Redundancy

Network considerations
The Duo Authentication Proxy configuration file may need to be modified if the proxy is copied to a new environment. Any environment-specific parameters (IP or hostname attributes, shared secrets, port numbers, etc) need to be updated to reflect the values of the new environment. Proxies are not "aware" of each other, and need not communicate directly. In order to duplicate .cfg files, you will need to manually copy and paste the latest contents into each file, so they are identical.

Host considerations
If encrypting passwords or shared secrets, these are specific to the server where they were encrypted and will not work if copied to a different machine. The authproxy_passwd.exe tool will have to be run separately on each host.

Load balancing
Load balancing between Authentication Proxies (Active/Active) is recommended over a failover pool (Active/Passive). Load balancing distributes authentications between proxies, while a simple failover pool puts all load on one proxy while the others are not utilized unless the first is no longer available. Some appliances offer a native way to support both active/active and active/standby configurations, while others require a separate appliance like an F5 or Citrix Gateway or Netscaler to perform load balancing functions, typically utilizing a virtual IP (VIP). Note that for these integrated load-balancing applications, traffic will still be coming to the proxy from the real server IPs rather than the VIP. Sessions should be persistent or "sticky" when running in an Active/Active configuration. The basic configuration for HA load balancing Authentication Proxies is shown here: