Planning for Correct Licensing


Planning for Correct Licensing

Licensing with SBS is one of the simplest pieces of the installation and maintenance of a system, yet it leads to the most confusion on the part of business owners and consultants alike. You do not have to be a licensing guru to be able to procure the correct number and types of licenses for SBS. Microsoft does offer multiple licensing programs, however, and an explanation of those programs and how they apply to your installation is beyond the scope of this book.

First, SBS uses a different type of Client Access License (CAL) than the standard Windows Server product. The SBS CALs cover access to all the technologies included with SBSWindows Server, Exchange, SQL, and so on. These CALs are divided into two types: user and device. Depending on the makeup of the organization you may use one type or the other, possibly both.

When to Use User CALs

User CALs are associated with a particular usernot a user account, not a login name, but the actual human being who will be logging in to the server. The User CAL allows the user to access the server from any number of different devices, even multiple devices at the same time. This is the type of CAL that would be allocated to the system administratorhe will be accessing the server from multiple locations, probably even from home. Other users who would likely need a User CAL is a company executive who travels and may access his email from web terminals at airports, coffee shops, or trade shows. If this person also has more than one system that he uses regularlyfor example, a desktop at the office and a laptop for travel or home usethat person would need a User CAL.

Note

A question that comes up regularly in the newsgroups dealing with User CALs is "How many CALs are needed if multiple individuals use the same logon account to access the server?" Because the CAL is tied to the actual person and not an account, each person who uses that account would need a CAL. See the following discussion about Device CALs to discover the one scenario where this would not apply.


When to Use Device CALs

Device CALs are associated with a particular devicea PC, laptop, or PDA. Assigning a Device CAL to a particular computer is really only needed in one scenario: A shipping company has a warehouse staffed 24 hours a day. Three employees who work in shifts use a single computer terminal over the course of the day: one from 8:00 a.m. to 4:00 p.m., one from 4:00 p.m. to midnight, and the other from midnight to 8:00 a.m. In this case, assigning a Device CAL to the PC that all three employees use makes the most sense because you will need only one Device CAL rather than three User CALs to account for the use on that computer. On the other hand, if any of those employees uses another computer on the network that is not covered by a Device CAL, that person should have a User CAL assigned instead.

Best Practice: Determining the Number and Type of CALs Needed

In practice, unless an organization has a dedicated service area staffed only by shift employees who will only be accessing one specific terminal during their shift, your best bet is to purchase User CALs to cover the number of employees who will be accessing the server.

Think of a CAL as a yellow dot sticker. Each sticker must be placed on a person's forehead or device. A person can only log in to the network if she has a yellow dot stuck to her forehead or she logs in on a computer that has a yellow dot on it. If a person with no yellow dot on her forehead tries to access a computer that does not have a yellow dot on it, that person is accessing the network in violation of the license.

Using this analogy, understanding how the transfer of CALs works is simple. If a user who is assigned a User CAL (has a yellow dot on his forehead) leaves the company, he surrenders the CAL. That CAL can then be assigned to another user, his replacement for example, and then the CAL belongs to her (the yellow dot goes on her forehead). Device CALs work the same way. When a PC with a Device CAL is retired, the yellow dot is removed from the old PC and stuck on the new one.


Terminal Server CALs

Now that you have a solid understanding of how CALs work, let's add a twist to the mixterminal server. To access a terminal server on a network, you need to have a Terminal Server CAL (TSCAL) in addition to a User or Device CAL. The type of TSCAL you need depends on the operating system running on the terminal server.

As discussed in Chapter 1, "Understanding SBS Technologies," SBS 2003 cannot run Terminal Services in Application mode. Therefore, you do not need to purchase any TSCALs to access the server through a remote connection.

Note

Another frequently asked question in the newsgroups is "Can I increase the number of remote connections to the server by purchasing addition Terminal Server CALs?" The answer is always "no" because Terminal Server Remote Administration mode, which is the only type of remote connection supported by SBS, has a maximum number of concurrent connections set at two. That number can be reduced but not increased.


If the terminal server is running Windows 2000, no additional TSCALs are needed for workstations running Windows 2000 Professional or Windows XP Professional. When those clients connect, the Windows 2000 terminal server issues a license from its built-in license pool. All other clients connecting to the terminal server require a separate TSCAL to be installed into the Terminal Server Licensing server.

With Windows Server 2003, Microsoft changed the terminal server licensing requirements. Each terminal server connection still requires a TSCAL, but now TSCALs are divided into Per-User and Per-Device categories. The Per-User and Per-Device designations are similar to the User and Device categories for SBS CALs in that a TSCAL can be assigned to an individual or a particular workstation. In addition, Microsoft has removed the "operating system equivalency" feature that allowed Windows 2000 Professional and Windows XP Professional workstations to connect to a Windows 2000 terminal server without a separate CAL. Microsoft does offer a Terminal Server CAL Transition plan for organizations that had rights to run Windows XP on or before April 24, 2003. Under this plan, every eligible Windows XP Professional workstation can acquire a single Per-User or Per-Device TSCAL at no additional cost from Microsoft. More information about this program can be found at http://www.microsoft.com/windowsserver2003/howtobuy/licensing/tscaltransfaq.mspx, including the scheduled end date of this program, which is currently December 31, 2005.

Note

The TSCAL covers only connectivity to the server. It does not cover the use of any applications that may be installed on the terminal server. Consult the product's licensing to determine how to acquire the correct licenses to run the application on a terminal server.


Best Practice: Implementing Terminal Services in a Small Business Server Network

When SBS 2003 was initially released, there was a great uproar from the SBS community regarding the removal of support for Terminal Server in Application Mode on the SBS server itself. Even though Microsoft noted in the product documentation that TS in App Mode had been removed from the product, many SBS consultants initially sold the upgrade to SBS 2003 from SBS 2000 as a feature-for-feature match, only to get burned when they could not have more than two users access the "terminal server" at one time.

Two years after the initial product release, the SBS community is more familiar with the Terminal Server restrictions on SBS 2003, but some are still trying to find ways around the limitations. For anyone to access the SBS server remotely, the user can only log in to the server with an account that has domain administrator privileges. This is a significant security risk to the server and a practice that should be avoided at all cost.

The bottom line is this: If users in the SBS network need to access network resources through a Terminal Server type setup, you must install a separate server running Windows 2000 Server or Windows Server 2003 with Terminal Server in Application Mode configured, and you must have the appropriate TS licenses available.