Duo Access Gateway - FAQ

Last Updated: January 19th, 2024

Duo Access Gateway (DAG) adds two-factor authentication, complete with inline self-service enrollment and Duo Prompt, to popular cloud services like Salesforce and Google G Suite using SAML 2.0 federation.

Duo Access Gateway reached Last Day of Support on October 26, 2023 for Duo Essentials, Advantage, and Premier customers. As of that date, Duo Support may only assist with the migration of existing Duo Access Gateway applications to Duo Single Sign-On. Please see the Guide to Duo Access Gateway end of life for more details.

Learn more about Duo Single Sign-On, our cloud-hosted identity provider featuring Duo Central and the Duo Universal Prompt.

Will Duo Access Gateway support Universal Prompt?

No, Duo Access Gateway will not support the Universal Prompt for Duo commercial plan customers (Essentials, Advantage, and Premier). We recommend deploying or migrating to Duo Single Sign-On, which does include support for the Duo Universal Prompt.

Can I run the Duo Access Gateway on Linux?

Yes, you can run the Duo Access Gateway on Linux using Docker and our published Duo Access Gateway image. See the full instructions for deploying Duo Access Gateway on Linux.

Can I update the IP addresses allowed to access the Duo Access Gateway for Windows admin console after installation?

Windows

Yes, you can add or remove allowed IP addresses at any time, even if you didn't specify additional IP addresses during the Duo Access Gateway install.

To maintain the security of your Duo Access Gateway deployment, restrict access to the admin console to as few additional IPs as possible, and never add any public Internet IPs not managed by your organization.

  1. From the Duo Access Gateway server console, open C:\inetpub\wwwroot\dag\www\web.config in a text editor.

  2. Scroll to the bottom of the file and locate the <additionalLocalIps> configuration section directly after </rules>:

    <additionalLocalIps>
      <add IP="1.2.3.4" />
    </additionalLocalIps>
    

    If the <additionalLocalIps> section does not exist, you can add it now. Be sure to copy the entire example above and paste it immediately after </rules> and before </DuoIpSecurity> near the end of the web.config file.

  3. Replace 1.2.3.4 (or your existing configured IP address) with the IP address of the new device permitted DAG admin console access.

    If you would like to permit access from more than one remote IP, insert additional <add IP="x.x.x.x" /> lines into the web.config file:

    <additionalLocalIps>
      <add IP="1.2.3.4" />
      <add IP="5.6.7.8" />
    </additionalLocalIps>
    
  4. Save the changes to web.config. You can now access the Duo Access Gateway admin console from the specified additional IP address or addresses.
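
The following PowerShell audit is an added example, not part of Duo's documentation or tooling. It lists each <additionalLocalIps> entry and flags addresses that are public or malformed, in line with the guidance above. The function name Get-DagAdminIpFinding, the MaxEntries threshold and the sample fragment are assumptions made for illustration.

```powershell
# Added example (not Duo code): review the DAG admin console allowlist.
# Get-DagAdminIpFinding and the MaxEntries threshold are hypothetical names/values.
function Get-DagAdminIpFinding {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [int]$MaxEntries = 3   # assumed policy limit for "as few as possible"
    )
    $entries = @($Config.SelectNodes('//additionalLocalIps/add'))
    foreach ($node in $entries) {
        $raw = $node.GetAttribute('IP')
        $ip = $null
        $finding = 'ok (private or loopback range)'
        if (-not [System.Net.IPAddress]::TryParse($raw, [ref]$ip)) {
            $finding = 'not a valid IP address'
        }
        elseif ($ip.AddressFamily -ne 'InterNetwork') {
            $finding = 'IPv6 entry: review manually'
        }
        elseif ($ip.ToString() -ne $raw) {
            # TryParse accepts shorthand such as "192.168.1"; require x.x.x.x
            $finding = 'not a full dotted-quad IPv4 address'
        }
        else {
            $b = $ip.GetAddressBytes()
            $internal = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
                        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                        ($b[0] -eq 192 -and $b[1] -eq 168)
            if (-not $internal) {
                $finding = 'public address: confirm your organization manages it'
            }
        }
        [pscustomobject]@{ IP = $raw; Finding = $finding }
    }
    if ($entries.Count -gt $MaxEntries) {
        Write-Warning "$($entries.Count) additional IPs allowed; policy limit is $MaxEntries"
    }
}

# Constructed sample fragment; a real web.config contains more than this.
$sample = @'
<configuration><DuoIpSecurity><rules />
  <additionalLocalIps>
    <add IP="10.20.30.40" />
    <add IP="203.0.113.7" />
    <add IP="192.168.1" />
  </additionalLocalIps>
</DuoIpSecurity></configuration>
'@
Get-DagAdminIpFinding -Config $sample | Format-Table -AutoSize
# On the DAG server: -Config (Get-Content -Raw C:\inetpub\wwwroot\dag\www\web.config)
```

Against the constructed sample, the first entry is reported as ok, the second as a public address to confirm, and the third as not a full dotted-quad address.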

Linux

A configuration setting for AdditionalLocalIPs is not available for the Linux Duo Access Gateway (DAG) because its admin console is accessible on port 8443. You can use network-level controls to regulate access to port 8443 as needed.

This optional configuration is only necessary for the Windows Duo Access Gateway because it only allows the local Windows server to access the DAG admin console by default.

Can I back up my Duo Access Gateway settings?

Please refer to the "Backup and Restore" instructions for Duo Access Gateway for Windows or Linux to back up your Duo Access Gateway settings. These files can then be restored to their original locations when necessary.

How do I configure high-availability for Duo Access Gateway?

Please refer to the "High Availability" instructions for Duo Access Gateway for Windows or Linux to create a standby Duo Access Gateway server. You may also put two identically configured Duo Access Gateway servers behind a load balancer.

How do I enable Duo Access Gateway debug logging and view the log?

Duo Access Gateway records the following events:

  • Administrator console logons
  • Primary user authentication success and failure
  • Secondary user authentication success
  • Errors

The default logging level does not include additional troubleshooting information.

Windows

To enable DAG debug logging:

  1. Log into the Duo Access Gateway admin console and navigate to Settings.

  2. Scroll down to the "General" section and check the box next to Debugging.

  3. Click Save Settings.

When enabled, the Duo Access Gateway writes additional debug output to the existing log.

The log file is found at C:\inetpub\wwwroot\dag\log\dag.log.

Linux

To view the log output updating in real time, log into the Duo Access Gateway server and run the following command, replacing the example Duo Access Gateway YML name with your current file's actual name:

docker-compose -p access-gateway -f access-gateway-x.x.x.yml logs -f

To export all logs to a log file, enter:

docker-compose -p access-gateway -f access-gateway-x.x.x.yml logs -f > dag.log

To specify how many lines to export, see the following example, which will export the last 5000 lines:

docker-compose -p access-gateway -f access-gateway-x.x.x.yml logs --tail=5000 > dag.log

You can use the command below to find the location of your YML file on your system:

sudo find / -name "access-gateway-*.yml"

How do I upgrade Duo Access Gateway to a newer version?

Refer to the Duo Access Gateway upgrade instructions for Windows or Linux installations.

How do I upgrade the PHP installation used by Duo Access Gateway for Windows 1.3.0 and higher?

When installing or upgrading Duo Access Gateway to a newer version, the DAG installer handles installing the required PHP for that DAG version. There may be occasions where you need to update PHP separately from upgrading DAG, such as if a security vulnerability is discovered in the PHP version you have installed.

You can update the PHP install used by Duo Access Gateway with our bundled DAG PHP updater utility. This utility registers the new PHP version in IIS on the DAG virtual site and removes mappings for the prior version from IIS.

  • As of version 1.5.11, Duo Access Gateway supports PHP 7.4.12 and later 7.4 releases.
  • Duo Access Gateway 1.5.7 - 1.5.10 support PHP 7.3 versions only.
  • Duo Access Gateway 1.5.3 - 1.5.6 support PHP 7.1 versions only.

Do not update your PHP install beyond the supported major version that corresponds with your Duo Access Gateway version (i.e. do not upgrade to PHP 8.x).

To update PHP on your DAG server:

  1. Download the recent PHP 7.3 or 7.4 x64 Non Thread Safe release you require to your DAG server.

  2. Launch an elevated command prompt (right-click "Command Prompt" and select the "Run as administrator" option) and change to the directory C:\inetpub\wwwroot\dag\bin.

  3. Run the PhpUpgrade command file with the following syntax:

    PhpUpgrade.cmd [phpSource]

    Where [phpSource] is either the path to an x64 non thread safe (nts) PHP zip file, or the path to a directory containing the extracted contents of the PHP zip file.

    Example usage (an update to PHP 7.3.8):

    • Update to PHP 7.3.8 using a zip file, extracting the PHP files to the default folder location C:\Program Files\Duo_Access_Gateway_PHP\7.3.8:

      PhpUpgrade.cmd php-7.3.8-nts-Win32-VC14-x64.zip

    • Update to PHP 7.3.8 using the PHP zip file contents already extracted to C:\PHP\7.3.8 as the source:

      PhpUpgrade.cmd C:\PHP\7.3.8

  4. After the Duo Access Gateway PHP updater completes successfully you should perform an iisreset to cycle web services on your server.

  5. Delete the older PHP version folder from your server to complete the update.

The DAG PHP updater exits with an error message if it fails to extract the PHP zip file, if it is not run with elevated Administrator rights, or if any prerequisites are missing for the new PHP version.

How do I upgrade the PHP installation used by Duo Access Gateway for Windows 1.2.1?

You can update the PHP install used by Duo Access Gateway with our standalone DAG PHP updater utility. This utility registers the new PHP version in IIS on the DAG virtual site and optionally removes mappings for the prior version from IIS.

To update PHP on your DAG server:

  1. Download the DagPhpUpdater executable to your DAG server.

  2. Download a recent PHP x86 Non Thread Safe release to your DAG server.

    Be aware of new Visual Studio prerequisites for the PHP version you select! PHP 5.6.x required the Visual C++ Redistributable for Visual Studio 2012 x86 Update 4. If you choose to update from PHP 5.6.x to PHP 7.0.2 or later, you'll first need to install the Visual C++ Redistributable for Visual Studio 2015 x86.

    The Visual C++ Redistributable for Visual Studio 2015 package is itself dependent on the Windows 10 Universal C Runtime (CRT). Ensure that the Visual C++ Redistributable for Visual Studio 2015 x86 and all its requirements are present on your DAG server before you attempt to update PHP.

  3. Launch an elevated command prompt (right-click "Command Prompt" and select the "Run as administrator" option) and change to the directory where you've downloaded the DagPhpUpdater executable and the PHP x86 Non Thread Safe .zip file.

  4. Run the DagPhpUpdater utility with the following syntax:

    DagPhpUpdater-x.x.x.x.exe [phpSource] ([phpTargetInstallDirectory])

    Where [phpSource] is either the path to an x86 non thread safe (nts) PHP zip file, or the path to a directory containing the extracted contents of the PHP zip file.

    When using the Duo Access Gateway PHP updater utility with a zip file, the default target directory for extracting PHP files is C:\Program Files (x86)\PHP. To have the updater extract the PHP files to a different location, specify [phpTargetInstallDirectory].

    Example usage:

    • Update to PHP 7.0.3 using a zip file, extracting the PHP files to the default folder location C:\Program Files (x86)\PHP\7.0.3.0:

      DagPhpUpdater-1.2.2.126.exe php-7.0.3-nts-Win32-VC14-x86.zip

    • Update to PHP 7.0.3 using the PHP zip file contents already extracted to C:\PHP\7.0.3 as the source:

      DagPhpUpdater-1.2.2.126.exe C:\PHP\7.0.3

    • Update to PHP 7.0.3 using a zip file, extracting the PHP files to the specified folder location C:\PHP\7.0.3:

      DagPhpUpdater-1.2.2.126.exe php-7.0.3-nts-Win32-VC14-x86.zip C:\PHP\7.0.3

  5. The DAG PHP updater updates the existing PHP mappings at the DAG virtual site in IIS to use the new PHP version. If the updater finds any PHP mappings using the older PHP version elsewhere in IIS it asks if you'd like to remove them. If Duo Access Gateway is the only application using PHP on this server, respond y to remove all mappings for the previous PHP version.

  6. After the DAG PHP updater utility completes successfully you should perform an iisreset to cycle web services on your server.

  7. Delete the older PHP version folder from your server to complete the update.

The DAG PHP updater exits with an error message if it fails to extract the PHP zip file, if it is not run with elevated Administrator rights, or if any prerequisites are missing for the new PHP version.

Is Office 2013 or 2016 rich client login or the Office 365 mobile app supported?

Office 2013 and 2016 desktop applications (including Outlook and Skype for Business) by default can no longer connect to Office 365 after federation with Duo Access Gateway. Office 365 customers must enable Microsoft's Modern Authentication to bring two-factor authentication to Office 2013 and 2016 client applications. More information about Modern Authentication, including a list of Office applications that support Modern Authentication, is available at the Office Blog.

  1. Modern Authentication may already be enabled on your Office 365 tenant. Follow these instructions to verify or enable Modern Authentication on your Exchange Online tenant and these instructions to do the same for your Skype for Business Online tenant.
  2. Apply registry updates for Office 2013 (Office 2016 natively supports Modern Authentication).
  3. Your Office applications should now provide you with your federated login page followed by the Duo Authentication prompt. Once you authenticate with Duo the session security token is cached and remains valid for eight hours.

When you log in to Office 365 using an Office 2016 or 2013 application with Modern Authentication, you'll see the Duo Access Gateway primary login page within the Office application, followed by the Duo authentication prompt.

For additional information please see the "Road map for multi-factor authentication in Office desktop applications" section in this blog post from Microsoft: Multi-Factor Authentication for Office 365 and the previous blog entries Office 2013 updated authentication enabling Multi-Factor Authentication and SAML identity providers and Office 2013 modern authentication public preview announced.

Duo does not natively support the creation of application specific passwords for bypassing multi-factor authentication for Office 365 tenants.

Additional Troubleshooting

Need more help? Try searching our Duo Access Gateway Knowledge Base articles or Community discussions. For further assistance, contact Support.