An Outlook Web Access (OWA) client session in Microsoft Internet Security and Acceleration (ISA) Server 2004 may time-out before the idle session time-out period that you configure in ISA Server 2004. This article describes why this behavior may occur.

When you publish OWA through Microsoft ISA Server 2004 by using forms-based authentication, you can configure the idle session time-out period for client computers. You can do this by entering a time value in the Idle Session Timeout area for public computers and private computers. However, the client session may time-out before the idle session time-out period that you configure in ISA Server 2004.

The idle session time-out is configured in ISA Server 2004 by converting the total time-out period into three session renewal periods. ISA Server 2004 divides the idle session time-out period by three to create the session renewal period.

Additionally, a session key is used to decrypt the client cookies that are created for each client session. ISA Server 2004 stores three keys at a time in the buffer. When the client computer provides a cookie that any of the keys in the buffer cannot decrypt, ISA Server 2004 closes the client session.Therefore, the idle time that causes the client session to time-out can be any value between 2*Idle Session Timeout period/3 and Idle Session Timeout period. For example, when you configure the idle session time-out period to be 30 minutes, the client session may time-out when the idle time is between to 20 minutes or 30 minutes.