If your AD domain is visible in the public network and has a public DNS server, then follow the guide below to set up offsite logon:
Add the A record below to your public DNS server.
The "hostname" can be anything you like, such as "dsmfa". However, you need to be careful with the hostname "dsagent", as it is used for onsite logon. If you need to deploy both onsite and offsite MFA logon, then you must not use "dsagent" as the public hostname for your computer logon agent.
The example below creates an A record with the hostname "dsmfa" in the domain "la.deepnetid.com".
hostname: dsmfa
domain name: la.deepnetid.com
ip address: the public IP of your Computer Logon Agent
Otherwise, follow the guide below to set up offsite logon:
In the DualShield Admin Console, find the computer logon agent in Authentication | Agents.
Important: if you have multiple Computer Logon Agents, then repeat the steps above on every Computer Logon Agent entry.
If you implement offsite Computer MFA logon with a public URL, then your users must make sure that they have completed an online MFA logon on their laptop computers before they take the laptop computers offsite. This is because the public URL of the logon agent has to be downloaded to the laptop computers, and download can only be carried out in an online MFA logon process.
Every time a user logs their computer into the domain network with MFA, the computer will sync with the MFA server and download the latest policies and settings including the Public URL of the logon agents. In other words, the public URL of the logon agents is automatically downloaded to the user's computer, as long as the user has carried out a successful online login on the computer.
Users can check the list of logon agents that have been set up on the computer by visiting the User Console at http://localhost:12845
If for some reason the public URL of the logon agents has not been downloaded to the user's computer automatically, then the user can also add the logon agent's public URL manually using the User Console.
There are some cases where users will have to set up the off-site MFA logon manually.
The public URL of the computer logon agent is downloaded to the logon client automatically when the logon client connects to the logon agent. Typically, this happens when the user makes an on-site login. However, where users cannot make an on-site login at all, they have to manually enter the public URL of the logon agent into their logon clients.
Likewise, if you do not want to add an A record to your public DNS records, then your users will have to manually enter the public URL of the logon agent into their logon clients.
In the User Console, click the "Agent" tab, then click the "Add Agent" button.
In "Address", enter the DNS name of the logon agent, e.g. dsmfa.la.deepnetid.com
Click SAVE.
The logon client should be able to resolve the IP address of the newly added agent.
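One way to run the resolution check from the last step on the logon client, as an added example rather than DualShield code. The function name Test-OffsiteAgentRecord is hypothetical; it also flags the reserved "dsagent" hostname and an A record that points at a non-public address.

```powershell
# Added example, not part of DualShield. Test-OffsiteAgentRecord is a hypothetical helper.
function Test-OffsiteAgentRecord {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # e.g. dsmfa.la.deepnetid.com
        [string] $Server                          # optional: resolver to query instead of the default
    )
    $problems = @()

    # "dsagent" is used for onsite logon, so it must not be the public hostname.
    $label = ($Fqdn -split '\.')[0]
    if ($label -ieq 'dsagent') {
        $problems += "Hostname 'dsagent' is used for onsite logon; choose another name."
    }

    # Query DNS only (no hosts file, LLMNR or NetBIOS) so the result reflects the A record.
    $query = @{ Name = $Fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try   { $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' }) }
    catch { $records = @() }
    if ($records.Count -eq 0) { $problems += "No A record resolved for $Fqdn." }

    # The record must carry the agent's public IP: reject RFC 1918,
    # loopback and link-local addresses.
    foreach ($r in $records) {
        $b = ([System.Net.IPAddress]::Parse($r.IPAddress)).GetAddressBytes()
        $nonPublic = ($b[0] -eq 10) -or ($b[0] -eq 127) -or
                     ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                     ($b[0] -eq 192 -and $b[1] -eq 168) -or
                     ($b[0] -eq 169 -and $b[1] -eq 254)
        if ($nonPublic) { $problems += "$($r.IPAddress) is not a public address." }
    }

    [pscustomobject]@{
        Fqdn      = $Fqdn
        Addresses = @($records | ForEach-Object { $_.IPAddress })
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Example call using the hostname from this guide.
Test-OffsiteAgentRecord -Fqdn 'dsmfa.la.deepnetid.com'
```

Run it from an offsite network (or pass -Server with a public resolver's address) so the answer comes from public DNS rather than the internal AD DNS.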