
Citrix ships Access Gateway 4.2.3

Today Citrix posted a new hotfix for Access Gateway, which brings the current version up to 4.2.3:

v4.2.3 Hotfix for Citrix Access Gateway
http://support.citrix.com/article/CTX108902

The article lists 20 issues resolved by this hotfix. I thought I would spend a moment talking about #16:

16. Session reliability sessions are dropped when the Secure Ticket Authority (STA) is restarted. (TT23204)

As you probably know, the Secure Ticket Authority creates a one-time-use ticket that allows the user to connect through the gateway en route to a Presentation Server. If the gateway can validate the ticket, then the traffic is allowed through and that ticket can never be used again. So why would restarting the STA affect sessions that are already established?

The answer lies in how Session Reliability is implemented for Gateway connections (Secure Gateway or Access Gateway). The requirement for session reliability is that if the user's network connection is severed, we should be able to create a new ICA+SSL connection through the gateway and get reconnected to the Presentation Server session without the user having to re-authenticate. But how do we pull that off if the original connection ticket from the STA has already been used?

When a user opens a connection through the Gateway with session reliability enabled, the gateway first validates their connection ticket as before, but then immediately requests a 2nd ticket from the STA. This 2nd ticket is a reconnection ticket, which is sent down through the CGP protocol to the end user. This reconnect ticket is only used if the connection gets broken and the user needs to re-establish their transport-layer connection to the gateway.

Tickets issued by the STA naturally expire after a fixed amount of time; for reconnect tickets I believe the default is 500 seconds. At some point before that 500-second window expires, the gateway needs to "refresh" the reconnect tickets of all the users who are currently connected. So the gateway will periodically check back in with the STA to perform ticket renewal for the connected sessions. When this happens, you'll see an entry such as this in the Access Gateway system log:

(07/15/06 19:44:10):server:sta_proto: Entering renew_sta_tickets

The STA needs to stay alive for this to succeed, because the reconnect tickets are not persisted to disk; they are just held in memory at the STA. If you bounce the XML service or reset IIS on the server acting as the STA, you will flush all the current tickets from memory, and all the users who were relying on those tickets will sacrifice their reconnect capability.

Now here's the bug that was fixed in 4.2.3: when the Access Gateway failed to renew a reconnect ticket at the STA, it would forcefully disconnect the user's session instead of allowing them to remain connected minus the session reliability feature. The corrected behavior is that users will not lose their session because of a ticket renewal failure, but instead they will only lose the ability to withstand brief network outages.
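To make the ticket flow and the fix concrete, here is a small Python model added to this post as an illustration; it is not Citrix code and does not reflect the real STA or gateway implementation. It shows an in-memory, one-time-use ticket store, a gateway session that immediately takes a second (reconnect) ticket and renews it periodically, and a `fixed` switch contrasting the pre-4.2.3 behaviour with the corrected one after the STA is restarted. The ticket naming, the one-ticket-consumed-per-renewal model and the `fixed` flag are my assumptions.

```python
class STA:
    """Secure Ticket Authority: tickets live only in memory, so a restart flushes them."""
    def __init__(self, ttl=500):           # 500 s reconnect-ticket lifetime from the post
        self.ttl, self.tickets, self.n = ttl, {}, 0

    def issue(self, session, now):
        self.n += 1
        ticket = f"T{self.n}"               # constructed ticket id (assumption)
        self.tickets[ticket] = (session, now + self.ttl)
        return ticket

    def validate(self, ticket, now):
        """One-time use: a ticket is consumed on validation; returns session or None."""
        session, expiry = self.tickets.pop(ticket, (None, 0))
        return session if expiry > now else None

    def restart(self):                     # IIS reset / XML service bounce
        self.tickets.clear()

class GatewaySession:
    def __init__(self, sta, conn_ticket, now, fixed=True):
        self.sta, self.fixed = sta, fixed
        self.session = sta.validate(conn_ticket, now)
        self.connected = self.session is not None
        # Immediately request a 2nd (reconnect) ticket, sent to the client over CGP.
        self.reconnect_ticket = sta.issue(self.session, now) if self.connected else None

    def renew_sta_tickets(self, now):
        """Periodic renewal before the reconnect ticket's window expires."""
        if not self.connected or self.reconnect_ticket is None:
            return
        session = self.sta.validate(self.reconnect_ticket, now)
        if session is None:                # STA lost the ticket (restarted or expired)
            if self.fixed:
                self.reconnect_ticket = None   # 4.2.3: keep session, lose reliability
            else:
                self.connected = False         # pre-4.2.3: user forcibly disconnected
            return
        self.reconnect_ticket = self.sta.issue(session, now)

def demo(fixed):
    """Return (still_connected, reconnect_possible) after an STA restart mid-session."""
    sta = STA()
    conn = sta.issue("user1", now=0)
    gw = GatewaySession(sta, conn, now=0, fixed=fixed)
    gw.renew_sta_tickets(now=300)          # renewal succeeds while the STA is up
    sta.restart()                          # flushes every in-memory ticket
    gw.renew_sta_tickets(now=600)          # renewal now fails
    return gw.connected, gw.connected and gw.reconnect_ticket is not None
```

`demo(False)` models the old gateway (session dropped), `demo(True)` the 4.2.3 gateway (session kept, reconnect ticket gone).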

Jay


Comments

Hi Jay,
How are you?
When I try to download the hotfix I get the following from the Citrix Web site:

NOTE:

You have reached the end of the Internet and must go back.

Please click here to continue.

New wording to be developed.

Looks like the link is broken on the KB article. Try this link instead.

Hi Jay,

Are you able to shed any light on a memory leakage issue with CAG?

Please see http://www.brianmadden.com/forum/tm.aspx?m=59735
for more info.

Thanks,

James.

James,

Sorry to hear that you are having problems. I know there have been a few memory leaks identified and fixed in versions 4.2.2 and 4.2.3. If you are running 4.2.3 and are still experiencing the memory leak, then Citrix tech support should escalate the case in order to identify the source of the leak. They have engineers who can connect to your gateway in a debug mode to identify the offending code and produce a hotfix. This sounds like the course of action that's needed. However, they won't attempt to debug your server unless it's running the latest and greatest code, so be sure to verify that the issue still occurs with 4.2.3. If it does, you have a solid case for escalation.

Jay

Jay,
Do you know when Exchange 2003 ActiveSync with the Access Gateway to the Pocket PC will be available?
Also when it is available will it require AAC or will it work with the Access Gateway by itself?
Thanks

Jay,
