Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Joe_Kanaszka
Collaborator
Jump to solution

How does everyone handle redundancy for a DUO Authentication Proxy?

Morning everyone.

 

We are running a two node GAIA cluster on R80.40 take 173.

We are planning on rolling out DUO for 2FA for our Check Point Mobile clients.

Small 25 person office.

 

Right now, I have one DUO Authentication Proxy Manager in a VM.  I am thinking about how I can make this redundant.

Simply clone it in VMware and keep it turned off?  I heard that you can configure the DUO Proxy to be active/active or active/standby.

 

Has anyone done this?

 

Just curious what everyone is doing for redundancy,

 

Thank you!

 

0 Kudos
1 Solution

Accepted Solutions
Sorin_Gogean
Advisor

Sure thing it would work, just make sure you will not have them powered at the same time, so you'll face some Duplicate IP errors.

Still I would look to have an real HA, and don't bother if the cleaning lady stops an ESX server.... 

Enjoy,

View solution in original post

(1)
6 Replies
Sorin_Gogean
Advisor

Hello @Joe_Kanaszka ,

Does this answers you ?

(https://help.duo.com/s/article/authentication-proxy-availability?language=en_US )

Redundancy

Network considerations
The Duo Authentication Proxy configuration file may need to be modified if the proxy is copied to a new environment. Any environment-specific parameters (IP or hostname attributes, shared secrets, port numbers, etc) need to be updated to reflect the values of the new environment. Proxies are not "aware" of each other, and need not communicate directly. In order to duplicate .cfg files, you will need to manually copy and paste the latest contents into each file, so they are identical.

Host considerations
If encrypting passwords or shared secrets, these are specific to the server where they were encrypted and will not work if copied to a different machine. The authproxy_passwd.exe tool will have to be run separately on each host.

Load balancing
Load balancing between Authentication Proxies (Active/Active) is recommended over a failover pool (Active/Passive). Load balancing distributes authentications between proxies, while a simple failover pool puts all load on one proxy while the others are not utilized unless the first is no longer available. Some appliances offer a native way to support both active/active and active/standby configurations, while others require a separate appliance like an F5 or Citrix Gateway or Netscaler to perform load balancing functions, typically utilizing a virtual IP (VIP). Note that for these integrated load-balancing applications, traffic will still be coming to the proxy from the real server IPs rather than the VIP. Sessions should be persistent or "sticky" when running in an Active/Active configuration. The basic configuration for HA load balancing Authentication Proxies is shown here:

rtaImage.png

 

Ty,

Joe_Kanaszka
Collaborator

Thank you Sorin.  Yes - I have seen this document.  However, I'm more interested in seeing if there is a way to load balance these DUO proxies within Check Point - or would we need a third-party load balancer?

 

Thank you again!

0 Kudos
Sorin_Gogean
Advisor

As far as I know, CheckPoint does not offer LB services, therefore you need you look elsewhere.

 

Enjoy,

PS: the VM replica would also work pretty well, but it's a manual redundancy...

Joe_Kanaszka
Collaborator

Thanks again Sorin.  I have thought about this...just cloning the existing DUO Proxy VM and keeping it turned off.  Do you think that this would work?

 

Thank you again!

 

-Joe

0 Kudos
Sorin_Gogean
Advisor

Sure thing it would work, just make sure you will not have them powered at the same time, so you'll face some Duplicate IP errors.

Still I would look to have an real HA, and don't bother if the cleaning lady stops an ESX server.... 

Enjoy,

(1)
Joe_Kanaszka
Collaborator

HA!  True.  Thanks Sorin!  Have a great weekend my friend.

 

-J

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events