
Session and traffic management

Session settings

After you configure your authentication, authorization, and auditing profiles, you configure session settings to customize your user sessions. The session settings are:

  • The session timeout.

    Controls the period after which the user is automatically disconnected and must authenticate again to access your intranet.

  • The default authorization setting.

    Determines whether the Citrix ADC appliance will by default allow or deny access to content for which there is no specific authorization policy. DENY is the fail-closed choice: a resource that no authorization policy covers stays unreachable until a policy explicitly allows it.

  • The single sign-on setting.

    Determines whether the Citrix ADC appliance will log users on to all web applications automatically after they authenticate, or will pass users to the web application logon page to authenticate for each application.

  • The credential index setting.

    Determines whether the Citrix ADC appliance uses the primary or the secondary authentication credentials for single sign-on.

To configure the session settings, you can take one of two approaches. If you want different settings for different user accounts or groups, you create a profile for each user account or group for which you want to configure custom session settings. You also create policies to select the connections to which to apply particular profiles, and you bind the policies to users or groups. You can also bind a policy to the authentication virtual server that handles the traffic to which you want to apply the profile.

If you want the same settings for all sessions, or if you want to customize the default settings for sessions that do not have specific profiles and policies configured, you can simply configure the global session settings.

Session profiles

To customize your user sessions, you first create a session profile. The session profile allows you to override global settings for any of the session parameters.

Note

The terms “session profile” and “session action” mean the same thing.

To create a session profile by using the command line interface

At the command prompt, type the following commands to create a session profile and verify the configuration:

add tm sessionAction <name> [-sessTimeout <mins>] [-defaultAuthorizationAction ( ALLOW | DENY )] [-SSO ( ON | OFF )] [-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain <string>] [-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]
show tm sessionAction <name>

Example

> add tm sessionAction session-profile -sessTimeout 30 -defaultAuthorizationAction ALLOW
Done
> show tm sessionAction session-profile
1) Name: session-profile
   Authorization action : ALLOW
   Session timeout: 30 minutes
Done

To modify a session profile by using the command line interface

At the command prompt, type the following commands to modify a session profile and verify the configuration:

set tm sessionAction <name> [-sessTimeout <mins>] [-defaultAuthorizationAction ( ALLOW | DENY )] [-SSO ( ON | OFF )] [-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain <string>] [-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]
show tm sessionAction <name>

Example

> set tm sessionAction session-profile -sessTimeout 30 -defaultAuthorizationAction ALLOW
Done
> show tm sessionAction session-profile
1) Name: session-profile
   Authorization action : ALLOW
   Session timeout: 30 minutes
Done

To remove a session profile by using the command line interface

At the command prompt, type the following command to remove a session profile:

rm tm sessionAction <name>

To configure session profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Session.
  2. In the details pane, click the Profiles tab.
  3. On the Profiles tab, do one of the following:
    • To create a new session profile, click Add.
    • To modify an existing session profile, select the profile, and then click Edit.
  4. In the Create TM Session Profile or Configure TM Session Profile dialog, type or select values for the parameters.
    • Name*—actionname (Cannot be changed for a previously configured session action.)
    • Session Time-out—sessTimeout
    • Single sign-on to Web Applications—SSO
    • Default Authorization Action—defaultAuthorizationAction
    • Credential Index—ssoCredential
    • Single Sign-on Domain—ssoDomain
    • HTTPOnly Cookie—httpOnlyCookie
    • Enable Persistent Cookie—persistentCookie
    • Persistent Cookie Validity—persistentCookieValidity
  5. Click Create or OK. The session profile that you created appears in the Session Policies and Profiles pane.

Session policies

After you create one or more session profiles, you create session policies and then bind the policies globally or to an authentication virtual server to put them into effect.

To create a session policy by using the command line interface

At the command prompt, type the following commands to create a session policy and verify the configuration:

add tm sessionPolicy <name> <rule> <action>
show tm sessionPolicy <name>

Example

> add tm sessionPolicy session-pol "URL == /*.gif" session-profile
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
   Rule: URL == '/*.gif'
   Action: session-profile
Done

To modify a session policy by using the command line interface

At the command prompt, type the following commands to modify a session policy and verify the configuration:

set tm sessionPolicy <name> [-rule <rule>] [-action <action>]
show tm sessionPolicy <name>

Example

> set tm sessionPolicy session-pol -rule "URL == /*.gif" -action session-profile
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
   Rule: URL == '/*.gif'
   Action: session-profile
Done

To globally bind a session policy by using the command line interface

At the command prompt, type the following commands to globally bind a session policy and verify the configuration:

bind tm global -policyName <name> [-priority <positive_integer>]
show tm sessionPolicy <name>

Example

> bind tm global -policyName session-pol
Done
> show tm sessionPolicy session-pol
1) Name: session-pol
   Rule: URL == '/*.gif'
   Action: session-profile
   Policy is bound to following entities
   1) TM GLOBAL PRIORITY : 0
Done

To bind a session policy to an authentication virtual server by using the command line interface

At the command prompt, type the following command to bind a session policy to an authentication virtual server and verify the configuration:

bind authentication vserver <name> -policy <name> [-priority <positive_integer>]

Example

> bind authentication vserver auth-vserver-1 -policy Session-Pol-1 -priority 1000
Done

To unbind a session policy from an authentication virtual server by using the command line interface

At the command prompt, type the following commands to unbind a session policy from an authentication virtual server and verify the configuration:

unbind authentication vserver <name> -policy <name>

Example

> unbind authentication vserver auth-vserver-1 -policy Session-Pol-1
Done

To unbind a globally bound session policy by using the command line interface

At the command prompt, type the following commands to unbind a globally bound session policy:

unbind tm global -policyName <name>

Example

> unbind tm global -policyName Session-Pol-1
Done

To remove a session policy by using the command line interface

First unbind the session policy from global or from any authentication virtual server, and then, at the command prompt, type the following command to remove the session policy:

rm tm sessionPolicy <name>

Example

> rm tm sessionPolicy Session-Pol-1
Done

To configure and bind session policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Session.
  2. In the details pane, on the Policies tab, do one of the following:
    • To create a new session policy, click Add.
    • To modify an existing session policy, select the policy, and then click Edit.
  3. In the Create Session Policy or Configure Session Policy dialog, type or select the values for the parameters.
    • Name*—policyname (Cannot be changed for a previously configured session policy.)
    • Request Profile*—actionname
    • Expression*—rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  4. Click Create or OK. The policy that you created appears in the details pane of the Session Policies and Profiles page.
  5. To globally bind a session policy, in the details pane, select Global Bindings from the Action drop-down list, and fill in the dialog.
    • Select the name of the session policy you want to globally bind.
    • Click OK.
  6. To bind a session policy to an authentication virtual server, in the navigation pane, click Virtual Servers, and add that policy to the policies list.
    • In the details pane, select the virtual server, and then click Edit.
    • In the Advanced Selections to the right of the detail area, click Policies.
    • Select a policy, or click the plus icon to add a policy.
    • In the Priority column to the left, modify the default priority to ensure that the policy is evaluated in the proper order (a lower priority number is evaluated first).
    • Click OK. A message appears in the status bar, stating that the policy has been configured successfully.

Global session settings

In addition to or instead of creating session profiles and policies, you can configure global session settings. These settings control the session configuration when there is no explicit policy overriding them.

To configure the session settings by using the command line interface

At the command prompt, type the following commands to configure the global session settings and verify the configuration:

set tm sessionParameter [-sessTimeout <mins>] [-defaultAuthorizationAction ( ALLOW | DENY )] [-SSO ( ON | OFF )] [-ssoCredential ( PRIMARY | SECONDARY )] [-ssoDomain <string>] [-httpOnlyCookie ( YES | NO )] [-persistentCookie ( ENABLED | DISABLED )] [-persistentCookieValidity <minutes>]
show tm sessionParameter

Example

> set tm sessionParameter -sessTimeout 30
Done
> set tm sessionParameter -defaultAuthorizationAction DENY
Done
> set tm sessionParameter -SSO ON
Done
> set tm sessionParameter -ssoCredential PRIMARY
Done

To configure the session settings by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic.
  2. In the details pane, under Settings, click Change global settings.
  3. In the Global Session Settings dialog, type or select values for the parameters.
    • Session Time-out—sessTimeout
    • Default Authorization Action—defaultAuthorizationAction
    • Single Sign-on to Web Applications—SSO
    • Credential Index—ssoCredential
    • Single Sign-on Domain—ssoDomain
    • HTTPOnly Cookie—httpOnlyCookie
    • Enable Persistent Cookie—persistentCookie
    • Persistent Cookie Validity (minutes)—persistentCookieValidity
    • Home Page—homePage
  4. Click OK.
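Whether you set them per profile or globally, these settings end up as set tm sessionParameter and add tm sessionAction lines in the running configuration, and a profile that leaves a parameter unset inherits the global value. The following Python script is an added example, not Citrix code: it parses a constructed sample of such lines, resolves each profile's effective settings against the global parameters, and flags the values a reviewer would question (a default authorization of ALLOW, session cookies without HttpOnly, long idle timeouts, persistent cookies). The object names, the sample lines and the 60-minute idle threshold are assumptions made for the example.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of the relevant running-configuration lines (not taken
# from a real appliance); the object names are illustrative.
SAMPLE_NS_CONF = """\
set tm sessionParameter -sessTimeout 30 -defaultAuthorizationAction ALLOW -SSO ON -httpOnlyCookie NO
add tm sessionAction sess-strict -sessTimeout 15 -defaultAuthorizationAction DENY -SSO ON -ssoCredential PRIMARY -httpOnlyCookie YES
add tm sessionAction sess-lax -sessTimeout 480 -persistentCookie ENABLED -persistentCookieValidity 1440
add tm sessionPolicy sess-pol-lax "HTTP.REQ.HOSTNAME.EQ(\\"legacy.example.com\\")" sess-lax
"""

MAX_IDLE_MINUTES = 60   # review threshold chosen for this example, not a Citrix default


@dataclass(frozen=True)
class Finding:
    obj_type: str
    name: str
    setting: str
    value: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, Dict[str, str]]]:
    """Split one 'add|set tm <type> [<name>] -flag value ...' line into
    (verb, type, name, flags); flag names are lower-cased for comparison."""
    tokens = shlex.split(line, posix=True)
    if len(tokens) < 3 or tokens[0] not in ("add", "set") or tokens[1] != "tm":
        return None
    verb, obj_type, rest = tokens[0], tokens[2], tokens[3:]
    name = "(global)"
    if obj_type != "sessionParameter":      # global parameters carry no object name
        if not rest:
            return None
        name, rest = rest[0], rest[1:]
    flags: Dict[str, str] = {}
    i = 0
    while i < len(rest):
        if rest[i].startswith("-") and i + 1 < len(rest):
            flags[rest[i][1:].lower()] = rest[i + 1]
            i += 2
        else:
            i += 1                          # positional arguments (policy rule/action) are skipped
    return verb, obj_type, name, flags


def audit_config(text: str) -> List[Finding]:
    """Return the questionable session settings found in `text`."""
    objects = [p for p in map(parse_line, text.splitlines()) if p]
    global_flags: Dict[str, str] = {}
    for _, obj_type, _, flags in objects:
        if obj_type == "sessionParameter":
            global_flags.update(flags)      # profiles inherit anything they do not set
    findings: List[Finding] = []
    for _, obj_type, name, flags in objects:
        if obj_type not in ("sessionAction", "sessionParameter"):
            continue
        effective = {**global_flags, **flags} if obj_type == "sessionAction" else flags

        def note(setting: str, reason: str) -> None:
            origin = "" if setting.lower() in flags else " (inherited from sessionParameter)"
            findings.append(Finding(obj_type, name, setting, effective[setting.lower()] + origin, reason))

        if effective.get("defaultauthorizationaction", "").upper() == "ALLOW":
            note("defaultAuthorizationAction", "content with no authorization policy is reachable; prefer DENY")
        if effective.get("httponlycookie", "").upper() == "NO":
            note("httpOnlyCookie", "session cookie is readable by page scripts")
        idle = effective.get("sesstimeout", "")
        if idle.isdigit() and int(idle) > MAX_IDLE_MINUTES:
            note("sessTimeout", f"idle timeout above {MAX_IDLE_MINUTES} minutes")
        if effective.get("persistentcookie", "").upper() == "ENABLED":
            validity = effective.get("persistentcookievalidity", "unset")
            note("persistentCookie", f"session outlives the browser (validity {validity} minutes)")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_NS_CONF):
        print(f"{f.obj_type} {f.name}: {f.setting}={f.value}: {f.reason}")
```

Feed it the tm session lines of show ns runningConfig from an appliance. Note that the sess-lax profile is reported for ALLOW and for a non-HttpOnly cookie even though it sets neither: those come from the global parameters, which is why a hardened profile must override every global value it does not trust.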

Traffic settings

If you use forms-based or SAML single sign-on (SSO) for your protected applications, you configure that feature in the Traffic settings. SSO enables your users to log on once to access all protected applications, rather than requiring them to log on separately to access each one.

Forms-based SSO allows you to use a web form of your own design as the sign-on method instead of a generic pop-up window. You can therefore put your company logo and other information you might want your users to see on the logon form. SAML SSO allows you to configure one Citrix ADC appliance or virtual appliance instance to authenticate to another Citrix ADC appliance on behalf of users who have authenticated with the first appliance.

To configure either type of SSO, you first create a forms or SAML SSO profile. Next, you create a traffic profile and link it to the SSO profile you created. Next, you create a policy, link it to the traffic profile. Finally, you bind the policy globally or to an authentication virtual server to put your configuration into effect.

Traffic profiles

After creating at least one form SSO or SAML SSO profile, you next create a traffic profile.

Note:

In this feature, the terms “profile” and “action” mean the same thing.

To create a traffic profile by using the command line interface

At the command prompt, type:

add tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF ) [-formSSOAction <string>] [-samlSSOAction <string>]] [-persistentCookie ( ENABLED | DISABLED )] [-InitiateLogout ( ON | OFF )]

Example

add tm trafficAction Traffic-Prof-1 -appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1

To modify a traffic profile by using the command line interface

At the command prompt, type:

set tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF ) [-formSSOAction <string>] [-samlSSOAction <string>]] [-persistentCookie ( ENABLED | DISABLED )] [-InitiateLogout ( ON | OFF )]

Example

set tm trafficAction Traffic-Prof-1 -appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1

To remove a traffic profile by using the command line interface

At the command prompt, type:

rm tm trafficAction <name>

Example

rm tm trafficAction Traffic-Prof-1 

To configure traffic profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, click the Profiles tab.
  3. On the Profiles tab, do one of the following:
    • To create a new traffic profile, click Add.
    • To modify an existing traffic profile, select the profile, and then click Edit.
  4. In the Create Traffic Profile or Configure Traffic Profile dialog box, specify values for the parameters.
    • Name*—name (Cannot be changed for a previously configured traffic profile.)
    • AppTimeout—appTimeout
    • Single Sign-On—SSO
    • Form SSO Action—formSSOAction
    • SAML SSO Action—samlSSOAction
    • Enable Persistent Cookie—persistentCookie
    • Initiate Logout—InitiateLogout
  5. Click Create or OK. The traffic profile that you created appears in the Traffic Policies, Profiles, and either the Form SSO Profiles or SAML SSO Profiles pane, as appropriate.

Support for AAA.USER and AAA.LOGIN expressions

The AAA.USER expression replaces the existing HTTP.REQ.USER expressions. Unlike HTTP.REQ.USER, AAA.USER also applies to non-HTTP traffic, such as the Secure Web Gateway (SWG) and the role-based access (RBA) mechanism. The AAA.USER expressions are otherwise equivalent to the HTTP.REQ.USER expressions.

You can use the expression at various actions or profiles configuration.

At the command prompt, type:

add tm trafficAction <name> [-SSO ( ON | OFF )] [-userExpression <expression>] [-passwdExpression <expression>]

Example

add tm trafficAction tm_act -SSO ON -userExpression "AAA.USER.NAME" -passwdExpression "AAA.USER.PASSWD"
add tm trafficPolicy tm_pol true tm_act
bind lb vserver lb1 -policyName tm_pol -priority 2

Note:

If you use HTTP.REQ.USER expression, a warning message “HTTP.REQ.USER has been deprecated. Use AAA.USER instead” appears on the command prompt.

  • AAA.LOGIN expression. The LOGIN expression represents the pre-login stage, also known as the login request. The login request can come from Citrix Gateway, a SAML IdP, or OAuth authentication. The Citrix ADC extracts the required attributes according to the policy configuration. The AAA.LOGIN expression exposes the following attributes:
    • AAA.LOGIN.USERNAME. The user name (if found) is fetched from the current login request. The same expression applied to a non-login request (as determined by the authentication, authorization, and auditing module) results in an empty string.
    • AAA.LOGIN.PASSWORD. The user password (if found) is fetched from the current login request. The expression results in an empty string if the password is not found.
    • AAA.LOGIN.PASSWORD2. The second password (if found) is fetched from the login request.
    • AAA.LOGIN.DOMAIN. The domain information is fetched from the login request.
  • AAA.USER.ATTRIBUTE("#"). The expression retrieves a stored user attribute. Here # can be either an integer value (between 1 and 16) or a string value. The authentication, authorization, and auditing module keeps the attributes of a user session in a hash table, and AAA.USER.ATTRIBUTE("#") queries that table for the named attribute. For example, if Attributes("samaccountname") is set, AAA.USER.ATTRIBUTE("samaccountname") queries the hash map and fetches the value corresponding to samaccountname.

Traffic policies

After you create one or more form SSO and traffic profiles, you create traffic policies and then bind the policies, either globally or to a traffic management virtual server, to put them into effect.

To create a traffic policy by using the command line interface

At the command prompt, type:

add tm trafficPolicy <name> <rule> <action>

Example

add tm trafficPolicy Traffic-Pol-1 "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" Traffic-Prof-1

To modify a traffic policy by using the command line interface

At the command prompt, type:

set tm trafficPolicy <name> [-rule <rule>] [-action <action>]

Example

set tm trafficPolicy Traffic-Pol-1 -rule "HTTP.REQ.HEADER(\"Cookie\").CONTAINS(\"login=true\")" -action Traffic-Prof-1

To globally bind a traffic policy by using the command line interface

At the command prompt, type:

bind tm global -policyName <name> [-priority <positive_integer>]

Example

bind tm global -policyName Traffic-Pol-1 

To bind a traffic policy to a load balancing or content switching virtual server by using the command line interface

At the command prompt, type one of the following commands:

bind lb vserver <name> -policyName <name> [-priority <positive_integer>]
bind cs vserver <name> -policyName <name> [-priority <positive_integer>]

Example

bind lb vserver lb-vserver-1 -policyName Traffic-Pol-1 -priority 1000

To unbind a globally bound traffic policy by using the command line interface

At the command prompt, type:

unbind tm global -policyName <name>

Example

unbind tm global -policyName Traffic-Pol-1 

To unbind a traffic policy from a load balancing or content switching virtual server by using the command line interface

At the command prompt, type one of the following commands:

unbind lb vserver <name> -policyName <name>
unbind cs vserver <name> -policyName <name>

Example

unbind lb vserver lb-vserver-1 -policyName Traffic-Pol-1

To remove a traffic policy by using the command line interface

First unbind the traffic policy from global or from any virtual server it is bound to, and then, at the command prompt, type:

rm tm trafficPolicy <name>

Example

rm tm trafficPolicy Traffic-Pol-1

To configure and bind traffic policies by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, do one of the following:
    • To create a new traffic policy, click Add.
    • To modify an existing traffic policy, select the policy, and then click Edit.
  3. In the Create Traffic Policy or Configure Traffic Policy dialog, specify values for the parameters.
    • Name*—policyName (Cannot be changed for a previously configured traffic policy.)
    • Profile*—actionName
    • Expression—rule (You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression text area and then typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.)
  4. Click Create or OK. The policy that you created appears in the details pane of the Traffic Policies and Profiles page.

Form SSO profiles

To enable and configure forms-based SSO, you first create an SSO profile.

Note

  • Forms-based single sign-on does not work if the form is customized to include JavaScript.
  • In this feature, the terms “profile” and “action” mean the same thing.

To create a form SSO profile by using the command line interface

At the command prompt, type:

add tm formSSOAction <name> -actionURL <URL> -userField <string> -passwdField <string> -ssoSuccessRule <expression> [-nameValuePair <string>] [-responsesize <positive_integer>] [-nvtype ( STATIC | DYNAMIC )] [-submitMethod ( GET | POST )]
show tm formSSOAction [<name>]

Example

add tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -nameValuePair "loginID passwd" -responsesize "9096" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nvtype STATIC -submitMethod POST

Use POST as the submit method unless the application only accepts GET: with GET the user name and password travel in the query string of the URL, where web server access logs, proxies, and Referer headers record them.

To modify a form SSO profile by using the command line interface

At the command prompt, type:

set tm formSSOAction <name> -actionURL <URL> -userField <string> -passwdField <string> -ssoSuccessRule <expression> [-nameValuePair <string>] [-responsesize <positive_integer>] [-nvtype ( STATIC | DYNAMIC )] [-submitMethod ( GET | POST )]

Example

set tm formSSOAction SSO-Prof-1 -actionURL "/logon.php" -userField "loginID" -passwdField "passwd" -ssoSuccessRule "HTTP.RES.HEADER(\"Set-Cookie\").CONTAINS(\"LogonID\")" -nameValuePair "loginID passwd" -responsesize "9096" -nvtype STATIC -submitMethod POST

To remove a form SSO profile by using the command line interface

At the command prompt, type:

rm tm formSSOAction <name>

Example

rm tm formSSOAction SSO-Prof-1

To configure form SSO profiles by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, click the Form SSO Profiles tab.
  3. On the Form SSO Profiles tab, do one of the following:
    • To create a new form SSO profile, click Add.
    • To modify an existing form SSO profile, select the profile, and then click Edit.
  4. In the Create Form SSO Profile or Configure Form SSO Profile dialog, specify the values for the parameters:
    • Name*—name (Cannot be changed for a previously configured form SSO profile.)
    • Action URL*—actionURL
    • User Name Field*—userField
    • Password Field*—passwdField
    • Expression*—ssoSuccessRule
    • Name Value Pair—nameValuePair
    • Response Size—responsesize
    • Extraction—nvtype
    • Submit Method—submitMethod
  5. Click Create or OK, and then click Close. The form SSO profile that you created appears in the Traffic Policies, Profiles, and Form SSO Profiles pane.
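To make the parameters concrete, here is an added Python model (not Citrix code) of what a form SSO profile makes the appliance do: assemble the logon submission from userField, passwdField, nameValuePair and, for nvtype DYNAMIC, the hidden fields extracted from the application's logon page; place it in a POST body or a GET query string according to submitMethod; then evaluate the ssoSuccessRule against the application's response headers. The login form, its csrf field, the backend responses, and the reading of nameValuePair as name=value pairs joined by & are assumptions made for the example, and the rule evaluator covers only the HTTP.RES.HEADER(...).CONTAINS(...) shape used on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed login page (not from a real application): the hidden csrf field
# is what an nvtype DYNAMIC profile is meant to pick up automatically.
LOGIN_FORM_HTML = """
<form method="post" action="/logon.php">
  <input type="hidden" name="csrf" value="c0ffee-4242">
  <input type="hidden" name="flags" value="0">
  <input type="text" name="loginID">
  <input type="password" name="passwd">
</form>
"""

# Mirrors the page's SSO-Prof-1; nameValuePair is read here as extra
# "name=value&name2=value2" literals (an assumption for this model).
FORM_SSO_PROFILE = {
    "actionURL": "/logon.php",
    "userField": "loginID",
    "passwdField": "passwd",
    "nameValuePair": "flags=0",
    "nvtype": "STATIC",
    "submitMethod": "POST",
    "ssoSuccessRule": 'HTTP.RES.HEADER("Set-Cookie").CONTAINS("LogonID")',
}


class HiddenFieldCollector(HTMLParser):
    """Collect <input type="hidden"> name/value pairs from a login page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def build_sso_request(profile, username, password, login_page_html=""):
    """Model the logon request submitted on the user's behalf."""
    fields = {}
    if profile["nvtype"].upper() == "DYNAMIC":       # take hidden fields from the real form
        collector = HiddenFieldCollector()
        collector.feed(login_page_html)
        fields.update(collector.fields)
    for pair in filter(None, profile.get("nameValuePair", "").split("&")):
        name, _, value = pair.partition("=")
        fields[name] = value
    fields[profile["userField"]] = username
    fields[profile["passwdField"]] = password
    encoded = urlencode(fields)
    if profile["submitMethod"].upper() == "GET":
        return {"method": "GET", "url": f"{profile['actionURL']}?{encoded}", "body": ""}
    return {"method": "POST", "url": profile["actionURL"], "body": encoded}


def password_in_url(request, password):
    """True when the credential would be visible in the request line (and so in logs)."""
    query = parse_qs(urlsplit(request["url"]).query)
    return any(password in values for values in query.values())


_RULE = re.compile(r'^HTTP\.RES\.HEADER\("([^"]+)"\)\.CONTAINS\("([^"]+)"\)$')


def sso_succeeded(rule, response_headers):
    """Evaluate the one ssoSuccessRule shape used on this page against the
    application's response; response_headers is a list of (name, value) pairs."""
    match = _RULE.match(rule)
    if not match:
        raise ValueError("only HTTP.RES.HEADER(...).CONTAINS(...) rules are modelled")
    header, needle = match.groups()
    return any(needle in value for name, value in response_headers if name.lower() == header.lower())


# Constructed backend responses for a successful and a failed logon.
LOGON_OK_HEADERS = [("Set-Cookie", "LogonID=8f3a2c; Path=/; HttpOnly; Secure"), ("Location", "/inbox")]
LOGON_FAILED_HEADERS = [("Set-Cookie", "retry=1; Path=/"), ("Location", "/logon.php?err=1")]


if __name__ == "__main__":
    req = build_sso_request(FORM_SSO_PROFILE, "alice", "s3cret")
    print(req["method"], req["url"], req["body"])
    print("success:", sso_succeeded(FORM_SSO_PROFILE["ssoSuccessRule"], LOGON_OK_HEADERS))
```

Switching the profile to submitMethod GET is what password_in_url is there to show: the same credentials then sit in the request line, where access logs, proxies, and Referer headers capture them, which is why the page's profile is better configured with POST.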

SAML SSO profiles

To enable and configure SAML-based SSO, you first create a SAML SSO profile.

To create a SAML SSO profile by using the command line interface

At the command prompt, type:

add tm samlSSOProfile <name> -samlSigningCertName <string> -assertionConsumerServiceURL <URL> -relaystateRule <expression> -sendPassword ( ON | OFF ) [-samlIssuerName <string>]

Example

add tm samlSSOProfile saml-SSO-Prof-1 -samlSigningCertName "Example, Inc." -assertionConsumerServiceURL "https://service.example.com" -relaystateRule "true" -sendPassword ON -samlIssuerName "Example, Inc."

Leave sendPassword OFF unless the service provider genuinely needs the user's password: with ON, the password is carried inside the SAML assertion, which extends its exposure to every system that handles the assertion.

To modify a SAML SSO profile by using the command line interface

At the command prompt, type:

set tm samlSSOProfile <name> -samlSigningCertName <string> -assertionConsumerServiceURL <URL> -relaystateRule <expression> -sendPassword ( ON | OFF ) [-samlIssuerName <string>]

Example

set tm samlSSOProfile saml-SSO-Prof-1 -samlSigningCertName "Example, Inc." -assertionConsumerServiceURL "https://service.example.com" -relaystateRule "true" -sendPassword ON -samlIssuerName "Example, Inc."

To remove a SAML SSO profile by using the command line interface

At the command prompt, type:

rm tm samlSSOProfile <name>

Example

rm tm samlSSOProfile saml-SSO-Prof-1

To configure a SAML SSO profile by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Policies > Traffic.
  2. In the details pane, click the SAML SSO Profiles tab.
  3. On the SAML SSO Profiles tab, do one of the following:
    • To create a new SAML SSO profile, click Add.
    • To modify an existing SAML SSO profile, select the profile, and then click Edit.
  4. In the Create SAML SSO Profiles or the Configure SAML SSO Profiles dialog box, set the following parameters:
    • Name*
    • Signing Certificate Name*
    • ACS URL*
    • Relay State Rule*
    • Send Password
    • Issuer Name
  5. Click Create or OK, and then click Close. The SAML SSO profile that you created appears in the Traffic Policies, Profiles, and SAML SSO Profiles pane.

Session timeout for OWA 2010

You can now force OWA 2010 connections to time out after a specified period of inactivity. OWA sends repeated keepalive requests to the server to prevent timeouts. Keeping the connections open can interfere with single sign-on.

To force OWA 2010 to time out after a specified period by using the command line interface

At the command prompt, type the following commands:

add tm trafficAction <actname> [-forcedTimeout <forcedTimeout> -forcedTimeoutVal <forcedTimeoutVal>]

For <actname>, substitute a name for your traffic action (profile). For <forcedTimeoutVal>, substitute the number of minutes after which to initiate a forced timeout. For <forcedTimeout>, substitute one of the following values:

  • START—Starts the timer for forced timeout if a timer has not already been started. If a running timer exists, has no effect.
  • STOP—Stops a running timer. If no running timer is found, has no effect.
  • RESET—Restarts a running timer. If no running timer is found, starts a timer as if the START option had been used.

add tm trafficPolicy <name> <rule> <actname>

For <name>, substitute a name for your traffic policy. For <rule>, substitute a rule in Citrix ADC default syntax.

bind lb vserver <name> -policyName <name> -priority <priority>

For <name>, substitute the name of the authentication, authorization, and auditing traffic management virtual server and the name of the traffic policy. For <priority>, substitute an integer that designates the policy's priority.

Example

add tm trafficAction act-owa2010timeout -forcedTimeout RESET -forcedTimeoutVal 10
add tm trafficPolicy pol-owa2010timeout true act-owa2010timeout
bind lb vserver vs-owa2010 -policyName pol-owa2010timeout -priority 10
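The three forcedTimeout values define a small state machine, and the traffic policy rule decides which requests drive it. The following Python simulation is an added example, not Citrix code: it implements the START/STOP/RESET semantics described above and replays a constructed request trace in which the user stops interacting while the browser keeps sending keepalives. With the page's rule of true, every keepalive RESETs the timer; with a rule that excludes the keepalive path, the forced timeout fires ten minutes after the last user-driven request. The keepalive path /owa/ev.owa and the alternative rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ForcedTimeoutTimer:
    """START/STOP/RESET semantics of -forcedTimeout, with -forcedTimeoutVal minutes."""
    minutes: int
    deadline: Optional[int] = None          # minute at which the session is forced out

    def apply(self, action: str, now: int) -> None:
        if action == "START":
            if self.deadline is None:       # no effect on a running timer
                self.deadline = now + self.minutes
        elif action == "STOP":
            self.deadline = None            # no effect if nothing is running
        elif action == "RESET":
            self.deadline = now + self.minutes   # restart, or start if not running
        else:
            raise ValueError(f"unknown forcedTimeout action {action!r}")

    def expired(self, now: int) -> bool:
        return self.deadline is not None and now >= self.deadline


Request = Tuple[int, str]                   # (minute since logon, request path)

# Constructed trace: three user-driven requests, then a browser that only
# sends keepalives every two minutes. "/owa/ev.owa" as the keepalive path is
# an assumption made for this example.
KEEPALIVE_PATH = "/owa/ev.owa"
TRACE: List[Request] = [(0, "/owa/"), (3, "/owa/?ae=Folder"), (5, "/owa/?ae=Item")] + \
    [(m, KEEPALIVE_PATH) for m in range(7, 30, 2)]


def simulate(trace: List[Request], rule: Callable[[str], bool], action: str, minutes: int) -> Optional[int]:
    """Walk the trace; every request matching `rule` (the traffic policy
    expression) applies `action` to the timer. Returns the minute at which the
    forced timeout fires, or None if no timer is pending after the last request."""
    timer = ForcedTimeoutTimer(minutes)
    for now, path in trace:
        if timer.expired(now):
            return timer.deadline           # this request arrives after the forced logout
        if rule(path):
            timer.apply(action, now)
    return timer.deadline                   # pending deadline after the last request


def every_request(path: str) -> bool:       # the page's rule: true
    return True


def user_driven_only(path: str) -> bool:    # assumed rule, roughly HTTP.REQ.URL.PATH.EQ("/owa/ev.owa").NOT
    return path != KEEPALIVE_PATH


if __name__ == "__main__":
    print("RESET on every request:      ", simulate(TRACE, every_request, "RESET", 10))
    print("RESET on user-driven only:   ", simulate(TRACE, user_driven_only, "RESET", 10))
    print("START once on first request: ", simulate(TRACE, every_request, "START", 10))
```

The START variant is the other useful reading of the semantics: because later matches have no effect on a running timer, START on every request gives an absolute session lifetime measured from the first request, whereas RESET gives an inactivity timeout measured from the last request that the rule lets through.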