Clientless SSO STAS logoff detection vs dead entry timeout clarification needed

Please bear with me, I am a 1-man IT band, and am NOT a "Firewall" guy. :-)

Background:

Simple Network:

  • 2 Active Directory Domain controller Servers (for redundancy) w/ STAS Suite loaded on BOTH controllers.
  • 1 XG Sophos Firewall XG 230

I am in the process of setting up a new Sophos XG 230 for our business, and decided that "Clientless SSO Authentication w/ AD" sounded the best? (I THINK)?

I have it up and running, BUT was dealing with some issues with a test workstation being disconnected within minutes of logging on, even though I had "Dead Entry Timeout" selected on the STAS Suite for 2 hours (for testing).  Within minutes of logging on (and showing up under "Live Connections"), the workstation would suddenly drop off the list.  If I "logoff" or even "Lock" the workstation and log back in... it works again for a few minutes.


After working with support for some time, I noticed that if I set "Dead entry timeout" on the AD Domain Controllers' STAS Suite to 0 (disabled), this no longer happened and the user would stay connected indefinitely.  I previously had it set for 2 hours (just for testing).

BUT... I noticed in the Sophos Article: "Sophos Firewall: Clientless Single Sign-On in a Active Directory Domain Controller Environment" it states:

Note:

  • Ensure Logoff Detection and Dead Entry Timeout are not simultaneously disabled because users will remain live in the STAS DB.  (which is what I just did in order to rectify my problem of my test workstation getting dropped off every few minutes).

Question to you guys MUCH smarter than I:  What is the most FOOL PROOF, dependable, way to setup SSO w/ AD authentication (As far as logging off workstations that sit idle for an extended period)?

  • Logoff Detection? (On STAS Suite on AD Domain Controllers)?
  • Dead entry timeout? (on STAS Suite on AD Domain Controllers)?
  • "Enable User Inactivity"? (on Sophos XG firewall)?

- Which one? Or a combination?

Again, my only concern is that I am not missing some Security hole, or Performance issue by leaving users connected indefinitely on either the XG firewall or STAS Suite (DC's).

Long story short, I am looking to see what you guys with MUCH more KNOWLEDGE than I recommend for SSO w/ AD integration settings. (especially pertaining to Logoff due to idle time).

THANKS!

  • Hi Jarrod,

    User logoff detection works in conjunction with the Windows WMI queries to detect a logoff entry. Read the KBA here for further information. Alongside, ‘Dead entry timeout’ is independent of whether the Logoff Detection is enabled or not. Using Dead Entry Timeout in STAS, an administrator can configure the time period (in hours) after which a user is to be logged out from the XG. After user login, on completion of the specified time period, the user is automatically logged out. 

    One of the most interesting: the user inactivity timeout is necessary for a Single Sign On implementation to get accurate reporting about a user's activity. Users at their workplace do not shut down their systems at the end of their shifts. If a user is configured for Single Sign On, whenever the user logs on to Windows, he/she is automatically logged in to the appliance. So, in the XG Live User page, users will remain logged in till the next time he/she logs into the Windows Domain. This would result in showing the user on the Live User page for many days without any logoff. To avoid such a situation, the ‘Inactivity Time’ parameter for STAS settings must be configured.

    Hope that helps.

  • Thank you for the reply...

    Here is what I was "THINKING" would work... PLEASE let me know if you think this is a good option or if there is a better solution/approach!

    Implementation Ideal:

    • Enable: "Dead entry timeout" set for 9 hours (this way the user should stay logged in all day, but will eventually be logged off after work hours). NOTE: Should this be set on BOTH DCs or just the primary?
    • Enable: "Enable User Inactivity" on Sophos XG Firewall. 

    Question:

    • Do these 2 settings work well together?  Or should I use a different combination?

    NOTE: whatever settings I use, I am trying to avoid adding exceptions or software to the workstations (just due to limited time, and to avoid creating more possible issues/security holes).  Just want a reliable solution that is stable and easy to implement.

    Thanks again!

  • Hi Jarrod,

    I think it is a good configuration to go with, but the perfect one will only come after several permutations, learning the needs of your network. This shall give you an inch inside the reporting section; alongside, it will also automatically sign out the users after 9 hours.

    Thanks
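As an added illustration (not Sophos code and not from anyone in this thread), the following Python model walks a clock through the three mechanisms the replies describe and reports which one removes the user from the live table under the settings proposed above; the timer semantics, the 60-minute inactivity value and the traffic trace are assumptions.

```python
# Simplified model of the three logoff mechanisms discussed in this thread
# (added illustration, not Sophos code; timer semantics are assumptions):
#   logoff detection   (STAS) -> user removed when a WMI logoff probe reports it
#   dead entry timeout (STAS) -> user removed N hours after logon, 0 = disabled
#   inactivity timeout (XG)   -> user removed after N idle minutes, 0 = disabled
# Times are minutes since midnight; all traffic events are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Settings:
    logoff_detection: bool
    dead_entry_timeout_h: int
    inactivity_timeout_min: int

def logoff_minute(settings, logon, events, end):
    """Walk the clock from logon to end; return (minute, reason) at which the
    user leaves the live-user table, or (None, "still live")."""
    by_minute = defaultdict(set)
    for minute, kind in events:           # kind is "traffic" or "wmi_logoff"
        by_minute[minute].add(kind)
    last_activity = logon
    for minute in range(logon, end + 1):
        kinds = by_minute[minute]
        if "traffic" in kinds:
            last_activity = minute        # traffic through the XG resets the idle timer
        if settings.logoff_detection and "wmi_logoff" in kinds:
            return minute, "logoff detection"
        if settings.dead_entry_timeout_h and minute - logon >= settings.dead_entry_timeout_h * 60:
            return minute, "dead entry timeout"
        if settings.inactivity_timeout_min and minute - last_activity >= settings.inactivity_timeout_min:
            return minute, "inactivity timeout"
    return None, "still live"

def traffic(start, stop, every=10):
    """Constructed sample: one traffic event every `every` minutes."""
    return [(m, "traffic") for m in range(start, stop + 1, every)]

def compare_settings():
    logon, end = 8 * 60, 32 * 60              # 08:00 today .. 08:00 tomorrow
    busy_day = traffic(logon, 16 * 60 + 30)   # active until 16:30, never logs off
    proposed = Settings(True, 9, 60)          # thread's plan: 9 h dead entry; 60 min idle is assumed
    return {
        "both_disabled": logoff_minute(Settings(False, 0, 0), logon, busy_day, end),
        "dead_entry_2h_only": logoff_minute(Settings(False, 2, 0), logon, busy_day, end),
        "proposed_busy_day": logoff_minute(proposed, logon, busy_day, end),
        "proposed_idle_from_noon": logoff_minute(proposed, logon, traffic(logon, 12 * 60), end),
        "proposed_real_logoff": logoff_minute(proposed, logon, busy_day + [(16 * 60, "wmi_logoff")], end),
    }
```

The "both_disabled" case is the state the KB note warns about: nothing ever removes the user, while the proposed combination removes them by whichever of the three triggers fires first.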