Educause Security Discussion mailing list archives

Re: Idle and Max. Session Length in Juniper SA


From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Thu, 16 Dec 2010 09:39:25 -0600

At 10:33 AM -0500 12/16/10, Clark, Joseph K wrote:
One complaint we are getting with our test base is in regards to
the Idle and Max. Session timeouts. The complaint is they are too short.
We currently had it set to 30 minutes Idle and 4 hour max session limit.
Does anyone know of any standards or best practices to apply in this
case?

When we rolled out our SSL VPN, we kept the same timeouts that we had with
our traditional VPN - 30 minutes idle and 12 hours max session length.
Some groups/roles have requested different shorter timeouts, which is no
problem.  No one has requested longer timeouts.

One interesting wrinkle is that with a traditional VPN, the idle timeouts
are pretty much never triggered because of random traffic that is always
coming out of the clients, like DNS queries, file browsing updates, etc
etc.  So when people started moving to SSL VPN, idle timeouts became a much
more frequent occurrence.



-- 
Julian Y. Koh                         <mailto:kohster () northwestern edu>
Manager, Network Transport                         <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
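
The idle-timer behaviour described in the message above, as an added example that is not part of the original post: the same traffic timeline evaluated against the 30-minute idle and 12-hour max limits, once with background traffic resetting the idle timer and once without. The assumption that the SSL VPN counts only user-driven requests, the constructed timeline, and the names `session_end` and `sample_events` are illustrative and do not come from the post or from Juniper documentation.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)   # idle timeout quoted in the post
MAX_SESSION = timedelta(hours=12)    # max session length quoted in the post


def session_end(start, events, count_background):
    """Return (end_time, reason) for one VPN session.

    events: iterable of (timestamp, kind), kind is "user" or "background".
    count_background: True when background traffic (DNS queries, file
    browsing updates) resets the idle timer, as the post describes for a
    traditional VPN. False is the assumed SSL VPN behaviour.
    """
    hard_stop = start + MAX_SESSION
    last_activity = start
    for ts, kind in sorted(events):
        if ts < start:
            continue
        if ts >= hard_stop:
            break
        # The idle timer expired before this packet arrived.
        if ts - last_activity >= IDLE_LIMIT:
            return last_activity + IDLE_LIMIT, "idle"
        if kind == "user" or count_background:
            last_activity = ts
    idle_stop = last_activity + IDLE_LIMIT
    if idle_stop < hard_stop:
        return idle_stop, "idle"
    return hard_stop, "max"


def sample_events(start):
    """Constructed timeline: one hour of user work, then only background chatter."""
    user = [(start + timedelta(minutes=m), "user") for m in range(0, 61, 10)]
    background = [(start + timedelta(minutes=m), "background")
                  for m in range(0, 13 * 60, 5)]
    return user + background


if __name__ == "__main__":
    t0 = datetime(2010, 12, 16, 9, 0)
    for label, flag in (("traditional VPN", True), ("SSL VPN (assumed)", False)):
        end, reason = session_end(t0, sample_events(t0), flag)
        print(f"{label}: ends {end:%H:%M} ({reason})")
```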

