How to use Forcedtimeout option for Traffic Management session on NetScaler

Article ID: CTX216556

Description

This article provides information on one of the logout mechanisms that NetScaler offers, called “Forcedtimeout”, its usage and its underlying configuration.

Use case and Solution

NetScaler offers multiple ways to time out a user session.

You can configure idleTimeout in “tm session policies/actions” so that if a user is idle for a certain period, the session is removed.
You can also configure an on-demand logout based on a traffic policy, so that when a user hits a certain page on the backend, NetScaler removes the session (after serving that logout page).

These approaches address the majority of logout cases. However, some applications generate background traffic for monitoring, so NetScaler does not remove the session for those applications in a timely fashion, because it assumes the traffic is active. One such application is OWA. OWA is a peculiar application that opens a number of TCP connections to keep the session alive. Today in NetScaler, when the timer fires, it sees that there are still active connections and therefore tries again after a few minutes. Since OWA does not close these monitoring connections, the session keeps being prolonged.
Therefore, some more configuration is required to log a user out of applications such as OWA, essentially to tell NetScaler what those monitoring sessions are.

It is because of the monitoring/keepalive messages from OWA that when a user tries to open the application in another tab, it still opens without asking for the user credentials again.

For such applications, and also for cases where an administrator wants to remove a user session regardless of user activity, one can configure the logout mechanism “forcedTimeout” so that a session lives up to a maximum specified time regardless of activity. This forced timer can be reset if needed. Otherwise, once started, it will remove the session after the stipulated time.

Configuration

Two new parameters are introduced in the traffic action, namely ForcedTimeout and ForcedTimeoutVal, as shown below.
 
Usage: add tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF )
        [-formSSOAction <string>]] [-persistentCookie ( ON | OFF )]
        [-InitiateLogout ( ON | OFF )] [-kcdAccount <string>]
        [-samlSSOProfile <string>] [-forcedTimeout <forcedTimeout>
        -forcedTimeoutVal <mins> ]

ForcedTimeoutVal is the number of minutes to which the forced timer is set. The ForcedTimeout argument itself can take three values: START, STOP and RESET. These options are explained below:

START: When a timer is not already started, START can be used to start it. However, once a timer is STARTed at a timestamp t1, another START at a later timestamp t2 is a NOOP. This means that once a timer is started, another START on that timer is ignored.

STOP: This option can be used to stop an already running timer. This means that if the administrator has started a timer in the past, he can stop it based on another traffic pattern.

RESET: This option can be used to START or RESET a timer. If the timer is not already running, this option starts it. If the timer is already running, this option stops the timer and starts it again.
One of the differences between START and RESET is that once a timer is started, START does not result in another start.
 
The traffic action above needs to be referenced in a traffic policy, which in turn needs to be bound to the TM vserver.
add tm trafficPolicy <name> <rule> <action>
bind lb vserver lbhttp -policyName <name> -priority <number>

Example Configuration

With the rule set to “true”, as below, NetScaler registers a timer after the user session is created, and when the timer expires (2 minutes here), the session is killed regardless of user activity.
 
add tm trafficAction trafficact -SSO ON -forcedTimeout START -forcedTimeoutVal 2
add tm trafficPolicy trafficpol true trafficact
bind lb vs lbowa -policy trafficpol -priority 1

 
With the rule set to "HTTP.REQ.URL.CONTAINS(\"UA=0\")" in the example below, after the session is created, the timer starts as soon as there is a traffic pattern matching “UA=0”. This pattern matches the keepalives from the OWA application; therefore, as soon as this traffic pattern is matched, NetScaler will log the user out of the application.
 
add tm trafficAction trafficact1 -SSO ON -forcedTimeout START -forcedTimeoutVal 2
add tm trafficPolicy trafficpol1 "HTTP.REQ.URL.CONTAINS(\"UA=0\")" trafficact1
bind lb vs lbowa -policy trafficpol1 -priority 1
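
The following is an added example, not code from this article or from NetScaler: a small Python model of the START/STOP/RESET semantics described above, run against constructed keepalive traffic with the 2-minute value from the example configuration. The class and function names, the URLs and the one-keepalive-per-minute rate are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ForcedTimer:
    """Model of the article's START/STOP/RESET semantics (not NetScaler code)."""
    deadline: Optional[int] = None  # minute the timer fires; None = not running

    def apply(self, option: str, now: int, timeout_val: int) -> None:
        if option == "START":
            if self.deadline is None:   # START on a running timer is a no-op
                self.deadline = now + timeout_val
        elif option == "RESET":         # start, or stop and start again
            self.deadline = now + timeout_val
        elif option == "STOP":
            self.deadline = None
        else:
            raise ValueError(f"unknown forcedTimeout option: {option}")


def session_end(requests: List[Tuple[int, str]], rule: Callable[[str], bool],
                option: str, timeout_val: int, horizon: int) -> Optional[int]:
    """Minute at which the session is force-removed, or None if it is
    still alive at `horizon`. `rule` stands in for the traffic policy rule."""
    timer = ForcedTimer()
    for minute, url in requests:
        if timer.deadline is not None and minute >= timer.deadline:
            return timer.deadline       # timer fired before this request
        if rule(url):
            timer.apply(option, minute, timeout_val)
    if timer.deadline is not None and timer.deadline <= horizon:
        return timer.deadline
    return None


# Constructed traffic: login at minute 0, then a keepalive every minute.
TRAFFIC = [(0, "/owa/")] + [(m, "/owa/keepalive?UA=0") for m in range(1, 11)]
is_keepalive = lambda url: "UA=0" in url

if __name__ == "__main__":
    print("rule true, START :", session_end(TRAFFIC, lambda u: True, "START", 2, 10))
    print("UA=0 rule, START :", session_end(TRAFFIC, is_keepalive, "START", 2, 10))
    print("UA=0 rule, RESET :", session_end(TRAFFIC, is_keepalive, "RESET", 2, 10))
```

In this model, RESET on a rule that matches every keepalive keeps postponing the deadline for as long as keepalives arrive, whereas START fixes the deadline at the first match.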