Gozar for Windows Remote Desktop Gateway

Intro

Gozar supports multi-factor authentication on Windows Remote Desktop Gateway (RDG). No client installation or additional client-side configuration is needed. The admin only needs to install GozarAD on a Windows Server that runs the RADIUS service, which in Windows Server is the Network Policy Server (NPS) feature.

The Windows RDG sends the user authentication request to the RADIUS server. The RADIUS server first authenticates the username and password internally and then sends a second-factor authentication request to the Gozar cloud, which authenticates the user through the Gozar app on their smartphone.

This secures your remote desktop connections with multi-factor authentication: an attacker cannot open a remote desktop session even if a username and password have been compromised.

Installing Gozar for Windows RDG consists of the following steps:

Install Gozar on NPS Server

Download GozarADSetup.exe and follow the steps below to install GozarAD. You need to install the GozarNPS module; you may install the GozarADFS module at the same time, but it is not required for the RDG service.

If you do not have a JWT access token, use your dashboard to obtain one or contact us at support@gozar.io.

After installation, you must add the Gozar group to your Active Directory or to the local Windows users and groups. Next, add any user or group to the Gozar group to require multi-factor authentication for them. Keep in mind that users must authenticate with their full username, including the Domain Controller name for Active Directory users or the machine name for local users, for example mydomain\myuser.

For firewall configuration: if you want to prevent users from connecting by direct remote desktop, bypassing NPS and two-factor authentication, you must block the Remote Desktop Protocol (RDP) port, TCP 3389. The Remote Desktop Gateway ports are TCP 443 for SSL/TLS and UDP 3391 for Remote Desktop Connection.
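The firewall rules described above, as an added PowerShell example that is not part of the Gozar documentation. It assumes Windows Defender Firewall with the default inbound action set to Block, and 10.0.0.5 is a placeholder for the RDG server's address.

```powershell
# Added example, not Gozar's own code. Run elevated on each server.
# Assumes Windows Defender Firewall with the default inbound action "Block";
# 10.0.0.5 is a placeholder for the RDG server's address.
$RdgAddress = '10.0.0.5'

# --- On the RDG server: open only the gateway ports ---
New-NetFirewallRule -DisplayName 'RDG HTTPS (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName 'RDG UDP transport (UDP 3391)' -Direction Inbound `
    -Protocol UDP -LocalPort 3391 -Action Allow

# --- On each target remote server (and on the RDG host if it is also the target) ---
# Disable the built-in "Remote Desktop" allow rules so TCP 3389 is no longer
# reachable from everywhere; with the default inbound action Block, that closes it.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# The gateway itself still has to reach the target on TCP 3389 to proxy the
# session, so allow 3389 from the RDG address only.
New-NetFirewallRule -DisplayName 'RDP (TCP 3389) from RDG only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $RdgAddress -Action Allow

# --- Check: list every enabled inbound rule that still allows TCP 3389 ---
# Expect only the "from RDG only" rule, scoped to $RdgAddress.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
```

If the check lists any rule other than the one scoped to the RDG address, direct RDP is still possible and that rule should be disabled as well.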

The config file of GozarAD is under C:\GozarAD\config.txt and has the following syntax:

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV...",
  "enabled": "true",
  "blind": "false",
  "debug": "false"
}

The jwt field stores your access token for the Gozar service. You may disable Gozar multi-factor authentication by setting enabled to false.

You may set blind to true to enable blind authentication. In blind authentication, Gozar uses hashes instead of the actual usernames and does not store any username. This is more secure, since you do not send your usernames to an external network, but it makes searching for usernames in the dashboard harder, and the user sees a hash instead of their username in the Gozar app. It is not recommended to change the blind setting in the middle of operation, because it invalidates the previous usernames and you would need to remove all previous users and register them again in the Gozar service.

If debug is set to true, debugging records are written to the log file. The log file of GozarAD is at C:\GozarAD\log.txt.

Configure NPS Server

Follow the steps below to configure a Windows Network Policy Server (NPS/RADIUS). This is an example configuration; you may use different settings in your environment.

Configure RDG Server

Follow the steps below to configure a Windows Remote Desktop Gateway. This is an example configuration; you may use different settings in your environment. If your RDG server is separate from the local NPS, you need to set the local NPS timeout to 60 seconds so that it works with the Gozar service. For simplicity, in the following example configuration the RDG server and the target remote server are the same machine, but the target remote server can be any server under the control of the RDG server.

Test Remote Desktop Client

Follow the steps below to configure a Windows remote desktop client. This is an example configuration; you may use different settings in your environment. You may use the built-in Windows remote desktop client or any similar tool. In this example, we use the hosts file to resolve the RDG server name to its IP address, but if you have a domain server in your environment there is no need to define the name locally.