Friday, June 29, 2012

Getting Your Teeth Into Microsoft Licensing

Microsoft Licensing For Omnivores



On more than a few occasions people have been confused by the murky quagmire known as Microsoft Licensing and despite Microsoft's continual claims to the contrary, it is far from an easy concept to grasp considering just how many different products they have and the number of different ways each of their products can be licensed.

The people who have been confused by Microsoft Licensing are not only the end users, but also the resellers and Microsoft Partners who are trying to help their clients understand the intricacies of Microsoft's multiple myeloma Licensing method.

Is it a bird?  Is it a plane?  No - its "Wookie to the Wescue" as far as Microsoft Windows Server 2008/2008 R2 and Small Business Server 2008/2011Client Access Licenses (CALs) are concerned.  Read on if you dare...


This discussion applies to Microsoft Windows Server 2008 R2 and Microsoft Windows Small Business Server 2008 R2 (oops, 2011) licensing and may or may not apply to other Microsoft products.  Quark IT is not privy to any information other than the Microsoft Licensing agreements published on the Microsoft website and the EULAs (End User Licensing Agreements) that come with all Microsoft software and hardware.  We are also not lawyers and the following discussion should therefore not be interpreted as legal nor financial advice.  Think of it more as a fairy tale...

Introduction To Client Access Licenses

A Client Access License (CAL) is really a piece of paper that gives you rights to access something.  As far as servers go, a CAL is the right to access the server - you need to have separately licensed the server oerating system and the client operating system.  In the Microsoft world, this means that you need to buy Windows Server or Windows Small Business Server (from now on known as SBS) as the server operating system (OS) and Windows 7 as the client or workstation OS.  Neither the purchase of the Server OS nor the Workstation OS gives you the right to connect to the server from any machine other than the server - basically, without CALs, the server can serve only its own simple needs.  You can buy a bundle that has the Server OS and some CALs in it, but these are separate components of the bundle.

To clarify, a CAL isn't a piece of software and no Microsoft server nor client operating system license includes Windows Server CALs per se, although you may buy a bundle with both the server OS and CALs.

How CALs Are Assigned

Microsoft basically assigns a CAL to a bag.  This bag can contain meat (in the case of User CALs) or machinery (in the case of Device CALs).  You can mix and match User CALs and Device CALs on the one network, but when you buy CALs you buy either a User CAL or a Device CAL and that particular CAL cannot change its colors.  You can use 5 Device CALs in the warehouse for your 12 warehouse staff and 15 User CALs in the office for your 15 office staff, but to do this you must have purchased 5 Device CALs and 15 User CALs.

Reader Participation Time

OK everybody, can you all stand up.  Great.  Now, here's where we split into two groups to hand out "assignment tools"- first, everyone will get a box of alcohol swabs and then those who don't mind getting their hands dirty need to get a pneumatic nail gun and those who don't like too much blood will be given a roll of gaffer tape (it sticks WAY better than masking tape or cellotape).  Everyone also needs a pad of yellow sticky notes and a pad of blue sticky notes.  Now, keep these with you at all times for the rest of the discussion as you're going to need it.  You can now sit back down with your alcohol swabs (no, DON'T suck them) and your "assignment tool" of choice.

User CALs

A User CAL, as suggested by its name, is assigned to a User.  There's no big revelation there.  People try to read all sorts of things into what Microsoft means by User, but the best definition is "a bag of meat that needs to authenticate to your Server".  User CALs are used where a particular "bag of meat" access your network from more than one device - for example, any combination of their workstation, laptop, smartphone, pda and checking their email using Outlook Web Access from home.  (If you allow anyone to access your network from public machines in an Internet Cafe, now is the time to put down your "assignment tool", walk to the boss' office and resign.)

It is really easy to assign a User CAL - look out the door and ask the closest person who requires a User CAL to come in and help you with this exercise for a second.  Grab a yellow sticky note, wipe the user's forehead with a clean alcohol swab, then place the sticky note on this person's forehead.  Now, as we all know the oils naturally present in our skin will cause this sticky note to fall off in a few seconds, so here's where our "assignment tool" comes in handy.  Once you've used your assignment tool of choice to more permanently affix the sticky note, you have assigned your first User CAL.  Time for a congratulatory coffee.  All you now need to do is to walk around the rest of the office (or offices) and assign these yellow User CALs to those people needing them.  Don't forget to keep count of the number you have used.

Device CALs

A Device CAL, again as suggested by its name, is assigned to (all at once) "a Device".  People try to imagine Microsoft doing all sorts of unimaginable things to the English language here, but quite simply a Device is "a bag of machinery that needs to authenticate to your Server".  Device CALs are used where a particular "bag of machinery" is accessed by a number of "bags of meat" that don't necessarily have yellow sticky notes affixed to their foreheads - for example, a nurse station, the goods inward terminal in a warehouse or the computers located in the sales office hot-desking area.

It is a lot less fun to assign Device CALs as all you have to do is to walk around the business using your "assignment tool" to affix blue sticky notes to the "bags of machinery" (including workstations, thin terminals, smartphones, iPads and scanners that scan to email or a file system location but excluding pens, paper, LCD displays, mice, cats, keyboards, printers and the vacuum cleaner) that are accessed by non-sticky-noted "bags of meat".

When To Assign User Or Device CALs

A simple rule of thumb is to buy and assign User CALs all the time unless Device CALs will save you a tidy sum of money.  This allows your staff ("bags of meat") to access the network resources from wherever they need (as long as those places are not public access terminals such as Internet Cafes as they are unsafe, to say the least).  Device CALs are quite suited to workshops, warehouses, nurse stations and similar locations where numerous "bags of meat" will access the "bag of machinery" during the normal course of business.

Remember that if a "bag of meat" without a yellow sticky note on their forehead who is accessing a "bag of machinery" with a blue sticky note on it decides to buy (or is assigned) a smartphone or an iPad to use whilst out of the office, this mobility device will need a Device CAL assigned to it.  Again, this is why it is generally better to use User CALs where possible.

What Happens If The Nail Hit Something Important?

In the unfortunate situation where the affixing of the sticky note caused irreparable damage to the particular bag in question, then that bag's CAL can be assigned elsewhere.  If a "bag of meat" who is assigned a yellow sticky note and a  User CAL chooses to move to another employer, then that User CAL can be placed back into the pool and assigned to the "bag of meat" that replaces the original "bag of meat".  You cannot reassign User CALs on a willy nilly basis to try and avoid buying adequate CALs.  I'd also not suggest reusing the yellow sticky notes - pull a fresh one off the pad for the replacement User.  Remember, at all times, safety first!

As for Device CALs, these can only be reassigned on a temporary basis if a particular "bag of machinery" is away for repair.  They can be reassigned permanently if a particular "bag of machinery" has been retired or replaced.  Again, you cannot keep reassigning Device CALs to try and avoid buying adequate CALs.

But We Run Multiple Shifts So We Can Reuse User CALs

No, you can't.  This is called "concurrent licensing" and Microsoft does not support this any longer.  As I have said, a yellow User CAL is nailed to the forehead of a particular "bag of meat" and the likelihood that a nail long enough to connect two foreheads leaves the owner of the first forehead in a state whereby they can perform useful work is rather unlikely.  Microsoft won't support you anyway and you will be running unlicensed (that's spelled P I R A T E D) software.

OK, So I Have One User Logging In As Bob, Sales And Accounts

I hope he gets paid well!

Aside from that, if he has a yellow sticky note nailed to his forehead, he's definitely allowed to do this with the use of a single User CAL.  Alternatively, if he's using a "bag of machinery" that has a blue sticky note nailed to it and never needs to access the network from his home or iPad, then the Device CAL assigned to the "bag of machinery" he uses allows him to legally log in with as many names as he so chooses, as well as allowing someone else to use that "bag of machinery" if they need to.

So, What About Distribution Groups And Exchange Contacts

As none of these are "bags of meat" nor "bags of machinery" and as none of these actually authenticate to the Server, then none of these need a CAL.  In other words, you can have as many Distribution Lists and Exchange Contacts as you like regardless of the number of CALs you own.

But I need to buy all Premium CALs for SBS 2008/2011 Premium, don't I?

Actually, no.  SBS 2008/2011 comes in two flavors - Standard (without SQL) and Premium (with SQL).  By that description, you should start to get a feel for when you need a Premium CAL - and the feeling should be something akin to "I need an SBS Premium CAL only for a User or Device that is going to access the SQL component of SBS Premium".  Any other feelings, although maybe nice, are not necessarily correct.

So, you can quite legally run an SBS 2011 Premium server with 5 Premium User CALs, 10 Standard User CALs, 3 Premium Device CALs and 2 Standard Device CALs as long as only those bags accessing the SQL components have a sticky note affixed to either their forehead (yellow sticky note) or the device (blue sticky note) they are accessing.

Now, what's this about Exchange Enterprise CALs?

OK, even though I wasn't going to cover Exchange Server here, this bit of it is relevant for the SBS users.  Exchange Server 2007 and 2010 comes in 2 flavors - Standard and Enterprise with Enterprise being in addition to Standard (ie, "for an extra dollar").  If you want the "extra" part, then you need to make sure you have bought Exchange Server Enterprise CALs which are added to an existing Exchange Standard or SBS CAL however you only need to buy Exchange Enterprise CALs for the users/devices who will be using those features (similar to how you only need to buy SBS Premium CALs for the users/devices that will be using the SQL component).

What's offered in the Exchange Enterprise CAL?  Microsoft once stated "The Exchange Enterprise CAL provides access to Unified Messaging and advanced compliance, as well as Forefront Security for Exchange Server and Exchange Hosted Filtering for onsite and hosted antivirus and anti-spam protection", however that link has been removed.  The best Microsoft replacement I've found is this comparison of Exchange 2010 CAL types.

When you are using the Exchange Management Console, you will clearly see which features require an Enterprise CAL.  The interface won't stop you using the features, however if you don't have enough Enterprise CALs, you will be in an unlicensed (that's spelled P I R A T E D) state.

(This information was originally posted on the old Quark IT website before I broke it, so I have reposted it here to stop people like Anthony Michaud from constantly bitching at me about its absence.)


The Outspoken Wookie


Anonymous said...

Don't confuse Exchange Server Enterprise and Exchange Server Standard, with Exchange Enterprise CALs and Exchange Standard CALs. No relationship. Also, Exchange Enterprise CALs are NOT a superset of Exchange Standard CALs, and Exchange Server Enterprise is not really a superset of Exchange Server Standard. The main difference is Enterprise edition's ability to handle more databases. It has no user-facing features that the Standard edition does not.

Hilton Travis said...

Nope, I'm not confusing Exchange Server Standard and Exchanger Server Enterprise - I'm talking about the CALs here, which is the whole point of the post.

You are wrong when you say that Exchange Server Enterprise CALs are not a superset of Exchange Server Standard CALs - an Exchange Server Enterprise CAL is required for individual mailbox archiving, even using Exchange Server Standard (which offers the feature if you have an Exchange Server Enterprise CAL for that particular mailbox).

Microsoft even states that Unified Messaging and Mailbox Archiving are available in Exchange Standard using an Enterprise CAL. See this link:

RSP said...

Hilton, an exchange enterprise cal is definitely not a superset, as it's an add-on. From the page you reference:
To enable Enterprise CAL features, the user must be licensed with one Standard CAL plus one Enterprise CAL.

RSP said...

By the way, excellent article and wonderful humour.

Hilton Travis said...

RSP - correct. That bit was left over from when I originally wrote the article when the 2008 products weren't even yet a rumor. I will amend this and make it right. :)