WatchGuard Authpoint configure MFA for Computers, Servers, RDP en RD Gateway
Set Up the Logon App
The Logon app enables you to require authentication when users log in to a computer or server. This includes protection for RDP and RD Gateway.
There are two parts to the Logon app:
- The application you install on a computer or server
- The resource you configure in AuthPoint
Configure a resource for the Logon app in the AuthPoint management UI and then install the Logon app on each computer or server that you want to protect. When you install the Logon app, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication (push notification, one-time password, or QR code).
If your AuthPoint license expires or you delete your Logon app resource, users can log in to their computers with only their password.
You can download the Logon app from the Downloads page in the AuthPoint management UI.
Do not install the Logon app on computers that run Windows 7 or older or on servers that run Windows 2008 R2 or older.
Requirements
When you set up and deploy the Logon app, be aware of these requirements:
-
All domain and local users must have an active AuthPoint user account and be part of an AuthPoint group with an access policy for the Logon app to authenticate and log in
You can enable the option to allow specific non-AuthPoint users to log in without MFA for users that do not have an AuthPoint user account.
- The user name for local and domain users must be the same as their AuthPoint user name
- To log in as a local user (not part of the domain), you must have an AuthPoint user account with an active token
- If your local user has the same user name as your domain user, you can use the same AuthPoint user to authenticate and log in to both accounts
- If your local user name is different from your domain user name, you must have a separate AuthPoint user for each user account (one for the domain user and one for the local user)
- When you install the Logon app, the computer must be connected to the Internet before you log in for the first time
Add a Logon App Resource
To start, you must add a resource for the Logon app. After you add a Logon app resource in AuthPoint, you must add an access policy for the Logon app to any user groups that must authenticate to log in to their computers.
If you delete your Logon app resource, users can log in to their computers with only their password.
You do not need a separate Logon app resource for each computer that the Logon app is installed on. You can use one Logon app resource to create access policies for every group , regardless of the OS.
To add a Logon app resource:
- Select Resources.
- From the Choose a resource type drop-down list, select Logon App. Click Add Resource.
- On the Logon App page, in the Name text box, type a name for this resource.
- (Optional) In the Support Message text box, type a message to show on the logon screen.
- To allow specific users that do not have an AuthPoint user account to log in without MFA, enable the Allow specific users to log in without MFA toggle.
This is a beta feature. To try AuthPoint MFA with this feature, join the WatchGuard Beta test community.
- In the Add User Names text box, type the user name of each non-AuthPoint user that can log in without MFA.
- Click Save.
- Add an access policy for the Logon app resource to one or more user groups (see Access Policies). We recommend that the access policy for the Logon app includes the QR code or OTP authentication options so users can authenticate when they are not connected to the Internet.
Download and Install the Logon App
When you install the Logon app on a computer or server, authentication is required to log in. Users can log in with domain or local user accounts, but all users must have an active AuthPoint user account with an access policy for the Logon app. Users that do not have an AuthPoint user account with an access policy for the Logon app cannot authenticate and log in to a computer with the Logon app installed unless you have enabled the option to allow specific non-AuthPoint users to log in without MFA.
When you install the Logon app, the computer must be connected to the Internet before the user logs on for the first time. This is required so that the Logon app can communicate with AuthPoint to check the access policy. A copy of the access policy is stored locally on the computer. The Logon app uses this local policy when a user authenticates offline, and it is updated when the computer has an Internet connection.
To download and install the Logon app:
- Select Downloads.
The Downloads page appears. - In the Logon App section, next to your operating system, click Download Installer.
- To download the configuration file for the Logon app, click Download Config. You can use the same configuration file for every installation of the Logon app, regardless of the OS.
- On your computer, move the downloaded configuration file to the same directory as the Logon app installer (.msi file).
- Run the Logon app installer and install the Logon app.
To install the Logon app with the command line:
This is a beta feature. To try AuthPoint MFA with this feature, join the WatchGuard Beta test community.
- Select Downloads.
The Downloads page appears. - In the Logon App section, next to your operating system, click Download Installer.
- To download the configuration file for the Logon app, click Download Config. You can use the same configuration file for every installation of the Logon app, regardless of the OS.
- To run the Logon app installer, run one of these commands:
- To pass the path to the configuration file:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_PATH="C:/wlconfig.cfg" - To pass the content of the configuration file:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi CONFIG_CONTENT="config_file_content_without_spaces" - If the installer and the configuration file are in the same location:
msiexec -i AuthPoint_Agent_for_Windows_x64-2.1.0.218.msi
Make sure to update the command to match the version of the installer you want to run.
- To pass the path to the configuration file:
Uninstall the Logon App
You might uninstall the Logon app when you no longer need to protect a computer or server with AuthPoint MFA.
If your AuthPoint license expires and the Logon app is installed, users can log in to their computers with only their password.
Authentication with the Logon App
When the Logon app is installed on a computer, authentication is required to log in. On the login screen, users must type their password and then select one of the allowed methods of authentication. Which authentication methods are available is determined by the access policy of the Logon app for that user's AuthPoint group.
To log in to a computer with the Logon app installed:
- In the User name text box, type the user name for your domain user. To log in as a local user, type your user name as <hostname>\<username>.
- In the Password text box, type your Windows or Mac password. For Active Directory user accounts, type your AD password.
- Click Next.
If MFA is required, you see the authentication screen. If the access policy for your group only requires a password, you are logged in. - If MFA is required, below Sign-in options, select an authentication option. Push is the default authentication method. If you select a different authentication option, that becomes the default authentication method.
If your computer does not have an Internet connection and MFA is required, you must select the one-time password or QR code authentication options to authenticate offline.
- Press Enter or Return and authenticate.
- Push — Approve the push notification that is sent to your mobile device.
- QR Code — Use the AuthPoint mobile app to scan the QR code, then type the verification code shown in the app.
- One-Time Password — Type the one-time password for your token.
If you do not have your token, you must use the Forgot Token feature to log in to a computer with the Logon app installed.
