UserLock Documentation

How to install and configure UserLock Anywhere

In many remote-working situations, users are not always connected to the VPN, so the desktop agent cannot communicate often enough with the UserLock service to log events and to enforce multi-factor authentication and contextual restrictions.

Implementing UserLock Anywhere provides an alternative: the agent contacts the service through the Internet when no connection to the corporate network is established. The desktop agent can then communicate with the UserLock server at logon time without a VPN connection.

This allows UserLock to refuse unauthorized connections at logon time. To remotely force a logoff because of a restriction, for example to enforce logon hours on remote user machines, an advanced setting is required; it is explained at the end of this page.


Procedure

Prerequisites

  • The UserLock Anywhere feature must be installed and configured on a server running IIS. See the specific sections below.
  • A public IP address registered in DNS for the IIS server hosting UserLock Anywhere.
  • The following Server Manager roles:
    • Web Server (IIS) / Security / Windows Authentication
    • Web Server (IIS) / Application Development / ASP.NET 4.5
  • The UserLock Anywhere feature must be installed on a server that is a member of the domain.

1. Install the UserLock Anywhere feature

The UserLock Anywhere feature must be installed on the IIS server; it allows the agent to contact the service through the Internet when no network connection is established. Note that this feature is not installed if you chose “Standard” when installing UserLock.

  1. Log on to the IIS server on which you want to install UserLock Anywhere.
    • If UserLock is already installed, open the Windows Control Panel, select "Uninstall a program", then "UserLock", and click on "Change".

    • If UserLock is not already installed, launch the UserLock installer and select the "Custom setup" option.

  2. Open the “Web Applications” menu, click on “UserLock Anywhere”, then “The feature will be installed….”

  3. If no IIS application is protected by UserLock on this server and you only want to configure UserLock Anywhere on it:

    • Run the UserLock console. In the "Agent distribution" view, select the “IIS” line of the IIS server on which you want to install UserLock Anywhere. Right-click and select "Install"; this deploys the UserLock server name(s) to the registry of that server.
    • Log on to the target IIS server, run Regedit and delete the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\Volatile

    NOTE: If the IIS agent is already installed on the server to protect an IIS application, this step can be skipped.

2. Add the UserLock Anywhere application in IIS

There are three ways to add the UserLock Anywhere application in IIS: through the configuration wizard (12.1 beta only), through a command line tool, or manually via the IIS Manager console.

2.1: Configuration wizard (12.1 beta only)

  1. Launch the configuration wizard by searching for it in the start menu. Click on "Configure" next to UserLock Anywhere.

  2. The wizard will check if all Windows components are installed. If some are missing, you will be prompted to install them.

  3. Choose the website where you want to add the application.

  4. Once the application is successfully installed, you can insert the URL in the server properties.

2.2: Command line tool

To install it with the command line tool, run UserLockInstaller.exe (%ProgramFiles(x86)%\ISDecisions\UserLock\UserLockInstaller).

2.3 Manually through the IIS Manager console

  1. In IIS Manager, create a new Application Pool with the following parameters:
    • Name: 'UserLockProxyAppPool'
    • .NET CLR version: v4.0.30319
    • Managed pipeline mode: Integrated

  2. Under Advanced Settings / Process Model, set “Load User Profile” to True.

  3. At the default web site level, create a new application that uses the previously created application pool.

  4. Configure this application with the UserLock Anywhere folder under the UserLock installation folder. By default: "%ProgramFiles(x86)%\ISDecisions\UserLock\Webproxy". Click OK to continue.

    NOTE: If using delegated mode, please refer to the prerequisite below.

  5. Select Application settings / Authentication:
    • Disable "Anonymous Authentication"
    • Enable "Windows Authentication"
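The manual steps of section 2.3, as an added PowerShell example (not part of the UserLock documentation) using the IIS WebAdministration module. It assumes the application is named "UserLockAnywhere" under "Default Web Site" and that UserLock is installed in its default folder; it ends by verifying that Windows Authentication is the only authentication method enabled on the application.

```powershell
# Added example: creates the app pool and application from section 2.3.
# Assumptions: application name "UserLockAnywhere", site "Default Web Site",
# UserLock installed in the default folder.
Import-Module WebAdministration

$poolName = 'UserLockProxyAppPool'
$siteName = 'Default Web Site'
$appName  = 'UserLockAnywhere'      # assumed application name
$appPath  = "${env:ProgramFiles(x86)}\ISDecisions\UserLock\Webproxy"

# Step 1: application pool with .NET CLR v4.0 and Integrated pipeline
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode  -Value 'Integrated'
# Step 2: Process Model / Load User Profile = True
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $true

# Steps 3 and 4: application under the site, pointing at the Webproxy folder
if (-not (Test-Path $appPath)) { throw "UserLock Anywhere folder not found: $appPath" }
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName -PhysicalPath $appPath `
        -ApplicationPool $poolName | Out-Null
}

# Step 5: anonymous authentication off, Windows Authentication on
$location = "$siteName/$appName"
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
$winFilter  = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $anonFilter -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $winFilter -Name enabled -Value $true

# Verification: the application must not accept anonymous requests
$anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $anonFilter -Name enabled
$win  = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $winFilter -Name enabled
if ($anon.Value -or -not $win.Value) { throw "Authentication misconfigured on $location" }
"OK: $location uses Windows Authentication only (pool $poolName)"
```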

Delegated Mode

If the IIS server is not hosted on the same machine as the UserLock server, delegation must be enabled.

Prerequisite:

A custom install of UserLock is required on the delegated server (the one where IIS is installed), using the same executable file as for the primary UserLock server; the only feature to install is UserLock Anywhere.

  1. In "Active Directory Users and Computers", open the properties of the computer account of the IIS server.
  2. Open the Delegation tab.
  3. Select "Trust this computer for delegation to specified services only" and "Use any authentication protocol", then click on "Add...".

  4. Click on "Users or Computers..." and search for the machine where the UserLock server is located.
  5. Select the "cifs" service type and click on "Ok".
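The same delegation setup done from PowerShell with the ActiveDirectory module, as an added example that is not part of the UserLock documentation. The computer names IISSRV and ULSRV are placeholders; the example assumes the two usual SPN forms (short name and FQDN) for the cifs service on the UserLock server and checks afterwards that delegation is limited to exactly those services.

```powershell
# Added example: constrained delegation from the IIS server to the UserLock server.
# Placeholders: IISSRV (hosts UserLock Anywhere), ULSRV (runs the UserLock service).
Import-Module ActiveDirectory

$iisComputer      = 'IISSRV'
$userLockComputer = 'ULSRV'
$domainDns        = (Get-ADDomain).DNSRoot

# SPNs of the "cifs" service on the UserLock server (short and FQDN forms; assumption)
$spns = @("cifs/$userLockComputer", "cifs/$userLockComputer.$domainDns")

# "Trust this computer for delegation to specified services only":
# only these SPNs go into msDS-AllowedToDelegateTo, nothing broader.
Set-ADComputer -Identity $iisComputer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# "Use any authentication protocol" = protocol transition on the IIS computer account
Set-ADAccountControl -Identity "$iisComputer$" -TrustedToAuthForDelegation $true

# Verification: the delegation list must contain the cifs SPNs and nothing else
$c = Get-ADComputer -Identity $iisComputer `
        -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$allowed = @($c.'msDS-AllowedToDelegateTo')
$extra = $allowed | Where-Object { $_ -notin $spns }
if ($extra) { Write-Warning "Unexpected delegation targets: $($extra -join ', ')" }
if (-not $c.TrustedToAuthForDelegation) { throw 'Protocol transition is not enabled' }
"Delegation from $iisComputer limited to: $($allowed -join ', ')"
```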

Optionally

If you want to speed up the fallback to UserLock Anywhere when the agent has no direct connection to the UserLock server, we advise deploying the FQDN of the UserLock server using a group policy as explained here.

This allows the agent to give up on the direct connection to the UserLock server faster and switch to the alternative UserLock Anywhere link over the Internet.

3. Add the URL in the Server Properties

Open the Server Properties menu and, in the General tab, set the Public URL setting to the external URL.

4. Make sure that on the target computers the Desktop Agent is installed and the UserLock Anywhere URL is deployed

For UserLock Anywhere to work on a target computer, the Desktop Agent must be installed and the URL must be registered.

Once UserLock Anywhere is configured, UserLock will deploy its URL to all computers in the site.

For computers that are not connected to the network, you will need to deploy this URL yourself. There are two ways to do this:

  • Manual creation of the registry value:
    Open the registry on the target machine.
    Navigate to the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Create the registry value 'UserLockInternetUrl' (type REG_SZ) and write the URL in its content.
  • Or deploy the URL using Group Policy as explained here.

5. Test the UserLock Anywhere connection

A simple test confirms that UserLock Anywhere is working: enter in a browser the URL from step 6 above (defined in Server Properties, General tab).

You should receive a confirmation that the service is reachable.
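Steps 4 and 5 combined, as an added PowerShell example that is not part of the UserLock documentation: it registers the UserLock Anywhere URL on a workstation in the Winlogon key named above, reads it back to confirm the type and content, and then performs the reachability check that the browser test does. The URL is a placeholder; the example assumes the endpoint answers an authenticated GET with an HTTP success status.

```powershell
# Added example: deploy the UserLockInternetUrl value (step 4) and test the URL (step 5).
# Placeholder URL; run as an administrator on the target workstation.
$publicUrl = 'https://userlock.example.com/UserLockAnywhere'
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'UserLockInternetUrl'

# The agent authenticates to this endpoint (Windows Authentication), so the
# example warns when the URL is not HTTPS; this check is the example's own.
if ($publicUrl -notmatch '^https://') { Write-Warning "Public URL is not HTTPS: $publicUrl" }

# Write the REG_SZ value (created if missing, overwritten otherwise)
New-ItemProperty -Path $key -Name $name -Value $publicUrl -PropertyType String -Force | Out-Null

# Read it back and confirm both the value type and the content
$item   = Get-Item -Path $key
if ($item.GetValueKind($name) -ne 'String') { throw "$name is not REG_SZ" }
$stored = $item.GetValue($name)
if ($stored -ne $publicUrl) { throw "Stored value '$stored' differs from '$publicUrl'" }
"Registered $name = $stored"

# Reachability check equivalent to opening the URL in a browser; the application
# requires Windows Authentication, so the current user's credentials are passed.
try {
    $r = Invoke-WebRequest -Uri $publicUrl -UseDefaultCredentials -UseBasicParsing
    "UserLock Anywhere reachable: HTTP $($r.StatusCode) from $publicUrl"
} catch {
    Write-Warning "UserLock Anywhere not reachable: $($_.Exception.Message)"
}
```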

Disconnect and lock user sessions over the Internet

This feature, available since UserLock 11.0.1 and based on UserLock Anywhere, is activated by configuring the advanced setting "SessionsWithoutNetworkLogoffAgentInternet" (in the UserLock console, press the F7 key to display the advanced settings dialog). This allows logon hours or time quotas to be respected even if a computer is not connected to the corporate network.

Configure "SessionsWithoutNetworkLogoffAgentInternet" with the number of minutes the Desktop agent waits between each request for the list of sessions to act on. We recommend a value of at least 10 minutes so as not to increase the workload of UserLock. By default, this feature is disabled (-1). If required, this setting can be configured through group policies (see here for details).

Troubleshooting

What to do if connections are slow with UserLock Anywhere

Connections to workstations used at home by end users and via UserLock Anywhere may be slow after entering the password and before or after entering the MFA code.

This is due to a caching problem with DNS lookups for names that do not exist on the Internet Service Provider's DNS servers used by the Internet router.

One way to solve this problem is to change the DNS servers configured on the Internet router, for example to the Google public DNS servers (8.8.8.8 and 8.8.4.4).