For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeroen_131594's avatar
Jeroen_131594
Icon for Nimbostratus rankNimbostratus
Jan 11, 2016

Locking webtop, while continuing session

Hi,

 

Is it possible to lock the webtop after say 30 minutes, while continuing to use the session already created to the VMware Horizon and/or Citrix Farms ? If you would need to use the webstop after those 30 minutes you would have to re-authenticate on the webtop, but not losing or changing your session ID.

 

Thanks Regards Jeroen

 

BIG-IP Access Policy Manager (APM)
security

4 Replies

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Jan 11, 2016

    From APM's perspective, you can simply adjust the idle timeout to > 30 mins. Unfortunately APM don't have timeout control over:

     Horizon View Client
 VMWare Server
 Citrix Presentation Server
 Citrix Receiver Client

    So these things may have their own timeouts that must be adjusted for your whole use case to work. Your best bet is to perform some testing around it to see what works.

    • Inet_Team's avatar
      Inet_Team
      Icon for Nimbostratus rankNimbostratus
      Jan 13, 2016
      That would mean that a client needs to be idle. What I want/need is that the webtop needs a re-auth after a certain time. But without losing your session. So imagine you are logged in on the APM webtop at 9:00 and started your vmware sessions, 15 min later you need a citrix connection, Go back to the webtop and I would like that the user would have to do at least a partial re-auth to be able to start something new from the webtop. Without losing the current session to vmware. See it as a lock-screen, a screensaver if you will Is that possible ?
    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account
      Jan 13, 2016
      There is a reauthentication timeout function but it doesn't work how you describe. If the user is idle, the session is expired and if the reauth timeout is exceeded, same thing. As a gateway device, The headroom required to store a lot of idle user data like this would be too expensive. It sounds like what you said, a basic lock screen on the workstation which is usually implemented as a group policy setting on a managed PC.
    • Jeroen_131594's avatar
      Jeroen_131594
      Icon for Nimbostratus rankNimbostratus
      Jan 13, 2016
      For example : User connected to APM and VDI session VDI session will go into screensaver/lock mode within 5 min of no activity. But... by just closing the VDI session (either HTML5 or the Horizon client) and restarting it from the webtop will relogin and the desktop is accessible again. It is not idle user data, the user has a viable session to anything. It's just the APM webtop that needs a lock/screensaver mode. It should still invalidate the session after the max time allowed, even when used. But a function to require re-authentication for using the webtop after let's say 5 mins after the last click would be something making the webtop a lot more secure.