
Where do you configure the idle logoff timer for "Workspace app for Windows" when connecting through Netscaler Gateway?


Andy Vanderbeken

Question

I'm currently testing a new setup which uses Storefront 1906 + Netscaler Gateway (latest) + Workspace app for Windows 1905 that I just finished setting up.

I then configured -for testing and validation purposes- in Storefront that logons to this website should time out and log off 1 minute after no activity, as follows:

[screenshot]

When testing logging in from for instance a Chromebook from an external internet line through the Netscaler Gateway I validated successfully that I get the "logoff successful" page after 1 minute of inactivity, but when testing the same from a Windows 1905 app for Windows I cannot get authentication to pop up.

For the record, I'm aware that the Windows app never gives a "log off" message and that your apps and desktops remain visible, but -according to the documentation- I'm supposed to at least get the authentication pop-up to happen when clicking the app/desktop past the timeout.

No authentication pop-up happens. Instead the Workspace app for Windows reconnects to the existing (previously disconnected) Citrix session immediately, which is a potential security breach according to our company policy. I need to ensure that re-authentication is enforced whenever people -past the timeout- manually click the icon in Workspace app for Windows to start/reconnect Citrix apps and desktops.

8 answers to this question

  • 4

Update, solution and conclusion for future reference to all that it may concern or interest:

After more rigorous testing and searching I have found my remaining answers to enforce a strict security plan against session hijacking after a computer theft, for people connecting to your Citrix session from any possible external resources (Android, iPad, Windows laptops and computers, Chromebooks, ...). To summarize, there are 3 levels that can be controlled, of which 2 are essential and necessary as well as sufficient, while the third one can be considered optional as well as incomplete:

1. (essential) The actual Citrix HDX session (= the published desktop you are working in) needs to become automatically disconnected after X minutes of user inactivity. For this I found the only truly working -under all conditions- solution to be the Citrix policy "Server Idle Timer interval". Practically it means that regardless of which client device or way of connecting, remotely or internally, any Citrix session where no input has been detected for X minutes will be disconnected (but remains available for instant reconnecting after for instance a lunch break).

2. (essential) The Netscaler Gateway session (= the "validity lifetime" of your icons). This is essentially the period of time during which clicking the icon of your published application/desktop will reconnect to an existing HDX session or start a new HDX session, before the icon becomes considered 'expired' and immediately returns a re-authentication prompt instead. This timer value is set and defined in the Netscaler Gateway "Global Settings" section under the "Client Experience" tab in the "Session Time-out" field. By setting it there it will apply to all scenarios and sessions coming in through Netscaler Gateway. In other words, all external connections, where the risk is largest and control least. Internal connections go directly to the Storefront server and come from internal computers that are subject to policies where we have full control over these timers, so they are out of scope for this case.

Note that besides defining this timer at the "global settings" level you could consider instead defining it in the specific equivalent session profiles in case you want this restriction to only apply to specific scenarios, such as for instance connections coming from Workspace/Receiver apps (but not from logons through the website).

Note also that there is a random extra timer automatically being added to the timer you define, of up to a few minutes, due to the internal gateway working in mysterious ways. This is a big caveat and set me on the wrong foot, causing me to wrongfully conclude and dismiss this field as not-working-properly during my initial testing. For instance, if you define 1 minute and start testing by clicking the icon again after timing 60 seconds on your chronometer, you will see your setting does not take effect (yet) and reconnect still happens immediately without re-authentication. However, if you define 1 minute and wait 180 seconds on your chronometer, you will always get the authentication prompt as it should. So add 2 minutes at least when testing.

3. (optional) The Storefront "Receiver for Web site" session (= the "validity lifetime" of the website you are logging on to). This is essentially what causes the logged-on website to redirect itself to an empty page with the words "Your session has timed out due to inactivity" or "you have been logged off...". I consider this option partial or incomplete because, as opposed to the previous option, this one only applies to websites that people log on to, not to any of all the Workspace/Receiver app scenarios out there. More specifically, this option even only applies to a single exact Storefront website you set it for, while typically multiple will be needed in order to handle all scenarios. I consider this optional since even when you define this value up to infinity (or not at all, which means default = 20 minutes), the previously defined parameter, the Netscaler Gateway session Time-out defined above, will already be sufficient and complete in order to make sure that people clicking the visible icons will have to re-authenticate again.

[screenshot]

So using nr 1 and 2 alone I was able to enforce that -regardless of which device or connection or scenario- people are always forced to (re)authenticate after X minutes. This is handy in scenarios where for instance careless employees get their Chromebook stolen from the car, while a Chromebook typically allows the 'lucky finder' to immediately reconnect to and take over an existing Citrix session because of default Chromebook behaviour. I'm sure you can think of many other possible scenarios that will be considered a 'potential security leak' by your company policy. Screenshots below. Feel free to leave a comment or vote up if you find this solution useful.

[screenshot]

[screenshot]

  • Like 5
  • 1

Thanks for doing all the research and testing. Your findings are what I found as well, with the additional information about the "random extra timer" that I didn't know about. The biggest issue we have with the setting though is that number 2 is not an idle timer, but a hard timeout. It doesn't matter if the user clicks an icon during the time, they will be forced to re-authenticate at X minutes. There is no "inactivity" timer. It is better than nothing.

  • Like 1
  • 0

I am very interested in what you come up with in this testing. My testing has shown there isn't an "inactive" timeout for the full Workspace/Receiver app, and I have the same experience you have. Citrix support hasn't been much assistance here because they say that the full Receiver should only be used for internal use and thus be managed by the workstation lock and logout policies.

What I did come up with though is that in the Session Profile for full Workspace/Receiver there is a setting in the Network Configuration tab --> Advanced Settings for "Forced Timeout". This however will time out the session (at least in previous testing, it may have changed in newer releases...) at that specific number of minutes, regardless of activity.

I do, however, see a new setting after recent NetScaler upgrades for Forced Time Out Warning which hasn't been there previously, so they may have improved the functionality and I haven't tested it yet.

I am interested in hearing how things work for you in your testing. I will look for some time to test this again as well.

  • 0

Hey Dennis,

I had tried those already in fact. The new ones apply to the "Netscaler Gateway plugin", which is not the same, so they don't apply here. 3 tabs further you have the general "session timeout" timers. I had already tried all of those to no avail before posting here.

I'm going nuts on this little thing that seems so simple, yet I cannot get it to work. I do see however that if I wait long enough (or is it just random?), a re-authentication pop-up does in fact appear (for instance when waiting roughly 40 min), but definitely not in accordance with the Storefront timers I have set. Perhaps the Workspace for Windows app has a built-in timer (for instance default 20 min) that cannot be affected through Netscaler Gateway + Storefront (only through internal policies) in any way.

  • 0
12 minutes ago, Dennis Parker said:

Thanks for doing all the research and testing. Your findings are what I found as well, with the additional information about the "random extra timer" that I didn't know about. The biggest issue we have with the setting though is that number 2 is not an idle timer, but a hard timeout. It doesn't matter if the user clicks an icon during the time, they will be forced to re-authenticate at X minutes. There is no "inactivity" timer. It is better than nothing.

You are right. It is indeed a hard timer. The "after X minutes idle" timer should have been the option just below it, or at least I guess so, because I tested that one rigorously as well, but every time I tested -no matter how long I waited- the icons would simply immediately reconnect. In other words, this field does not seem to affect anything at all.

That being said, a hard timeout is fine for the Netscaler Gateway session since it's only a 1-time-hurdle-to-pass, while the actual Citrix HDX session itself can have many periods of user inactivity, so there we do need an idle timer that resets itself when the user continues. Luckily that specific policy provides just that.

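The three-level model from the solution post above, together with the point settled in this exchange (level 2 is a hard timeout counted from logon, level 1 is an idle timer that resets on user input, level 3 is an idle timer that only exists for browser logons), as an added Python model. This is example code written for this page, not code from the thread, from Citrix or from NetScaler; the field names, the outcome labels and the 2-minute slack value (taken from the "add 2 minutes at least when testing" observation) are this example's own assumptions, and it models behaviour described in the posts rather than reading any real configuration. It is useful for writing a test plan: it tells you at what point after logon a click should still reconnect, when the result is unreliable because of the extra gateway delay, and when the re-authentication prompt must appear.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class TimerConfig:
    """Timer values in minutes. Field names are this example's own, not Citrix setting names."""
    hdx_idle_minutes: float               # level 1: Citrix policy "Server Idle Timer interval" (idle, resets on input)
    gateway_session_minutes: float        # level 2: NetScaler Gateway "Session Time-out" (hard, counted from logon)
    gateway_extra_minutes: float = 2.0    # assumed slack before level 2 reliably takes effect (from the post)
    storefront_web_minutes: float = 20.0  # level 3: Receiver for Web session (idle, browser logons only; default 20)


@dataclass
class Event:
    t: float   # minutes since the Gateway logon
    kind: str  # "input" = keyboard/mouse inside the HDX session, "web" = activity on the StoreFront web page


def last_activity(events: List[Event], kind: str, now: float) -> float:
    """Time of the most recent event of `kind` at or before `now`; the logon itself (t=0) counts."""
    return max([e.t for e in events if e.kind == kind and e.t <= now], default=0.0)


def hdx_session_connected(cfg: TimerConfig, events: List[Event], now: float) -> bool:
    """Level 1: idle timer. The HDX session disconnects once no input has been seen
    for hdx_idle_minutes; any input resets the countdown."""
    return now - last_activity(events, "input", now) < cfg.hdx_idle_minutes


def web_session_active(cfg: TimerConfig, events: List[Event], now: float) -> bool:
    """Level 3: idle timer on the Receiver for Web page; resets on page activity."""
    return now - last_activity(events, "web", now) < cfg.storefront_web_minutes


def gateway_state(cfg: TimerConfig, now: float) -> str:
    """Level 2: hard timer measured from logon; icon clicks do not extend it.
    'valid'   -> within the configured Session Time-out
    'slack'   -> setting has elapsed, but the extra gateway delay may still allow a reconnect
    'expired' -> setting plus slack has elapsed, prompt is guaranteed"""
    if now < cfg.gateway_session_minutes:
        return "valid"
    if now < cfg.gateway_session_minutes + cfg.gateway_extra_minutes:
        return "slack"
    return "expired"


def icon_click_outcome(cfg: TimerConfig, events: List[Event], now: float,
                       client: str = "workspace_app") -> str:
    """Outcome of clicking a published app/desktop icon at `now`.
    client: "workspace_app" (native app) or "web" (browser logon through Receiver for Web)."""
    if client == "web" and not web_session_active(cfg, events, now):
        return "reauth"                   # level 3 fired: the web page logged itself off
    state = gateway_state(cfg, now)
    if state == "expired":
        return "reauth"                   # level 2 fired: re-authentication prompt
    if state == "slack":
        return "unreliable"               # may still reconnect silently; wait longer when testing
    if hdx_session_connected(cfg, events, now):
        return "reconnect_live"           # joins a still-connected HDX session, no prompt
    return "reconnect_disconnected"       # resumes a disconnected HDX session, no prompt


def minimum_test_wait(cfg: TimerConfig) -> float:
    """Minutes after logon a tester must wait before the level 2 prompt can be relied upon."""
    return cfg.gateway_session_minutes + cfg.gateway_extra_minutes


if __name__ == "__main__":
    # Constructed scenario: 10-minute HDX idle timer, 30-minute Gateway hard timeout,
    # user types at minute 8 and 15, touches the web page at minute 5.
    cfg = TimerConfig(hdx_idle_minutes=10, gateway_session_minutes=30)
    events = [Event(5, "web"), Event(8, "input"), Event(15, "input")]
    for t in (20, 26, 31, 32):
        print(f"t={t:>2} min: click -> {icon_click_outcome(cfg, events, t)}")
    print(f"wait at least {minimum_test_wait(cfg)} min before expecting the prompt")
```

The "unreliable" window is the trap the solution post describes: with a 1-minute Gateway timeout, a click at 60 seconds lands in the slack window and still reconnects, while a click at 180 seconds is past it and always prompts. Level 1 and level 2 are deliberately independent, which is why an HDX session can be disconnected by idle time long before the Gateway session expires, and why clicking the icon in between resumes it without a prompt.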
  • 0

@ftruyens1

Thank you for your time and efforts on the update. I'm in the same boat but still have no luck with the timeout of Citrix Workspace app. I took the nr.1 approach, and applying a GPO (decided not to use Studio) to the Storefront server did not have any effect, or I'm wrong to target the Storefront server.

In our case we have several HP t430 thin clients NOT part of a domain, so this is the only option to control inactivity of the Citrix Workspace.

I did try the guide here regarding the Citrix app but still no success: https://docs.citrix.com/en-us/storefront/current-release/manage-citrix-receiver-for-web-site/communication-timeout.html

Edited by ddimitr167
