How to close the WebGate to Access Server connection before the firewall drops it

This is an important consideration when you deploy your IDM system in production. Assume there is a WebServer in the DMZ zone: you will then have a firewall between the WebGate installed on that WebServer and the Access Server, which sits in the application zone.

When you create a WebGate profile, the parameter Maximum Client Session Time (hours) has a default value of 24 hours. The parameter specifies how long the connection between a WebGate and an Access Server can last. Obviously, the longer the value specified, the more vulnerable the system is to attack.

Typically the firewall timeout is less than or equal to 1 hour (it can be client specific as well), which means that all application sessions traversing this firewall will be dropped after 1 hour.

To be on the safer side, it is better for the applications themselves to close the connections rather than having the firewall drop them.

For the WebGate to Access Server connection, you can add a User Defined parameter to the WebGate profile that lets you specify the timeout in minutes, as shown below.

In this case, if we assume the firewall timeout is 60 minutes, we can close WebGate to Access Server connections in less than 60 minutes, as shown below.

Along the same lines, other sessions such as the LDAP and DB connections have to be closed before the firewall drops them.

About the Author: Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com


11 comments
Sourabh Gupta says October 27, 2012

Hi,

I am trying to understand this parameter. The parameter specifies how long the connection between a WebGate and an Access Server can last.

Is this time parameter for every user that makes a request to a protected resource? Like, suppose 100 users make a request to a (protected) resource; then 100 connections will be opened by the WebGate to the Access Server and those 100 connections will be open for 24 hours.

Then what does this parameter signify?

Reply
Sourabh Gupta says October 27, 2012

Or is it a different connection mechanism b/w WebGate and AccessGate?

Reply
Haris Dermawan says February 18, 2014

What is the difference between Maximum Client Session Time in the Access Gate Configuration and the Access Server Configuration?

Do we need to change both side?
If 1 hour is recommended, why is the default setting 24 hours?

What will happen if the firewall drops the session? I'm facing a problem like this: the firewall drops the session, but that session will still be ESTABLISHED in the Access Server (by the netstat -a command). So then the number of sessions increases in the Access Server and the system goes down. Amazingly, it automatically recovers in the afternoon like nothing happened before (the number of sessions goes back to normal).

Reply
Mahendra says February 18, 2014

Hi Haris,

Max client session time in the AccessGate defines the connection time between AG and AS if there is a firewall between them. I am not sure if there is prominence for a similar param in the AS configuration.

It need not be 1 hr, but it should be the actual firewall timeout.

If the firewall drops the ESTABLISHED connections, then those connections that are lasting for 1 hr (param setting) will be dropped and new connections will be established from AG/WG.

Hope this helps.

Thanks
Mahendra.

Reply
Haris Dermawan says February 18, 2014

Hi Mahendra,

Thanks a lot for your answer.
Yesterday I tried to implement your explanation: create the user-defined parameter maxSessionTimeUnits in minutes, and change the value of Maximum Session to 50.

The session time in the firewall is 3600 sec.
But when I checked this morning, it seems not to be working, as still so many connections are dropped.
In the OAM Server, there are zombie connections (netstat) that were dropped by the firewall.

I wonder if this user-defined parameter works on OAM 10.1.4.3.

Reply
Mahendra says February 19, 2014

Hi,
Connections will close automatically before the firewall timeout. Is this not happening?

If not, when do you notice connections dropping?

HTH

-Mahendra

Reply
Haris Dermawan says February 19, 2014

Nope, even after 50 minutes, by netstat I can still see the connection still established in the WebGate.
And then after more than 1 hour, the firewall drops it (I see it in the firewall log).

The problem is, even though the connection was dropped and doesn't exist anymore in the WebGate, it creates a zombie in the OAM server. Day by day, they increase and make OAM hang.

What should I check first?

Now I'm trying to increase the firewall session to 24 hours (Access Gate Max Session is still 50 minutes) to prevent the firewall from dropping the connection.

Reply
Haris Dermawan says February 19, 2014

Sorry, I need to add this info:
In our system, there are 16 WebGates and 2 OAM servers.
Every time I restart OAM, the number of connections to port 8888 (OAM) is ~160.
But 3-4 days after the restart, the number of connections becomes >1000, and OAM hangs and is restarted automatically after several hours of hanging.

Reply
Mahendra says February 19, 2014

Firewall dropping connections is unusual. You can also check the initial connections and max connections in the WebGate definition. Make sure to have reasonable values for these params.

For firewall drops, you can test this: remove the user-defined param, specify Max Session time as 1 hr or 60 mins, and increase the firewall timeout to 70 mins. This will tell you if the user-defined param is causing the issue.

-M

Reply
Haris Dermawan says February 21, 2014

Mahendra,

You are correct!
I've tried changing the Max Session Time to 1 hr and increasing the firewall timeout to 70 min.
It works now; I can see in the firewall log that there are 10 new connections created every hour and the number of connections in OAM is stable (also 10).

In this case, maxSessionTimeUnits is not working on OAM 10.1.4.3.

However, it happened only on our Checkpoint UTM-1 (firmware R75.20) but not on our Checkpoint IP 295, 395, 2455 (firmware R75.40).
Thanks for your help.

Reply
Mahendra says February 21, 2014

Glad to know that it has worked!!

Reply
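As an added example (not code from the original post or from Oracle Access Manager), the Python script below covers two checks discussed on this page: it computes the effective WebGate to Access Server connection lifetime from the profile values, including the case reported in the comments where the user-defined minutes unit is not honoured, and compares it with the firewall idle timeout; and it counts ESTABLISHED connections to the Access Server port per WebGate host from netstat output, the symptom the comments watched with netstat. The profile key names, the netstat lines and the addresses are constructed assumptions.

```python
# Added example (not the post's code): WebGate session lifetime vs firewall idle
# timeout, plus ESTABLISHED connections per WebGate host from netstat output.
from collections import Counter

DEFAULT_MAX_SESSION_HOURS = 24  # default Maximum Client Session Time (hours)

def session_lifetime_seconds(profile, units_param_honored=True):
    """Effective WebGate->Access Server connection lifetime in seconds.
    Assumed keys: 'max_session_time' and optional 'max_session_time_units'
    ('hours' or 'minutes', modelling the user-defined minutes parameter).
    If the server ignores that parameter, as the comments report for
    10.1.4.3, the value is interpreted in hours."""
    value = profile.get("max_session_time", DEFAULT_MAX_SESSION_HOURS)
    units = profile.get("max_session_time_units", "hours")
    if not units_param_honored:
        units = "hours"
    return value * (60 if units == "minutes" else 3600)

def check_profile(profile, firewall_idle_timeout_s, units_param_honored=True):
    """Return (ok, lifetime_s); ok means the WebGate closes the connection
    before the firewall idle timeout would drop it."""
    lifetime = session_lifetime_seconds(profile, units_param_honored)
    return lifetime < firewall_idle_timeout_s, lifetime

# Constructed `netstat -an` lines: Access Server 10.0.2.10 on port 8888,
# WebGate hosts 10.0.1.21 and 10.0.1.22, plus an unrelated SSH session.
NETSTAT_SAMPLE = """\
tcp  0  0 10.0.2.10:8888  10.0.1.21:40112  ESTABLISHED
tcp  0  0 10.0.2.10:8888  10.0.1.21:40113  ESTABLISHED
tcp  0  0 10.0.2.10:8888  10.0.1.22:50001  ESTABLISHED
tcp  0  0 10.0.2.10:8888  10.0.1.22:50002  TIME_WAIT
tcp  0  0 10.0.2.10:22    10.0.9.9:61000   ESTABLISHED
"""

def established_per_client(netstat_text, server_port=8888):
    """Count ESTABLISHED connections to server_port, grouped by client host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "ESTABLISHED":
            continue
        if parts[3].rsplit(":", 1)[1] == str(server_port):
            counts[parts[4].rsplit(":", 1)[0]] += 1
    return dict(counts)

def excess_clients(counts, expected_per_webgate):
    """Hosts holding more connections than the profile should keep open: a
    steadily growing set is the 'zombie connection' symptom in the comments."""
    return {h: n for h, n in counts.items() if n > expected_per_webgate}
```

Run `established_per_client` against real `netstat -an` output on the Access Server at intervals; a per-host count that climbs well past the profile's max connections points at connections the firewall dropped but the server never closed.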