Citrix/TS Issue with Proxy

DukewillNukem asked:
Customers of ours report the same problem: when they connect through our proxies (Squid and/or Trustwave), their devices often freeze (mouse, etc.).

It must be a well-known issue, but how can it be fixed?
basraj:
Are there any network issues going on?
Ayman Bakr:
How are they connecting through to your Citrix servers? Through 443? Can you provide more on your architecture setup?
DukewillNukem (asker):
No network issues. Clients go first through port 443, then port 4500. Will deliver more about the setup asap.
This is indeed a known issue with proxy servers in general. Symptoms are sudden slowness, freezing or disconnects.

The only way to completely solve this problem is to bypass the proxy servers for the Citrix sessions (proxy exception).
We believe that this is a Citrix ICA TS protocol and proxies problem. We never had any issues before: if we avoid the proxy, all works fine.

So far, we have performed a workplace, ICA version, proxy settings and AV analysis; a Citrix farm analysis with the vendor; an ICA, SR and settings analysis of network components and sites; a latency and jitter analysis; and access through different proxy versions, because the problem, as it occurs today, happens at random and is not site-related.
robocat: do I understand you correctly that you recommend bypassing the proxy servers? However, we cannot go directly to the internet; we must go through the proxy (defined by policy).
We have also configured our IE settings with GPO; this way we can ensure that the correct settings are enforced. However, this didn't help either.
To make sure that we're talking about the same thing, this is the setup I'm talking about:

client ---> proxy server ---> citrix server

(and not client using a citrix session to browse the web through a proxy).

Is this the setup you're talking about ?
Yes, correct.
client ---> proxy server ---> citrix server
The proxy is a GIN RADIUS.
As I said, we had the same problem and were never able to really solve it. On some fundamental level it seems that proxy servers are incompatible with citrix traffic.

I know all about security policies requiring the use of proxies. But proxy exceptions for a limited number of known Citrix servers should be an acceptable risk.
A strange fact is that only one site is affected.
Would GPO settings for clients help?
It is clear that bypassing the proxy is NOT accepted. Therefore I must find a solution.

Since it's a well-known issue, why didn't Citrix provide a solution so far?
Perhaps one of the main reasons is that third party proxies are not ICA-aware and thus routing to the correct server might not be possible in all cases causing slowness and freezing - at least my explanation.

If security is still a concern, then why don't you try having your Citrix clients connect to your servers through Citrix Secure Gateway, or better still through Access Gateway, while bypassing the proxy for these clients? The former is a free software product while the latter is an appliance with licenses involved. This way you avoid the performance issues, yet you are still secure!
Could you please provide detailed info about this?
You are saying that the (Windows) client shall go through Citrix Secure Gateway, bypassing the proxy? Is it free? And how is security still warranted?
What I meant is that you bypass the proxy for Citrix clients, so when these connect they go directly to CSG. CSG provides an SSL VPN connection through port 443 and acts as intermediary between your clients and the XenApp servers.

And yes, CSG is free (but you will need to purchase a certificate - GoDaddy could be fine).
Do you mean Citrix clients = Citrix Receiver?
I meant your clients: users on their devices (obviously they will need the ICA client: either online plugin, or the receiver containing the online plugin)
If you're not already using CSG or Netscaler for securing your Citrix farm, you should do so from a security perspective. But that doesn't change this problem, you're still tunneling ICA traffic over HTTPS over a proxy. The issue remains, as we can testify.

You could experiment by increasing session timeouts / lifespan for individual http/https connections on the proxy, although this never worked for us.
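For the timeout experiment described above, here is an added example (not from the thread, nor Squid's or Citrix's documentation) of the squid.conf lines that decide whether an ICA session tunnelled with CONNECT is allowed at all and how long an idle tunnel survives. The Citrix host names, the ICA ports and the chosen timeout values are assumptions for illustration; whether longer timeouts actually cure the freezes is exactly what robocat reports they could not confirm.

```conf
# (A) Squid 3.1 as shipped: CONNECT is permitted only to 443, and an idle
#     tunnel is closed after read_timeout (default 15 minutes). A client whose
#     tunnel was torn down sees a frozen session until it reconnects.
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# read_timeout 15 minutes        (default, also the idle limit for tunnels)
# client_lifetime 1 day           (default)

# (B) replacement for the CONNECT rules in (A): name the Citrix entry points
#     and ICA ports explicitly instead of loosening CONNECT for everyone.
acl citrix_hosts dstdomain csg.example.com .citrix.example.com   # assumed names
acl ica_ports port 443 1494 2598     # HTTPS, ICA, CGP (session reliability)
acl Safe_ports port 1494 2598        # extends the Safe_ports ACL from (A)
http_access deny !Safe_ports
http_access allow CONNECT citrix_hosts ica_ports
http_access deny CONNECT !SSL_ports  # everything else stays 443-only
read_timeout 60 minutes              # longer idle allowance for the tunnels
client_lifetime 1 day                # do not cut a working session mid-day
```

Keep the `allow CONNECT citrix_hosts ica_ports` line above the generic `deny CONNECT !SSL_ports`, since Squid stops at the first matching http_access rule. Checking the access log for CONNECT entries to the Citrix hosts, and their durations, tells you whether the tunnel is being closed by the proxy before the user reports the freeze.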
No, we are not using CSG or Netscaler at all. But since this is free, we might consider implementing it.
Bypassing the proxy for Citrix clients, so when these connect they go directly to CSG: that's a solution we can live with.
> Bypassing the proxy for Citrix clients, so when these connect they go directly to CSG: that's a solution we can live with.

...and a solution that works.
> If you're not already using CSG or Netscaler for securing your Citrix farm, you should do so from a security perspective. But that doesn't change this problem, you're still tunneling ICA traffic over HTTPS over a proxy. The issue remains, as we can testify.

Then we will bypass the proxy for all Citrix traffic. Any other suggestions?
I agree; bypass the proxy for Citrix traffic and rely on CSG.
This solution is not accepted by the customer, because it's a proxy issue:
it's a Squid 3.1.6, which has some issues with the ICA protocol.
Does anyone have knowledge about Squid versions and what is supported?
Try disabling CGP (That is session reliability) and see if this helps. Read this for more info:

http://blogs.citrix.com/2013/01/23/session-reliability/
This is not a Squid specific issue.  See my earlier messages.
OK, I spoke with the customer directly.
Now I know that the connectivity was always on, with some acceptable disruptions. Since that infrastructure was migrated to better HW and a newer OS and Citrix version, it became (strangely) worse. I believe it could be a bandwidth and latency issue as well.
So isn't there any specific errors/events logged on the Citrix servers?
OK, I have some more news after I spoke with the responsible person:

This is what that company does:
http://www.aircominternational.com/Products/Planning/asset.aspx
To access their radio network planning tool, they used to connect to their Citrix server through our (Squid) proxy.

The connection through our proxy was always a bit shaky; however, they were always able to work with it. Once in a while there was a freeze, but the connection was always on.

As a workaround, they reconnected to that session and continued to work.

Since that company has migrated their infrastructure (new HW and OS and a new Citrix version), that issue increased and became worse, which makes even less sense.

Since the proxy is bypassed, the connectivity is fine and there has never been an interruption.

That leads to the conclusion that it must be the proxy. It is well known that the ICA protocol has some issues with proxies, or vice versa.

We are considering replacing the old proxy with the new F5.

Meanwhile, I'd like to edit the proxy PAC file; my question is:

What do I need to do to update that *.pac file to make it work?
You mean, how to bypass the proxy using the pac file?

BTW, I would recommend doing a test with F5 before purchasing. Otherwise you could spend a lot of money without result.
Yes, bypass the proxy using the PAC file, or update it to make sure that Citrix ICA is listed too.
However, tunneling of different traffic over HTTPS (Citrix ICA over HTTPS) is possible, but there are always constraints. Our current solution is not designed for real-time applications, so we have to find other ways.
The fact is, our customer has two different client versions and I was wondering if this could have some impact?
Since this is a real-time application, wouldn't it be advisable to use UDP?
From your last few posts I am more convinced that disabling Session Reliability could relax the situation, especially that your clients are re-logging as a work around.

I agree with robocat in that F5 might not be ICA-aware either. You need to test it before spending big money.

I don't have experience in *.pac; you can post another question in the appropriate topic to get some help in that.
Seems that writing a pac file should not be too difficult. I've found this example on the net:

   if (shExpMatch(url, "http://abcdomain.com/folder/*"))
        return "DIRECT";

Replace that URL with the URL for connecting to the citrix server and you bypass the proxy only for that URL.
But, robocat, once the ICA connection is initiated, the user doesn't go through the URL; the user device will connect directly with the session host. The first connection to the Web Interface will be through HTTP or HTTPS, port 80 or 443, to the URL. Once the user launches an application, a session will be initiated with the session host server and the connection becomes direct with no intermediaries, through TCP ports 1494/2598 or 443.
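The `shExpMatch` fragment robocat found, and Ayman's point that the ICA session is a second connection straight to the session host, are combined in the following added example of a complete PAC file. It is not from the thread or from Citrix; the host names, the session-host subnet and the proxy address are assumptions. The PAC helper functions are normally provided by the browser's PAC runtime; stand-ins with the documented behaviour (isInNet only for literal IP addresses, no DNS lookups) are included so the file can also be exercised from Node.

```javascript
// Added example: PAC file that sends the Citrix entry points and the
// session-host subnet DIRECT and keeps all other traffic on the proxy.
// All names, the subnet and the proxy address below are assumptions.

var PROXY = "PROXY proxy.example.com:3128";               // assumed corporate proxy
var CITRIX_HOSTS = ["csg.example.com", "wi.example.com"]; // assumed CSG / Web Interface
var ICA_NET = "10.20.0.0", ICA_MASK = "255.255.0.0";      // assumed session-host subnet

// --- stand-ins for the browser-supplied PAC helpers ---

function shExpMatch(str, pattern) {
  // shell-style glob: '*' matches any run, '?' one character, rest literal
  var re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function dnsDomainIs(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(s) {
  // dotted quad -> number, or -1 if s is not a literal IPv4 address
  var parts = s.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var o = parseInt(parts[i], 10);
    if (o > 255) return -1;
    n = n * 256 + o;
  }
  return n;
}

function isInNet(host, net, mask) {
  var a = ipToInt(host), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;  // no DNS resolution in this stand-in
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// --- the PAC entry point the browser (and the ICA client on Windows) calls ---

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // internal names never leave via the proxy
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Citrix entry points (Web Interface / CSG) by exact name or wildcard
  for (var i = 0; i < CITRIX_HOSTS.length; i++) {
    if (host === CITRIX_HOSTS[i]) return "DIRECT";
  }
  if (shExpMatch(host, "*.citrix.example.com")) return "DIRECT";

  // the ICA session itself is a separate TCP connection (1494/2598) to the
  // session host, so that subnet must be covered too, not just the launch URL
  if (isInNet(host, ICA_NET, ICA_MASK)) return "DIRECT";

  // policy: everything else goes through the proxy, with no "; DIRECT" fallback
  return PROXY;
}
```

The last return deliberately has no `; DIRECT` fallback: with it, a proxy outage would silently let every client bypass the proxy, which is exactly what the policy in this thread forbids. Only the Citrix hosts and the session-host subnet are exempted.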
Mutawadi: since our customer has migrated to a newer Citrix (and Windows OS) version with new HW (probably x64), he confirms that the connection is even slower. I don't think that disabling Session Reliability itself will help. I believe that all parts must be optimized (including the real-time application) to get the desired performance.

But this doesn't solve the issue itself:

those Citrix servers shall be defined properly in the PAC file.
I can post the PAC file; maybe somebody has a suggestion how to do that.
>connection becomes direct with no intermediaries through TCP ports 1494/2598 or 443

Are you sure this is your setup? Because if the ICA session is not tunneled over the proxy, you can't blame the proxy for any issues.
Citrix traffic on the proxy is bypassed.
>connection becomes direct with no intermediaries through TCP ports 1494/2598 or 443

By 'intermediaries' I meant the Web Interface in the middle. But of course, if the proxy is not bypassed, then it will have to go through the proxy.

Session Reliability has nothing to do with real-time apps; it is all about keeping the session up for a stated period of time in case network interruptions happen, so that the user comes back and resumes his session.
OK, after some research with the customer I can say that the problem is definitely not Citrix, but the proxy:

Users can work without any interruptions as long as the proxy is bypassed.
When the proxy is enabled, it takes 4-5 moves with the mouse and there's a complete freeze.

The "solution" is to reconnect, since the connection remains stable. This, of course, I cannot propose as a solution to the customer.
> This, of course, I cannot propose as a solution to the customer.

I didn't really get your input/question here!
Mutawadi: I can't tell our customer to "live" with that fact. I can't tell him to reconnect each time his mouse freezes. I have to deliver a satisfying solution that works for him.
ASKER CERTIFIED SOLUTION
Ayman Bakr