Licensing of Remote Usage and Access
Accounting for license compliance follows different rules when applications are not installed locally on the users' devices but provided somewhere in the organization's network. Several technologies and scenarios can accomplish this. The most known are Microsoft Remote Desktop Services (formerly known as Terminal Services), Microsoft Remote App (based on Remote Desktop Services), Citrix XenApp, and Citrix XenDesktop.
In most cases – where such software provisioning is allowed by licensing terms at all – vendors focus on actual usage rather than consider potential usage to account for required licenses. Operating systems that are used to provide such benefits usually require specific client access licenses for respective platform to install Remote Desktop Services or any hosted (virtual) desktop operating system on each device.
The Remote Usage Licensing feature provides functionality to manage such licensing scenarios and ensure appropriate compliance accounting. With these capabilities you can check how applications are accessed and used on application hosts (i.e. computers in the network that provide application services to end users). Remote Usage Licensing provides full transparency about the corresponding infrastructure, actual user activities, and compliance accounting.
Ensure that the software inventory is up-to-date on every application host
Remote Usage Licensing supports the following scenarios:
- Launching Remote Application (Microsoft Remote Desktop Services)
- Launching Application on Remote Desktop (Microsoft Remote Desktop Services)
- Launching Published Application (Citrix XenApp)
- Launching Application on Hosted Virtual Desktop (Citrix XenDesktop)
There are limitations when tablets or smartphones are accessing virtual infrastructures. This is because such devices do not provide unique device names for proper identification that is required for usage tracking and compliance accounting.
The tracking agent collects information about the session, access and usage. A single instance of this agent runs on each server that provides applications for remote access. It records remote application usage by providing user account name, fully qualified name of the accessing device, and fully qualified name of the computer that hosts the application.
If Hosted Virtual Desktops (XenDesktop) are involved, one instance of the tracking agent should run on a server in the network with API access to the Citrix Hosting Infrastructure Server. It should be configured to access relevant Citrix Desktop Delivery Controllers (for more information, see section "Base Configuration" below). This instance records user sessions that access Hosted Virtual Desktops. It provides fully qualified name of the accessing device that cannot be seen on the Virtual Desktop itself.
Two specific engine activations handle automated processing:
License Manager - Remote Usage Configuration
Updates configuration for application usage agents.
License Manager - Remote Usage Data Processing
Imports and processes reported sessions and usages.
Please verify that the scheduled activation matches your individual schedules. Both should run after all your frequent data imports from AD, inventory, and other data sources.
Setup and Configuration
To set up Remote Usage Licensing, perform the following steps:
- Setup base configuration on Matrix42 application server
- Setup agent configuration on Matrix42 application server
- Enable relevant engine activations
- Install agents on every application host
- Configure removal of obsolete tracking data
On the server where the Matrix42 server application is running must be configured depending on the type of communication that is used by the tracking agents.
The base configuration file "Matrix42.Agent.Service.exe.config" is located in the folder <Matrix42 Installation Folder>\RemoteUsages\Agent.
Here you configure:
- Error level for tracing
- Citrix XenDesktop access
<?xml version="1.0"?> <configuration> <configSections> <section name="processMonitor" type="System.Configuration.NameValueSectionHandler"/> <section name="citrixConfiguration" type="Matrix42.SessionProvider.Citrix.Configuration.CitrixConfigurationSection, Matrix42.SessionProvider.Citrix"/> </configSections> <startup> <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/> </startup> <processMonitor configSource="processMonitor.config"/> <!-- CITRIX XENDESKTOP TRACKING <citrixConfiguration> <ddcServers> <ddcServer name="FULLQUALIFIEDSERVERNAME " connectionString=" FULLQUALIFIEDSERVERNAME:PORT"/> </ddcServers> </citrixConfiguration> --> <system.diagnostics> <trace autoflush="false" indentsize="4"> <listeners> <add name="EventLogListener" type="System.Diagnostics.EventLogTraceListener" initializeData="Matrix42 Remote Usages Monitor"> <filter type="System.Diagnostics.EventTypeFilter" initializeData="Warning"/> <!-- Legend: Trace Levels Off: 0: None Error: 1: Errors Warning: 2: Warnings and Errors Information: 3: Information, Warnings and Errors Verbose: 4: Debug Trace, Information, Warnings and Errors --> </add> </listeners> </trace> </system.diagnostics> </configuration>
Configure Citrix XenDesktop Tracking
If you want to monitor the usage of Citrix Virtual Desktop, uncomment section <citrixConfiguration> and provide fully qualified name (e.g., lab.matrix42.de\DDC01) of your Citrix Desktop Delivery Controller (DDC; under FULLQUALIFIEDSERVERNAME and FULLQUALIFIEDSERVERNAME:PORT).
Always use the server name! IP-address cannot be used!
The agent is configured in the file "processMonitor.config.template " located in the folder <Matrix42 Installation Folder>\RemoteUsages .
Here you configure:
- Communication protocol: file (SMB), http or https
- Tracking interval: Cycle in minutes the agent scans the process list
- Reporting interval: Cycle in minutes the agent sends results back to server
- Configuration update interval: Cycle in minutes the agent checks for updated configuration on server
- Agent tracking status: Tracking activity of agent is enabled or disabled
After the adjustments, copy the processMonitor.config.template file to the folder <Matrix42 Installation Folder>\RemoteUsages\Config .
The activation License Management - Remote Usage Configuration uses this template to provide final tracking configuration to all installed agents. For this purpose the activation merges the template with "Process List" settings that are managed inside Software Products in Matrix42 Software Asset Management (see here for more details).
Insecure web-service with implicit authentication (http):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-—http communication – also configure Web-Service on Server!--> <add key="RemoteUsageServiceUrl" value="http://SERVERNAME/M42Services/LVC/RemoteUsageService.svc "/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
Secure web-service with explicit authentication (https):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-— https communication – also configure Web-Service on Server! --> <add key="RemoteUsageServiceUrl" value="https://SERVERNAME/M42Services/LVC/RemoteUsageService.svc "/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
File communication (SMB):
<?xml version="1.0" encoding="utf-8" ?> <processMonitor> <!-- Network share where updated agent configuration is provided --> <add key="ConfigPath" value="\\SERVERNAME\M42RemoteUsages\Config"/> <!-- Network share where agent store session and usage information --> <add key="TargetFolder" value="\\SERVERNAME\M42RemoteUsages\Inbox"/> <!-- Interval (Minutes) agents check sessions and application usage on target --> <add key="ScanInterval" value="1"/> <!-- Interval (Minutes) agents reports collected information --> <add key="ReportInterval" value="60"/> <!-- Interval (Minutes) agents check for updated configuration --> <add key="ConfigReloadInterval" value="2"/> <!-- Setting to enable (true) or disable (false) agent operation --> <add key="Enabled" value="true"/> <!-- List of executables to track usage – will be updated automatically by system --> <add key="ProcessList" value=""/> </processMonitor>
If you choose "file exchange" for tracking configuration and tracked usage data (via Network Share):
- Share the <Matrix42 Installation Folder>\RemoteUsages folder in your local network.
- Grant full access rights to the account that is used by the tracking agents.
Enable relevant engine activations
Finally, enable following service activations are enabled (set to "active"):
- License Management - Configuration Remote Usage (Update configuration for remote usages)
- License management - Processing of usage data (Daily creates license requirements based on remote usages)
- Microsoft .NET Framework 4.6.1
- Windows PowerShell 2.0
- If using HTTPS for Server Communication: SSL Certificate
- If monitoring Citrix DDC: Citrix Desktop Studio Management Console
To install the tracking agent on an application host, run either install.cmd or installx64.cmd (depending on the local operating system) from the <Matrix42 Installation Folder>\RemoteUsages\Agent\Installation folder. The agent will be installed as a Windows service by using the local system account with the manual start type. Change the start type of the service to automatic and log on under the appropriate service account to finalize the installation.
The user account used by tracking agents does not have to belong to the Administrators group, but it requires the permissions listed below.
- It needs to have at least the Remote Desktop Services permissions (external link) or to be included into the Remote Desktop Users group on the corresponding application host. Being a Local Administrator will also work fine. Depending on local security configurations, being a Local Administrator may be required.
- In Local Security Policy > Local Policies > User Rights Assignment this user should be added to the Debug programs policy.
- In case the agent installation terminates with the error "IO.FilenotFOund": start a command window (CMD) for installation as Administrator, navigate to the installation path where the installx64.cmd is located and then start the installation command file.
- In case there is a message that the service cannot be started immediately at the end of the installation: open properties of windows service "Matrix42 Agent" and verify the user account and password - possibly reenter credentials.
- Check agent logs in the Windows Application Event Log. You can set the trace level in the Agent Configuration file (see here).
- Check if the agent creates an XML report file in the folder <agent installation folder>/Storage (interval depends on configured interval; see here)
- Check In the file "hostcommon.log" on the Matrix42 application server if the XML file was processed and if any errors occurred during processing.
- Check in the Technical Inventory if the tracked software product is listed as hosted application.
- Check if License Requirements have been created based on remote usage or access.
Configure Removal of Obsolete Tracking Data
In order to keep you system clean from obsolete information, there is an automatic "garbage collection". You should review and possibly adjust the default value for removing old tracking data so that you are able to review old tracking information if required.
- Open License application and navigate to "Settings".
- Click on "edit"
- Check setting "Delete Application Usage Data (after days)".
Default value here is "0" which means that all tracking data is removed after the minimum entitlement period defined in the Software Product has expired.
If you like to conduct reviews about remote access and usage it could be useful to set this setting to a value between 10 and 30 days or any other value that meets your needs.
- Save you changes
Read this article to follow-up configuring Software Products for tracking of remote usage or remote access so that the system creates license requirements automatically from recorded activity.