Duo Proxy Redundancy Guide

This article provides guidelines on how basic redundancy is configured when an organization authenticates through Duo MFA.

Based on my experience in setting up Duo Proxy Server redundancy, the MFA request will only fail over to the backup server if:

    • The LAN interface is down or the Duo Proxy Server is totally unreachable (Scenario01)
    • The duoauthproxy service is not running (Scenario02)

If the Duo Proxy has no internet access or cannot reach the Duo API host while its LAN interface is still up, failover does not take place.

To address this, a PowerShell script can be placed in Windows Task Scheduler to run every 5 minutes. It checks the internet connection and, if it detects that the Duo API host cannot be reached, stops the duoauthproxy service. That puts the server into Scenario02 above, so failover takes place.

#DECLARATIONS
#LOG FILE DESTINATION - one CSV per day. A date-only stamp is used in the file name because
#the full timestamp contains ':' which is not allowed in Windows file names.
$dddd = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$logdate = Get-Date -Format 'yyyy-MM-dd'
$logfile = $("PATH\FILE" + $logdate + "_monitor_internet.csv")

$smtpserver = "SMTPSERVER IP"
$smtpport = "SMTP_PORT"

#CHECK IF LOG FILE IS CREATED (Test-Path returns $false for a missing file instead of raising an error)
$checkfile = Test-Path $logfile

#IF NOT CREATED, CREATE LOG FILE WITH HEADER
if (!$checkfile) { "TIMESTAMP,HOSTNAME,TESTSITE,RESULT" | Add-Content $logfile }

$target = "YOUR DUO API HOSTNAME"
$ServiceName = 'duoauthproxy'
$host1 = hostname

#TESTING INTERNET CONNECTION FOR 3 MINUTES WITH 10 SECONDS INTERVAL
#-Quiet makes Test-Connection return $true/$false. Without it an unreachable host produces an
#error record (and on PowerShell 7 a truthy status object), so the checks below would misfire.
#Only the result of the last probe is kept in $testinternet and decides what happens next.
$x = 0
while ($x -lt 19) {
    $now = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $testinternet = Test-Connection -ComputerName $target -Count 1 -Quiet
    Start-Sleep -Seconds 10
    if ($testinternet) {
        $("$now" + "," + $host1 + "," + $target + "," + "INTERNET CONNECTION: SUCCESSFUL") | Add-Content $logfile
    }
    $x = $x + 1
}

$arrService = Get-Service -Name $ServiceName

#IF INTERNET CONNECTION IS WORKING AND DUOAUTHPROXY WAS NOT YET STARTED - START SERVICE AND SEND EMAIL TO DUO ADMINISTRATORS
if ($testinternet -and $arrService.Status -eq 'Stopped') {
    net start duoauthproxy
    $($dddd + "," + $host1 + "," + "DUOAUTHPROXY SERVICE" + "," + "DUOAUTHPROXYSERVICE: STARTED") | Add-Content $logfile
    $Sender = "SENDER@YOURCOMPANY.COM"
    $ServerParams = @{ SmtpServer = $smtpserver; From = $Sender; Port = $smtpport }
    $MessageParams = @{
        'To'      = "DUOADMINS@YOURCOMPANY.COM"
        'Subject' = $("DUO PROXY CONNECTIVITY ALERT: " + $host1 + " internet access is restored.")
        'Body'    = "Hi Duo Admins, this monitoring runs every 5 minutes on the server mentioned in the subject. Duo Proxy Internet Connection and duoauthproxy service have been restored. If you have questions about this script, please contact AUTHOR. Thanks."
    }
    Send-MailMessage @ServerParams @MessageParams
}

#IF NO INTERNET, ATTEMPT SENDING EMAIL ALERT TO DUO ADMINS
if (!$testinternet) {
    $Sender = "SENDER@YOURCOMPANY.COM"
    $ServerParams = @{ SmtpServer = $smtpserver; From = $Sender; Port = $smtpport }
    $MessageParams = @{
        'To'      = "DUOADMINS@YOURCOMPANY.COM"
        'Subject' = $("DUO PROXY CONNECTIVITY ALERT: " + $host1 + " lost internet access.")
        'Body'    = "Hi Duo Admins, this monitoring runs every 5 minutes on the server mentioned in the subject. This email is sent if connection to DUO_API_HOST is lost during time of checking. Please check ASAP. NOTE: duoauthproxy service in this server has been stopped to trigger failover. If you have questions about this script, please contact AUTHOR. Thanks."
    }
    Send-MailMessage @ServerParams @MessageParams

    #ADD LOG
    $($dddd + "," + $host1 + "," + $target + "," + "INTERNET CONNECTION: FAILED - Cannot connect to Duo Host.") | Add-Content $logfile

    #CHECK SERVICE - STOP DUOAUTHPROXY SO THAT CLIENTS FAIL OVER TO THE BACKUP PROXY (Scenario02)
    #'Started' is not a valid service status value, so only 'Running' is tested
    $arrService = Get-Service -Name $ServiceName
    if ($arrService.Status -eq 'Running') {
        net stop duoauthproxy
        $($dddd + "," + $host1 + "," + "DUOAUTHPROXY SERVICE" + "," + "DUOAUTHPROXYSERVICE: STOPPED") | Add-Content $logfile
    }
}
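The script above tests reachability with ICMP echo (Test-Connection), but the Authentication Proxy reaches the API host over HTTPS on port 443. An egress firewall that permits 443 may still drop ICMP, which would stop a healthy proxy and force a needless failover, and the reverse is also possible: ping succeeds while 443 is blocked and the proxy is in fact broken. The function below is an added example, not part of the original script; it probes the Duo Auth API's unauthenticated /auth/v2/ping endpoint over HTTPS and only reports the host as unreachable when a series of probes keeps failing. It assumes the proxy host has direct outbound access on TCP/443 (no http_proxy configured), and the hostname placeholder is the same YOUR DUO API HOSTNAME used above.

```powershell
# Added example: HTTPS probe of the Duo API host, usable in place of the Test-Connection loop.
# Assumes direct outbound access on TCP/443 (no http_proxy) from the proxy host.

# Duo requires TLS 1.2; older Windows PowerShell/.NET builds do not enable it by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Test-DuoApiReachable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ApiHost,  # "YOUR DUO API HOSTNAME" placeholder from the script above
        [int]$Attempts = 6,          # number of probes
        [int]$Required = 3,          # probes that must succeed for the host to count as reachable
        [int]$IntervalSeconds = 10,  # pause between probes
        [int]$TimeoutSeconds = 10    # per-probe HTTP timeout
    )
    $succeeded = 0
    $uri = "https://$ApiHost/auth/v2/ping"
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            # /auth/v2/ping is the unauthenticated liveness endpoint of the Auth API the proxy itself
            # talks to; a 200 reply with stat = OK proves DNS, TCP/443, TLS and the HTTP path all work.
            $reply = Invoke-RestMethod -Uri $uri -Method Get -TimeoutSec $TimeoutSeconds
            if ($reply.stat -eq 'OK') { $succeeded++ }
        } catch {
            # DNS failure, TCP timeout, TLS error or a non-2xx status all land here
            Write-Verbose ("probe {0}/{1} to {2} failed: {3}" -f $i, $Attempts, $uri, $_.Exception.Message)
        }
        # stop early once the outcome can no longer change
        if ($succeeded -ge $Required) { return $true }
        if (($Attempts - $i) -lt ($Required - $succeeded)) { return $false }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return ($succeeded -ge $Required)
}

# Example use with the variables from the script above: only a sustained outage
# (fewer than 3 of 6 probes succeeding over about a minute) yields $false and triggers the stop.
# $testinternet = Test-DuoApiReachable -ApiHost $target -Verbose
```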