Forum Discussion

Michael_Koyfma1's avatar
Michael_Koyfma1
Icon for Cirrus rankCirrus
Jul 14, 2011

Optimizing application delivery with F5 Secure ICA proxy

F5's Secure ICA proxy solution on APM/EDGE is over a year old now, and has been successfully deployed at many of our customers. Besides the simplicity and ease of administration it provides, F5 customers are looking for more value and want to make sure that the solution they implement can provide the fastest deliver of Citrix XenApp and XenDesktop to the remote users.

In one scenario, we've found that leveraging the following TCP profile on the APM ICA proxy virtual can drastically improve performance of applications where large data transfers are happening between the client and the XenApp/XenDesktop farm. This profile was tested in a typical WAN scenario with client connecting over T1 on a 200 ms link with 0.5-1% packet loss. In this scenario, F5 ICA proxy was able to maintain almost full bandwidth throughput(close to 1.5 Mbits/sec on the ICA connection, which was more than 2x improvement over throughput with regular TCP stack.

This is the snippet of the TCP profile configuration from bigip.conf

profile tcp optimized_xenapp_wan {
   defaults from tcp-lan-optimized
   reset on timeout enable
   time wait recycle enable
   delayed acks disable
   proxy mss disable
   proxy options disable
   deferred accept disable
   selective acks disable
   dsack disable
   ecn disable
   limited transmit disable
   rfc1323 disable
   slow start disable
   bandwidth delay disable
   nagle disable
   abc enable
   ack on push enable
   verified accept disable
   pkt loss ignore rate 0
   pkt loss ignore burst 0
   md5 sign disable
   cmetrics cache enable
   md5 sign passphrase none
   proxy buffer low 98304
   proxy buffer high 131072
   idle timeout 300
   time wait 2000
   fin wait 5
   close wait 5
   send buffer 65535
   recv window 65535
   keep alive interval 1800
   max retrans syn 4
   max retrans 8
   ip tos 0
   link qos 0
   congestion control scalable
   zero window timeout 20000
}

If you are running or deploying F5 Secure ICA proxy solution, we encourage you to try this tcp profile and see if it improves ICA performance in your environment as well. Any and all feedback will also be greatly appreciated.

citrix
partner
  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Sep 11, 2013

    Hi Michael,

     

    Which software version was that snippet pulled from? Loading it into 11.3.0 hf6 had a few differences.

     

    Also, it would be great to have a version ready to drop into the tmsh shell.

     

    Thanks! Looking forward to testing these settings.

     

  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Sep 11, 2013

    The profile is automatically created and assigned by the latest iApp available here:

     

    https://devcentral.f5.com/wiki/iapp.Citrix-VDI-v1-1-0.ashx

     

    That snippet was done on 10.2.x, and the iApp will create our latest best optimized TCP settings on 11.3.