How to set per user inactivity and forced timeout in UAG
I recently had a customer ask about setting the timeout in Unified Access Gateway (UAG) on a per-user basis. By default, UAG lets you set timeouts at the portal (trunk) level and per application, but not per user. Knowing that UAG is VERY customizable, this post outlines how to accomplish this.
Inactivity vs. Scheduled Timeout
UAG defines an “Inactivity Timeout” as a period with no activity after which a forced log off happens. There are several of these, including: login page inactivity (default 30 seconds), portal home page inactivity (default 300 seconds for non-privileged endpoints) and application inactivity (default 30 minutes).
UAG also defines a “Scheduled Timeout” for both privileged (default 60 minutes) and non-privileged (default 1440 minutes) endpoints. A scheduled timeout occurs whether or not there is any activity.
Change the setting on a per-user basis
To meet some security policies, customers need to set the inactivity and scheduled log off time on a per-user or per-group basis. Setting the value itself takes a single line of code, but UAG leaves it to the customer to supply the logic that decides when, and with what value, to apply it.
One approach is to pull the setting from the user repository. In this example we repurpose an existing Active Directory user attribute to hold the UAG timeout value, and read it during logon. Consider the following code:
<%
' num, g_cookie and SetSessionParam are supplied by the UAG validation page that includes this file
On Error Resume Next ' ignore users without a timeout attribute (and any directory error)
Dim oConn
Dim rs
Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
' bind to the directory with the credentials the user has just logged on with
oConn.Open "Ads Provider", Session("repository" & num) & "\" & Session("user_name" & num), Session("password" & num)
' look the user up by sAMAccountName and return only the attribute holding the timeout
Set rs = oConn.Execute("<LDAP://dc=SCD-LABS,dc=net>;(&(objectClass=user)(sAMAccountName=" & Session("user_name" & num) & "));physicalDeliveryOfficeName")
If Not rs.EOF Then
    If rs.RecordCount = 1 Then ' we found our user!
        SetSessionParam g_cookie, "SchedTimeout", Trim(rs("physicalDeliveryOfficeName").Value) ' setting the value
    End If
    rs.Close
End If
oConn.Close
On Error GoTo 0 ' reset error handling
Set oConn = Nothing
Set rs = Nothing
%>
This code finds the user in Active Directory and reads the physicalDeliveryOfficeName attribute (the “Office” field on the account). It then sets the “SchedTimeout” session parameter on the global cookie to that value, which UAG interprets in seconds: if 120 was returned, the user would experience a forced log off after 2 minutes. Setting the “SessionTimeout” parameter in the same way would set the inactivity timeout for the user instead.
We used “on error resume next” to deal with any user who does not have the value set. More complete logic could be added: checking that the attribute holds a number in a sensible range before applying it, and escaping the user name before concatenating it into the LDAP search filter, since the snippet above places it in the filter as-is.
Putting it in action
You can add the code sample above to any of the validate .inc files. In my example, I added it to the file <TrunkName><0 or 1>PreValidate.inc, where TrunkName is the name of the trunk you created in UAG and the digit is 1 for an HTTPS trunk or 0 for an HTTP trunk. My trunk was named “UAG” and it was HTTPS, so the filename is UAG1PreValidate.inc. This file is placed in the \von\InternalSite\inc\CustomUpdate directory.
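A more defensive version of the lookup, written for this page as an added example (it is not code from the original post), for the same PreValidate.inc file. It escapes the user name before building the LDAP filter, accepts the attribute only when it is a plain integer within bounds, and falls back to a per-group value when the user is a member of a designated group, so a bad or missing attribute leaves the trunk default in place. It assumes the same UAG-provided context as the snippet above (num, g_cookie, SetSessionParam and the repository, user_name and password session values); the group DN, the bounds and the group timeout are assumptions chosen for illustration.

```vbscript
<%
' Added example, not the post's code: defensive per-user/per-group timeout lookup.
' Relies on the UAG-provided context of the including validation page: num,
' g_cookie, SetSessionParam and Session("repository"/"user_name"/"password" & num).
' The attribute name is the one used in the post; everything below marked
' "assumed" is an assumption for illustration.
Const LDAP_BASE     = "<LDAP://dc=SCD-LABS,dc=net>"
Const TIMEOUT_ATTR  = "physicalDeliveryOfficeName"
Const SHORT_GROUP   = "CN=UAG-ShortSession,OU=Groups,DC=SCD-LABS,DC=net" ' assumed group DN
Const MIN_TIMEOUT   = 60     ' seconds, assumed lower bound
Const MAX_TIMEOUT   = 86400  ' seconds, assumed upper bound
Const GROUP_TIMEOUT = 900    ' seconds, assumed value for members of SHORT_GROUP

' RFC 4515 escaping: a user name containing ( ) * \ or NUL must not be able
' to change the meaning of the search filter it is placed in.
Function LdapEscape(s)
    Dim i, c, out
    out = ""
    For i = 1 To Len(s)
        c = Mid(s, i, 1)
        Select Case c
            Case "\"    : out = out & "\5c"
            Case "*"    : out = out & "\2a"
            Case "("    : out = out & "\28"
            Case ")"    : out = out & "\29"
            Case Chr(0) : out = out & "\00"
            Case Else   : out = out & c
        End Select
    Next
    LdapEscape = out
End Function

' Accept only a plain positive integer inside [MIN_TIMEOUT, MAX_TIMEOUT];
' anything else (empty, text, out of range) yields -1 so no override is applied.
Function ParseTimeout(raw)
    Dim s, i
    ParseTimeout = -1
    s = Trim("" & raw)
    If Len(s) = 0 Or Len(s) > 6 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    If CLng(s) < MIN_TIMEOUT Or CLng(s) > MAX_TIMEOUT Then Exit Function
    ParseTimeout = CLng(s)
End Function

' Returns the scheduled timeout (seconds) for the logged-on user: the per-user
' attribute if valid, else GROUP_TIMEOUT if the user is in SHORT_GROUP,
' else -1 (keep the trunk default). Any directory error also returns -1.
Function LookupUserTimeout()
    Dim oConn, rs, filter, groups, i, result
    result = -1
    On Error Resume Next
    Set oConn = Server.CreateObject("ADODB.Connection")
    oConn.Provider = "ADSDSOObject"
    ' bind with the credentials the user has just logged on with
    oConn.Open "Ads Provider", Session("repository" & num) & "\" & Session("user_name" & num), Session("password" & num)
    If Err.Number <> 0 Then
        LookupUserTimeout = -1
        Exit Function
    End If
    filter = "(&(objectClass=user)(sAMAccountName=" & LdapEscape(Session("user_name" & num)) & "))"
    Set rs = oConn.Execute(LDAP_BASE & ";" & filter & ";" & TIMEOUT_ATTR & ",memberOf")
    If Err.Number = 0 Then
        If Not rs.EOF Then
            result = ParseTimeout(rs(TIMEOUT_ATTR).Value)
            If result = -1 Then
                groups = rs("memberOf").Value ' multi-valued: Null, a single string, or a Variant array
                If IsArray(groups) Then
                    For i = 0 To UBound(groups)
                        If StrComp(groups(i), SHORT_GROUP, vbTextCompare) = 0 Then result = GROUP_TIMEOUT
                    Next
                ElseIf Not IsNull(groups) Then
                    If StrComp(groups, SHORT_GROUP, vbTextCompare) = 0 Then result = GROUP_TIMEOUT
                End If
            End If
            rs.Close
        End If
    End If
    oConn.Close
    On Error GoTo 0
    Set rs = Nothing
    Set oConn = Nothing
    LookupUserTimeout = result
End Function

Dim effectiveTimeout
effectiveTimeout = LookupUserTimeout()
If effectiveTimeout <> -1 Then
    SetSessionParam g_cookie, "SchedTimeout", CStr(effectiveTimeout)
End If
%>
```

To drive the inactivity timeout instead, change the parameter name in the final SetSessionParam call to "SessionTimeout"; the lookup and validation are the same. The range check matters because a stray value such as 5 in the Office field would otherwise log every affected user off a few seconds after they signed in.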
Author:
Kevin Saye, Security Technical Specialist – Microsoft
Comments
- Anonymous
March 26, 2012
Hi there, thanks for the information. I have created the file as above, <portalname>1PreValidate.inc within von\internalsite\inc\customupdate, and have set a value of 1440 in the 'Office' field of my AD profile, but I still get the privileged endpoint timeout value of 120. I've activated the config too, but I don't think it's necessary. What have I missed? Thanks, Nick