Controlling Client Connections in XenApp

Apr 29, 2015
You can control XenApp client connections in these ways.
Citrix Receiver
A software client that is installed on the user device, supplies the connection to the virtual machine via TCP port 80 or 443, and communicates with StoreFront using the StoreFront Service API.
XenApp policies

Policies let you define how you want clients to connect, including SSL or encryption requirements, and the properties for the user’s environments after the connection is established.

Citrix recommends using XenApp policies whenever possible to control connections. Connection settings defined through XenApp policies also supersede all other connection settings in your environment, including those at the operating system level, in TS Config, and specified when you publish an application.

Application Publishing
You can define connection settings on a per-application basis when you are publishing a resource. Settings you can define include the maximum number of connections to an application, importance level of the application, maximum number of instances an application can run in the farm, types of connections that can access an application, audio properties, and encryption requirements.
Terminal Services Configuration
Terminal Services Configuration (TS Config), which is part of Windows Server 2008, lets you define XenApp connection settings similar to the ones found in XenApp policies. However, these TS Config settings must be defined on a per-server basis. Because defining settings using TS Config requires setting them on each server in your farm, Citrix recommends using TS Config to define connection settings only for test farms or very small server farms.
Active Directory
Citrix provides a Group Policy Object (GPO) template, the icaclient.adm, that contains Citrix-specific rules for securing client connections. This GPO lets you configure rules for network routing, proxy servers, trusted server configuration, user routing, remote client devices, and the user experience. For more information, see the Citrix online plug-in documentation.

Preventing Specific Client Connection Types

You can specify the types of client connections from which users can start sessions. For example, to increase security, you can specify that users must connect through Access Gateway Advanced Edition (Version 4.0 or later). This allows you to benefit from filters created in Access Gateway.

To configure connection access control

  1. Configure the Connection access control Computer policy setting with one of the following options:
    • Any connections allows access to published applications through any connection.
    • Citrix Access Gateway, Citrix online plug-in, and Web Interface connections only allows access to published applications through the listed connections, including any version of Access Gateway. Denies access through any other connection.
    • Citrix Access Gateway connections only allows access to published applications only through Access Gateway Advanced Edition servers (Version 4.0 or later).

Specifying Connection Limits

To help maintain the availability of resources in a server farm, you can limit the number of connections to servers and published applications. Setting connection limits helps prevent:
  • Performance degradation and errors resulting from individual users who run more than one instance of a published application at the same time
  • Denial-of-service attacks by malicious users who run multiple application instances that consume server resources and connection license counts
  • Over-consumption of resources by non-critical activities such as Web browsing

Connection limits, including the option to log denials resulting from connection limits, are configured in Computer policy settings. (You cannot configure connection limits in the plug-ins.)

There are two types of connection limits:
  • Concurrent connections to the server farm - Restricts the number of simultaneous connections that each user in the server farm can establish. See Limiting Connections to a Server Farm.
  • Published application instances - Restricts the total number of instances of a published application that can run in the server farm at one time, and prevents users from launching more than one instance of a published application. See Limiting Application Instances.

By default, XenApp does not limit connections in any way.

Limiting Connections to a Server Farm

To conserve resources, you can limit the number of concurrent connections that users are permitted to establish. Limiting connections can help prevent over-consumption of server resources by a few users.

Active sessions and disconnected sessions are counted for the total number of concurrent connections. For example, you can set a limit of three concurrent connections for users. If a user has three concurrent connections and tries to establish a fourth, the limit you set prevents the additional connection. A message tells the user that a new connection is not allowed.

Connection control affects users only if a connection attempt is prevented. If a user’s number of connections exceeds a connection limit, the plug-in displays a message that describes why the connection is not available.

You can also limit the number of connections on a farm by ensuring that session sharing is enabled.

To specify the total number of sessions that can log on to a server

When this setting is used, users can still launch additional sessions, as long as the limit has not been reached.

  1. Configure the following Citrix Computer policy settings:
    • Limit user sessions. The maximum number of concurrent connections a user can establish, in the range 0-8192. A value of 0 indicates no connections.
    • Limits on administrator sessions. Enables or disables connection limit enforcement for Citrix administrators. Limiting connections for Citrix administrators can adversely affect their ability to shadow other users.
    Local administrators are exempt from the limit so they can establish as many connections as necessary.

To specify the maximum number of connections a user can make to the server farm at a given time

When this setting is used and the specified number is reached, the user cannot launch additional sessions, even if the server has availability.

  1. Configure the Citrix User Policy Concurrent logon limit setting.

Sharing Sessions and Connections

Depending on the plug-in, when a user opens an application, it can either appear in a seamless or non-seamless window. These window modes are available for most plug-ins, including the Web Interface and Citrix online plug-in.
  • In seamless window mode, published applications and desktops are not contained within an ICA session window. Each published application and desktop appears in its own resizable window, as if it is physically installed on the client device. Users can switch between published applications and the local desktop.
  • In non-seamless window mode, published applications and desktops are contained within an ICA session window. This creates the effect of the application appearing in two windows.

The mode that you choose typically depends on the type of client device that your users will be using and whether you are publishing a desktop or individual applications. Desktops are typically published in non-seamless window mode. This table provides examples of when you might want to publish desktops and applications.

| If your users will be using... | then you... |
|---|---|
| Local computers | Might want to publish desktops or individual applications. |
| Local computers with locally installed applications | Might want to publish individual applications. |
| Thin clients | Must publish desktops. |
| Kiosks | Might want to publish desktops, which allows the user to have a more holistic experience and provides more control from a security perspective. |

When a user launches a published application, the plug-in establishes a connection to a XenApp server and initiates a session. If session sharing is not configured, a new session is opened on the server each time a user opens an application. Likewise, every time a user opens a new application, a new client connection is created between the client device and the server.

Session sharing is a mode in which more than one published application runs on a single connection. Session sharing occurs when a user has an open session and launches another application that is published on the same server; the result is that the two applications run in the same session. For session sharing to occur, both applications must be hosted on the same server. Session sharing is configured by default when you specify that applications appear in seamless window mode. If a user runs multiple applications with session sharing, the session counts as one connection.

If you want to share sessions, ensure all applications are published with the same settings. Inconsistent results may occur when applications are configured for different requirements, such as encryption.

Note: Session sharing is not supported on PocketPC clients.

Session sharing always takes precedence over load balancing. That is, if users launch an application that is published on the same server as an application they are already using but the server is at capacity, XenApp still opens the second application on the server. Load management does not transfer the user’s request to another server where the second application is published.

Limiting Application Instances

By default, XenApp does not limit the number of instances of a published application that can run at one time in a farm. By default, a user can launch more than one instance of a published application at the same time.

You can specify the maximum number of instances that a published application can run at one time or concurrently in the server farm. For example, you can publish an application and set a limit of 30 concurrent instances in the farm. Once 30 users are running the application at the same time, no more users can launch the application because the limit of 30 concurrent instances was reached.

Another connection control option lets you prevent any user from running multiple instances of a particular published application. With some applications, running more than one instance in a single user context can cause errors.

You can apply application limits independently to each published application. For example, you can apply the limitations on total concurrent instances and multiple instances by a single user to one published application. You can limit only the total concurrent instances of another application. You can configure a third application to limit launching of multiple instances by individual users.

Note: Connection control options apply to published applications and published desktops only and do not affect published content such as documents and media files that execute on the client device.

To specify a limit for a published application or desktop

  1. From the Delivery Services Console, select the farm, then select Applications.
  2. Select the application or desktop you want to modify. In the Action menu, select Application properties.
  3. In the Properties tree, select Limits. Select one or both of the following options:
    • Limit instances allowed to run in server farm. Enter the maximum number of instances that can run at one time in the server farm without regard to who launches the application.

      For example, if you enter 10 and a user tries to launch the application when 10 instances are running, the server denies the connection request and records the time and the name of the published application in the System log.

    • Allow only one instance of application for each user. Prevents any user from running more than one instance of this application at the same time.

Logging Connection Denial Events

Event logging records an entry in the System log each time a server denies a user connection because of a connection control limit. Each server records the data in its own System log. By default, this type of event logging is disabled.

You can configure XenApp to log when limits are reached (and connections denied) for the following:
  • Maximum connections per user
  • Application instance limits
  • Application instances per user

To enable or disable logging of connection denial events, configure the Logging of logon limit events Citrix Computer policy setting.
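
The limit semantics described in the sections above (per-user connections, session sharing, application instance limits, and denial logging), as a simplified Python model. This is an added example, not Citrix code: the class names, the order of the checks, the one-server-per-application simplification, and the scenario data are assumptions. Reconnecting to a disconnected session is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    server: str                 # simplification: one hosting server per app
    farm_limit: int = None      # "Limit instances allowed to run in server farm"
    one_per_user: bool = False  # "Allow only one instance of application for each user"

@dataclass
class Farm:
    user_limit: int = None      # per-user connection limit; None = no limit (default)
    session_sharing: bool = True
    log_denials: bool = False   # denial logging is disabled by default
    sessions: list = field(default_factory=list)    # dicts: user, server, state, apps
    system_log: list = field(default_factory=list)  # stand-in for a server's System log

    def _deny(self, user, app, reason):
        if self.log_denials:
            self.system_log.append((user, app.name, reason))
        return False, reason

    def launch(self, user, app):
        holders = [s["user"] for s in self.sessions for a in s["apps"] if a == app.name]
        if app.farm_limit is not None and len(holders) >= app.farm_limit:
            return self._deny(user, app, "application instance limit")
        if app.one_per_user and user in holders:
            return self._deny(user, app, "application instances per user")
        mine = [s for s in self.sessions if s["user"] == user]
        for s in mine if self.session_sharing else []:
            if s["server"] == app.server and s["state"] == "active":
                s["apps"].append(app.name)   # same server: no new connection is opened
                return True, "shared existing session"
        # Active and disconnected sessions both count toward the per-user limit.
        if self.user_limit is not None and len(mine) >= self.user_limit:
            return self._deny(user, app, "maximum connections per user")
        self.sessions.append({"user": user, "server": app.server,
                              "state": "active", "apps": [app.name]})
        return True, "new session"

    def disconnect(self, user, server):
        for s in self.sessions:
            if s["user"] == user and s["server"] == server:
                s["state"] = "disconnected"   # still occupies a connection slot

if __name__ == "__main__":
    farm = Farm(user_limit=1, log_denials=True)   # constructed scenario
    for app in (App("Word", "SRV1"), App("Excel", "SRV1"), App("SAP", "SRV2")):
        print(app.name, farm.launch("alice", app), farm.system_log)
```

With a per-user limit of 1, the second application on the same server is admitted through the shared session, while the application on another server is denied and, because logging was enabled, recorded.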

Configuring the ICA Listener

To configure the ICA listener, use the Citrix ICA Client Configuration Tool (CtxICACfg.exe). For more information, see CTX125139.

Important: Do not use Microsoft Remote Desktop Services tools to configure the ICA listener.

Preventing User Connections During Farm Maintenance

You might want to prevent logons to a server when you install software or perform other maintenance or configuration tasks. This is helpful when you are installing applications that require there be no active sessions on the server. It also lets you restart the server without having to wait for users to disconnect.

By default, logons are enabled when you install XenApp and users can launch an unlimited number of sessions and instances of published applications. You can prevent users from connecting to a server in the farm by disabling logons.

To disable logons on a server

  1. From the Delivery Services Console, select the server.
  2. In the Actions pane, select Other Tasks > Disable logon.

Note: To reenable disabled logons, select Other Tasks > Enable logon.