2.6.7 Configuring Connection and Session Limits

Access Gateway establishes connections with clients and with web servers. For most networks, the default values for idle and unresponsive connections provide adequate performance, but you can fine-tune the options for your network, its performance requirements, and your users. The procedures below cover the TCP listen options for browser connections, the TCP connect options for web server connections, connection persistence, and the web server settings of a proxy service.

Inactivity time limits for authenticated sessions are not configured here: they are set on the authentication contract and enforced by Identity Server. For information about how to configure this limit, see Assigning a Timeout Per Protected Resource.

Configuring TCP Listen Options for Clients

The TCP listen options allow you to control how idle and unresponsive browser connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options.

  2. Select Enable Persistent Connections to allow Access Gateway to establish a persistent HTTP connection between Access Gateway and the browser. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  3. Specify values for the TCP Listen Options:

    Keep Alive Interval: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This is an application-level idle timer (it counts application data, not TCP keep-alive probes) that limits how long an idle persistent connection is kept open. The setting is a compromise between freeing resources for additional inbound connections and keeping connections established so that subsequent requests from the same device do not have to set up a new connection. The value can be set from 1 to 1440 seconds (24 minutes). The default is 300 seconds (5 minutes).

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    NOTE: WebSocket provides ping and pong control frames to keep a connection alive. If your application uses WebSocket but does not send periodic pings, set this value to 3600 seconds to avoid frequent disconnections: a WebSocket connection that is idle for longer than Data Read Timeout is terminated.

  4. To enforce a minimum encryption key length, select one or both of the following:

    Enforce 128-Bit Encryption between Browser and Access Gateway: When this option is selected, Access Gateway requires all its server connections with client browsers to use a key of at least 128 bits. A connection whose negotiated key is shorter than 128 bits is denied, regardless of the cipher suite.

    Enforce 128-Bit Encryption between Access Gateway and Web Server: When this option is selected, Access Gateway requires all its client connections to web servers to use a key of at least 128 bits. A connection whose negotiated key is shorter than 128 bits is denied, regardless of the cipher suite.

    NOTE: These SSL listen options appear disabled when you are configuring a tunneling service.

  5. To save your changes to browser cache, click OK.

  6. To apply your changes, click the Access Gateways link, then click Update > OK.
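To verify from the outside that Enable Persistent Connections, Keep Alive Interval and Data Read Timeout behave as configured, the following Python probe (an added example, not part of this documentation or of Access Gateway) opens one persistent HTTP/1.1 connection, sends a request, then either idles between requests or stalls halfway through a second request, and reports whether the gateway still answers. The GatewayStandIn class is a constructed local stand-in that mimics the two timers so the example runs offline; it is not the product. The host, port, path and the function names are the example's own.

```python
import socket
import socketserver
import threading
import time

# Constructed stand-in for the gateway's listener (not the product): it closes
# a persistent connection that idles between requests for longer than
# keep_alive_interval, and one that stalls inside a request for longer than
# data_read_timeout.  It answers any complete header block with a fixed reply.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok"


class GatewayStandIn(socketserver.BaseRequestHandler):
    keep_alive_interval = 1.0   # seconds, plays the role of Keep Alive Interval
    data_read_timeout = 1.0     # seconds, plays the role of Data Read Timeout

    def handle(self):
        pending = b""
        while True:
            # Which timer applies depends on whether a request is in flight.
            limit = self.data_read_timeout if pending else self.keep_alive_interval
            self.request.settimeout(limit)
            try:
                chunk = self.request.recv(4096)
            except socket.timeout:
                return                      # timer expired: drop the connection
            if not chunk:
                return                      # client closed
            pending += chunk
            while b"\r\n\r\n" in pending:   # one complete header block == one GET
                _, pending = pending.split(b"\r\n\r\n", 1)
                self.request.sendall(RESPONSE)


def start_stand_in(keep_alive_interval, data_read_timeout):
    """Start the stand-in on an ephemeral 127.0.0.1 port and return the server."""
    handler = type("Handler", (GatewayStandIn,), {
        "keep_alive_interval": keep_alive_interval,
        "data_read_timeout": data_read_timeout,
    })
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _read_response(sock):
    """Read one response with a Content-Length body; None if the peer closed."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    length = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            length = int(line.split(b":", 1)[1])
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        body += chunk
    return head.split(b"\r\n")[0].decode(errors="replace")


def connection_survives(host, port, stall_seconds, stall_mid_request=False, path="/"):
    """Send a request on a persistent connection, stall, then send another.

    stall_mid_request=False: the stall is between requests, so Keep Alive
    Interval applies.  True: the stall is inside the second request (half of
    its headers sent), so Data Read Timeout applies.  Returns True if the
    gateway still answers the second request.
    """
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: keep-alive\r\n\r\n").encode()
    half = len(request) // 2
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        if _read_response(sock) is None:
            return False                    # no answer at all: nothing to test
        try:
            if stall_mid_request:
                sock.sendall(request[:half])
                time.sleep(stall_seconds)
                sock.sendall(request[half:])
            else:
                time.sleep(stall_seconds)
                sock.sendall(request)
            return _read_response(sock) is not None
        except (ConnectionResetError, BrokenPipeError, socket.timeout):
            return False


if __name__ == "__main__":
    import sys
    host, port, stall = sys.argv[1], int(sys.argv[2]), float(sys.argv[3])
    print("idle between requests:", connection_survives(host, port, stall))
    print("stalled mid-request:  ", connection_survives(host, port, stall, True))
```

Against a real reverse proxy, run it as `python probe.py <host> <port> <stall-seconds>` with a stall slightly above and slightly below the configured value: with a 300-second Keep Alive Interval, a 280-second idle must survive and a 320-second idle must not. For an HTTPS listener, wrap the connected socket with `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` before sending; the timers behave the same. A gateway with Enable Persistent Connections cleared answers the first request with `Connection: close`, so every second request fails.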

Configuring TCP Connect Options for Web Servers

Connect options are specific to the group of web servers configured for a proxy service. They allow you to control how idle and unresponsive web server connections are handled and to optimize these processes for your network. For most networks, the default values provide adequate performance. If your network is congested and slow, you might want to increase some of the limits.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options.

  2. Configure the IP address to use when establishing connections with web servers:

    Cluster Member: (Available only if Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. Only the value of the Make Outbound Connection Using option applies to the selected server.

    Make Outbound Connection Using: (Access Gateway Appliance) Specifies which IP address the proxy service must use when establishing connections with the back-end web servers.

  3. Select how the web servers must be contacted when multiple web servers are available. Select one of the following for the Policy for Multiple Destination IP Addresses option:

    • Simple Failover: Allows the next available web server in the group to be contacted when the first server in the list is no longer available.

    • Round Robin: Sends requests to the web servers in list order, each server in turn, and returns to the first server in the list after the last one has been used.

    NOTE: The Make Outbound Connection Using and Policy for Multiple Destination IP Addresses options are available only in Access Gateway Appliance; Access Gateway Services does not offer them.

  4. Select Enable Persistent Connections to allow Access Gateway to establish a persistent HTTP connection between Access Gateway and the web server. Usually, HTTP connections service only one request and response sequence. A persistent connection allows multiple requests to be serviced before the connection is closed.

    This option is enabled by default.

  5. To modify the connection timeouts between Access Gateway and the web servers, configure the following fields:

    Data Read Timeout: Determines when an unresponsive connection is closed. When exchanging data, if an expected response from the connected device is not received within this amount of time, the connection is closed. This value might need to be increased for slow or congested network links. The value can be set from 1 to 3600 seconds (1 hour). The default is 120 seconds (2 minutes).

    NOTE: WebSocket provides ping and pong control frames to keep a connection alive. If your application uses WebSocket but does not send periodic pings, set this value to 3600 seconds to avoid frequent disconnections: a WebSocket connection that is idle for longer than Data Read Timeout is terminated.

    Idle Timeout: Determines when an idle connection is closed. If no application data is exchanged over a connection for this amount of time, the connection is closed. This value limits how long an idle persistent connection to a web server is kept open. The setting is a compromise between freeing connection resources and keeping connections established so that subsequent requests to the same web server do not have to set up a new connection. The value can be set from 1 to 1800 seconds (30 minutes). The default is 180 seconds (3 minutes).

  6. To save your changes to browser cache, click OK.

  7. To apply your changes, click the Access Gateways link, then click Update > OK.
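The WebSocket notes under Data Read Timeout (in both the TCP Listen Options and the TCP Connect Options procedures) say that a connection without ping/pong traffic is terminated once it idles for longer than the timeout. Instead of raising the timeout to 3600 seconds, a client can keep the connection busy by sending ping control frames. The following Python code is an added example, not part of this documentation or of Access Gateway: it builds and parses RFC 6455 frames, derives a ping period from the configured Data Read Timeout (the half-the-timeout rule is an assumption, not a product recommendation), and separates the pong from application frames received on the same socket. The function names are the example's own.

```python
import os
import struct

OPCODE_PING = 0x9
OPCODE_PONG = 0xA


def ws_frame(opcode, payload=b"", mask=True):
    """Build one RFC 6455 frame with FIN set.

    Frames sent by a client must be masked (RFC 6455, section 5.3); frames
    from the server are not.  Control frames (opcode >= 0x8) carry at most
    125 bytes of payload.
    """
    if opcode >= 0x8 and len(payload) > 125:
        raise ValueError("control frame payload must be 125 bytes or fewer")
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    head = bytes([0x80 | opcode])
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return head + payload
    key = os.urandom(4)
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def parse_frame(data):
    """Decode one frame from the front of data.

    Returns (fin, opcode, payload, bytes_consumed), or None if data does not
    yet hold a complete frame (the caller should read more and retry).
    """
    if len(data) < 2:
        return None
    fin = bool(data[0] & 0x80)
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n = data[1] & 0x7F
    pos = 2
    if n == 126:
        if len(data) < 4:
            return None
        n, pos = struct.unpack("!H", data[2:4])[0], 4
    elif n == 127:
        if len(data) < 10:
            return None
        n, pos = struct.unpack("!Q", data[2:10])[0], 10
    key = b""
    if masked:
        if len(data) < pos + 4:
            return None
        key, pos = data[pos:pos + 4], pos + 4
    if len(data) < pos + n:
        return None
    payload = data[pos:pos + n]
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + n


def ping_interval(data_read_timeout):
    """Seconds between pings so that traffic always flows well inside the
    gateway's Data Read Timeout.  Assumption: half the timeout, between 1 s
    and 30 s; the page gives no rule of its own."""
    return max(1.0, min(data_read_timeout / 2.0, 30.0))


def split_pong(buffered, expected_payload):
    """Consume complete frames from bytes received from the server.

    Returns (pong_seen, application_frames, remaining_bytes).  The keepalive
    logic only needs to know whether the pong for the last ping arrived (a
    pong echoes the ping payload, RFC 6455 section 5.5.3); every other frame
    is handed back as (opcode, payload) so the application still gets it.
    """
    seen, others = False, []
    while True:
        frame = parse_frame(buffered)
        if frame is None:
            return seen, others, buffered
        _, opcode, payload, used = frame
        buffered = buffered[used:]
        if opcode == OPCODE_PONG and payload == expected_payload:
            seen = True
        else:
            others.append((opcode, payload))
```

After the HTTP upgrade handshake, send `ws_frame(OPCODE_PING, b"keepalive")` every `ping_interval(data_read_timeout)` seconds and pass everything read from the socket through `split_pong`; if no pong arrives before the next ping is due, treat the connection as dead and reconnect rather than waiting for the gateway to drop it.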

Configuring Connection and Session Persistence

Access Gateway establishes the following connections:

  • Access Gateway to browser

  • Access Gateway to web server

Both involve setting up a TCP connection for an HTTP request. Without persistence, an HTTP connection services only one request and response sequence: the TCP connection is opened for the request and closed after the response.

A persistent connection allows multiple requests to be serviced before the connection is closed and saves a significant amount of processing time. To configure this type of persistence, perform the following actions:

  • Access Gateway to Browser: Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > TCP Listen Options and select Enable Persistent Connections.

  • Access Gateway to Web Server: Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers > TCP Connect Options and select Enable Persistent Connections.

Configuring Web Servers

The web server configuration determines how Access Gateway handles connections and packets between itself and the web servers. For more information about web server configuration, see Section 2.6.4, Configuring Web Servers of a Proxy Service.

  1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers.

  2. Configure session stickiness, which controls whether a user's session stays on one web server of the group:

    Enable Session Stickiness: Enabled by default. When it is enabled, the proxy service uses the same web server for all fills during a session, so server-side session state does not have to be shared among the web servers in the group.

  3. If your browsers are capable of sending HTTP 1.1 requests, configure the following field to match your web servers:

    Enable Force HTTP 1.0 to Origin: Indicates whether HTTP 1.1 requests from browsers are translated to HTTP 1.0 requests before they are sent to the web server. If your browsers send HTTP 1.1 requests and your web server can handle only HTTP 1.0 requests, you must enable this option.

    When the option is enabled, Access Gateway translates each HTTP 1.1 request to an HTTP 1.0 request before forwarding it.

  4. To enable SSL connections between the proxy service and its web servers, select Connect Using SSL. For configuration information for this option, Web Server Trusted Root, and SSL Mutual Certificate, see Section 19.6, Configuring SSL between the Proxy Service and the Web Servers.

  5. In the Connect Port field, specify the port that Access Gateway must use to communicate with the web servers. The following table lists some default port values for common types of web servers.

    Server Type                     Non-Secure Port    Secure Port
    Web server with HTML content    80                 443
    WebSphere                       9080               9443
    JBoss                           8080               8443

  6. To control how idle and unresponsive web server connections are handled and to optimize these processes for your network, select TCP Connect Options. For more information, see Configuring TCP Connect Options for Web Servers.

  7. To add a web server, click New in the Web Server List and specify the IP address or the fully qualified DNS name of the web server.

    The web servers added to this list must contain identical web content. Configuring your system with multiple servers that hold the same content adds fault tolerance and increases the capacity for processing requests. For more information about this process, see Setting Up a Group of Web Servers.

    • New: To create a new web server, click New. Specify the web server IP address or DNS name. Click OK to add the new web server to the list or Cancel to discard the changes.

      After adding the web server to the list, you can configure it as the primary server and prioritize the list of web servers according to your requirements.

    • Delete: To delete a web server, select the web server from the list, then click Delete.

      If you delete a web server, the corresponding web server entries of all devices in the cluster are deleted as well.

  8. With the Simple Failover policy, the web server list is ordered, and you can select which server is the primary web server.

    The most common configuration is the same list of web servers, with the same primary, on all Gateway Appliances in a cluster. However, you might want the Gateway Appliances in a cluster to have different lists; for example, when geographically separated locations each host Gateway Appliances as well as some of the web servers. In such cases, select the individual member from the Cluster/Cluster Member drop-down list and configure the primary and the other web servers for each member.

    NOTE: After you switch to a member-level configuration, you cannot change the priority of web servers at the cluster level, but you can still add and delete web servers there.

    Primary Web Server: The web server that serves all requests for this proxy service while it is available. Applies only to Simple Failover.

    Group Web Servers: Web servers added at the cluster level are common to all members and are displayed in every cluster member's group.

    For more information about this process, see Configuring Web Servers at Cluster Level and Configuring Web Servers at Member Level.

  9. To save your changes to browser cache, click OK.

  10. To apply your changes, click the Access Gateways link, then click Update > OK.
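To make the difference between Simple Failover, Round Robin (Policy for Multiple Destination IP Addresses, in Configuring TCP Connect Options for Web Servers) and Enable Session Stickiness (step 2 above) concrete, the following Python model routes a sequence of requests to a web server group under each policy while members are marked down and up. It is an added example, not Access Gateway's code. Where the page does not say how the gateway behaves (whether Simple Failover returns to the primary once it is available again, how Round Robin treats an unavailable member, and where a sticky session goes when its server fails), the model makes the assumptions stated in its docstring; the class and function names are the example's own.

```python
import itertools


class WebServerGroup:
    """Constructed model of one proxy service's web server group.

    policy: "failover"    -> Simple Failover: the first available server in
                             list order (the primary) takes every request.
            "round_robin" -> Round Robin: requests rotate through the list.
    sticky: Enable Session Stickiness: a session, once placed, stays on its
            server for as long as that server is available.
    Assumptions not stated on the page: an unavailable server is skipped under
    either policy, Simple Failover returns to the primary when it comes back,
    and a sticky session whose server went down is placed afresh.
    """

    def __init__(self, servers, policy="failover", sticky=True):
        if policy not in ("failover", "round_robin"):
            raise ValueError(f"unknown policy {policy!r}")
        self.servers = list(servers)      # list order is priority; [0] is the primary
        self.policy = policy
        self.sticky = sticky
        self.down = set()
        self._rotation = itertools.cycle(self.servers)
        self._sessions = {}               # session id -> server it is pinned to

    def mark_down(self, server):
        self.down.add(server)

    def mark_up(self, server):
        self.down.discard(server)

    def _select(self):
        available = [s for s in self.servers if s not in self.down]
        if not available:
            raise RuntimeError("no web server in the group is available")
        if self.policy == "failover":
            return available[0]
        for _ in range(len(self.servers)):       # advance the cycle, skipping down members
            candidate = next(self._rotation)
            if candidate not in self.down:
                return candidate
        raise AssertionError("unreachable: an available server exists")

    def route(self, session_id):
        """Return the web server that serves this request."""
        if self.sticky:
            pinned = self._sessions.get(session_id)
            if pinned is not None and pinned not in self.down:
                return pinned
        chosen = self._select()
        if self.sticky:
            self._sessions[session_id] = chosen
        return chosen


def trace(group, session_ids):
    """Route a sequence of requests and return the server chosen for each."""
    return [group.route(sid) for sid in session_ids]


if __name__ == "__main__":
    # Constructed walk-through: three servers, primary goes down and comes back.
    for policy in ("failover", "round_robin"):
        group = WebServerGroup(["ws1", "ws2", "ws3"], policy=policy, sticky=True)
        print(policy, trace(group, ["A", "B", "A", "C"]), end=" ")
        group.mark_down("ws1")
        print("ws1 down:", trace(group, ["A", "B"]), end=" ")
        group.mark_up("ws1")
        print("ws1 back:", trace(group, ["A", "D"]))
```

The model shows why stickiness matters for applications that keep session state on the web server: with Round Robin and stickiness disabled, consecutive requests of one session land on different servers, and a session that was pinned to a server that fails is re-placed, which on a real deployment means the user's server-side state on the failed server is lost.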