Gozar for Windows Remote Desktop Gateway
Intro
Gozar supports multi-factor authentication on Windows Remote Desktop Gateway (RDG). There is no client installation or additional client configuration. The admin only needs to install GozarAD on a Windows Server running the RADIUS service, which Windows Server provides as the Network Policy Server (NPS) role.
The Windows RDG sends each user authentication request to the RADIUS server. The RADIUS server first verifies the username and password itself (against Active Directory or the local account database), then sends a second-factor request to the Gozar cloud, which completes the authentication with the user's smartphone.
This secures your remote desktop connections with multi-factor authentication: an attacker cannot establish a remote desktop session even if a username and password have been compromised, because approval from the user's phone is still required.
Installing Gozar for Windows RDG involves the following steps:
Install Gozar on NPS Server
Download GozarADSetup.exe and follow the steps below to install GozarAD. You need to install the GozarNPS module; you may install the GozarADFS module at the same time, but it is not required for the RDG service.
If you do not have a jwt access token, obtain one from your dashboard or contact us at support@gozar.io.
After installation, you must add a Gozar group to your Active Directory or to the local Windows users and groups. Next, add every user or group that should get multi-factor authentication to the Gozar group. Keep in mind that the user must authenticate with the full username, including the domain name for Active Directory users or the machine name for local users, for example mydomain\myuser.
For firewall configuration, if you want to stop users from connecting by remote desktop directly, bypassing NPS and the two-factor authentication, you must block the Remote Desktop Protocol (RDP) port, TCP 3389, on the target servers from everything except the RDG server itself (the gateway still reaches the target over that port). The Remote Desktop Gateway ports that must stay reachable are TCP 443 for SSL/TLS and UDP 3391 for the UDP transport of Remote Desktop Connection.
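The firewall posture described above, as an added PowerShell example that is not part of the Gozar documentation. The gateway address 10.0.0.5 and the rule display names are assumptions; the cmdlets are the standard NetSecurity module shipped with Windows Server.

```powershell
# Added example, not from the Gozar docs. Assumption: 10.0.0.5 is the RD Gateway's
# internal interface, the only host that may reach TCP 3389 on target servers.
$RdgAddress = '10.0.0.5'

# ---- On every target remote server (run elevated) ----
# Scope the built-in "Remote Desktop" inbound rules to the gateway only. With no
# other allow rule for 3389, the default inbound block drops direct RDP attempts
# that would bypass NPS and the Gozar second factor.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $RdgAddress

# Check for any other enabled inbound allow rule that still opens TCP 3389 to everyone
# (for example a custom rule added by an earlier administrator).
$leaks = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
if ($leaks) {
    Write-Warning "Rules still exposing TCP 3389 to any address:`n$($leaks.DisplayName -join "`n")"
}

# Show the resulting scope of the RDP rules for review.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Format-Table -Property LocalAddress, RemoteAddress

# ---- On the RD Gateway ----
# Installing the RD Gateway role normally creates equivalent rules; these make
# the two required ports explicit. Display names are assumed.
New-NetFirewallRule -DisplayName 'RD Gateway HTTPS (TCP 443 In)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName 'RD Gateway UDP transport (UDP 3391 In)' -Direction Inbound `
    -Protocol UDP -LocalPort 3391 -Action Allow
```

Scoping the existing allow rules is preferable to adding a block rule: in Windows Firewall a block rule wins over an allow rule, so a blanket block on 3389 would also cut off the gateway's own connection to the target.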
The config file of GozarAD is C:\GozarAD\config.txt and has the following syntax:
{
"jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV...",
"enabled": "true",
"blind": "false",
"debug": "false"
}
The field jwt stores your access token to the Gozar service. You may disable Gozar multi-factor authentication by setting enabled to false.
You may set blind to true to enable blind authentication. In blind authentication, Gozar uses a hash in place of the actual username and does not store any username. This is more private, since the username never leaves your network, but it makes searching for users in the dashboard harder, and the user sees a hash instead of their username in the Gozar App. It is not recommended to change the blind setting once in operation, because it invalidates the previously registered usernames: you would need to remove all previous users and register them again with the Gozar service.
If debug is set to true, GozarAD writes debugging records to its log file, C:\GozarAD\log.txt.
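The config.txt fields above, checked and protected in an added PowerShell example that is not part of the Gozar documentation. The jwt is a bearer credential for your Gozar tenant, so the file deserves the same access control as a private key. The example assumes GozarAD runs as LocalSystem; if it runs under a dedicated service account, grant that account read access as well. The three-segment shape check on the token is an assumption about JWT formatting, not something the Gozar docs state.

```powershell
# Added example, not from the Gozar docs. Assumes GozarAD runs as LocalSystem.
$ConfigPath = 'C:\GozarAD\config.txt'
$LogPath    = 'C:\GozarAD\log.txt'

# 1. Sanity-check the file: valid JSON, the four documented keys, string booleans.
$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
foreach ($key in 'jwt', 'enabled', 'blind', 'debug') {
    if (-not $cfg.PSObject.Properties[$key]) { throw "config.txt is missing '$key'" }
}
foreach ($key in 'enabled', 'blind', 'debug') {
    if ($cfg.$key -notin 'true', 'false') {
        throw "'$key' must be the string 'true' or 'false', got '$($cfg.$key)'"
    }
}
# A JWT is three base64url segments separated by dots (assumption); a token that
# was truncated or pasted with stray quotes fails here instead of at logon time.
if ($cfg.jwt -notmatch '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$') {
    Write-Warning 'jwt does not look like a well-formed access token; re-copy it from the dashboard'
}
if ($cfg.enabled -eq 'false') {
    Write-Warning 'enabled is false: RD Gateway logons are passing with password only'
}
if ($cfg.debug -eq 'true') {
    Write-Warning "debug is true: $LogPath will grow and may record request details; disable after troubleshooting"
}

# 2. Lock the files down: drop inherited ACEs, leave only SYSTEM and Administrators.
#    If GozarAD runs as a dedicated service account, add "<account>:(R)" to the grant list.
icacls $ConfigPath /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
if (Test-Path $LogPath) {
    icacls $LogPath /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
}

# 3. Print the resulting ACL so the change can be reviewed.
icacls $ConfigPath
```

Run it after every edit of config.txt; the warnings are the states (MFA disabled, debug left on) that tend to be forgotten after a troubleshooting session.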
Configure NPS Server
Follow the steps below to configure a Windows Network Policy Server (NPS/RADIUS). This is an example configuration; you may use different settings in your environment.
Configure RDG Server
Follow the steps below to configure a Windows Remote Desktop Gateway. This is an example configuration; you may use different settings in your environment. If your RDG server is separate from the NPS server and forwards authentication through its own local NPS, you need to set the local NPS timeout to 60 seconds, because the second-factor step takes longer than the default NPS timeout allows. For simplicity, in the following example configuration the RDG server and the target remote server are the same machine, but the target can be any server that the RDG server is allowed to connect to.
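The NPS and RDG configuration from the two sections above (register the gateway as a RADIUS client on the central NPS, then raise the forwarding timeout on the gateway's local NPS), as an added example that is not part of the Gozar documentation. Host names, addresses and the shared secret are assumptions. The netsh nps parameter names follow the Windows netsh documentation as I know it; confirm them with `netsh nps set remoteserver ?` on your build before relying on the script.

```powershell
# Added example, not from the Gozar docs. Assumed lab:
#   NPS01  10.0.0.10  central NPS with GozarAD (GozarNPS module) installed
#   RDG01  10.0.0.5   RD Gateway, RD CAP store set to "Central server running NPS"
$Secret = 'replace-with-a-long-random-shared-secret'   # placeholder; generate your own

# ---- On NPS01 (run elevated) ----
# The gateway must be a registered RADIUS client; requests from an unknown client
# address are discarded without a response.
netsh nps add client name="RDG01" address="10.0.0.5" state="ENABLE" `
    sharedsecret="$Secret" requireauthattrib="YES"

# ---- On RDG01 (run elevated) ----
# Choosing "Central server running NPS" in RD Gateway Manager creates the remote
# RADIUS server group "TS GATEWAY SERVER GROUP" with one entry for NPS01. The default
# 3 s timeout is shorter than a user needs to approve the push in the Gozar app, so
# the local NPS would mark the request dropped and NPS01 unavailable (blackout).
# The address must match the entry exactly as the wizard recorded it.
netsh nps set remoteserver remoteservergroup="TS GATEWAY SERVER GROUP" address="10.0.0.10" `
    timeout=60 blackout=60 requireauthattrib="YES"

# Confirm the values actually changed before testing a logon.
netsh nps show remoteserver remoteservergroup="TS GATEWAY SERVER GROUP"
```

Keep the shared secret identical on both sides and long (RADIUS shared secrets are the only thing protecting the password in transit), and leave requireauthattrib set to YES so that forged Access-Accept replies without a valid Message-Authenticator are rejected.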
Test Remote Desktop Client
Follow the steps below to configure a Windows remote desktop client. This is an example configuration; you may use different settings in your environment. You may use the built-in Windows remote desktop client or any similar tool. In this example we use the hosts file to resolve the RDG server name to its IP address, but if your environment has a DNS server there is no need to define the name locally.
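The client-side test described above, as an added PowerShell example that is not part of the Gozar documentation. The gateway name rdg01.corp.example, its address 203.0.113.10 and the target host srv01 are assumptions; the .rdp keys are the documented Remote Desktop Connection settings.

```powershell
# Added example, not from the Gozar docs. Run elevated on the test client
# (writing the hosts file requires administrator rights). Assumed names:
#   rdg01.corp.example 203.0.113.10  the RD Gateway
#   srv01                             the target server behind the gateway

# 1. Name resolution without an internal DNS server: a hosts entry, as in the doc.
$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$Entry     = "203.0.113.10`trdg01.corp.example"
if (-not (Select-String -Path $HostsFile -Pattern 'rdg01\.corp\.example' -Quiet)) {
    Add-Content -Path $HostsFile -Value $Entry
}

# 2. An .rdp file that forces the session through the gateway.
#    gatewayusagemethod 1 = always use the gateway. Do not use 2 ("bypass for local
#    addresses"): on the internal network it would skip NPS and the second factor.
#    gatewaycredentialssource 0 = prompt for password, which is what NPS sends to Gozar.
$RdpFile = "$env:USERPROFILE\Desktop\srv01-via-rdg.rdp"
@"
full address:s:srv01
gatewayhostname:s:rdg01.corp.example
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
"@ | Set-Content -Path $RdpFile -Encoding ASCII

# 3. Launch the client. Log in to the gateway as DOMAIN\user (the full username the
#    Gozar group needs), then approve the push in the Gozar app before the NPS
#    timeout expires.
mstsc.exe $RdpFile
```

A useful negative test after the positive one: point the same client straight at srv01 on TCP 3389 with `mstsc.exe /v:srv01`; with the firewall scoped to the gateway, that attempt must fail.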