Timeouts and End Users
Why Do My End Users Have a Timeout in Your VRL Cloud? They're used to keeping their clients open overnight
Updated: Friday, 05 November 2021 at 09:43AM
Author: Eric Vasbinder
Our VRL connection mechanism is designed to provide robust, powerful access to your Vista ERP from nearly anywhere in the world. VRL uses HTTPS, the same connection standard as banking web sites. In fact, VRL was designed, in many ways, to operate similarly to Microsoft Outlook connecting to Office 365 over HTTPS, but with the added security considerations of a full ERP.
As an ERP, Vista holds the keys to your kingdom, and thus needs to adhere to security standards and requirements that are more stringent than those of an email client.
In the past, when on-premise some of our customers would have their users
We totally hear your concerns. This is absolutely a change for your end users and how they operate. Several years ago, we had a number of internal discussions around how we’d handle this situation for customers. As such, we investigated this process thoroughly prior to landing on our current standards for timeouts. At the end of the day, it boiled down to a few critical factors:
A. Our infrastructure partners, both in Azure and in the predecessor that we used, had limits on the maximum time that port 443 HTTP connections might be left open with no traffic.
B. The security compliance standards that were so critical for the industry as a whole, and for our customers specifically, required that we have reasonable timeouts for sessions where users are not present.
We then looked into “keep alive” traffic so as to eliminate point “A” as a concern. However, we realized very quickly that not only would we put our SOC2 compliance effort at serious risk, but that the potential performance impact on the VRL connection from a number of stale connections could be significant. These security concerns around holding the connection open were also amplified recently by our efforts to adhere to the even more stringent CMMC security standard, designed to assist our customers who perform work for the DoD.
Given all of this, an effort to change the timeouts to be longer than approximately 30 minutes would be ineffective due to Azure limitations today, and if we attempted to work around those, we would lose our security certifications.