Looking for some suggestions for how others are using Timeout Policies. We have experimented with several options from hours to days but have yet to find an option that meets all our needs. One complaint we sometimes get is that Timeout occurs while the user is in the middle of performing some function in an application and they potentially lose some progress. Or worse, someone from a customer support team is on a call with a customer and temporarily loses access to an application needed to support the customer. With our previous VPN application this was never an issue as it needed to be manually launched and authenticated to. So users would launch the VPN app at the beginning of their shift and authenticate, and then they would be good for the rest of their work day. It would be ideal if we could somehow refresh the timeout period when the user starts their shift.
guess this depends on your exact security policy
but a general easy way to handle "timeout happens in the middle of my work" is probably to go for a longer timeframe
i wouldn't go much shorter than 12h (so a full working day of employee is covered) and not much longer than 7 days
Good question Joe!
I'm curious on other responses here.
We are currently using the 7 day timeout for general domain resources but Financial App Segment might be configured for 12 hours in the near future.
I haven't tested the option in mobile portal "Automatically Attempt ZPA Reauthentication", has anyone here?
G
i have it set but ZPA still ends up on "auth required" state and i need to click on that; just can't remember if this always happens after timeout or only every n'th time
We have automatic reauth enabled, but since we also require MFA the user still has to interact with the client. In our case it basically just prevents the user from having to click the Authenticate button in the ZCC. Depending on how your MFA works, it may also result in users getting unexpected MFA requests on their phone. We use DUO MFA, and when the ZPA timeout occurs (even if the user is not at their machine) it will send a push to their phone.
It would be good if we could force a re-auth at "next reboot" or "next login" after the re-auth timer has expired.
This would stop someone's access being interrupted in the middle of the day and causing them problems.
Funky idea Gordon, now you've got me thinking of a new Enhancement Request
I'll honestly be happy with a ZCC 10 minute advance warning of session timeout with the ability of "one-time" to snooze for x minutes (configurable in App Profile like ZIA re-enable security).
This could address Joe's requirements but also help with ours.
G
I like this idea as well.
the biggest issue in that regard is the fact that this "auth required" info can very easily be overlooked.
In worst case it is only a small red dot in the tasktray (and the user decided to not show that icon)
-> in result user annoyed, one more unnecessary ticket.
Some optional setting like "if auth timeout reached - popup ZCC in front and demand reauth … without breaking any existing connection for a configurable grace time."
That would make the issue "undeniably visible" to even the most ignorant user and give him some time to react before ZCC "cuts the wire" so to say.
I think the timeout warning is a great idea. Ideally the timeframe would be configurable. Something like "Your Zscaler session will expire in X minutes, click 'Re-Authenticate' now to avoid service interruption." And have the "Re-Authenticate" button right in the popup warning.
Please back ER-12149 if it meets your requirements
Thank you to this thread for the inspiration
Use case:
User's ZPA session is about to timeout for Re-authentication during important customer interaction which requires information to be entered in a database using ZPA. Timeout causes temporary loss of connection while entering crucial data.
Enhancement request:
ZPA user receives a ZCC notification popup 10 minutes prior to ZPA timeout with the ability to perform a "one-time" snooze option for x amount of minutes. The x amount of minutes can be configured in the App Profile like the "Reactivate Internet Security After (In Mins)"
Justification:
This enhancement request will avoid user impact during critical time window without losing ZPA connection.
G
Hi G-Man8,
i'd probably rephrase the ER a bit
from
"ZPA user receives a ZCC notification popup"
to
"ZCC should be brought in front of all other windows showing a warning that ZPA access is about to expire"
Notifications/popups can easily be overlooked (think "afk because of biological needs"); only if ZCC is in front waiting on the user to action it is obvious enough.
Then the user can either quickly click "get out of my way for the next 10 min" or reauth right there.
tS
Hi Thomas,
Valid point and happy to amend.
We are planning to use the new "Notification Framework" once we move to ZCC 3.8 for that reason.
I find the notifications much clearer without Win 10 interfering.
G
using that as well already (recently started with global 3.8.0.102 rollout)
But the notifications are not "sticky on top" nor do they force the user to react.
Combine that with "hidden tasktray icon" and the result is a SD ticket for "ZPA kicked me out yaddayadda"…
Since it was not obvious to me when we first set up our timeout policy, the timeout setting is per application. So if you have some app segments you don't want to timeout (SCCM & NTP for example), you can allow that to continue communicating even when ZCC shows reauthentication is needed.
@joe.van has a good point which I've missed!
I guess the correct Zscaler approach will be to exclude this "critical" or time sensitive App Segment/Segment group to "Never timeout". I'm guessing the ER might be ignored then
i would not be so sure about that ER getting ignored
There seems to be at least one other ER (besides 12149 you mentioned) which seemingly gets more and more traction, ER-6955.
Just pester your TAM to be added to the requester list for that
The more customers requesting some options for "ZPA shall not break user sessions, ever" the better.
For anyone wondering, the notification feature seems to be coming in 4.2 ZCC