Updated: 19 Jun 2026
A Cisco Duo deployment has six prerequisite categories: Active Directory infrastructure, network connectivity, a server for the Authentication Proxy, application inventory, user population data, and a credential audit. These are the Cisco Duo requirements that determine whether a deployment succeeds from day one. Organisations that complete all six before configuration begins deploy faster, encounter fewer complications, and produce a compliance-ready evidence package from the start.
In India, Cisco Duo is deployed through authorised partners, including Proactive Data Systems, a Cisco Preferred Security Partner, which manages the full prerequisite phase as part of every engagement.
Cisco Duo integrates with Active Directory as its primary directory source. The Authentication Proxy connects to AD via LDAP or LDAPS. The minimum supported version is Windows Server 2012 R2. Windows Server 2016 or later is recommended.
For organisations using Azure Active Directory or Microsoft Entra ID, Duo integrates via SAML or the Authentication Proxy configured for Azure AD sync. Both on-premises AD and cloud-based Entra ID are supported simultaneously in hybrid environments, which describes most mid-market Indian enterprise environments.
For organisations using other LDAP directories such as OpenLDAP, Duo's Authentication Proxy supports generic LDAP integration.
One common prerequisite gap in Indian enterprise environments: Active Directory that has not been formally reviewed since initial deployment. User accounts accumulate over the years. Stale accounts, orphaned groups, and accounts without owners create both a security risk and a deployment complication. The credential audit, described in its own section below, addresses this before Duo configuration begins.
The Duo Authentication Proxy is the software component that handles communication between on-premises infrastructure and Cisco Duo's cloud service. It is required for any deployment that includes VPN MFA, on-premises application MFA, or LDAP-based directory integration.
The server requirements are modest: a dedicated Windows Server 2016 or later, or a supported Linux distribution, with 4 GB RAM and 10 GB of available disk space. A virtual machine within existing infrastructure is the standard deployment approach. A dedicated physical server is not required.
The Authentication Proxy server must be able to reach api.duosecurity.com and the Cisco Duo cloud endpoints outbound over HTTPS on port 443. It must also reach Active Directory domain controllers over LDAP port 389 or LDAPS port 636.
For Indian enterprises with CERT-In data residency requirements, the Authentication Proxy communicates with Cisco Duo's Mumbai data centre. All authentication data for Indian tenants is processed and stored in India.
Cisco Duo requires outbound HTTPS connectivity from the Authentication Proxy server to Cisco Duo's cloud service on port 443. No inbound firewall rules are required. Cisco Duo does not require opening any inbound ports on the corporate firewall.
For VPN MFA deployments, the VPN concentrator must support RADIUS authentication and must be able to reach the Authentication Proxy server over UDP port 1812. The majority of VPN platforms deployed in Indian enterprise environments - Cisco ASA, Cisco FTD, Palo Alto GlobalProtect, Fortinet FortiGate, and Check Point - support RADIUS and are compatible with Cisco Duo.
Network latency between the Authentication Proxy and the Duo cloud service affects authentication speed. Cisco Duo's Mumbai data centre reduces this latency for Indian deployments compared to MFA platforms without India-resident infrastructure.
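The connectivity requirements above can be checked from the proxy server before any Duo configuration is written. The following preflight is an added example, not Cisco's or Proactive's tooling; the function names and the domain controller hostname are assumptions made for illustration.

```python
import socket

def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name did not resolve
        return False

def preflight(duo_api_host, domain_controllers, probe=tcp_probe):
    """Check the paths the Authentication Proxy needs; run on the proxy server."""
    report = []
    # Outbound HTTPS to the Duo cloud service.
    report.append({"target": duo_api_host, "need": "HTTPS 443",
                   "status": "ok" if probe(duo_api_host, 443) else "fail"})
    # Each domain controller must answer on LDAPS 636 or LDAP 389.
    for dc in domain_controllers:
        open_ports = [p for p in (636, 389) if probe(dc, p)]
        report.append({"target": dc, "need": "LDAPS 636 or LDAP 389",
                       "status": "ok" if open_ports else "fail",
                       "open_ports": open_ports})
    # RADIUS runs from the VPN concentrator to the proxy over UDP 1812.
    # A TCP connect from this host cannot confirm it, so flag it for a
    # manual test from the concentrator side.
    report.append({"target": "vpn-concentrator",
                   "need": "RADIUS UDP 1812 to proxy", "status": "manual"})
    return report

def failures(report):
    """Targets that block deployment until the network path is fixed."""
    return [r["target"] for r in report if r["status"] == "fail"]

if __name__ == "__main__":
    # Constructed offline demo: pretend only ports 443 and 636 are reachable.
    fake = lambda host, port: port in (443, 636)
    # dc01.corp.example is a placeholder hostname.
    for row in preflight("api.duosecurity.com", ["dc01.corp.example"], probe=fake):
        print(row)
```

Calling `preflight` without the `probe` argument performs real connection attempts, so run it from the server that will host the Authentication Proxy.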
Before deployment begins, every application requiring MFA protection must be identified and documented. This step is most frequently skipped and most frequently regretted.
Most Indian enterprise environments contain applications not in any formal IT asset register. Legacy applications provisioned by individual teams, vendor-specific tools installed for specific projects, and inherited applications from previous infrastructure migrations appear during deployment without warning.
The application inventory should capture: application name, authentication method (SAML, RADIUS, LDAP, or agent-based), hosting environment (cloud, on-premises, or SaaS), user population, and whether the application stores or processes personal data under DPDPA or regulated data under RBI, CERT-In, or SEBI frameworks.
An incomplete application inventory does not prevent deployment from starting. It prevents deployment from finishing correctly.
Accurate user population data determines the licence count, shapes the deployment phasing, and informs the enrolment communication plan.
The user population for a Cisco Duo deployment is not the total headcount. It is the number of individuals who will authenticate through Duo. This breaks into four groups: privileged administrators, remote access users, general workforce, and third-party vendors. Each group has different factor requirements, different enrolment approaches, and different compliance implications.
Privileged administrators require phishing-resistant MFA. Remote access users require RADIUS-based MFA on the VPN. The general workforce requires enrolment through the Duo self-service portal. Vendors require time-limited named credentials rather than permanent accounts.
User population data should come from the credential audit, not the HR system. The HR system records who is employed. The credential audit records who has active system access. These two lists are rarely identical.
The credential audit is the most important prerequisite for a Cisco Duo deployment. It is also the most frequently skipped. A credential audit maps every account with access to every system Duo will protect. It finds stale accounts from closed vendor engagements, shared credentials across multiple individuals, former-employee accounts never deactivated, and accounts with access scopes never reviewed after initial provisioning.
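The comparison between the HR roster and active accounts, and the stale and ownerless accounts the audit looks for, can be reduced to a reconciliation over a directory export. This is an added example, not part of the original page or any vendor tooling; the CSV columns, the account names, and the 90-day staleness threshold are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

STALE_AFTER_DAYS = 90  # assumed threshold; set it from your access policy

# Constructed sample data: a directory export and the HR active-employee IDs.
AD_EXPORT = """sam,enabled,last_logon,employee_id
a.sharma,true,2026-06-10,E1001
r.iyer,true,2026-06-12,E1002
k.mehta,true,2026-05-30,E0977
vendor_acme,true,2025-11-02,
svc_backup,true,2026-06-15,
p.nair,false,2025-09-01,E0850
"""
HR_ACTIVE = {"E1001", "E1002"}

def audit(ad_csv, hr_active, today):
    """Return (findings, population): flagged accounts and accounts to enrol."""
    findings, population = {}, []
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    for row in csv.DictReader(io.StringIO(ad_csv)):
        if row["enabled"].lower() != "true":
            continue  # disabled accounts cannot authenticate
        reasons = []
        if not row["employee_id"]:
            reasons.append("no_owner")      # no named individual behind it
        elif row["employee_id"] not in hr_active:
            reasons.append("not_in_hr")     # access outlived the employment
        last = row["last_logon"]
        if not last or date.fromisoformat(last) < cutoff:
            reasons.append("stale")         # never used, or unused too long
        if reasons:
            findings[row["sam"]] = reasons
        else:
            population.append(row["sam"])
    return findings, population

if __name__ == "__main__":
    findings, population = audit(AD_EXPORT, HR_ACTIVE, date(2026, 6, 19))
    for sam, reasons in findings.items():
        print(f"REVIEW {sam}: {', '.join(reasons)}")
    print("Enrol in Duo:", population)
```

Accounts in `findings` are resolved (disabled, assigned an owner, or converted to named credentials) before enrolment; only `population` feeds the licence count.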
In Proactive's deployment experience across Indian enterprise environments in Delhi, Mumbai, Pune, Bengaluru, and Hyderabad, the credential audit finds accounts that should not exist in every engagement. The specific finding varies by sector and organisation size. The finding itself does not vary.
Deploying Cisco Duo without first completing a credential audit protects all existing accounts, including the ones that should not exist. The CERT-In auditor, the RBI examiner, and the breach investigator will find what the deployment did not address.
The audit also produces the access register that CERT-In and RBI examiners request. Building it as a deployment prerequisite rather than assembling it under examination pressure is the difference between an organisation that is audit-ready and one that is audit-exposed.
For Indian enterprises deploying Cisco Duo for CERT-In or RBI compliance, two additional prerequisites apply.
India-resident log storage. CERT-In CISG-2025-02 requires 180-day authentication log retention stored in India. A SIEM or log management platform with confirmed India-resident storage must be in place before deployment begins. Configuring log export from Cisco Duo to this platform on day one ensures the 180-day retention clock starts from the correct date. Retrofitting this after deployment creates a gap in the log record that an auditor will notice.
Compliance evidence package structure. The seven-element evidence package that RBI and CERT-In examiners request must be structured before configuration begins. The seven elements are: deployment architecture document, user population register, authentication log exports, vendor access register, break-glass procedure with bypass code log, device enrolment records, and signed access control policy. Each element is populated as the deployment progresses. Starting the structure at the end means key elements are missing or incomplete.
For a typical Indian enterprise with an existing Active Directory environment and functioning network infrastructure, the technical prerequisites take three to five days to complete.
The credential audit takes three to five days for an organisation with 500 to 2,000 users. Larger organisations or those with complex vendor access take longer.
India-resident log storage setup depends on whether a SIEM is already in place. Organisations with an existing SIEM configure the Duo log export in one to two days. Organisations without one need to select and deploy a log management platform first. This is the prerequisite most likely to affect the overall deployment timeline.
Total prerequisite phase: one to two weeks for most Indian enterprise environments. This phase is not overhead. It is the work that determines whether the deployment succeeds.