Sophos slows down Citrix logon on Windows Embedded Thin Clients

Hi,

We have a few different types of Thin Clients running Windows XP Embedded or Windows 7 Embedded (HP t5730/5740/t510).

All of them have Sophos Endpoint Security and Control installed as virus scanner (no firewall), because they are in fact Windows machines and thus infectable.

The Thin Clients are not part of our domain and connect to our central Endpoint server to get their AV updates etc.

The HP Write Filter is turned off.

When the Thin Clients are started they auto-logon as User and provide the user with a menu (RES Subscriber) to start a Citrix session (RES Workspace Manager 2012 desktop) on one of our Windows 2008 R2 Terminal Servers.

Lately we've noticed a difference in logon times between those Thin Clients and our regular PC's (which are also protected by Sophos and start their Citrix session in the same way), especially from a cold boot:

Thin Client with Windows Embedded (XP or 7):

- User turns on Thin Client, it boots Windows Embedded and automatically logs on as User.

- Once the RES Subscriber menu is shown the user clicks "Start Desktop" and then has to wait about 1 minute before the logon screen of the Terminal Server is shown and the user can actually log on. ("Start Desktop" launches the ICA Client that connects to a published desktop)

PC with Windows (XP or 7):

- User turns on PC, it boots Windows.

- User logs on to PC and sees the RES Subscriber menu.

- User clicks "Start Desktop" and immediately starts logging on to the Terminal Server (pass-through logon).

When we stop and disable all Sophos services on the Thin Client the waiting after a cold boot is suddenly reduced from 1 minute to 5 seconds! (which is a fair time to launch the ICA Client and connect to a published application)

We've tried this on a few different locations and the result is always the same: the logon process is much faster and even the Citrix session seems to be a lot more stable without Sophos running on the TC. (users that complained about strange slowdowns during work hours now have no problems at all)

For us (the IT dept.) this explains why users were complaining about slow logon times and we couldn't replicate this on our machines (because we only tested by starting a Citrix session with their credentials).

The logon times on remote offices are much longer than in our main office (where the Endpoint server is), so it seems to have something to do with connecting to the Endpoint server after booting. Lines to remote offices are 10/30/100mb fiber.

The Thin Clients have the same AV policy as our regular PC's (On-access on Read and scan for Adware/PUA/Suspicious files)

Their hardware is a little less powerful than a regular PC (the HP t510 Thin Client is our latest model with a dualcore VIA Eden X2 U4200 1Ghz and 2GB 1066 Mhz DDR3 RAM), but should still be sufficient.

Of course we don't want to leave our Thin Clients unprotected, so I was wondering if there might be a setting that causes this behaviour so we can fix it without leaving our TC's unprotected.

Thanks in advance!

Regards,

Jeroen

:39025


This thread was automatically locked due to age.
  • Cannot find the Edit option, so here's some more info:

    Last week we tested some more with the Thin Clients and the problem also occurs in our main office (where the CID is), so I was mistaken about that.

    I've also tested if this was credentials-related (the TC's get their updates from the CID with provided domain credentials from a serviceaccount) by creating a non-domain server with a share that's available to anonymous users (so without credentials) and configuring the TC's to get their updates from that server/share. This made no difference in startup time.

    I've also tested without the RES Subscriber menu:

    Starting up takes just as long, but the difference is that the users just see the Windows Welcome screen about 20 seconds longer and when the taskbar and desktop are shown it takes about 30 seconds to start any Windows application (Subscriber replaces the Windows Explorer shell and apparently immediately shows its menu after logon even when Windows is not done loading other stuff). After the initial 50-second slowdown programs are started immediately.

    Again: with all Sophos services disabled this only takes a few seconds.

    Another test was excluding the ICA Client cache folder (%appdata%\ICAClient\Cache) from on-access scans. This seemed to improve the stability of the Citrix session, but didn't fix the startup delay.

    :39157
  • I'm seeing some odd effects related to Sophos Web Intelligence Service - try disabling just that one service, reboot the thin client and see if that still is an improvement.

    :39217
  • Sorry I forgot to mention that we already tested disabling the separate services, the culprit seems to be the Anti-Virus service (SAVService).

    I've disabled the webintelligence service before (because of incompatibility with the ISA Client) and it got automatically enabled again with the next software update.

    Thanks for the info though!

    :39221
  • Also tested by removing the network version and installing the standalone version (even installed 10.2 while our other systems are on 10.0.10), this shows the same behaviour in startup delay.

    :39233
  • Hi,

    Can you please raise a case with support on this:

    http://www.sophos.com/en-us/support/contact-support/contact-information.aspx

    The simple answer is that there should be no noticeable slowdown on these systems. From what you've said so far, I'd suspect an interaction between our software and some other 3rd-party software on the server, so we're going to need to look over the installed software on there and get some detailed logs from the server while Sophos is active.

    :39239
  • Hello,

    Could you send feedback after you solve the problem? I am also trying to enhance Citrix session logon time.

    Regards

    :39421
  • Already created a case through our reseller.

    So far I've tried the following:

    - exclude more folders from on-access scanning

    - disable the first update after booting (http://www.sophos.com/en-us/support/knowledgebase/27646.aspx)

    without positive results...

    :39423
  • Hello,

    Thanks for the reply. Could you give me the list of your exclusions?

    Mine are:

    Citrix specifics:

    c:\Progra~1\Citrix\
    C:\Program Files\Citrix\
    C:\WINDOWS\system32\spool\PRINTERS\

    + Windows recommended:

    c:\pagefile.sys
    C:\WINDOWS\SoftwareDistribution\DataStore\
    C:\WINDOWS\security\Database\
    C:\WINDOWS\system32\GroupPolicy\
    C:\Documents and Settings\All Users\ntuser.pol

    :39477
  • Current exclusions for our thin client policy (some added on Sophos advice):

    %AppData%\ICAClient\Cache\*
    *.dmp
    *.ldb
    *.mdb
    *.mdw
    C:\Documents and Settings\User\Application Data\ICAClient\Cache\
    C:\Program Files (x86)\Citrix\
    C:\Program Files\Citrix\
    C:\System Volume Information\DFSR\
    C:\Users\User\AppData\Roaming\ICAClient\Cache\
    C:\WINDOWS\Ntds\
    C:\WINDOWS\Ntfrs\
    C:\WINDOWS\Security\Database\
    C:\WINDOWS\SoftwareDistribution\
    C:\WINDOWS\System32\DHCP\
    C:\WINDOWS\System32\Dns\
    C:\WINDOWS\System32\GroupPolicy\
    C:\WINDOWS\system32\msvbvm60.dll
    C:\WINDOWS\system32\spool\
    C:\WINDOWS\System32\Wins\
    C:\WINDOWS\Sysvol\Staging areas\
    C:\WINDOWS\Sysvol\Sysvol\
    Edb.chk
    Ntfrs.jdb
    pagefile.sys
    Tmp.edb

    :39481
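
Added example (not from any poster and not Sophos tooling): a Python triage of the thin-client exclusion list in the last post, grouping entries by how much on-access coverage each one gives up. The category names and matching rules are assumptions made for illustration; the server-role directory names (Ntds, Ntfrs, Sysvol, DFSR, DHCP, Dns, Wins) belong to domain-controller and infrastructure-server roles, which the non-domain thin clients described in the thread do not run.

```python
# Added example: triage of the thin-client exclusion list quoted in the thread.
# Category names and matching rules are assumptions made for this illustration.
from collections import defaultdict

# Entries copied from the last post; "|" separates them to keep the block short.
POLICY = r"""%AppData%\ICAClient\Cache\*|*.dmp|*.ldb|*.mdb|*.mdw|
C:\Documents and Settings\User\Application Data\ICAClient\Cache\|
C:\Program Files (x86)\Citrix\|C:\Program Files\Citrix\|
C:\System Volume Information\DFSR\|
C:\Users\User\AppData\Roaming\ICAClient\Cache\|
C:\WINDOWS\Ntds\|C:\WINDOWS\Ntfrs\|C:\WINDOWS\Security\Database\|
C:\WINDOWS\SoftwareDistribution\|C:\WINDOWS\System32\DHCP\|
C:\WINDOWS\System32\Dns\|C:\WINDOWS\System32\GroupPolicy\|
C:\WINDOWS\system32\msvbvm60.dll|C:\WINDOWS\system32\spool\|
C:\WINDOWS\System32\Wins\|C:\WINDOWS\Sysvol\Staging areas\|
C:\WINDOWS\Sysvol\Sysvol\|Edb.chk|Ntfrs.jdb|pagefile.sys|Tmp.edb"""

# Directory names tied to server roles (AD, FRS/DFSR, DHCP, DNS, WINS).
SERVER_DIRS = {"ntds", "ntfrs", "sysvol", "dfsr", "dhcp", "dns", "wins"}
# Roots of per-user profiles on XP-era and Windows 7-era systems.
PROFILE_DIRS = {"users", "documents and settings"}


def classify(entry):
    """Return the coverage category for one exclusion entry."""
    low = entry.lower()
    parts = set(low.split("\\"))
    if low.startswith("*."):
        return "extension-wide"   # skips a file type in every folder
    if "\\" not in low:
        return "name-only"        # not tied to any folder
    if low.startswith("%appdata%") or parts & PROFILE_DIRS:
        return "user-profile"     # location writable by the logged-on user
    if parts & SERVER_DIRS:
        return "server-role"      # role not present on a standalone thin client
    return "fixed-path"           # system or program folder: review individually


def audit(policy=POLICY):
    """Group every exclusion in the policy text by category."""
    groups = defaultdict(list)
    for entry in (e.strip() for e in policy.split("|")):
        if entry:
            groups[classify(entry)].append(entry)
    return dict(groups)


if __name__ == "__main__":
    for category, entries in sorted(audit().items()):
        print(f"{category} ({len(entries)}):", *entries, sep="\n  ")
```

The extension-wide, name-only and user-profile groups are the ones that give up the most coverage, because they match files in locations the logged-on user can write to; the server-role group can be dropped from a thin-client policy without changing scan behaviour.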