Product Documentation

Coordinating Keep-Alive Values Between the Secure Gateway and Citrix XenApp

Sep 15, 2015

If you enable TCP/IP keep-alive parameters on computers running Citrix XenApp, Citrix recommends that you modify the parameters on the server running the Secure Gateway in the same manner.

In an environment containing the Secure Gateway, ICA and HTTP/S connections are routed through the Secure Gateway. TCP/IP keep-alive messages from the Citrix XenApp server to the remote client are intercepted, and responded to, by the server running the Secure Gateway. Similarly, TCP/IP keep-alive packets from the server running the Secure Gateway are sent only to the user device; the server running the Secure Gateway does not transmit keep-alives to the Citrix XenApp server. Setting the keep-alive values on the server running the Secure Gateway to match the values set on the Citrix XenApp server ensures that the server farm is aware of the client connection state and can either disconnect or log off from the connection in a timely manner.

Setting Connection Keep-Alive Values and the Secure Gateway

The Secure Gateway establishes connections over the Internet between remote clients and Citrix XenApp servers. When a client connection is dropped without being properly logged off, the Secure Gateway continues to keep the connection to the server open. Accumulation of such “ghost” connections eventually affects Secure Gateway performance.

A Secure Gateway deployment subject to a heavy load may run out of sockets because of these “ghost” connections remaining open. The Secure Gateway uses TCP/IP keep-alives to detect and close broken connections between the Secure Gateway and the client device. The default Windows setting for KeepAliveTime is two hours. This is the duration that TCP/IP waits before verifying whether or not an idle connection is still connected. “Ghost” connections may therefore remain open for up to two hours before the system detects that a connection failed.

To prevent broken connections from remaining open, the Secure Gateway changes the KeepAliveTime to one minute. If a connection is dropped, the Secure Gateway knows within one minute, instead of two hours.

If there is no response, TCP/IP retries the verification process after the interval specified by KeepAliveInterval and for a maximum number of times specified by TcpMaxDataRetransmissions. The default value for KeepAliveInterval is one second and the default value for TcpMaxDataRetransmissions is five seconds.

If the Secure Gateway is under a heavy load and is used predominately to secure HTTP connections to internal Web servers, the Secure Gateway rapidly opens and closes connections. Closed connections stay in the TIME_WAIT state for an interval specified by TcpTimedWaitDelay.

The default value of TcpTimedWaitDelay is four minutes; the Secure Gateway sets this value to 30 seconds. This change enables the Secure Gateway to recycle sockets faster resulting in improved performance. The system cannot reuse sockets in the TIME_WAIT state. MaxUserPort specifies the number of sockets available on the system. By default, the system uses ports between 1024 and 5000; the Secure Gateway modifies this setting to use ports between 1024 and 65000.

The KeepAliveInterval, KeepAliveTime, MaxUserPort, TcpMaxDataRetransmissions, and TcpTimedWaitDelay parameters are stored in the Windows registry at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ Parameters\

For more information about making changes to these parameters, see the Microsoft knowledgebase articles, Q120642 - “TCP/IP & NBT Configuration Parameters for Windows 2000 or Windows NT,” Q314053 - “TCP/IP & NBT Configuration Parameters for Windows XP,” and Q196271 - “Unable to Connect from TCP Ports Above 5000”. Under normal circumstances, it is not necessary to change these settings.