
Changing retry timeout for remote client connection 2


damhna

MIS
Sep 6, 1999
57
US
Hi,

Situation is as follows.
My client dials in to our CP Firewall 1.
The dialer starts secure remote to establish a tunnel.
Client launches the citrix app which prompts secure remote to request authentication.
Client will login

My problem is this.
I am unwilling to have the secure remote password cached.
While the user is typing his username and password the background ICA client will decide it can't see a Citrix server and proceeds to finish with an error.

It's not a huge problem but what I think is required is a longer timeout set for trying to establish a connection to a Citrix server.

Anyone know how to accomplish this?
Paul O'Connor
damhna@hotmail.com
 
There are two registry keys which I believe address the issue you face, which are covered in this excerpt, which I have edited slightly for legibility:

From Citrix Knowledge Base article CTX703737 (although this is not the only document that covers these keys - it just happened to be the first I encountered when I searched on the key name!)


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix

The ICA keep-alive values are:

IcaEnableKeepAlive: REG_DWORD: 0 or 1 When this value is 0, ICA keep-alives are disabled. When this value is set to 1, ICA keep-alives are enabled. The IcaEnableKeepAlive is set to 1 by default.

IcaKeepAliveInterval: REG_DWORD: If the IcaEnableKeepAlive value is 1, this value controls the frequency at which ICA keep-alives are sent to the client. Sixty seconds is the default interval if this value is not defined but IcaEnableKeepAlive is set to 1.

The time that elapses between an ICA broken client connection and the MetaFrame server disconnect (or reset) event may be longer than the IcaKeepAliveInterval.

For instance, suppose the IcaKeepAliveInterval is set to 15 seconds. A client's ICA WAN connection is dropped at 12:00:00. The server may not put the session into a disconnected (or reset) state until sometime after 12:00:15, although the session usually disconnects (or resets) approximately within the IcaKeepAliveInterval +2 minutes.

This is because the TSE TCP/IP stack retransmits the ICA keep alive packet a number of times at increasing intervals before timing out. When the TCP/IP stack finishes its retransmissions, the session is disconnected (or reset).

The TCP/IP retransmission is controlled by the Windows Terminal Server TcpMaxDataRetransmissions registry value. See Microsoft Knowledgebase Articles Q120642 and Q170359 for more information.
 
That's certainly a step further in the right direction.
I wonder that there is not a Citrix solution however.

To recap:
1. Client laptop dials ISP and connects to Internet
2. Citrix Custom Connection launched on laptop. Citrix Connection type set to WAN
3. Checkpoint's Secure Remote VPN Authentication box is automatically launched as the Citrix ICA Client tries to connect to our CITRIX server behind our Checkpoint FW.
4. While the user is entering his/her authentication details to pass through our firewall, a Citrix error is displayed indicating that the Citrix Client App has been unable to find our Citrix Server.

How do we increase the time interval of the Citrix Client Browse to the Citrix Server so that the user will be able to enter their authentication details and pass through our firewall, without receiving the Citrix error and hence finding our CITRIX Server?
Paul O'Connor
damhna@hotmail.com
 
I'd guess the answer is the same; The Citrix server needs to wait longer for a response from the client, so I'd set the TCPMaxDataRetransmissions counter appropriately.

There are many reasons why one might need to edit these keys - and many documents that refer to them, so I tend to update TCPMaxDataRetransmissions as a matter of course if remote connections are used. A packet sniffer is useful for this purpose.

Sometimes what appears to be a timeout can be an inability of the client to resolve a servername. This can be fixed by inserting a servername or IP address in the Server Location field in the client. I have found this to work in many "Citrix Server can not be located" situations.

Have you considered using NFuse to publish Applications and/or desktops into the users' web browsers? You'd still use the firewall, but it would just "guard" the proxy server. And your users would simply surf for the LAN like they would for any other website.

NFuse also has timeout issues, but Citrix generally recommend these reghacks to fix them. As I pointed out above, the document I pointed you to was simply one that stated the hack, not detailed the problem.

I hope this helps
 
As standard we insert the IP in the server field and indeed it resolves the "Citrix Server can not be located" errors.

The error received while the user is typing in his secure remote password is "unable to connect to Citrix Server".

Your answers have helped me in trying to address the issue and I'll certainly have a look at the NFUSE product.

Are you aware of any adverse implications of increasing the timeout parameters on Terminal Server?

Just to point out to anyone else who might happen upon the thread it is possible to avoid the issue by using "Set Password" within Secure Remote. Naturally there are security implications.

Thanks for the help.
Paul O'Connor
damhna@hotmail.com
 
Sorry to raise this again but I'm still having something of a conceptual problem with the solution you recommend.

My problem is this.

The ICA client will never actually communicate with the Citrix server because the pathway will not have been established by Secure remote.

So changing settings on my Terminal server for TCP properties shouldn't make any difference.

What I believe I need is some way to configure the timeout on the client side (Client being Win9x).
Paul O'Connor
damhna@hotmail.com
 
As far as I know, there are no settings in the client to adjust timeouts.

One possibility would be to use the Asynchronous connection, rather than the WAN connection in the client.

This way, the client dials the number and waits for authentication onto the LAN before attempting to connect to the Citrix server.

I hope this helps.
 
You can change the default timeout at the client end by editing the user's local copy of appsrv.ini. This file holds all of the program neighbourhood settings and some others beside; learning how to manipulate this file allows you to do some pretty useful stuff, but in relation to this problem you need to alter the

BrowserTimeout=xxxx key to reflect the number in milliseconds you require. I believe the default is 1000; have a play around with the settings to see what would suit you best.

Hope this is a) on the right track, and b) helps ;-)

 
Hi,
Is there a way to reset or to disconnect a Citrix user when the connection is idle for a certain time? I did set the Idle time in the user configuration, but it does not work! Remote users can not access the Citrix server due to licensing limit, and many users idle for hours. Any idea will be greatly appreciated...
 
As Nosferatu pointed out you can change the BrowserTimeout-value in appsrv.ini. In the same file you can also change the value BrowserRetry to set how many times the ICA client tries to connect before it gives up.
Hope this helps

/Hof
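
The client-side change described in the last two answers, as an added example that is not part of the original thread or any Citrix tooling: a line-preserving editor that sets BrowserTimeout and BrowserRetry in appsrv.ini, so the Secure Remote password can stay uncached while the user types it. The [WFClient] section name, the sample file and the values 5000 and 6 are assumptions made for illustration.

```python
import re

SECTION = "WFClient"  # assumption: section that holds the browse settings

def set_ini_keys(text, section, updates):
    """Apply `updates` inside [section], leaving every other line untouched.
    Section and key names are matched case-insensitively."""
    pending = {k.lower(): f"{k}={v}" for k, v in updates.items()}
    out, in_section, seen = [], False, False

    def flush():
        # Add keys that were missing, ahead of the section's trailing blanks.
        tail = []
        while out and not out[-1].strip():
            tail.append(out.pop())
        out.extend(pending.values())
        pending.clear()
        out.extend(reversed(tail))

    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            if in_section:
                flush()
            in_section = header.group(1).lower() == section.lower()
            seen = seen or in_section
        elif in_section and "=" in line and not line.lstrip().startswith(";"):
            key = line.split("=", 1)[0].strip()
            if key.lower() in pending:
                # Keep the file's own spelling of the key, replace the value.
                value = pending.pop(key.lower()).split("=", 1)[1]
                line = f"{key}={value}"
        out.append(line)

    if in_section:
        flush()
    elif not seen:
        out.append(f"[{section}]")
        flush()
    return "\r\n".join(out) + "\r\n"

def extend_browse_window(text, timeout_ms, retries):
    return set_ini_keys(text, SECTION,
                        {"BrowserTimeout": timeout_ms, "BrowserRetry": retries})

# Constructed sample, not a real appsrv.ini.
SAMPLE = ("[WFClient]\r\nVersion=2\r\nbrowsertimeout=1000\r\n\r\n"
          "[ApplicationServers]\r\nPayroll=\r\n")

if __name__ == "__main__":
    print(extend_browse_window(SAMPLE, 5000, 6))
```

Back up the user's appsrv.ini before writing the result over it, and apply the change with the ICA client closed.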
 