Installing and Configuring UserLock Anywhere on IIS

UserLock Anywhere extends UserLock protection to remote workers without requiring a VPN connection. It allows the Desktop Agent to contact the UserLock server over the Internet at logon, enforcing MFA and contextual access restrictions.

Published October 9, 2024

Overview

When employees connect outside the corporate network, the UserLock Desktop Agent cannot always reach the UserLock service via VPN.

UserLock Anywhere solves this problem by allowing the agent to contact the UserLock server over the Internet at logon.

  • Unauthorized connections can be refused at logon.

  • With an advanced setting, administrators can also remotely disconnect users based on logon hours or quotas.

Prerequisites

Before installing UserLock Anywhere, ensure the following:

  • A server running IIS with a public IP address registered in DNS.

  • Server Manager roles installed:

    • Web Server (IIS) → Security → Windows Authentication

    • Web Server (IIS) → Application Development → ASP.NET 4.5

  • The IIS server must be joined to the domain.

  • (Delegated mode only) Additional delegation configuration in Active Directory.

  • For best performance, use a dedicated IIS server with a valid SSL certificate.

Step 1. Install the Feature

The UserLock Anywhere feature is now included in the default UserLock installation.

If UserLock is not installed on the server:

  1. Run the UserLock installer and select Custom setup.

  2. From Modules, select UserLock Anywhere.

If UserLock is already installed:

  1. Open Control Panel → Programs → UserLock → Change.

  2. Add the UserLock Anywhere feature.

Step 2. Add the application in IIS

You can add the application using the Configuration Wizard:

  1. Launch the configuration wizard.

  2. Select Configure next to UserLock Anywhere.

  3. The wizard checks Windows components and prompts for missing ones.

  4. Choose the target website.

Note

To speed up fallback to UserLock Anywhere, deploy the UserLock server FQDN via Group Policy. This lets the agent quickly discard unavailable connections and switch to the Internet link.

Step 3. Configure public URL in server properties

In the UserLock console:

  1. Go to ⚙️ Server Properties → General → UserLock Anywhere

  2. Enable the On-premise solution.

  3. Update Application URL with the external IIS address.

Step 4. Deploy the Desktop Agent and URL

For UserLock Anywhere to function, each target computer must:

  • Have the UserLock Desktop Agent installed.

  • Contain the UserLock Anywhere URL registered in the system.

👉️ Once UserLock Anywhere is configured, UserLock automatically deploys this URL to all managed computers in the site.

If a computer is not connected to the network during deployment, the URL must be added manually or via Group Policy.

Manual deployment

  1. Open the registry on the target machine.

  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Create a string value (REG_SZ) named UserLockInternetUrl.

  4. Enter the UserLock Anywhere URL as its value.

Group Policy deployment

For large environments or offline machines, you can distribute this registry value through Group Policy. See the agent deployment guide for detailed steps.
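The manual registry step above, as an added PowerShell example (this is not UserLock's own tooling): it writes the UserLockInternetUrl value as REG_SZ under the Winlogon key and reads it back to confirm both the value and its type. The script's refusal of non-HTTPS URLs is this example's own check, in line with the recommendation to front the site with a valid SSL certificate. The URL is passed in as a parameter; the same script could be run as a computer startup script where Group Policy is the delivery channel (an assumption, not a step from the agent deployment guide).

```powershell
# Added example, not part of the UserLock documentation.
# Registers the UserLock Anywhere URL for the Desktop Agent and verifies it.
# Run in an elevated PowerShell session on the target computer.
param(
    # Public URL configured in Step 3 (placeholder; supply your own).
    [Parameter(Mandatory = $true)]
    [string]$AnywhereUrl
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'UserLockInternetUrl'

# This example's own policy: the agent contacts this address from outside the
# corporate network, so only an absolute https:// URL is accepted.
$uri = $null
if (-not [System.Uri]::TryCreate($AnywhereUrl, [System.UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -ne 'https') {
    throw "Expected an absolute https:// URL, got '$AnywhereUrl'"
}

# Create or overwrite the value. -PropertyType String produces a REG_SZ entry,
# which is the type the page asks for.
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $AnywhereUrl `
    -PropertyType String -Force | Out-Null

# Read it back and confirm both the stored string and the registry value kind.
$key    = Get-Item -Path $KeyPath
$stored = $key.GetValue($ValueName)
$kind   = $key.GetValueKind($ValueName)

if ($stored -ne $AnywhereUrl -or $kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
    throw "Verification failed: value='$stored' type='$kind'"
}
Write-Host "$ValueName set to $stored (REG_SZ) under $KeyPath"
```

Checking the value kind matters because a REG_EXPAND_SZ or REG_MULTI_SZ entry with the right name would look correct in the Registry Editor's list but is not what the agent is documented to read.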

Step 5. Test the IIS connection

Open a browser on a client machine and enter the public URL configured in Step 3.

  • If reachable, a confirmation page appears with the following information:

  • If not, verify IIS and DNS settings.
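As an added example for this test step and for the DNS issue described under Troubleshooting (example code, not from the UserLock documentation), the script below checks from a client the three things a working UserLock Anywhere link depends on: the host name resolving through a public resolver and agreeing with whatever resolver the client normally uses, the IIS port being reachable, and IIS answering the public URL. The public resolver address 8.8.8.8 is the one the page itself names; the URL parameter is a placeholder.

```powershell
# Added example, not part of the UserLock documentation.
# Run from a client outside the corporate network.
param(
    # The public Application URL from Step 3 (placeholder; supply your own).
    [Parameter(Mandatory = $true)]
    [string]$PublicUrl
)

$uri  = [System.Uri]$PublicUrl
$port = $uri.Port   # 443 for https unless the URL names another port

# 1. DNS: resolve through the client's configured resolver and through a public
#    one. A mismatch is the "ISP DNS caching" symptom from the Troubleshooting
#    section, where the home resolver still serves a stale record.
function Get-ARecords([string]$Name, [string]$Server) {
    $args = @{ Name = $Name; Type = 'A'; ErrorAction = 'Stop' }
    if ($Server) { $args.Server = $Server }
    @(Resolve-DnsName @args | Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress } | Sort-Object)
}

try {
    $local  = Get-ARecords -Name $uri.Host
    $public = Get-ARecords -Name $uri.Host -Server '8.8.8.8'
} catch {
    Write-Warning "DNS: $($uri.Host) did not resolve ($_). Check the public DNS record."
    return
}
Write-Host ("DNS (client resolver): {0}" -f ($local  -join ', '))
Write-Host ("DNS (8.8.8.8):         {0}" -f ($public -join ', '))
if (($local -join ',') -ne ($public -join ',')) {
    Write-Warning 'DNS: client resolver and public resolver disagree; the home resolver may be serving a stale record.'
}

# 2. TCP: confirm the firewall / NAT actually exposes the IIS port.
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP: port $port on $($uri.Host) is not reachable. Check firewall and port forwarding."
    return
}
Write-Host "TCP: port $port on $($uri.Host) reachable"

# 3. HTTP: IIS should return the confirmation page. Invoke-WebRequest validates
#    the certificate chain by default, so an untrusted or expired certificate
#    shows up here rather than as a silent agent fallback failure at logon.
try {
    $resp = Invoke-WebRequest -Uri $PublicUrl -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    Write-Host "HTTP: status $($resp.StatusCode) from $PublicUrl"
} catch {
    $status = $null
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status) {
        # Any HTTP status means IIS is reachable; a 401/403 points at site or
        # authentication settings rather than at DNS or the network path.
        Write-Host "HTTP: IIS answered with status $status; review the site's authentication and application settings."
    } else {
        Write-Warning "HTTP: request to $PublicUrl failed: $_"
    }
}
```

Running the DNS comparison first keeps the diagnosis ordered the same way the failure occurs: a stale or missing public record explains a slow or failed logon before IIS is ever involved.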

Delegated mode

If IIS is not on the same machine as UserLock:

  1. Install only UserLock Anywhere on the delegated IIS server.

  2. In Active Directory Users and Computers → Machine properties → Delegation tab:

    • Select Trust this computer for delegation to specified services only.

    • Choose Use any authentication protocol.

    • Add the UserLock server → Service type cifs.

Select cifs services for delegation
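The delegation settings from step 2 of Delegated mode, as an added PowerShell example using the ActiveDirectory module (this is not UserLock's own tooling; both computer names are placeholders). "Trust this computer for delegation to specified services only" corresponds to the msDS-AllowedToDelegateTo attribute, and "Use any authentication protocol" to the TRUSTED_TO_AUTH_FOR_DELEGATION account control flag. The script adds only the cifs service on the UserLock server, in both the FQDN and short-name forms the Delegation tab adds, leaves any existing entries untouched, and prints the resulting state so it can be reviewed against the screenshot step above.

```powershell
# Added example, not part of the UserLock documentation.
# Requires the RSAT ActiveDirectory module and rights to modify the computer object.
param(
    # sAMAccountName of the delegated IIS server, without the trailing $ (placeholder).
    [Parameter(Mandatory = $true)]
    [string]$IisComputer,

    # FQDN of the UserLock server the IIS host must delegate to (placeholder).
    [Parameter(Mandatory = $true)]
    [string]$UserLockServerFqdn
)

Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $IisComputer `
    -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'

# Only the cifs service on the UserLock server: this is the "specified services
# only" choice. The Delegation tab writes both the FQDN and the short-name SPN.
$shortName = $UserLockServerFqdn.Split('.')[0]
$wanted    = @("cifs/$UserLockServerFqdn", "cifs/$shortName")

# Add what is missing and never clear or widen the existing list.
$existing = @($computer.'msDS-AllowedToDelegateTo')
$toAdd    = @($wanted | Where-Object { $existing -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Set-ADComputer -Identity $computer -Add @{ 'msDS-AllowedToDelegateTo' = $toAdd }
}

# "Use any authentication protocol" enables protocol transition. It is the more
# permissive of the two options on the tab, so set it on this account only and
# keep the service list above as narrow as the page describes.
if (-not $computer.TrustedToAuthForDelegation) {
    Set-ADAccountControl -Identity $computer -TrustedToAuthForDelegation $true
}

# Read back and show the resulting state for review.
$result = Get-ADComputer -Identity $IisComputer `
    -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
[pscustomobject]@{
    Computer                   = $result.Name
    AllowedToDelegateTo        = ($result.'msDS-AllowedToDelegateTo' -join '; ')
    TrustedToAuthForDelegation = $result.TrustedToAuthForDelegation
}
```

Because the script only appends to msDS-AllowedToDelegateTo, re-running it is safe; the printed object is also a convenient record to keep with the change ticket, since delegation settings are worth auditing periodically.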

Enforce Remote Logoff and Logon Hours (optional)

Since v11.0.1, UserLock Anywhere can enforce logoff remotely.

  • In the console, go to ⚙️ Server Properties → Advanced Settings.

  • In the Agents section, configure Sessions without network logoff agent internet:

    • Value = interval in minutes between agent requests.

    • Default: -1 (disabled).

    • Recommended: ≥ 10 minutes.

This allows UserLock to apply logon hours and quotas, even if the device is outside the corporate network.

This setting can also be deployed through Group Policy.

Troubleshooting

Slow connections during logon

Symptom: Login delays before or after MFA when using UserLock Anywhere.

Cause: DNS caching issues with the ISP DNS.

Solution: Change DNS servers on the home router to a public DNS (e.g. Google DNS: 8.8.8.8 and 8.8.4.4).