Gozar for Windows VPN

Intro

Gozar supports multi-factor authentication on a Windows VPN Server. No client installation or additional client configuration is needed. The admin only needs to install GozarAD on a Windows Server running the RADIUS service, which in Windows Server is the Network Policy Server (NPS) feature.

The Windows VPN Server forwards the user's authentication request to the RADIUS server. The RADIUS server first authenticates the username and password internally and then sends a second-factor authentication request to the Gozar cloud, which authenticates the user through the user's smartphone.

So, you protect your network with a VPN connection and secure the VPN with multi-factor authentication. A hacker cannot enter your network even if a username and password have been compromised.

Installing Gozar for Windows VPN has the following steps:

Install Gozar on NPS Server

Download GozarADSetup.exe and follow the steps below to install GozarAD. You need to install the GozarNPS module; you may also install the GozarADFS module at the same time, but it is not required for the VPN service.

If you do not have a JWT access token, please use your dashboard to obtain one or contact us at support@gozar.io.

After installation, you must add a Gozar group to your Active Directory or to the local Windows users and groups. Next, add every user or group that needs multi-factor authentication to the Gozar group.

The config file of GozarAD is C:\GozarAD\config.txt and has the following syntax:

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV...",
  "enabled": "true",
  "blind": "false",
  "debug": "false"
}

The jwt field stores your access token for the Gozar service. You may disable Gozar multi-factor authentication by setting enabled to false.

You may set blind to true to enable blind authentication. In blind authentication, Gozar uses a hash in place of the actual username and does not store any username. This is more secure, because the username is never sent to the external network, but it makes searching for usernames in the dashboard hard, and the user sees a hash instead of their username in the Gozar App. It is not recommended to change the blind setting in the middle of operation: doing so invalidates the previously registered usernames, and you would need to remove all previous users and register them again in the Gozar service.

If debug is set to true, debugging records are written to the log file. The log file of GozarAD is C:\GozarAD\log.txt.

Configure NPS Server

Follow the steps below to configure a Windows Network Policy Server (NPS/RADIUS). This is an example configuration; you may use different settings in your environment.

Configure VPN Server

Follow the steps below to configure a Windows VPN Server. This is an example configuration; you may use different settings in your environment. The only requirements are to use RADIUS Authentication as the authentication provider and to set the timeout to 60 seconds so that it works with the Gozar service.

Test VPN Client

Follow the steps below to configure a Windows VPN client. This is an example configuration; you may use different settings in your environment. You may use the built-in Windows VPN client or any other VPN client tool.

You may register a user from the dashboard, but the user can also register directly through the VPN client. To do so, after you add the user or the user's group to the Gozar group, the user enters their phone number in the VPN username field to receive the registration link by text message (SMS). The accepted format is username.09xxxxxxxxx, that is, the username, a . character, and the phone number starting with 09. The user is then denied VPN access but receives the registration link on their smartphone.
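As an added check that is not part of the Gozar documentation or product, the following Python script validates the config.txt fields described earlier and parses the username.09xxxxxxxxx self-registration format from the paragraph above. It assumes a standard three-part JWT and reads the phone pattern as 09 followed by nine digits; the sample config is constructed.

```python
import json
import re

# config.txt stores its boolean fields as the strings "true"/"false" (as shown on this page).
BOOL_FIELDS = ("enabled", "blind", "debug")
# Self-registration phone: "09xxxxxxxxx" is read here as 09 followed by nine digits (assumption).
PHONE_RE = re.compile(r"^09\d{9}$")


def validate_config(text, previous=None):
    """Return a list of problems found in a GozarAD config.txt body; [] means OK.
    `previous` is an optional earlier config body: a changed `blind` value is
    reported because it invalidates every username registered so far."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    problems = []
    jwt = cfg.get("jwt")
    # Assumes a standard JWT: three base64url segments separated by dots.
    if not isinstance(jwt, str) or len(jwt.split(".")) != 3:
        problems.append("jwt missing or not a three-part token")
    for name in BOOL_FIELDS:
        if cfg.get(name) not in ("true", "false"):
            problems.append(f'{name} must be the string "true" or "false"')
    if previous is not None:
        try:
            old_blind = json.loads(previous).get("blind")
        except json.JSONDecodeError:
            old_blind = None
        if old_blind is not None and old_blind != cfg.get("blind"):
            problems.append("blind changed: previously registered users become invalid")
    return problems


def parse_registration(username):
    """Split 'user.09xxxxxxxxx' into (user, phone); return None for a normal login.
    Splitting on the last dot keeps usernames that themselves contain dots intact."""
    user, sep, phone = username.rpartition(".")
    if not sep or not user or not PHONE_RE.fullmatch(phone):
        return None
    return user, phone


# Constructed sample matching the syntax shown above (the jwt value is a placeholder).
SAMPLE_CONFIG = '{"jwt": "header.payload.signature", "enabled": "true", "blind": "false", "debug": "false"}'

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))           # []
    print(parse_registration("alice.09123456789"))  # ('alice', '09123456789')
```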