Add a Protected SSH Server Application

This section describes steps for adding protected SSH applications to a DNG deployed within Secure Firewall Cloud Native.

Before you begin

  • Identify the SSH application you'd like to protect with Duo Network Gateway.

  • Obtain an SSL certificate for your application from a commercial certificate authority (CA) using the fully qualified external DNS name of your application as the common name (e.g. This secures the connection between your external users and the Duo Network Gateway server.

  • If the application you'll be protecting is communicating over HTTPS you will also need to obtain the Base64-encoded X.509 (pem, cer, or crt) formatted version of the application's certificate bundle including the issuing certificates and the root certificate. You may also use a wildcard SSL certificate.

  • Ensure that a minimum of one Duo Admin Panel is onboarded into your CDO tenant.


Step 1

In the CDO navigation bar, choose Secure Connect Choice > Protected Applications.

Alternatively, you can select an SFCN DNG device and in the Management pane on the left, click Protected SSH Servers.


You can click the copy button () in the application row to create a new application from an existing one. When creating the application, you can modify the prepopulated fields.

Step 2

Click the SSH Server Applications tab, click + to add a SSH application.

The Add Protected Web Application screen provides normal and advanced views. The simple view displays the minimum parameters required for creating a SSH server application, whereas the advanced view displays advanced fields for SSH server creation.

You can move the Advanced View slider to the right to view the advanced fields required for application creation.

  • In the Select Region, choose a region in which you want to protect web applications.

  • Posture Policy (from Duo): Select a posture policy created in Duo Admin Panel.

    You can create a policy in the Duo Admin Panel. Click the web URL of the Duo Admin Panel provided in this field and then create it. Click the refresh icon to read the latest changes from the Duo Admin Panel. See Duo Administration - Protecting Applications.

Step 3

In the normal view, you can configure the following fields:

  • Automatically Create DNS Entries: Enable this check box to auto-create the DNS record for the external URL, which will be specified in the External URL field.

  • External URL: Specify the public facing URL of the SSH server application Duo Network Gateway is protecting.

    You must create a Canonical Name (CNAME) record in your DNS records to map the external URL specified here. The field displays the value of the record to be used in DNS records. In the following example, the value is "".

    A wildcard external URL such as https://* can also be used, which will automatically route all subdomains of to this application that are not already defined as a separate application in Duo Network Gateway. When using a wildcard URL the internal application must be able to distinguish between the various hostnames.

    You must create a Canonical Name (CNAME) record in your DNS records to map the external URL specified here. The field displays the value of the record to be used in DNS records.

  • Use Wildcard Certificate: Enable this check box to use wildcard certificate to present for the SSH server application. If enabled, you don't have to specify the external SSL certificate and its private key.

    We do not validate the Common Name (CN) of the wildcard certificate keypair to check whether it matches the managed domain name nor we check if it is a wildcard certificate.

    This certificate information is stored in the SFCN cluster's CRD metadata, so deleting and reonboarding a cluster will not require entering this information again.

  • External SSL Certificate: Click Browse and upload your own SSL certificate.

    Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external URL of the application. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate.

  • External SSL Certificate Key: Click Browse and upload the private key.

    Base64-encoded X.509 (pem, cer, or crt) private key for the application's external URL certificate.

  • Internal URL : Enter the IP address or DNS address of the SSH server application Duo Network Gateway is protecting.

    If you used the same URL for the application's internal and external URLs, ensure that an internal DNS record for this hostname exists and points to the internal application server IP.


    If you provided the DNS address, ensure you have added your internal DNS resolver to CDO and configured it to point to the internal IP address of the protected application. The DNS resolvers resolve the Fully Qualified Domain Name (FQDN) into IP addresses.

  • Internal Ports: If the internal application communicates on a port other than 80 or 443 specify the port. Your internal application can communicate over HTTP or HTTPS. For example, internal URL - https://wiki.local:8090.

Step 4

If you have enabled the advanced view, you can configure the following fields:

  • Enable Frameless slider to the right to provide frameless support for Duo Universal Prompt.

  • Session Duration (Minutes): Specify the maximum user session duration for a specific application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480.

Step 5

You can add multiple application's URL by clicking Add.

Step 6

If you want to create another SSH server application with the same values, click Create another.

Step 7

Click Save. A new SSH server application is created.

If you have opted to create another SSH server application, most of the common fields from the previous application are copied automatically to the next application created.

Step 8

Deploy the changes you made to the region. See Deploy the Configuration Changes.

The SSH server application is created and deployed on the device. You can click the application to see its details. You can also see the expiry date of the external certificate uploaded during the application creation.