How to configure Duo Two-Factor Authentication with Sub-Virtual Services
Scope
Allow Duo Two-Factor Authentication requests to pass through a Virtual Service that contains Sub-Virtual Services (SubVSs).
A common scenario is where you have configured an Exchange environment using our Exchange Template, which contains multiple SubVSs, for example, OWA, ECP and RPC.
Each of these SubVSs contains content rules that match your Exchange requests, such as OWA.
When a request for OWA hits the Virtual Service, the LoadMaster examines the HTTP request, for example, https://mail.kemptest.com/owa. It sees /owa and forwards the request to the correct SubVS.
If Duo Two-Factor Authentication is in use, the client will be redirected to, for example, https://mail.kemptest.com/duo. Because no content rule matches "/duo", the request cannot be assigned to a SubVS and the connection will be dropped.
Solution
Create a content rule to allow "/duo" in the HTTP request, and assign this rule to the OWA SubVS.
1. Create the Content Rule
Rules & Checking > Content Rules
Match String: /^\/duo.*/
2. Assign Rule to OWA
View/Modify Services > Modify > Sub Virtual Services > OWA > Rules
Assign the Duo2Factor Content Rule to the OWA SubVS.
3. Add DUO Directory to OWA ESP
You will also need to allow "DUO" traffic under the ESP settings on your OWA SubVS.
4. X-Forwarded-For & X-Forwarded-Proto
You may also need to add X-Forwarded-For and X-Forwarded-Proto headers to the request. Please refer to the Duo knowledge base: https://help.duo.com/s/article/1700?language=en_US
Navigate to OWA Sub VS > Advanced Properties > Add Header to Request & Add HTTP Headers.
5. Enable Persistence
Virtual Service > OWA Sub VS > Standard Options > Persistence = Super HTTP
This is only required if you receive an error similar to the one below.
6. Enable Shared Sub VS Persistence
System Configuration > Misc Options > L7 Configuration > "Share Sub VS Persistence"
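The routing behaviour described under Scope and the match string from step 1 can be checked offline before the rule is assigned. The following Python model is an added example, not Kemp or Duo code. The OWA, ECP and RPC match strings, the first-match selection on the URL path, and the sample URLs other than /owa and /duo are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DUO_RULE = r"/^\/duo.*/"  # match string from step 1 of this article

# Assumed SubVS match strings; the Exchange template's own rules are not shown on the page.
BASE_RULES = [
    ("OWA", r"/^\/owa.*/"),
    ("ECP", r"/^\/ecp.*/"),
    ("RPC", r"/^\/rpc.*/"),
]
# Step 2: the Duo rule is assigned to the OWA SubVS.
WITH_DUO = BASE_RULES + [("OWA", DUO_RULE)]


def compile_rule(match_string):
    """Strip the surrounding /.../ delimiters and compile the pattern."""
    if len(match_string) < 2 or match_string[0] != "/" or match_string[-1] != "/":
        raise ValueError("match string must be written as /pattern/")
    return re.compile(match_string[1:-1])


def select_subvs(url, rules):
    """Return the SubVS of the first rule matching the URL path, or None if dropped."""
    path = urlsplit(url).path or "/"
    for subvs, match_string in rules:
        if compile_rule(match_string).search(path):
            return subvs
    return None  # modelled as in the article: no matching rule, connection dropped


# Constructed sample requests (only /owa and /duo appear in the article).
SAMPLE_URLS = [
    "https://mail.kemptest.com/owa",
    "https://mail.kemptest.com/duo",
    "https://mail.kemptest.com/duo/frame?x=1",
    "https://mail.kemptest.com/duoadmin",
    "https://mail.kemptest.com/other/duo",
]

if __name__ == "__main__":
    print(f"{'URL':45} {'before':8} after")
    for url in SAMPLE_URLS:
        before = select_subvs(url, BASE_RULES) or "DROP"
        after = select_subvs(url, WITH_DUO) or "DROP"
        print(f"{url:45} {before:8} {after}")
```

Because the match string only anchors the start of the path, it also selects paths such as /duoadmin, while /other/duo is still dropped.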