To configure secure logoff

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the details pane, click the applicable Web publishing rule that uses HTML forms-based authentication.

  3. On the Tasks tab, click Edit Selected Rule.

  4. On the Application Settings tab, in the Published server logoff URL field, type the string that is used in the logoff link on the published Web page to indicate a logoff request, for example, ?Cmd=logoff, or logoff=1.

  5. Click OK.

  6. On the Listener tab, click Properties.

  7. On the Forms tab, click Advanced.

  8. Under Cookie Settings, you can provide a name for the cookie that Forefront TMG provides to the client after forms-based authentication succeeds. From the drop-down list you can select whether the cookies are persistent (continue to exist on the client after the session ends) on all computers, only on private computers, or never.

  9. For Ignore browser IP address for cookie validation, set whether you want to allow clients to use the same cookie from different IP addresses. For example, requests from a single client may appear to come from different IP addresses, such as when there is a load balancer between the client and Forefront TMG.

  10. Under Client Security Settings, select:

    • Treat as maximum idle time, to set a time-out period based on the amount of time that the client is idle.

    • Treat as maximum session duration, to set a time-out period based on the session length. Then provide time-out periods for public and private computers, which will be used to establish the maximum idle time or maximum session length.

    • Apply session timeout to non-browser clients, to apply the session time-out period to clients that are not browser-based (such as Outlook RPC/HTTP and ActiveSync).

  11. Click OK, click OK again, and then click OK again.

  12. In the details pane, click the Apply button to save and update the configuration, and then click OK.

  • When Forefront TMG receives the configured logoff URL in a user request, it logs off the user, removes the authentication cookie from the client computer, and notes that the cookie has been revoked. Forefront TMG then presents the logoff page to the user, indicating that the logoff has taken place successfully.

  • Non-persistent cookies are removed from the client computer when all of the browser windows are closed (ending the browser process) or when the user logs off the computer. Persistent cookies remain on the computer after the browser window has been closed and are only removed when the user logs off the computer. You can also configure a maximum idle time, so that if a user abandons a computer and leaves the browser open and inactive, the cookie will automatically expire.

  • If you select to use persistent cookies, you can specify whether they are used on public computers or private computers. Note that when logging on, the user indicates whether logging on from a public or private computer.

  • On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.

  • Use persistent cookies to allow opening documents from Microsoft Windows SharePoint Services without requiring users to provide credentials again. However, we recommend enabling persistent cookies on private computers only.

  • As an additional measure to avoid security issues associated with cookies, we recommend that you create a logoff process that removes the cookies, and train corporate users to log off each time they leave a public computer. The logoff process should be triggered by clicking a link or button on the corporate Web page.

  • When a session reaches the end of its time-out period, clients are required to log on to the session using their user credentials.

  • When you configure the time-out period for forms-based authentication, we recommend that the time-out period be shorter than that imposed by the published server. If the published server times out before Forefront TMG, the user may mistakenly think that the session ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by Forefront TMG as configured in the form setting.

Related Topics

Copyright © 2009 by Microsoft Corporation. All rights reserved.