How to Limit One Session Per User on NetScaler Gateway?

Article ID: CTX218066

Description

This article describes how to limit one session per user on NetScaler Gateway.

Use case

An administrator wants to ensure that at any point in time a given user can only have one active session with NetScaler Gateway. Administrators can use a session policy or the global NetScaler Gateway settings to control whether or not intranet IP addresses are assigned during a user session. They can configure address pools by using a session policy in one of the following three ways:
  • Nospillover. When you configure address pools and the mapped IP address is not used, the Transfer Login page appears for users who have used all available intranet IP addresses.
  • Spillover. When you configure address pools and the mapped IP is used as an intranet IP address, the mapped IP address is used when an intranet IP address cannot be assigned.
  • Off. Address pools are not configured.

To achieve this use case (one session per user), administrators can set the IP address pool option to Nospillover. With this setting, when a user attempts to log in while a session (with an intranet IP, IIP, assigned) already exists for this user from another device, a Transfer Login page appears. This page allows users to replace their existing NetScaler Gateway session with a new session. The configuration instructions follow. Note that for the "Transfer Login" option to appear, you must also set "Use Mapped IP" to NS.


Instructions

A. From the NetScaler GUI

I. Log on to the NetScaler GUI and follow this path: Configuration tab -> NetScaler Gateway -> Virtual Servers.

II. Select the virtual server for which you want the client choices to be disabled and click Edit.

III. Scroll down to the Policies section and click Session Policy.

IV. Select the bound policy, click the Edit drop-down, and select Edit Profile.

V. Select Network Configuration tab, check the Advanced Settings check-box, and apply these 2 settings:

1. Select the Override Global check-box for the Mapped IP drop-down and set it to NS (this must be set even though the 'NOSPILLOVER' option means the mapped IP address is not used).
2. Select the Override Global check-box for the Intranet IP drop-down menu, select NOSPILLOVER, and click OK.


B. Alternative way from NetScaler GUI

I. Alternatively, edit the session profile from Configuration tab -> NetScaler Gateway -> Policies -> Session.

II. Select the Pencil icon next to Profile.

III. Apply the same settings as in step A.V above.

The session profile now has been modified.
 

C. From the CLI

I. Open a command-line terminal and log in to the NetScaler:
ssh nsroot@<NetScaler IP>

II. Run the following command:
set vpn sessionaction <sessionname> -useMIP NS -useIIP NOSPILLOVER
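
To check that every session profile ends up with the two settings above, the following added example (not part of the Citrix article or any Citrix tooling) audits configuration text for profiles whose effective useMIP/useIIP values differ from NS/NOSPILLOVER. It assumes the saved configuration records profiles as "add vpn sessionAction" / "set vpn sessionAction" lines and global settings as "set vpn parameter", and that a value not overridden in the profile falls back to the global one; the profile names and sample lines are constructed.

```python
import shlex

# Settings the article requires on the session profile (CLI step C.II).
REQUIRED = {"usemip": "NS", "useiip": "NOSPILLOVER"}

# Constructed sample lines in ns.conf style, not taken from a real appliance.
SAMPLE_CONFIG = """\
set vpn parameter -useMIP NS -useIIP SPILLOVER
add vpn sessionAction prof_single -useMIP NS -useIIP NOSPILLOVER
add vpn sessionAction prof_inherits -defaultAuthorizationAction ALLOW
add vpn sessionAction prof_off -useIIP OFF
set vpn sessionAction prof_off -useMIP NS
"""

def _options(tokens):
    """Collect '-name value' pairs, with option names lowercased."""
    return {tok[1:].lower(): tokens[i + 1]
            for i, tok in enumerate(tokens[:-1]) if tok.startswith("-")}

def audit_session_actions(config_text):
    """Map each non-compliant profile to its effective useMIP/useIIP values.

    Assumption: a value missing from the profile falls back to
    'set vpn parameter'; None means neither place sets it explicitly.
    """
    global_opts, profiles = {}, {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        head = [t.lower() for t in tokens[:3]]
        if head == ["set", "vpn", "parameter"]:
            global_opts.update(_options(tokens[3:]))
        elif head in (["add", "vpn", "sessionaction"],
                      ["set", "vpn", "sessionaction"]) and len(tokens) > 3:
            profiles.setdefault(tokens[3], {}).update(_options(tokens[4:]))
    findings = {}
    for name, opts in profiles.items():
        effective = {k: opts.get(k, global_opts.get(k)) for k in REQUIRED}
        if any((effective[k] or "").upper() != want
               for k, want in REQUIRED.items()):
            findings[name] = effective
    return findings

if __name__ == "__main__":
    for name, eff in audit_session_actions(SAMPLE_CONFIG).items():
        print(f"{name}: useMIP={eff['usemip']} useIIP={eff['useiip']}")
```

A profile reported with None for a setting has no explicit value in either place, so confirm it on the appliance before relying on it.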

 
