Licensing of remote usage and access
Accounting for license compliance follows different rules when applications are not installed locally on the users' devices but provided somewhere in the organization's network. Several technologies and scenarios can accomplish this. The most known are Microsoft Remote Desktop Services (formerly known as Terminal Services), Microsoft Remote App (based on Remote Desktop Services), Citrix XenApp, and Citrix XenDesktop.
In most cases – where such software provisioning is allowed by licensing terms at all – vendors focus on actual usage rather than consider potential usage to account for required licenses. Operating systems that are used to provide such benefits usually require specific client access licenses for respective platform to install Remote Desktop Services or any hosted (virtual) desktop operating system on each device.
The Remote Usage Licensing feature provides functionality to manage such licensing scenarios and ensure appropriate compliance accounting. With these capabilities you can check how applications are accessed and used on application hosts (i.e. computers in the network that provide application services to end users). Remote Usage Licensing provides full transparency about the corresponding infrastructure, actual user activities, and compliance accounting.
Ensure that the software inventory is up-to-date on every application host
Remote Usage Licensing supports the following scenarios:
- Launching Remote Application (Microsoft Remote Desktop Services)
- Launching Application on Remote Desktop (Microsoft Remote Desktop Services)
- Launching Published Application (Citrix XenApp)
- Launching Application on Hosted Virtual Desktop (Citrix XenDesktop)
There are limitations when tablets or smartphones are accessing virtual infrastructures. This is because such devices do not provide unique device names for proper identification that is required for usage tracking and compliance accounting.
The tracking agent collects information about the session, access and usage. A single instance of this agent runs on each server that provides applications for remote access. It records remote application usage by providing user account name, fully qualified name of the accessing device, and fully qualified name of the computer that hosts the application.
If Hosted Virtual Desktops (XenDesktop) are involved, one instance of the tracking agent should run on a server in the network with API access to the Citrix Hosting Infrastructure Server. It should be configured to access relevant Citrix Desktop Delivery Controllers (for more information, see section Base configuration below). This instance records user sessions that access Hosted Virtual Desktops. It provides fully qualified name of the accessing device that cannot be seen on the Virtual Desktop itself.
Two specific engine activations handle automated processing:
License Manager - Remote Usage Configuration
Updates configuration for application usage agents.
License Manager - Remote Usage Data Processing
Imports and processes reported sessions and usages.
Please verify that the scheduled activation matches your individual schedules. Both should run after all your frequent data imports from AD, inventory, and other data sources.
Setup and configuration
To set up Remote Usage Licensing, perform the following steps:
- Setup base configuration on Matrix42 application server
- Setup agent configuration on Matrix42 application server
- Enable relevant engine activations
- Install agents on every application host
- Configure removal of obsolete tracking data
On the server where the Matrix42 server application is running must be configured depending on the type of communication that is used by the tracking agents.
The base configuration file Matrix42.Agent.Service.exe.config is located in the folder <Matrix42 Installation Folder>\RemoteUsages\Agent.
Here you configure:
- Error level for tracing
- Citrix XenDesktop access
<?xml version="1.0"?> <configuration> <configSections> <section name="processMonitor" type="System.Configuration.NameValueSectionHandler"/> <section name="citrixConfiguration" type="Matrix42.SessionProvider.Citrix.Configuration.CitrixConfigurationSection, Matrix42.SessionProvider.Citrix"/> </configSections> <startup> <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/> </startup> <processMonitor configSource="processMonitor.config"/> <!-- CITRIX XENDESKTOP TRACKING <citrixConfiguration> <ddcServers> <ddcServer name="FULLQUALIFIEDSERVERNAME " connectionString=" FULLQUALIFIEDSERVERNAME:PORT"/> </ddcServers> </citrixConfiguration> --> <system.diagnostics> <trace autoflush="false" indentsize="4"> <listeners> <add name="EventLogListener" type="System.Diagnostics.EventLogTraceListener" initializeData="Matrix42 Remote Usages Monitor"> <filter type="System.Diagnostics.EventTypeFilter" initializeData="Warning"/> <!-- Legend: Trace Levels Off: 0: None Error: 1: Errors Warning: 2: Warnings and Errors Information: 3: Information, Warnings and Errors Verbose: 4: Debug Trace, Information, Warnings and Errors --> </add> </listeners> </trace> </system.diagnostics> </configuration>
Configure Citrix XenDesktop tracking
If you want to monitor the usage of Citrix Virtual Desktop, uncomment section <citrixConfiguration> and provide fully qualified name (e.g., lab.matrix42.de\DDC01) of your Citrix Desktop Delivery Controller (DDC; under FULLQUALIFIEDSERVERNAME and FULLQUALIFIEDSERVERNAME:PORT).
Always use the server name! IP-address cannot be used!
Here you configure:
- Communication protocol: file (SMB), http or https.
- Tracking interval: Frequency in minutes at which the agent scans the process list.
- Reporting interval: Frequency in minutes at which the agent sends results back to server.
- Configuration update interval: Frequency in minutes at which the agent checks for updated configuration on server.
- Agent tracking status: Tracking activity of agent is enabled or disabled.
If you choose "file exchange" for tracking configuration and tracked usage data (via Network Share):
- Share the <Matrix42 Installation Folder>\RemoteUsages folder in your local network.
- Grant full access rights to the account that is used by the tracking agents.
Configuration for product versions up to 9.1.0
The agent is configured in the file "processMonitor.config.template" located in the folder <Matrix42 Installation Folder>\RemoteUsages.
After the adjustments, copy the processMonitor.config.template file to the folder <Matrix42 Installation Folder>\RemoteUsages\Config.
When remote usage tracking is configured for the first time The activation License Management - Remote Usage Configuration uses this template to provide final tracking configuration to all installed agents. For this purpose the activation merges the template with "Process List" settings that are managed inside Software Products in Matrix42 Software Asset & Service Management (see here for more details).
Insecure web-service with implicit authentication (http):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-—http communication – also configure Web-Service on Server!--> <add key="RemoteUsageServiceUrl" value="http://SERVERNAME/M42Services/LVC/RemoteUsageService.svc "/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
Secure web-service with explicit authentication (https):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-— https communication – also configure Web-Service on Server! --> <add key="RemoteUsageServiceUrl" value="https://SERVERNAME/M42Services/LVC/RemoteUsageService.svc "/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
File communication (SMB):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-- Network share where updated agent configuration is provided --> <add key="ConfigPath" value="\\SERVERNAME\M42RemoteUsages\Config"/> <!-- Network share where agent store session and usage information --> <add key="TargetFolder" value="\\SERVERNAME\M42RemoteUsages\Inbox"/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
Configuration for product versions starting from 9.1.1 and higher
To configure tracking settings, open the Settings navigation item in the Licenses application and edit the global system settings.
In the Tracking Agent section, specify the required data.
- Select the Enable remote usage tracking checkbox. This setting activates the tracking.
- Choose the communication protocol:
- If you fill in the Application Service URL field and leave the Use network sharing folder checkbox empty, the HTTP/HTTPS communication will be used to exchange data between the tracking agent and the server. The service URL should have the following format: https://SERVER/M42Services/LVCRemoteUsageService.svc where SERVER is a fully qualified domain name of Matrix42 Software Asset & Service Management server.
- Select the Use network sharing folder checkbox if file exchange via network share should be used for agent/server communication.
- In this case, enter the path to a folder with the tracking configuration file in Config Folder Path. This file is generated automatically by the License Management - Remote Usage Configuration engine activation after all required settings have been saved. The path should have the following format: \\SERVER\RemoteUsages\Config where SERVER is a fully qualified domain name of the Matrix42 Software Asset & Service Management server.
- In the Target Folder Path field, you must enter the path to a folder where the tracking agent will save remote usage files. The path should have the following format: \\SERVER\RemoteUsages\Inbox where SERVER is a fully qualified domain name of the Matrix42 Software Asset & Service Management server.
- In Limited Computer List (comma separated), specify a list of computers to be monitored by entering hostnames. If the field is empty, all computers in the system will be tracked for remote usage.
- Choose your authentication settings:
- Keep the Use process credentials checkbox selected if you wish to use the implicit authentication. In this case the account used to run the tracking agent will also be used to access the Matrix42 Software Asset & Service Management server. Using this setting is preferred. Please note that this account should be registered in the system.
- Alternatively, you can specify credentials for the explicit authentication by filling in User Account, Password, and Domain. These fields are editable if the Use process credentials checkbox is cleared.
- Use Scan Interval (min) to determine how often computers are scanned for running processes.
- Use Config Reload Interval (min) to determine how often the tracking agent will check for updates in the configuration file.
- Adjust Report Interval (min) to set the frequency at which the tracking agent will send remote usage files to the server.
Enable relevant engine activations
Finally, enable following service activations are enabled (set to "active"):
- License Management - Configuration Remote Usage (Update configuration for remote usages)
- License management - Processing of usage data (Daily creates license requirements based on remote usages)
- Microsoft .NET Framework 4.6.1
- Windows PowerShell 2.0
- If using HTTPS for Server Communication: SSL Certificate
- If monitoring Citrix DDC: Citrix Desktop Studio Management Console
To install the tracking agent on application hosts, copy the <Matrix42 Installation Folder>\RemoteUsages folder to all application hosts and run either install.cmd or installx64.cmd (depending on the local operating system) from the <Matrix42 Installation Folder>\RemoteUsages\Agent\Installation folder. The agent will be installed as a Windows service by using the local system account with the manual start type. Change the start type of the service to automatic and log on under the appropriate service account to finalize the installation.
The user account used by tracking agents does not have to belong to the Administrators group, but it requires the permissions listed below.
- It needs to have at least the Remote Desktop Services permissions (external link) or to be included into the Remote Desktop Users group on the corresponding application host. Being a Local Administrator will also work fine. Depending on local security configurations, being a Local Administrator may be required.
- In Local Security Policy > Local Policies > User Rights Assignment this user should be added to the Debug programs policy.
- It also needs to have Read permissions to registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security.
- In case the agent installation terminates with the error "IO.FilenotFOund": start a command window (CMD) for installation as Administrator, navigate to the installation path where the installx64.cmd is located and then start the installation command file.
- In case there is a message that the service cannot be started immediately at the end of the installation: open properties of windows service "Matrix42 Agent" and verify the user account and password - possibly reenter credentials.
- If the agent service doesn't start and the Event Viewer contains errors with code 1000 and/or 1026, you need to check if there is a registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Matrix42 Agent Service. If there is a similar key (e.g., HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Matrix42.Agent.Service), please edit it to match the above-mentioned one. If the key doesn't exist, it should be created manually.
- Check agent logs in the Windows Application Event Log. You can set the trace level in the Agent Configuration file (see here).
- Check if the agent creates an XML report file in the folder <agent installation folder>/Storage (interval depends on configured interval; see here)
- Check In the file "hostcommon.log" on the Matrix42 application server if the XML file was processed and if any errors occurred during processing.
- Check in the technical inventory if the tracked software product is listed as hosted application.
- Check if license requirements have been created based on remote usage or access.
Configure removal of obsolete tracking data
In order to keep you system clean from obsolete information, there is an automatic "garbage collection". You should review and possibly adjust the default value for removing old tracking data so that you are able to review old tracking information if required.
- Open Licenses application and navigate to Settings.
- Click Edit.
- Check setting Delete Application Usage Data (after days).
Default value here is "0" which means that all tracking data is removed after the minimum entitlement period defined in the software product has expired.
If you like to conduct reviews about remote access and usage it could be useful to set this setting to a value between 10 and 30 days or any other value that meets your needs.
- Save you changes.
Read this article to follow-up configuring Software Products for tracking of remote usage or remote access so that the system creates license requirements automatically from recorded activity.