How to install and configure UserLock AnyWhere
In many remote-working situations, users do not always connect to the VPN. The desktop agent then cannot communicate often enough with the UserLock service to log events and to enforce multi-factor authentication and contextual restrictions.
UserLock AnyWhere provides an alternative path: the agent contacts the service over the Internet when no connection to the internal network is available. The desktop agent therefore communicates with the UserLock server at logon time without the need to connect to the VPN.
This allows UserLock to refuse unauthorized connections at logon time; however, it cannot remotely force a logoff because of a restriction, for example when a time restriction is reached.
- The UserLock AnyWhere feature must be installed on a server running IIS. See the specific section below.
- A public IP address registered in DNS for the IIS server hosting UserLock AnyWhere.
- The following Server Manager roles:
  - Web Server (IIS)/Security/Windows Authentication
  - Web Server (IIS)/Application Development/ASP.NET 4.5
- Install the UserLock AnyWhere feature
- Add the UserLock AnyWhere application in IIS
- Test the UserLock AnyWhere connection
1. Install the UserLock AnyWhere feature
The UserLock AnyWhere feature must be installed on the IIS server; it allows the agent to contact the service through the Internet when no connection to the internal network is available. Note that this feature is not installed if you chose “Standard” when installing UserLock.
- Log on to the IIS server on which you want to install UserLock AnyWhere.
If UserLock is already installed, open the Windows Control Panel, select "Uninstall a program", then "UserLock", and click "Change".
If UserLock is not already installed, launch the UserLock installer and select the "Custom setup" option.
Open the “Web Applications” menu, click “UserLock AnyWhere”, then “The feature will be installed….”
If no IIS application on this server is protected by UserLock and you only want to configure UserLock AnyWhere on it:
- Run the UserLock console. In the "Agent distribution" view, select the “IIS” line of the IIS server on which you want to install UserLock AnyWhere. Right-click and select "Install"; this deploys the UserLock server name(s) to the registry of that server.
- Log on to the target IIS server, run Regedit and delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\Volatile\UlStatus
NOTE: If the IIS agent is already installed on the server to protect an IIS application, this step can be skipped.
2. Add the UserLock AnyWhere application in IIS
In IIS Manager, create a new Application Pool with the following parameters:
- Name: 'UserLockProxyAppPool'
- .NET CLR version: v4.0.30319
- Managed pipeline mode: Integrated
In Advanced Settings / Process Model, set “Load User Profile” to True.
At the Default Web Site level, create a new application that uses the previously created application pool:
Point this application at the UserLock AnyWhere folder under the UserLock installation folder, by default "%ProgramFiles(x86)%\ISDecisions\UserLock\Webproxy", and click OK to continue.
Select Application settings / Authentication:
- Disable "Anonymous Authentication"
- Enable "Windows Authentication"
Run the UserLock console, press F7 to open the advanced settings, and set "UrlToContactOverInternet" to the external URL of the application.
If the IIS server is not the same machine as the UserLock server, delegation must be enabled so that the IIS server can forward the Windows-authenticated identity of the user to the UserLock server:
- In "Active Directory Users and Computers", open the properties of the computer account of the IIS server.
- Open the Delegation tab.
- Select "Trust this computer for delegation to specified services only" and "Use any authentication protocol", then click "Add...".
- Click "Users or Computers..." and search for the machine where the UserLock server is located.
- Select the "cifs" service type and click "OK".
To speed up the fallback to UserLock AnyWhere when the agent has no direct connection to the UserLock server, we advise deploying the FQDN of the UserLock server through a group policy, as explained here.
That allows the agent to abandon the direct connection to the UserLock server faster and switch to the UserLock AnyWhere link over the Internet.
3. Test the UserLock AnyWhere connection
A simple test confirms that UserLock AnyWhere is functioning: enter in a browser the URL set in step 6 above (defined in the Advanced settings as "UrlToContactOverInternet").
You should receive a confirmation that the service is reachable:
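The IIS configuration of section 2 and the reachability check of section 3 can also be scripted. The following is an added example, not code from the ISDecisions documentation; it assumes the application alias "UserLockAnyWhere", the default UserLock installation folder, a placeholder external host name, and an elevated PowerShell session on the IIS server.

```powershell
# Added example (not from the original article): scripts section 2 with the
# IIS WebAdministration module, then performs the section 3 reachability check.
Import-Module WebAdministration

$poolName = 'UserLockProxyAppPool'
$siteName = 'Default Web Site'
$appName  = 'UserLockAnyWhere'   # assumed alias; the article does not name it
$physPath = Join-Path ${env:ProgramFiles(x86)} 'ISDecisions\UserLock\Webproxy'

# Application pool: .NET CLR v4.0, Integrated pipeline, Load User Profile = True
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode   -Value 'Integrated'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $true

# Application under the Default Web Site pointing at the Webproxy folder
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName -PhysicalPath $physPath `
        -ApplicationPool $poolName | Out-Null
}

# Authentication: anonymous off, Windows on. Written as a <location> entry in
# applicationHost.config because these sections are locked by default.
$authBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$appName" `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/$appName" `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Section 3 check: the external URL configured in UrlToContactOverInternet must
# answer a Windows-authenticated request. Placeholder host: replace with yours.
$externalUrl = "https://userlock-anywhere.example.com/$appName/"
$response = Invoke-WebRequest -Uri $externalUrl -UseDefaultCredentials -UseBasicParsing
if ($response.StatusCode -eq 200) {
    "UserLock AnyWhere reachable at $externalUrl"
} else {
    "Unexpected HTTP status $($response.StatusCode) from $externalUrl"
}
```

Run the check from a domain-joined machine outside the internal network to reproduce the agent's situation; a 401 means Windows Authentication is in place but the request was not authenticated, which is a separate problem from the application being unreachable.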