1.7 Configuring Connection and Session Limits

The Access Gateway establishes connections with clients and with Web servers. The Identity Server establishes the session and sets the session timeout. For most networks, the default values for the connection and session limits provide adequate performance, but you can fine-tune the options to match for your network, its performance requirements, and your users:

1.7.1 Configuring TCP Listen Options for Clients

The TCP listen options allow you to control how idle and unresponsive browser connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options.

    Configuring the listen options for clients

  2. Select Enable Persistent Connections to allow the Access Gateway to establish a persistent HTTP connection between the Access Gateway and the browser. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  3. Specify values for the TCP Listen Options:

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    Idle Timeout: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This value limits how long an idle persistent connection is kept open. This setting is a compromise between freeing resources to allow additional inbound connections, and keeping connections established so that new connections from the same device do not need to be re-established. The value can be set from 1 to 1800 seconds (30 minutes). The default is 180 seconds (3 minutes).

  4. To configure the encryption key, select one or more of the following:

    Enforce 128-Bit Encryption between Browser and Access Gateway: When this option is selected, the Access Gateway requires all its server connections with client browsers to use 128-bit encryption. If the encryption key is less than 128, regardless of the cipher suite, the connection is denied.

    Enforce 128-Bit Encryption between Access Gateway and Web Server: When this option is selected, the Access Gateway requires all its client connections to Web servers to use 128-bit encryption. If the encryption key is less than 128, regardless of the cipher suite, the connection is denied.

  5. To save your changes to browser cache, click OK.

  6. To apply your changes, click the Access Gateways link, then click Update > OK.

1.7.2 Configuring TCP Connect Options for Web Servers

Connect options are specific to the group of Web servers configured for a proxy service. They allow you to control how idle and unresponsive Web server connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. In the Administration Console, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.

    Configuring connection options for the Web servers

  2. Configure the IP address to use when establishing connections with Web servers:

    Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.

    Make Outbound Connection Using: Specifies which IP address the proxy service should use when establishing connections with the back-end Web servers.

  3. Select how the Web servers should be contacted when multiple Web servers are available. Select one of the following for the Policy for Multiple Destination IP Addresses option:

    • Simple Failover: Allows the next available Web server in the group to be contacted when the first server in the list is no longer available.

    • Round Robin: Moves in order through the list of Web servers, allowing each to service requests before starting at the beginning of the list for a second group of requests.

  4. Select Enable Persistent Connections to allow the Access Gateway to establish a persistent HTTP connection between the Access Gateway and the Web server. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  5. To modify the connection timeouts between the Access Gateway and the Web servers, configure the following fields:

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    Idle Timeout: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This value limits how long an idle persistent connection is kept open. This setting is a compromise between freeing resources to allow additional inbound connections, and keeping connections established so that new connections from the same device do not need to be re-established. The value can be set from 1 to 1800 seconds (30 minutes). The default is 180 seconds (3 minutes).

  6. To save your changes to browser cache, click OK.

  7. To apply your changes, click the Access Gateways link, then click Update > OK.

1.7.3 Configuring Connection and Session Persistence

The Access Gateway establishes three types of connections:

  • Access Gateway to browser

  • Access Gateway to Web server

  • Browser to Web server

The Access Gateway to the browser connections and the Access Gateway to the Web server connections involve setting up a TCP connection for an HTTP request. HTTP connections usually service only one request and response sequence, and the TCP connection is opened and closed during the sequence. A persistent connection allows multiple requests to be serviced before the connection is closed and saves a significant amount of processing time. To configure this type of persistence, see the following:

  • Access Gateway to Browser: Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options and configure the Enable Persistent Connections option.

  • Access Gateway to Web Server: Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options and configure the Enable Persistent Connections option.

The persistence of the browser to Web server connection is always enabled and is not configurable. This feature allows a browser to use the same Web server after an initial connection has been established. Most Web applications are designed to expect this type of behavior.

1.7.4 Configuring the Session Timeout

When a user logs in and authenticates to the Identity Server, the Identity Server establishes a session for the user and sets an inactivity timeout for the session. If the user’s session becomes inactive and reaches this time limit, the session becomes invalid. If the user tries to access a resource from an invalid session, the user is prompted to log in again.

The session timeout is a global value, affecting all users who authenticate to the Identity Server and all resources protected by Access Manager. The default value for the session timeout is 60 minutes.

To modify this value:

  1. In the Administration Console, click Devices > Identity Servers > Edit.

  2. For the Session timeout option, use the up-arrow button to increase the timeout and the down-arrow button to decrease the timeout.

  3. Click OK, then update the Identity Server.