Gozar for Windows VPN
Intro
Gozar supports multi-factor authentication on Windows VPN Server. There is no client installation or additional configuration. The admin only needs to install GozarAD on a Windows Server running the RADIUS service, which is called the Network Policy Server feature in Windows Server.
The Windows VPN Server requests user authentication from the RADIUS server. Next, the RADIUS server authenticates the username and password internally and sends a second-factor authentication request to the Gozar cloud, which authenticates the user with their smartphone.
So, you protect your network with a VPN connection and secure the VPN with multi-factor authentication. A hacker cannot enter your network even if a username and password have been compromised.
Installing Gozar for Windows VPN has the following steps:
Install Gozar on NPS Server
Download GozarADSetup.exe and follow the steps below to install GozarAD. You need to install the GozarNPS module; you may install the GozarADFS module at the same time, but it is not required for the VPN service.
If you do not have a jwt access token, please use your dashboard to obtain it or contact us at support@gozar.io.
After installation, you must add the Gozar group to your Active Directory or to the local Windows users and groups. Next, add any user or group to the Gozar group for multi-factor authentication.
The config file of GozarAD is located at C:\GozarAD\config.txt and has the following syntax:
{
"jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV...",
"enabled": "true",
"blind": "false",
"debug": "false"
}
The jwt field stores your access token to the Gozar service. You may disable Gozar multi-factor authentication by setting enabled to false.
You may set blind to true to enable blind authentication. In blind authentication, Gozar uses hashes instead of actual usernames and does not store any username. This is more secure, since you do not send your usernames to the external network, but it makes searching for usernames in the dashboard hard, and the user sees a hash instead of their username in the Gozar App. It is not recommended to change the blind setting in the middle of operation, because it invalidates the previous usernames and you need to remove all previous users and register them again in the Gozar service.
If debug is set to true, debugging records are written to the log file. The log file of GozarAD is located at C:\GozarAD\log.txt.
Configure NPS Server
Follow the steps below to configure a Windows Network Policy Server (NPS/RADIUS). This is an example configuration; you may use different settings in your environment.
Configure VPN Server
Follow the steps below to configure a Windows VPN Server. This is an example configuration; you may use different settings in your environment. You only need to use RADIUS Authentication as the Authentication provider and set the timeout to 60 seconds to work with the Gozar service.
Test VPN Client
Follow the steps below to configure a Windows VPN client. This is an example configuration; you may use different settings in your environment. You may use the built-in Windows VPN client or any VPN client tool.
You may register a user using the dashboard, but the user can also register directly from the VPN client. To do that, after you add the user or their group to the Gozar group, the user enters their phone number in the VPN username field to receive the registration link by text message (SMS). The acceptable format is username.09xxxxxxxxx, which is the username, followed by a . character, followed by the phone number starting with 09. Next, the user's VPN access is denied, but the user receives the registration link on their smartphone.
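As an added example (not Gozar's own code), the following Python checks the config.txt fields described in the installation section and parses the username.09xxxxxxxxx self-registration format from the VPN username field, returning what the RADIUS side should decide for each login attempt. The sample config, the placeholder token and the use of SHA-256 for blind mode are assumptions; the page does not state which hash GozarAD uses.

```python
import hashlib
import json
import re
from typing import NamedTuple, Optional

# Constructed sample config.txt in the syntax shown above (placeholder token).
SAMPLE_CONFIG = '{"jwt": "PLACEHOLDER_JWT", "enabled": "true", "blind": "false", "debug": "false"}'
_FLAGS = ("enabled", "blind", "debug")  # string-valued booleans in config.txt

def load_config(text: str) -> dict:
    """Parse config.txt; the flags are the JSON strings "true"/"false", not booleans."""
    cfg = json.loads(text)
    if not cfg.get("jwt"):
        raise ValueError('"jwt" access token is missing; obtain it from the dashboard')
    for key in _FLAGS:
        value = cfg.get(key, "false")
        if value not in ("true", "false"):
            raise ValueError(f'"{key}" must be "true" or "false", got {value!r}')
        cfg[key] = value == "true"
    return cfg

class Login(NamedTuple):
    username: str
    phone: Optional[str]  # present only for a self-registration request

# username + "." + phone starting with 09 (11 digits, as in 09xxxxxxxxx)
_REG = re.compile(r"^(?P<user>.+)\.(?P<phone>09\d{9})$")

def parse_vpn_username(field: str) -> Login:
    """Split the VPN username field into username and registration phone, if any."""
    m = _REG.match(field)
    return Login(m["user"], m["phone"]) if m else Login(field, None)

def cloud_identifier(cfg: dict, username: str) -> str:
    """Identifier sent to the Gozar cloud: the username, or its hash in blind mode.
    SHA-256 is an assumption; the page does not say which hash GozarAD uses."""
    if cfg["blind"]:
        return hashlib.sha256(username.encode()).hexdigest()
    return username

def evaluate(cfg: dict, field: str) -> str:
    """Outcome of one login after the password check, per the rules on this page."""
    if not cfg["enabled"]:
        return "password-only"                    # Gozar MFA disabled in config.txt
    if parse_vpn_username(field).phone:
        return "deny-and-send-registration-link"  # SMS link sent, VPN access denied
    return "push-second-factor"                   # Gozar cloud prompts the smartphone
```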