Terminal Server 2003 Licensing Overview | Terminal Services for Microsoft Windows Server 2003: Advanced Technical Design Guide (Advanced Technical Design Guide series)

Before addressing the technical components that will make up your licensing infrastructure, let's review Microsoft's licensing policy. Microsoft licenses can be divided into two groups:

Licenses required for each server.
Licenses required for clients.

Terminal Server implementation will require both client and server licenses.

Licenses Required for Each Terminal Server

Microsoft requires one license for each server in a Terminal Services environment. This license, known as a "server license," is just the standard Windows Server 2003 license—you don't need anything special to run Terminal Server. It is the same license used for the base server operating system of any Windows 2003 server—whether that server is an Exchange Server, a SQL Server, or a file and print server. However, unlike some Microsoft server applications that require specific server licenses (like Exchange or SQL Server), no additional server licenses are required to use Terminal Server.

Some features (as described in Chapter 1) require the "Enterprise" edition of Windows Server 2003. For those you would need an Enterprise version of a Windows Server 2003 license for your server.

Microsoft Terminal Server Client Access Licenses

Before you get too excited about the fact that you don't need a special server license to run Terminal Services, remember that you'll need a client license for everyone that connects to a Windows 2003 Terminal Server.

Prior to Windows Server 2003, a Terminal Server Client Access License (TS CAL) was required for every computer device that connected to a Terminal Server. This licensing system is known as "per device" licensing. Microsoft defined one "device" as a unique piece of hardware used to access a server. If you had two computers and you accessed the same server from each of them, you had two different devices and needed a separate "per device" license for each. Such was the case even if you never used both devices at the same time. Naturally this method of licensing elicited numerous complaints.

In Windows Server 2003, Microsoft added a second TS CAL option. This "per user" client licensing option allows you to purchase one license for each user account. A user can then access a Terminal Server from multiple client devices using one license. "Per user" TS CALs are associated with user accounts, so two users cannot share a license even if they never log on at the same time. If two users share the same physical computer, then it might be preferable to employ the "per device" license option discussed in the previous paragraph.

Microsoft also offers an "external connector" Terminal Server client access license that you buy for a server and lets you connect an unlimited number of non-employees to the server.

Let's look at the three different Terminal Server client license options.

Option 1. Terminal Server "Device" Client Access License

Terminal Services licensing has traditionally been handled by the Terminal Server device Client Access License (TS Device CAL). One license is assigned to each specific client device. Each unique client device that accesses a Terminal Server requires a single TS Device CAL.

What is this license good for? If your environment has workstations that are used by a multiple users, as in round-the-clock environments such as factory floors, call centers, and nursing stations, this license is the most effective since your users could share a single TS Device CAL.

Option 2. Terminal Server "User" Client Access License

A Terminal Server user Client Access License (TS User CAL) is assigned to a user account. It then "follows" that user no matter which server he logs on to and no matter which client device he logs on from.

This license is ideal for mobile workers that roam from location to location while using Terminal Servers to access their applications. Also, if your users use multiple client devices (perhaps their work PC and home PC), this model may save your company significant licensing dollars.

Option 3. External Connector License

A challenge to using per-user and per-device CALs is the fact that they have to be assigned to a specific user account or a specific client device. While adequate for employees of the company that bought the license, what happens if a company wants to extend its Terminal Server environment to business partners where the names of users and client devices wouldn't be known? What happens if a company wants to extend an application via a Terminal Server to the Internet? Technically following the Microsoft terms, you would need to buy a license for each unique user or computer that connected to your server.

Clearly this is not feasible. To address this challenge, Microsoft introduced the External Connector License (ECL), designed to be used when systems are extended to external parties, including business partners and the public.

ECLs are available for all new Microsoft products (except products that are licensed on a per-processor basis since per-processor licenses already account for unlimited users and client devices). In Terminal Server 2003 environments, ECLs provide a simple way to buy "concurrent" user licenses for those who need to connect to your server. If you wanted to open up a server to trading partners, you would buy a Terminal Server ECL.

At this point you might be wondering why you can't just buy ECLs and forget all this per-user and per-device garbage. Microsoft has strict rules governing the use of ECLs, and users of the TS ECLs cannot be employees of the organization that bought the license.

Microsoft Windows Server Client Access Licenses

Now that you understand the difference between the three Terminal Server-specific CALs, you need to know that each client device also needs a standard Windows Server 2003 CAL. To legally access a Windows 2003 Terminal Server, each client seat requires each of the following licenses:

Windows Server 2003 Client Access License.
Windows Server 2003 Terminal Server Client Access License.

License 1. Windows Server Client Access License (Server CAL)

Any user needs this Windows Server CAL to access a Windows 2003 server. This license provides the "basic" access rights that allow users to store files, print, and be part of an Active Directory. If you have a unified Active Directory with 5000 users, then you'll have 5000 Windows Server CALs.

License 2. Windows Server 2003 Terminal Server Client Access License (TS CAL)

We discussed the TS CAL (either per-device, per-user, or External Connector License) in the previous section. It builds upon the regular Windows Server CAL, adding the legal right for users to access a "remote control" session on a Terminal Server.

If you have a 5000-user Active Directory environment with a few Terminal Servers that provide applications for 300 users, then you'll need 5000 Windows Server CALs and 300 Terminal Server CALs.

Special Licensing Scenarios

Prior to Windows Server 2003, there were special license rules for specific situations. Microsoft has changed the way these situations are handled with the introduction of Windows Server 2003.

TS CAL Requirements when Connecting to a Terminal Server from Windows XP

Prior to Windows Server 2003, client workstations that ran Windows NT, 2000, or XP Professional had the right to obtain a "free" TS CAL. The only requirement was to purchase a TS CAL for client devices that ran an operating system lower than the Terminal Server operating system. For example, Windows 2000 Professional workstations did not require purchase of a TS CAL to connect to a Windows 2000 Terminal Server since Windows 2000 client devices had the right to obtain a free Windows 2000 TS CAL. Also, since these licenses were backwards compatible, the Windows 2000 TS CAL would also apply if you were using a Windows XP Professional client to connect to a Windows 2000 Terminal Server.

Since Windows XP was released over a year before Windows Server 2003, many people bought Windows XP Professional with the assumption that it would include a "free" Windows Server 2003 TS CAL. However, with the release of Windows 2003, Microsoft removed the "free" TS CAL license that was built-in to Windows XP Professional. Unfortunately, this announcement came well after many organizations bought multiple copies of Windows XP assuming that its free TS CAL would work with Windows 2003 Terminal Servers.

Negative response to this announcement prompted Microsoft grant a free Windows 2003 TS CAL to anyone who owned a Windows XP Professional license on April 23, 2003 (the day before the release of Windows Server 2003. Does your copy of Windows XP come with a free Windows Server 2003 TS CAL? If you bought it before April 24, 2003, then it does. If you bought if after that it does not, and you'll have to buy a Windows 2003 TS CAL. (If you had TS CALs that were enrolled in Microsoft Enterprise Agreements or Software Assurance, then you automatically qualified for the Windows 2003 TS CAL upgrade.)

Interestingly, the added TS CAL costs of Terminal Server on Windows Server 2003 has upset some companies so much that they are claiming it as the sole reason that they will keep their Terminal Servers running on Windows 2000.

The Work-at-Home TS CAL

Microsoft licensing agreements also used to provide "work-at-home" licenses for Terminal Servers. These were additional, cheap TS CALs for users that used an office computer to access Terminal Servers and then went home and accessed Terminal Servers from a home PC. With the advent of Windows 2003's new per-user TS CAL, the work-at-home license is no longer an option.

Similar to TS CALs, any prior work-at-home licenses that are enrolled in an Enterprise Agreement or Software Assurance may be upgraded to current licenses.

Windows 2003 Terminal Server Licensing Components

Windows NT Server 4.0 Terminal Server Edition used the "honor system" for tracking licenses. While you were legally supposed to purchase the correct licenses, there was nothing technically stopping you from connecting more users than you paid for. While the honor system worked well for system administrators and thieves, it has not worked as well for Microsoft shareholders.

As alluded to in the opening sentences of this chapter, this system changed when Windows 2000 was released. In Terminal Services for Windows 2000, a Microsoft "Terminal Services Licensing Service" is required to run on one or more servers on your network. This Terminal Services licensing service is responsible for monitoring, distributing, and enforcing TS CAL usage. Microsoft implemented this licensing service as a "service to their customers" who were "deeply concerned that they might accidentally forget to pay for a license or two, every once in awhile." In Terminal Server environments running on Windows 2000 platforms, this licensing service infrastructure guarantees that there be no "accidentally forgetting" to purchase all the needed licenses.

Windows 2003 Terminal Servers also make use of licensing servers—although the exact manner depends upon for which of three licensing options a server is configured (per device, per user, or the external connector license).

In Windows 2003 environments, there are four main technical components that make up the Terminal Services licensing infrastructure:

Terminal Services licensing servers.
The Microsoft license clearinghouse.
Windows 2000/2003 Terminal Servers.
Licenses.

click to expand
Figure 4.1: Microsoft licensing components

Let's take a look at the licensing-related roles of each component.

Terminal Services License Server

The Terminal Services license server is a standard Windows 2003 server with the "Terminal Server Licensing Service" installed. This license server stores digital certificates for TS CALs that are distributed to client devices. Like Windows 2000 environments, a Windows 2003 license server is responsible for issuing licenses and tracking their use.

Microsoft License Clearinghouse

TS license servers and TS client access licenses must be activated be Microsoft before they can be used. The Microsoft license clearinghouse is a large Internet-based certificate authority that authorizes and activates these licenses and servers. Microsoft does this to ensure that no TS CALs are stolen, copied, or pirated (which is why more and more Microsoft software requires activation after you input your license codes).

A TS license server will function before it's activated via the Microsoft clearing-house, however, an unactivated license server will only pass out temporary TS CALs that expire after 90 days. In order for a license server to distribute permanent licenses, it must be activated.

Terminal Server

Windows 2003 Terminal Servers understand that client devices must be licensed. To that end, when you enable Terminal Services, the server immediately begins trying to locate a licensing server. It then communicates with the licensing server to ensure that client devices are licensed properly.

Each Terminal Server must be configured to use per-user, per-device, or external connector licenses.

Licenses

The license service that runs on a Windows 2003 server keeps track of seven different types of licenses. These include four types of licenses for Windows 2003 Terminal Servers and three types (for backward compatibility) for Windows 2000 Terminal Servers. The seven types of Windows 2003 client licenses include:

Windows Server 2003 TS Device CALs .This license is the per-device CAL that is issued to unique client hardware devices. It allows the client device to access Windows 2000 and 2003 Terminal Servers.
Windows Server 2003 TS User CALs .This is the per user CAL that's assigned to unique user accounts. This license allows a user to access Windows 2000 and 2003 Terminal Servers. If the client device has a valid TS Device CAL, then this TS User CAL is not needed, and vice versa.
Windows Server 2003 TS External Connector Licenses .When assigned to a Terminal Server, this ECL license allows unlimited non-employee connections. When this ECL is used, TS Device CALs and TS User CALs are not needed.
Windows 2000 TS CALs .These are per-device licenses for devices connecting to Terminal Servers running Windows 2000.
Windows 2000 TS Internet Connector Licenses .These licenses are essentially the Windows 2000 version of the Windows 2003 TS ECL. When assigned to a Windows 2000 Terminal Server, this license allows 200 simultaneous connections. These connections must be made by non-employees, across the Internet, via anonymous user accounts.
Windows 2000 Built-in Licenses .These built-in licenses are used for Windows 2000 and Windows XP workstations that are connecting to Windows 2000-based Terminal Servers. Remember from the previous section that Windows 2003 Terminal Servers do not support the use of built-in licenses. (Which is why even if your Windows XP workstations qualify for "free" Windows 2003 TS CALs, you have to obtain TS Devices CALs from Microsoft—they're not automatically built in.)
Temporary Licenses . If a licensing server ever runs out of activated licenses, it will issue temporary licenses to any client devices requesting per-device TS CALs (applicable to Windows 2000 or 2003-based Terminal Servers). The number of temporary TS CALs a licensing server can grant is unlimited, although the temporary CALs themselves expire after 90 days and cannot extended.