Wednesday, October 17, 2007

Free TS CALs Forever!

I've given you a way to get around the Citrix licensing. It's only fair that I illustrate how to give the finger to Microsoft as well.

You'll note from my last entry, that I'm a little pissed at old Billy Gates. So I got to thinking.. As a Citrix engineer, how can I screw Microsoft? Of course the answer is licensing - the same way MS screws us. It's kinda poetic when you think about it.

There's potentially two ways to do this. Both of them are illegal, so you're on your own if you get caught.

User Mode licensing - TS User licensing with Win2003 is something that most Citrix Engineers don't mess with much. The idea is that you set up user level licensing and then you pay for each user who would be accessing a terminal server in your environment. In reality, it works much differently.

You see user level TS licensing is a new feature with Win2k3 server. Unfortunately, it's half baked. If you log on to a terminal server that's running in user licensing mode, it checks to see if there is a TS Licensing server on the network. That's it. If it finds a license server you're in. Money in the bank. So you can have a TS License server set up with only 1 CAL installed, and thousands of users would still be able to connect as long as your Terminal Servers are using user licensing. Nice huh?

Now if you opt to stay with device cals (the older win2k model that most of us are probably familiar with) the solution is a bit more extensive, but is still within reach.

The device CAL is stored on each workstation in the following registry location

If the device tries to connect and doesn't have an entry there, a CAL is issued.. or if no CALs are available - a *temporary* CAL is issued. The temporary CALs expire in 120 days, which is plenty of time to get your users working. The problem of course is that after 120 days they get an error if there are no legitimate device CALs available.

So the way to get around that is to have a TS Licensing server that has a few device CALs installed, but all of them being in use. In this scenario, workstations that connect without a CAL are issued a temporary one. If the temporary CAL is deleted before it expires, it will get another temporary CAL, and so on.

It's the "and so on.." part that we're most concerned with. If you keep deleting the temporary CAL at login, they get a new one the next time they connect. This can be done over and over.

So a simple line or two in the login script to delete the license store (the registry key above) when users logon is enough to keep your entire enterprise running on temporary CALs.

Now go get busy,

No comments: