How do I verify that I have TLS/SSL connectivity to Duo's service?

Submitted by 自作多情 on 2019-12-23 10:04:39

From a browser
Attempt to reach https://api.duosecurity.com/auth/v2/ping via a web browser on the same network as your server. Successful access will result in a web page displaying a JSON response code. Example:

{"response": {"time": 1445354727}, "stat": "OK"}

This indicates that port 443 is open, which is necessary for communication to our cloud service. Note: This browser test is specific to the device you're testing from and may not have the same egress point as a firewall or other device you're attempting to integrate with Duo.

  • If you are able to access the URL above, check the certificate used to access that site by clicking on the icon beside "https://" in your browser bar. The certificate should be issued to *.duosecurity.com. If it is issued to some other name, then there is likely an SSL proxy intercepting the connection. In that case, make an exception in the SSL proxy for *.duosecurity.com.
  • If you are not able to access the URL above, or do not receive a JSON response code similar to the example, there may be a firewall rule in place preventing communication.
  • If you receive an error message when accessing the page via Internet Explorer, you need to download and install the following certificates from https://www.digicert.com/digicert-root-certificates.htm in the local certificate store for all users (Note: This most commonly affects Windows Server 2008 R2 or earlier, but it is possible that later server versions may also lack the proper certificates):
    • DigiCert High Assurance EV Root CA 
    • DigiCert SHA2 High Assurance Server CA


Via Telnet
This approach will provide accurate information regardless of network configuration.

From a command line, run:

telnet <IP address/API-hostname> 443


Successful connection is usually determined by a message such as "Connected to api.duosecurity.com," but may vary depending on the method used to establish the telnet connection. If the connection is not successful, there may be a firewall rule in place preventing communication.

Via PowerShell
This method is useful as it will also provide accurate information regardless of network configuration.

From a PowerShell Command line, run:

Invoke-WebRequest -Uri https://api.duosecurity.com/auth/v2/ping

Note: If you have TLS 1.0 disabled, run the following command before the command above:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


A successful response should look similar to the output below; the Content line is the part to check:

StatusCode        : 200
StatusDescription : OK
Content           : {"response": {"time": 1481915427}, "stat": "OK"}
RawContent        : HTTP/1.1 200 OK
                    Connection: keep-alive
                    Pragma: no-cache
                    Strict-Transport-Security: max-age=31536000
                    Content-Security-Policy: default-src 'self'; img-src 'self' ; connect...
Forms             : {}
Headers           : {[Connection, keep-alive], [Pragma, no-cache], [Strict-Transport-Security, max-age=31536000],
                    [Content-Security-Policy, default-src 'self'; img-src 'self' ;
                    connect-src 'self']...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 48


If you are running PowerShell 2.0 on Server 2008 R2, you may experience an issue trying to run Invoke-WebRequest due to the command not being found. This cmdlet was not introduced until PowerShell 3.0. You can install it on PowerShell 2.0 from the following Microsoft page:
https://www.microsoft.com/en-gb/download/details.aspx?id=40855
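
The three checks above (port 443 reachable, certificate really issued to *.duosecurity.com, and /auth/v2/ping answering with "stat": "OK") can be run together from one PowerShell session. The script below is an added example written for this page; it is not part of Duo's article or Duo's own tooling. It uses the hostname and endpoint given on the page and assumes PowerShell 3.0 or later (for Invoke-RestMethod) and the .NET SslStream class. The parameter names ($ApiHost, $Port), the duosecurity.com subject match and the output format are this script's own choices.

```powershell
# Added example, not from Duo's KB article: runs the page's three connectivity
# checks from PowerShell 3.0+ using only .NET classes. Parameter names and the
# output format are assumptions made for this script.
param(
    [string]$ApiHost = 'api.duosecurity.com',   # replace with your own API hostname
    [int]$Port = 443
)

# Force TLS 1.2, the same fix the page gives for environments with TLS 1.0 disabled.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# --- 1. Port check: the telnet test. Only proves that egress on 443 is allowed. ---
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ApiHost, $Port)
    Write-Host "[OK]   TCP connection to ${ApiHost}:${Port} succeeded"
} catch {
    Write-Host "[FAIL] TCP connection to ${ApiHost}:${Port} failed: $($_.Exception.Message)"
    Write-Host "       A firewall rule is probably blocking outbound 443."
    exit 1
}

# --- 2. TLS handshake and certificate check: what the browser lock icon shows. ---
# If the chain does not validate, AuthenticateAsClient throws (for example when the
# DigiCert roots the page lists are missing from the local store). If it validates
# but the subject is not a duosecurity.com name, a TLS-inspecting proxy is
# re-signing the connection and needs an exception for *.duosecurity.com.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($ApiHost)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    Write-Host "[OK]   TLS handshake completed ($($ssl.SslProtocol))"
    Write-Host "       Subject : $($cert.Subject)"
    Write-Host "       Issuer  : $($cert.Issuer)"
    Write-Host "       Expires : $($cert.NotAfter)"
    if ($cert.Subject -match 'CN=[^,]*duosecurity\.com') {
        Write-Host "[OK]   Certificate is issued to a duosecurity.com name"
    } else {
        Write-Host "[WARN] Certificate is not issued to duosecurity.com; an SSL proxy is likely intercepting"
    }
} catch {
    Write-Host "[FAIL] TLS handshake failed: $($_.Exception.Message)"
    exit 1
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# --- 3. Application check: the /auth/v2/ping endpoint from the page. ---
# A real answer is JSON with "stat": "OK". An HTML block page or a proxy error
# page does not parse into an object with a stat property, so it lands in WARN.
try {
    $ping = Invoke-RestMethod -Uri "https://$ApiHost/auth/v2/ping" -Method Get
    if ($ping.stat -eq 'OK') {
        # response.time is Unix epoch seconds (see the page's sample JSON)
        $epoch   = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
        $duoTime = $epoch.AddSeconds($ping.response.time)
        Write-Host "[OK]   /auth/v2/ping returned stat=OK (Duo server time $($duoTime.ToString('u')))"
    } else {
        Write-Host "[WARN] /auth/v2/ping returned an unexpected body: $ping"
    }
} catch {
    Write-Host "[FAIL] HTTPS request to /auth/v2/ping failed: $($_.Exception.Message)"
    exit 1
}
```

Save the script and run it with your own API hostname, for example `-ApiHost <your API hostname>`. The value of running the steps in this order is that each one isolates a different failure mode the page describes: step 1 failing points at a firewall rule, step 2 throwing points at missing root certificates in the local store, step 2 warning points at an SSL proxy, and step 3 confirms that the HTTP request actually reaches Duo rather than a block page.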
