In the last couple of months, there have been a number of blogs added on this site covering the progress of Project Delaware -- the next release of XenApp (new name for Presentation Server) for Windows Server 2008. At the same time, another team of talented engineers has also been working on the next release of Citrix Access Essentials (CAE), codename Project Eden. Like its bigger XenApp sibling, Access Essentials projects are also named after rivers; however, in our case, Access Essentials projects are named after rivers "across the pond" - that is, in the U.K.  Project Eden has three main objectives:

1. Support Windows Server 2008 - Microsoft has introduced a number of enhancements in Windows Server 2008, including improved management, security and printing. As the adoption of Windows Server 2008 ramps up for the small to mid-size business (usually more rapidly because they have more flexibility to change), let's make sure customers can continue to leverage AE on this new OS platform. 
2. Integrate with Microsoft's new mid-size business offering, Essential Business Server (EBS) or codename "Centro". If you follow the SMB space, undoubtedly you've heard of "Centro" or Essential Business Server. You've probably also seen Citrix mentioned in one of the many EBS industry write-ups or the Citrix logo on a Microsoft EBS' blog post.
3. Deliver features to improve usability and enhance end-user experience. As an example, CAE 2.0 introduced SpeedScreen technology of Browser and Image Acceleration. Project Eden will deliver the additional SpeedScreen technology currently available in XenApp product for CAE customers.

Obviously there are more features and details not mentioned here, but, as you can see already, there are many exciting things going on with Access Essentials. So, even though the last CAE blog was posted some time ago, don't despair. You can expect to see more CAE coverage in the up-coming months! As the new Product Manager of CAE, I am very excited about this product and its future! If you are currently a CAE customer, I would love to hear about your experience with CAE. You can reach me by clicking on my name/profile above. If you are new to CAE, you can learn more about it here.

This is for those of you familiar with Presentation Server, to let you know that Access Essentials 2.0 is a little 'different'...

Here's my, slightly tongue-in-cheek, ten things you should know about Access Essentials 2.0 in Advanced Mode:

1. Access Essentials only supports use of the Access Database. It's pre-selected, and you're not given an option running chfarm / dsmaint is officially cheating.
2. Running chfarm / dsmaint isn't just cheating, you can break things. Yeah, really...
3. Access Essentials stores important info in Active Directory, which chfarm and dsmaint know nothing about, which is why they can break things. Now do you believe me?
4. Farms are called Server Groups in Access Essentials. Yep, you're right, we do just like changing the names of things for the fun of it.
5. A Server Group has an OU in Active Directory, all the servers are held within that OU. I hope I don't have to warn you about messing with this!
6. Not all servers are equal. special one, called the Master Server, holds the IMA datastore, and runs Web Interface and Secure Gateway. It gets kind-of busy serving apps as well, so make sure it's the best one.
7. If the Master Server fails, the Server Group can automatically recover without the need for any fancy-schmancy load-balancers. There's a magic floating IP address instead, which is the contact address of the Server Group. And no, we don't use NLB, but yes, it really is magic in that not-really-very-magic-at-all sense.
8. If the Master Server fails so badly that not coming back, can recover. We replicate configuration data to all of the servers every 24 hours, no you don't have to go scratching around to find those backup tapes you think you made 6 months ago.
9. For simple cases, you can configure roaming profiles and folder redirection right out of a simple wizard in the Quick Start tool - we'll even remotely create the shares on the file server for you. Probably best not to choose the Master server as the profile server - hint: if nothing else, you probably have a Domain Controller around somewhere...
10. There's only one zone, it's really important there's only one, and we control server precedence as part of configuring automatic recovery. You know the drill by now - mess with this either.
11. OK, I'm cheating There's also a maintenance button. It makes it really easy to take a server down for maintenance, probably best not to use it on all the servers at 9am your excitement...
12. Even if you 'know what you're doing' *cough*, try using the Quick Start tool first. We do automatic cross-server application discovery, it's cool.
    Oh, and if you get stuck, do by visit us at the support forums (v1.0, v1.5, v2.0) we do monitor in the engineering team and try to help out on most threads. I promise I won't try out my sense of humour on you there.

Oh, and if you get stuck, do come by and visit us at the support forums - we do monitor them in the engineering team and try to help out on most threads.  I promise I won't try out my highly-suspect sense of humour on you there.

I thought I'd share some of history behind the current release of Access Essentials, 2.0.

After Access Essentials 1.5 had shipped, we went on to think about what the next release of Access Essentials should be. For quite a long time during the development of Access Essentials 2.0, it was actually two products - Project Trent, the successor to Access Essentials and Voyager (product name not decided), targeted at slightly larger customers with support for multiple servers, a DMZ server, email alerting functionality. Both products were based on the same code - both would have the Quick Start tool. Quick Start adapted itself automatically to whichever type of server it was running on - Trent or Voyager to show the appropriate UI.

Then things changed.

Quite a bit as it happens.

In VSG we came to realize that our product line up was causing some confusion. The Presentation Server 4.5 release was going to act as the basis for new product releases: Access Suite 4.5, Presentation Server 4.5 Enterprise Edition, Presentation Server 4.5 Advanced Edition, Presentation Server 4.5 Standard Edition, Project Voyager and Project Trent. Some re-adjustment was required. I'm sure our marketing teams won't be happy with my characterization, but the Access Suite became Presentation Server Platinum Edition, Presentation Server Standard Edition went the way of the Dodo and Projects Trent and Voyager were combined into Access Essentials 2.0.

The challenge for us in the Access Essentials engineering team was how to combine the two conceived products into one. For customers that only wanted a single server, we wanted to keep all of that simplicity - but for customers wanting a multi-server solution, we needed to add the functionality to support them - no single point of failure, automatic failure recovery, and centralised profile storage.

We invented the concepts of Basic and Advanced modes in Access Essentials - Trent became Basic mode and the natural successor to Access Essentials 1.5, limited to a single server and available on workgroup servers. Voyager became Advanced mode and supports multiple servers, but has a dependency on Active Directory. Compared to Trent, Basic mode gained DMZ server option and e-mail alerting, because they didn't depend on Active Directory.

The end result is actually a product that I think is better than Trent and Voyager would have been individually. If you're starting out with Access Essentials, you can still start with the simpler option. As you grow your business, or just expand your use of Access Essentials, you can rest assured that without buying any more Access Essentials licenses, you're a server and a wizard away from a more resilient, higher capacity solution.  To keep things super-safe, with one wizard you can even return from Advanced mode back to Basic mode if you decide it's not for you.

[Updated to fix grammar: 4 March 2008]

With Access Essentials 2.0, we support installation on a Domain Controller. This is something that used to be possible with Presentation Server some time ago.  We've made it possible again for Access Essentials 2.0, with some caveats, and some health warnings...

If you only got one server, and handful of purchasing an additional server and Windows license just to run Access Essentials add to the cost of deployment, so installing Access Essentials on your Domain Controller might be appropriate for you.

However, the integrity of your Domain Controller is vital for the overall security and operation of your Domain. Ideally, you want to run as little as possible on your Domain Controller, and restrict access to trusted Administrators. By it's very nature, allowing users to run applications on your Domain Controller increases your exposure to both accidental damage, and to any security vulnerabilities in the Operating System or applications themselves.

We came to the conclusion that making this cost/security trade-off is something we can do for you, so we made it possible to install Access Essentials on a Domain Controller. When you run the installer on a Domain Controller, you be prompted with this message:

Not available on Small Business Server

A variation on installing on a Domain Controller that comes up fairly often, is installing Access Essentials on Small Business Server. It seems a natural fit. However, Small Business Server doesn include the necessary Terminal Services component, so I afraid that not going to work.

The alternative

Maybe you already got Small Business Server, or the security trade-offs aren appropriate. Obviously you can purchase an additional server to host Access Essentials. The cheaper alternative (and hopefully better for the environment) is to running Access Essentials within a Virtual Machine (VM), by running Server (or VMWare) your Domain Controller. There will be a performance hit of some kind if you do this, so if you have the opportunity, tweak up the spec of the server.

I running Access Essentials inside the VM rather than the Domain Controller - your Domain Controller should be up and running when you boot the Access Essentials server. For Server, a bit of googling finds these KB articles 840319 and 890893 you should take a look at. I couldn't find any useful info on running VMWare Server on a Domain Controller.

There additional benefits to using Virtual Server - budget and/or usage dictates, you can migrate the Access Essentials VM to a dedicated server and can also combine your Virtual Machine into a multi-server deployment.

In summary

Although not recommended, Access Essentials 2.0 can be installed a Domain Controller (but not SBS 2003). Also consider the option of installing Access Essentials in a Virtual Machine.

Next time, I probably start discussion on the multi-server aspects of Access Essentials 2.0 - but if there something you like me to discuss, feel free to post a comment.

We in the final engineering stages of Access Essentials 2.0 - it good to finally be able to see the light at the end of the tunnel

Augie, from Product Marketing team, has been working with Microsoft TS2 team, recording a Sales and a Technical webinar.

Because Essentials targeted at smaller customers, there are some new technologies appropriate to those customers that we been able to include in Access Essentials We also invited the CTPs to a more detailed technical briefing on those on Monday - it be the first time I the chance to chat with any of the CTPs (so be gentle guys).

Over the new few weeks, I aiming to drill in on the details the new features here - but I will say now that we to some of the feedback we had from both this site and the support forums.

We are listening - comments are always welcome.

Subscription Advantage allows Citrix customers to obtain updated versions of their Citrix products while they keep with Subscription Advantage. In this post I give a brief overview of the license-file mechanics of Subscription Advantage for Essentials and along the way try to explain what means.

It's all in the license file

All of the information we going to discuss is contained in the .lic files downloaded from MyCitrix.com. If you already installed your licenses, you can find them in the C:\Program Files\Citrix\Licensing\MyFiles folder. Here an example:

INCREMENT MPS_SMB_RN CITRIX 2005.0914 permanent 5 \
VENDOR_STRING=;LT=Retail;GP=720;CL=SMB;MLC=75;SA=0;ODP=0;NUDURMIN=2880;NUDURMAX=525600 \
DUP_GROUP=V ISSUED=05-Oct-2005 NOTICE= \
SN=LA-9999365386-09664:244383 START=14-sep-2005 SIGN= \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX

Subscription Advantage is based around dates, there are a few in this license, lets take a look in more detail:

START=14-sep-2005 This is the activation date of the license - the date on which, for licensing purposes, you bought the product. The relationship between the actual date you handed over the cash and the date in the license file can be somewhat complicated - but as far as licensing is concerned this is the purchase date. Attempting to use the product before this date won work - in practice you shouldn ever see one issued in the future, so that not a concern.

ISSUED=05-Oct-2005 This is the date you this particular license file from MyCitrix. In this example, we waited until 5th before downloading the file.

permanent This is actually a date. Normal Citrix licenses are perpetual, meaning that you can continue to use copy of the product you purchased indefinately. For evaluation licenses, and similar this field will contain a date, for example: 15-Oct-2006. For those licenses, the product will not be licensed after this date.

2005.0914 This is the date we been working towards, it the one that actually controls Subscription Advantage. In this example the date is 14-Sep-2005. Interestingly, all licenses - even those without Subscription Advantage - contain a date here.

Why is the date that controls Subscription Advantage in a strange format, and how does it work?

Date-based versions

The date 2005.0914 in the example above is actually a version number, in the form major.minor, where major is a year and minor is month and day. Also, notice how in the example above, the date is the same as the start date (i.e. the date the product was purchased). From now on, we call this the version date

Although you purchase Access Essentials 1.0 or 1.5, each version of the product actually has an embedded date which is version number actually used for licensing purposes. The simple rule is that a license file is valid if the date in the license file is later than, or the same as, version date embedded into the product. This means that any Access Essentials 1.5 license will also work just fine with Access Essentials 1.0 - what's important is the date you purchased the license, not which version you bought.

Representing Subscription Advantage

So we know how date-based versioning works, how does this fit into Subscription Advantage? When you purchase an Access Essentials with Subscription Advantage, the version date is set one year on from the purchase date. In our example it would be 2006.0914:

INCREMENT MPS_SMB_RN CITRIX 2006.0914 permanent 5 \
VENDOR_STRING=;LT=Retail;GP=720;CL=SMB;MLC=75;SA=1;ODP=0;NUDURMIN=2880;NUDURMAX=525600 \
DUP_GROUP=V ISSUED=05-Oct-2005 NOTICE= \
SN=LA-9999365386-09664:244383 START=14-sep-2005 SIGN= \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX

Any version of Essentials with an embedded date or before September 14th, 2006 will be licensed. How can you tell which versions of Essentials allowed to use with your license file? For that you need a handy decoder table:

Your license file will work with any version of CAE where the date in this table is on or before the date in the license file.

Subscription Advantage renewals

So far we only looked at your initial license - which may include one years Subscription Advantage. To enable you to continue to qualify for new releases beyond your initial year, you have to renew Subscription Advantage. When you do so, it entitles you to an UPGRADE file like this:

UPGRADE MPS_SMB_RN CITRIX 2006.0914 2007.0914 permanent 5 \
VENDOR_STRING=;LT=Retail;GP=720;CL=SMB;MLC=75;SA=1;ODP=0;NUDURMIN=2880;NUDURMAX=525600 \
DUP_GROUP=V ISSUED=09-Sep-2006 NOTICE= \
SN=LA-9999365386-09664:244383 START=14-sep-2005 SIGN= \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX \
XXXX XXXX XXXX XXXX XXXX

This file actually modifies your original license file, replacing the old date with the new one (2007.0914) - the dates break down like this:

• The original license was purchased September 14th, 2005
• With 1 years Subscription Advantage, it would license any product released before September 14th, 2006
• After renewing Subscription Advantage, it now licenses any product released before September 14th, 2007

If you renew Subscription Advantage you don't have to actually download and install modified license file straight away - remember normal Citrix licenses are perpetual. You only need to download your new license file when you want to update to a newer version of Access Essentials (which isn't covered by your old license file).

Summary

Let recap. We taken a look at Access Essentials license files and some of the mechanics of how they work. We seen why the date you purchase Essentials License matters, not which version you purchase. Finally, we seen how renewing Subscription Advantage entitles you to new product releases.

So what does it mean be be Subscription Advantage? In terms of license files, it means that you have the right to download a license file with a date in the future - entitling you to any new an embedded version date up to, and including, that date.

One of the features we added in Access Essentials 1.5 is the ability to instantly create temporary 30-day SSL certificates from within the Quick Start tool. If you're not familiar with obtaining SSL this feature a great way to get Access without worrying about the cost and inconvenience of purchasing the wrong certificates. Even if you're confident handling SSL certificates, temporary certificates can be to double-check your setup, and to get up and running whilst you wait for a certificate from a Public Certificate Authority to be issued.

Here's my quick guide on setting up Remote Access in Access Essentials:

1. Make sure local access works first
2. Get a static IP address
3. Register a public DNS name
4. Open (only) port 443 in your firewall
5. Create a temporary certificate
6. Run a test
7. Get a from a Public Certificate Authority
8. Run a final test

I'll cover these in more detail below, but one other bit of advice - if you're used to configuring Secure Gateway in Presentation Server, try to resist the urge to configure Secure Gateway yourself. Most of the broken configurations I've seen or heard about result from trying to do things the 'Presentation Server way'.

Make sure local access works first

Might sound obvious, but before you start, make sure you can successfully start applications hosted on Access Essentials from the LAN. A simple connection test is all that's required, so make sure you've published an application and can start it from Web Interface.

Get a static IP address

Access Essentials should work with a dynamic IP address and a dynamic DNS provider, but my advice is to ask your ISP for a static IP address - it'll save you time and effort in the long run. To double-check your IP address, use a service like http://www.whatismyip.com/.

Register a public DNS name

A common trap is to try to avoid registering a DNS name, and just use your public IP address. I'm afraid I have some bad news - it ain't gonna work. The Citrix client software will refuse to play ball, so it's best to save yourself the effort and register one up front. Once you've registered your DNS name, make sure you create an 'A' record for your Essentials which resolves to your public IP address.

Open (only) port 443 in your firewall

There are a bunch of well-known ports related to Citrix, but the only one you should open in your firewall is port 443. In most firewalls you want add a rule for the HTTPS protocol. Don't open any of the other Citrix ports in your firewall, you don't need them and opening too many ports is a security risk.

Create a temporary certificate

Within the Quick Start tool, click the 'Manage external access' link and follow the wizard through. the Specify Certificate Source page, choose the 'Generate a temporary certificate'. You'll be prompted to save the CA certificate to disk.

Run a test

To do a basic connectivity test, you can use this tool: http://tools.citrixsmb.co.uk/conncheck/index.php. The tool will connect back to your server and perform some basic checks. If problems are found, it provides guidance than the client software. (This tool is only for Access Essentials. you it at Server, see some errors flagged even if your setup is OK).

If you find you've requested a certificate for the wrong name, you can easily generate a new temporary certificate from the Quick Start tool.

When get a green light, the next step is to try a real connection from a device connected to the Internet. First, you need to install the CA certificate you were prompted to save, to your client device:

• Copy the CA certificate to the client
• Double-click the certificate, and choose 'Install Certificate...'
  Then just connect to server as normal.

Get a from a Public Certificate Authority

Once you're happy with your configuration, you need to decide on a Public Certificate Authority and generate a CSR (Certificate Signing Request). To generate the CSR, use the 'Create new certificate request' task Quick Start. All of the necessary details will have been saved, so you should be able to click 'Next' through to the 'Specify Certificate Source' page. Choose the 'Manually submit the certificate request to a Certificate Authority' option.

You'll need to provide the CSR to your Certificate Authority. Quick Start places the CSR on your clipboard by default, so you can just paste your clipboard into the CSR field on Certificate Authority's submission form.

When the Certificate Authority sends you your signed certificate, use the 'Import requested certificate' link in Quick Start. CAE will automatically switch to use the new certificate.

Run a final test

Everything should 'just work', but I like to re-run the connectivity tests to make sure everything's OK.

A few people have asked whether they can use PN Agent with an Access Essentials server. The answer: yes you can, but you're on your own setting it up, and if things subsequently go wrong.

Given that Access Essentials is based on Presentation Server 4.0, you may be surprised by this - why wouldn't we support PN Agent used with Access Essentials? After all, the underlying technology is all there. I'll briefly discuss thought process that lead us to we are, our thoughts for the future. A lot of this is driven, ultimately, by the experience we want to give our customers, particularly ones new to Citrix technology - but I'll try to break out the individual factors as I see them.

Technical

PN Agent can be made to work with Access Essentials, so there's no technical reason blocking us from supporting PN Agent in some form. But, we can't replace Interface with Agent. That's a pretty bold assertion, what do I base it on? For me the two key technical reasons for this are:

1. Even in Presentation Server, we don't really support use of PN Agent over the Internet. There is no support for two-factor authentication, for example.
2. We rely on Web Interface's ability to push the software to users. Keeping this working in Web Interface is an arms race, but it's a valuable capability if you don't have control over all the client devices.
3. The Administrative scope of PN Agent doesn't suit all scenarios - PN Agent works great if your desktop administrator is the same person as your Presentation Server / Access Essentials administrator. This is likely internally in SMBs, but it falls down if you're using Access Essentials to allow partners, customers, occasional home workers, etc access to applications.

User Experience

Out of the box, we've aimed to provide a consistent experience for users whether they are accessing applications hosted on Access Essentials - from the LAN or over the Internet. The URL you type into your browser is necessarily different (though you could setup DNS to have the same URL work internally and externally), but otherwise the experience is pretty much the same - log in, click on an application and wait for it to appear.

Even if we supported PN Agent, we couldn't support it for external users. There's now two ways to access applications running on Access Essentials, depending on where you are - which is more to explain and demonstrate to users, more to become comfortable with administering, and more to diagnose when things go wrong.

One interesting point that came up some time ago, when we discussed this with a Citrix reseller/customer (it was long enough ago I forget which), is that Web Interface may actually have an advantage over PN Agent in terms of setting user expectation. By navigating to a web page, such as Web Interface, I have different expectations about interactivity than if I'm working with a locally installed application. Networks introduce characteristics that we can try to mitigate, such as latency and reliability, but that ultimately leak into the user's perception. starting Essentials applications from a web site lead to a more realistic set of user expectations, and so a more satisified user, than launching from the Start menu? For me, this rings true - but is it really true?

Admin Experience

For technical reasons, we can't replace Web Interface with PN Agent, so Agent is, at best, to be a choice for administrators and that means another decision to make, and that's something we've tried to remove from CAE. Individually, presenting customers with a can normally be justified - but in combination, choices can become overwhelming. Removing need to make a feature in Access Essentials.

Finite Resources

Ultimately, this is the big decider - we've only got so much engineering resource to spend on Access Essentials, so prioritization is a fact of life. If the other factors illustrate why PN Agent support wasn't a high-priority feature for Access Essentials, this is the real reason it's not available. Although we can be reasonably confident PN Agent works with Access Essentials, if we haven't put the effort into testing, to make sure it works, we can't claim support.

The Future

I've talked about why PN Agent isn't supported with Access Essentials, but what about the future? One possibility in the short term that we won't any changes to the product, but we'll make the investment to do some testing with PN Agent. It would still be a manual job install, configure and use Agent need to use the Presentation Server admin guides for documentation) but you could get support for a deployment using PN Agent.

I've been meaning to put up a quick post on this a days - I haven't seen much discussion in the community, but the Terminal Services team recently announced they're providing a Terminal Server Licensing WMI provider on Longhorn Server. I've had a look through the MSDN docs, and this looks to be quite thorough. This has to be a good thing if you have large Terminal Services deployments. my opinion this is also a deal for vendors, like Citrix, that OEM TSCALs. We've not got any detailed plans as yet, but we have the possibility of activating the Terminal Services License Server, and installing TSCAL license packs from within Start removing another area of complexity for Access Essentials customers.
TS team - my only gripe is around documentation:

• Add more detail to the MSDN documentation on the failure cases. What happens if the online server is down, or inaccessible for the XXXAutomatic methods?
• What are the validation rules for the various input fields - for example, the license key pack license codes or Country, eMail or other fields on the Win32_TSLicenseServer object.

All said this is a great move - kudos to the Terminal Services team!

Named-User license enforcement recently been a discussion topic in the engineering team working on the next version of CAE. In this article, I give a little background, discuss the requirements for Named-User licensing and what are plans are in the next version of Access Essentials.

Licensing is a thorny issue - fundamentally it an anti-feature - a that implemented for the benefit of vendor (in this case Citrix), rather than the customer (unless you subscribe to the view that enforcement takes the worry out of remaining compliant with the license). This means that whilst it must achieve our goal (protecting our product from unlicensed use), it also needs to have the least burden on customers we can achieve. We know the implementation in CAE 1.0 and 1.5 creating some confusion, and we want to address this.

Let start with the basics. Access Essentials is licensed for a number (maximum 75) of Named-Users, in increments of 5 users. By Named-User we mean, literally, a named individual, a person. You purchase 15 licenses, 15 named individuals are allowed to use the product. Sounds simple, nothing to hard about that, you just have a list of 15 accounts and only allow people on that list to use the product, right?

Sure but what if you want to license 75 users? Do you really want to list all 75 names when you install your licenses? I can imagine this is just about bearable for 75 users, but we like to aim for consistency, and with our Enterprise products this model of listing users goes out the door. Fancy listing, individually, all 10,000 named users for an Enterprise-level product? Didn think so. OK, so we have to be a bit smarter about this, and have some way for the product to automatically manage the list. So we have two requirements #1 - the implementation should be to Named-User enforcement in other Citrix products, and #2 the list of licensed users has to be (mostly) self-managing.

We like to think that the vast majority of our customers don actually need our license enforcement to stop them deliberately breaking the terms of the EULA, for the honest majority it about the product preventing them accidentally exceeding their license count. So, requirement #3 - enforcement needs to be strong enough to prevent accidental over-use of the product.

As new employees join, it can be tricky keeping track of how many licenses of which products you bought, and making sure you purchase additional licenses when appropriate. For this, you don just want the product to you exceed your license limit - really need visibility on who has a license allocated, and how many you have spare. So, requirement #4 - provide visibility on who has a license allocated, and how many you have available.

Right, next problem - bit of a shocker, but people actually change jobs. Chances are at some point, one of your Named-Users is going to no longer need a license, and you want to re-assign the license to someone else. So requirement #5 - allow customers to re-assign licenses.

We now have our basic requirements:

• #1 - The implementation should be similar to Named-User enforcement in other Citrix products
• #2 - The list of licensed users has to be (mostly) self-managing
• #3 - Enforcement needs to be strong enough to prevent accidental over-use of the product
• #4 - Provide visibility on who has a license allocated, and how many you have available
• #5 - Allow customers to re-assign licenses

I haven discussed preventing deliberate mis-use of the product. This is a potentially sensitive area for discussing in a public forum, so I hope you forgive me for treating that as implicit for the purposes of this discussion.

So, lets take a look at how CAE 1.0 and 1.5 stack up against our requirements list. In CAE 1.0 and 1.5, our model is to assign users a license when they start a connection to the server. They can create as many connections as they like, from as many devices as they like, and only consume one license. A very short time after they close all of their sessions, we release their license. So the score sheet:

• #1 - Erm, no - CAE enforcement model is unique within Citrix. Password Manager, which also supports Named-User licensing uses a different model.
• #2 - Yep, there no managed list of users - Erm, no - it too easy to accidentally exceed your purchased license count
• #4 - Erm, no - we don provide a way to view the list of licensed users
• #5 - Yep - because there is no managed list of users, and how long we lease the license for, this is OK

So, 2 out of - not a great score. How are we looking to do better in the next release?

Our current plan is to move to a model where we automatically release a user instead the only way to de-allocate a user license will be to use Quick Start. solves #3. We also show the current list of licensed users in the Quick Start tool, which covers #4. Our thinking here is that although requirement #5 states we must allow licenses to be re-assigned, we don think this is going to be such a common operation that using Quick Start in order to re-assign a license is a huge burden.

The score sheet now looks like:

• #1 - Still not perfect, we closer to other products but still aren a perfect match.
• #2 - Slightly worse than before - a license is still automatic, so no setup cost, but a license is no longer automatic
• #3 - A lot better here, re-using a license for a new user requires an explicit action by an administrator
• #4 - A lot better here, the Quick Start tool will now show who is allocated a license, and how many are free
• #5 - Slightly worse than before, because re-assigning licenses is something that requires use of the Quick Start tool.

Overall, this is a better score - but some things that used to be possible without using Quick Start, now require use of the Quick Start.

Do have strong views on enforcement, in Access Essentials or wider within Citrix? Do the changes we making, sense to you? Do you think the changes have some undesirable, unintended consequences?