New Duo Feature Lets Users Skip the VPN Hassle

This article has been indexed from The Duo Blog.

It’s a new ending to a familiar story of frustration for users trying to access internal company resources. 

The Remote Desktop Protocol (RDP) feature for the Duo Network Gateway prompts users to authenticate only when necessary, instead of letting them try and fail first and then making them try again after logging in to the company’s virtual private network (VPN).

Now that this friction-reducing feature is in public preview, we wanted to share some inside perspective on how it works and what informed our design.

A Familiar Story

We are all very familiar with the current state of remote access with a VPN:

  • Try to access internal company website
  • Fail to access internal company website
  • Wonder why it’s failing for a moment
  • Log in to the VPN
  • Try to access internal company website again and hopefully succeed

The Duo Network Gateway (DNG), a VPN-less remote access proxy gateway, elegantly solves this problem for websites, streamlining the end user’s experience:

  • Try to access internal company website
  • Get prompted for authentication with your identity provider (IdP)
  • Get prompted for multi-factor authentication (MFA) with Duo
  • Proceed to internal company website

End users are only re-prompted to authenticate if their session expires or is terminated by an administrator.

A User-Centered Flow

We love this flow: Users do the thing they want to do, and they might get prompted to authenticate if necessary. We don’t love this flow: Users do the thing they want to do, but, if it fails, they have to think about what to do next. 

For SSH connections, the DNG and DuoConnect (our lightweight client for remote access) can leverage the SSH client’s “ProxyCommand” capability, which lets administrators modify SSH configurations to specify that certain connections should use DuoConnect with specific arguments.
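An added example, not from the original post or Duo's documentation: a small checker that resolves which ProxyCommand OpenSSH would apply to a hostname (the first obtained value wins), so an administrator can confirm which internal hosts route through the gateway client. The sample configuration, the hostnames and the duoconnect arguments are constructed assumptions.

```python
import fnmatch
import re
import shlex

# Constructed sample ssh_config. The duoconnect arguments are assumptions for
# illustration; %h and %p are OpenSSH tokens for the target host and port.
SAMPLE_CONFIG = """\
Host *.internal.example.com !build.internal.example.com
    ProxyCommand duoconnect -host=%h:%p -relay=https://relay.example.com

Host legacy-*
    ProxyCommand none

Host *
    ServerAliveInterval 60
"""

def host_matches(patterns, hostname):
    """A Host line matches if a positive pattern hits and no negated (!) one does."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched

def effective_proxy(config_text, hostname):
    """Return the ProxyCommand argv ssh would use for hostname, or None.
    Match blocks and Include files are not handled."""
    active = True  # directives before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        m = re.match(r"\s*(\w+)\s*(?:=\s*|\s+)(.*\S)", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "proxycommand" and active:
            # ssh keeps the first value it obtains; "none" disables proxying
            return None if value.lower() == "none" else shlex.split(value)
    return None

def bypassing_hosts(config_text, hostnames, client="duoconnect"):
    """List hostnames whose connection would not go through the given client."""
    result = []
    for name in hostnames:
        argv = effective_proxy(config_text, name)
        if not argv or argv[0] != client:
            result.append(name)
    return result
```

On a real machine, `ssh -G <host>` prints the configuration OpenSSH resolves for that host and is the authoritative check.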

With the DNG, connecting to an SSH server is as simple and frictionless as accessing a web server: after initiating the SSH co

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
