Global Policy is to Allow without MFA Until Enrolled
To set up a new customer with Duo:
First, reach out to the customer for a list of user email accounts and who to make their Duo user administrator.
While you wait on this info, you can install Duo on their VM:
For most customers we will need to add the IIS Management Scripts and Tools feature to their VM first (add Role Services for the IIS Role > check "IIS Management Scripts and Tools").
(Links below were provided in the documentation linked in the Application in Duo)
RDP Installer: https://dl.duosecurity.com/duo-win-login-latest.exe
RDP for ALL customers
(RD Web is redundant; it only protects the portal, not the actual server access)
The documentation walks through the setup, but the main things are:
Run the RD Web msi from an elevated command prompt.
Run RDP installer as Administrator.
The installer sometimes takes a while before it lets you click the first "Next" button. If it takes longer than 30 seconds, it's sometimes faster to close and reopen it.
Copy the integration/secret key/api host name from the dashboard to the installer.
Keep "Bypass when Offline" checked. This sets Duo to bypass if Duo's servers cannot be reached, which should only happen when there is an issue on Duo's end, so leave it checked to avoid calls if/when Duo is down. If we cannot reach the internet, or the customer can't, they wouldn't be able to connect to us anyway.
You can use "Generate new session key" unless it's a dedicated customer with an RD Gateway.
On the Microsoft RDP setup screen, make sure to check "Only use for RDP connections" (that way we can use console sessions in Hyper-V without authenticating to Duo every time).
Once you get the list of emails, set up a group in AD containing their users and name it CompanyName_Duo. You will also need to add the email address to each of their users in AD.
Now we can use Active Directory Sync in Duo to pull in the group you made in the previous step.
Then we need to create an Administrative Unit that is assigned to manage their Group:
Administrators > Administrative Units > Create Administrative Unit
Give it their company name for Name and Description and assign their group from AD Sync to it.
Then you can create an administrator and add them to the Administrative Unit as a User Manager (only able to see/edit users; limited by AD Sync to adding/changing devices and bypass codes).
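The VM prep and AD steps above (IIS feature, CompanyName_Duo group, email attribute on each user) as a PowerShell script. This is an added example, not part of the original runbook; the company name, OU path and email list are placeholders, and it assumes the RSAT ActiveDirectory module is installed and that AD Sync reads the default mail attribute.

```powershell
# Added example: scripted version of the VM-prep and AD steps in the runbook.
# Assumes RSAT ActiveDirectory module, run as Administrator on the customer VM
# (or a box joined to their domain). All values below are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$CompanyName = 'ExampleCo',                               # placeholder
    [string]$UserOU      = 'OU=ExampleCo,DC=corp,DC=example',         # placeholder
    [string[]]$Emails    = @('alice@example.com', 'bob@example.com')  # constructed list
)
Import-Module ActiveDirectory

# 1. VM prep: "IIS Management Scripts and Tools" is the Web-Scripting-Tools feature.
if (-not (Get-WindowsFeature Web-Scripting-Tools).Installed) {
    Install-WindowsFeature Web-Scripting-Tools | Out-Null
}

# 2. Create CompanyName_Duo so Duo AD Sync has one group to pull in.
$groupName = "${CompanyName}_Duo"
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $UserOU
}

# 3. Stamp each email on its AD account (AD Sync reads the 'mail' attribute by
#    default, assumption) and add the account to the group. Lookup assumes the
#    sAMAccountName is the local part of the email; adjust if the customer differs.
$missing = @()
foreach ($email in $Emails) {
    $sam  = ($email -split '@')[0]
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -SearchBase $UserOU
    if (-not $user) { $missing += $email; continue }
    Set-ADUser $user -EmailAddress $email
    Add-ADGroupMember -Identity $groupName -Members $user
}

# 4. Read back exactly what AD Sync will see, and flag any email with no matching
#    AD account so it is fixed before the sync runs instead of being left unenrolled
#    (and therefore allowed in without MFA under the global policy).
Get-ADGroupMember $groupName | Get-ADUser -Properties mail |
    Select-Object SamAccountName, mail | Format-Table -AutoSize
if ($missing) { Write-Warning "No AD account found for: $($missing -join ', ')" }
```

Run it before kicking off AD Sync in the Duo admin panel, then re-run the final read-back after the sync to confirm every group member shows up in Duo with an email.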