UserLock availability
This page explains how UserLock handles availability and continuity in case of server issues. It describes what happens if the Primary or Backup servers are unavailable, and outlines recommended disaster recovery strategies to ensure uninterrupted protection across your network.
If both the Primary and Backup servers are unavailable, UserLock will by default allow users to open sessions (this default can be changed to require MFA or deny connections instead).
All session events will be logged locally on the machines and sent back to the server once communication is restored.
In addition to the Primary server, you can install a UserLock Backup server on your network.
The Primary and Backup servers are automatically synchronized every minute by default. This interval can be modified in the UserLock console on the Backup server (in the Synchronization menu of the server settings).
The Backup server can be installed on another member server within your protected zone.
Any restrictions defined in the access policies will still be applied to user accounts.
If the agent cannot contact the Primary server, it will try to contact the Backup server. The agent will switch back to the Primary server once the connection is restored.
If both the Primary and Backup servers are down, there won’t be any UserLock protection (including MFA).
If both servers are unreachable (due to missing prerequisites or no network connection), the agent will by default allow users to open sessions (this default can be changed to require MFA or deny connections instead).
In both cases (servers down or unreachable), all session events will be logged locally. Once communication is restored between the agents and the UserLock server (Primary or Backup), all events will be recorded in the Primary server database.
When the network is reestablished after a failure, time restrictions (hour restrictions, time quotas) are automatically enforced. You can also ensure that access policy restrictions (all except MFA) are enforced by enabling Logoff disallowed sessions and configuring Disallowed sessions logoff order in the General menu of the server settings.
In addition to the Primary server, you can install a UserLock Backup server on your network. The Backup server can be installed on another member server in your protected zone.
If necessary, you can configure a separate database for your UserLock Backup server. In this case, you must use a different database than the one used by the Primary UserLock server.
If your Primary server encounters an issue, UserLock agents will automatically switch to the Backup server and maintain protection, giving you time to install a new Primary server (or to promote the Backup server to Primary and install a new Backup server).
Primary and Backup servers will automatically stay synchronized without any additional action.
For disaster recovery, include the following in your server backup process:
The folders located in %ALLUSERSPROFILE%\ISDecisions\UserLock\Config, containing the UserLock configuration files.
The database file, named UserLock.mdb if you use the default database provided with the package, located in %ALLUSERSPROFILE%\ISDecisions\UserLock\Database.
The client database containing all your views and user configurations, named UserLockConfigs.db, located in %ALLUSERSPROFILE%\ISDecisions\UserLock\WebData\Configs.
The UserLock Backup server does not need to be included in your backup procedure since its information is synchronized from the Primary server.
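The backup list above, as an added PowerShell example (not ISDecisions code): it copies the three locations into a timestamped folder and writes a SHA-256 manifest, so the copy can be verified before it is restored onto a new Primary server. The destination D:\Backups\UserLock, the function names and the manifest.csv file are assumptions of this example, and it assumes the files are readable at the time of the copy.

```powershell
# Added example, not ISDecisions code. Function names, manifest.csv and the
# default $BackupRoot are hypothetical choices made for this example.
$ErrorActionPreference = 'Stop'
$Base = Join-Path $env:ALLUSERSPROFILE 'ISDecisions\UserLock'

function Backup-UserLockData {
    param([string]$BackupRoot = 'D:\Backups\UserLock')
    # Locations from the list above. UserLock.mdb exists only with the default database.
    $items = @(
        @{ Rel = 'Config';                             Required = $true  }
        @{ Rel = 'Database\UserLock.mdb';              Required = $false }
        @{ Rel = 'WebData\Configs\UserLockConfigs.db'; Required = $true  }
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = (New-Item -ItemType Directory -Path (Join-Path $BackupRoot $stamp)).FullName
    foreach ($item in $items) {
        $source = Join-Path $Base $item.Rel
        if (-not (Test-Path -LiteralPath $source)) {
            if ($item.Required) { throw "Missing required item: $source" }
            Write-Warning "Not present, skipped: $source"
            continue
        }
        # Mirror the layout under ...\ISDecisions\UserLock so a restore is a copy back.
        $target = Join-Path $dest $item.Rel
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $target -Recurse -Force
    }
    # Hash the copied files first, then write the manifest, so it does not list itself.
    $rows = Get-ChildItem -LiteralPath $dest -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($dest.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    $rows | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $dest
}

function Test-UserLockBackup {
    param([Parameter(Mandatory)][string]$BackupPath)
    # Returns manifest entries that are missing or whose hash no longer matches.
    Import-Csv -Path (Join-Path $BackupPath 'manifest.csv') | Where-Object {
        $file = Join-Path $BackupPath $_.RelativePath
        -not (Test-Path -LiteralPath $file) -or
            (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $_.SHA256
    }
}

$backup = Backup-UserLockData
if (Test-UserLockBackup -BackupPath $backup) { throw "Backup verification failed: $backup" }
```

Run Test-UserLockBackup against the chosen backup folder again on the replacement server before copying the files back; an empty result means every file still matches the manifest.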
If you experience a physical failure on the Primary server:
Install UserLock on the new server.
Launch the configuration wizard tool, select the 'Primary server' role and stop at the 'Service impersonation account' step. Leave the wizard on standby.
Copy the folders containing UserLock settings from your backup system to %ALLUSERSPROFILE%\ISDecisions\UserLock\Config and the client database to %ALLUSERSPROFILE%\ISDecisions\UserLock\WebData\Configs.
Click Next in the UserLock configuration wizard on the new server. The service will start automatically.
Register your license key in the console under Server Settings > License.
Configure the database in Server Settings > Database if you are not using the default UserLock.mdb Access database.
If you have a UserLock Backup server, you must register the name of the new Primary server on the Backup server, even if the new Primary server kept the same name.
To do this:
On the Backup server, launch the Configuration wizard.
On the home page, click Modify, choose Backup Server, and specify the name of the new Primary server—even if it's the same name.
Follow the wizard steps to the end to validate.
Alternatively, if you had a UserLock Backup server installed at the time of the disaster, you can switch the Backup server role to the Primary server role instead of installing a new UserLock Primary server (for example, if you do not have a new server available for it).
To do this:
Ensure that synchronization was working properly.
Launch the Configuration wizard on the Backup server.
Choose the Primary Server role and follow the steps. Once complete, the Backup server will become the new Primary server.
You will then need to install a new Backup server on another member server in your protected zone.
If there is a general network issue or both the Primary and Backup servers are unreachable, agents will automatically disable session rules to allow users to log on. All session events will be stored locally in agent logs and sent to the server once communication is restored.
This ensures you can still audit session connections during that period through reports.