Multi-Factor Authentication
for Remote Working

Secure machine, network and cloud access,
when users work remotely

Whenever users work remotely from outside the domain, UserLock can continue to protect access to machines, on connections back to the network and with direct connectivity to cloud-based resources.

Add multi-factor authentication (MFA), access management and single sign-on (SSO) for all Active Directory (AD) user identities, wherever they are used.

1. Using UserLock AnyWhere

With remote working, users do not always connect to a VPN. Implementing UserLock AnyWhere allows the UserLock agent installed on a machine to remain in contact with the UserLock service through the internet. This allows MFA and access management policies to continue to be enforced on login for any user, regardless of what (managed) machine the user is remotely working on.

How to set-up UserLock Anywhere

2. Configuring the UserLock Agent

When UserLock AnyWhere is not deployed, an offline access attempt on the machine can still be managed by the UserLock agent installed on the computer. Administrators can configure UserLock to always allow, always deny, or request MFA for all offline connections. An option to ‘Force MFA’ will deny access for users who are not yet enrolled in MFA.

How to set-up offline connections

How to manage logons without network connection

1. Apply MFA to VPN connections

OpenVPN

A VPN works by establishing encrypted connections between devices that remain private even if they stretch across public internet infrastructure.

UserLock’s MFA for VPN sessions supports the Remote Authentication Dial-In User Service (RADIUS) Challenge. The RADIUS Challenge can prompt for the one time password in a separate second step, after the user has successfully entered their login credentials.

  • VPN solutions that support “RADIUS Challenge” include Open VPN, Palo Alto, Fortinet, Pulse Secure Connect SSL...

How to apply MFA for VPN

2. Apply MFA to Windows RDP connections and Remote Desktop Services (RD Gateway)

The Microsoft Remote Desktop Protocol (also known as RDP) is used to allow remote desktop to a computer. Remote Desktop Gateway (RDG or RD Gateway) is a Windows server role that enhances control by providing a secure encrypted connection to the server via RDP.

With UserLock MFA, administrators can define under what circumstances MFA is asked for these different RDP connections.

MFA from outside

  • Administrators can first customize MFA on RDP logins based on whether an end-user is connecting to another machine from inside the network or from logons that originate from outside the corporate network.
  • Administrators can then choose to consider RDG connections as coming from inside or outside the network and define the circumstances for MFA.

How to apply MFA to RD Gateway

3. Apply MFA to Remote Desktop Web Access (RD Web Access)

RD Web Access is a way to connect to a remote desktop server – and access Remote Desktop Services - over the Internet without a VPN connection.

The RD Web connection component installs the necessary web pages and scripts to the Internet Information Services (IIS) server directory, giving users the Web page interface for their remote desktop. Users need just their AD credentials, a URL and a supported web browser to access desktops and applications.

With UserLock MFA for IIS, administrators can target any one or several web applications that need a second factor of authentication.

  • UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.
  • The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA before access to the IIS application is granted.

How to apply MFA for IIS

4. Apply MFA on Outlook Web Access for Microsoft Exchange Server

Outlook Web Access (OWA) allows users to access their own corporate mailbox over the internet- from outside the corporate domain - without having to log into a VPN.

With UserLock MFA for IIS, a second factor of authentication can be added to OWA connections as Exchange applications are supported by an IIS server.

  • UserLock detects the servers where IIS is installed and can automatically deploy the UserLock IIS agent. The UserLock MFA feature must then be installed on the IIS Server and the UserLock MFA application added.
  • The website settings are then configured to redirect the user to enroll for MFA if not already done, and challenge for MFA on all access to users email.

How to apply MFA for IIS

Note: UserLock can also protect Exchange Online (available as a standalone service or part of Office365) with MFA. See cloud-based resources.

5. MFA on Microsoft DirectAccess and AlwaysOn VPN

DirectAccess allows connectivity for remote users to organization network resources without the need for VPN connections. With DirectAccess connections, remote client computers are always connected to your organization - there is no need for remote users to start and stop connections, as is required with VPN connections.

AlwaysOn VPN – the replacement for DirectAccess – automatically establishes a VPN connection any time an authorized client has an active Internet connection.

Both of these methods help secure the machine’s remote connection. Unlike a traditional VPN there is no prompt for user credentials.

Therefore with UserLock, MFA can continue to be prompted when the remote user is asked to identify themselves.

Rather than backhauling these applications through the core network UserLock enables MFA combined with single sign-on (SSO) for secure and direct connectivity to cloud based applications.

By retaining Active Directory (AD) as the Identity Provider, UserLock SSO allows each user to log in only once - with their existing AD credentials. Combined with granular MFA, this ensures a second factor of authentication can be added to verify the identity of users, before they access the cloud.

MFA combined with single sign-on (SSO)

1. Access via a browser for users already authenticated to the Windows network

Access is immediately granted. UserLock SSO asserts the user’s identity to the cloud application and is authenticated without the user having to log in to the application. There is no difference whether inside the corporate network or working remotely.

(MFA can be requested again if required in the admin settings).

2. Access via a browser for users who are not authenticated to the Windows network

The user enters their corporate email address in the cloud application to login. UserLock SSO will then prompt the user for Windows domain login credentials (and a second authentication factor if enabled). The user is logged in successfully and redirected back to the application. There is no difference between a smartphone browser, a computer browser or a mobile app.

(MFA can be requested again if required in the admin settings).

3. Any attempt to then access a second, different cloud application

Access is immediately granted. Multi-factor authentication can however be requested at each logon if required in the administrative settings.

Examples include:

1. Restrict remote access to authorized machines

UserLock can restrict VPN access to just authorized company machines. Any other access attempt from any other machine is then denied.

Restrict remote access to authorized machines

2. Restrict remote access to certain countries

The geolocation restriction allows an administrator to restrict remote logons based on country (geolocation). The restriction will disallow/allow logons from a list of selectable countries.

Restrict remote access to certain countries

3. Enforce logoff times and working hours

The rapid adoption of home working has meant many organizations can no longer apply time policies for network logons to reduce security risks or reduce unauthorized overtime.

UserLock AnyWhere can continue to apply these restrictions even if the machine is outside the corporate network. The UserLock agent remains in contact with the service and can force the user to logoff if they have exceeded the working hours allowed.

Enforce logoff times and working hours

Ready to try UserLock?

Learn more Free trial

Download UserLock