The UserLock 'Desktop' agent is designed to audit, control and protect workstations, servers and terminal servers. This agent audits all interactive session activity on these machines and protects them by applying a user access control policy defined through protected account rules.
How does the agent find the server?
The UserLock Primary server always deploys its own network address and the network address of the Backup server to all agents. The agent will normally be able to contact a UserLock server without any problem.
The agent tries various ways to contact the UserLock servers in the following order:
- The UserLock Primary server (deployed address).
- The latest successfully contacted server (if different from the Primary server).
- The UserLock Backup server (deployed address) (if different from the latest successfully contacted server).
- If no primary UserLock server name is deployed (in Winlogon or GPO), the agent attempts to contact a server named "UserLock". In order to use this feature, you just need to add an entry in your DNS to link the "UserLock" name to your UserLock server.
- If no primary UserLock server name is deployed (in Winlogon or GPO), the agent attempts to contact a server named "UserLockBackup" (see previous line).
Note: If you used Group Policy to deploy the primary and/or backup server name, a setting configured through Group Policy overrides the value of the same setting deployed by the service or configured manually.
Protocols used to communicate
The agent first tries to ping the server before initiating communication, so the ICMP protocol should be allowed between clients and UserLock servers.
The agent communicates with the UserLock server via the 'Microsoft Print and File Sharing' protocol (SMB TCP 445). Typically client workstations need to be able to access shares on UserLock servers.
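The lookup order and the two protocol requirements above can be checked from a client with a short PowerShell script. This is an added example, not part of the UserLock documentation or product; the parameter names and any server names you pass in are assumptions, and only the fallback names "UserLock" and "UserLockBackup" come from this page.

```powershell
# Added example. Server names passed in are placeholders chosen by the operator.
param(
    [string]$Primary,        # deployed Primary server address, if any
    [string]$LastContacted,  # latest successfully contacted server, if known
    [string]$Backup          # deployed Backup server address, if any
)

# Candidate list in the order the page says the agent tries servers.
$candidates = @()
if ($Primary) { $candidates += [pscustomobject]@{ Role = 'Primary'; Name = $Primary } }
if ($LastContacted -and $LastContacted -ne $Primary) {
    $candidates += [pscustomobject]@{ Role = 'LastContacted'; Name = $LastContacted }
}
if ($Backup -and $Backup -ne $LastContacted) {
    $candidates += [pscustomobject]@{ Role = 'Backup'; Name = $Backup }
}
if (-not $Primary) {
    # No deployed Primary: the agent falls back to these two DNS names.
    $candidates += [pscustomobject]@{ Role = 'DnsFallback'; Name = 'UserLock' }
    $candidates += [pscustomobject]@{ Role = 'DnsFallback'; Name = 'UserLockBackup' }
}

$results = foreach ($c in $candidates) {
    # Name resolution (an IP literal is returned unchanged).
    try   { $addr = [System.Net.Dns]::GetHostAddresses($c.Name) | Select-Object -First 1 }
    catch { $addr = $null }

    $icmp = $false; $smb = $false
    if ($addr) {
        # The agent pings before it talks SMB, so both checks must pass.
        $icmp = Test-Connection -ComputerName $c.Name -Count 1 -Quiet
        $smb  = Test-NetConnection -ComputerName $c.Name -Port 445 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    if (-not $addr)     { $verdict = 'name does not resolve' }
    elseif (-not $icmp) { $verdict = 'ICMP blocked or host down' }
    elseif (-not $smb)  { $verdict = 'TCP 445 blocked' }
    else                { $verdict = 'reachable' }

    [pscustomobject]@{
        Role = $c.Role; Server = $c.Name; Address = "$addr"
        Ping = $icmp;   Tcp445 = $smb;    Verdict = $verdict
    }
}
$results | Format-Table -AutoSize
```

Run it from a client workstation, since the result depends on the network path from that machine to each server.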
Agent contacts service over Internet directly
In the event of failure to connect using the procedure listed above, it is possible to use an alternative method where the agent contacts the service via the Internet.
You can implement this option by following the procedure.