---
locale: "en"
updated_at: "2025-10-27T11:16:11.158Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/installation/advanced/check-services-and-network-protocols-requirements"
---

# Check services and network protocols requirements

Verify network services and protocols required by UserLock.

> **📘 Useful resources**
>
> - For the full list of protocols, ports, and communication flows used by UserLock, see [Communication and required protocols](/userlock/docs/reference/modules/communication-protocols).
> - To learn how to configure the required firewall rules, see [Enforce firewall requirements](/userlock/docs/guides/installation/advanced/enforce-firewall-requirements).

## Overview and prerequisites

UserLock relies on standard Windows services and network protocols to communicate between the server, protected machines, and other components (SQL, IIS, Active Directory).
Before running the detailed tests below, verify the following conditions to ensure all communications can operate properly.

**What to check before you start:**

- ✅ The **UserLock service **[impersonation account](/userlock/docs/reference/server-settings/service#service-impersonation)  must have **administrative rights** on all protected computers.
  See [HTF005 – Impersonation account](/userlock/docs/support/troubleshooting/deployment-errors#htf005-impersonation-account).
- ✅ Review the [Requirements](/userlock/docs/getting-started/requirements) help page for the full list of ports and Windows services used by UserLock.
- ✅ The following communications must be allowed **both ways** between the server and workstations:
  - **ICMP (Ping)** — for basic network connectivity.
  - **SMB / File and Printer Sharing (TCP 445, 139)** — for admin$ access and agent deployment.
  - **RPC** — for remote registry access.
  - **DNS / FQDN resolution** — UserLock uses FQDN by default for reliability.
- ✅ Run all checks from the **UserLock server using the impersonation account**, to reproduce the same conditions as the UserLock service.

> **Note**
>
> For the complete list of required ports and protocols, see [Components communication and protocols](/userlock/docs/reference/core-concepts/components-communication-protocols).

## 1. Get the target computer FQDN

1. Open the **UserLock Console**.
2. Launch [UserLockPowerShell](/userlock/docs/build-with-userlock/powershell/userlock-powershell).
3. Run the following command (replace `COMPUTERNAME` with the NetBIOS name of the target):
  ```powershell
  (Get-UserLockAgentDistribution -Name COMPUTERNAME).Fqdn
  ```
4. Note the returned FQDN, for example: `WKS1.corp.local`.

![](https://a.storyblok.com/f/122374/910x171/6d5d0e3e6f/userlock-powershell-server.png)

## 2. Test connectivity and file sharing (server → workstation)

1. Log on to the UserLock server using the impersonation account.
2. Open **CMD** and run (replace `COMPUTERFQDN`):
  ```
  ping COMPUTERFQDN
  explorer \\COMPUTERFQDN
  ```
3. You should observe:
  - The workstation replies to ping.
    ![](https://a.storyblok.com/f/122374/456x276/62bf329706/1-windows-powershell.png)
  - File Explorer opens the remote computer view.
    ![](https://a.storyblok.com/f/122374/529x239/47c38c677e/2-wks1-computer.png)

> **FQDN note**
>
> UserLock connects via FQDN by default. 
> To use NetBIOS (not recommended), set **Use FQDN** to **No** in  **Server settings** → [Advanced settings ](/userlock/docs/reference/server-settings/advanced-settings)→ **Agents**.

## 3. Test connectivity (workstation → server)

1. On a workstation, log on as a standard user.
2. Open **CMD** and run:
  ```
  ping USERLOCKSERVERFQDN
  explorer \\USERLOCKSERVERFQDN
  ```
3. You should observe:
  - The UserLock server replies to ping.
    ![](https://a.storyblok.com/f/122374/453x306/e96534f76b/3-windows-powershell.png)
  - File Explorer opens the server shares.
    ![](https://a.storyblok.com/f/122374/549x241/578152179f/4-dc1-computer.png)

> **NetBIOS Note**
>
> Protected computers use the FQDN by default. 
> To use NetBIOS (not recommended), set **Deploy FQDN** to **No** in  **Server settings** → [Advanced settings ](/userlock/docs/reference/server-settings/advanced-settings)→ **Agents**.

## 4. Verify admin$ access

Check that the UserLock service impersonation account has administrative rights on the target computer.

1. On the UserLock server, log on as the service impersonation account.
2. Open **CMD** or **PowerShell** and run:
  ```powershell
  explorer \\COMPUTERFQDN\ADMIN$
  ```
3. You should see the **Admin$** share contents of the workstation.
  - If you get *Access Denied*, the account lacks administrative rights or SMB traffic is blocked.

![](https://a.storyblok.com/f/122374/438x115/d8fe58d598/windows-powershell.png)

![](https://a.storyblok.com/f/122374/661x244/573c5c8d54/admin-computer-explorer.png)

## 5. Verify remote registry access

Check that the UserLock service impersonation account has remote access to the registry of the target computer.

1. On the UserLock server, run **regedit**.
2. In the **File** menu, select **Connect Network Registry…**.
3. Type the FQDN of the target computer and click **OK**.
  ![](https://a.storyblok.com/f/122374/472x259/4b368c149c/select-computer.png)
4. You should see the remote registry hive
  - If the connection fails, check RPC permissions or firewall rules.

![](https://a.storyblok.com/f/122374/576x220/4a89017451/registry-editor.png)

## 6. Test full communication (functional test)

To confirm end-to-end communication:

1. Prepare a test user `USR1` and two workstations: `WRK1`, `WRK2`.
2. [Install the Desktop Agent](/userlock/docs/getting-started/deploying-agent) on both (reinstall if necessary).
3. Create a [Session limit policy](/userlock/docs/reference/access-policies/session-limit) for `USR1`:
  - Limit **Interactive** sessions to **1**.
  - Enable **Close previous session**.
4. Create a [Notifications policy](/userlock/docs/reference/access-policies/alerts-and-notifications) for  `USR1`:
  - Enable **Display welcome message**
5. Test the result:
  - Log on to `WRK1` as `USR1` → welcome message should appear.
  - Log on to `WRK2` as `USR1` → prompt to log off `WRK1` appears; confirm and continue.
  - If the session proceeds normally and the message displays, communication between components is working correctly..

## 7. Check detailed access rights 

1. From the UserLock Console, press **ALT + F6** to open **UlTerm**
2. Run:
  ```bash
  REMOTEACCESSTEST <target-computer-FQDN>
  ```
3. The command returns detailed diagnostics about remote access rights.
  - Save the output for support if needed.

![](https://a.storyblok.com/f/122374/571x571/b86fa44062/6-remote-access-test.png)

## 8. Verify communication from the agent side

1. On a workstation with the [Desktop Agent](/userlock/docs/getting-started/deploying-agent) installed, run:
  ```bash
  C:\Windows\SysWOW64\UlAgentExe.exe /REMOTEACCESSTEST
  ```
2. This test checks communication from the agent’s point of view and helps identify workstation-side issues.

![](https://a.storyblok.com/f/122374/1165x615/36d2335800/7-remoteaccesstest.png)
