While the Windows offline logon 2FA function provided by DualShield offers users convenience and security while working offline, some users might be concerned that their token credentials are cached locally. Moreover, only tokens such as OTP tokens, FIDO keys and smart cards can be used for offline logon; methods such as SMS on-demand passwords and mobile push-to-accept cannot.

Nowadays, 3G/4G mobile networks and Wi-Fi networks are present almost everywhere. If a customer makes their DualShield Windows Logon agent accessible on the public network, their users can turn the offline logon experience into an online logon experience. They can log on to their Windows machine offline (disconnected from the corporate network) yet be authenticated online with 2FA. In short, they can log on with 2FA anywhere, at any time. This is what we call "Windows Logon Anywhere", a new feature introduced in DualShield v5.9.2. (Technically speaking, Logon Anywhere means offline logon with online authentication, whereas conventional offline logon means offline logon with offline authentication.)

To enable Logon Anywhere, you need to publish your DualShield Windows Logon agent on the public network. Please follow the steps below:

Log in to the DualShield Management Console, navigate to "Authentication | Agent", select the Windows agent (i.e. "Windows Logon"), then select "Edit" from the context menu:

Enter the "Agent Public URL". By default, the Windows Logon agent runs on port 14282 for HTTP and port 14284 for HTTPS.

e.g. https://FQDN:14284/xmlrpc or http://FQDN:14282/xmlrpc

Next, make sure that the Agent Public URL is accessible from the public network. You will need to configure your firewall to forward or tunnel the traffic on port 14282 or 14284.

You can verify the connection by visiting https://FQDN:14284/xmlrpc or http://FQDN:14282/xmlrpc from both an internal and an external (internet) connection.
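The same verification can be scripted and run once from an internal host and once from an external one. This is an added example, not DualShield tooling: it checks an Agent Public URL against the defaults given above, flags plain HTTP, and for HTTPS confirms that the certificate chain and hostname validate. The function names are hypothetical, and the script only tests connectivity and TLS; it assumes nothing about what the agent returns.

```python
import ipaddress
import socket
import ssl
import sys
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 14282, "https": 14284}  # agent defaults from this page
EXPECTED_PATH = "/xmlrpc"

def lint_agent_url(url):
    """Return findings for an Agent Public URL; an empty list means clean."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return [f"unsupported scheme {parts.scheme!r}"]
    findings = []
    if parts.scheme == "http":
        findings.append("plain HTTP: logon traffic is unencrypted in transit")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append(f"host {host!r} is an IP literal, not an FQDN")
    except ValueError:
        if "." not in host:
            findings.append(f"host {host!r} is not fully qualified")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != DEFAULT_PORTS[parts.scheme]:
        findings.append(f"port {port} is not the agent default; check forwarding")
    if parts.path != EXPECTED_PATH:
        findings.append(f"path {parts.path!r} is not {EXPECTED_PATH!r}")
    return findings

def probe(url, timeout=5.0):
    """Connect to the agent; for HTTPS, verify the chain and hostname too."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    with socket.create_connection((parts.hostname, port), timeout=timeout) as sock:
        if parts.scheme != "https":
            return "tcp-open"
        ctx = ssl.create_default_context()  # certificate and hostname checks on
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            return tls.version()  # negotiated protocol version string

if __name__ == "__main__":
    for finding in lint_agent_url(sys.argv[1]):
        print("WARN:", finding)
    try:
        print("OK:", probe(sys.argv[1]))
    except OSError as exc:  # also covers ssl.SSLCertVerificationError
        sys.exit(f"FAIL: {exc}")
```

Pass the Agent Public URL as the only argument. A certificate error seen only from the external side usually means the firewall or tunnel is presenting a different certificate than the agent does internally.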


PLEASE NOTE: If testing on an Apple Mac device, Safari may give you the result below:


Once you have successfully published your DualShield Windows Logon agent, each of your users must first log on to your corporate network at least once before they go offline. This is necessary because their machine first has to download the Agent Public URL and other settings.

Now, users can log in anywhere with two-factor authentication as if they were online at all times.