Suppose that you’re a Citrix administrator that needs to use a remote Citrix License Server so that users from a contractor, subsidiary, or a customer acquire licenses from somewhere other than the main Citrix License Server that supports the core XenApp or XenDesktop farm. What’s the best way to do this?
Depending on the Citrix technology and version that is being licensed, the options differ. For example, XenApp 5 allows you to designate a Citrix License Server based on a server or farm basis, whereas XenDesktop 4 requires a single Citrix License Server designation based on the entire farm. And XenApp 6 and XenDesktop 5 add policy-based assignment of the Citrix License Server, e.g., you can opt to designate a Citrix License Server based on XenApp Worker Groups.
Once you’ve determined which entities will access which Citrix License Server and the proper configuration, there are a few additional factors to consider:
• Being that the request for the Citrix License is not in the same data center as your Citrix infrastructure, access to that remote Citrix License Server must be unencumbered yet secure. For example, if a subset of XenApp servers are being serviced by a Citrix License Server hosted at a contractor site, the network connection to that location must be accessible yet fast, while not opening a security hole. Logon time will likely be slightly extended due to the time required to make the network connection and acquire a license. For users to acquire licenses, it is necessary to open the appropriate ports (TCP 7279 and 27000 by default) on the firewall, and the source/destination IP address block should be designated to provide greater security. Further, if administrative access to the remote Citrix License Server is provided, TCP 8082 will also need to be opened.
• Where a remote Citrix License Server provides licenses that are not the same type or version as the Citrix technology being accessed, users may not be able to access resources. For example, if a license that is not up to date on Subscription Advantage is used to access a Citrix resource that has the latest version installed, user logons may fail or functionality may not be available.
• When a remote Citrix License Server doles out licenses, administrators at the main data center may not have a means of monitoring the Citrix License Server and determining when the supply of licenses is depleted. Thus, users may receive licensing errors and/or be denied access based on lack of licenses when there are actually no issues within the core Citrix implementation.
• After the initial connection to the Citrix License Server, a 30-day licensing grace period is provided so that user connections are not disrupted in the event of a temporary server issue, maintenance, etc. However, if the remote Citrix License Server is not actually providing licenses and thus an administrator unknowingly causes users to access temporary licenses for the grace period, licensing issues will only present themselves when the 30-day grace period expires. Thus, it may initially appear that licensing is functioning correctly and then exactly 30 days later, user connections will fail.
• Ensure that you are properly licensed and in compliance with Microsoft Terminal Services/Remote Desktop Services licensing for XenApp, as well as available access to the desired Microsoft License Server(s), especially when configuring via the registry or GPO. For XenDesktop, compliance with Software Assurance (SA)/Virtual Desktop Access (VDA) for XenDesktop is required.
• In all cases, the requirements stated in the Citrix EULA must be followed in order to be in compliance.
To be honest, we don’t see many customers having the need to access remote Citrix License Servers, but there may be times where this is required. While it may be technically and legally possible to do so, please consider the aforementioned items and be sure to fully test any scenario that you are planning to deploy into production.
Jo Harder, Senior Architect