A fly in the ointment of my utopian remote access solution

In my February 2001 column, I described a near-utopian remote access scenario: a combination of a wireless Internet connection and Windows 2000 Server Terminal Services or Citrix MetaFrame through an ICA- or RDP-based client or a Web-based client. This setup provides thin-client access to applications and data on the corporate network, and Terminal Services provides a low-cost solution for low-bandwidth RAS connections. I've been using this method of wireless connectivity with success, but I recently discovered a major problem with Terminal Services that put a damper on my practically perfect wireless connectivity scheme.

So what is this major flaw? Licensing. Terminal Services is plagued with ill-conceived licensing policies. To help you understand the problems, let's quickly review how Terminal Services licensing works.

Terminal Services uses the Microsoft secure licensing system. Although there is a 90-day grace period for newly connected clients, a Terminal Services licensing server must be present on any Win2K network running Terminal Services. (This licensing server requirement applies only to networks running Terminal Services in Application Server mode, not to networks running Terminal Services in Remote Administration mode.) This licensing server ensures that every Terminal Services client in your organization has a valid terminal services client access license (TSCAL). To set up licensing in your network, you must first install the licensing service on a server, then run a licensing wizard that walks you through the licensing process. Microsoft's clearinghouse provides your licensing server with a digital certificate that validates the server's identity and license. The server is then ready to start dispensing licenses to Terminal Services systems that are requesting licenses on behalf of unlicensed clients attempting to access a Terminal Services system. The digital certificate that Microsoft provides is tied to the server involved. Thus, you'll have licensing problems if you need to reinstall the OS or move the licensing functions to a different server.

After you complete the licensing procedure and obtain a digital certificate, the licensing server transparently hands out licenses in your network—until you start artificially running out of licenses. All Terminal Services clients must have a valid TSCAL before they can access a Terminal Services server. Win2K clients have a built-in TSCAL, but legacy OSs such as Windows NT 4.0 and Windows 9x systems need the licensing server to issue them a license, which the clients then store locally. A problem arises because these license assignments aren't dynamic; they don't return to the license pool when the client is no longer active. Therefore, if an NT 4.0 or Win9x client accesses a Terminal Services system in your network only occasionally or even just once, the Terminal Services license is lost when the client leaves the network.

Thus, the licensing scheme offers no built-in facility for the licensing server to reclaim lost or unused licenses. In addition, the licensing scheme offers no built-in feature for transferring licenses from one client to another. To work around this problem, administrators must call Microsoft, then modify the registry on the original client. The only potentially good news is that Microsoft has promised fixes for these problems in Win2K Service Pack 2 (SP2).

If you're hoping that the Microsoft Terminal Services Internet Connector license, which provides a concurrent licensing scheme, is a solution to Terminal Services licensing woes, you're going to be disappointed. Microsoft designed this licensing scheme only for anonymous Internet-based access to Terminal Services servers. Terminal Services Internet Connector doesn't replace the need for a TSCAL.

I sincerely hope that Microsoft makes swift changes to improve this situation and considers adopting a concurrent licensing scheme similar to the one that Citrix employs for MetaFrame. Until then, the administration of Terminal Services remains impaired, and my utopian connectivity solution remains elusive.