APM Citrix tidy session termination
Hi,
I have used the f5.citrix_xenapp_xendesktop.2012_06_27 iApp to migrate remote access to our Citrix XenApp and XenDesktop environment through F5's running APM and 11.3 HF6. We have kept the Citrix Web Interface in place as the business had already invested in the Storefront upgrade (I initially was connecting to Web Interface but the Storefront upgrade has now been rolled out).
I am confused about how the iApp achieves a tidy close down of a remote session. Obviously there is an iRule that looks for a URI to be passed back from the Web Interface \ Storefront that contains "loggedout". I am fine with the mechanics of how this works, but what I am confused about is that this doesn't seem the most intuitive way of doing things. Also, Storefront does not redirect to a URI that contains "loggedout"; it just dynamically changes the web page to say "logged out" in the body of the page.
The reason I think this is not intuitive is that we had a 20 minute timeout on our Web Interface, i.e. you get redirected to the "loggedout" URI after 20 minutes... so if you had a remote desktop session running but idle you get thrown off after 20 minutes. Our Citrix session idle timeout is 3 hours... so OK, fine, change the timeout on Web Interface to be 3 hours... but isn't this a bit of a security risk? Somebody could be working on a public machine and close down their remote session but forget to log off from Web Interface.
The imperfect workaround I have in place at the moment is to reduce the inactivity timeout under the access policy to 60 seconds. This gives users enough time to select a remote session upon logon, the timeout gets constantly reset during their session, it also gives them enough time to log off from a session and select another one, and it is also sufficiently low that it doesn't matter whether they click logoff from Web-UI \ Storefront or close the browser... after 60 seconds the session is dead. The downside of this is that test users have noticed that they can click logoff but then immediately re-target the URL and get straight back in without authenticating, which obviously isn't great.
I am happy to hear if I am missing the point or something obvious; it just seems that the iRule to check for a URI that contains "loggedout" will not work for us. Also, as mentioned, I do not think this will work at all with Storefront.
Any advice greatly appreciated!