So add 2 minutes at least when testing.ģ. However if you define 1 minute and wait 180 seconds on your chronometer you will always get the authentication prompt as it should. For instance if you define 1 minute and start testing by clicking the icon again after you timing 60 seconds on your chronometer you will see your setting does not take effect (yet) and reconnect still happens immediately without re-authentication. This is a big caveat and set me on the wrong foot causing me to wrongfully conclude and dismiss this field as not-working-properly during my initial testings. Note also that there is a random extra timer automatically being added to the timer you define of up to a few minutes due to internal gateway working in mysterious ways. Note that besides defining this timer at the "global settings" level you could consider instead defining it in the specific equivalent session profiles in case you want this restriction to only apply to specific scenario's such as for instance connections coming from workspace/receiver apps (but not from logons through website).
![citrix workspace app for windows 7 citrix workspace app for windows 7](https://i.imgur.com/FMAqFuQ.png)
#Citrix workspace app for windows 7 full
Internal connections go directly to the storefront server and come from internal computers that are subject to policies where we have full control over these timers so they are out of scope for this case. In other words all external connections where the risk is largest and control least. By setting it there it will apply to all scenario's and sessions coming in through Netscaler gateway. This timer value is set and defined in the Netscaler Gateway " Global Settings" section under the " Client Experience" tab in the " Session Time-out" field. This is essentially the period of time during which clicking the icon of your published application/desktop will reconnect to an existing HDX session or start a new HDX session before the icon becomes considered 'expired' and immediately returns a re-authentication prompt instead. (essential) The Netscaler Gateway session (= the "validity lifetime" of your icons). Practically it means that regardless of which client device or way of connecting remotely or internally, any Citrix session where no input has been detected for X minutes will be disconnected (but remains available for instant reconnecting after for instance a lunch break)Ģ. For this I found the only true working -under all conditions- solution to be The Citrix policy " Server Idle Timer interval". (essential) The Actual Citrix HDX session (= the published desktop you are working in) needs to become automatically disconnected after x minutes of user inactivity. To summarize there are 3 levels that can be controlled of which 2 are essential and necessary as well as sufficient while the third one can be considered optional as well as incomplete:ġ.
![citrix workspace app for windows 7 citrix workspace app for windows 7](https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/media/app_protect_install.png)
Update, solution and conclusion for future reference to all that it may concern or interest:Īfter more rigorous testing and searching I have found my remaining answers to enforce a strict security plan against Session hijacking after a computer theft for people connecting to your Citrix session from any possible external resources (Android, Ipad, Windows laptops and computers, Chromebooks. I need to ensure that re-authentication is enforced whenever people -past the timeout- manually click the icon in Workspace app for windows to start/reconnect Citrix apps and desktops Instead the workspace app for windows reconnects to the existing (previously disconnected) Citrix session immediately which is a potential security breach according to our company policy. When testing logging in from for instance a Chromebook from an external internet line through the Netscaler Gateway I validated succesfully that I get the " logoff successful" page after 1 minute inactivity but when testing the same from a Windows 1905 app for windows I cannot get authentication to pop-up.įor the record I'm aware that the windows app never gives a "log off" message and that your apps and desktops remain visible but -according to the documentation- I'm supposed to at least get the authentication pop-up to happen when clicking the app/desktop past the timeout. I then configured - for testing and validation purposes- in Storefront that logons to this website should timeout and logoff 1 minute after no activity as follows:
![citrix workspace app for windows 7 citrix workspace app for windows 7](https://www.ibm.com/support/pages/system/files/inline-images/image_5462.png)
I'm currently testing a new setup which uses storefront 1906 + Netscaler gateway (latest) + Workspace app for windows 1905 that I just finished setting up.