Citrix/TS Issue with Proxy

Customers of ours report the same problem: when they connect through our proxies (Squid and/or Trustwave), it often happens that their devices freeze (mouse, etc.).

It must be a well-known issue, but how can it be fixed?
DukewillNukem asked:
 
Ayman Bakr (Senior Consultant) commented:
Ask your clients if they are using the X-Forwarded-For header in their Squid server. If yes, then make the following modifications in the Include.java file on the Web Interface servers (it should be under $SITEROOT/Citrix/XenApp/app_code/PagesJava/com/citrix/wi/pageutils/Include.java):

-> Find the following section:

    /**
     * Returns the IP address of the client
     *
     * @return the client IP address as a string
     */
    public static String getClientAddress(WIContext wiContext) {
        String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext);
        return (ageClientAddress != null
                    ? ageClientAddress
                    : wiContext.getWebAbstraction().getUserHostAddress());
    }



-> Replace this entire section with:

    /**
     * Returns the IP address of the client.
     *
     * @return the client IP address as a string
     */
    public static String getClientAddress(WIContext wiContext) {
        WebAbstraction web = wiContext.getWebAbstraction();
        // Address the proxy reports for the original client. The header is set
        // by whoever sent the request and may hold a comma-separated chain
        // (client, proxy1, ...), so it is only meaningful for requests that
        // arrive from your own proxy.
        String forwardedAddress = web.getRequestHeader("X-Forwarded-For");
        if (forwardedAddress != null) {
            return forwardedAddress;
        } else {
            // No proxy header present: fall back to the original lookup.
            String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext);
            return (ageClientAddress != null
                        ? ageClientAddress
                        : wiContext.getWebAbstraction().getUserHostAddress());
        }
    }




Hope this helps, as it will ensure the actual client IP address is passed to the XML broker rather than the proxy address, which might be causing the frequent freezes.
0
 
basraj commented:
Are there any network issues going on?
0
 
Ayman Bakr (Senior Consultant) commented:
How are they connecting through to your Citrix servers? Through 443? Can you provide more on your architecture setup?
0
 
DukewillNukem (Author) commented:
No network issues. Clients go first through port 443, then port 4500. We'll deliver more about the setup ASAP.
0
 
robocat commented:
This is indeed a known issue with proxy servers in general. Symptoms are sudden slowness, freezing or disconnects.

The only way to completely solve this problem is to bypass the proxy servers for the Citrix sessions (proxy exception).
0
 
DukewillNukem (Author) commented:
We believe that this is a Citrix ICA TS protocol and proxies problem. We never had any issues before: if we avoid the proxy, all works fine.

So far, we have performed a workplace, ICA version, proxy settings, AV analysis; a Citrix farm, ICA, SR, settings analysis with the vendor; a network components and sites, latency and jitter analysis; and access through different proxy versions, because the problem, as it occurs today, happens accidentally and is not site-relevant.
0
 
DukewillNukem (Author) commented:
robocat: do I understand you correctly? You recommend bypassing the proxy servers? However, we cannot go directly to the internet; we must go through the proxy (defined by policy).
0
 
DukewillNukem (Author) commented:
We have also configured our IE settings with GPO; this way we can ensure that the correct settings are enforced. However, this didn't help either.
0
 
robocat commented:
To make sure that we're talking about the same thing, this is the setup I'm talking about:

client ---> proxy server ---> citrix server

(and not client using a citrix session to browse the web through a proxy).

Is this the setup you're talking about?
0
 
DukewillNukem (Author) commented:
Yes, correct.
client ---> proxy server ---> citrix server
The proxy is a GIN RADIUS.
0
 
robocat commented:
As I said, we had the same problem and were never able to really solve it. On some fundamental level it seems that proxy servers are incompatible with citrix traffic.

I know all about security policies requiring the use of proxies. But proxy exceptions for a limited number of known Citrix servers should be an acceptable risk.
0
 
DukewillNukem (Author) commented:
A strange fact is that only one site is affected.
Would GPO settings for clients help?
It is clear that bypassing the proxy is NOT accepted. Therefore I must find a solution.

Since it's a well-known issue, why didn't Citrix provide a solution so far?
0
 
Ayman Bakr (Senior Consultant) commented:
Perhaps one of the main reasons is that third-party proxies are not ICA-aware and thus routing to the correct server might not be possible in all cases, causing slowness and freezing - at least that's my explanation.

If security is still a concern, then why don't you try having your Citrix clients connect to your servers through Citrix Secure Gateway, or better still through Access Gateway, while bypassing the proxy for these clients? The former is a software and free product while the latter is an appliance with licenses involved. This way you avoid the performance issues, yet you are still secure!
0
 
DukewillNukem (Author) commented:
Could you please provide detailed info about this?
You are saying that the (Windows) client shall go through Citrix Secure Gateway, bypassing the proxy? Is it free? And how is the security still warranted?
0
 
Ayman Bakr (Senior Consultant) commented:
What I meant is that you bypass the proxy for Citrix clients - so when these connect they go directly to CSG. CSG provides an SSL VPN connection through port 443 and acts as an intermediary between your clients and the XenApp servers.

And yes, CSG is free (but you will need to purchase a certificate - GoDaddy could be fine).
0
 
DukewillNukem (Author) commented:
Do you mean Citrix clients = Citrix Receiver?
0
 
Ayman Bakr (Senior Consultant) commented:
I meant your clients: users on their devices (obviously they will need the ICA client: either the online plugin, or the Receiver containing the online plugin).
0
 
robocat commented:
If you're not already using CSG or Netscaler for securing your Citrix farm, you should do so from a security perspective. But that doesn't change this problem, you're still tunneling ICA traffic over HTTPS over a proxy. The issue remains, as we can testify.

You could experiment by increasing session timeouts / lifespan for individual http/https connections on the proxy, although this never worked for us.
0
 
DukewillNukem (Author) commented:
No, we are not using CSG or Netscaler at all. But since this is free, we might consider implementing it.
Bypassing the proxy for Citrix clients - so when these connect they go directly to CSG. That's a solution we can live with.
0
 
robocat commented:
> Bypassing the proxy for Citrix clients - so when these connect they go directly to CSG. That's a solution we can live with.

...and a solution that works.
0
 
DukewillNukem (Author) commented:
> If you're not already using CSG or Netscaler for securing your Citrix farm, you should do so from a security perspective. But that doesn't change this problem, you're still tunneling ICA traffic over HTTPS over a proxy. The issue remains, as we can testify.

Then we will bypass the proxy for all Citrix traffic. Any other suggestions?
0
 
Ayman Bakr (Senior Consultant) commented:
I agree; bypass the proxy for Citrix traffic and rely on CSG.
0
 
DukewillNukem (Author) commented:
This solution is not accepted by the customer, because it's a proxy issue:
It's a Squid 3.1.6, which has some issues with the ICA protocol.
Does anyone have knowledge about Squid versions and what is supported?
0
 
Ayman Bakr (Senior Consultant) commented:
Try disabling CGP (that is, Session Reliability) and see if this helps. Read this for more info:

http://blogs.citrix.com/2013/01/23/session-reliability/
0
 
robocat commented:
This is not a Squid-specific issue. See my earlier messages.
0
 
DukewillNukem (Author) commented:
OK, I spoke with the customer directly.
Now I know that the connectivity was always on, with some acceptable disruptions. Since that infrastructure was migrated to better HW and a newer OS and Citrix version, it became (strangely) worse. I believe it could be a bandwidth and latency issue as well.
0
 
Ayman Bakr (Senior Consultant) commented:
So aren't there any specific errors/events logged on the Citrix servers?
0
 
DukewillNukem (Author) commented:
OK, I have some more news after I spoke with the responsible person:

This is what that company does:
http://www.aircominternational.com/Products/Planning/asset.aspx
To access their radio network planning tool, they used to connect to their Citrix server through our (Squid) proxy.

The connection through our proxy was always a bit shaky; however, they were always able to work with it. Once in a while there was a freeze, but the connection was always on.

As a workaround, they reconnected to that session and continued to work.

Since that company migrated their infrastructure (new HW and OS and a new Citrix version), that issue increased and became worse, which makes even less sense.

Since the proxy is bypassed, the connectivity is fine and there has never been an interruption.

That leads to the conclusion that it must be the proxy. It is well known that the ICA protocol has some issues with proxies, or vice versa.

We are considering replacing the old proxy with the new F5.

Meanwhile, I'd like to edit the proxy PAC file. My question is:

What do I need to do to update that *.pac file to make it work?
0
 
robocat commented:
You mean, how to bypass the proxy using the PAC file?

BTW, I would recommend doing a test with F5 before purchasing. Otherwise you could spend a lot of money without result.
0
 
DukewillNukem (Author) commented:
Yes, bypass the proxy using the PAC file, or update it to make sure that Citrix ICA is listed too.
0
 
DukewillNukem (Author) commented:
However, tunneling of different traffic over HTTPS (Citrix ICA over HTTPS) is possible, but there are always constraints. Our current solution is not designed for real-time applications, so we have to find other ways.
0
 
DukewillNukem (Author) commented:
The fact is, our customer has two different client versions and I was wondering if this could have some impact?
Since this is a real-time application, wouldn't it be advisable to use UDP?
0
 
Ayman Bakr (Senior Consultant) commented:
From your last few posts I am more convinced that disabling Session Reliability could relax the situation, especially as your clients are re-logging as a workaround.

I agree with robocat in that F5 might not be ICA-aware either. You need to test it before spending big money.

I don't have experience in *.pac; you can post another question in the appropriate topic to get some help in that.
0
 
robocat commented:
It seems that writing a PAC file should not be too difficult. I've found this example on the net:

    if (shExpMatch(url, "http://abcdomain.com/folder/*"))
        return "DIRECT";

Replace that URL with the URL for connecting to the Citrix server and you bypass the proxy only for that URL.
0
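A complete PAC file for the client ---> proxy server ---> citrix server setup discussed in this thread, added here as an example (it is not from the thread or from Citrix): it sends the Web Interface hostname, the session-host subnet and the farm's DNS domain DIRECT and keeps everything else on the Squid proxy. All hostnames, the subnet and the proxy address are placeholders; the helper functions at the bottom are stand-ins for the ones the browser supplies, so the file can be exercised offline with node.

```javascript
// Added example, not from the thread; hostnames, subnet and proxy are placeholders.
function FindProxyForURL(url, host) {
    // The Web Interface / CSG URL the browser opens (placeholder hostname).
    if (shExpMatch(host, "citrix.example.invalid")) {
        return "DIRECT";
    }
    // Session hosts the ICA client reaches on 1494/2598 (placeholder subnet).
    if (isInNet(host, "10.20.30.0", "255.255.255.0")) {
        return "DIRECT";
    }
    // Anything under the farm's DNS domain (placeholder).
    if (dnsDomainIs(host, ".farm.example.invalid")) {
        return "DIRECT";
    }
    // Policy says everything else must use the proxy, so no "; DIRECT" fallback:
    // if the proxy is down the browser fails closed instead of going direct.
    return "PROXY squid.example.invalid:3128";
}

// Stand-ins for the helpers the browser normally provides, so the file can be
// exercised offline with node. Do not ship these in the deployed PAC file.
function shExpMatch(str, pattern) {
    // Shell-style glob: escape regex metacharacters, then map * and ?.
    var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
}
function dnsDomainIs(host, domain) {
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
    var parts = ip.split(".");
    if (parts.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
        var octet = parseInt(parts[i], 10);
        if (isNaN(octet) || octet < 0 || octet > 255) return null;
        n = n * 256 + octet;
    }
    return n;
}
function isInNet(host, pattern, mask) {
    // The browser's isInNet resolves hostnames; this stand-in only takes dotted quads.
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
}
```

The ICA client only follows this file when the launched ICA file tells it to use the browser's proxy settings (ProxyType=Auto); with any other setting the session-host rules here have no effect on the ICA connection.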
 
Ayman Bakr (Senior Consultant) commented:
But, robocat - once the ICA connection is initiated, the user doesn't go through the URL; the user device will connect directly with the session host. The first connection to Web Interface will be through HTTP or HTTPS, port 80 or 443, to the URL. Once the user launches an application, a session will be initiated with the session host server and the connection becomes direct with no intermediaries through TCP ports 1494/2598 or 443.
0
 
DukewillNukem (Author) commented:
Mutawadi: since our customer has migrated to a newer Citrix (and Windows OS) version with new HW (probably x64), he confirms that the connection is even slower. I don't think that disabling Session Reliability itself will help. I believe that all parts must be optimized (incl. the real-time application) to get the desired performance.

But this doesn't solve the issue itself:

Those Citrix servers shall be defined properly in the PAC file.
I can post the PAC file; maybe somebody has a suggestion on how to do that.
0
 
robocat commented:
>connection becomes direct with no intermediaries through TCP ports 1494/2598 or 443

Are you sure this is your setup? Because if the ICA session is not tunneled over the proxy, you can't blame the proxy for any issues.
0
 
DukewillNukem (Author) commented:
Citrix traffic on the proxy is bypassed.
0
 
Ayman Bakr (Senior Consultant) commented:
>connection becomes direct with no intermediaries through TCP ports 1494/2598 or 443

By 'intermediaries' I meant the web interface in the middle. But of course if the proxy is not bypassed, then it will have to go through the proxy.

Session Reliability has nothing to do with real-time apps; it is all about keeping the session up for a stated period of time in case network interruptions happen, so that the user comes back and resumes his session.
0
 
DukewillNukem (Author) commented:
OK, after some research with the customer I can say that the problem is definitely not Citrix, but the proxy:

Users can work without any interruptions as long as the proxy is bypassed.
When the proxy is enabled, it takes 4-5 moves with the mouse and there's a complete freeze.

The "solution" is to reconnect, since the connection remains stable. This, of course, I cannot propose as a solution to the customer.
0
 
Ayman Bakr (Senior Consultant) commented:
> This, of course, I cannot propose as a solution to the customer.

I didn't really get your input/question here!
0
 
DukewillNukem (Author) commented:
Mutawadi: I can't tell our customer to "live" with that fact. I can't tell him to reconnect each time his mouse freezes. I have to deliver a satisfying solution which works for him.
0