Configure time-out settings

You can configure NetScaler Gateway to force a disconnection if there is no activity on the connection for a specified number of minutes. One minute before a session times out (disconnects), the user receives an alert indicating that the session is about to close. If the session closes, the user must log on again.

The following time-out options are available.

  • Forced time-out. If you enable this setting, NetScaler Gateway disconnects the session after the timeout interval elapses regardless of what the user is doing. There is no action that the user can take to prevent the disconnection from occurring when the timeout interval elapses. This setting is enforced for users who connect with the Citrix Secure Access client, Citrix Workspace app, Secure Hub, or through a web browser. Minimum value is 1, and maximum value is 65535.
  • Session time-out. If you enable this setting, NetScaler Gateway disconnects the session if no network activity is detected for the specified interval. This setting is enforced for users who connect with the Citrix Secure Access client, Citrix Workspace app, Citrix Secure Hub, or through a web browser. The default timeout setting is 30 minutes. Minimum value is 1, and maximum value is 65535.
  • Idle session time-out. If you enable this setting, the Citrix Secure Access client terminates the session if there is no user activity, such as from the mouse, keyboard, or touch, for the specified interval. This setting is enforced for users who connect with the Citrix Secure Access client only. Minimum value is 1, and maximum value is 9999.

You can enable any of the timeout settings by entering a value between 1 and 65536 to specify the minutes for the time-out interval. If you enable more than one of these settings, the first time-out interval to elapse closes the user device connection.

You configure time-out settings by configuring global settings or by using a session profile. When you add the profile to a session policy, the policy is then bound to a user, group, or virtual server. When you configure the time-out settings globally, the settings are applied to all user sessions.

Note:

  • In Always On (service mode or user mode), the VPN client ignores all the timeouts. Forced timeout and session timeout decisions occur on the NetScaler appliance, and therefore those timeouts work as intended. If such a timeout occurs, the VPN plug-in tries to perform automatic authentication.

    In Always On, as the user device must be connected via the VPN tunnel all the time, do not configure forced timeout or client idle timeout. However, session timeout can be configured to get rid of stale sessions.

  • Some applications, such as Microsoft Outlook, automatically send network traffic probes to email servers without any user intervention. Citrix recommends that you configure Idle session time-out with session time-out to ensure that a session left unattended on a user device times out in a reasonable time.
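
The following added example (not part of the Citrix documentation) checks a saved configuration against the ranges and notes above, applying session profile values over the global ones. The option names (`-sessTimeout`, `-forcedTimeout`, `-clientIdleTimeout`), the `ns.conf` line shapes, the profile names, and the `always_on` flag are assumptions, not taken from this page.

```python
import re

# Ranges in minutes, as documented on this page.
LIMITS = {"forcedTimeout": (1, 65535), "sessTimeout": (1, 65535),
          "clientIdleTimeout": (1, 9999)}
# Assumed ns.conf line shapes: global settings and session profiles.
SCOPE = re.compile(r"^(?:set vpn parameter|add vpn sessionAction (\S+))\s+(.*)$")
OPTION = re.compile(r"-(%s)\s+(\d+)" % "|".join(LIMITS))

# Constructed sample configuration (not taken from a real appliance).
SAMPLE = """\
set vpn parameter -sessTimeout 60 -forcedTimeout 480 -forcedTimeoutWarning 10
add vpn sessionAction prof_contractors -sessTimeout 15 -clientIdleTimeout 10
add vpn sessionAction prof_kiosk -clientIdleTimeout 20000
"""

def parse(conf_text):
    """Return {scope: {option: minutes}}; scope is 'global' or a profile name."""
    scopes = {}
    for line in conf_text.splitlines():
        m = SCOPE.match(line.strip())
        if m:
            opts = scopes.setdefault(m.group(1) or "global", {})
            opts.update((k, int(v)) for k, v in OPTION.findall(m.group(2)))
    return scopes

def audit(conf_text, always_on=False):
    """Return (scope, finding) pairs; profile values override global ones."""
    scopes = parse(conf_text)
    base = {"sessTimeout": 30, **scopes.pop("global", {})}  # page: default 30
    findings = []
    for name, overrides in [("global", {})] + sorted(scopes.items()):
        eff = {**base, **overrides}
        for opt, minutes in eff.items():
            lo, hi = LIMITS[opt]
            if not lo <= minutes <= hi:
                findings.append((name, f"{opt}={minutes} outside {lo}-{hi}"))
        if always_on and {"forcedTimeout", "clientIdleTimeout"} & eff.keys():
            findings.append((name, "Always On: forced/idle time-out is set"))
        elif not always_on and "clientIdleTimeout" not in eff:
            findings.append((name, "session time-out without idle time-out"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```
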

Configure forced time-outs

A forced time-out disconnects the Citrix Secure Access client automatically after a specified amount of time. You can configure a forced time-out globally or as part of a session policy.

Configure a global forced time-out

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Network Configuration tab, click Advanced Settings.
  4. In Forced Time-out (mins), type the number of minutes users can stay connected.
  5. In Forced Time-out Warning (mins), type the number of minutes before users are warned that the connection is due to be disconnected and then click OK.

Configure a forced time-out within a session policy

If you want to have further control over who receives the forced time-out, create a session policy and then apply the policy to a user or group.

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the details pane, click Add.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In Name, type a name for the profile.
  6. On the Network Configuration tab, click Advanced.
  7. Under Timeouts, click Override Global and in Forced Time-out (mins) type the number of minutes users can stay connected.
  8. Next to Forced Time-out Warning (mins), click Override Global and type the number of minutes before users are warned that the connection is due to be disconnected. Click OK twice.
  9. In the Create Session Policy dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.

Configure session or idle time-outs

You can use the NetScaler GUI to configure session and client time-out settings globally or to create a session policy. When you create a session policy and profile, set the expression to True.

Note:

If you do not explicitly override the global setting and set the session timeout in Client Experience > Session Time-out (mins), this can result in authentication loops that require relogin. This occurs even with the default session time-out of 30 minutes.

To configure a session or client idle time-out globally by using the GUI

  1. On the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change global settings.
  3. On the Client Experience tab, do one or both of the following:
    • In Session Time-out (mins), type the number of minutes.
    • In Client Idle Time-out (mins), type the number of minutes and then click OK.

To configure session or client idle time-out settings in a session policy by using the GUI

  1. On the Configuration tab, in the navigation pane, expand NetScaler Gateway > Policies and then click Session.
  2. In the NetScaler Gateway Session Policies and Profiles page, click Session Profiles, and then click Add.
  3. In Name, type a name for the profile.
  4. On the Client Experience tab, do one or both of the following:
    • Next to Session Time-out (mins), click Override Global and then type the number of minutes and then click Create.
    • Next to Client Idle Time-out (mins), click Override Global, type the number of minutes and then click Create.
  5. In the NetScaler Gateway Session Policies and Profiles page, click Session Policies, and then click Add.
  6. In Create NetScaler Gateway Session Policy, do the following:
    • In Name, enter the name for the policy.
    • In Profile, select the profile that specifies the action to be applied by the new session policy if the rule criteria are met.
    • Select Advanced policy.
    • In the Expression field, add your expression or the name of a named expression, specifying the traffic that matches the policy.
    • Click Create, and then click Close.