Users being prematurely logged out

Hi All,

We have an XG with AD integration.  We have a web traffic firewall rule that requires authentication, which is working well.  As well as web browsing, our users all use Outlook, connecting to O365 mailboxes.

Our problem is that if users do not browse regularly, their Outlook slips into 'disconnected' mode.  Then, if they do not notice this (most do not) they miss new email coming in.

Extending the SSO timeout to 60 minutes (from the default of 6) definitely helps.  So, I could extend this to the maximum of 1440 minutes (just over 24 hours) but am worried that there may be other unintended consequences.

So, I wonder why Outlook loses its connection (is it because it is not run in a browser?), and if there is another way of fixing this, and would appreciate comments.

Thanks

Adrian



  • You should look at the reason for your logout. Which service do you use to authenticate?

  • Hi LuCar,

    Thanks for responding.

    We have integrated the XG with AD, and AD is the only authentication mechanism for user authentication.  So, it's Kerberos/NTLM.

    If users do lots of browsing, it is OK.  Their Outlook carries on working.

    But if they leave their computers to do something else then come back, their Outlook is disconnected.  This happens after about 10 minutes. 

    I think it is the AD SSO timeout that logged them out, which is by default 6 minutes.  If we extend the timeout to 60 minutes, it improves for some users; but still happens if users do no browsing for about 60 minutes.

    So, firstly I wonder if there is anything I can do to keep Outlook connected?  I have tried adding another rule for destination *.office365.com without authentication, but it has made no difference.  Other background processes (such as TeamViewer) continue to work.

    Or, should I extend the timeout to its maximum - 1440 minutes?  Will this have any detrimental effects in other ways?

    Thanks

    Adrian

  • Hi Adrian,

    I think Outlook / Outlook Anywhere (rpc over https) should use more or less the same IPs/port as Outlook Web Access (https).
    I would also think that it is connecting on a regular basis to pull new mails (unless there is some kind of notification from outside which triggers the pull). But these connections may not be recognized in the same way as plain https web requests in Outlook Web Access.

    Though it SHOULD be possible to make an exception policy/rule for Outlook 365 without user authentication on the firewall.

    (We also had an issue with this which led to flapping access of websites through 2 different rules. Users were authenticated but logged out very often because STAS was not able to do the test whether the computer/user was still online/logged in properly, due to missing rights in WMI and the fact that we did not want to let the services run as a domain admin.)

    So you can integrate the Sophos XG as a (member) computer in AD and use SSO with Kerberos etc. directly without using the LDAP? Is there a description of how to do this?

    Regards,
    BeEf

  • Hi Beef,

    Yes I think you are right.  I'm thinking that because Outlook Anywhere traffic is not generated in a browser, it does respond to a Negotiate authentication request.  Perhaps only browsers can respond to those.

    I have added a firewall rule for traffic to *.office365.com that does not require authentication; but it does not seem to have helped.

    I'm continuing to investigate, will let you know if I find anything.

    Thanks

    Adrian

  • It could be an open bug hitting your issue, because the session should not be flushed if active. In the upcoming MR5, there will be a fix, which could eventually resolve your issue.

  • Hello Mr. Tony, you wrote a month ago that this problem "could be an open bug". One of our clients is having these issues, and the connection to the Exchange Server stops when this happens and Outlook hangs. I cannot find the open bug; could you tell me more about where to find it? Thank you very much in advance!