Documentation

Duo Network Gateway - Release Notes

Last Updated: July 31st, 2024

Duo Network Gateway provides users with secure remote access to your on-premises private applications and internal servers without having to worry about managing VPN credentials. It also offers inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

Download the current release from the Checksums and Downloads page.

Version 3.2.0 - July 31, 2024

Logging enhancements.
Frameless authentication now enabled by default for all applications due to the Duo traditional prompt reaching end-of-support on March 30, 2024. Learn more about Duo Universal Prompt and traditional Duo Prompt end of support.
Fixes an issue where single page apps (SPAs) cache portions of the DNG authentication path. DNG auth path now sends no-cache headers.
Updated Dependencies: Supervisord to 4.2.5, cffi to 1.16.0, Setuptools-rust to 1.9.0, and Hatchling to 1.22.5.

Version 3.1.0 - April 18, 2024

New web application setting to configure Proxy buffer size.
New feature flag to enable worker thread shutdown timer in DNG scripted configurations.
Updated lxml to 5.2.1 to address CVE-2022-1873.
Updated golang.org/x/text to 0.14.0 address CVE-2022-32149.
Updated Python to 3.10.13 to address CVE-2022-2464, CVE-2022-4568, CVE-2015-0814, CVE-2018-2503.
Updated Dependencies: Rust to 1.76.0, Openresty to 1.25.3, isodate to 0.6.1, pbr to 6.0.0, Node to 20.11.1, and Go to 1.22.0.

Version 3.0.0 - February 15, 2024

General availability of Custom Application Relay support for all TCP ports and protocols.
General availability of Duo Network Gateway API for DNG administration.
Upgraded bundled OpenSSL to 3.0.12.
Upgraded bundled Redis version to 6.2.14.
Updated libxml2 to 2.12.3 to address CVE-2022-40304.
Increase validation for CA certificate renewal process.

Version 2.3.0 - August 7, 2023

Early Access of Custom Application Relay support: Secure, protect, and tunnel additional protocols like SFTP, FTP, Telnet, SQL, etc.
Fixes an issue where non-RSA certificate keys would get logged (ECDSA certificate keypairs and other non-RSA keypairs are unsupported at this time).
Fixes an issue where the Maximum header size default was 128KB instead of 8KB.
Fixes an issue where if the certificate uploaded for the Duo Network Gateway didn't match the Duo Network Gateway URL no warning was emitted.
Upgraded bundled OpenSSL to 1.1.1t.
Added support for CentOS Stream 9.
Fixes incorrect OpenAPI specifications.

Version 2.2.0 - January 19, 2023

Public preview of Duo Network Gateway API for DNG administration.
General availability of SMB/File share access protected by Duo Network Gateway.
Prevention of Server-Side Request Forgery (SSRF) attacks where an upstream DNS entry is pointed at the AWS metadata service at 169.254.169.254.
Supports proxying upstream TLSv1.3 connections.
Permits setting the maximum header size of a request to a value beyond the previously-fixed maximum of 8 KB.
Fixes an issue with setting a port for the external URL of a web application in DNG admin console.
Fixes an issue where browsing to an SSH or Application relay application in a web browser would present an OpenResty page.
Updated dependencies: Python to 3.9.6, PCRE to 10.40, libxml2 to 2.10.2, cryptography to 36.0.2, pyOpenSSL to 22.0.0, and libxslt to 1.1.37.

Version 2.1.0 - August 17, 2022

Updated dependencies to address CVE-2022-21712
Upgraded bundled Redis version to 6.2.6.
Updated the Redis image to Debian 11 LTS.
Cookies now use HMAC_SHA256 instead of HMAC_SHA1 for signing and verification.
Added support for the PROXY protocol for customers with high-availability deployments featuring load balancers that do not terminate TLS and add a X-Forwarded-For header.
Supports TLS 1.3 for incoming connections.
Performance enhancements to requests per second (RPS) after users have logged in to DNG.
A password reset is now required on initial Duo Network Gateway setup. DNG administrators performing initial configuration must have shell access to the server hosting the Docker containers to complete this step.
The DNG admin panel now lists sessions for all users connected through the DNG and offers the ability to terminate a user's sessions.

Version 2.0.0 - April 5, 2022

General availability of Remote Desktop access protected by Duo Network Gateway.
Updated OpenSSL to version 1.1.1n to address CVE-2022-0778.
Added configuration checking capabilities to the DNG Admin UI.
No longer executes connectivity checks between the DNG and the internal hosts for RDP and SSH relays.
General fixes to RDP features for issues encountered during the public preview phase.
Reworded help text around "Subdomains" and "App Relay" RDP configuration sections in the UI.
Added anti-caching headers in the DNG Admin Panel to prevent browser caching of potentially sensitive information.
Updated Portal, Admin, and DNS containers to use Debian 11 LTS.
Replaced NGINX with OpenResty version 1.19.9.1.

Version 1.6.1 - February 22, 2022

Fixed issue with dngdns DNS container for RDP to make it pass DNS delegation check performed by Windows Server.
Improved logging output for dngdns DNS container for RDP.
Fixed issues that treated RDP and SSH internal hostnames as case-sensitive.
Offboarding a user now also terminates active SSH and RDP sessions.

Version 1.6.0 - November 18, 2021

Public preview of Remote Desktop access protected by Duo Network Gateway. This feature requires a new additional DNS container, created with network-gateway-1.6.0-subzero.yml.
New configuration checker check-config command line tool too assist with troubleshooting. See the Duo knowledge base for more info about using this tool.
Updated terminology from "SSH Servers" to "SSH Relay"in the admin UI.

Version 1.5.14 - September 29, 2021

Addresses the Let's Encrypt "DST Root CA X3" root certificate expiration on September 30, 2021.
Bug fixes.

Version 1.5.13 - August 24, 2021

Updates NGINX to version v1.20.1 to address CVE-2021-23017.
Improves performance and robustness when updating configuration.
Renames "URI Whitelisting" to "URI Allowlist" in the DNG admin UI with corresponding changes in the scripted config sample and template to use allowlist_* instead of whitelist_*.
Additional bug fixes.

Version 1.5.12 - May 11, 2021

Now reports errors using a password-protected SSL key in either the DNG admin console or scripted configuration instead of causing the admin container to become unresponsive.
Permits setting the maximum body size of a POST request to a value beyond the previously-fixed maximum of 128 MB via the DNG admin console and scripted configuration.

Version 1.5.10 - January 27, 2021

Improved performance under high loads
Disables TLS 1.0 and TLS 1.1 support for improved security.
Adds support for the Duo Universal Prompt with OIDC standards-based redirects. The Duo Prompt no longer loads in an iframe. Learn more about the move to frameless authentication in preparation for Duo Universal Prompt. Toggle the "Enable Frameless" option for Web and SSH applications after installation.

Version 1.5.9 - October 21, 2020

Obscures SAML response signatures in logs so that they cannot be replayed.
Improved logging.
Enables future support for the Duo Universal Prompt.

Version 1.5.8 - July 16, 2020

A disabled login page will now show when the admin UI is disabled using scripted config instead of an error page.
Bug fixes.

Version 1.5.7 - June 8, 2020

For Duo Network Gateways behind load balancers, added the option to specify the addresses of the load balancers so that Duo Network Gateway can trust the X-Forwarded-For header from the load balancer and use the true client IP address for logging, IP restrictions, and passing upstream to protected applications.
Increased the maximum permissible size of Duo Network Gateway restore files to 128MB.

Version 1.5.6 - March 25, 2020

Modified SameSite cookie settings to account for some specialized Duo Network Gateway deployments.
Increased NGINX buffer size to support bigger headers sent from protected applications.

Version 1.5.5 - February 17, 2020

Added support for Google Chrome version 80 SameSite cookie change.
Updated the way Duo Network Gateway generates self-signed certs to conform to macOS 10.15 requirements. Self-signed certs are used during initial setup of the DNG.

Version 1.5.4 - January 8, 2020

Addressed a potential security risk due to the recent NGINX bug fix on incorrect handling of redirection with "error_page" directive.

Version 1.5.3 - November 2019

Fixed bug that would not honor session durations for greater than 24 hours.
Added support for choosing the Host header sent to the protected application.
Added support for using a wildcard in the subdomain for external URLs to be redirected to a specific internal application. Read more at Configure an Application in Duo Network Gateway

Version 1.5.0 - May 2019

Add support for X-Forwarded-Host and X-Forwarded-Proto headers to be sent in requests to protected applications.
Changes to Let's Encrypt to support future requirements from the service.

Version 1.4.4 - March 2019

Containers now get their resolver from the system /etc/resolv.conf at startup
Support for customizing upstream response timeout on web applications
Disabled insecure SSL/TLS versions
Secure TLS redis connections by validating certificates. See the following KB article if you must use a certificate not signed by an authority in the Mozilla CA bundle.

Version 1.4.3 - November 2018

Added support for larger headers from protected web applications.

Version 1.4.2 - October 2018

Fixed bug that would cause Duo Network Gateway to not correctly establish a successful SSH connection in some situations.
Fixed Scripted Configuration bug that would cause Scripted Restore to fail in some cases.

Version 1.4.1 - October 2018

Fixed Scripted Configuration bug that would cause an extra period to be prepended to permitted suffixes

Version 1.4.0 - September 2018

Added the ability to configure Duo Network Gateway without having to use the Admin UI. Read more at Scripted Configuration for Duo Network Gateway
Fixed Let's Encrypt bug that would cause Duo Network Gateway to not renew certificates

Version 1.3.5 - August 2018

Added the ability for Active / Active High Availability
Bug fixes

Version 1.3.2 - April 2018

Added the ability for Scripted Backup and Restore

Version 1.3.1 - April 2018

Bug fixes

Version 1.3.0 - March 2018

Added the ability to protect SSH servers behind the Duo Network Gateway
UI improvements
Now requires minimum version of Docker v1.12 and Docker Compose v1.10

Version 1.2.10 - December 2017

Security patches to address CVE-2018-7340 (DUO-PSA-2017-003)
Bug fixes

Version 1.2.6 - October 2017

Improved experience when using an internal certificate
Only need to accept Let's Encrypt EULA once
Bug fixes

Version 1.2.5 - September 2017

Bug fixes
Updated UI in the Duo Network Gateway admin console

Version 1.2.4 - September 2017

Bug fixes

Version 1.2.3 - August 2017

Performance improvements
Updated UI in the Duo Network Gateway admin console

Version 1.2.2 - July 2017

Bug fixes

Version 1.2.1 - June 2017

Added support for free, automatically renewing certificates from Let's Encrypt
Updated UI in the Duo Network Gateway admin console
Bug fixes

Version 1.1.0 - March 2017

Added Backup and Restore capabilities
Bug fixes

Version 1.0.0 - February 2017

Initial Release