13.6 Configuring Connection and Session Limits

The Access Gateway establishes connections with clients and with Web servers. The Identity Server establishes the session and sets the session timeout. For most networks, the default values for the connection and session limits provide adequate performance, but you can fine-tune the options to match your network, its performance requirements, and your users:

13.6.1 Configuring TCP Listen Options for Clients

The TCP listen options allow you to control how idle and unresponsive browser connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options.

    Figure: Configuring the listen options for clients
  2. Select Enable Persistent Connections to allow the Access Gateway to establish a persistent HTTP connection between the Access Gateway and the browser. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  3. Specify values for the following fields:

    Connection Handshake Timeout: (NetWare only) Sets a timeout limit for a connecting device that stops responding after having initiated the TCP handshake process. If an expected handshake response is not received from the connecting device in this amount of time, an error occurs. Setting the value lower might help defend against SYN attacks. The timeout can be set from 1 to 120 seconds. The default is 30 seconds.

    Keep Alive Interval: (NetWare only) Sets the length of time between packets being sent to a connected device to determine if the connection is still alive. If a response is not received within the Data Read Timeout value, the connection is closed. On an idle connection, sending these ping packets continues until the Idle Timeout value is reached. Setting the value to zero prevents the sending of keep-alive packets. The value can be set from 0 to 1440 seconds (24 minutes). The default is 300 seconds (5 minutes).

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    Idle Timeout: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This value limits how long an idle persistent connection is kept open. This setting is a compromise between freeing resources to allow additional inbound connections, and keeping connections established so that new connections from the same device do not need to be re-established. The value can be set from 1 to 1800 seconds (30 minutes). The default is 180 seconds (3 minutes).

    Retransmit Limit: (NetWare only) Determines how many times data is resent. When exchanging data, if the expected acknowledgement (ACK) response is not received, this is the number of times the device attempts to resend the data before closing the connection. You can set the value from 1 to 50. The default is 8.

    Enable Nagle’s Algorithm: (NetWare only) Determines whether small buffer messages can be concatenated into one large message. When this option is enabled, small buffer messages are automatically concatenated. This process increases the efficiency of a network application system by decreasing the number of packets that must be sent. Enabling this feature delays data transmission until a full TCP packet can be sent.

  4. On a Linux Access Gateway, you can also configure the encryption key. (For the NetWare® Access Gateway, the encryption key is set globally for all reverse proxies. See Section 14.6, Configuring the Encryption Key.) Select one or more of the following:

    Enforce 128-Bit Encryption between Browser and Access Gateway: When this option is selected, the Access Gateway requires all its server connections with client browsers to use 128-bit encryption. If the encryption key is shorter than 128 bits, regardless of the cipher suite, the connection is denied.

    Enforce 128-Bit Encryption between Access Gateway and Web Server: When this option is selected, the Access Gateway requires all its client connections to Web servers to use 128-bit encryption. If the encryption key is shorter than 128 bits, regardless of the cipher suite, the connection is denied.

  5. To save your changes to browser cache, click OK.

  6. To apply your changes, click the Access Gateways link, then click Update > OK.
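The keep-alive, data-read, and idle timeouts described in step 3 interact on a single connection, and the same fields recur for Web server connections in Section 13.6.2. The following added example (not Access Manager code; field names and the simulation are this page's own construction) encodes the documented ranges and the described behavior so a proposed setting can be sanity-checked before it is applied.

```python
"""Model of how the TCP timeouts interact on one idle persistent connection.

Assumptions (from the text above): keep-alive probes are sent every
keep_alive_interval seconds while no application data flows; a probe that is
not answered within data_read_timeout closes the connection; the idle clock
is not reset by probes and closes the connection at idle_timeout.
"""
from dataclasses import dataclass

# Documented ranges: seconds, except retransmit_limit which is a count.
RANGES = {
    "handshake_timeout": (1, 120),
    "keep_alive_interval": (0, 1440),
    "data_read_timeout": (1, 3600),
    "idle_timeout": (1, 1800),
    "retransmit_limit": (1, 50),
}


@dataclass
class TcpOptions:
    handshake_timeout: int = 30      # documented defaults
    keep_alive_interval: int = 300
    data_read_timeout: int = 120
    idle_timeout: int = 180
    retransmit_limit: int = 8

    def validate(self) -> list:
        """Names of fields outside the documented ranges (empty if all valid)."""
        return [f for f, (lo, hi) in RANGES.items()
                if not lo <= getattr(self, f) <= hi]


def idle_connection_outcome(opts: TcpOptions, peer_answers_probes: bool):
    """Simulate an idle connection. Returns (reason, seconds_open, probes_sent)."""
    if opts.keep_alive_interval == 0:              # keep-alive disabled
        return ("idle_timeout", opts.idle_timeout, 0)
    probes = 0
    t = opts.keep_alive_interval                   # time of the first probe
    while t < opts.idle_timeout:
        probes += 1
        if not peer_answers_probes:
            close_at = t + opts.data_read_timeout
            if close_at < opts.idle_timeout:       # read timeout wins
                return ("data_read_timeout", close_at, probes)
            break                                  # idle timeout wins anyway
        t += opts.keep_alive_interval
    return ("idle_timeout", opts.idle_timeout, probes)
```

With the documented defaults the first probe (300 s) falls after the idle timeout (180 s), so on an idle client connection no keep-alive is ever sent and the idle timeout alone closes it.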

13.6.2 Configuring TCP Connect Options for Web Servers

Connect options are specific to the group of Web servers configured for a proxy service. They allow you to control how idle and unresponsive Web server connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.

    Figure: Configuring connection options for the Web servers
  2. (Linux only) Configure the IP address to use when establishing connections with Web servers. Configure the following:

    Cluster Member: (Available only if the Linux Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.

    Make Outbound Connection Using: (Linux only) Specifies which IP address the proxy service should use when establishing connections with the back-end Web servers.

  3. (Linux only) Select how the Web servers should be contacted when multiple Web servers are available. Select one of the following:

    • Simple Failover: Allows the next available Web server in the group to be contacted when the first server in the list is no longer available.

    • Round Robin: Moves in order through the list of Web servers, allowing each to service requests before starting at the beginning of the list for a second group of requests.

      This is the default behavior of the NetWare Access Gateway, and it is not configurable.

  4. Select Enable Persistent Connections to allow the Access Gateway to establish a persistent HTTP connection between the Access Gateway and the Web server. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  5. To modify the connection timeouts between the Access Gateway and the Web servers, configure the following fields:

    Connection Handshake Timeout: (NetWare only) Sets a timeout limit for a connecting device that stops responding after initiating the TCP handshake process. If an expected handshake response is not received from the connecting device in this amount of time, an error occurs. Setting the value lower might help defend against SYN attacks. The timeout can be set from 1 to 120 seconds. The default is 30 seconds.

    Keep Alive Interval: (NetWare only) Sets the length of time between packets being sent to a connected device to determine if the connection is still alive. If a response is not received within the Data Read Timeout value, the connection is closed. On an idle connection, sending these ping packets continues until the Idle Timeout value is reached. Setting the value to zero prevents the sending of keep-alive packets. The value can be set from 0 to 1440 seconds (24 minutes). The default is 300 seconds (5 minutes).

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    Idle Timeout: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This value limits how long an idle persistent connection is kept open. This setting is a compromise between freeing resources to allow additional inbound connections, and keeping connections established so that new connections from the same device do not need to be re-established. The value can be set from 1 to 1800 seconds (30 minutes). The default is 180 seconds (3 minutes).

    Retransmit Limit: (NetWare only) Determines how many times data is resent. When exchanging data, if the expected acknowledgement (ACK) response is not received, this is the number of times the device attempts to resend the data before closing the connection. You can set the value from 1 to 50. The default is 8.

    Enable Nagle’s Algorithm: (NetWare only) Determines whether small buffer messages can be concatenated into one large message. When this option is enabled, small buffer messages are automatically concatenated. This process increases the efficiency of a network application system by decreasing the number of packets that must be sent. Enabling this feature delays data transmission until a full TCP packet can be sent.

  6. To save your changes to browser cache, click OK.

  7. To apply your changes, click the Access Gateways link, then click Update > OK.
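Step 3 above gives two ways of choosing among multiple Web servers. The following added example (not product code; server names are constructed placeholders) models both modes as the text defines them, so the resulting load distribution can be compared when one server in the group goes down.

```python
"""Simple Failover versus Round Robin selection over a Web server group."""


class WebServerGroup:
    def __init__(self, servers):
        self.servers = list(servers)          # configured order is significant
        self.up = {s: True for s in servers}  # constructed availability state
        self._cursor = 0                      # round-robin position

    def set_available(self, server, available):
        self.up[server] = available

    def simple_failover(self):
        """First available server in configured order; None if all are down."""
        for s in self.servers:
            if self.up[s]:
                return s
        return None

    def round_robin(self):
        """Next available server in rotation, skipping unavailable ones."""
        for _ in range(len(self.servers)):
            s = self.servers[self._cursor % len(self.servers)]
            self._cursor += 1
            if self.up[s]:
                return s
        return None


def distribution(group, strategy, requests):
    """Count how many of `requests` each server receives under `strategy`."""
    counts = {s: 0 for s in group.servers}
    for _ in range(requests):
        chosen = strategy()
        if chosen is not None:
            counts[chosen] += 1
    return counts
```

Simple Failover sends every request to the first available server, so the rest of the group sees no traffic until that server fails; Round Robin spreads requests across whichever servers are up.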

13.6.3 Configuring Connection and Session Persistence

The Access Gateway establishes three types of connections:

  • Access Gateway to browser

  • Access Gateway to Web server

  • Browser to Web server

The Access Gateway to the browser connections and the Access Gateway to the Web server connections involve setting up a TCP connection for an HTTP request. HTTP connections usually service only one request and response sequence, and the TCP connection is opened and closed during the sequence. A persistent connection allows multiple requests to be serviced before the connection is closed and saves a significant amount of processing time. To configure this type of persistence, see the following:

  • Access Gateway to Browser: Click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options and configure the Enable Persistent Connections option.

  • Access Gateway to Web Server: Click Access Manager > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options and configure the Enable Persistent Connections option.

The persistence of the browser to Web server connection is always enabled and is not configurable. This feature allows a browser to use the same Web server after an initial connection has been established. Most Web applications are designed to expect this type of behavior.

13.6.4 Configuring the Session Timeout

When a user logs in and authenticates to the Identity Server, the Identity Server establishes a session for the user and sets an inactivity timeout for the session. If the user’s session becomes inactive and reaches this time limit, the session becomes invalid. If the user tries to access a resource from an invalid session, the user is prompted to log in again.

The session timeout is a global value, affecting all users who authenticate to the Identity Server and all resources protected by Access Manager. The default value for the session timeout is 15 minutes.

To modify this value:

  1. In the Administration Console, click Access Manager > Identity Servers > Edit.

  2. For the Session timeout option, use the up-arrow button to increase the timeout and the down-arrow button to decrease the timeout.

  3. Click OK, then update the Identity Server.