NxFilter Tutorial
Tutorial Index

NxLocal for single user
You can identify users behind a router with NxLocal and apply different policies to those users.

What is NxLocal?
When you install NxFilter on cloud or use NxCloud, one problem is to differentiate users behind a router as you want to apply a different policy to some users. We have several solutions for that. You can use NxRelay for IP based authentication or AD integration over cloud. And you also can use NxClient for single user.

However, if it's about just several users or without Active Directory, running NxRelay might be too heavy as it requires an extra hardware to runs on. If you go with NxClient, another problem is that you have to set a different DNS server other than your NxFilter/NxCloud for it and it makes a loop hole for your users.

Now we offer NxLocal which is a local DNS server running on a client system. It's a scaled down NxRelay for single user. Since this one runs on a user system like NxClient, you don't need a dedicated system for it. And this one does 'DNS Over HTTPS' so you don't need to set any DNS server for it.

NxLocal is supported from v4.3.4.1 of NxFilter and NxCloud.

Installation of NxLocal
When you install it using NxLocal installer, you will see its setup program (C:/Program Files/nxlocal/setup.exe) running. There are 'Server IP', 'Login Token' parameters and you need to set them up with your own values.

On NxFilter, every user has a login token. You can find it on 'User > User > EDIT'.

After you modify the config values, test your setup first and then start it. You can check if it is working by viewing 'Logging > Signal' on NxFilter GUI. There will be signals from NxLocal.

You can add multiple server IP addresses separated by commas if you run a cluster of NxFilter.

Signals of NxLocal
We defined several signals with which you can find out what is going on a user system. NxLocal sends these signals.

  • START : When NxLocal starts, it sends START signal to NxFilter.
  • STOP : When NxLocal stops, it sends STOP signal to NxFilter.
  • PING : NxLocal sends PING signal to NxFilter every 5 minutes.

You can view these signals on 'Logging > Signal' on NxFilter GUI.

Policy and username
You set a login token for NxLocal setup and there's a user being tied to the token. So, it will be appeared on NxFilter log-view with the username of its token user and will be under the policy of its token user. However, regarding username, we want to show you the system logged-in username as well. So, NxLocal detects the currently logged-in username on the system it is running on and send it to its server. It will be look like 'tokenname_username'.

For example, you create a user 'nxlocal' on NxFilter side and there's user 'john100' on the client system on which NxLocal runs. Then the usernam on NxFilter log-view would be'nxlocal_john100' and it will be under the policy of 'nxlocal' user. With this feature, you can have group based filtering policy on NxCloud which doesn't have Group concept. You can create a user 'group1' and install several NxLocal with the token of 'group1' and then you get usernames like 'group1_john100' and 'group1_jane100' on your log-view under the same policy.

Fail-safe measure for NxLocal
NxLocal itself is a DNS server. So, when it stops working you can't resolve any DNS queries on the system it runs on. For NxLocal, NxFilter/NxCloud on cloud is just a policy server. Even if it can't connect its policy server it will be working as a DNS server forwarding its DNS queries to its upstream server through HTTPS protocol. We use 'DNS Over HTTPS' by Cloudflare as its upstream server. So, you are not going to lose your DNS resolving as long as it can do 'DNS Over HTTPS' against Cloudflare.

NxLocal as a remote filtering agent
You can use NxLocal as a remote filtering agent instead of NxClient. Its filtering will be working in any place while it can connect its policy server that is your NxFilter or NxCloud server. It might be better than NxClient as it works on DNS level and NxClient which only can block HTTP/HTTPS traffic. However, they may block 'DNS Over HTTPS' in some sites and in that case, you will lose DNS resolving.

Local DNS server and local domain
You may have some local domains to be resolved by your local DNS servers. In that case, you can bypass those domains to your local DNS server by setting some parameters on 'C:/Program Files/nxlocal/cfg.properties' file. When your local domain is 'mydomain.local' and your local DNS server IP is '' you can add the following lines to the file.

local_dns =
local_domain = mydomain.local

Uninstalling NxLocal
To prevent an accidental uninstallation by your user, NxLocal doesn't provide an uninstaller on 'Add/Remove programs'  in Windows control panel. When you uninstall NxLocal, you need to do it manually with the following steps.

1. Run 'C:/Program Files/nxlocal/bin/unstsvc.bat'.
2. Delete 'C:/Program Files/nxlocal' folder.

Silent install
For those of you wanting to install NxLocal on multiple PCs using GPO or PDQ deployment, we have silent install options.

For silent install,

/silent : Runs the installer in silent mode (The progress window will be displayed).
/verysilent : Very silent mode. No windows will be displayed.

And you can specify 'Server IP' and 'Login Token',


This is the final form of the command.

		nxlocal-1.0.1.exe /verysilent /server= /token=GKSYEJYG \
/local_dns= /local_domain=mydomain.local