Network Connect idle timeout setting

careless_
Occasional Contributor

Hi, we installed a SA4500 box with only Network Connect (6.4.0). The users don't start up with the portal, rather, they start up with the Network Connect icon from Program Manager -> Juniper ... -> Network Connect.

We use ESP as transport and our security people want to disconnect users after they are idle for 1 hour (session limit at 8 hours).

I've read that the idle timeout setting does not really affect NC. So, has anyone found a way to disconnect users after x minutes of idle?

8 REPLIES
firewall72_
Frequent Contributor

Re: Network Connect idle timeout setting

Hi,

There are a few options to consider, but they're at the Role Level. Edit your Network Connect Role, General, Session Options, and configure the "Idle Timeout", "Max Session Length", and "Reminder Time". I believe this is where you want to make your changes and test.

-John

careless_
Occasional Contributor

Re: Network Connect idle timeout setting

Thanks. I did set the idle timeout and session limit to 1 hr and 8 hr respectively in their role's session options settings.

Also, I enabled the "Idle Timeout applications activity" option in their session options.

What I see in the logs is that every so often the ESP session changes the key (I set it every 2 hours) and the client ends and restarts the session every 2 hours, while all the time the machine was in screenlock idling with the VPN connection on and the connection only dropped after 8 hours (the max session limit).

firewall72_
Frequent Contributor

Re: Network Connect idle timeout setting

Hi,

OK, one thing to note is that idle time for Network Connect means no data is being routed and encrypted over the Virtual Adapter. Unless it's an extremely short window, it's difficult to have NC time out due to inactivity (idle). I have a feeling if you connect, lock the workstation and enable Session Recording (Troubleshooting, User Sessions, and Session Recording), you will see in the Trace File that there is activity while it's locked.

-John

stine_
Super Contributor

Re: Network Connect idle timeout setting

If your 'idle timeout application activity' is set to Disabled under Roles->[specific role]->General->Session Options, any traffic from the client PC that transits the NC tunnel will reset the idle timer. This includes all MS NetBIOS traffic (specifically the host announcements every 12 minutes), so in this case the tunnel will not drop until the maximum time is exceeded.

One other 'usual suspect' is http keepalives or http auto-refresh pages.

Also, I believe that if you allow Multicast through the tunnel, MS will announce itself to the multicast groups via the NC interface in addition to the active NICs.

Your mileage may vary.

careless_
Occasional Contributor

Re: Network Connect idle timeout setting

Thanks. The "Idle timeout application activity" was set to enabled.

If http keepalives and auto refresh pages can be considered as "activity triggers", then it's very easy to fool the system for idleness...

stine_
Super Contributor

Re: Network Connect idle timeout setting

It's not a matter of 'being fooled'; currently the IVE has no built-in mechanism to differentiate between network traffic from 'your application' and 'background noise'.

Now theoretically, it has all of the necessary information, i.e. access control lists, and should be able to only 'count' traffic to/from destination addresses that are in the ACL. Of course, if you have your DHCP lease time set to 30 minutes, then every 15 minutes your NC client is going to renew the address, generating 'countable' traffic...

Typically, NC is not deployed to normal users whose applications can be run through the J/WSAM client, or via the browser itself, so you might want to take a look at how you are deploying applications via your IVE.
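The two explanations above (any traffic crossing the tunnel resets the idle timer, and the suggested refinement of counting only traffic to ACL destinations, which DHCP renewals would still defeat) can be checked with a small simulation. The script below is an added example, not code from the thread or from Juniper; it uses constructed flow records (HTTPS to an application server, NetBIOS host announcements every 12 minutes, DHCP renewals every 15 minutes), a hypothetical role ACL of 10.0.1.0/24, and the thread's 1-hour idle / 8-hour maximum session values, and reports when the session would end under three candidate rules for what resets the idle timer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records standing in for what a Network Connect session
# trace would show crossing the virtual adapter; not real IVE log output.
@dataclass
class Flow:
    ts: datetime
    dst: str
    proto: str
    dport: int

# Background protocols the thread names as "noise" that still transits the
# tunnel: NetBIOS name/datagram service (host announcements) and DHCP.
BACKGROUND_PORTS = {("udp", 137), ("udp", 138), ("udp", 67), ("udp", 68)}

# Hypothetical role ACL: only the application server subnet is reachable via NC.
ROLE_ACL = [ip_network("10.0.1.0/24")]


def is_background(flow: Flow) -> bool:
    return (flow.proto, flow.dport) in BACKGROUND_PORTS


def in_acl(flow: Flow) -> bool:
    return any(ip_address(flow.dst) in net for net in ROLE_ACL)


# Three candidate rules for "which flows reset the idle timer".
POLICIES = {
    "all_traffic": lambda f: True,            # behaviour described in the thread
    "acl_only": in_acl,                       # stine_'s suggested refinement
    "acl_minus_background": lambda f: in_acl(f) and not is_background(f),
}


def constructed_flows(start: datetime) -> list:
    """Constructed sample: 30 minutes of real work, then a locked workstation."""
    flows = []
    # User works for 30 minutes: HTTPS to an application server inside the ACL.
    for m in range(0, 31, 5):
        flows.append(Flow(start + timedelta(minutes=m), "10.0.1.50", "tcp", 443))
    # Screen locked; Windows keeps sending NetBIOS host announcements every 12 min.
    for m in range(42, 8 * 60 + 30, 12):
        flows.append(Flow(start + timedelta(minutes=m), "10.0.255.255", "udp", 138))
    # DHCP renewal every 15 minutes to the server that handed out the NC address,
    # which sits inside the ACL subnet.
    for m in range(45, 8 * 60 + 30, 15):
        flows.append(Flow(start + timedelta(minutes=m), "10.0.1.1", "udp", 67))
    return flows


def session_expiry(flows, counts, start, idle_timeout=timedelta(hours=1),
                   max_session=timedelta(hours=8)):
    """Return (minutes after start, reason) at which the session ends, where
    `counts(flow)` decides whether a flow resets the idle timer.
    reason is 'idle' or 'max_session'."""
    last_activity = start
    max_at = start + max_session
    for f in sorted(flows, key=lambda x: x.ts):
        if f.ts > max_at:
            break                       # session already ended by max length
        if f.ts - last_activity >= idle_timeout:
            break                       # idle timer fired in the gap before this flow
        if counts(f):
            last_activity = f.ts
    idle_at = last_activity + idle_timeout
    end, reason = (idle_at, "idle") if idle_at < max_at else (max_at, "max_session")
    return int((end - start).total_seconds() // 60), reason


def run_all(start=datetime(2009, 1, 1, 9, 0)) -> dict:
    flows = constructed_flows(start)
    return {name: session_expiry(flows, rule, start) for name, rule in POLICIES.items()}


if __name__ == "__main__":
    for name, (minutes, reason) in run_all().items():
        print(f"{name:22s} session ends after {minutes:3d} min ({reason})")
```

Under `all_traffic` and `acl_only` the session only ends at the 8-hour maximum, because the 12-minute announcements (and, for the ACL rule, the 15-minute DHCP renewals to a server inside the ACL) never leave a 60-minute gap; only the rule that also discards background protocols lets the idle timer fire, one hour after the last real application flow.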

df_
Contributor

Re: Network Connect idle timeout setting

stine wrote: Typically, NC is not deployed to normal users whose applications can be run through the J/WSAM client, or via the browser itself, so you might want to take a look at how you are deploying applications via your IVE.

Typically, the IVE is configured to best fit a company's needs. That does not mean that typically NC is not used, it just means that is how you may typically configure it for your customers. :) We use NC for 400+ concurrent users on a daily basis, but we also only allow NC from company owned PCs that meet our security requirements. NC works great for apps like ip softphones and other apps that may require two way communication.

stine_
Super Contributor

Re: Network Connect idle timeout setting

Very true. However, if the users have soft-phones, I would think that having any idle-timeout would be a bad thing. Of course, this would mean that you would have to have a 1-to-1 ratio between users and NC licenses.