How the Secure Mobile Access Appliance Removes a User's Session from the Active Users List
03/26/2020
This article briefly discusses the criteria for removing a user session from the active users list on a SonicWall SMA 1000 Series appliance, including the default timeout values and the triggers that remove a user from that list. The SMA appliance applies the following per-service criteria when timing out a user session from the "Active Users" list of the Appliance Management Console (AMC).
WorkPlace / Web Access Service
WorkPlace and the Web Access Service time out a user session after 30 minutes of inactivity.
Client/Server Access Service
Client/Server Access Service times out a user session as soon as the user closes all of their connections to the service. For example, once a Connect user disconnects from the appliance, the Client/Server Access Service times out the user session. If the user never closes the connection, then the connection will time out after eight hours.
The Policy Service controls user access to the appliance and to resources via authentication realms, authentication servers, and access control rules. The Policy Service keeps a status of all users. When a user connects to the WorkPlace / Web Access Service or the Client/Server Access Service, these services connect to the Policy Service for user authentication and rule checking. Once these services terminate their connection with the Policy Service, the Policy Service starts a 15-minute countdown. After 15 minutes, the Policy Service times out the user session. See "How the Active User Count is Updated" below for more information.
How the Active User Count is Updated
The count of users displayed in the Active Users list is controlled by the Policy Service. Currently, this count does not refresh until the Policy Service receives a request to check on the status of connections. An example of such a request is a user login to the appliance. At that point, the Policy Service checks the status of connections and purges connections from its list, which in turn updates the Active Users list.
If an administrator sees users who have been logged into the system for a long time, and knows that they are definitely inactive, it's because the Policy Service hasn't received any new requests to update its list. The next time a user logs in, the Active Users list will be updated.
- A WorkPlace user logs in to WorkPlace to check e-mail, use Web applications, access file shares, etc. The user walks away from their computer and returns to it an hour later. At this time, the user's session has timed out. It timed out 15 minutes earlier: remember, there was the 30-minute WorkPlace timeout plus a 15-minute Policy Service timeout. The end user must close their browser and log back into WorkPlace.
- A Connect Tunnel user establishes a Connect Tunnel connection and checks e-mail using Outlook. The user closes their Outlook connection but doesn't close the Connect client, so Connect remains connected. The user leaves their computer and returns five hours later. The connection is still active because the default timeout for Client/Server Access Service connections is eight hours and the user didn't reach that limit.
- A Connect Tunnel user establishes a Connect Tunnel connection and checks e-mail using Outlook. The user closes their Outlook connection and closes the Connect client, ending the connection. This starts the 15-minute timeout countdown by the Policy Service before the end user's connection is timed out completely.
Here's how to update policyserver immediately if you're seeing some "stale" users in the Active Users list in AMC. Get on the console of the appliance and run this command: policyinfo
Now, log into AMC, and refresh the list of active users. It should accurately reflect users that are active on the system. This is a lot easier than logging into the system yourself to get policyserver to update itself.
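The behavior described above, where a session can already be expired yet still be listed until the next request reaches the Policy Service, can be reproduced with a small model. This is an added example, not SonicWall code: the class and function names are hypothetical, the sample sessions are constructed, and it assumes the eight-hour limit is measured from connection time and is followed by the same 15-minute countdown.

```python
from dataclasses import dataclass
from typing import Optional

# Timeouts in minutes, taken from the article.
WORKPLACE_IDLE = 30          # WorkPlace / Web Access inactivity timeout
CLIENT_SERVER_MAX = 8 * 60   # Client/Server Access connection limit
POLICY_COUNTDOWN = 15        # Policy Service countdown after the service lets go

@dataclass
class Session:
    user: str
    service: str                      # "workplace" or "client_server"
    start: int                        # minute of last activity / connect
    disconnect: Optional[int] = None  # minute the client closed all connections

    def service_end(self) -> int:
        """Minute at which the access service ends its Policy Service connection."""
        if self.service == "workplace":
            return self.start + WORKPLACE_IDLE
        limit = self.start + CLIENT_SERVER_MAX  # assumption: measured from connect
        return limit if self.disconnect is None else min(self.disconnect, limit)

    def expired(self, now: int) -> bool:
        return now >= self.service_end() + POLICY_COUNTDOWN

class PolicyServiceModel:
    """Hypothetical model: stale entries are purged only when a request arrives."""
    def __init__(self):
        self.sessions = []

    def active_users(self):
        return [s.user for s in self.sessions]  # reading the list purges nothing

    def request(self, now, login=None):
        # A user login, or a status query such as policyinfo, triggers the purge.
        self.sessions = [s for s in self.sessions if not s.expired(now)]
        if login is not None:
            self.sessions.append(login)

def demo():
    ps = PolicyServiceModel()
    # Constructed sessions mirroring the article's three scenarios, all at minute 0.
    ps.request(0, Session("alice", "workplace", 0))
    ps.request(0, Session("bob", "client_server", 0))
    ps.request(0, Session("carol", "client_server", 0, disconnect=10))
    displayed = ps.active_users()   # what the list shows if no request has arrived
    ps.request(300)                 # status check five hours in
    return displayed, ps.active_users()

if __name__ == "__main__":
    print(demo())
```

In this model only the Connect user who never disconnected remains after the status check, so a long-lived entry in the list is not by itself evidence of an active session.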