CTX139600
XenMobile
XenMobile 8_6,XenMobile 8_7,XenMobile 9_0
Authentication,Configuration
2016-03-29
2014-12-03
This article provides information about tuning the timeout settings in XenMobile.

Information

This article provides information about tuning the timeout settings in XenMobile. Two configuration modes are provided:
  • The first is for a typical deployment in which user experience is critical and the user is not required to re-authenticate at frequent intervals.
  • The second configuration is for organizations that require the users to re-authenticate at a more frequent interval.

The following table provides Authentication Timeout Values for Optimal User Experience. These settings must be adjusted in a deployment for optimal user experience.

Table - 1

| Setting | Component | Default Setting | Recommended Setting |
|---|---|---|---|
| Session Time-out | NetScaler Gateway | 30 minutes | 10080 minutes (7 days) |
| Forced Time-out | NetScaler Gateway | Off | 10080 minutes (7 days) |
| Authentication | App Controller | Offline challenge only | Offline challenge only |
| Maximum offline period | App Controller | 72 hours (3 days) | 168 hours (7 days) |
| Reauthentication period | App Controller | 480 minutes (8 hours) | 1080 minutes (18 hours) |
| Background services ticket expiration | App Controller | 168 hours (7 days) | 168 hours (7 days) |

The following table provides Authentication Timeout Values for Frequent Re-authentication Requests. These settings must be adjusted in a deployment with more frequent re-authentication requests.

Table-2

| Setting | Component | Default Setting | Recommended Setting |
|---|---|---|---|
| Session Time-out | NetScaler Gateway | 30 minutes | 720 minutes (12 hours) |
| Forced Time-out | NetScaler Gateway | Off | 720 minutes (12 hours) |
| Authentication | App Controller | Offline challenge only | Offline challenge only |
| Maximum offline period | App Controller | 72 hours (3 days) | 72 hours (3 days) |
| Reauthentication period | App Controller | 480 minutes (8 hours) | 60 minutes (1 hour) |
| Background services ticket expiration | App Controller | 168 hours (7 days) | 168 hours (7 days) |

Authentication requirements are defined at the Application Layer and the Network Layer (that is, NetScaler). The application-level settings can be set per MDX application.

NetScaler Gateway – Session Time-out (minutes)

The NetScaler Gateway Session Profile controls the lifetime of the microVPN session.

When the mobile device connects to the NetScaler, Worx Home (or Receiver) tries to establish a TLS session with the NetScaler. This connection provides an authN token from the NetScaler to the mobile device when the user has successfully authenticated. The life of the authN token is managed by the Session Time-out setting. The following screen shot shows NetScaler Management Console > Configure NetScaler Gateway Session Profile > Session Time-out(mins).

Session Time-out setting

In this example, if the NetScaler has not seen any network traffic for more than 30 minutes, the NetScaler flushes that session from its memory. Therefore, the next time the device tries to establish a microVPN TLS session, the NetScaler will have no record of the session token that is provided by Worx Home (or Receiver) and the user is presented with an authentication prompt.

NetScaler Gateway – Forced Time-out (minutes)

The session timeout takes effect when the application is not continuously generating network traffic over microVPN. However, many applications constantly generate network chatter, which might cause the session to never time out. An example of this is the WorxMail mobile application: ActiveSync pings continue between WorxMail and the Exchange server over the microVPN session, so the session never times out. To force the user to authenticate even if the session has not timed out, use the Forced Time-out setting. This setting is available in the Session Profile/Network Configuration/Advanced Settings. When implementing this setting, it is important to consider using a high number, because the intent of this setting is to provide one final security safety net that forces all microVPN sessions from the device to disconnect. The following screen shot shows NetScaler Management Console – Configure NetScaler Gateway Session Profile – Forced Time-out(mins).

Session Profile/Network Configuration/Advanced Settings.
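
The interaction between Session Time-out and Forced Time-out described above, as an added example that is not part of the original Citrix article: a simplified Python model of when the gateway drops a microVPN session. The function name, the 15-minute ping interval and the timer semantics (idle timer measured from the last packet, forced timer measured from session start) are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the two gateway timers.
# It is not NetScaler code; names and timer semantics are assumptions.
from typing import Iterable, Optional


def session_end(traffic_minutes: Iterable[int],
                session_timeout: int,
                forced_timeout: Optional[int],
                horizon: int) -> Optional[int]:
    """Return the minute at which the session is dropped, or None if it
    is still alive at `horizon`. The session is established at minute 0.

    traffic_minutes: minutes at which the app sent traffic over microVPN
    session_timeout: idle limit in minutes (Session Time-out)
    forced_timeout:  absolute limit in minutes, None when set to Off
    """
    last_seen = 0
    for t in sorted(traffic_minutes):
        if t > horizon:
            break
        if forced_timeout is not None and t >= forced_timeout:
            break  # forced disconnect happened before this packet
        if t - last_seen > session_timeout:
            break  # idle timer expired before this packet arrived
        last_seen = t  # traffic resets the idle timer only

    end = last_seen + session_timeout
    if forced_timeout is not None:
        end = min(end, forced_timeout)
    return end if end <= horizon else None


if __name__ == "__main__":
    week = 10080  # minutes in 7 days
    # Constructed traffic: an app that pings every 15 minutes all week.
    chatty = range(15, week + 1, 15)
    # Constructed traffic: a device that goes quiet after minute 10.
    quiet = [5, 10]

    print("quiet,  30 min idle, forced Off :", session_end(quiet, 30, None, week))
    print("chatty, 30 min idle, forced Off :", session_end(chatty, 30, None, week))
    print("chatty, 30 min idle, forced 720 :", session_end(chatty, 30, 720, week))
```

With Forced Time-out set to Off, the chatty application keeps the session alive for the whole week; with a 720-minute Forced Time-out, the same traffic ends at minute 720.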

App Controller – Mobile Application Authentication Settings

If the Authentication value chosen is Offline challenge only, the value in the Maximum offline period field indicates how long the application can run in offline mode without the requirement for a network logon, and the Reauthentication period field indicates how often the user is presented with an authentication prompt. The following screen shot shows App Controller Management Console > Application Details > Authentication.

App Controller – Mobile Application Authentication Settings

If the application is configured as Offline challenge only, then the first prompt displays only the password to the user. If the application requires a microVPN session, then a second network logon prompt is displayed (because the NetScaler session policy might have lapsed as well).

App Controller – Mobile Application Settings

The Background services ticket expiration identifies the time period for which the Secure Ticket Authority (STA) ticket will remain valid. After expiration, a network logon is required to renew the ticket. The following screen shot shows App Controller Management Console > Application Details > Application Settings.

App Controller – Mobile Application Settings

Conclusion

Given the inter-dependencies between the multiple settings, the best configuration for user experience is to set a re-authentication period that matches or exceeds the offline use period, and to choose the offline challenge authentication type. The user can then continue to use the application without interruptions, and when the application needs to connect to the network, the microVPN session policy determines whether to display the authentication prompt to the user.
The value entered in this field should be from the Recommended Setting in Table-1 or Table-2 provided in this article; all other values are for example only.

Additional Resources

App Controller Policy Settings at a Glance
Setting App Policies on App Controller


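Special note

This article originates from Citrix.com; copyright in the translation belongs to the translator. If you repost it, please credit the source.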
