Citrix ADC

Session and traffic management

Session settings

After you configure your authentication, authorization, and auditing profiles, you configure session settings to customize your user sessions. The session settings are:

  • The session timeout.

    Controls the period after which the user is automatically disconnected and must authenticate again to access your intranet.

  • The default authorization setting.

    Determines whether the Citrix ADC appliance will by default allow or deny access to content for which there is no specific authorization policy.

  • The single sign-on setting.

    Determines whether the Citrix ADC appliance will log users on to all web applications automatically after they authenticate, or will pass users to the web application logon page to authenticate for each application.

  • The credential index setting.

    Determines whether the Citrix ADC appliance uses the primary or the secondary authentication credentials for single sign-on.

To configure the session settings, you can take one of two approaches. If you want different settings for different user accounts or groups, you create a profile for each user account or group for which you want to configure custom sessions settings. You also create policies to select the connections to which to apply particular profiles, and you bind the policies to users or groups. You can also bind a policy to the authentication virtual server that handles the traffic to which you want to apply the profile.

If you want the same settings for all sessions, or if you want to customize the default settings for sessions that do not have specific profiles and policies configured, you can simply configure the global session settings.

Session profiles

To customize your user sessions, you first create a session profile. The session profile allows you to override global settings for any of the session parameters.

Note

The terms “session profile” and “session action” mean the same thing.

To create a session profile by using the command line interface

At the command prompt, type the following commands to create a session profile and verify the configuration:

add tm sessionAction <name> [-sessTimeout <mins>] [-defaultAuthorizationAction ( ALLOW | DENY )][-SSO ( ON | OFF )][-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain <string>][-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]

show tm sessionAction <name>

Example

> add tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
 Done
> show tm sessionAction session-profile
1)      Name: session-profile
        Authorization action : ALLOW
        Session timeout: 30 minutes
 Done

To modify a session profile by using the command line interface

At the command prompt, type the following commands to modify a session profile and verify the configuration:

set tm sessionAction <name> [-sessTimeout <mins>] [-defaultAuthorizationAction ( ALLOW | DENY )][-SSO ( ON | OFF )][-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain <string>][-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]

show tm sessionAction

Example


> set tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
 Done
> show tm sessionAction session-profile
1)      Name: session-profile
        Authorization action : ALLOW
        Session timeout: 30 minutes
 Done

To remove a session profile by using the command line interface

At the command prompt, type the following command to remove a session profile:

rm tm sessionAction <name>

To configure session profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Session.
  2. Navigate to Security > AAA - Application Traffic > Policies > Session.
  3. In the details pane, click the Profiles tab.
  4. On the Profiles tab, do one of the following:
    • To create a new session profile, click Add.
    • To modify an existing session profile, select the profile, and then click Edit.
  5. In the Create TM Session Profile or Configure TM Session Profile dialog, type or select values for the parameters.
    • Name*—actionname (Cannot be changed for a previously configured session action.)
    • Session Time-out—sesstimeout
    • Single sign-on to Web Applications—sso
    • Default Authorization Action—defaultAuthorizationAction
    • Credential Index—ssocredential
    • Single Sign-on Domain—ssoDomain
    • HTTPOnly Cookie—httpOnlyCookie
    • Enable Persistent Cookie—persistentCookie
    • Persistent Cookie Validity—persistentCookieValidity
  6. Click Create or OK. The session profile that you created appears in the Session Policies and Profiles pane.

Session policies

After you create one or more session profiles, you create session policies and then bind the policies globally or to an authentication virtual server to put them into effect.

To create a session policy by using the command line interface

At the command prompt, type the following commands to create a session policy and verify the configuration:

add tm sessionPolicy <name> <rule> <action>

show tm sessionPolicy <name>

Example

> add tm sessionPolicy session-pol "URL == /*.gif" session-profile
Done
> show tm sessionPolicy session-pol
1)      Name: session-pol       Rule: URL == '/*.gif'
        Action: session-profile
 Done

To modify a session policy by using the command line interface

At the command prompt, type the following commands to modify a session policy and verify the configuration:

set tm sessionPolicy <name> [-rule <expression>] [-action <action>]

show tm sessionPolicy <name>

Example

> set tm sessionPolicy session-pol -rule "URL == /*.gif" -action session-profile
 Done
> show tm sessionPolicy session-pol
1)      Name: session-pol       Rule: URL == '/*.gif'
        Action: session-profile
 Done

To globally bind a session policy by using the command line interface

At the command prompt, type the following commands to globally bind a session policy and verify the configuration:

bind tm global -policyName <policyname> [-priority <priority>]

Example

> bind tm global -policyName session-pol
 Done

> show tm sessionPolicy session-pol
1)      Name: session-pol       Rule: URL == '/*.gif'
        Action: session-profile
        Policy is bound to following entities
        1) TM GLOBAL    PRIORITY : 0
 Done

To bind a session policy to an authentication virtual server by using the command line interface

At the command prompt, type the following command to bind a session policy to an authentication virtual server and verify the configuration:

bind authentication vserver <name> -policy <policyname> [-priority <priority>]

Example

bind authentication vserver auth-vserver-1 -policyName Session-Pol-1 -priority 1000
Done

To unbind a session policy from an authentication virtual server by using the command line interface

At the command prompt, type the following commands to unbind a session policy from an authentication virtual server and verify the configuration:

unbind authentication vserver <name> -policy <policyname>

Example

unbind authentication vserver auth-vserver-1 -policyName Session-Pol-1
Done

To unbind a globally bound session policy by using the command line interface

At the command prompt, type the following command to unbind a globally bound session policy:

unbind tm global -policyName <policyname>

Example

unbind tm global -policyName Session-Pol-1
Done

To remove a session policy by using the command line interface

First unbind the session policy from global, and then, at the command prompt, type the following command to remove the session policy:

rm tm sessionPolicy <name>

Example


rm tm sessionPolicy Session-Pol-1
Done

To configure and bind session policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Session.
  2. Navigate to Security > AAA - Application Traffic > Policies > Session.
  3. In the details pane, on the Policies tab, do one of the following:
    • To create a new session policy, click Add.
    • To modify an existing session policy, select the policy, and then click Edit.
  4. In the Create Session Policy or Configure Session Policy dialog, type or select the values for the parameters.
    • Name*—policyname (Cannot be changed for a previously configured session policy.)
    • Request Profile*—actionname
    • Expression*—rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  5. Click Create or OK. The policy that you created appears in the details pane of the Session Policies and Profiles page.
  6. To globally bind a session policy, in the details pane, select Global Bindings from the Action drop-down list, and fill in the dialog.
    • Select the name of the session policy you want to globally bind.
    • Click OK.
  7. To bind a session policy to an authentication virtual server, in the navigation pane, click Virtual Servers, and add that policy to the policies list.
    • In the details pane, select the virtual server, and then click Edit.
    • In the Advanced Selections to the right of the detail area, click Policies.
    • Select a policy, or click the plus icon to add a policy.
    • In the Priority column to the left, modify the default priority to ensure that the policy is evaluated in the proper order.
    • Click OK. A message appears in the status bar, stating that the policy has been configured successfully.

Global session settings

In addition to or instead of creating session profiles and policies, you can configure global session settings. These settings control the session configuration when there is no explicit policy overriding them.

To configure the session settings by using the command line interface

At the command prompt, type the following commands to configure the global session settings and verify the configuration:

set tm sessionParameter [-sessTimeout <mins>][-defaultAuthorizationAction ( ALLOW | DENY )][-SSO ( ON | OFF )][-ssoCredential ( PRIMARY | SECONDARY )][-ssoDomain <string>][-httpOnlyCookie ( YES | NO )][-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]

Example

> set tm sessionParameter -sessTimeout 30
  Done
> set tm sessionParameter -defaultAuthorizationAction DENY
  Done
> set tm sessionParameter -SSO ON
  Done
> set tm sessionParameter -ssoCredential PRIMARY
  Done
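The session settings above are easiest to review offline, against the `add tm sessionAction` and `set tm sessionParameter` lines of a configuration export. The following script is an added example, not code from the Citrix documentation or product: it parses those lines in the syntax shown on this page, applies the override rule the page describes (a parameter set in a session profile overrides the global value; an unset one inherits it), and flags the settings a reviewer would question. The sample configuration lines are constructed, and the thresholds MAX_SESS_TIMEOUT and MAX_PERSISTENT_COOKIE_VALIDITY are assumptions chosen for illustration, not Citrix defaults. Treating an unambiguous flag prefix (such as the page's own `-defaultAuthorization`) as the full parameter name is also an assumption about the CLI's abbreviation behaviour.

```python
"""Audit Citrix ADC session settings from ns.conf-style lines (added example)."""
import shlex
from typing import Dict, List, Optional, Tuple

MAX_SESS_TIMEOUT = 60                  # minutes; assumed review threshold
MAX_PERSISTENT_COOKIE_VALIDITY = 1440  # minutes (one day); assumed threshold

PARAMS = ("sessTimeout", "defaultAuthorizationAction", "SSO", "ssoCredential",
          "ssoDomain", "httpOnlyCookie", "persistentCookie",
          "persistentCookieValidity")

# Constructed sample lines (not a real export). `session-profile` mirrors the
# page's own example; the other profiles are made up to exercise the checks.
SAMPLE_CONFIG = """\
set tm sessionParameter -sessTimeout 30 -defaultAuthorizationAction DENY -SSO ON -ssoCredential PRIMARY -httpOnlyCookie YES
add tm sessionAction session-profile -sessTimeout 30 -defaultAuthorization ALLOW
add tm sessionAction kiosk-profile -sessTimeout 480 -httpOnlyCookie NO -persistentCookie ENABLED -persistentCookieValidity 43200
add tm sessionAction strict-profile -sessTimeout 15 -defaultAuthorizationAction DENY -httpOnlyCookie YES
add tm sessionPolicy session-pol "URL == /*.gif" session-profile
"""


def canonical(flag: str) -> str:
    """Map a CLI flag to its full parameter name.

    Assumption: an unambiguous prefix (the page abbreviates
    -defaultAuthorizationAction to -defaultAuthorization) means the full name.
    """
    name = flag.lstrip("-").lower()
    exact = [p for p in PARAMS if p.lower() == name]
    if exact:
        return exact[0]
    prefixed = [p for p in PARAMS if p.lower().startswith(name)]
    return prefixed[0] if len(prefixed) == 1 else flag.lstrip("-")


def parse_entry(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (profile name or 'GLOBAL', {param: value}); None for other lines."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[1] != "tm":
        return None
    verb, _, obj = tokens[:3]
    if obj == "sessionParameter" and verb == "set":
        name, rest = "GLOBAL", tokens[3:]
    elif obj == "sessionAction" and verb in ("add", "set") and len(tokens) > 3:
        name, rest = tokens[3], tokens[4:]
    else:
        return None
    settings: Dict[str, str] = {}
    i = 0
    while i < len(rest):
        if not rest[i].startswith("-"):
            i += 1
            continue
        if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
            settings[canonical(rest[i])] = rest[i + 1]   # flag with a value
            i += 2
        else:
            settings[canonical(rest[i])] = ""            # bare flag
            i += 1
    return name, settings


def audit(effective: Dict[str, str]) -> List[str]:
    """Findings for one effective (global merged with profile) settings set."""
    findings: List[str] = []
    if effective.get("defaultAuthorizationAction", "").upper() == "ALLOW":
        findings.append("defaultAuthorizationAction ALLOW: content with no "
                        "authorization policy is reachable by default")
    if effective.get("httpOnlyCookie", "").upper() == "NO":
        findings.append("httpOnlyCookie NO: session cookie is readable by page scripts")
    timeout = int(effective.get("sessTimeout") or 0)
    if timeout > MAX_SESS_TIMEOUT:
        findings.append(f"sessTimeout {timeout} min exceeds {MAX_SESS_TIMEOUT}")
    if effective.get("persistentCookie", "").upper() == "ENABLED":
        validity = int(effective.get("persistentCookieValidity") or 0)
        if validity > MAX_PERSISTENT_COOKIE_VALIDITY:
            findings.append(f"persistentCookieValidity {validity} min exceeds "
                            f"{MAX_PERSISTENT_COOKIE_VALIDITY}")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit the global settings and each profile's effective settings."""
    global_settings: Dict[str, str] = {}
    profiles: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        name, settings = entry
        if name == "GLOBAL":
            global_settings.update(settings)
        else:
            profiles.setdefault(name, {}).update(settings)
    report = {"GLOBAL": audit(global_settings)}
    for name, settings in profiles.items():
        # A profile parameter overrides the global value; unset ones inherit it.
        report[name] = audit({**global_settings, **settings})
    return report


if __name__ == "__main__":
    for profile, findings in audit_config(SAMPLE_CONFIG).items():
        print(profile, "->", findings or "ok")
```

Run against the sample, the global settings and `strict-profile` come back clean, `session-profile` is flagged for its ALLOW default, and `kiosk-profile` collects three findings; the merge in `audit_config` is what makes a profile that only sets `-sessTimeout` still be judged against the global authorization and cookie settings it inherits.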

To configure the session settings by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Session Settings dialog, type or select values for the parameters.
    • Session Time-out—sessTimeout
    • Default Authorization Action—defaultAuthorizationAction
    • Single Sign-on to Web Applications—sso
    • Credential Index—ssoCredential
    • Single Sign-on Domain—ssoDomain
    • HTTPOnly Cookie—httpOnlyCookie
    • Enable Persistent Cookie—persistentCookie
    • Persistent Cookie Validity (minutes)—persistentCookieValidity
    • Home Page—home page
  4. Click OK.

Traffic settings

If you use forms-based or SAML single sign-on (SSO) for your protected applications, you configure that feature in the Traffic settings. SSO enables your users to log on once to access all protected applications, rather than requiring them to log on separately to access each one.

Forms-based SSO allows you to use a web form of your own design as the sign-on method instead of a generic pop-up window. You can therefore put your company logo and other information you might want your users to see on the logon form. SAML SSO allows you to configure one Citrix ADC appliance or virtual appliance instance to authenticate to another Citrix ADC appliance on behalf of users who have authenticated with the first appliance.

To configure either type of SSO, you first create a forms or SAML SSO profile. Next, you create a traffic profile and link it to the SSO profile you created. Next, you create a policy and link it to the traffic profile. Finally, you bind the policy globally or to an authentication virtual server to put your configuration into effect.

Traffic profiles

After creating at least one forms or SAML SSO profile, you must next create a traffic profile.

Note:

In this feature, the terms “profile” and “action” mean the same thing.

To create a traffic profile by using the command line interface

At the command prompt, type:

add tm trafficAction <name> [-appTimeout <mins>][-SSO ( ON | OFF ) [-formSSOAction <string>]][-persistentCookie ( ENABLED | DISABLED )][-InitiateLogout ( ON | OFF )]

Example

add tm trafficAction Traffic-Prof-1 -appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1

To modify a traffic profile by using the command line interface

At the command prompt, type:

set tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF ) [-formSSOAction <string>]] [-persistentCookie ( ENABLED | DISABLED )] [-InitiateLogout ( ON | OFF )]

Example

set tm trafficAction Traffic-Prof-1 -appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1

To remove a traffic profile by using the command line interface

At the command prompt, type:

rm tm trafficAction <name>

Example

rm tm trafficAction Traffic-Prof-1

To configure traffic profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Traffic.
  2. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  3. In the details pane, click the Profiles tab.
  4. On the Profiles tab, do one of the following:
    • To create a new traffic profile, click Add.
    • To modify an existing traffic profile, select the profile, and then click Edit.
  5. In the Create Traffic Profile or Configure Traffic Profile dialog box, specify values for the parameters.
    • Name*—name (Cannot be changed for a previously configured session action.)
    • AppTimeout—appTimeout
    • Single Sign-On—SSO
    • Form SSO Action—formSSOAction
    • SAML SSO Action—samlSSOAction
    • Enable Persistent Cookie—persistentCookie
    • Initiate Logout—InitiateLogout
  6. Click Create or OK. The traffic profile that you created appears in the Traffic Policies, Profiles, and either the Form SSO Profiles or SAML SSO Profiles pane, as appropriate.

Support for AAA.USER and AAA.LOGIN expressions

The AAA.USER expression is now implemented to replace the existing HTTP.REQ.USER expressions. The AAA.USER expression is applicable to handle non-HTTP traffic, such as the Secure Web Gateway (SWG) and role-based access (RBA) mechanism. The AAA.USER expressions are equivalent to HTTP.REQ.USER expressions.

You can use the expression when configuring various actions or profiles.

At the command prompt, type:

add tm trafficAction <name> [-SSO ( ON | OFF )] [-userExpression <string>]

Example

add tm trafficAction tm_act -SSO ON -userExpression "AAA.USER.NAME"

add tm trafficPolicy tm_pol true tm_act

bind lb vserver lb1 -policyName tm_pol -priority 2

Note:

If you use HTTP.REQ.USER expression, a warning message “HTTP.REQ.USER has been deprecated. Use AAA.USER instead” appears on the command prompt.

  • AAA.LOGIN Expression. The LOGIN expression represents the pre-login stage, also known as the login request. The login request can come from Citrix Gateway, a SAML IdP, or OAuth authentication. The Citrix ADC extracts the required attributes from the policy configuration. The AAA.LOGIN expression contains the attributes, which can be fetched as follows:
    • AAA.LOGIN.USERNAME. The user name (if found) is fetched from the current login request. The same expression applied to a non-login request (as determined by the authentication, authorization, and auditing module) results in an empty string.
    • AAA.LOGIN.PASSWORD. The user password (if found) is fetched from the current login request. The expression results in an empty string if the password is not found.
    • AAA.LOGIN.PASSWORD2. The second password (if found) is fetched from the login request.
    • AAA.LOGIN.DOMAIN. The domain information is fetched from the login request.
  • AAA.USER.ATTRIBUTE. The AAA.USER.ATTRIBUTE expressions now have an integer associated with them, and attributes can be grouped and given a descriptive string name. The authentication, authorization, and auditing module looks up the attributes of the user's session, and AAA.USER.ATTRIBUTE("string") queries the hash table for that particular attribute. For example, if Attributes("samaccountname") is set, AAA.USER.ATTRIBUTE("samaccountname") queries the hash map and fetches the value corresponding to samaccountname.

Traffic policies

After you create one or more form SSO and traffic profiles, you create traffic policies and then bind the policies, either globally or to a traffic management virtual server, to put them into effect.

To create a traffic policy by using the command line interface

At the command prompt, type:

add tm trafficPolicy <name> <rule> <action>

Example

add tm trafficPolicy Traffic-Pol-1 "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" Traffic-Prof-1

To modify a traffic policy by using the command line interface

At the command prompt, type:

set tm trafficPolicy <name> [-rule <expression>] [-action <action>]

Example

set tm trafficPolicy Traffic-Pol-1 -rule "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" -action Traffic-Prof-1

To globally bind a traffic policy by using the command line interface

At the command prompt, type:

bind tm global -policyName <string> [-priority <priority>]

Example

bind tm global -policyName Traffic-Pol-1

To bind a traffic policy to a load balancing or content switching virtual server by using the command line interface

At the command prompt, type one of the following commands:

bind lb vserver <name> -policy <policyName> [-priority <priority>]

bind cs vserver <name> -policy <policyName> [-priority <priority>]

Example

bind lb vserver lb1 -policyName Traffic-Pol-1 -priority 1000

To unbind a globally bound traffic policy by using the command line interface

At the command prompt, type:

unbind tm global -policyName <policyname>

Example

unbind tm global -policyName Traffic-Pol-1

To unbind a traffic policy from a load balancing or content switching virtual server by using the command line interface

At the command prompt, type one of the following commands:

unbind lb vserver <name> -policy <policyname>

unbind cs vserver <name> -policy <policyname>

Example

unbind lb vserver lb1 -policyName Traffic-Pol-1

To remove a traffic policy by using the command line interface

First unbind the traffic policy from global, and then, at the command prompt, type:

rm tm trafficPolicy <name>

Example

rm tm trafficPolicy Traffic-Pol-1

To configure and bind traffic policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Traffic.
  2. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  3. In the details pane, do one of the following:
    • To create a new traffic policy, click Add.
    • To modify an existing traffic policy, select the policy, and then click Edit.
  4. In the Create Traffic Policy or Configure Traffic Policy dialog, specify values for the parameters.
    • Name*—policyName (Cannot be changed for a previously configured traffic policy.)
    • Profile*—actionName
    • Expression—rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  5. Click Create or OK. The policy that you created appears in the details pane of the Traffic Policies and Profiles page.

Form SSO profiles

To enable and configure forms-based SSO, you first create an SSO profile.

Note

  • Forms-based single sign-on does not work if the form is customized to include Javascript.
  • In this feature, the terms “profile” and “action” mean the same thing.

To create a form SSO profile by using the command line interface

At the command prompt, type:

add tm formSSOAction <name> -actionURL <URL> -userField <string> -passwdField <string> -ssoSuccessRule <expression> [-nameValuePair <string>] [-responsesize <positive_integer>][-nvtype ( STATIC | DYNAMIC )][-submitMethod ( GET | POST )]

show tm formSSOAction [<name>]

Example

add tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -nameValuePair "loginID passwd" -responsesize "9096" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nvtype STATIC -submitMethod GET

To modify a form SSO by using the command line interface

At the command prompt, type:

set tm formSSOAction <name> -actionURL <URL> -userField <string> -passwdField <string> -ssoSuccessRule <expression> [-nameValuePair <string>] [-responsesize <positive_integer>][-nvtype ( STATIC | DYNAMIC )][-submitMethod ( GET | POST )]

Example

set tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nameValuePair "loginID passwd" -responsesize "9096" -nvtype STATIC -submitMethod GET

To remove a form SSO profile by using the command line interface

At the command prompt, type:

rm tm formSSOAction <name>

Example

rm tm formSSOAction SSO-Prof-1

To configure form SSO profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, click the Form SSO Profiles tab.
  3. On the Form SSO Profiles tab, do one of the following:
    • To create a new form SSO profile, click Add.
    • To modify an existing form SSO profile, select the profile, and then click Edit.
  4. In the Create Form SSO Profile or Configure Form SSO Profile dialog, specify the values for the parameters:
    • Name*—name (Cannot be changed for a previously configured session action.)
    • Action URL*—actionURL
    • User Name Field*—userField
    • Password Field*—passwdField
    • Expression*—ssoSuccessRule
    • Name Value Pair—nameValuePair
    • Response Size—responsesize
    • Extraction—nvtype
    • Submit Method—submitMethod
  5. Click Create or OK, and then click Close. The form SSO profile that you created appears in the Traffic Policies, Profiles, and Form SSO Profiles pane.

SAML SSO profiles

To enable and configure SAML-based SSO, you first create a SAML SSO profile.

To create a SAML SSO profile by using the command line interface

At the command prompt, type:

add tm samlSSOProfile <name> -samlSigningCertName <string> -assertionConsumerServiceURL <URL> -relaystateRule <expression> -sendPassword (ON | OFF) [-samlIssuerName <string>]

Example

add tm samlSSOProfile saml-SSO-Prof-1 -samlSigningCertName "Example, Inc."  -assertionConsumerServiceURL "https://service.example.com" -relaystateRule "true"  -sendPassword "ON" -samlIssuerName "Example, Inc."

To modify a SAML SSO by using the command line interface

At the command prompt, type:

set tm samlSSOProfile <name> -samlSigningCertName <string> -assertionConsumerServiceURL <URL> -relaystateRule <expression> -sendPassword (ON | OFF) [-samlIssuerName <string>]

Example

set tm samlSSOProfile saml-SSO-Prof-1 -samlSigningCertName "Example, Inc."  -assertionConsumerServiceURL "https://service.example.com" -relaystateRule "true"  -sendPassword "ON" -samlIssuerName "Example, Inc."

To remove a SAML SSO profile by using the command line interface

At the command prompt, type:

rm tm samlSSOProfile <name>

Example

rm tm samlSSOProfile saml-SSO-Prof-1

To configure a SAML SSO profile by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, click the SAML SSO Profiles tab.
  3. On the SAML SSO Profiles tab, do one of the following:
    • To create a new SAML SSO profile, click Add.
    • To modify an existing SAML SSO profile, select the profile, and then click Edit.
  4. In the Create SAML SSO Profiles or the Configure SAML SSO Profiles dialog box, set the following parameters:
    • Name*
    • Signing Certificate Name*
    • ACS URL*
    • Relay State Rule*
    • Send Password
    • Issuer Name
  5. Click Create or OK, and then click Close. The SAML SSO profile that you created appears in the Traffic Policies, Profiles, and SAML SSO Profiles pane.

Session timeout for OWA 2010

You can now force OWA 2010 connections to time out after a specified period of inactivity. OWA sends repeated keepalive requests to the server to prevent timeouts. Keeping the connections open can interfere with single sign-on.

To force OWA 2010 to time out after a specified period by using the command line interface

At the command prompt, type the following commands:

add tm trafficAction <actname> [-forcedTimeout <forcedTimeout> -forcedTimeoutVal <mins>]

For <actname>, substitute a name for your traffic action (profile). For <mins>, substitute the number of minutes after which to initiate a forced timeout. For <forcedTimeout>, substitute one of the following values:

  • START — Starts the timer for forced timeout if a timer has not already been started. If a running timer exists, has no effect.
  • STOP — Stops a running timer. If no running timer is found, has no effect.
  • RESET — Restarts a running timer. If no running timer is found, starts a timer as if the START option had been used.

add tm trafficPolicy <polname> <rule> <actname>

For <polname>, substitute a name for your traffic policy. For <rule>, substitute a rule in Citrix ADC default syntax.

bind lb vserver <vservername> -policyName <polname> -priority <number>

For <vservername>, substitute the name of the authentication, authorization, and auditing traffic management virtual server. For <number>, substitute an integer that designates the policy's priority.

Example

add tm trafficAction act-owa2010timeout -forcedTimeout RESET -forcedTimeoutVal 10
add tm trafficPolicy pol-owa2010timeout true act-owa2010timeout
bind lb vserver vs-owa2010 -policyName pol-owa2010timeout -priority 10
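The difference between the inactivity-based session timeout and the forced timeout is easier to see in a small simulation. The following model is an added example, not Citrix code: at one-minute granularity it treats the session timeout as an inactivity timer that every request (an OWA keepalive included) refreshes, and the forced timeout as a separate timer that ignores requests and reacts only to the START, STOP and RESET semantics listed above. Which requests the traffic policy actually matches on the appliance is outside the model; the caller lists the events explicitly, and all traffic, timestamps and timeouts here are constructed.

```python
"""Idle session timeout versus forced timeout (added example, not Citrix code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SessionTimers:
    sess_timeout: int          # sessTimeout: minutes of inactivity before expiry
    forced_timeout_val: int    # forcedTimeoutVal: minutes until forced expiry
    last_activity: int = 0
    forced_deadline: Optional[int] = None   # None means no running forced timer

    def request(self, now: int) -> None:
        """Any request, keepalives included, refreshes the inactivity timer only."""
        self.last_activity = now

    def apply(self, action: str, now: int) -> None:
        """START / STOP / RESET with the semantics the page gives for -forcedTimeout."""
        if action == "START":
            if self.forced_deadline is None:          # a running timer is left alone
                self.forced_deadline = now + self.forced_timeout_val
        elif action == "STOP":
            self.forced_deadline = None               # no timer: nothing to stop
        elif action == "RESET":
            self.forced_deadline = now + self.forced_timeout_val   # restart, or start
        else:
            raise ValueError(f"unknown forcedTimeout action {action!r}")

    def expired(self, now: int) -> bool:
        idle = now - self.last_activity >= self.sess_timeout
        forced = self.forced_deadline is not None and now >= self.forced_deadline
        return idle or forced


# (minute, kind) where kind is "request", "START", "STOP" or "RESET".
Event = Tuple[int, str]


def first_expiry(events: List[Event], sess_timeout: int = 30,
                 forced_timeout_val: int = 10) -> Optional[int]:
    """Minute at which the session first counts as expired, or None if it never does."""
    timers = SessionTimers(sess_timeout, forced_timeout_val)
    horizon = max(minute for minute, _ in events) + sess_timeout + 1
    pending = sorted(events)
    for now in range(horizon + 1):
        while pending and pending[0][0] == now:
            _, kind = pending.pop(0)
            timers.request(now)            # an action is carried by a request too
            if kind != "request":
                timers.apply(kind, now)
        if timers.expired(now):
            return now
    return None


def keepalives(every: int = 5, until: int = 60) -> List[Event]:
    """Constructed OWA-style keepalive traffic: one request every `every` minutes."""
    return [(m, "request") for m in range(0, until + 1, every)]


if __name__ == "__main__":
    ka = keepalives()
    print("keepalives only, 30 min idle timeout:", first_expiry(ka))
    print("START at login, 10 min forced timeout:", first_expiry(ka + [(0, "START")]))
    print("START at 0, RESET at 7:", first_expiry(ka + [(0, "START"), (7, "RESET")]))
    print("START at 0, STOP at 5:", first_expiry(ka + [(0, "START"), (5, "STOP")]))
```

With keepalives every five minutes the 30-minute inactivity timer never fires while they continue (the session only expires 30 minutes after the last one), which is the behaviour the section sets out to correct; a START at login makes the same session expire at the forced deadline regardless of keepalives, a second START is ignored, RESET moves the deadline, and STOP returns the session to inactivity-only expiry.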