Friday, May 11, 2007

Make Your Own Citrix CALs!

It's all about design.

The licensing model has been vastly improved since the days of XP. It's easier and more secure to manage your Citrix licenses. In fact, there used to be a cool utility called TFLKey.exe that would puke up Citrix licenses all day long, including licenses for unlimited servers and connections. You could even activate your existing CALs with it.

Of course, using such a utility violates the license agreement (which I guess you wouldn't really need if you had the tool) and may get you thrown in jail - which is bad because being Bubba's bitch is never fun.

But if it's an architectural design flaw that is a security hole - and you happen to build your environment in such a way that exposes it... is it still illegal? You're not exploiting or in violation of licensing - and all your servers are working normally. Or are you just leveraging an aspect of the product's design in an unconventional way? Hmm.

Consider the following:

Let's say your environment consists of:
- 10 MPS4 servers
- 1 Citrix License Server with 100 CALs installed
- 1000 users

In this scenario, we're going to potentially consume 100 Citrix CALs, but we're going to get our 1000 concurrent users up and running.

How the hell do we do that? We're simply going to leverage the 30-day Citrix Licensing grace period. You see, each of those 10 MPS servers keeps its own running tally of how many CALs are available. So with the license server up and running, you have a max concurrency of 100 users.

Here's where it gets fun.

Kick off all your users and wait a few minutes. At some point, each server will recognize that there are 100 CALs available.

Shut down your license server.

Now you have entered the 30-day grace period, where each server thinks that there are 100 licenses available. And since there's no license server to update as users log on and log off, each server now has the capability to issue 100 CALs.

As long as that license server stays offline (for up to 30 days), you can host all of those 1000 users using only 100 CALs.

Obviously, the way around the 30-day limit is to bring the license server back up every 29 days, for a little while, when no users are online. Once you verify in the event logs on each server that the grace period has been reset, you can take it down again and drive on for another 29 days.

You've just saved your company 315,000 dollars (assuming 350 bucks per CAL).

Is this legal? I honestly don't know... I think it might be a gray area that could be argued either way. Chances are that Citrix can pay for better lawyers than you or me, so I don't suggest doing something like this.

Is it ethical? No, but all that aside, from a technical perspective it is a pretty cool hack.

-CG
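
For an admin or auditor who wants to check whether a farm has drifted into this state, here is an added example (not part of the original post, and not Citrix code) that compares farm-wide peak concurrency with the installed CAL count and with license-server outage windows. It assumes you can export per-server logon/logoff times and license-server down/up times; the record layout, server names and sample data are constructed for illustration.

```python
from datetime import datetime

INSTALLED_CALS = 100  # CALs on the license server in the post's scenario

def peak_concurrency(sessions):
    """Sweep logon/logoff events from every server; return (peak, time of peak)."""
    events = []
    for _server, start, end in sessions:
        events += [(start, 1), (end, -1)]
    events.sort()  # at equal timestamps -1 sorts before +1, so handovers are not double counted
    live = peak = 0
    peak_at = None
    for when, delta in events:
        live += delta
        if live > peak:
            peak, peak_at = live, when
    return peak, peak_at

def audit(sessions, outages, installed=INSTALLED_CALS):
    """Compare farm-wide peak concurrency with installed CALs and license-server outages."""
    peak, peak_at = peak_concurrency(sessions)
    over = peak > installed
    # Over-subscription that coincides with the license server being down is the
    # pattern the post describes: every server issuing from its own cached tally.
    in_outage = over and any(down <= peak_at < up for down, up in outages)
    per_server = {}
    for server, start, end in sessions:
        if peak_at is not None and start <= peak_at < end:
            per_server[server] = per_server.get(server, 0) + 1
    return {"peak": peak, "peak_at": peak_at, "oversubscribed": over,
            "during_license_outage": in_outage, "per_server_at_peak": per_server}

def sample():
    """Constructed data: 3 servers, 60 sessions each, license server down all day."""
    def at(hour):
        return datetime(2007, 5, 11, hour)
    sessions = [(f"MPS{n:02d}", at(9), at(17)) for n in (1, 2, 3) for _ in range(60)]
    outages = [(at(8), at(18))]  # (down, up) window for the license server
    return sessions, outages

if __name__ == "__main__":
    report = audit(*sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data no single server goes above 100 sessions, so a per-server check passes; only the sum across the farm shows the 180 sessions running against 100 CALs.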

4 comments:

Anonymous said...

Yup, pretty cool hack, but I think it's in violation of the Citrix licensing terminology as you're not paying for what you actually use.

Anonymous said...

This is what the MPS-WSXICA_MPS-WSXICA.ini file is all about. Whenever the license server "legitimately" goes offline, whatever the state of the available licenses is gets reflected in this file. This is how many additional licensed connections each server can use. As was stated earlier, each server acts as its own license server.

My question is this: Once the license server does come back online and the servers begin talking to it, what happens to the additional connections that got in? In other words, you have a great chance of being oversubscribed during the time the license server was offline. Do those connections get dropped?

Citrix Guy said...

Good catch, I completely forgot about that file. It's all there in plain text, no less.

With regards to your question, existing sessions don't get dropped, but new connections are refused until the session count drops below what you're actually licensed to use.

Additionally, I'd like to thank our overseas division for volunteering their productivity in the name of research and furthering the search for knowledge in this endeavor.

-CG

Citrix Guy said...

Might be fun to see what happens when you make that file read-only. That would be an interesting bit of whimsy for a sick day.

-CG