Jan. 07, 2016
Maintaining session activity is critical to providing the best user experience. Losing connectivity due to unreliable networks, highly variable network latency, and range limitations of wireless devices can lead to user frustration. Being able to move quickly between workstations and access the same set of applications each time they log on is a priority for many mobile workers such as health-care workers in a hospital.
The Logon interval section describes how to change the default setting.
You can also log a user off a session, disconnect a session, and configure session prelaunch and linger; see the Manage Delivery Groups article.
Session Reliability keeps sessions active and on the user’s screen when network connectivity is interrupted. Users continue to see the application they are using until network connectivity resumes.
This feature is especially useful for mobile users with wireless connections. For example, a user with a wireless connection enters a railroad tunnel and momentarily loses connectivity. Ordinarily, the session is disconnected and disappears from the user’s screen, and the user has to reconnect to the disconnected session. With Session Reliability, the session remains active on the machine. To indicate that connectivity is lost, the user’s display freezes and the cursor changes to a spinning hourglass until connectivity resumes on the other side of the tunnel. The user continues to access the display during the interruption and can resume interacting with the application when the network connection is restored. Session Reliability reconnects users without reauthentication prompts.
Citrix Receiver users cannot override the Controller setting.
You can use Session Reliability with Transport Layer Security (TLS). TLS encrypts only the data sent between the user device and NetScaler Gateway.
Enable and configure Session Reliability with the following policy settings:
If you use both Session Reliability and Auto Client Reconnect, the two features work in sequence. Session Reliability closes, or disconnects, the user session after the amount of time you specify in the Session reliability timeout policy setting. After that, the Auto Client Reconnect policy settings take effect, attempting to reconnect the user to the disconnected session.
With the Auto Client Reconnect feature, Citrix Receiver can detect unintended disconnections of ICA sessions and reconnect users to the affected sessions automatically. When this feature is enabled on the server, users do not have to reconnect manually to continue working.
For application sessions, Citrix Receiver attempts to reconnect to the session until there is a successful reconnection or the user cancels the reconnection attempts.
For desktop sessions, Citrix Receiver attempts to reconnect to the session for a specified period of time, unless there is a successful reconnection or the user cancels the reconnection attempts. By default, this period of time is five minutes. To change this period of time, edit this registry value on the user device:
HKLM\Software\Citrix\ICA Client\TransportReconnectRetryMaxTimeSeconds; DWORD;<seconds>
where <seconds> is the number of seconds after which no more attempts are made to reconnect the session.
Enable and configure Auto Client Reconnect with the following policy settings:
Auto Client Reconnect incorporates an authentication mechanism based on encrypted user credentials. When a user initially logs on, the server encrypts and stores the user credentials in memory, and creates and sends a cookie containing the encryption key to Citrix Receiver. Citrix Receiver submits the key to the server for reconnection. The server decrypts the credentials and submits them to Windows logon for authentication. When cookies expire, users must reauthenticate to reconnect to sessions.
Cookies are not used if you enable the Auto client reconnection authentication setting. Instead, users are presented with a dialog box requesting credentials when Citrix Receiver attempts to reconnect automatically.
For maximum protection of user credentials and sessions, use encryption for all communication between clients and the Site.
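The cookie flow described above, modeled as an added example (not Citrix code): the server keeps only ciphertext in memory, the decryption key travels in the cookie, and an expired cookie or the authentication setting forces a credential prompt. The XOR one-time pad, the `Server` class, its method names and the sample account are assumptions made for illustration; the page does not describe the product's cipher or data structures.

```python
import secrets

# Constructed model: the XOR one-time pad and all names here are illustrative assumptions.
def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, key))

class Server:
    def __init__(self, cookie_lifetime: int, require_reauth: bool = False):
        self.cookie_lifetime = cookie_lifetime
        self.require_reauth = require_reauth      # models the authentication policy setting
        self._accounts = {b"alice": b"S3cret!"}   # constructed sample account
        self._store = {}                          # session id -> (ciphertext, expiry)

    def _windows_logon(self, blob: bytes) -> bool:
        user, _, password = blob.partition(b"\0")
        expected = self._accounts.get(user)
        return expected is not None and secrets.compare_digest(expected, password)

    def initial_logon(self, user: bytes, password: bytes, now: int):
        blob = user + b"\0" + password
        if not self._windows_logon(blob):
            return None, None
        sid = secrets.token_hex(8)
        if self.require_reauth:
            return sid, None                      # no cookie is issued
        key = secrets.token_bytes(len(blob))
        self._store[sid] = (_xor(blob, key), now + self.cookie_lifetime)
        return sid, key                           # the key leaves the server inside the cookie

    def reconnect(self, sid: str, cookie_key, now: int) -> str:
        entry = self._store.get(sid)
        if entry is None or now >= entry[1]:
            self._store.pop(sid, None)            # expired, or no cookie was ever issued
            return "prompt-for-credentials"
        if cookie_key is None or len(cookie_key) != len(entry[0]):
            return "denied"
        ok = self._windows_logon(_xor(entry[0], cookie_key))
        return "reconnected" if ok else "denied"

def demo() -> dict:
    srv = Server(cookie_lifetime=300)
    sid, cookie = srv.initial_logon(b"alice", b"S3cret!", now=0)
    tampered = bytes([cookie[0] ^ 1]) + cookie[1:]
    strict = Server(cookie_lifetime=300, require_reauth=True)
    sid2, cookie2 = strict.initial_logon(b"alice", b"S3cret!", now=0)
    return {
        "valid_cookie": srv.reconnect(sid, cookie, now=60),
        "tampered_cookie": srv.reconnect(sid, tampered, now=61),
        "expired_cookie": srv.reconnect(sid, cookie, now=300),
        "auth_setting_enabled": strict.reconnect(sid2, cookie2, now=60),
    }
```

In this model the cookie is the only thing needed to reconnect while it is valid, which is why the transport that carries it should be encrypted.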
Disable Auto Client Reconnect on Citrix Receiver for Windows by using the icaclient.adm file. For more information, see the documentation for your Citrix Receiver for Windows version.
Settings for connections also affect Auto Client Reconnect:
Enabling the ICA Keep-Alive feature prevents broken connections from being disconnected. When enabled, if the server detects no activity (for example, no clock change, no mouse movement, no screen updates), this feature prevents Remote Desktop Services from disconnecting that session. The server sends keep-alive packets every few seconds to detect if the session is active. If the session is no longer active, the server marks the session as disconnected.
Note: ICA Keep-Alive works only if you are not using Session Reliability. Session Reliability has its own mechanisms to prevent broken connections from being disconnected. Configure ICA Keep-Alive only for connections that do not use Session Reliability.
ICA Keep-Alive settings override keep-alive settings that are configured in Microsoft Windows Group Policy.
Enable and configure ICA Keep-Alive with the following policy settings:
The default interval is 60 seconds: ICA Keep-Alive packets are sent to user devices every 60 seconds. If a user device does not respond in 60 seconds, the status of the ICA sessions changes to disconnected.
Workspace control lets desktops and applications follow a user from one device to another. This ability to roam enables a user to access all desktops or open applications from anywhere simply by logging on, without having to restart the desktops or applications on each device. For example, workspace control can assist health-care workers in a hospital who need to move quickly among different workstations and access the same set of applications each time they log on. If you configure workspace control options to allow it, these workers can disconnect from multiple applications at one client device and then reconnect to open the same applications at a different client device.
Workspace control affects the following activities:
Workspace control is available only for Citrix Receiver users who access desktops and applications through a Citrix StoreFront connection. By default, workspace control is disabled for virtual desktop sessions, but is enabled for hosted applications. Session sharing does not occur by default between published desktops and any published applications running inside those desktops.
User policies, client drive mappings, and printer configurations change appropriately when a user moves to a new client device. Policies and mappings are applied according to the client device where the user is currently logged on to the session. For example, if a health care worker logs off from a client device in the emergency room of a hospital and then logs on to a workstation in the hospital’s x-ray laboratory, the policies, printer mappings, and client drive mappings appropriate for the session in the x-ray laboratory go into effect at the session startup.
You can customize which printers appear to users when they change locations. You can also control whether users can print to local printers, how much bandwidth is consumed when users connect remotely, and other aspects of their printing experiences.
For information about enabling and configuring workspace control for users, see the StoreFront documentation.
By default, sessions roam between client devices with the user. When the user launches a session and then moves to another device, the same session is used and applications are available on both devices. The applications follow, regardless of the device or whether current sessions exist. In many cases, printers and other resources assigned to the application also follow.
While this default behavior offers many advantages, it might not be ideal in all cases. You can prevent session roaming using the PowerShell SDK.
Example 1: A medical professional is using two devices, completing an insurance form on a desktop PC, and looking at patient information on a tablet.
Example 2: A production manager launches an application on the PC in his office. The device name and location determine which printers and other resources are available for that session. Later in the day, he goes to an office in the next building for a meeting that will require him to use a printer.
To configure session roaming, use the following entitlement policy rule cmdlets with the "SessionReconnection" property. Optionally, you can also specify the "LeasingBehavior" property; see Connection leasing and session roaming below.
For desktop sessions:
Set-BrokerEntitlementPolicyRule <Delivery-Group-name> -SessionReconnection <value> -LeasingBehavior Allowed|Disallowed
For application sessions:
Set-BrokerAppEntitlementPolicyRule <Delivery-Group-name> -SessionReconnection <value> -LeasingBehavior Allowed|Disallowed
Where <value> can be one of the following:
The "LeasingBehavior" property is described below.
Effects from other settings
Disabling session roaming is affected by the application limit "Allow only one instance of the application per user" in the application's properties in the Delivery Group.
If you're not familiar with connection leasing, see the Connection leasing article.
When a Controller enters leased connection mode, session reconnection reverts to its default value, reconnecting the user to only one of the active or disconnected sessions for the desktop or application.
For additional security, if you configured a nondefault session roaming value, and have multiple users who share the same logon credentials on multiple devices, consider disabling the connection leasing feature for the Delivery Group that includes that user account.
Why? In this scenario, one session is shared among all devices. This could be undesirable if, for example, one person has sensitive information displayed that is not meant to be seen by someone else who reconnects with the same credentials while the Controller is in leased connection mode.
Disabling connection leasing in the entitlement policy eliminates this possibility: a user will not be able to see the session of another user with the same logon, even when the Controller is in leased connection mode. Other entitlement policies can remain as-is; individual user accounts can use the connection leasing functionality through separate entitlements.
To disable connection leasing in an entitlement policy, add the “LeasingBehavior Disallowed” property to the entitlement policy cmdlet. If you disable connection leasing, you must manually delete any launch leases that have already been created and cached for that entitlement policy; otherwise, users will still be able to reconnect during a database outage.
If a virtual machine containing a desktop VDA closes before the logon process completes, you can allocate more time to the process. The default for 7.6 and later versions is 180 seconds (the default for 7.0-7.5 is 90 seconds).
On the machine (or the master image used in a Machine Catalog), set the following registry key:
Specify a decimal time in seconds, in the range 0-3600.
If you change a master image, update the catalog.
Note: This setting applies only to VMs with desktop (workstation) VDAs; Microsoft controls the logon timeout on machines with server VDAs.