Talk:Client Access License
From Wikipedia, the free encyclopedia
Would anyone be interested in clearly documenting the current policies concerning CALs? Hopefully someone who has gone though an audit and came out clean :). I'm having difficulty locating a reliable source that is easy to understand when it comes to licensing.
--DJSnuggles 23:19, 11 July 2006 (UTC)
My understanding is..
Firstly, do you need to put a reference to the [wikipedia:legal disclaimer|wikipedia legal disclaimer] on articles like this? I hope this information is of use to someone who decides to edit or rewrite this article: Here's the understanding I've gained about CALs within the context of SBS 2003, it is likely to be similar to the CALs for the other editions of Server 2003 but not identical. I can't testify to earlier/later versions of Windows Server. This is after examining several documents and talking to the Microsoft licensing hotline, but it is in no way the official word and I'm not affiliated with MS, etc. I'm also not an expert or guru by any stretch. It will help in understanding the CALs if you do not associate them directly with sign-ins, logins, Exchange private mailboxes, and/or Active Directory users. Of course, a person with a CAL will usually have one or more of these things associated with them.
There are two types of CALs, as you probably know, device CALs and user CALs. For SBS, you can buy these in packs of 5 or 20, and each pack is only device CALs or user CALs, never a mix. You can never convert a user CAL to a device CAL, or vice-versa, with only one exception (that I am aware of), which is that, if you have purchased Software Assurance with the pack of CALs, and then renew that Software Assurance at the end of its term, you may choose to convert those CALs from user to device (or the other way) at the time of renewal. I don't know the exact process to do this. Software Assurance must be chosen and paid for at the time of purchase for the CAL pack, it can't be added later AFAIK.
One other small point, regarding the CALs that come with the Server 2003 license: In the case of SBS, there are 5 CALs that come with it. In this case only, you may choose whether these are user or device CALs, or even a split of the two (for example, 2 user CALs and 3 device CALs). You must make this choice upon install of the server operating system, and it is permanent. You are supposed to document your choice, and, I believe, write it on the license agreement form. (I wonder how many people actually do that?)
USER CALs: A lot of times it becomes confusing to think about user CALs because of the tendency to want to correlate them with sign-ons and/or email addresses. This isn't correct. A CAL applies to one individual human being who is in your organization. You should not typically (or ever) have multiple people using (sharing) the same sign-on and password, but even if you do, it does not mean that these people only "use up" one CAL, even if they never use the sign-on at the same time. Likewise, the CALs are not transient, one CAL applies to one person (MS sometimes uses the term employee), even when that person is not at work or using it. There is one allowance, however, for if a person (employee) is temporarily gone for an extended period (sick or on leave), and another person is there temporarily (eg a temp worker), a new CAL does not need to be associated with the temporary person. In general, if your organization is using only user CALs, every person who uses the software and/or services that come with the SBS 2003 Server license must have a user CAL associated with them to do so in accordance with your organization's contractual usage agreement with MS. One person, one CAL. Also, people who are not in your organization, but need access to the software and/or services provided by SBS2003, will also need a CAL. In general, to be sure you are in compliance, you should maintain documentation of how your user CALs are allocated. One other thing, a person who has a user CAL associated with them, can have multiple different sign-ons, and multiple Exchange mailboxes, though I may have seen something about this being limited to "a reasonable number" or something like that, I'm not going to bother confirming that right now. If a person within the organization resigns, retires, or otherwise permanently leaves the organization, that user CAL can be unassociated from that person and thus be freely reapplied to a new person.
Simple enough so far, right?... but, read on..
DEVICE CALs: Alternatively, you can go with device CALs. These license connections from one device. A device is most commonly a computer, for example, an XP workstation would be a device. However, a smartphone that accesses email from the server, wireless tablet, notebook computer, etc are also devices. Anything from which a person accesses services on the server must be licensed, as well as any device which interacts with the server in an authenticated fashion, such as a NAT device possibly or, for example, a network scanner which copies files onto a shared folder which is not open for writing to "everybody", eg it is authenticated in some way. Another example of using the services on the server that you might overlook, that requires the use of a CAL, is authenticated access to another device on the domain, since the authentication happens via the domain controller. An example of this would be using a shared folder on another workstation, where the permissions of the shared folder are not set to "everybody", eg the access is authenticated.
If you choose device CALs, the people within your organization do not require user CALs to use the software and/or server. A person can have their own domain sign-on, and their own Exchange mailbox, and so on, so long as these are accessed only via licensed devices, it is within compliance. Device CALs are a good choice for an organization who will clearly have fewer computers (and other devices) than they do people who use them. The device CAL applies to a device even if it is not currently accessing the server in any way. IE, 5 device CALs apply to literally 5 devices, it does not mean, for example, that you have any number of devices so long as only 5 access the server at the same time. It's a good suggestion for assuring that you are in compliance, to document each device in your organization for which you will associate a CAL. One device CAL for one device, one device for one device CAL.
There is one allowance for a device which is out for repair, and there is a temporary device in its place (for example a "loaner"), a new device CAL is not required for the loaner. This is analogous to the temp worker clause for the user CALs. Also analogous to the user CALs, if a device 'leaves' the organization (disposed of, sold, given away, etc), the device CAL can be unassociated from that device in this case and be freely applied to a new device.
MIXING USER and DEVICE CALs: Microsoft "strongly suggests" that your organization choose one of either user CALs or device CALs and never mix the two within a domain. I have also seen several people state they support this suggestion in various web forums. I would tend to agree, mixing the two is going to probably cause more headaches and work than is worth it in almost every case, making the "total cost of ownership" greater than anything you stand to save. However, it can be done. Here is how it would work. Each user CAL would be associated with an employee or other person in the organization who needs access to the software and/or services on the server. Likewise, each device CAL would be associated with one device. However, not every person using the server, nor every device in the organization, would probably have a CAL (since doing so, you would definitely have spent more money on CALs than was necessary). Documentation, which is kept updated, in this case is essential to have any hope of demonstrating compliance to the licensing terms. Persons who do not have an associated user CAL, would not be able to access the server from devices which do not have associated CALs, without being in violation.
| accessing from | device with CAL | device without CAL |
|---|---|---|
| person with CAL | OK | OK |
| person without CAL | OK | Violation! |
(Here's a suggestion from yours truly, make a security group consisting of Un-CALed users, and another security group of Un-CALed devices, and, if you're handy with group policy, you can create a rule to disallow login of unlicensed users from unlicensed devices. This tip probably doesn't belong in an encyclopedia article however, since I guess it is original research.)
WHO DOESN'T NEED A CAL: A person accessing SBS services from a machine with an associated device CAL (see above). I am not certain but I think that users accessing the internet when the SBS machine is the gateway and/or NAT device, who are not otherwise authenticating to the server or using any services of the server (aside from perhaps the web acceleration technologies of ISA), do not need any CALs. IE, a guest can use your network to access the internet even though the traffic passes through and is filtered and/or proxied by SBS. If using ISA, the term for this would be a "Secure-NAT" client, but not an authenticated user. I presume by extension that a device acquiring an address from the DHCP server does not require a CAL. Also, no CAL is required for a user and/or device to access a web page hosted on the SBS machine (via IIS) if this access is unauthenticated, or (I believe) anonymous ftp or anonymous internet service, or (I believe) to access a shared folder which is unauthenticated, eg the folder is shared to "everyone".
WHAT I DIDN'T DISCUSS: I didn't say anything about the SBS2003 server license itself. With SBS2003, there are rules about having other servers on the SBS domain, and what is allowable and what is not. I'm not going to get into those in any detail. But suffice it to say, when another server is within the SBS2003 domain in a fashion allowed by the SBS2003 license and its own license, then in many cases the SBS user or device CAL will apply to services on that machine as well. For example, if you had a second Exchange server as a backup or supplement to the one within your SBS03 server, then I believe the SBS CALs apply to using that Exchange server as well. But I'm sure things can get rather confusing here as well. I wonder what happens if you buy a copy of Windows Server and it comes with CALs, and use it within the SBS domain. What becomes of those CALs, and how are they usable, I have no idea. Authenticated access to web services, such as a hosted site that requires you log in, for people who do not use other services (eg it is not Outlook Web Access, which would require the use of Exchange and thus an SBS CAL or an Exchange server CAL), for this there is a different type of licensing that I am not familiar with, and I don't know how this licensing interacts with SBS (if it is allowed at all). I think Windows Server Web Edition is usually used for this sort of thing.
SBS vs other Windows Server 2003 editions: I was mostly referring to SBS premium edition, and there may be a few differences between this and standard edition. Furthermore, if you're using the 'standard' Windows Server, the licensing will be similar in several respects, but a Server 03 CAL covers only the services and software that comes with the Server 03 license. For example, if you use Exchange Server, which does not come with the standard Server 03 license, then it requires its own CALs, with probably its own similar-yet-different rules. With SBS Premium, each CAL covers use of all of the software that comes with SBS, so long as that software is being run on the SBS 2003 licensed server, with of course a few possible exceptions where it can also apply to servers running within the SBS domain.
automatic CAL tracking and enforcement: MS includes no tracking mechanism in SBS 2003 (and I'm sure Server 03 in general) to aid CAL compliance, tracking, or enforcement. It is, in essence, on good faith. It does, however, require that you register your CALs on the server. I think that to say there is absolutely no tracking at all is a little inaccurate. It does appear to limit connections based on the number of registered CALs. My sense is that, if there are for example 10 CALs registered on the server, it won't allow more than 10 people to be logged in simultaneously (or maybe a number slightly more than 10). I have observed this once but I have not seen it documented (nor have I really looked).
Anyone wishing to paraphrase me in editing this or any related Wikipedia article may do so, but please don't copy exactly since I didn't write this in an encyclopedic voice. Also, citations and fact verifications are needed.
here is a good source for more information about Microsoft licensing
Noogenesis (talk) 18:50, 26 April 2008 (UTC)