings listed below should be within each entry in the web_applications map. All names must be unique; duplicate names will cause applications to override each other. Repeat this for every internal application you want to protect.
These same settings can be configured in the Admin console. You can read how at Protect a Web Application with Duo Network Gateway.
External Settings
Below are a list of all the external settings for web applications.
Setting | Required | Description | Example Values |
---|---|---|---|
external_hostname | Y | Public-facing hostname of the web application Duo Network Gateway is protecting (e.g. wiki.example.com). This hostname can be the same as the internal application hostname but is not required to match. Ensure that this hostname resolves to the external IP address of your Duo Network Gateway server. A wildcard external URL such as https://*.example.com can also be used, which will automatically route to this application all subdomains of example.com that are not already defined as a separate application in Duo Network Gateway. When using a wildcard URL the internal application must be able to distinguish between the various hostnames. | 'wiki.example.com' |
allowlist_prefixes | N | A list of URL path prefixes that will not require Duo Network Gateway authentication to access. Anything matched here is reachable without Duo authentication, so keep the list minimal and pair it with allowlist_ips where possible. | allowlist_prefixes: ['/public', '/api/v1/'] |
allowlist_suffixes | N | A list of URL suffixes that will not require Duo Network Gateway authentication to access. | allowlist_suffixes: ['.jpg', '.woff2'] |
allowlist_ips | N | Restricts the allowlisted suffixes and prefixes to specific IP addresses or IP ranges. | allowlist_ips: ['10.0.0.8', '192.168.1.0/24', '192.168.2.10-192.168.2.50'] |
session_duration | N | The maximum user session duration for this application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. | 960 |
external_ssl_cert
Create an external_ssl_cert map within the "Example Application 1" map. All settings listed below should be within the external_ssl_cert map.
Setting | Required | Description | Example Values |
---|---|---|---|
source | Y | Type of SSL certificate that will be used for the external hostname of the web application. | 'own' or 'letsencrypt' |
cert | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjAN... |
key | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. | -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w.... |
Internal Hostname Settings
Below are a list of all the internal settings for a web application. These settings must appear within each application map inside of the web_applications
map.
Setting | Required | Description | Example Values |
---|---|---|---|
internal_hostname | Y | The internal hostname or IP address of the web application Duo Network Gateway is protecting. If you used the same hostname for the application's internal and external hostnames, ensure that an internal DNS record for this hostname exists and points to the internal application server IP. | 'wiki.internal.example.com' or '10.1.10.123' |
internal_port | Y | The port used by the internal application you're trying to protect. This will typically be port 80 for HTTP communication and 443 for HTTPS communication. | 443 |
internal_use_ssl | Y | If set to true, Duo Network Gateway will use SSL to connect to the internal application. | true |
internal_trusted_cert | Only if internal_use_ssl is true and the protected internal web application does not use a publicly trusted certificate | Certificate used to validate the protected internal application. Duo Network Gateway automatically checks the internal application's certificate against a list of trusted public certificate authorities. If you use a private certificate authority, or still get an error when trying to access your application, provide a Base64-encoded X.509 (pem, cer, or crt) copy of the root CA certificate at the top of the internal application's certificate chain. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjAN... |
proxy_buffer_size | N | The proxy buffer size in KB. The default value is 64KB. We recommend keeping the default unless the protected application uses websockets and the DNG is hitting memory capacity limits. Refer to Duo KB article 8819 for more information about tuning. Requires Duo Network Gateway version 3.1.0 or later. | 64 |
use_internal_name_for_host_header | N | When set to true, Duo Network Gateway sets the HTTP Host header sent to the internal application to the internal_hostname value; otherwise it uses the external_hostname value. | true |
use_internal_name_for_sni | N | Only used if internal_use_ssl is true. If set to true, sends the internal_hostname as the SNI and Host header and uses it to validate the SSL certificate sent by the internal host. Default is false, in which case the external_hostname value is used. If use_internal_name_for_host_header is defined, its setting decides the Host header value. | true |
add_x_forwarded_host | N | Adds an X-Forwarded-Host header. Required by some applications that generate absolute URLs when the external_hostname and the internal_hostname are not the same. Note that applications will break if multiple proxies add this header. Default is false. | true |
add_x_forwarded_proto | N | Adds an X-Forwarded-Proto header. Required by some applications that generate absolute URLs. Note that some applications will break if multiple proxies add this header. Default is false. | true |
upstream_response_timeout | N | The amount of time in seconds an upstream server is permitted to take to respond to a request. The default value is 180. | 180 |
client_max_body_size | N | The maximum client-to-server upload size in megabytes that will be allowed. The default value is 128. Requires Duo Network Gateway version 1.5.12 or later. | 128 |
max_header_size | N | The maximum request header size in KB. The default value is 8KB. Requires Duo Network Gateway version 2.3.0 or later. | 8 |
Duo 2FA
Create a duo_2fa map within the "Example Application 1" map. All settings listed below should be within the duo_2fa map.
Setting | Required | Description | Example Values |
---|---|---|---|
ikey | Y | Integration key from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXXXXX' |
skey | Y | Secret key from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXX...' |
apihost | Y | API hostname from the Duo Network Gateway - Web Application you created earlier in the Duo Admin Panel. | 'api-xxxxxxxx.duosecurity.com' |
enable_frameless | N | Turns on frameless support for Duo Universal Prompt. Valid for Duo Network Gateway versions 1.5.10 to 3.1.0 and in those versions defaults to false. DNG 3.2.0 enables frameless authentication by default for all applications. | true or false |
Example Web Application Configuration
web_applications:
  "Example Application 1":
    external_hostname: 'wiki.example.com'
    allowlist_prefixes:
      - '/public'
      - '/api/v1'
    allowlist_suffixes:
      - '.jpg'
      - '.woff2'
    allowlist_ips:
      - '10.0.0.8'
      - '192.168.1.0/24'
      - '192.168.2.10-192.168.2.50'
    session_duration: 960
    external_ssl_cert:
      source: 'own'
      cert: |
        -----BEGIN CERTIFICATE-----
        MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
        UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
        LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
        MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
        BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
        AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
        d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
        VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
        kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
        6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
        +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
        vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
        0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
        uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
        SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
        j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
        PiaHEDNKPiOj+ZAJhHqEZg==
        -----END CERTIFICATE-----
      key: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
    internal_hostname: 'wiki.internal.example.com'
    internal_port: '443'
    internal_use_ssl: true
    internal_trusted_cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    use_internal_name_for_host_header: false
    use_internal_name_for_sni: true
    add_x_forwarded_host: false
    add_x_forwarded_proto: false
    upstream_response_timeout: 180
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
SSH Servers Settings
The ssh_servers YAML map allows you to define SSH servers to protect with Duo Network Gateway. Create a separate map within ssh_servers for each set of SSH servers you'd like to protect; an example name might be "Engineering SSH Servers". All settings listed below should be within each entry in the ssh_servers map. All names must be unique; duplicate names will cause sets of SSH servers to override each other. Repeat this for every SSH server set you want to protect.
These same settings can be configured in the Admin console. You can read how at Protect SSH Servers with Duo Network Gateway.
External Settings
Below are a list of all the external settings for protecting SSH servers.
Setting | Required | Description | Example Values |
---|---|---|---|
external_hostname | Y | The external hostname is where users' computers will communicate with the Duo Network Gateway. A group of SSH servers can be protected behind an external hostname. An example of an external hostname for SSH servers used by the engineering team might be "engineering-ssh.example.com". | 'engineering-ssh.example.com' |
session_duration | N | The maximum user session duration for this application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. | 960 |
external_ssl_cert
Create an external_ssl_cert map within the "Engineering SSH Servers" map. All settings listed below should be within the external_ssl_cert map.
Setting | Required | Description | Example Values |
---|---|---|---|
source | Y | Type of SSL certificate that will be used for the external hostname of the SSH server set. | 'own' or 'letsencrypt' |
cert | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjAN... |
key | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. | -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w.... |
Internal SSH Server Settings
Create an internal_servers YAML list within each entry in the ssh_servers
map. Below are settings for defining which SSH servers you will be protecting with this application.
Setting | Required | Description | Example Values |
---|---|---|---|
host_pattern | Y | You can use a hostname, a hostname with wildcards, an IP address, a range of IP addresses, or a CIDR block related to the internal SSH servers you want to protect. Wildcards will not match sub-domains (e.g. "*.example.com" will match "server.example.com" but not "server.internal.example.com"). Wildcards will be used to match domain names, not IP addresses. For example, the pattern 192.168.1.* will match the domain name 192.168.1.com but will not match the IP address 192.168.1.1 | '*.example.com' |
ports | Y | You can enter port(s) that the servers are listening on for SSH connections. You may enter a single port or a range of ports. You can also specify multiple ports or multiple ranges of ports by separating them with commas. | '22, 23-30' |
Duo 2FA
Create a duo_2fa map within each entry in the ssh_servers map. All settings listed below should be within the duo_2fa map.
Setting | Required | Description | Example Values |
---|---|---|---|
ikey | Y | Integration key from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXXXXX' |
skey | Y | Secret key from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXX...' |
apihost | Y | API hostname from the Duo Network Gateway - SSH Relay application you created earlier in the Duo Admin Panel. | 'api-xxxxxxxx.duosecurity.com' |
enable_frameless | N | Turns on frameless support for Duo Universal Prompt. Valid for Duo Network Gateway versions 1.5.10 to 3.1.0 and in those versions defaults to false. DNG 3.2.0 enables frameless authentication by default for all applications. | true or false |
Example SSH Servers Configuration
ssh_servers:
  "Engineering Servers":
    external_hostname: 'engineering-ssh.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: '*.example.com'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.3.0/24'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.1.8'
        ports: '3334'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
Application Relays Settings
The application_relays YAML map allows you to define Remote Desktop Protocol (RDP) servers to protect with Duo Network Gateway. Create a separate map within application_relays for each set of RDP servers to protect; an example name might be "Engineering RDP Servers". All settings listed below should be within each entry in the application_relays map. All names must be unique; duplicate names will cause RDP server sets to override each other. Repeat this for every RDP server set you want to protect.
These same settings can be configured in the Admin console. You can read how at Protect RDP Servers with Duo Network Gateway.
Requires Duo Network Gateway version 1.6.0 or later.
External Settings
Below are a list of all the external settings for application relays.
Setting | Required | Description | Example Values |
---|---|---|---|
application_type | Y | Pre-populates the ports parameter if it is not defined. Supported application types: 'custom' and 'rdp'. | 'custom' or 'rdp' |
external_hostname | Y | The external hostname is where users' computers will communicate with the Duo Network Gateway. A group of RDP hosts can be protected behind an external hostname. An example of an external hostname for RDP hosts used by the engineering team might be "engineering-rdp.example.com". | 'engineering-rdp.example.com' |
session_duration | N | The maximum user session duration for this application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480. | 960 |
external_ssl_cert
Create an external_ssl_cert map within the "Engineering RDP Servers" map. All settings listed below should be within the external_ssl_cert map.
Setting | Required | Description | Example Values |
---|---|---|---|
source | Y | Type of SSL certificate that will be used for the external hostname of the RDP application relay. | 'own' or 'letsencrypt' |
cert | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external_hostname. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate. | -----BEGIN CERTIFICATE----- MIICNTCCAZ4CCQD9Hx0iff2ZjjAN... |
key | Only if source is own | Base64-encoded X.509 (pem, cer, or crt) private key for the external_hostname certificate. | -----BEGIN PRIVATE KEY----- MIICdgIBADANBgkqhkiG9w.... |
Internal RDP Server Settings
Create an internal_servers YAML list within each entry in the application_relays
map. Below are settings for defining which RDP hosts you will be protecting with this application.
Setting | Required | Description | Example Values |
---|---|---|---|
host_pattern | Y | A hostname or a hostname with wildcards. Wildcards will not match sub-domains (e.g. "*.example.com" will match "rdp.example.com" but not "rdp.internal.example.com"). | 'rdp.internal.example.com' |
ports | Only if application_type is not 'rdp' | If application_type is 'rdp', port 3389, the default port for Remote Desktop, is used and ports does not need to be defined. Otherwise enter the port(s) the servers are listening on for RDP connections: a single port, a range of ports, or multiple ports or ranges separated by commas. | '3389, 3391-3395' |
Duo 2FA
Create a duo_2fa map within each entry in the application_relays map. All settings listed below should be within the duo_2fa map.
Setting | Required | Description | Example Values |
---|---|---|---|
ikey | Y | Integration key from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXXXXX' |
skey | Y | Secret key from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. | 'XXXXXXXXXXXXXXXXX...' |
apihost | Y | API hostname from the Duo Network Gateway - RDP Relay application you created earlier in the Duo Admin Panel. | 'api-xxxxxxxx.duosecurity.com' |
enable_frameless | N | Turns on frameless support for Duo Universal Prompt. Valid for Duo Network Gateway versions 1.5.10 to 3.1.0 and in those versions defaults to false. DNG 3.2.0 enables frameless authentication by default for all applications. | true or false |
Example Application Relays Configuration
application_relays:
  "Engineering RDP Servers":
    application_type: 'rdp'
    external_hostname: 'engineering-rdp.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: 'rdp1.internal.example.com'
      - host_pattern: 'rdp2.internal.example.com'
        ports: '3389, 3390'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
Subdomains Settings
The subdomains YAML list allows you to define "external" subdomains for which your Duo Network Gateway will expect to receive Domain Name Service (DNS) queries and correlate each with an "internal" subdomain that is resolvable within your local network.
These same settings can be configured in the Admin console. You can read how at Protect RDP Servers with Duo Network Gateway.
Requires Duo Network Gateway version 1.6.0 or later.
External Settings
Each entry in the subdomains YAML list includes two keys:
Setting | Required | Description | Example Values |
---|---|---|---|
external_subdomain | Y | A subdomain delegated to Duo Network Gateway through an NS record. | 'external.example.com' or 'eng-ext.example.com' |
internal_subdomain | Y | The corresponding internal subdomain to which protected RDP hosts belong. | 'internal.example.com' or 'eng.example.com' |
Example Subdomains Configuration
subdomains:
  - external_subdomain: 'external.example.com'
    internal_subdomain: 'internal.example.com'
  - external_subdomain: 'eng-ext.example.com'
    internal_subdomain: 'eng.example.com'
Feature Flag Settings
The feature flag YAML map allows you to enable on-demand features.
These same settings can be configured in the CLI and API.
Requires Duo Network Gateway version 3.1.0 or later.
Setting | Required | Description | Example Values |
---|---|---|---|
worker_thread_shutdown_timer | N | Configures a timeout, in minutes, for a forceful shutdown of old worker processes. By default this is not set: NGINX gracefully shuts down old worker processes and does not terminate a process until all of its connections have closed. When configured, NGINX forcibly closes any connections remaining in an old worker process once the timeout expires. A value of 0 unsets the timeout and returns to the default behavior. | 1 |
Example Configuration
Below is a complete configuration file using all of the examples from above, compatible with Duo Network Gateway 1.6.0 and later:
network_gateway:
  hostname: 'dng.example.com'
  enable_ui: true
  password: 'P@ssw0rd'
  admin_email: 'admin@example.com'
  load_balancer_cidrs_ips:
    - '10.64.0.0/16'
    - '10.65.0.0'
  ssl_cert:
    source: 'own'
    cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
primary_auth:
  entity_id: 'https://idp.example.com/metadata/'
  single_signon_url: 'https://idp.example.com/sso'
  single_logout_url: 'https://idp.example.com/slo'
  signing_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  enforced_email_domain: 'example.com'
  username_attribute: 'User.Username'
web_applications:
  "Example Application 1":
    external_hostname: 'wiki.example.com'
    allowlist_prefixes:
      - '/public'
      - '/api/v1'
    allowlist_suffixes:
      - '.jpg'
      - '.woff2'
    allowlist_ips:
      - '10.0.0.8'
      - '192.168.1.0/24'
      - '192.168.2.10-192.168.2.50'
    session_duration: 960
    external_ssl_cert:
      source: 'own'
      cert: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      key: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
    internal_hostname: 'wiki.internal.example.com'
    internal_port: '443'
    internal_use_ssl: true
    internal_trusted_cert: |
      -----BEGIN CERTIFICATE-----
      MIIDDDCCAfQCCQCmd1zYPnwo+TANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJV
      UzELMAkGA1UECAwCTUkxEjAQBgNVBAcMCUFubiBBcmJvcjEYMBYGA1UEAwwPYXBw
      LmV4YW1wbGUuY29tMB4XDTE4MDkxOTIwMTk1N1oXDTE5MDkxOTIwMTk1N1owSDEL
      MAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1JMRIwEAYDVQQHDAlBbm4gQXJib3IxGDAW
      BgNVBAMMD2FwcC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
      AQoCggEBAMMVnbmWTcoYu+qt46kJ+ZflWdXqjI6KOl0sQrg0uHbsZ+9nJuLNdk65
      d0a70Xqt2MwU0iX+X/TgTN33CIWO58pGNfGv/efaYRRC8jxZKSBlpL9DVEOuQbw/
      VQX/OGM7S/ORtG2zFjRjz93ghG3mtLmpWURkeH/xYPlA5Vc7Eq1OUiWQ+sDF47jy
      kbA4+2/dnTOf3StU6kg8O/RbXLI0bgNjVweczfYoQ9vHa8f7013/oPahI3IGcu/E
      6dva7TLkayIQLODSWThADr1MiNcO7dO5FMRwGdiAqmzExNxhTcf88ow6H853jiwV
      +ommH9L7uSgHJXDt4X8sjIZydQaCqe0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
      vmF8wdyu2cbu1zH8xQfzpqY8Uces9VXOQGKcP076OpXvBTxMA0QixOJWwmzJjkIo
      0a5gcbF0FeoU99t2wl0KRiOzorSdR2ULE4SLindtgjQMCZ2WHexLfs2cMnxTJlHW
      uwN+CrP1zvLQPjXUaMrpKCnPNq0AHCEBGCWBhygsm4JJA4KviEzmrXkCxFCoZlRP
      SpoDnpcCHDKDNKxYPY6TrH/2GxFF/vP8718NL7QCwMfJDXcC/7HIKzkaW0g0bwbY
      j/uxU7FRDWNZGsNZZ0VsC4bWawpbWuvLK9l96j64/+fZ+Y4DAwPsAR/c698LHslv
      PiaHEDNKPiOj+ZAJhHqEZg==
      -----END CERTIFICATE-----
    use_internal_name_for_host_header: false
    use_internal_name_for_sni: true
    add_x_forwarded_host: false
    add_x_forwarded_proto: false
    upstream_response_timeout: 180
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
ssh_servers:
  "Engineering Servers":
    external_hostname: 'engineering-ssh.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: '*.example.com'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.3.0/24'
        ports: '22, 2300-3000'
      - host_pattern: '192.168.1.8'
        ports: '3334'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
application_relays:
  "Engineering RDP Servers":
    application_type: 'rdp'
    external_hostname: 'engineering-rdp.example.com'
    external_ssl_cert:
      source: 'letsencrypt'
    internal_servers:
      - host_pattern: 'rdp1.internal.example.com'
      - host_pattern: 'rdp2.internal.example.com'
        ports: '3389, 3390'
    duo_2fa:
      ikey: 'XXXXXXXXXXXXXXXXXXXX'
      skey: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
      apihost: 'api-xxxxxxxx.duosecurity.com'
      enable_frameless: true
subdomains:
  - external_subdomain: 'external.example.com'
    internal_subdomain: 'internal.example.com'
  - external_subdomain: 'eng-ext.example.com'
    internal_subdomain: 'eng.example.com'
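A file like the complete example above is only checked when it is fed to set-config. The validator below is an added example, not part of Duo's tooling: it walks a parsed copy of the file and reports the constraints this page states before anything is loaded (enable_ui needs a password, a source of own needs both PEM blocks, allowlist_ips entries must be a single IP, a CIDR block or an IP range, ports strings must parse, and only an application_relays entry of type rdp may omit ports). It assumes the YAML has already been loaded into a dict, for example with PyYAML's yaml.safe_load, which is not shown, and that 'own' and 'letsencrypt' are the only certificate sources, since those are the two this page's examples use. SAMPLE_CONFIG is a constructed mirror of the examples above with placeholder PEM bodies.

```python
import ipaddress
import re

CERT_SOURCES = {"own", "letsencrypt"}  # the sources this page's examples use; assumed to be the full set
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.+-----END [A-Z ]*PRIVATE KEY-----", re.S)

# Constructed sample mirroring this page's examples; the PEM bodies are placeholders, not real keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIC...\n-----END PRIVATE KEY-----\n"
DUO = {"ikey": "X" * 20, "skey": "X" * 40, "apihost": "api-xxxxxxxx.duosecurity.com"}
SAMPLE_CONFIG = {
    "network_gateway": {"hostname": "dng.example.com", "enable_ui": True, "password": "P@ssw0rd",
                        "admin_email": "admin@example.com",
                        "ssl_cert": {"source": "own", "cert": FAKE_CERT, "key": FAKE_KEY}},
    "primary_auth": {"entity_id": "https://idp.example.com/metadata/",
                     "single_signon_url": "https://idp.example.com/sso", "signing_cert": FAKE_CERT},
    "web_applications": {"Example Application 1": {
        "external_hostname": "wiki.example.com", "session_duration": 960,
        "allowlist_ips": ["10.0.0.8", "192.168.1.0/24", "192.168.2.10-192.168.2.50"],
        "external_ssl_cert": {"source": "own", "cert": FAKE_CERT, "key": FAKE_KEY},
        "internal_hostname": "wiki.internal.example.com", "internal_port": 443,
        "internal_use_ssl": True, "duo_2fa": DUO}},
    "application_relays": {"Engineering RDP Servers": {
        "application_type": "rdp", "external_hostname": "engineering-rdp.example.com",
        "external_ssl_cert": {"source": "letsencrypt"}, "duo_2fa": DUO,
        "internal_servers": [{"host_pattern": "rdp1.internal.example.com"},
                             {"host_pattern": "rdp2.internal.example.com", "ports": "3389, 3390"}]}},
    "subdomains": [{"external_subdomain": "external.example.com", "internal_subdomain": "internal.example.com"}],
}

def parse_ports(spec):
    """'22, 2300-3000' -> [(22, 22), (2300, 3000)]; raises ValueError on anything else."""
    ranges = []
    for item in str(spec).split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item.strip()!r}")
        ranges.append((lo, hi))
    return ranges

def valid_allowlist_ip(entry):
    """Accepts the three forms the page lists: a single IP, a CIDR block, or a 'start-end' range."""
    try:
        if "-" not in entry:
            return bool(ipaddress.ip_network(entry, strict=False))
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return start.version == end.version and start <= end
    except ValueError:
        return False

def missing(section, keys, where):
    return [f"{where}: missing required setting '{k}'" for k in keys if k not in section]

def check_ssl_cert(section, where):
    """source must be known; source 'own' must carry both PEM blocks in cert and key."""
    errors = [] if section.get("source") in CERT_SOURCES else [f"{where}: source must be one of {sorted(CERT_SOURCES)}"]
    if section.get("source") == "own":
        for key, pattern in (("cert", PEM_CERT), ("key", PEM_KEY)):
            if not pattern.search(str(section.get(key, ""))):
                errors.append(f"{where}: source 'own' requires a PEM block in '{key}'")
    return errors

def check_servers(entries, where, ports_required):
    errors = []
    for i, srv in enumerate(entries):
        w = f"{where}.internal_servers[{i}]"
        errors += missing(srv, ["host_pattern"] + (["ports"] if ports_required else []), w)
        try:
            if "ports" in srv:
                parse_ports(srv["ports"])
        except ValueError as exc:
            errors.append(f"{w}: {exc}")
    return errors

def validate(config):
    """Return a list of error strings; an empty list means the file passed every check."""
    ng, auth = config.get("network_gateway", {}), config.get("primary_auth", {})
    errors = missing(ng, ["hostname", "enable_ui", "admin_email", "ssl_cert"], "network_gateway")
    if ng.get("enable_ui") and not ng.get("password"):
        errors.append("network_gateway: password is required when enable_ui is true")
    errors += check_ssl_cert(ng.get("ssl_cert", {}), "network_gateway.ssl_cert")
    errors += missing(auth, ["entity_id", "single_signon_url", "signing_cert"], "primary_auth")
    if "signing_cert" in auth and not PEM_CERT.search(str(auth["signing_cert"])):
        errors.append("primary_auth: signing_cert is not a PEM certificate")
    # The three protected-application maps share the external certificate and Duo 2FA rules.
    extra = {"web_applications": ["internal_hostname", "internal_port", "internal_use_ssl"],
             "ssh_servers": ["internal_servers"], "application_relays": ["application_type", "internal_servers"]}
    for kind, required in extra.items():
        for name, app in config.get(kind, {}).items():
            w = f"{kind}[{name!r}]"
            errors += missing(app, ["external_hostname", "external_ssl_cert", "duo_2fa"] + required, w)
            errors += check_ssl_cert(app.get("external_ssl_cert", {}), f"{w}.external_ssl_cert")
            errors += missing(app.get("duo_2fa", {}), ["ikey", "skey", "apihost"], f"{w}.duo_2fa")
            errors += [f"{w}: bad allowlist_ips entry {ip!r}" for ip in app.get("allowlist_ips", [])
                       if not valid_allowlist_ip(str(ip))]
            app_type = app.get("application_type")
            if kind == "application_relays" and app_type not in ("custom", "rdp"):
                errors.append(f"{w}: application_type must be 'custom' or 'rdp'")
            # Only an 'rdp' relay may omit ports; it then defaults to 3389.
            errors += check_servers(app.get("internal_servers", []), w, ports_required=app_type != "rdp")
    for i, sub in enumerate(config.get("subdomains", [])):
        errors += missing(sub, ["external_subdomain", "internal_subdomain"], f"subdomains[{i}]")
    return errors
```

Calling validate(SAMPLE_CONFIG) returns an empty list; run it against the loaded file on every change before set-config. One gap it cannot close: a YAML loader silently keeps the last of two identically named maps, so the duplicate-name override described in the sections above never reaches the validator and is best caught by reviewing the diff in source control.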
Scripted Configuration Template
Download a scripted configuration template YAML file with comments to help get started in creating your scripted configuration file.
Using Scripted Configuration
Once you have a complete configuration file, you are ready to load it into Duo Network Gateway.
- Copy your scripted configuration YAML file to your Duo Network Gateway server.
  Important: Secure this file as you would any other sensitive or password information. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
- Connect to your Duo Network Gateway server through a terminal.
  Note: If you're running your Duo Network Gateway in Active / Active High Availability you will need to connect to the Admin server.
- Run the following command to load the configuration file into the Duo Network Gateway:
  docker exec -i network-gateway-admin set-config < dng_config.yml
- If the terminal returns no error messages, the configuration was successfully loaded.
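The steps above end with "no error messages" as the success signal, which is fragile in automation. As an added example, not Duo's tooling, the function below performs the file-protection check from the first step and the loading step in one place: it refuses a file that is readable by other users, pipes the file to the set-config command line shown above on stdin, and raises on a non-zero exit status so a deployment job fails loudly. The command parameter is this example's own assumption, present only so the function can be exercised without a running network-gateway-admin container.

```python
import os
import stat
import subprocess
import sys

# The loader command from this page; the container name is Duo's, the list form is ours.
SET_CONFIG = ["docker", "exec", "-i", "network-gateway-admin", "set-config"]


def load_config(path, command=SET_CONFIG):
    """Feed the YAML file at `path` to set-config on stdin and return its exit status (0).

    Raises PermissionError if the file is group- or world-accessible, because it holds
    the admin console password, private keys and Duo secret keys, and RuntimeError with
    the loader's stderr if set-config exits non-zero.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {mode:04o}; chmod 600 it before loading")
    with open(path, "rb") as cfg:
        result = subprocess.run(command, stdin=cfg, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"set-config exited {result.returncode}: {result.stderr.strip()}")
    return result.returncode


if __name__ == "__main__":
    sys.exit(load_config(sys.argv[1] if len(sys.argv) > 1 else "dng_config.yml"))
```

Run it on the Admin server as python3 load_config.py dng_config.yml; because it only ever passes the file on stdin, the secrets never appear in the process list or shell history.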