Duo Two-Factor Authentication with Sub-Virtual Services

Scope

Allow Duo Two-Factor Authentication requests to pass through a Virtual Service that contains Sub-Virtual Services (SubVSs).

A common scenario is where you have configured an Exchange environment using our Exchange Template, which contains multiple SubVSs, for example, OWA, ECP and RPC.

Each of these SubVSs contains content rules which match your Exchange requests, such as OWA.

When a request for OWA hits the Virtual Service, the LoadMaster examines the HTTP request, for example, https://mail.kemptest.com/owa. It sees /owa and forwards the request to the correct SubVS.

If Duo Two-Factor Authentication is in use, the client will be redirected to, for example, https://mail.kemptest.com/duo. Because no content rule matches the "/duo" request, the connection will be dropped.

 

Solution

Create a content rule to allow "/duo" in the HTTP request, and assign this rule to the OWA SubVS.

1. Create the Content Rule

Rules & Checking > Content Rules

Match String:  /^\/duo.*/

2. Assign Rule to OWA

View/Modify Services > Modify > Sub Virtual Services > OWA > Rules

Assign the Duo2Factor Content Rule to the OWA SubVS.

 

3. Add the DUO Directory to OWA ESP

You will also need to allow "DUO" traffic under the ESP settings on your OWA SubVS.

 

4. X-Forwarded-For & X-Forwarded-Proto

You may also need to add X-Forwarded-For and X-Forwarded-Proto headers to the request. Please refer to the Duo knowledgebase: https://help.duo.com/s/article/1700?language=en_US

 

Navigate to OWA Sub VS > Advanced Properties > Add Header to Request & Add HTTP Headers.

 

5. Enable Persistence

Virtual Service > OWA Sub VS > Standard Options > Persistence = Super HTTP

This is only required if you receive an error similar to the below.

 

6. Enable Shared Sub VS Persistence

System Configuration > Misc Options > L7 Configuration > "Share Sub VS Persistence"
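
The effect of steps 1 and 2, as an added example that is not part of the original article and is not Kemp's code: a small Python model of content-rule selection that shows which request paths the `/^\/duo.*/` rule admits. It assumes first-match routing and uses stand-in patterns for the Exchange template rules; only the Duo pattern comes from the article, and `route`, `audit` and `ignore_case` are hypothetical names.

```python
import re

# Constructed model of content-rule selection on the parent Virtual Service:
# the first rule whose pattern matches the request path picks the SubVS, and
# a path that matches no rule is dropped (assumed first-match behaviour).
# Only the Duo2Factor pattern is taken from the article; the other three
# rules are assumed stand-ins for the Exchange template's rules.
TEMPLATE_RULES = [
    ("OWA", r"^\/owa.*", "OWA"),
    ("ECP", r"^\/ecp.*", "ECP"),
    ("RPC", r"^\/rpc.*", "RPC"),
]
DUO_RULE = ("Duo2Factor", r"^\/duo.*", "OWA")


def route(path, rules, ignore_case=False):
    """Return the SubVS selected for `path`, or None if nothing matches."""
    flags = re.IGNORECASE if ignore_case else 0
    for _name, pattern, subvs in rules:
        if re.search(pattern, path, flags):
            return subvs
    return None


def audit(paths, rules, ignore_case=False):
    """Map each sample path to its routing decision."""
    return {p: route(p, rules, ignore_case) or "DROPPED" for p in paths}


# Constructed sample request paths (not captured traffic).
SAMPLE_PATHS = [
    "/owa", "/owa/auth/logon.aspx",
    "/duo", "/duo/frame", "/DUO", "/duology", "/app/duo",
]

if __name__ == "__main__":
    before = audit(SAMPLE_PATHS, TEMPLATE_RULES)
    after = audit(SAMPLE_PATHS, TEMPLATE_RULES + [DUO_RULE])
    for p in SAMPLE_PATHS:
        print(f"{p:24} before={before[p]:8} after={after[p]}")
```

The pattern is an anchored prefix match, so every path that begins with /duo (including /duology in the sample) is forwarded to the OWA SubVS, while an uppercase /DUO only matches when the rule is evaluated case-insensitively.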

 

 

 

 
