Deploying the IIS agent

Learn how to install, configure, and manage the UserLock IIS agent to protect IIS web applications and monitor user sessions.

Published May 1, 2024

Overview

The UserLock IIS agent allows UserLock to monitor, control, and enforce access policies on IIS (Internet Information Services) sessions.
It enables session tracking, multi-factor authentication (MFA) enforcement, and concurrent session control for web applications such as Outlook Web Access (OWA), RD Web, or SharePoint.

This guide explains how to manually install, configure, and maintain the IIS agent, how to fine-tune its settings, and which limitations are known.

Step 1. Install the agent

You can install the IIS agent automatically from the UserLock console or manually on each IIS server.

Option A – Install from the console

💡️ The simplest way is to deploy the IIS agent directly from the UserLock console.
This automatically installs the correct module and registers it on the IIS server.

See: Install from the console

Option B – Install manually

If you cannot deploy the IIS agent from the console, you can install it manually on each IIS server.

  1. Copy and register the module

    1. Copy the corresponding DLL file from the UserLock installation folder to any local directory on the IIS server (for example, C:\Program Files\UserLock IIS Agent).

    2. Open an elevated Command Prompt (Run as Administrator).

    3. Run the registration command matching your IIS server architecture:

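      | IIS Server architecture | File to copy         | Command to register                  |
      |-------------------------|----------------------|--------------------------------------|
      | 32-bit                  | UlHttpModule.dll     | regsvr32 [Path]\UlHttpModule.dll     |
      | 64-bit                  | UlHttpModule_x64.dll | regsvr32 [Path]\UlHttpModule_x64.dll |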

      👉️ Replace [Path] with the actual location where you copied the file.

  2. Register communication settings

    Create the following registry key to allow the IIS agent to communicate with the UserLock servers:

    • Registry path:
      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS

    • Values:

      | Value name           | Type   | Description                         |
      |----------------------|--------|-------------------------------------|
      | UserLockServer       | REG_SZ | Name of the Primary UserLock server |
      | UserLockServerBackup | REG_SZ | Name of the Backup UserLock server  |

Once the installation is complete, continue to configuration.
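
The manual steps of Option B, scripted in PowerShell. This is an added example, not part of the UserLock documentation; the `$SourceFolder` parameter is a placeholder for wherever the agent DLLs are found in your UserLock installation, and the signature and hash output is an extra check the page does not require.

```powershell
# Added example: Option B scripted. Run from an elevated PowerShell session on the IIS server.
param(
    [Parameter(Mandatory)] [string] $SourceFolder,   # placeholder: folder holding the agent DLLs
    [Parameter(Mandatory)] [string] $PrimaryServer,  # name of the primary UserLock server
    [string] $BackupServer,                          # name of the backup UserLock server
    [string] $TargetFolder = 'C:\Program Files\UserLock IIS Agent'
)
$ErrorActionPreference = 'Stop'

# A 32-bit process on a 64-bit OS is redirected to SysWOW64 and WOW6432Node,
# which would run the wrong regsvr32 and write the settings to the wrong key.
$is64 = [Environment]::Is64BitOperatingSystem
if ($is64 -and -not [Environment]::Is64BitProcess) { throw 'Use 64-bit PowerShell.' }

# 1.1 Copy the DLL that matches the server architecture.
$dllName = if ($is64) { 'UlHttpModule_x64.dll' } else { 'UlHttpModule.dll' }
$source  = Join-Path $SourceFolder $dllName
if (-not (Test-Path -LiteralPath $source)) { throw "Agent DLL not found: $source" }
New-Item -ItemType Directory -Path $TargetFolder -Force | Out-Null
$dll = Join-Path $TargetFolder $dllName
Copy-Item -LiteralPath $source -Destination $dll -Force

# Record signature status and hash of the file that is about to be loaded into IIS.
$sig = Get-AuthenticodeSignature -FilePath $dll
"{0}: signature {1}, SHA256 {2}" -f $dllName, $sig.Status, (Get-FileHash -Path $dll -Algorithm SHA256).Hash

# 1.3 Register. /s suppresses the dialog so the exit code can be checked.
$regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
$proc = Start-Process -FilePath $regsvr -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# 2. Communication settings. Create the key only if it is missing: New-Item -Force
# on an existing registry key can discard the values already stored in it.
$key = 'HKLM:\SOFTWARE\ISDecisions\UserLock\IIS'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name UserLockServer -PropertyType String -Value $PrimaryServer -Force | Out-Null
if ($BackupServer) {
    New-ItemProperty -Path $key -Name UserLockServerBackup -PropertyType String -Value $BackupServer -Force | Out-Null
}
Get-ItemProperty -Path $key | Select-Object UserLockServer, UserLockServerBackup
```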

Step 2. Configure the agent

After deployment, configure the UserLock module within IIS Manager.

1. Register the module on the IIS server

  1. In IIS Manager, select the IIS server in the left pane.

  2. Open the Modules section.

  3. In the Actions panel, click Configure Native Modules….

  4. Click Register, and browse to the UlHttpModule.dll file you copied.

    • Default locations:

      • C:\Windows\System32 (64-bit)

      • C:\Windows\SysWOW64 (32-bit)

  5. Click OK to add it to the module list.

  6. Uncheck the UserLock IIS agent before closing the wizard — this prevents it from being enabled for all web applications.

2. Enable the module for a specific web application

  1. In the left pane, select the web application you want to protect.

  2. Open the Modules section.

  3. Click Configure Native Modules… in the Actions panel.

  4. Check the box next to UserLock IIS Agent, then click OK.

The IIS agent is now active for that specific application.

Step 3. Adjust agent settings

The default configuration is suitable for most environments.

Use these optional settings only if you wish to fine-tune the behavior of the IIS agent after installation.

IIS session timeout

By default, UserLock considers an IIS session closed after 5 minutes of inactivity.
To change this:

  1. Create a new registry value (REG_DWORD) on the IIS server:

    HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\SessionTimeout

  2. Set the timeout value in minutes (for example, 10).

  3. Restart or recycle the IIS application pool.

Note

Setting a very short timeout may cause excessive logon/logoff events in UserLock.

Monitor specific application pools

By default, all IIS applications on a configured site are monitored. To restrict monitoring to certain application pools:

  1. Create this registry value (REG_MULTI_SZ):

    HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\ProtectedApplicationPools

  2. List the names of the application pools to supervise (one per line).

Example:
  • MSExchangeOWAAppPool

  • MSExchangeSyncAppPool

This configuration helps reduce noise on servers like Exchange, where many web applications share the same IIS site.

Ignore specific users

You can exclude built-in or diagnostic accounts (e.g., “Health Mailbox” accounts) from being tracked.

Create the following registry values under:
HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS

| Value name                   | Type         | Description                                       |
|------------------------------|--------------|---------------------------------------------------|
| IgnoredUsers                 | REG_MULTI_SZ | List of user accounts (e.g., Domain\User)         |
| IgnoredLocalUsers            | REG_MULTI_SZ | List of local users to ignore for local requests  |
| IgnoredUsersPattern          | REG_MULTI_SZ | Patterns with * wildcards (e.g., *HealthMailbox*) |
| ProtectHealthmailboxSessions | REG_DWORD    | Set to 1 to audit HealthMailbox sessions          |

Restart the protected application pools after editing these values.

Forms authentication mode

The IIS agent can protect applications using either Windows or Forms authentication.

By default, Windows authentication is enabled.
To enable Forms authentication mode:

  1. Create the registry value (REG_DWORD):

    HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\EnableFormsAuthentication

  2. Set its value to 1.

  3. Restart or recycle the IIS application pool.
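
Several of the optional values in this step narrow what the agent tracks, so they are worth reviewing after any change. The following PowerShell function is an added example, not UserLock code: it takes the values of the `IIS` key and lists exclusions, broad wildcard patterns, and application pool names that match no pool on the server. The function name, the four-character threshold for a "broad" pattern, and the sample data are assumptions made for this example.

```powershell
# Added example (not UserLock code): review agent settings that narrow monitoring.
# Value names are those documented in this step; sample data below is constructed.
function Get-AgentSettingNotes {
    param(
        [Parameter(Mandatory)] $Settings,     # object with one property per registry value
        [string[]] $ExistingPools = @(),      # application pool names present on the server
        [int] $MinLiteralChars = 4            # assumption: shorter patterns count as broad
    )
    $notes = [System.Collections.Generic.List[string]]::new()
    foreach ($name in 'UserLockServer', 'UserLockServerBackup') {
        if (-not $Settings.$name) { $notes.Add("$name is not set") }
    }
    foreach ($name in 'IgnoredUsers', 'IgnoredLocalUsers') {
        $list = @($Settings.$name | Where-Object { $_ })
        if ($list) { $notes.Add("$name excludes: $($list -join ', ')") }
    }
    foreach ($pattern in @($Settings.IgnoredUsersPattern | Where-Object { $_ })) {
        # Literal characters left after removing wildcards; few literals match many accounts.
        if (($pattern -replace '\*', '').Length -lt $MinLiteralChars) {
            $notes.Add("IgnoredUsersPattern '$pattern' is broad")
        }
    }
    $pools = @($Settings.ProtectedApplicationPools | Where-Object { $_ })
    if ($pools) {
        $notes.Add("Monitoring restricted to pools: $($pools -join ', ')")
        foreach ($pool in $pools) {
            if ($ExistingPools -and $pool -notin $ExistingPools) {
                $notes.Add("ProtectedApplicationPools entry '$pool' matches no existing pool")
            }
        }
    }
    if ($null -ne $Settings.SessionTimeout -and $Settings.SessionTimeout -ne 5) {
        $notes.Add("SessionTimeout is $($Settings.SessionTimeout) minutes (default 5)")
    }
    if ($Settings.EnableFormsAuthentication -eq 1) { $notes.Add('Forms authentication mode is enabled') }
    $notes
}

# Constructed sample values, so the function can be tried off-server.
$sample = [pscustomobject]@{
    UserLockServer = 'ULSRV01'; IgnoredUsersPattern = @('*HealthMailbox*', '*svc*')
    ProtectedApplicationPools = @('MSExchangeOWAAppPool', 'MSExchangeSyncAppPol'); SessionTimeout = 60
}
Get-AgentSettingNotes -Settings $sample -ExistingPools 'MSExchangeOWAAppPool', 'MSExchangeSyncAppPool'

# On the IIS server itself (64-bit PowerShell, WebAdministration module available):
# Import-Module WebAdministration
# Get-AgentSettingNotes (Get-ItemProperty 'HKLM:\SOFTWARE\ISDecisions\UserLock\IIS') (Get-ChildItem IIS:\AppPools).Name
```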

Uninstall manually

From the UserLock console, you can stop managing the IIS agent on a target server.
Important: This action does not unregister the module in IIS or remove files/registry entries on the server.

After using the console, you must complete the removal on each IIS server by following these steps.

  1. Open IIS Manager.

  2. For each web application where the UserLock IIS module is enabled:

    • Select the application.

    • Open Modules, and remove the UserLock IIS Agent entry.

  3. At the server level, open Modules → Configure Native Modules…, select the UserLock IIS Agent, and click Unregister.

  4. Apply the change (pick one):

    • No restart: delete the volatile key:

      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\Volatile

    • Or restart the server to flush the volatile data

  5. Remove the persistent configuration key:

    HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS

  6. Delete the DLL files:

    C:\Windows\System32\UlHttpModule.dll

    C:\Windows\SysWOW64\UlHttpModule.dll

Note

Deleting the Volatile key (or restarting the server) ensures IIS stops referencing the module immediately.
You can then remove the persistent configuration and the DLLs to complete the cleanup.

Known limitations

  • Browser close behavior:
    If a user closes their browser without logging off, the session remains open until the timeout expires.

  • Concurrent session control:
    If concurrent IIS sessions are limited, a user may be blocked from reconnecting until the timeout elapses.

  • Cookies:
    Cookies must be enabled in browsers. Deleting them on exit helps ensure clean session closure.

  • Session naming:
    UserLock identifies sessions by IIS server name, web application, client IP address, and application pool.

Administrators can also close IIS sessions manually on the Activity ▸ Active sessions page of the UserLock console.