TL;DR
- Banks quietly pay two vendors, two licenses and two support contracts for a single workflow: a green screen running inside a virtual desktop.
- IBM’s Host Access Client Package lists at $349 per registered user, the only public price among the big three emulators, and the access layer for a 500-seat bank runs roughly $200K–275K a year.
- Cybele makes both layers, Thinfinity Workspace (VDI plus ZTNA gateway) and z/Scope Classic (the full Windows emulator), under one license, one support contract and one vendor.
- The architecture is the bigger win: the unmodified Windows emulator runs in an OCI session-host pool, so host credentials, TN routes and downloaded files never touch the endpoint; only pixels leave.
- Because 3270/5250 are block-mode protocols, operators feel only the browser-to-VDI leg, while the AID-key round trip over FastConnect typically gets faster.
Two Invoices, One Workflow
Renewal season is uglier than usual this year. Omnissa raised Horizon prices between 7% and 21% effective May 4, 2026; Citrix renewal stories need no introduction. And riding quietly inside most bank VDI renewals is a second invoice that hasn’t been questioned in twenty years: the terminal emulator. Rocket BlueZone, OpenText Reflection, IBM Personal Communications: licensed per seat, maintained per year, supported by a second vendor, so that a green screen can open inside a virtual desktop you’re already paying someone else for.
Here’s the math that should be on the renewal-review agenda: you are paying two vendors, two licenses, and two support contracts for one workflow. IBM’s Host Access Client Package lists at $349 per registered user, the only public list price among the big three; Rocket and OpenText are quote-only, which is itself worth asking about. Street estimates for emulator licensing run $100–150 per user per year, plus ~20% annual maintenance. For a 500-seat regional bank, the access layer alone (VDI license plus emulator license plus two maintenance contracts) lands around $200K–275K a year. There is a structural alternative: a VDI platform whose vendor also makes the emulator, sold as one license.
The Two-License Stack, Itemized
- The VDI line: Citrix or Horizon at roughly $300–400 per user per year at renewal, climbing. This is the line item that gets board attention and triggers the market scan.
- The emulator line: BlueZone, Reflection or PCOMM at $100–350 per seat (list or street), renewed annually as a passenger on the VDI review, rarely re-evaluated because the amount is smaller and the macros are old.
- The hidden lines: Two support queues, two patch cadences, two security questionnaires for your DORA/FFIEC third-party register, and two vendors whose ownership has churned (Attachmate to Micro Focus to OpenText; Rocket under private equity).
To be clear about what we’re not claiming: BlueZone and Reflection are mature, capable emulators with deep macro ecosystems. The argument is structural, not qualitative: one workflow shouldn’t need two vendor stacks. The full five-year model for a 2,000-user bank, including infrastructure, is in our TN3270/TN5250 + VDI on OCI banking TCO analysis; this article stays at the per-seat, per-renewal level.
One License, But the Architecture Is the Real Story

Cybele makes both layers: Thinfinity Workspace (the VDI platform and ZTNA gateway) and z/Scope Classic (the full Windows terminal emulator: TN3270E, TN5250E, VT52–420, TLS 1.3, HLLAPI/EHLLAPI, macro engine, IND$FILE, printer sessions). One license covers both. z/Scope Classic runs inside the Thinfinity virtual desktop on OCI and reaches the user through the browser two ways: as part of the full virtual desktop, or published as a single app, just the emulator window in a browser tab. Access works from a browser or the Thinfinity client, behind the same zero trust gateway either way: MFA at the front door, per-user authorization, session recording.
The consequence is a pattern neither incumbent stack can produce: the unchanged, full-fidelity Windows emulator (every macro, every keyboard map, every HLLAPI bot) executing in a controlled session-host pool instead of on five thousand endpoints:
| Property | Thick client on endpoints | z/Scope Classic inside Thinfinity VDI on OCI |
|---|---|---|
| Where the emulator runs | Every PC and contractor laptop | Session hosts in a private OCI subnet |
| TN3270/TN5250 path | Endpoint → VPN → host, across user networks | OCI → FastConnect/IPSec → host; datacenter-to-datacenter |
| Host credentials live | In session profiles on endpoints | Inside the VDI; the endpoint gets pixels only |
| MFA in front of the host | Rarely: userid/password to RACF | Always: enforced at the Thinfinity gateway |
| Macros, HLLAPI, IND$FILE, printer LUs | Full | Full, same unmodified Windows client |
| Patching | N endpoints × emulator + OS | One golden image |
| Audit | None, or per-PC logs | Centralized session recording, one timeline |
| Licenses and vendors | Emulator vendor + VDI vendor + VPN | One Cybele license, one support contract |
(If your population is occasional users who just need a green screen in a tab, a standalone web emulator like z/Scope Anywhere remains the lighter answer. Classic-in-VDI is for the power operator, the macro estate, the RPA bots and the printer-heavy back office: the seats where web emulators historically lose the 25-year CICS operator.)
Publishing the emulator as a single app is one profile on the Thinfinity side (illustrative configuration, your fields may differ by version):
```
# Thinfinity Workspace - published app: z/Scope Classic, single-app mode
application: zscope-cics-prod
path: C:\\Program Files\\zScope\\zScope.exe
args: profiles\\CICS-PROD.zws # locked session profile, no local edit
display: seamless # emulator window only, in a browser tab
access: group "mainframe-ops" via IdP (SAML) + MFA
policy: clipboard=paste-only file-transfer=disabled recording=full
hosts: session-pool "oci-fra-private" # private subnet, zero inbound ports
```
The Data Perimeter: What a Stolen Laptop Buys an Attacker
This is the part your CISO co-signs. With thick clients, a stolen or infostealer-infected laptop yields a session profile with the host IP and LU name, often a saved password, a routable VPN path to port 23/992, and whatever IND$FILE downloads sit in Documents. With z/Scope Classic inside the VDI, it yields a browser and a login attempt against an MFA-protected gateway. No profile, no credentials, no TN route, no downloaded files: the green-screen data and the host connection never existed on the endpoint. It’s the same data-perimeter argument we made for vendor access after the Citizens/Frost breach: put the work where the data is, and let only pixels leave.
The scale and precision of modern infostealers mean a single infected endpoint, including a personal device used to access corporate systems, can expose an entire organization.
The host side gets simpler, not riskier. Nothing about the mainframe changes (same TN3270E listener, same ports), but its firewall rules collapse from every branch subnet and home network to one source CIDR: the OCI session-host subnet, connected over FastConnect or IPSec. MFA lands in front of RACF without touching z/OS (the approach we documented with Duo for mainframe and AS/400), and centralized session recording produces the per-user evidence FFIEC and GLBA examiners increasingly ask for on core-system access.
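One way to verify that the host-side rules really have collapsed to a single source, as an added example that is not Cybele's code or part of the original article: it flags allow rules on ports 23/992 whose source is not inside the session-host subnet, and accepted connections arriving from anywhere else. The CIDR, record layout, rule names and addresses are constructed assumptions; adapt them to your firewall export and flow logs.

```python
import ipaddress

TN_PORTS = {23, 992}  # TN3270/TN5250 ports named in the article
# Assumption: constructed CIDR standing in for the OCI session-host subnet.
SESSION_HOSTS = ipaddress.ip_network("10.20.0.0/24")

def stale_allow_rules(rules, allowed=SESSION_HOSTS):
    """Allow rules on TN ports whose source is not inside the session-host CIDR."""
    stale = []
    for rule in rules:
        if rule["action"] != "allow" or rule["port"] not in TN_PORTS:
            continue
        src = ipaddress.ip_network(rule["src"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if src.version != allowed.version or not src.subnet_of(allowed):
            stale.append(rule["name"])
    return stale

def off_path_flows(flows, allowed=SESSION_HOSTS):
    """Accepted connections to TN ports from sources outside the session-host CIDR."""
    return [f["src"] for f in flows
            if f["accepted"] and f["dport"] in TN_PORTS
            and ipaddress.ip_address(f["src"]) not in allowed]

# Constructed sample data (hypothetical rule names and addresses).
RULES = [
    {"name": "branch-east", "src": "192.168.10.0/24", "port": 23, "action": "allow"},
    {"name": "vpn-pool", "src": "172.16.0.0/16", "port": 992, "action": "allow"},
    {"name": "oci-session-hosts", "src": "10.20.0.0/24", "port": 992, "action": "allow"},
    {"name": "oci-too-wide", "src": "10.20.0.0/16", "port": 992, "action": "allow"},
    {"name": "web-console", "src": "0.0.0.0/0", "port": 443, "action": "allow"},
]
FLOWS = [
    {"src": "10.20.0.15", "dport": 992, "accepted": True},
    {"src": "192.168.10.44", "dport": 23, "accepted": True},
    {"src": "172.16.5.9", "dport": 992, "accepted": False},
]

if __name__ == "__main__":
    print("rules to retire:", stale_allow_rules(RULES))
    print("off-path sources:", off_path_flows(FLOWS))
```

A rule that merely overlaps the session-host subnet (the /16 above) is still reported, because it admits sources beyond the one CIDR the design calls for.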
The Latency Objection, Answered With Protocol Math
Every mainframe ops manager raises the same objection: you’ve added a hop (browser to VDI to host), so my operators will feel it. For 3270 and 5250, the intuition is wrong, because they are block-mode protocols. Typing into a formatted screen is rendered locally by the emulator; nothing goes to the host until the operator presses an AID key (Enter, PF, PA). So the typing echo an operator feels is the browser-to-VDI leg only: the same latency they already accept for every other application in the virtual desktop, with the Thinfinity gateway adding single-digit milliseconds.
The round trip they actually wait on, the AID-key transaction, typically gets faster: OCI to host over FastConnect runs single-digit milliseconds metro, low tens regional, versus a thick client’s path across a consumer ISP and a VPN concentrator. The honest caveat is VT: VT100/220 is character-mode, every keystroke echoes through to the host, so the browser-to-VDI leg is felt per keystroke. Measure keystroke echo in the pilot, publish the number internally, and make it the acceptance criterion: keyboard parity and latency honesty are what make these projects stick with 25-year operators.
Who Shouldn’t Switch (Yet)
- Mid-contract estates: If your emulator maintenance renewed last quarter, the consolidation math starts at your next renewal. Use the time to pilot.
- Deep custom DLL integrations: HLLAPI and the macro engine come across unchanged, but emulator-specific compiled extensions (custom DLLs against a vendor SDK) need a compatibility pass first; z/Scope imports PCOMM, Reflection and BlueZone profiles and keymaps, which covers most estates, not all.
- Pure web-emulator populations: If nobody uses macros, printer sessions or file transfer, a standalone web emulator may be all you need, one product, not two.
Bring Your Renewal Quote
Send us your VDI and emulator renewal quotes. We’ll return the single-license equivalent side by side: z/Scope Classic inside Thinfinity Workspace VDI on OCI, with MFA, session recording, and green-screen data that never reaches the endpoint. If the math doesn’t work, you’ll know in one meeting.
Frequently Asked Questions
Does anything change on the mainframe or AS/400?
No. The host sees standard TN3270E/TN5250E traffic, optionally over TLS, arriving from one new source: the OCI session-host subnet over FastConnect or IPSec. No z/OS changes, no RACF changes, no new host software.
What happens to our macros, HLLAPI bots and IND$FILE workflows?
They come across unchanged, because z/Scope Classic is a full Windows emulator running inside the virtual desktop, not a re-implementation. Macros and keyboard maps import from PCOMM, Reflection and BlueZone formats; HLLAPI/EHLLAPI automation runs in the session host, co-located with the host connection; IND$FILE transfers land inside the VDI, where policy decides if files can leave.
How is the single license structured?
One Cybele license covers Thinfinity Workspace (VDI, gateway, ZTNA, recording) and z/Scope Classic running inside it: one renewal, one support contract, one vendor on your third-party register, replacing the separate VDI-vendor and emulator-vendor lines.
What does an attacker get from a compromised endpoint?
A browser and an MFA-protected login prompt. Session profiles, host credentials, the TN route to the host, and any transferred files all live inside the virtual desktop on OCI; only the rendered display ever reaches the endpoint.