Category Archives: Remote Access

What Licenses Do I Need….

Earlier this week, I had a long discussion with a client (you know who you are) about what licenses they would need for a deployment of “zero client” devices. We’ve written a lot about Microsoft and Citrix licensing, about XenDesktop and XenApp, about the Citrix trade-up, etc., but it occurred to me that it might be beneficial to pull all the licensing information together into one post instead of expecting you, gentle reader, to have to sort through multiple posts to pull it all together.

So, let’s discuss Citrix licensing first, then move on to the Microsoft licensing.

First of all, if all you want to do is to deploy VDI (Virtual Desktop Infrastructure), and you have a limited number of users, then you should probably purchase VDI-in-a-Box.

If you decide that VDI-in-a-Box is not the right fit foryou, the next question you need to answer is whether to use XenApp licenses or XenDesktop licenses. Beginning with the introduction of XenDesktop v4.0, Citrix concluded, reasonably enough, that an organization that was deploying VDI probably wouldn’t get much leverage from a concurrent-use licensing model, because their concurrency ratio (by which I mean the ratio of total users to concurrent users) would be pretty close to 1:1. So XenDesktop v4.0 was introduced with a per-named-user or per-device license model. These licenses were roughly half the cost of the comparable XenApp concurrent-use license: XenApp Enterprise Edition, for example, carries an MSRP of $450 per concurrent user. XenDesktop Enterprise Edition carries an MSRP of $225 per user/device.

At the same time, Citrix made the decision to include XenApp rights in the XenDesktop license. So if you buy XenApp, you get only XenApp. But if you buy XenDesktop, you get both XenDesktop and XenApp - so you can use XenApp to stream applications to your virtual desktops, or have your virtual desktops function as client devices that run published applications that execute on the XenApp servers, or simply deploy a mixture of XenDesktop and XenApp to your user community depending on what delivery method is best for a particular use case. This is what Citrix refers to as the “FlexCast” delivery model.

This created the interesting situation where, because of the difference in license cost, if your concurrency ratio was less than 2:1, you were better off financially to purchase XenDesktop licenses even if all you really wanted to run was XenApp. And, since delivering what Citrix calls “hosted shared” desktops from XenApp servers makes more efficient use of the underlying hardware and storage infrastructure, the bias should probably be toward XenApp unless there is a clear use case for why users need to connect to individual desktop OS instances rather than a shared XenApp desktop (and it isn’t just appearance, because with XenApp v6.5 on Windows Server 2008 R2 we can deliver a XenApp desktop that looks and feels like a Windows 7 desktop). But, for the sake of this discussion, let’s move on down the XenDesktop trail.

Citrix has re-introduced a concurrent-use license option for XenDesktop, which is a better choice for organizations who want to deploy both XenDesktop and XenApp, but have a concurrency ratio greater than 2:1, but so far, I haven’t seen very many use cases where that license model made sense.

If you already have XenApp licenses, and want the ability to deliver VDI as well, you can take advantage of the Citrix trade-up program to transform your XenApp licenses into XenDesktop licenses. And if you trade up all of your XenApp licenses, you can get two XenDesktop user/device licenses for each XenApp license. So 250 XenApp licenses would become 500 XenDesktop user/device licenses. If you want more information on how the trade-up program works, and what your trade-up options are, check out the handy Citrix Trade-Up Calculator.

As of the release of XenDesktop v5.0 Feature Release 1, the license service got pretty smart in terms of how it managed those user/device licenses. This is good news for, say, a hospital, which may have devices that are used by multiple users and other users who use multiple devices. The license server can intelligently and dynamically reassign licenses between users and devices to make the most efficient use of the available licenses. For example, consider the following scenario for a brand-new environment where no licenses have yet been assigned:

  • User 1 logs on from client Device 1. The license server will, by default, check out a license to User 1.
  • User 1 logs off, and User 2 logs on from the same client device. The license server, now sensing that two different users have logged on from the same device, will take the license that was assigned to User 1, and reassign it to Device 1. Any subsequent users who log in from Device 1 will not cause any action by the license server, because Device 1 is already licensed.
  • If User 1 logs on again from a different client device, the license server will again check out a license to User 1 (so, at this point, two licenses are checked out: one to Device 1 and one to User 1). Since User 1 has logged on from two different devices, the license will remain assigned to User 1 unless/until manually released by an administrator (e.g., in the case of the employee leaving the organization), or unless User 1 doesn’t log on for a period of 90 days, in which case it will be automatically released due to inactivity.
  • Likewise, since two different users have logged on from Device 1, that license will remain assigned to that device unless manually released or automatically released due to 90 days of inactivity.

So…how do you know how many licenses you really need? There is actually a formula that will tell you that. You need to know how many total users you have (let’s call that number “A”), how many shared devices you have (let’s call that “B”), and how many of your users will use only shared devices (let’s call that “C”). The formula is A - C + B. So, if you have 1,000 total users, 300 shared devices, and 600 of your users will use only shared devices, you need 1,000 - 600 + 300 = 700 total licenses.

For more information on exactly how this works, see the Citrix Community Blog post by Christophe Catesson, which in turn links to a recorded session from Synergy 2011 that was a deep dive discussion of XenDesktop licensing.

Now for the Microsoft licensing component.

If you have users who will be executing applications on a XenApp server, you will need a Remote Desktop Services (RDS) CAL for that user, or for the client device that user is using. It is very difficult to manage a mixture of user CALs and device CALs in a Remote Desktop Services environment, so, in most cases, you’re going to be better off purchasing user CALs.

If you have users who will be attaching to a virtual desktop instance, the licensing requirements are different, depending on the client device. If the client device is a Windows PC whose Operation System is covered by Software Assurance, you do not have to purchase any additional Microsoft license to use that PC to connect to a virtual desktop. If the client device is not a Windows PC, or that copy of Windows is not covered by Software Assurance, you need a Virtual Desktop Access (VDA) license for that client device. VDA licenses are only available under the Open Value Subscription license model at present, meaning that you will continue to pay for them every year. Forever.

But wait! That’s not all! As Gabe Knuth outlines in a recent article on, there is a very strange loophole in the VDA license terms. If you have a VDA license for your primary device (or if it’s covered by Software Assurance), you have what Microsoft calls “Extended Roaming Rights,” which allow you to also use your home computer to access your virtual desktop, or use your iPad when you’re at home or traveling. But, technically, it does not entitle you to bring your iPad into the office and use it there! To solve that (using the term “solve” loosely), Microsoft recently announced something called a “Companion Device License” (CDL) which allows you to use up to four other devices (in addition to the primary licensed device) to access your virtual desktop. No word yet on what the CDL will cost.

So let’s see if we can summarize what our client would need for a deployment of “zero client” devices (like, for example, the Wyse Xenith thin client).

  • You’re going to need some kind of Citrix license, either VDI-in-a-Box, XenDesktop, or XenApp.
  • Since the thin client is not a Windows PC, and therefore cannot be covered by Software Assurance, you would need to purchase a Microsoft VDA license for it.
  • If the thin client will be used only to attach to a virtual PC desktop and execute applications within that desktop OS environment, no additional Microsoft license is needed. However, if the thin client will also be used to attach to applications that are executing on a XenApp server - either directly or indirectly by having the Citrix client baked into the virtual PC desktop - you will also need a Microsoft RDS CAL.
  • You do not need an RDS CAL if you are only using XenApp to stream packaged applications to a virtual (or physical, for that matter) desktop for execution there. Since you are not actually utilizing Remote Desktop Services by executing code remotely on a Remote Desktop Server, no RDS CAL is required.
  • If you want to institute a BYOD program, where users can bring whatever client device they wish into the office and use it to access your VDI, you’ll probably need some of the new Microsoft CDL licenses.

If I’ve overlooked anything, feel free to submit questions via comments on this post, and we’ll try to get them answered. Let the discussion begin!

The Future Is Now

I recently discovered a video on “Citrix TV” that does as good a job as I’ve ever seen in presenting the big picture of desktop and application virtualization using XenApp and XenDesktop (which, as we’ve said before, includes XenApp now). The entire video is just over 17 minutes long, which is longer than most videos we’ve posted here (I prefer to keep them under 5 minutes or so), but in that 17 minutes, you’re going to see:

  • How easy it is for a user to install the Citrix Receiver
  • Self-service application delivery
  • Smooth roaming (from a PC to a MacBook)
  • Application streaming for off-line use
  • A XenDesktop virtual desktop following the user from an HP Thin Client…
    • …to an iPad…
    • …as the iPad switches to 3G operation aboard a commuter train…
    • …to a Mac in the home office…
    • …to a Windows multi-touch PC in the kitchen…
    • …to an iPhone on the golf course.
  • And a demo of XenClient to wrap things up.

I remember, a few years ago, sitting through the keynote address at a Citrix conference and watching a similar video on where the technology was headed. But this isn’t smoke and mirrors, and it isn’t a presentation of some future, yet-to-be-released technology. All of this functionality is available now, and it’s all included in a single license model. The future is here. Now.

I think you’ll find that it’s 17 minutes that are well-spent:

First Look at Citrix Access Gateway 5.0

At the recent Synergy Berlin conference, Citrix announced Access Gateway 5.0. We have confirmed that, as of now, 5.0 is available for download from the Citrix download site - both as an update for the CAG 2010 hardware appliance, and in Access Gateway VPX (virtual appliance) format. (Note: you will need a “mycitrix” account to download the software.)

One of the things I really like about 5.0 is that it now supports running two 2010 appliances in an active/passive HA configuration with automatic failover. This was a serious shortcoming of the original CAG appliance.

In earlier versions, if you were using the Access Gateway as a general-purpose SSL VPN, you could configure HA of a sort within the Access Gateway client plug-in, by defining primary and secondary Access Gateways for the client to connect to. However, if you were simply running the Access Gateway in “CSG replacement” mode to connect to a XenApp farm without requiring your users to first establish an SSL/VPN connection, you had no ability to provide automatic failover unless you had some kind of network load balancing device in front of multiple Access Gateway appliances. That meant, of course, that to avoid having the load balancing device become a single point of failure, you had to have some kind of HA functionality there as well. By the time you were done, the price tag had climbed to a level that just didn’t make sense for some smaller deployments.

NOTE: This specifically applies to the 2010 appliance. The CAG Enterprise models, because they are built on the NetScaler hardware platform, have always supported operation as HA pairs with automatic failover. Of course, a CAG MPX 5500 also carries a $9,000 list price, compared to $3,500 for a CAG 2010.

Now, with the release of 5.0, you can purchase two 2010 appliances (which will cost you less than a single MPX 5500), and run them as an active/passive HA pair. Thank you very much, Citrix CAG team!

Here are a couple of videos from Citrix TV. The first deals with how to upgrade an existing CAG 2010 to the 5.0 software using a USB flash drive, and then set up the basic system parameters:

The second video shows how to configure a pair of appliances for active/passive failover:

You can access several other “how-to” videos by going to, and searching on “Access Gateway 5.0.”

Citrix Has Your Back - Again

I just read an interesting blog post over on ZDnet, entitled The Changing Face of IT: Five Trends to Watch. As I read through the article, I was struck by how Citrix solutions can enable IT organizations to deal with these trends. Consider:

  1. The consumerization of IT - “Workers are bringing their own laptops and smartphones into the office and connecting them to corporate systems. More people than ever are telecommuting or working from home for a day or two a week. And, the number of Web-based tools has increased dramatically…”

    Yep. In fact many companies are instituting “BYOPC” (Bring Your Own PC) policies, because in the long run it can be less expensive to give employees a fixed allowance and allow them to buy whatever they want than it is to issue - and maintain - a company-owned laptop. Citrix themselves instituted this policy a few years ago.

    If you’re using XenApp or XenDesktop to provide access to your key line-of-business applications, you don’t care what the endpoint is. If your employee prefers a MacBook, fine. Want to use an iPad? No problem. Connecting in from your home PC because your kids are sick? We’ve got that covered, too. Just install the Citrix Receiver and you’re good to go.

  2. The borderless network - “…today’s IT security model is more about risk management than network protection. Companies have to identify their most important data and then make sure it’s protected no matter who’s accessing it and from wherever and whatever device they’re accessing it from.”

    Citrix likes to say that their products are “Secure by Design,” meaning that security is built into them from the ground up. First of all, when you’re accessing your virtual desktop remotely, or running a published application from a XenApp server, the data never leaves the data center. The remote endpoint (whatever it is) is just sending keystrokes and mouse movements to the data center and getting back pixel updates. On top of that, we can encrypt that data connection using the Citrix Access Gateway.

    Citrix also gives you very granular control over whether files can be copied between client and server, and/or whether print jobs can be directed to a client-attached printer. In fact, using Advanced Access Control policies, those controls can be context-sensitive, i.e., you might allow files to be copied to the client device if the client device is a company-owned laptop, but not if it is a home PC; or you might allow client-attached printing if the client is connecting from a branch office, but not if the same user, using the same client device, is connecting from home, or from a hotel.

  3. The cloudy data center - Let me go on record as saying that the most cloudy thing about the cloud is trying to understand what someone means when they say the word. Not unlike the word “portal” a few years ago, the first question that usually needs to be asked in any discussion about cloud computing is: “When you say ‘cloud,’ what exactly do you mean?”

    But the point to remember is that when you’re delivering applications via Citrix, users don’t know and don’t care where the data center is or where the applications are being executed. It doesn’t matter. Want to move your entire infrastructure to a co-lo? Fine. Want to have multiple data centers with automatic failover from one to the other? We can do that, too. By some definitions of the term, we’ve been building “private clouds” since the release of WinFrame back in the mid-90s.

  4. The state of outsourcing - “Outsourcing is thriving in many different forms, and it’s reasonable to expect that it will accelerate.”

    We made the point above that users don’t know and don’t care where the data center is. The fact is, for about 90% of what they need to do, neither do the administrators. Virtualization in general, and Citrix products in particular, make it very easy to administer, troubleshoot, and repair issues remotely. We built the entire Evans Fruit Company infrastructure without ever having our engineer set foot on site. In fact, actually dispatching an engineer to a customer location is now the exception rather than the rule.

  5. The mobilization paradigm - “While PCs still make sense on the desks of knowledge workers, for all of these other workers who regularly move around as part of their daily job, the stationary PC often changes the natural flow of their routine because they have to stop at a system to enter data or complete a task. That’s about to change. Mobile computers in the form of smartphones and touchscreen tablets (like the iPad) have taken a big leap forward in the past four years. They are instant-on, easy to learn because of the touchscreen, and they have a whole new ecosystem of applications designed for the touch experience…”

    Very true…but these same users are going to still need to access your traditional line-of-business applications, which will not be transformed overnight into touchscreen enabled apps. It is axiomatic that, in IT, nothing ever actually goes away - instead, new technology just gets layered over the top of old technology…which is why you’ll still find applications running on big mainframes in a lot of enterprises. So how do you manage that transition?

    Once again, Citrix comes through. There’s a Citrix Receiver for the iPhone, one for the iPad, one for Windows Mobile phones, one for the Android, and just a couple of months ago, Citrix released a version of the Receiver for BlackBerry devices. And, of course, Receivers for Windows, Mac, and Linux PCs have long been available. I don’t know of any other product or technology that offers this kind of flexibility in delivering applications to users regardless of location, connection, or endpoint device.

  6. So a big “Thank you!” to Jason Hiner for an excellent post. You’ve just described, in a nutshell, why Moose Logic is still excited to be a Citrix partner after all these years. Just remember, as you work to adapt to all of these trends that are indeed changing the IT landscape, we’ve got your back.

XenClient Is Officially Here

Greetings from the Citrix Synergy conference in sunny San Francisco! It’s been a long time coming, but you can now download the XenClient Express Release Candidate code from the Citrix Web site. The link went live as Mark Templeton (the Citrix CEO) was delivering today’s keynote address.

It’s taken a while, because (1) there are a lot of things you need to worry about with client-side virtualization that aren’t an issue with server-side virtualization - like 3D graphics and USB plug & play, and (2) they wanted to make sure they got it right the first time.

This is a true “Type 1″ hypervisor, which means that it installs directly on the PC hardware (so be aware that it will wipe out whatever OS is already on the PC), and you are going to need specific hardware virtualization support on your PC. We’ll write more about that as time permits and as the requirements become more clear. But here are some of the cool things about it:

  • The first, and most obvious, is that you will be able to push a virtual desktop image down to a laptop PC, unplug it from the network, and take it on the road. There is a configurable lease timer that will disable that image if it doesn’t synchronize with the network again within the specified number of days.
  • If you are a desktop administrator, your life just got easier. Every desktop admin I’ve ever talked to has struggled with the issue of locking down the desktop. Take the user’s control away, and you’ve got managers in your face because they can’t install iTunes. Back down and give them local admin rights, and they break the desktop. Now you have to fix it.

    Now you can have a locked-down corporate desktop running side by side with a personal desktop on the same machine. If the user screws up the personal desktop, you can wipe it clean and push out a new one…and they can’t screw up the corporate desktop. How cool is that?

  • You manage the virtual desktops through a “Synchronizer,” which is a virtual appliance that runs on XenServer. When the user fires up the machine and connects to the Internet, it uses a client-initiated https connection to contact the Synchronizer - no VPN access is required.
  • The Synchronizer allows you to insure that critical data on the laptop is backed up in the datacenter, using a block-level protocol with compression for bandwidth efficiency.
  • If the laptop is lost or stolen, you can issue a “kill pill” from the Synchronizer that will immediately disable the VM image the next time the laptop comes on-line (or immediately, if it’s on-line when the kill pill is issued).
  • Because everything is backed up to the Synchronizer, it’s a matter of only a few minutes (depending on bandwidth) to push out that backed-up image to a new laptop, which doesn’t even have to be the same manufacturer as the old laptop, since the Type 1 Xen hypervisor gives you device independence.

VMware recently announced that they were changing direction away from a Type 1 hypervisor in favor of a Type 2 hypervisor for off-line VDI access. Basically, they’re still using a variation of VMware Workstation. That means that the VM is running on top of your local copy of Windows, and there are millions of lines of code between the VM and the hardware, as opposed to only about 80,000 lines of code in the Xen hypervisor. No way in the world that’s going to approach the performance level and user experience of XenClient.

Moreover, VMware assumes that everyone who will have off-line access will also have a hosted virtual desktop running somewhere on a VSphere infrastructure. So the hosted VDI instance comes first, then you get to check that virtual desktop out for some period of time, use it, and check it back in, at which time changes get synchronized. XenClient does not require that you have a hosted XenDesktop instance. You can push the corporate desktop image down onto a XenClient-enabled PC regardless of whether that user has access to a hosted XenDesktop PC. And synchronization takes place whenever you’re on-line.

As you can probably tell, I’m excited about this release. Yes, it’s “Release Candidate” code, and it’s intended to allow us to start playing with it so Citrix can get feedback on what needs to be tweaked. But it appears to be pretty darned solid RC code, and I don’t think we’re that far away from general availability.

Gartner is predicting that, by 2014, 72% of computing “endpoints” will be laptops. You cannot have a solid VDI strategy unless you can address off-line access by this large population of users. Citrix understands that. This is another game-changer!