How to configure and install VPN Connect for MFA

If using a Windows VPN connection, you can install this tool ("UserLock.VPN.Connect.msi", available in UserLock installation folder of the UserLock server) on the end user computers to allow users a better user experience for authenticating to VPN sessions with MFA. This tool also allows enrollment in MFA via a VPN connection.

• For Admins

• For End Users

For Admins:

Requirements:

VPN Microsoft pre-configured

UserLock Anywhere and UserLock IIS MFA features have to be installed.

If you have not already installed these components to protect IIS sessions with MFA or remote connections with UserLock Anywhere, you will need to install them. You do not need to complete the entire installation, just the following steps in the links below:

• UserLock Anywhere steps 1&2
• UserLock IIS MFA steps 2&3

Group Policy settings

UserLock VPN Connect can be configured manually or automatically.

However you can configure automatically UserLock VPN Connect through Microsoft Group Policies.

It is also possible to deploy settings parameters through Microsoft Group Policies using a 'Group Policy Administrative Template' that we provide (compatible with Desktop Agents installed through the console, automatically, through MSI, manually...).

In the UserLock installation folder (by default 'c:\Program files[ (x86)]\ISDecisions\UserLock'), you will find this 'Group Policy Administrative template' named 'VpnConnect.adm'. Install the template in the 'Group policy' you want to use to deploy settings parameters of UserLock VPN Connect.

Once the template has been added, you can go to 'Administrative templates' and display 'UserLock' then ‘VPN Connect’ (use 'Classic administrative templates' in Windows Server 2008 and higher).

For End Users

Open UserLock VPN Connect

Configuration:

Information page: This page will be already set if VPN Connect is configured by your administrator via a Group policy and you will not be able to modify it. If the information is not already filled in, you will need to complete it with the information below:

VPN Windows Connection = MyVPN
Domain = MyDomain
MFA URL = http://Server1.MyDomain.intra/ulproxy/Probing - ask your admin to provide this link

Yours account credentials page: (Warning: Do not put the domain name in the user field)

Connection = MyVPN
User name = User1
Password = mypassword

Click on Connect

If MFA is required for the user:

If MFA is not yet configured, the user will need to enroll by clicking on "register". This will open a page in the web browser to enroll via IIS.

With Push notifications, the user can validate the MFA with one click:

When using TOTP, the user simply enters the code:

Click on Close.

• Multi-Factor Authentication
  • Implementing Multi-Factor Authentication
  • UserLock Push App
  • How to apply MFA for VPN
  • How to configure and install VPN Connect for MFA
  • How to apply MFA for IIS Apps such as OWA, RDWeb and Sharepoint
  • How to enable MFA for SSO
  • How to apply MFA for RemoteApp
  • How to apply MFA to Remote Desktop Gateway sessions
  • How to enroll remote users
  • Onboarding for End Users - Push Notifications with UserLock Push
  • Onboarding for End Users – with an Authenticator Application
  • Onboarding for End Users – with a Token2 programmable token
  • Onboarding for End Users – with HOTP Token2
  • Onboarding for End Users – with YubiKey
  • Onboarding for End Users - Recovery codes