Update, solution and conclusion for future reference to all that it may concern or interest:

After more rigorous testing and searching I have found my remaining answers to enforce a strict security plan against session hijacking after a computer theft for people connecting to your Citrix session from any possible external resources (Android, iPad, Windows laptops and computers, Chromebooks).

To summarize, there are 3 levels that can be controlled, of which 2 are essential and necessary as well as sufficient, while the third one can be considered optional as well as incomplete:

1. (essential) The actual Citrix HDX session (= the published desktop you are working in) needs to become automatically disconnected after X minutes of user inactivity. For this I found the only truly working solution, under all conditions, to be the Citrix policy "Server Idle Timer interval". Practically it means that regardless of which client device or way of connecting, remotely or internally, any Citrix session where no input has been detected for X minutes will be disconnected (but remains available for instant reconnecting after, for instance, a lunch break).

2. (essential) The Netscaler Gateway session (= the "validity lifetime" of your icons). This is essentially the period of time during which clicking the icon of your published application/desktop will reconnect to an existing HDX session or start a new HDX session, before the icon is considered 'expired' and immediately returns a re-authentication prompt instead. This timer value is set and defined in the Netscaler Gateway "Global Settings" section under the "Client Experience" tab in the "Session Time-out" field. By setting it there it will apply to all scenarios and sessions coming in through Netscaler Gateway. In other words, all external connections, where the risk is largest and control least. Internal connections go directly to the Storefront server and come from internal computers that are subject to policies where we have full control over these timers, so they are out of scope for this case.

Note that besides defining this timer at the "Global Settings" level, you could consider instead defining it in the specific equivalent session profiles in case you want this restriction to apply only to specific scenarios, such as connections coming from workspace/receiver apps (but not from logons through the website).

Note also that there is a random extra timer automatically being added to the timer you define, of up to a few minutes, due to the internal gateway working in mysterious ways. This is a big caveat and set me on the wrong foot, causing me to wrongfully conclude and dismiss this field as not working properly during my initial testing. For instance, if you define 1 minute and start testing by clicking the icon again after timing 60 seconds on your chronometer, you will see your setting does not take effect (yet) and reconnect still happens immediately without re-authentication. However, if you define 1 minute and wait 180 seconds on your chronometer, you will always get the authentication prompt as it should. So add 2 minutes at least when testing.

3. (optional) The Storefront "Receiver for website" session (= the "validity lifetime" of the website you are logging on to). This is essentially what causes the logged-on website to redirect itself to an empty page with the words "Your session has timed out due to inactivity" or "you have been logged off.".

I consider this option partial or incomplete because: as opposed to the previous option, this one only applies to websites that people log on to, not to any of all the workspace/receiver app scenarios out there. More specifically, this option even only applies to the single exact Storefront website you set it for, while typically multiple will be needed in order to handle all scenarios.

I consider this optional since even when you define this value up to infinity (or not at all, which means default = 20 minutes), the previously defined parameter, the Netscaler Gateway Session Time-out described above, will already be sufficient and complete in order to make sure that people clicking the visible icons will have to re-authenticate again.

So using nr 1 and 2 alone I was able to enforce that, regardless of which device or connection or scenario, people are always forced to (re)authenticate after X minutes. This is handy in scenarios where, for instance, careless employees get their Chromebook stolen from the car, while a Chromebook typically allows the 'lucky finder' to immediately reconnect to and take over an existing Citrix session because of default Chromebook behaviour.