XenMobile timeouts: how they function

Before we get too far into it, you may be wondering how this article will be different from some of the other articles that are out there on XenMobile timeouts.

Fair question, and I'm glad you asked!

Articles that explain how the different NetScaler / MDX timeouts work, and one by my colleague Albert on how the inactivity timer works, have been out for a while. These articles set out to explain what each timeout is doing and where it is configured.

In my (admittedly biased) opinion, they did a great job of just that. If you have not read these articles yet, now is the time. To answer the question we started with, I will try not to explain how these timeouts work. You already know that because you have already read those articles, right?

Instead, we want to focus on why we would configure them one way or another to get the balance between usability and security that we have to

DISCLAIMER: The values we arrive at are meant to be examples and starting points for discussion. Every environment is unique and has different security requirements. Before production deployment, you may need to adjust these values based on environment-specific application and security requirements, and (of course) all configuration changes should be tested in a non-production environment.

Now to the good stuff. Let us forget the timeouts for a second and look at an example of the desired user experience. After all, these timeouts exist only to tune user experience with security in mind (or to enforce security lockdowns with user experience in mind, depending on who you ask :)).

Example: "I want my users to have as seamless a WorxMail email experience as possible. My security guy said that if they do not use their company apps for 15 minutes, we want them to be prompted for some type of credentials, so let's do that. I want to enable offline access to the material where that makes sense, but not forever, only for the 'right' amount of time. I do not really care what happens to my users' authentication experience when, for example, they want to access the WorxStore. They do not go there too often during the day. Oh, and WorxWeb, which is great for us. When a user opens it, I definitely want that to be easy for them. Last thing: if we push updates to policies and applications, I do not want it to be more than one business day before that propagates to our end users, to keep things manageable."

Believe it or not, from just that brief "conversation" we have most of what we need to make decisions. From this information, we would probably land on something like the following (and no, no dart throwing was involved):

App passcode: On

Online session required: Off

Inactivity timer: 15 minutes

Max offline period: 8 hours

Background services ticket expiration (WorxMail): > 8 hours

NetScaler session timeout: > 480 minutes (8 hours)

NetScaler forced timeout: N/A

So, how do we get to these values?

Let us break it down. First, the "customer" asked for a WorxMail experience that is as seamless as possible. To do this, we want our "background services ticket expiration" value to be greater than (or at least equal to) our "max offline period". The reason is that when the max offline period expires, the user is forced to perform an "online authentication" against the NetScaler Gateway. This renews both their STA (background services) ticket and the NetScaler session cookie. As long as the user has a valid STA ticket, they should keep getting email. PS: if you are not familiar with WorxMail and STA, this is a must-read.

That still does not answer how we landed on 8 hours for the "max offline period", does it?

Well, admittedly, that comes in three parts. We wanted to allow offline access for "just the right amount of time." That is about as subjective as data comes, but not if we base it on what a mobile user might do. I fly a lot. That is when offline time is crucial for me. If I am on a plane, I want to be able to read the emails I have already downloaded, view cached browser pages, notes, etc., even if my flight does not have WiFi. But most domestic flights are not 8 hours long, and I promised that we did not throw darts to come up with these numbers. We ended up at 8 hours because "if we push app and policy updates, we do not want it to be more than a business day" before the change reaches the end user. About 8 hours is a fairly typical workday, and part of what WorxHome does during the online authentication (forced when the max offline period is up) is check with the back end to see if there are MDX policy updates and/or application updates.

Now for the NetScaler session timeout. For those of us who are fans of wizards (myself included), we will concentrate on the _OS and _WB session policies / profiles that the wizard creates. We have actually already covered this one. We want this value to be greater than or equal to the max offline period, because as long as I have a valid NetScaler session, my WorxWeb (or any other app that uses mVPN) experience should be relatively seamless. I will be asked for a credential based on inactivity, but once I am through that, I am on my way. We do not want to make the session timeout unnecessarily large, because it can affect memory usage on the NetScaler side.

At this point, all that is left to the imagination is the forced timeout. In a high-security environment, where we want to actively end the NetScaler session at a specified interval, this setting is very useful. In your average deployment, on the other hand, it is a setting that is often forgotten when adjustments are made, and it adds complexity that is often not necessary.

Last, but not least, the "App passcode" setting is really what determines whether MDX timeout settings such as the inactivity timer apply to the specific application in question.

Something like the above is where our "balanced" customers usually land. We would at least be in the ballpark. But what about the ends of the spectrum? We have some customers who are extremely security conscious and others that are 100% driven by the user experience. Here are two examples of how these policies might look. The decision points would be no different than the ones we walked through before; only the input data changes.

Security driven:

App passcode: On

Online session required: Off

inactivity timer: 10 minutes

Max offline period: 1 hour

background services ticket expiration (WorxMail):> 1 hour

NetScaler session timeout:> 60 minutes (1 hour)

NetScaler forced timeout: 60 minutes (1 hour)

Workflow driven:

App passcode: Off

online session Required: Off

inactivity timer: N / A

Max offline period: 168 hours

background services ticket expiration (WorxMail): > 168 hours (7 days)

NetScaler session timeout:> 10,080 minutes (7 days)

NetScaler forced timeout: N / A

In summary, there is really no right or wrong answer when it comes to how these settings are adjusted. We want to be sure that the max offline period is shorter than the background services ticket expiration and the NetScaler Gateway session timeout. We also want to be sure the timeouts map to user experience requirements, administrative requirements and security requirements. From there, a few rounds of testing and feedback should get you to where you want to be: a predictable and consistent user experience.

If you have questions or would like to share timeout settings that have worked for you, feel free to drop me a note below. Happy mobilizing!
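The relationships summarized above can be checked mechanically before a profile goes to testing. The following is an added example, not part of the original post or any Citrix tooling: the field names and finding labels are hypothetical, the three named profiles use the article's values (with "> N" entries entered at their lower bound), and the "drifted" profile is constructed to show what happens when the offline period is raised on its own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TimeoutProfile:
    # Field names are hypothetical; None stands for "N/A".
    name: str
    app_passcode: bool
    inactivity_timer_min: Optional[int]
    max_offline_hours: int
    sta_ticket_hours: int            # background services ticket expiration
    ns_session_timeout_min: int
    ns_forced_timeout_min: Optional[int]

def check(p: TimeoutProfile, max_update_delay_hours: Optional[int] = None) -> list:
    """Return the relationships from the article that the profile breaks."""
    findings = []
    offline_min = p.max_offline_hours * 60
    # Ticket must outlive the offline period or background mail sync stops.
    if p.sta_ticket_hours * 60 < offline_min:
        findings.append("sta-ticket-shorter-than-max-offline")
    # Session must outlive the offline period or mVPN apps prompt early.
    if p.ns_session_timeout_min < offline_min:
        findings.append("ns-session-shorter-than-max-offline")
    # Inference from the article: a forced timeout ends the session regardless.
    if p.ns_forced_timeout_min is not None and p.ns_forced_timeout_min < offline_min:
        findings.append("forced-timeout-shorter-than-max-offline")
    # App passcode decides whether the inactivity timer applies at all.
    if p.inactivity_timer_min is not None and not p.app_passcode:
        findings.append("inactivity-timer-set-but-app-passcode-off")
    # Policy/app updates are picked up at the forced online authentication.
    if max_update_delay_hours is not None and p.max_offline_hours > max_update_delay_hours:
        findings.append("updates-may-lag-beyond-target")
    return findings

# The article's three profiles; "> N" entries are entered at their lower bound.
BALANCED = TimeoutProfile("balanced", True, 15, 8, 8, 480, None)
SECURITY = TimeoutProfile("security driven", True, 10, 1, 1, 60, 60)
WORKFLOW = TimeoutProfile("workflow driven", False, None, 168, 168, 10080, None)
# Constructed misconfiguration: offline period raised without the other values.
DRIFTED = TimeoutProfile("drifted", False, 15, 24, 8, 480, 60)

if __name__ == "__main__":
    for prof in (BALANCED, SECURITY, WORKFLOW, DRIFTED):
        print(prof.name, check(prof, max_update_delay_hours=8))
```

With an 8-hour update target, the workflow-driven profile is internally consistent but reports that updates may lag, which is the trade-off that profile accepts.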

Ryan McClure
Architect | Citrix Consulting
