Wednesday, October 31, 2007

Edgesight Licensing Hole

Edgesight is a cool product. There's no doubt about it. But why pay for it if you don't have to?

A little history is probably in order..

Edgesight was actually developed by another company called Reflectant. Citrix bought Reflectant as a means to round out their suite of products. Let's face it, Resource Manager is about as useful as loose bowels. Oh sure, it was probably grand back in the days, but it's a dinosaur by modern standards. Hence the need for Citrix to find something to monitor their stuff.

A little known fact is that shortly after acquiring Reflectant, Citrix promptly told most of the other competing vendors (EG Innovations, etc) to go fuck themselves. Citrix is no longer including these vendors in the development process of the Metaframe product suite. Downright bastardly if you ask me, but many of us have seen the big red dot toss its weight around before for no other apparent reason than just to be catty. They refunded their iForum exhibition fees and did a tremendous job in showing their ass.

So anyways, after Citrix purchased reflectant they were in a rush to re-brand the product and get it out there. As is often the case, certain compromises were made with the product conversion for the sake of some deadline. Long story short is that the licensing in 4.0 and 4.2 is not perfect.

It's so imperfect in fact that it is not enforced by the product. Edgesight is licensed by concurrent connection in the same fashion that MPS is. What is supposed to happen is that the product gathers data on the number of users that you are licensed for and then stops once it hits the ceiling. With version 4.0 and 4.2 this doesn't happen. You could be licensed for 10 users and collect data on 10,000. Pretty sweet.

This little bug is fixed in 4.5, which may explain why Citrix is pushing folks so hard to upgrade even though the improvements are somewhat minor in the newer version.

Sometimes the latest and greatest turns out not to be.


Wednesday, October 17, 2007

Free TS CALs Forever!

I've given you a way to get around the Citrix licensing. It's only fair that I illustrate how to give the finger to Microsoft as well.

You'll note from my last entry, that I'm a little pissed at old Billy Gates. So I got to thinking.. As a Citrix engineer, how can I screw Microsoft? Of course the answer is licensing - the same way MS screws us. It's kinda poetic when you think about it.

There's potentially two ways to do this. Both of them are illegal, so you're on your own if you get caught.

User Mode licensing - TS User licensing with Win2003 is something that most Citrix Engineers don't mess with much. The idea is that you set up user level licensing and then you pay for each user who would be accessing a terminal server in your environment. In reality, it works much differently.

You see user level TS licensing is a new feature with Win2k3 server. Unfortunately, it's half baked. If you log on to a terminal server that's running in user licensing mode, it checks to see if there is a TS Licensing server on the network. That's it. If it finds a license server you're in. Money in the bank. So you can have a TS License server set up with only 1 CAL installed, and thousands of users would still be able to connect as long as your Terminal Servers are using user licensing. Nice huh?

Now if you opt to stay with device cals (the older win2k model that most of us are probably familiar with) the solution is a bit more extensive, but is still within reach.

The device CAL is stored on each workstation in the following registry location

If the device tries to connect and doesn't have an entry there, a CAL is issued.. or if no CALs are available - a *temporary* CAL is issued. The temporary CALs expire in 120 days, which is plenty of time to get your users working. The problem of course is that after 120 days they get an error if there are no legitimate device CALs available.

So the way to get around that is to have a TS Licensing server that has a few device CALs installed, but all of them being in use. In this scenario, workstations that connect without a CAL are issued a temporary one. If the temporary CAL is deleted before it expires, it will get another temporary CAL, and so on.

It's the "and so on.." part that we're most concerned with. If you keep deleting the temporary CAL at login, they get a new one the next time they connect. This can be done over and over.

So a simple line or two in the login script to delete the license store (the registry key above) when users logon is enough to keep your entire enterprise running on temporary CALs.

Now go get busy,

TS License Server and the Chamber of Secrets

So here's the scoop. We're retiring our main TS Licensing server and replacing it with a new box. Sounds simple yes? Yeah not so much.

The basic process is this you get on the phone with the MS Licensing Clearinghouse, which is a boiler room operation somewhere overseas, give them a bunch of numbers, and if the stars line up just right, then they give you a bunch of licenses to install.

So after the myriad of mindless voice prompts:
"Please say the operating system you're caling about"

"Windows 2003"

"It sounded like you said Windows XP. Is this correct?"

"I'm sorry, please say the name of the operating .."

"Windows 2003"

"It sounded like you said Windows 2003. Is that correct?"

"Yes. Damn this is a pain"

"Are you calling about licensing for terminal server, licensing for.."

"Yes. Terminal Server"

"I'm sorry. Please say your selection again.."

"Terminal server. Terminal Server! Terminal-fucking-server. What the mickey mouse fuck is your problem? None of your other products even sound remotely like the words 'terminal server'. You blind horse fucking toaster.."

"Transferring you to an operator"

"Mother Fucker!"

---Operator picks up---

[in a very thick indian accent] "Halo and tank you fah callind microsoft lichsing. My name is Bill. How can I assist you today?"

"Your name isn't Bill is it?"

"My name is Bill, yes"

"Seriously, what's your name"

[quietly] "It is.. uh.. Prasheid"

"Uh huh.. you guys in Redmond?"



"Look I need 90 thousand TS device CALs."

"What?" [Noises of the guy shitting a golden and curry scented brick can be faintly heard in the background]

"TS CALs - 90 thousand of em"


"Ninety .. Nine.. zero.. thousand. Nine.. Zero.. Zero..Zero.. Zero."

"Hold on"

[Shitty hold music ensues]

"Sir I can't give you that many licenses."

"Our SA agreement should cover that amount.. what's the problem?"

"I'm not allowed to give you 90 thousand licenses"

"But we paid for that many. How am I supposed to get them?"

"You need to call back."


"I can only grant 9999 per call"

"So I have to call back 9 more times to get the licenses that we paid for?"

"Yes sir"

"That's bullshit."

"I'm sorry?"

"Nevermind.. alright then.. so let go ahead with it.

"Okay sir.."


F-ing rediculous.