Forum Discussion

vinocalk's avatar
vinocalk
Icon for Nimbostratus rankNimbostratus
Nov 27, 2013

APM Citrix tidy session termination

Hi,

 

I have used the f5.citrix_xenapp_xendesktop.2012_06_27 iApp to migrate remote access to our Citrix Xenapp and Xendesktop environment through F5's running APM and 11.3 HF6. We have kept the Citrix Web Interface in place as the business had already invested in the Storefront upgrade (I initally was connecting to web interface but the Storefront upgrade has now been rolled out).

 

I am confused about how the iApp achieves a tidy close down of a remote session. Obviously there is an iRule that looks for a URI to be passed back from the web interface \ Storefront that contains "loggedout". I am fine with the mechanics of how this works but what I am confused about is that this doesnt seem the most intuitive way of doing things. Also Storefront does not redirect to a URI that contains "loggedout" it just dynamically changes the web page to say "logged out" in the body of the page.

 

The reason i think this is not intuitive is that we had a 20 minute timeout on our Web Interface - ie. you get redirected to the "loggedout" URI after 20 minutes....so if you had a remote desktop session running but idle you get thrown off after 20 minutes. Our citrix session idle timeout is 3 hours......so ok fine change the timeout on Web Interface to be 3 hours.....but isnt this a bit of a security risk?....somebody could be working on a public machine and close down their remote session but forget to logoff from Web Interface.

 

The imperfect workaround I have in place at the moment is to reduce the inactivity timeout under the access policy to 60 seconds. This gives users enough time to select a remote session upon logon, the timeout gets constantly reset during their session, it also gives them enough time to logoff from a session and select another one and also is sufficently low so that it doesnt matter whether they click logoff from Web-UI \ Storefront or close the browser...after 60 seconds the session is dead. The downside of this is that test users have noticed that they can click logoff but then immediately re-target the URL and get straight back in without authenticating which obviously isnt great.

 

I am happy to hear if I am missing the point or something obvious it just seems that the iRule to check for a URI that contains "loggedout" will not work for us. Also, as mentioned, I do not think this will work at all with Storefront.

 

Any advice greatly appreciated!

 

BIG-IP Access Policy Manager (APM)
citrix
deployment
security
storefront

15 Replies

Sort By
  • ipman_1988_5418's avatar
    ipman_1988_5418
    Icon for Nimbostratus rankNimbostratus
    Mar 23, 2015
    when ACCESS_ACL_ALLOWED {

    if {[string tolower [HTTP::uri]] eq "/citrix//authentication/logoff"} {

            table add "ctxloggedoutsessions_[ACCESS::session sid]" 1 28800 28800
    }
}

when HTTP_REQUEST {

set sessionstatus [table lookup "ctxloggedoutsessions_[ACCESS::session sid]"]

     if { $sessionstatus == 1 } {


            HTTP::respond 302 Location "https://www.yourcitrixapm.com/my.logout.php3"

            unset sessionstatus
            table delete "ctxloggedoutsessions_[ACCESS::session sid]"

    }

}
    • SLGizmo_219768's avatar
      SLGizmo_219768
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2016
      Does not work for me. If I wait for the 5 min timeout of the StoreFront page or I select Logoff from the StoreFront page it kills my running session. Sorry.
  • apm_user_138559's avatar
    apm_user_138559
    Icon for Nimbostratus rankNimbostratus
    Dec 17, 2013

    Hello Greg,

     

    And sorry for the late response. I changed my iRules in the old iApp, and then I got what I wanted, the timeout is controlled from the XenApp server.

     

    In regards to your questions in the end:

     

    I did create a new iApp instance. Several times.. As well - deleted it - and recreated. Got the same error all the time. As soon as I revert back to the older iApp the WI renders okay again.

     

  • Greg_Crosby_319's avatar
    Greg_Crosby_319
    Historic F5 Account
    Nov 29, 2013

    Yes, you can modify your existing iRule to whatever delay value you would like. However, it sounds like you want to modify the APM policies idle timeout value rather then the iRules delay timer. The only purpose of the irule is to terminate the users APM session when they log off the Citrix WEB server. In some cases, the behavior of the irule is not desired and can be removed. Check out the properties page of your access policy and you will note a 900 second idle timeout value, modify this value to match your web interface idle timeout value.

     

    It surprises me that you had trouble with the new iApp, did you apply the template to your existing iApp deployment or create a separate iApp instance?

     

  • apm_user_138559's avatar
    apm_user_138559
    Icon for Nimbostratus rankNimbostratus
    Nov 28, 2013

    Hi, I am in the same boat as vinocalc. Also I have tried the new iApp (1.1.0RC4), but I am unable to test it since when using that to NOT replace the Web INterface (I am using WI 5.4) The Web INterface page is blank after logging in.

     

    As soon as I revert back to the older iApp there is no problem showing the WI 5.4 interface - but then I don't have the possibility to change the timeout...

     

    But I could just check the iRule in the new iApp and then mimic that to the older iApp? Would that be possible?

     

  • Greg_Crosby_319's avatar
    Greg_Crosby_319
    Historic F5 Account
    Nov 27, 2013

    Hi Vinocalk,

     

    Their is a newer iApp on Devcentral that includes additional support for storefront, it will have the correct uri within the "logged out" irule that is generated by the iApp for when users log out of their storefront session. The iApp also gives you the option to not use the iRule to log users off their sessions if that is desired. The APM policy has a idle timeout value that will end idle session after a certain number of minutes, the iApp sets this value to 15 minutes and can be modified to whatever value meets your needs.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Nov 27, 2013

    Storefront always makes a request that ends with Logoff(i.e. /Citrix/Storeweb/Authentication/Logoff) - so you can easily modify the iRule to trap workd "Logoff" instead of "loggedout" and that should solve the issue for you.

     

    • vinocalk's avatar
      vinocalk
      Icon for Nimbostratus rankNimbostratus
      Nov 28, 2013
      Michael thanks again. Admittedly I did not dig too deep regarding the Storefront logoff. I have used Chrome Developer Tools and can see what you are talking about. Apologies. Also after the upgrade to Storefront from Web Interface I forgot to re-enable the iRule in question so in fact (after re-enabling it and testing more) my issue is the same with both Web Interface and Storefront. I have tested it again today so here is my issue again (I will try not to waffle this time I hope!): - The iapp deploys an irule that searches for "loggedout" in a URI and uses this to kill access sessions (irule below so we know we are talking about the same thing) - Our deployment of both web interface and strorefront has a 20 minute timeout so, as expected the URI is passed that contains "loggedout" (web interface) of "Logoff" (Storefront) after 20 minutes (I modified the irule for Storefront like you said) - When this happens my access session is killed and my Citrix remote desktop is obviously killed too. My testing today has proved that this is not just idle sessions but sessions that I am very much using! (apologies I previously intimated that it was just idle sessions that this happened too - that was obviously inaccurate of me - the irule logic is obviously not monitoring the idle state) - I need to work out another solution as this irule is obviously great for monitoring for when a user purposefully clicks logoff from Web Interface \ Storefront but is no good for the above reason. And I personally cannot work out how it is any good for anyone but maybe it is my set-up somewhere else that is at fault? the irule in question (URI modified for Storefront): when ACCESS_ACL_ALLOWED { if {[HTTP::uri] contains "Logoff" } { after 2000 { ACCESS::session remove} } }
    • Michael_Koyfma1's avatar
      Michael_Koyfma1
      Icon for Cirrus rankCirrus
      Nov 27, 2013
      Sorry, your second posts confuses me even more. :( How is the idle timeout related to the forceful session termination such as initiating a Logoff from the StoreFront interface? As to the second part of your message, Citrix is using iFrames in the StoreFront implementation, so you will not see the explicit call to that URI that I mentioned in my post - but it most certainly is being made - you can observe it using your favorite tool such as Fiddler/HTTPWatch/HTTPFox, etc.
    • vinocalk's avatar
      vinocalk
      Icon for Nimbostratus rankNimbostratus
      Nov 27, 2013
      Michael thank you for your response. As mentioned my main issue is that I do not think using the Storefront \ Web Interface logoff as the trigger that kills the F5 access session will work in our case as our policy on Storefront \ Web Interface idle timeout is only 20 minutes (also im sure that with our implementation when I click on "logout" on Storefront the URI does not change :-) ). Sorry if I waffled on a bit in my OP!
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Nov 27, 2013

    Storefront always makes a request that ends with Logoff(i.e. /Citrix/Storeweb/Authentication/Logoff) - so you can easily modify the iRule to trap workd "Logoff" instead of "loggedout" and that should solve the issue for you.

     

    • vinocalk's avatar
      vinocalk
      Icon for Nimbostratus rankNimbostratus
      Nov 28, 2013
      Michael thanks again. Admittedly I did not dig too deep regarding the Storefront logoff. I have used Chrome Developer Tools and can see what you are talking about. Apologies. Also after the upgrade to Storefront from Web Interface I forgot to re-enable the iRule in question so in fact (after re-enabling it and testing more) my issue is the same with both Web Interface and Storefront. I have tested it again today so here is my issue again (I will try not to waffle this time I hope!): - The iapp deploys an irule that searches for "loggedout" in a URI and uses this to kill access sessions (irule below so we know we are talking about the same thing) - Our deployment of both web interface and strorefront has a 20 minute timeout so, as expected the URI is passed that contains "loggedout" (web interface) of "Logoff" (Storefront) after 20 minutes (I modified the irule for Storefront like you said) - When this happens my access session is killed and my Citrix remote desktop is obviously killed too. My testing today has proved that this is not just idle sessions but sessions that I am very much using! (apologies I previously intimated that it was just idle sessions that this happened too - that was obviously inaccurate of me - the irule logic is obviously not monitoring the idle state) - I need to work out another solution as this irule is obviously great for monitoring for when a user purposefully clicks logoff from Web Interface \ Storefront but is no good for the above reason. And I personally cannot work out how it is any good for anyone but maybe it is my set-up somewhere else that is at fault? the irule in question (URI modified for Storefront): when ACCESS_ACL_ALLOWED { if {[HTTP::uri] contains "Logoff" } { after 2000 { ACCESS::session remove} } }
    • Michael_Koyfman's avatar
      Michael_Koyfman
      Icon for Cirrocumulus rankCirrocumulus
      Nov 27, 2013
      Sorry, your second posts confuses me even more. :( How is the idle timeout related to the forceful session termination such as initiating a Logoff from the StoreFront interface? As to the second part of your message, Citrix is using iFrames in the StoreFront implementation, so you will not see the explicit call to that URI that I mentioned in my post - but it most certainly is being made - you can observe it using your favorite tool such as Fiddler/HTTPWatch/HTTPFox, etc.
    • vinocalk's avatar
      vinocalk
      Icon for Nimbostratus rankNimbostratus
      Nov 27, 2013
      Michael thank you for your response. As mentioned my main issue is that I do not think using the Storefront \ Web Interface logoff as the trigger that kills the F5 access session will work in our case as our policy on Storefront \ Web Interface idle timeout is only 20 minutes (also im sure that with our implementation when I click on "logout" on Storefront the URI does not change :-) ). Sorry if I waffled on a bit in my OP!