Manual Chapter : Integrating APM with Citrix XML Brokers

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.1, 16.0.0, 15.1.0
Manual Chapter

Integrating APM with Citrix XML Brokers

Overview: Integrating APM with Citrix XML Brokers with SmartAccess support

In this implementation, you integrate Access Policy Manager
®
(APM
®
) with Citrix XML Brokers and present Citrix published applications on an APM dynamic webtop.
APM integration with Citrix XML Brokers
  1. A user (client browser or Citrix Receiver) requests access to applications.
  2. The virtual server starts an access policy that performs authentication and sets SmartAccess filters.
  3. The virtual server sends the authenticated request and filters to a Citrix XML Broker.
  4. An XML Broker returns a list of allowed applications to the external virtual server.
  5. The virtual server renders and displays the user interface to the client on an Access Policy Manager webtop.

Supported authentication

For Citrix Receiver Windows and Linux clients: only Active Directory authentication is supported.
For Citrix Receiver clients for iOS, Android, and Mac: Active Directory, or both RSA and Active Directory authentication is supported.
For web clients, you are not restricted in the type of authentication you use.

About APM dynamic webtop for Citrix XML Brokers

A dynamic webtop enables Access Policy Manager
®
(APM
®
) to act as a presentation layer for Citrix published resources. APM communicates directly with Citrix XML Brokers, retrieves a list of published resources, and displays them to the user on a dynamic webtop.
The addresses of XML Brokers are configured in pools on APM. A pool includes addresses from one Citrix farm. You specify a pool as a destination in a Citrix remote desktop resource. Each resource logically represents a Citrix farm. You can assign multiple resources to a user, enabling the user to access Citrix applications from multiple Citrix farms.

About Client Type

The Client Type action determines whether the client is using a full browser, the BIG-IP
®
Edge Client, or another client to access the Access Policy Manager
®
(APM
®
). This action makes it possible to specify different actions for different client types in one access policy and, as a result, to use one virtual server for traffic from different client types. This figure shows the Client Type action as it looks when first added to an access policy.
Client Type
By default, the Client Type action includes these branches:
Edge Portal
Indicates that the user is connecting with the BIG-IP
®
Edge Portal
®
mobile app.
Edge Client
Indicates that the user is connecting with the BIG-IP
®
Edge Client
®
or BIG-IP Edge Client app, supported on multiple devices and operating systems.
Citrix Receiver
Indicates that the user is connecting using a later Citrix Receiver client.
Citrix Receiver (legacy)
Indicates that the user is connecting using an earlier Citrix Receiver client (identified with PN Agent).
VMware View
Indicates that the user is connecting using a VMware Horizon View client.
Full or Mobile Browser
Indicates the user is connecting with a Windows web browser or a mobile browser.
Windows Inbox F5 VPN Client
Indicates the user is connecting using the Windows Inbox F5 VPN client.
fallback
Indicates the user is connecting with another method.
APM supports the client types on multiple operating systems. Refer to AskF5™ (support.f5.com) to look up the supported operating systems and versions in the compatibility matrix for your version of APM.
Note: To create additional branching for a client type based on operating system, you can add a client operating system (Client OS) action on the client type branch.

About Citrix client bundles in APM

A Citrix client bundle enables delivery of a Citrix Receiver client to a user's Windows computer when a client is not currently installed, or when a newer client is available. Access Policy Manager
®
(APM
®
) detects whether the Citrix Receiver client is present and redirects users to a download URL, or downloads a Citrix Receiver client that you have uploaded.
In Access Policy Manager, you specify the Citrix client bundle in a connectivity profile. By default, a connectivity profile includes the default Citrix bundle, /Common/default-citrix-client-bundle, which contains a download URL, receiver.citrix.com.
Note: You can upload Citrix Receiver clients from the Application Access area of Access Policy Manager.

About APM SSO support for Citrix clients

Access Policy Manager
®
(APM
®
) supports two single sign-on options for Citrix that provide password-less authentication:
  • Kerberos - Supports any kind of password-less authentication on APM: SmartCard, RSA PIN, client SSL certificate, and so on. Citrix supports Kerberos only for XenApp.
  • SmartCard - Citrix supports SmartCard for XenDesktop. Citrix also supports SmartCard for XenApp.Note: When using SmartCard with XenApp, a user is prompted for a SmartCard PIN twice: once when logging in to APM and again when starting a Citrix application.
These options work in APM only when:
  • Citrix is configured to support SmartCard SSO (with Kerberos) or SmartCard.
  • Citrix requirements for using SmartCard SSO or SmartCard are met.

About the iApp for Citrix integration with APM

An iApps
®
template is available for configuring Access Policy Manager
®
and Local Traffic Manager™ to integrate with Citrix applications. The template can be used on the BIG-IP
®
system to create an application service that is capable of performing complex configurations. You can download the template from the F5
®
DevCentral™ iApp Codeshare wiki at https://devcentral.f5.com/wiki/iApp.Citrix-Applications.ashx. A deployment guide is also available there.

Task summary for XML Broker integration with APM

Ensure that you configure the Citrix components in the Citrix environment, in addition to configuring the BIG-IP
®
system to integrate with Citrix XML Brokers.
Perform these tasks on the BIG-IP system so that Access Policy Manager
®
can present Citrix published resources on a dynamic webtop.
Task List

Creating a pool of Citrix XML Brokers

Create one pool of XML Brokers for each Citrix farm that you want to support.
  1. On the Main tab, click
    Local Traffic
    >
    Pools
    .The Pool List screen opens.
  2. Click
    Create
    .The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. In the Resources area, using the
    New Members
    setting, add each resource that you want to include in the pool:
    1. Either type an IP address in the
      Address
      field, or select a preexisting node address from the
      Node List
      .
    2. If access to the XML Broker is through SSL, in the
      Service Port
      field, type
      443
      or select
      HTTPS
      from the list; otherwise, type
      80
      or select
      HTTP
      from the list.
    3. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.

Configuring a Citrix remote desktop resource

Create one Citrix remote desktop resource for each Citrix farm that you want to support.
  1. On the Main tab, click
    Access Policy
    >
    Application Access
    >
    Remote Desktops
    >
    Remote Desktops List
    .The Remote Desktops list opens.
  2. Click
    Create
    .The New Resource screen opens.
  3. Type a name for the remote desktop resource.
  4. For the
    Type
    setting, retain the default
    Citrix
    .
  5. For the
    Destination
    setting, select
    Pool
    and select the pool that you created previously.
  6. In the Single Sign-On area, select the
    Enable SSO
    check box for single sign-on to a Citrix XML Broker after logging in to Access Policy Manager
    ®
    (APM
    ®
    ).
    1. From the
      SSO Method
      list, select the type of single sign-on to use, either Password-based, Kerberos, SmartCard, or Anonymous.The Kerberos and SmartCard options enable password-less authentication. You cannot use either of them successfully unless Citrix is configured for SmartCard SSO (Kerberos) or SmartCard.The fields that are displayed vary based on this selection.
    2. In the
      Username Source
      field, accept the default or type the session variable to use as the source for the SSO user name.
    3. In the
      Password Source
      field, accept the default or type the session variable to use as the source for the SSO user password.
    4. In the
      Domain Source
      field, accept the default or type the session variable to use as the source for the SSO user domain.
    5. From the
      Kerberos SSO
      list, select a Kerberos SSO configuration that has already been configured.
  7. In the Customization Settings for language_name area, type a
    Caption
    .The caption is the display name of the Citrix resource on the APM webtop.
  8. Click
    Finished
    .All other parameters are optional.
This creates the Citrix remote desktop resource.

Configuring a dynamic webtop

A dynamic webtop allows you to see a variety of resources protected by Access Policy Manager
®
, including Citrix Published Applications.
  1. On the Main tab, click
    Access Policy
    >
    Webtops
    .The Webtops screen displays.
  2. Click
    Create
    .The New Webtop screen opens.
  3. In the
    Name
    field, type a name for the webtop.
  4. From the
    Type
    list, select
    Full
    .The Configuration area displays with additional settings configured at default values.
  5. Click
    Finished
    .
The webtop is now configured, and appears in the webtop list.

Creating an access policy for Citrix SSO (APM dynamic webtop)

Before you can create an access policy for Citrix single sign-on (SSO), you must meet these requirements:
  • Configure the appropriate AAA servers to use for authentication.
    An Active Directory AAA server must include the IP address of the domain controller and the FQDN of the Windows domain name. If anonymous binding to Active Directory is not allowed in your environment, you must provide the admin name and password for the Active Directory AAA server.
  • Create an access profile using default settings.
You configure an access policy to authenticate a user and enable single sign-on (SSO) to Citrix published resources.
APM
®
supports different types of authentication depending on the client type. This access policy shows how to use the Client Type action to configure authentication for legacy Citrix Receiver clients (Windows and Linux), and later Citrix Receiver clients (iOS, Mac, and Android) in the same access policy.
  1. On the Main tab, click
    Access Policy
    >
    Access Profiles
    .The Access Profiles List screen opens.
  2. In the Access Policy column, click the
    Edit
    link for the access profile you want to configure.The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    icon anywhere in the access policy to add a new action item.
    Note:
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type
    client
    in the search field, and select
    Client Type
    from the results.A properties screen displays.
  5. Click
    Save
    .
  6. On the properties screen, on the Logon tab, select an access policy as appropriate:
    • Logon Page
      : Specify this if you allow one-factor password authentication with a single logon prompt containing one password field.
    • Citrix Logon Prompt
      : Specify this if you allow two-factor password authentication with a single logon prompt containing two password fields.
  7. Click
    Save
    .The properties screen closes, and the Client Type action and Logon action displays in the visual policy editor.
  8. To configure actions for Citrix Receiver for Windows and Linux clients, perform these substeps.
    Note:
    Citrix Receiver for Windows version 3.4 and later, and Citrix Receiver for Linux, version 13 and later, support Active Directory authentication only.
    1. Click the (
      +
      ) icon on the Citrix Receiver (legacy) branch after the Client Type action.
    2. On the Logon tab, select either
      Logon Page
      or
      Citrix Logon Prompt
      , and click
      Add Item
      .A properties screen displays. The default page settings are acceptable.
    3. Click
      Save
      .
    4. After the Logon Page action, add an SSO Credential Mapping action with default settings.
    5. After the SSO Credential Mapping action, click the (
      +
      ) icon.
    6. Type
      var
      into the search field, select
      Variable Assign
      from the results, and click
      Add Item
      .Use the Variable Assign action to pass the domain name for the Citrix remote desktop resource so that a user is not repeatedly queried for it.A properties screen opens.
    7. Click
      Add new entry
      .An
      empty
      entry appears in the Assignment table.
    8. Click the
      change
      link next to the empty entry.A dialog box opens, where you can enter a variable and an expression.
    9. From the left-side list, retain the
      Custom Variable
      setting, and type
      session.logon.last.domain
      .
    10. From the right-side list, retain the
      Custom Expression
      setting, and type
      expr {"example.com"}
      to assign the domain name for the Citrix remote desktop resource (where
      example.com
      is the domain name of the resource).The Citrix remote desktop resource equates to an XML Broker that is selected from a pool.
    11. Click
      Finished
      .
    12. Click
      Save
      .
    13. After the previous action, click the
      Deny
      ending, and select the
      Allow
      ending.
    The access policy branch for legacy Citrix Receiver clients is complete.
  9. To configure actions for Citrix Receiver for iOS, Android, and Mac, complete the remaining steps.Citrix Receiver for iOS, Android, and Mac, support both RSA SecurID and AD Auth authentication. This example shows how to use both.
  10. After the Client Type action, on the Citrix Receiver branch, click the (
    +
    ) icon.
  11. On the Logon tab, select either
    Logon Page
    , and click
    Add Item
    .
  12. Customize the Logon Page to accept an RSA token and an Active Directory password:
    1. In row 2: From the
      Type
      list, select
      password
      ; in the
      Post Variable Name
      field, type
      password1
      ; in the
      Session Variable Name
      field, type
      password1
      .APM stores the text that a user types into this field in the session.logon.last.password1 session variable.You have added another password field to the logon page.
    2. In
      Login Page Input Field #2
      , type
      Password
      .You replaced the existing prompt for the first password field.
    3. In
      Login Page Input Field #3
      , type
      Passcode
      .You provided a prompt for the second password field.
  13. To add RSA SecurID authentication, click the plus (
    +
    ) icon between
    Logon Page
    and
    Deny
    :
    1. Type
      rsa
      in the search field, select
      RSA SecurID
      from the results, and click
      Add Item
      .
    2. From the
      Server
      list, select the AAA RSA SecurID server that you created previously and click
      Save
      .The properties screen closes.
    3. After the RSA SecurID action, add a Variable Assign action.Use the Variable Assign action to move the AD password into the session.logon.last.password session variable; the authentication agent requires this.A Variable Assign properties page opens.
    4. Click
      Add new entry
      .An
      empty
      entry appears in the Assignment table.
    5. Click the
      change
      link next to the empty entry.A dialog box opens, where you can enter a variable and an expression.
    6. From the left-side list, retain the
      Custom Variable
      setting, and type
      session.logon.last.password
      .
    7. From the right-side list, retain the
      Custom Expression
      setting, and type
      expr { "[mcget -secure session.logon.last.password1]" }
      . For two-factor authentication, type
      expr {[mcget {session.logon.last.password1}]}
      .
    8. Click
      Finished
      to save the variable and expression, and return to the Variable Assign action screen.
    9. Click
      Save
      .
  14. After the previous action, add an AD Auth action and configure properties for it:
    1. From the
      AAA Server
      list, select the AAA server that you created previously.
    2. If you are using Android Citrix receiver with a disabled session ID rotation in APM, you must set
      Max Logon Attempts
      to
      1
      .
    3. Configure the rest of the properties as applicable to your configuration, and click
      Save
      .
  15. Click the Add Item (
    +
    ) icon between
    AD Auth
    and
    Deny
    .
    1. On the Assignment tab, select
      SSO Credential Mapping
      , and click
      Add Item
      .
    2. Click
      Save
      .
    The SSO Credential Mapping makes the information from the session.logon.last.password variable available for Citrix SSO.
  16. Add a Variable Assign action after the SSO Credential Mapping action.Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it.
    1. Click
      Add new entry
      .An
      empty
      entry appears in the Assignment table.
    2. Click the
      change
      link next to the empty entry.A dialog box opens, where you can enter a variable and an expression.
    3. From the left-side list, select
      Custom Variable
      (the default), and type
      session.logon.last.domain
      .
    4. From the right-side list, select
      Custom Expression
      (the default), and type an expression
      expr {"example.com"}
      .
    5. Click
      Finished
      to save the variable and expression, and return to the Variable Assign action screen.
  17. On the fallback path between the last action and
    Deny
    , click
    Deny
    , and then click
    Allow
    and
    Save
    .The access policy branch for the Citrix Receiver client type is complete.
  18. Click the
    Apply Access Policy
    link to apply and activate the changes to the access policy.
  19. Click
    Close
    .
You should have an access policy that contains actions for both Citrix Receiver client types.
Example access policy for legacy Citrix Receiver clients and later Citrix Receiver clients
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Assigning Citrix resources to an access policy for Citrix integration

Before you assign Citrix resources to an access policy for integration, create or select an access profile, and open the associated access policy for edit.Assign the webtop and Citrix remote desktop resources that you configured to a session so that XML Brokers associated with the resources can return the appropriate published resources for display on the webtop.
This access policy shows how to use the Advanced Resource Assign action item to assign the resources. Alternatively, you can use the Resource Assign and Webtop, Links and Sections Assign action items.
  1. Click the
    (+)
    icon anywhere in the access policy to add a new action item.
    Note:
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  2. On the Assignment tab, select
    Advanced Resource Assign
    and click
    Add Item
    .The properties screen opens.
  3. Click
    Add new entry
    .An
    Empty
    entry displays.
  4. Click the
    Add/Delete
    link below the entry.The screen changes to display resources that you can add and delete.
  5. Select the Remote Desktop tab.A list of remote desktop resources is displayed.
  6. Select Citrix remote desktop resources and click
    Update
    .You are returned to the properties screen where Remote Desktop and the names of the selected resources are displayed.
  7. Click
    Add new entry
    .An
    Empty
    entry displays.
  8. Click the
    Add/Delete
    link below the entry.The screen changes to display resources that you can add and delete.
  9. Select the Webtop tab.A list of webtops is displayed.
  10. Select a webtop and click
    Update
    .The screen changes to display properties and the name of the selected webtop is displayed.
  11. Select
    Save
    to save any changes and return to the access policy.
Citrix remote desktop resource and an Access Policy Manager
®
(APM
®
) dynamic webtop, are now assigned to the session.

Adding Citrix Smart Access actions to an access policy

To perform this task, first select the access profile you created previously, and open the associated access policy for edit.You can set one or more filters per Citrix Smart Access action. If you include multiple Citrix Smart Access actions in an access policy, Access Policy Manager accumulates the SmartAccess filters that are set throughout the access policy operation.
  1. Click the(
    +
    ) icon anywhere in your access profile to which you want to add the Citrix Smart Access action item.The Add Item screen opens.
  2. From
    General Purpose
    , select
    Citrix Smart Access
    and click
    Add Item
    .The Variable Assign: Citrix Smart Access properties screen opens.
  3. Type the name of a Citrix SmartAccess filter in the open row under Assignment.A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp™ server for application access control or a user policy.
    In the XenApp server, you must specify
    APM
    as the Access Gateway farm when you configure filters.
  4. To add another filter, click
    Add entry
    and type the name of a Citrix filter in the open row under Assignment.
  5. When you are done adding filters, click
    Save
    to return to the Access Policy.
  6. Click the
    Apply Access Policy
    link to apply and activate the changes to the access policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Example access policy with Citrix SmartAccess filters

Here is a typical example access policy that uses Citrix SmartAccess filters to restrict access to published applications based on the result of client inspection. Client inspection can be as simple as IP Geolocation Match or Antivirus. The figure shows an access policy being configured with a Citrix Smart Access action to set a filter to
antivirus
after an antivirus check is successful.
Example access policy with Citrix SmartAccess action and an antivirus check

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Access Policy
    >
    Access Profiles
    .The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.The properties screen opens.
  3. On the menu bar, click
    Logs
    .The access profile log settings display.
  4. Move log settings between the
    Available
    and
    Selected
    lists.You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note:
    Logging is disabled when the
    Selected
    list is empty.
  5. Click
    Update
    .
An access profile is in effect when it is assigned to a virtual server.

Adding a connectivity profile

Create a connectivity profile to configure client connections for Citrix remote access.
Note:
A Citrix client bundle provides an installable Citrix Receiver client. The default parent connectivity profile includes a default Citrix client bundle.
  1. On the Main tab, click
    Access Policy
    >
    Secure Connectivity
    .A list of connectivity profiles displays.
  2. Click
    Add
    .The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a
    Profile Name
    for the connectivity profile.
  4. From the
    Parent Profile
    list, select the default profile,
    connectivity
    .
  5. To use a Citrix bundle that you have configured, select
    Citrix Client Settings
    from the left pane and select the bundle from the
    Citrix Client Bundle
    list in the right pane.The default Citrix client bundle is included if you do not perform this step.
  6. Click
    OK
    .The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the Connectivity Profile List.

Adding Citrix Receiver for HTML5 to a connectivity profile

Download the Citrix Receiver for HTML5 from the Citrix website.You add Citrix Receiver for HTML5 to a Citrix bundle and add the bundle to a connectivity profile so that APM
®
can deliver Citrix Receiver for HTML5 to clients.
  1. From the command line, type
    msiexec /a filepath to MSI file /qb TARGETDIR=filepath to target folder
    .
  2. On the Main tab, click
    Access Policy
    >
    Application Access
    >
    Remote Desktops
    >
    Citrix Client Bundles
    .
    1. In the
      Name
      field, type a name that includes
      html5
      .
    2. From the
      Source
      list, select
      Windows Package File
      .
    3. Click
      Choose File
      and upload the file ./Citrix/HTML5 Management/HTML5Client.zip.
  3. On the Main tab, click
    Access Policy
    >
    Secure Connectivity
    .
    1. Click the
      Connectivity Profile List
      tab.
    2. Select the connectivity profile you want to update.
    3. Click
      Edit Profile
      .A popup screen opens.
    4. Click
      Citrix Client Settings
      .
    5. From the
      Citrix Client Bundle
      list, select the bundle with
      html5
      in its name.
  4. On the Main tab, click
    Access Policy
    >
    Hosted Content
    >
    Manage Profile Access
    .
    1. Click the checkbox next to the Access Profile that is associated with the Citrix Virtual Server.
    2. Click
      OK
      .
The Citrix Receiver for HTML5 is included in a bundle with a particular connectivity profile.To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Creating a virtual server to support Citrix web and mobile clients

This virtual server supports Citrix traffic and responds to web and mobile client requests.
  1. On the Main tab, click
    Local Traffic
    >
    Virtual Servers
    .The Virtual Server List screen opens.
  2. Click the
    Create
    button.The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address
    field, type the IP address for a host virtual server.This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the
    Service Port
    field, type
    443
    or select
    HTTPS
    from the list.
  6. From the
    Configuration
    list, select
    Advanced
    .
  7. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select an SSL profile with an SSL certificate that the clients trust, and use the Move button to move the name to the
    Selected
    list.
  8. If access to XML Brokers requires SSL, then for the SSL Profile (Server) setting, select an SSL profile.
  9. From the
    Source Address Translation
    list, select
    Auto Map
    .
  10. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  11. In the Access Policy area, from the
    Connectivity Profile
    list, select the connectivity profile.
  12. From the
    VDI Profile
    list, select a VDI profile.You can select the default profile,
    vdi
    .
  13. Click
    Finished
    .
The access policy is now associated with the virtual server.

Overview: Giving APM users time to enter a Smart Card PIN

If you have configured Access Policy Manager
®
for smart card authentication and your users cannot enter a PIN before the SSL handshake times out, they can experience problems such as browser failure or errors because the BIG-IP
®
system sends a TCP reset after the SSL handshake times out. You can mitigate this problem by increasing the handshake timeout in the client SSL profile.

Updating the handshake timeout in a Client SSL profile

By default, a client SSL profile provides a 10-second SSL handshake timeout. You might need to modify the timeout to give users more or less time for the SSL handshake to complete.
  1. On the Main tab, click
    Local Traffic
    >
    Profiles
    >
    SSL
    >
    Client
    .The Client profile list screen opens.
  2. In the Name column, click the name of the profile you want to modify.
  3. From the
    Configuration
    list, select
    Advanced
    .
  4. Scroll down to
    Handshake Timeout
    and select the
    Custom
    check box.Additional settings become available.
  5. To limit the timeout to a number of seconds, select
    Specify
    from the list, and type the desired number in the
    seconds
    field.In the list, the value
    Indefinite
    specifies that the system continue trying to establish a connection for an unlimited time. If you select
    Indefinite
    , the
    seconds
    field is no longer available.
  6. Click
    Update
    .