Outlook Web Access Time-out Settings in Exchange Server

There are many reasons why time-out settings exist in corporations and why they’re essential to both the security of a company and the business over all. An instance of when time-out settings become necessary are, for example, an employee getting let go or fired. As a company, you wouldn’t want that employee being able to access their documents or emails, and you would normally take away all their hardware that belongs to the company. However, what happens with applications like Outlook and their web application where they have a time-out setting that can be as long as 8 hours. A disgruntled employee could easily access their account, if they’re already logged into it from say, their mobile phone or their personal PC, for hours after being disassociated with the company.

Here are some key points and things to keep in mind for the OWA timeout policy in Exchange Server.

This article discusses authentication time-out values for Microsoft Outlook Web Access (OWA).

Time-out values for an OWA session

Users are automatically logged off OWA after a period of inactivity. The time-out period of an OWA session depends on whether a user selects the This is a public or shared computer option or the This is a private computer option when the user logs on to OWA.

By default, the time-out values are set in Microsoft Exchange as follows:

Option                                                            Time-out value

This is a public or shared computer     The OWA session ends, and the user is automatically logged off after 15 minutes of inactivity.

This is a private computer                   The OWA session ends, and the user is automatically logged off after 8 hours of inactivity.

However, be aware that there are circumstances that override these default values. If a company uses two-factor authentication, an authentication server is located in front of the OWA server. Although a user’s session may time out against a particular authentication server, the user’s session in OWA remains active until the time-out setting for the logon option that the user selected is reached.

To configure the idle session time-out period for Outlook Web Access clients:

1. In the Forefront TMG Management console tree, click Firewall Policy.
2. In the task pane, click the Toolbox tab.
3. On the Toolbox tab, click Network Objects, expand Web Listeners, and select the applicable Web listener.
4. On the toolbar beneath Network Objects, click Edit.
5. On the Forms tab, click Advanced.
6. Under Client Security Settings, select Treat as maximum idle time.
7. In Timeout for public computers (minutes), set the maximum time that users can remain idle on public computers before they are disconnected.
8. In Timeout for private computers (minutes), set the maximum time that users can remain idle on trusted private computers before they are disconnected.
9. Click OK to close Advanced Form Options, and then click OK again to close the Web listener properties.
10. In the details pane, click the Apply button to save and update the configuration, and then click OK.

Lastly, you can also use Powershell to make the change and adjust the timeout value. See command below:

Set-organizationconfig –ActivityBasedAuthenticationTimeoutEnabled $true-ActivityBasedAuthenticationTimeoutInterval 00:05:00 -ActivityBasedAuthenticationTimeoutWithSingleSignOnEnabled $true

Alisha Khan, PEI