Hi, we installed a SA4500 box with only Network Connect (6.4.0). The users don't start up with the portal, rather, they start up with the Network Connect icon from Program Manager -> Juniper ... -> Network Connect.
We use ESP as transport and our security people want to disconnect users after they are idle for 1 hour (session limit at 8 hours).
I've read that the idle timeout setting does not really affect NC. So, has anyone found a way to disconnect users after x minutes of idle?
There are a few options to consider, but they're at the Role Level. Edit your Network Connect Role, General, Session Options, and configure the "Idle Timeout", "Max Session Length", and "Reminder Time". I believe this is where you want to make your changes and test.
Thanks. I did set the idle timeout and session limit to 1 hr and 8 hr respectively in their role's session options settings.
Also, I enabled the "Idle Timeout applications activity" option in their session options.
What I see in the logs is that every so often the ESP session changes the key (I set it to every 2 hours) and the client ends and restarts the session every 2 hours, while all the time the machine was in screenlock, idling with the VPN connection on, and the connection only dropped after 8 hours (the max session limit).
OK, one thing to note is that idle time for Network Connect means no data is being routed and encrypted over the Virtual Adapter. Unless it's an extremely short window, it's difficult to have NC time out due to inactivity (idle). I have a feeling if you connect, lock the workstation and enable Session Recording (Troubleshooting, User Sessions, and Session Recording), you will see in the Trace File that there is activity while it's locked.
If your 'idle timeout application activity' is set to Disabled under Roles->[specific role]->General->Session Options, any traffic from the client PC that transits the NC tunnel will reset the idle timer. This includes all MS NetBIOS traffic (specifically the host announcements every 12 minutes), so in this case the tunnel will not drop until the maximum time is exceeded.
One other 'usual suspect' is http keepalives or http auto-refresh pages.
Also, I believe that if you allow Multicast through the tunnel, MS will announce itself to the multicast groups via the NC interface in addition to the active NICs.
Your mileage may vary.
Thanks. The "Idle timeout application activity" was set to enabled.
If http keepalives and auto refresh pages can be considered as "activity triggers", then it's very easy to fool the system for idleness...
It's not a matter of 'being fooled'; currently the IVE has no built-in mechanism to differentiate between network traffic from 'your application' and 'background noise'.
Now theoretically, it has all of the necessary information, i.e. access control lists, and should be able to only 'count' traffic to/from destination addresses that are in the ACL. Of course, if you have your DHCP lease time set to 30 minutes, then every 15 minutes your NC client is going to renew the address, generating 'countable' traffic...
Typically, NC is not deployed to normal users whose applications can be run through the J/WSAM client, or via the browser itself, so you might want to take a look at how you are deploying applications via your IVE.
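The two idle-timer behaviours discussed in this thread (the IVE's actual "any tunnel traffic resets the timer" rule versus the ACL-aware counting that is only described as a theoretical improvement) can be compared with a small simulation. The following is an added example written for this thread; it is not code from the original posts or from the product, and it makes no claim about how the IVE is implemented. The ACL, the address pool, the packet timeline (20 minutes of application traffic, then a locked screen with NetBIOS host announcements every 12 minutes and DHCP renewals every 15 minutes, as the replies above describe) and the 1 h / 8 h limits from the original question are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Limits from the original question (minutes)
IDLE_TIMEOUT_MIN = 60
MAX_SESSION_MIN = 8 * 60

# Hypothetical role ACL: the only resources the role may reach through NC.
ACL = [ip_network("10.10.0.0/16")]


@dataclass
class Packet:
    t_min: float   # minutes since the tunnel came up (constructed timeline)
    dst: str       # destination address as seen on the virtual adapter
    note: str      # what generated the packet


def build_timeline():
    """Constructed traffic: a real app for 20 minutes, then only background noise
    from the locked workstation for the rest of the 8-hour window."""
    pkts = [Packet(float(t), "10.10.5.20", "app traffic") for t in range(0, 21)]
    # NetBIOS host announcements to the NC subnet broadcast, every 12 minutes
    pkts += [Packet(float(t), "10.200.0.255", "netbios announce")
             for t in range(12, MAX_SESSION_MIN, 12)]
    # DHCP renewals to the (hypothetical) DHCP server, every 15 minutes
    pkts += [Packet(float(t), "10.200.0.1", "dhcp renew")
             for t in range(15, MAX_SESSION_MIN, 15)]
    return pkts


def counts_as_activity(pkt, acl_aware):
    """Naive rule: every tunnelled packet is activity.
    ACL-aware rule: only packets to an address permitted by the role ACL count."""
    if not acl_aware:
        return True
    return any(ip_address(pkt.dst) in net for net in ACL)


def simulate(packets, acl_aware):
    """Return (minute the tunnel drops, reason), reason being 'idle' or 'max-session'."""
    last_activity = 0.0
    for pkt in sorted(packets, key=lambda p: p.t_min):
        if pkt.t_min >= MAX_SESSION_MIN:
            break
        # Check the idle timer before crediting this packet as activity
        if pkt.t_min - last_activity >= IDLE_TIMEOUT_MIN:
            return (last_activity + IDLE_TIMEOUT_MIN, "idle")
        if counts_as_activity(pkt, acl_aware):
            last_activity = pkt.t_min
    # No more packets: does the idle timer expire before the session limit?
    if MAX_SESSION_MIN - last_activity >= IDLE_TIMEOUT_MIN:
        return (last_activity + IDLE_TIMEOUT_MIN, "idle")
    return (MAX_SESSION_MIN, "max-session")


if __name__ == "__main__":
    timeline = build_timeline()
    print("any traffic counts :", simulate(timeline, acl_aware=False))
    print("ACL-aware counting :", simulate(timeline, acl_aware=True))
```

With the naive rule the background packets keep resetting the timer and the tunnel only drops at the 8-hour maximum, which matches what the original poster saw in the logs; with ACL-aware counting the last application packet at minute 20 starts the clock and the tunnel would drop at minute 80. Lowering the noise (shorter DHCP leases make it worse, blocking multicast and NetBIOS over the tunnel makes it better) is the lever the thread's replies point at.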
Typically, the IVE is configured to best fit a company's needs. That does not mean that typically NC is not used, it just means that is how you may typically configure it for your customers. We use NC for 400+ concurrent users on a daily basis, but we also only allow NC from company owned PCs that meet our security requirements. NC works great for apps like ip softphones and other apps that may require two way communication.
stine wrote: Typically, NC is not deployed to normal users whose applications can be run through the J/WSAM client, or via the browser itself, so you might want to take a look at how you are deploying applications via your IVE.