The Secure Gateway establishes connections over the Internet between
remote clients and Citrix XenApp servers. When a client connection is dropped
without being properly logged off, the Secure Gateway continues to keep the
connection to the server open. Accumulation of such “ghost” connections
eventually affects Secure Gateway performance.
A Secure Gateway deployment subject to a heavy load may run out of
sockets because of these “ghost” connections remaining open. The Secure Gateway
uses TCP/IP keep-alives to detect and close broken connections between the
Secure Gateway and the client device. The default Windows setting for
KeepAliveTime is two hours. This is the duration that TCP/IP waits before
verifying whether or not an idle connection is still connected. “Ghost”
connections may therefore remain open for up to two hours before the system
detects that a connection failed.
To prevent broken connections from remaining open, the Secure Gateway
changes the KeepAliveTime to one minute. If a connection is dropped, the Secure
Gateway knows within one minute, instead of two hours.
If there is no response, TCP/IP retries the verification process after
the interval specified by KeepAliveInterval and for a maximum number of times
specified by TcpMaxDataRetransmissions. The default value for KeepAliveInterval
is one second and the default value for TcpMaxDataRetransmissions is five.
If the Secure Gateway is under a heavy load and is used predominantly
to secure HTTP connections to internal Web servers, the Secure Gateway rapidly
opens and closes connections. Closed connections stay in the TIME_WAIT state
for an interval specified by TcpTimedWaitDelay.
The default value of TcpTimedWaitDelay is four minutes; the Secure
Gateway sets this value to 30 seconds. This change enables the Secure Gateway
to recycle sockets faster, resulting in improved performance. The system cannot
reuse sockets in the TIME_WAIT state. MaxUserPort specifies the number of
sockets available on the system. By default, the system uses ports between 1024
and 5000; the Secure Gateway modifies this setting to use ports between 1024
The KeepAliveInterval, KeepAliveTime, MaxUserPort,
TcpMaxDataRetransmissions, and TcpTimedWaitDelay parameters are stored in the
Windows registry at:
For more information about making changes to these parameters, see the
Microsoft Knowledge Base articles Q120642, “TCP/IP & NBT Configuration
Parameters for Windows 2000 or Windows NT,” Q314053, “TCP/IP & NBT
Configuration Parameters for Windows XP,” and Q196271, “Unable to Connect from
TCP Ports Above 5000.” Under normal circumstances, it is not necessary to
change these settings.
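The following audit script is an added example, not part of the Citrix documentation: it reads the five parameters discussed above, reports where they differ from the values the text says the Secure Gateway applies, and computes the worst-case time before a dropped client connection is detected. It assumes the parameters live in the standard Windows key HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and that it is run with administrator rights.

```powershell
# Added example (not from the Citrix documentation). Assumes the standard
# Windows TCP/IP parameters key and administrator rights.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Current = Get-ItemProperty -Path $TcpipParams -ErrorAction Stop

# Windows defaults beside the values the text says the Secure Gateway applies.
# KeepAliveTime and KeepAliveInterval are in milliseconds, TcpTimedWaitDelay
# in seconds. MaxUserPort is only reported, because its target upper bound
# is not given in the text above.
$Expected = [ordered]@{
    KeepAliveTime             = @{ Default = 7200000; Gateway = 60000 }
    KeepAliveInterval         = @{ Default = 1000;    Gateway = 1000 }
    TcpMaxDataRetransmissions = @{ Default = 5;       Gateway = 5 }
    TcpTimedWaitDelay         = @{ Default = 240;     Gateway = 30 }
}

# Registry value if present, otherwise the built-in Windows default.
function Get-EffectiveValue([string]$Name) {
    $Value = $Current.$Name
    if ($null -eq $Value) { return $Expected[$Name].Default }
    return $Value
}

foreach ($Name in $Expected.Keys) {
    $Value  = Get-EffectiveValue $Name
    $Source = if ($null -eq $Current.$Name) { 'not set, Windows default' } else { 'registry' }
    $Status = if ($Value -eq $Expected[$Name].Gateway) { 'OK' } else { 'DIFFERS' }
    '{0,-26} {1,8}  ({2}) expected {3} -> {4}' -f $Name, $Value, $Source, $Expected[$Name].Gateway, $Status
}

if ($null -eq $Current.MaxUserPort) {
    'MaxUserPort not set; ephemeral ports end at the Windows default of 5000'
} else {
    "MaxUserPort = $($Current.MaxUserPort)"
}

# Worst case before a "ghost" connection is closed: the idle KeepAliveTime,
# then one probe every KeepAliveInterval until TcpMaxDataRetransmissions
# probes have gone unanswered. Defaults give 7205 s; the gateway values 65 s.
$WorstCaseMs = (Get-EffectiveValue KeepAliveTime) +
               (Get-EffectiveValue KeepAliveInterval) * (Get-EffectiveValue TcpMaxDataRetransmissions)
'Worst-case ghost connection lifetime: {0:N1} s' -f ($WorstCaseMs / 1000)
```

On Windows Vista and later the ephemeral port range is managed with `netsh int ipv4 show dynamicport tcp` rather than MaxUserPort, so the MaxUserPort line applies to the Windows versions named in the Knowledge Base articles above.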