Security Basics mailing list archives

Remote access timeout best practices


From: "Chris Barber" <cmbarber () gmail com>
Date: Thu, 18 Sep 2008 14:45:35 -0700

Hi All,

I am working with several groups of people in my organization on some
remote access (VPN) issues.

Here is the major concern and point of contention:

Timeouts!

I have the ability to place 2 timeouts on all VPN sessions, Idle and Session.

The default Idle timeout is set to 30 minutes, with a few waivered
exceptions pushing that to 2 hours.
The default Session timeout is set at 240 minutes (4 hours). So far
there are no approved exceptions to this; however, there is at least
one submitted request.
The session timeout is really a limit; no session will remain open
longer than 240 minutes regardless of activity.

I have done some research and found that for the most part these seem
to be well within "best business practice".

I would like to hear from others what their take is on these timeouts
and what the reasons are for or against them.

Thanks in advance for your feedback,

Chris.
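
The interaction of the two timers described in the message, as an added example that is not part of the original post: it computes when a VPN session would be torn down, and by which timer, for a given activity pattern. The timeout values are the ones quoted in the message; the function name `session_end`, the `START` time and the activity patterns are constructed for illustration.

```python
from datetime import datetime, timedelta

IDLE_DEFAULT = timedelta(minutes=30)    # default idle timeout quoted in the post
IDLE_WAIVER = timedelta(hours=2)        # waivered idle timeout quoted in the post
SESSION_LIMIT = timedelta(minutes=240)  # hard session limit quoted in the post
START = datetime(2008, 9, 18, 9, 0)     # constructed session start time


def session_end(start, activity, idle=IDLE_DEFAULT, limit=SESSION_LIMIT):
    """Return (end_time, reason) for one session under both timers.

    start    -- datetime at which the tunnel came up
    activity -- datetimes at which the user generated traffic
    The idle timer restarts on every activity; the session timer never does.
    """
    hard_stop = start + limit
    last_seen = start
    for ts in sorted(activity):
        if ts < start:
            continue                    # event predates this session
        if ts >= hard_stop:
            break                       # session limit already reached
        if ts - last_seen >= idle:
            return last_seen + idle, "idle"   # gap exceeded the idle timer
        last_seen = ts                  # activity restarts the idle timer only
    idle_stop = last_seen + idle
    if idle_stop < hard_stop:
        return idle_stop, "idle"
    return hard_stop, "session"


def minutes(*offsets):
    """Constructed activity pattern: offsets in minutes after START."""
    return [START + timedelta(minutes=m) for m in offsets]


if __name__ == "__main__":
    cases = {
        "busy user, default idle": (minutes(*range(20, 301, 20)), IDLE_DEFAULT),
        "long break, default idle": (minutes(10, 25, 100), IDLE_DEFAULT),
        "long break, waivered idle": (minutes(10, 25, 100), IDLE_WAIVER),
        "sparse user, waivered idle": (minutes(90, 180, 270), IDLE_WAIVER),
    }
    for name, (activity, idle) in cases.items():
        end, reason = session_end(START, activity, idle=idle)
        print(f"{name}: ends {end:%H:%M} ({reason} timeout)")
```

With the waivered 2-hour idle value, a user who touches the tunnel every 90 minutes is only ever disconnected by the 240-minute session limit, which is why the session limit matters most for waivered accounts.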

