I am running the latest Beta Warp Client (2022.2.116.1). Can someone help explain how “Enforce WARP client session duration” works? I have tried to enable it at varying durations on various resources (web, smb, rdp, tcp) and the “success” splashscreen pops up, but access to the specific resource is denied. Sometimes a faint flicker of a window pops and immediately disappears if the resource makes multiple connections in succession.
In my head, it works as follows:
- Set policy to “enforce warp client session duration” to 30 min.
- I try to access resource
- login prompt to auth provider (AzureAD) pops up
- I enter and validate AzureAD credentials
- access to resource is permitted.
- 45 min later, I try to access same resource
- login prompt to auth provider (azuread) pops up
- access to resource is permitted
repeat 7-10 after 30+ min between sessions
Is that not how this works?
Finally resolved this through Cloudflare support.
from Cloudflare support:
You have enabled the Include-Only mode, and this is why the re-authentication is not supported.
When you use the Split Tunnels Include-only mode to instruct the WARP client to only handle traffic to a specified set of IP addresses or domains. Any traffic that is not included by IP address or domains defined in the Split Tunnel Include configuration will be ignored by the WARP client and handled by the local machine. Use this mode when you only want specific traffic processed by Gateway, such as when using Tunnels for a specific resource.
As a workaround, they recommended following one of the next steps:
*.cloudflareaccess.com in the split tunnel configuration so that requests to the Access domain go inside the tunnel.
I added *.cloudflareaccess.com in the split tunnel configuration and it worked.