We appreciated the active dialogue in the comments section on this topic. We agree that there are some good questions raised in the comments section which we'd like to address and appreciate your patience in doing so. Please see additional information following the main body of the article below. Also, we've included some clarifying details in the fourth scenario on RDS CALs. Thanks.
SUMMARY: Knowing who, when, and what needs a Client Access License (CAL) is a great question and one our team answers often. Under most scenarios, CAL requirements are generally straight forward, however, there are several specific scenarios which we address below. In this Licensing How To post, we cover the basics of Client Access Licensing, and recap a few common scenarios which may apply to you.
The Licensing How To series posts are provided by our Customer Service Presales and Licensing team members. These scenario based licensing topics are written on trending topics and issues based on their interactions with customers, Partners, and field sellers. For more posts from the Licensing How To series, search the “Licensing How To” tag on this blog.
It’s a question we answer daily, “I have scenario X, Y, or Z. Do I need a CAL?” Server software licensed via the Server / CAL licensing model always requires some sort of server license (which may be per instance or per processor depending on the Product) as well Client Access Licenses (CALs) for users and/or devices to access the server software. However, the question of who or what needs a CAL, along with any noted exceptions, varies by product.
The general requirement is, any User or Device that accesses the server software, either directly or indirectly, requires a CAL. Depending on the product and functionality being accessed, additive CALs may be required as well.
External users* (users who are not employees, onsite contractors, or onsite agents) can be licensed with CALs, External Connector licenses, and in some cases (SharePoint 2013, Lync 2013 or Exchange 2013) – external user access is granted with the Server License.
Access requirements vary by Product and you need to evaluate the requirements for each product you use. We encourage you to review the Product Use Rights, or Microsoft Software License Terms, that are applicable to you, and the products you use.
Here are a CAL questions that we answer frequently and we thought sharing them might help you when you think about your own CAL requirements. Please note that the below scenarios are based on licensing for the Server / CAL products currently available as of the date of publishing of this post.
Top CAL Questions
1 – Does my Multifunction Printer need a CAL?
Yes, if the multifunction printer is connected to a Windows Server network. A multifunction printer accesses server software to; receive an IP address, to receive a job, to communicate that the job is finished, etc. In short, it communicates with the server software. If the multifunction printer is accessing any server software licensed via the Server / CAL licensing model it requires a CAL for that software. The one caveat is, if your users who use the printer have CALs then the printer is covered by their use via their CALs. If not then the printer itself requires a device CAL. The same CAL requirement applies to any other type of networked device – such as networked scanners, networked fax machines, etc. Devices that do not connect to the network or the server software (generally referred to as peripherals) do not require CALs.
2 – Do my servers need a CAL?
Generally speaking – server to server communication does not require a CAL. However, servers used to pool connections (sometimes referred to as multiplexing) does not reduce your CAL licensing requirements. If, for example, you have an application server which uses SQL Server for its database – users of the application (or the devices they use) will need a SQL CAL even though they may not access the SQL Server directly. If you use a Linux server to run a web server, but your users accessing the web server are being authenticated via Windows Server – users (or the devices they use) will need a Windows Server CAL.
3 – Do my external users need a CAL?
The general rule is all server software access requires a CAL. However, external users* may have additional licensing options depending on the product. For example, with Windows Server – external users can be licensed with CALs or External Connectors (whichever is more cost effective). External user access to application servers such as SharePoint 2013, Lync 2013, and Exchange 2013 is included with the server software – CALs or External Connectors are not required for external users for these products. Note: external users will need to be licensed appropriately for the underlying Windows Server operating system and related software such as SQL.
4 – Do I need an RDS CAL?
There are two basic scenarios which trigger the requirement for an RDS CAL.
Your users or devices directly or indirectly access any of the RDS product functionality, and/or
Your users of devices directly or indirectly interact with the graphical user interface of the server software using RDS functionality or other third party technology (e.g. Citrix, GraphOn, 2X to name a few)
If you meet either (or both) of the points described above – an RDS CAL is required. It is also worth pointing out that RDS CALs are required in a VDI deployment when any of the RDS components are used to support it (e.g. Remote Desktop Web Access, Remote Desktop Gateway, Remote Desktop Connection Broker, Remote Desktop Session Host, or the Remote Desktop Virtualization Host.
5 – Do I need a CAL when my Windows Server is used to run a web server?
Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors. Web workloads, also referred to as an internet web solution, are publically accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving. Access to content, information, and/or applications within the internet web solution must be publically accessible. In other words, they cannot be restricted to you or your affiliate’s employees.
If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers.
6 – Can I use my CALs to access someone else’s server?
You may use CALs purchased by your company to access your servers, or servers owned by your Affiliates*** only. You may not use your CALs to access servers owned by an un-affiliated third party. Let’s say for example, that Company A and Company B are affiliates. Company A wants to provide employees from Company B with access to their SharePoint Servers. However, Company B already owns Windows Server and SharePoint Server CALs (that match the version of Windows and SharePoint Server that Company A uses). Company A will not need to purchase additional Windows Server or SharePoint Server CALs since employees from their affiliate, Company B, are already covered with the appropriate CALs. If we use the same scenario as above, but assume Company A and B are not affiliated - then CALs owned by B cannot be used to access Company A’s servers. Company A would need to appropriately license their SharePoint farm for external users.
7 – Do I need CALs for my administrators?
Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs. However, if your administrators also use the software for anything other than administration (for example, they check their email), CALs will be required for them as well.
For additional information on CAL requirements, consult your Product Use Rights, License Terms, or contact your Reseller, Microsoft Partner, or Account Team. Many products have licensing guides on the Volume License Website and/or their respective product sites. Here are a few of our favorite resources on the subject.
Multiplexing - Client Access License (CAL) Requirements
Base and Additive Client Access Licenses: An Explanation
Licensing Windows Server 2012 R2 Remote Desktop Services
About Licensing – Client Access Licenses and Management Licenses
* External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.
** Web Workloads (also referred to as “Internet Web Solutions”) are publicly accessible and consist solely of web pages, websites, web applications, web services, and/or POP3 mail serving. For clarity, access to content, information, and applications served by the software within an Internet Web Solution is not limited to your or your affiliates’ employees.
Software in Internet Web Solutions is used to run:
web server software (for example, Microsoft Internet Information Services), and management or security agents (for example, the System Center Operations Manager agent).
database engine software (for example, Microsoft SQL Server) solely to support Internet Web Solutions.
the Domain Name System (DNS) service to provide resolution of Internet names to IP addresses as long as that is not the sole function of that instance of the software.
*** “Affiliate” means any legal entity that a party owns, that owns a party, or that is under common ownership with a party. “Ownership” means, for purposes of this definition, control of more than a 50% interest in an entity.
This is one scenario and licensing situation. Each customer scenario can vary by deployment, usage, product version, and product use rights. Always check your contract, and the current Products Use Rights document to confirm how your environment should be fully licensed. The blogging team does not warrant that this scenario will be the right licensing solution for other similar cases.
Additional content in response to questions:
Following is our best effort to answer some of the questions posted below. Please know that your feedback is shared with the respective product groups within Microsoft. The purpose of the Licensing How To series is to share insights gained through the many interactions our customer service teams have with customers, and present the details based on the licensing requirements set forth in our license term documents and guidance from the respective product groups. We are listening and take your feedback to heart.
Before going into further details, lets include the actual language from the use terms regarding CALs. This is from the current Product Use Rights for volume license customers, but the license terms for OEM and Retail licenses will be similar if not identical. Because the majority of questions are around Windows Server CAL requirements - this is from the Windows Server license terms.
- You must assign each CAL to a user or device, as appropriate, and each External Connector License to a Licensed Server.
- CALs or External Connector Licenses are required for access to server software.
- CALs and External Connector Licenses permit access to the corresponding version (including earlier versions used under downgrade rights) or earlier versions of server software.
- CALs are not required for access by another Licensed Server or for up to 2 users or devices to administer the software.
- CALs are not required to access server software running a Web or HPC Workload.
- CALs not required for access in a Physical OSE used solely for hosting and managing Virtual OSEs.
- Your CALs and External Connector Licenses only permit access to your Licensed Servers (not a third party’s).
Q1 - If I have a printer that uses an IP address assigned by a router, but the drivers are deployed via a GPO...does that need a CAL?
A1 - Yes, any Windows Server access requires a Windows Server CAL. In this scenario, the printers are connecting to, and receiving benefit of, Windows Server. However, if all users who access or use that printer already have a user CAL - then you’re covered and will not need additional device CALs for the printer.
Q2 - If I have guests that come into my office an temporarily use a Windows DHCP server to grab an IP address to access the Internet, do they need CALs? I guess the takeaway is to never use a Windows DHCP server?
A2 - Yes, they are using a Windows Server service and would need a CAL.
Q3 - If I have a Remote Access card installed in a server, does that need a CAL? If I run sniffer, does that need a CAL? If I use a common management tool that installs a service/daemon on each server - does that need a CAL?
A3 - Peripherals, server components and network equipment on their own do not generally require a CAL (for Windows Server or otherwise). Server to server communication does not require a Windows Server CAL (between two licensed Windows Servers). Device CALs are intended for the clients/endpoints accessing the Windows Server (for any reason - to get an IP address, to access a file, to authenticate to AD, to access an application of any type on the Windows Server, etc.) User CALs are intended for the same reason - but are assigned to the users using the clients/endpoints. For example, a sniffer. Generally, these won't require a CAL - they simply monitor network traffic. However, let’s say that you have a software based sniffer installed on your desktop at work - and your desktop is accessing Windows Server (to get an IP, to authenticate to AD, etc.) This scenario will require a device CAL for your desktop (or a user CAL for you), not because you are using a sniffer, but because the device/endpoint it’s installed on accesses Windows Server. Management software. Let’s use the same concepts above. Let's say for example, the management software is installed on a Windows Server, and is being used to manage client devices, network equipment, and other servers. Any device that accesses Windows Server as a result of being managed will require a Windows Server device CAL (with the exception of other Windows Server since Windows Server to Windows Server communication does not require a CAL). If you are licensed by user in this scenario however, and all users are covered with a Windows Server CAL, the n you’re covered since all users of the managed devices are already covered with user CALs.
Q4 - If I manage another companies servers as their help desk...and employ more than 3 people...and I already have CALs for my people, do I need additional CALs to administer their network?
A4 - CALs (for Windows Server, Windows Server RDS, Exchange Server, SharePoint, SQL, Lync, etc.) can be used only to access organization owned servers. Your CALs cannot be used to access servers operated by an independent organization (see #6 in the blog above). That being said, their licensed servers will provide the ability for 2 users/devices to access the servers for purposes of administration. For any number of users/devices employed to manage their servers in excess of 2, additional CALs will be required. For example, if 10 people, using 10 different devices are employed to manage their servers - a total of 8 additional user or device CALs will be required. The organization whose servers are being accessed will be required to purchase these CALs however. It is worth pointing out, that certain products - such as Exchange Server 2013, SharePoint Server 2013, and Lync Server 2013 (as well as to some extent, CRM Server 2013) do not require CALs for external user (non-employee) access (administrative access or otherwise). In this example, you are being hired by a third party to provide help desk support OFFSITE and would be considered an external user (see #3 in the blog above). If for example, you have 10 users/devices employed to administer a third parties servers - the company may be required to purchase additional CALs for products such as Windows Server, and/or (unless licensed by processor or core). However, because you can leverage the external user CAL exception for Exchange Server 2013, Lync 2013, or SharePoint 2013 - additional CALs for these products would not be required in this scenario. Note the external user CAL exception for the products mentioned above apply only to the current versions and not prior versions. External users must be offsite.
Q5 - So, if I host a web server using a Web Workload for any reason I need CALs for each user?
A5 - CALs are not required to access servers running a web workload (defined above in the blog), so no - CALs are not required to access servers running a web workload when users access anonymously.
Q6 - If I assist another company in an e-mail migration to O365 and need administrative/test mailboxes - do those need CALs?
A6 - It’s best to look at each involved product individually. For example, in this scenario you could potentially have Windows Server, Exchange Server, and Office 365 (or Exchange Online) - each with their own unique CAL licensing requirements. For Windows Server, see A4 above as this would be considered administration. For Exchange Server, we license by user or device accessing the Exchange Server (not per mailbox). Exchange Server also has the same 2 user/device administration exception as described above. If you have more than 2 users/devices accessing Exchange Server for the migration - yes additional CALs will be required.
Admin and test mailboxes just look like regular mailboxes from an O365 perspective, so they require subscriptions to be assigned. (USL required)
Admins can administer Office 365 (including Exchange) without having a mailbox, so that answer is a little more nuanced than the test accounts one.
Regarding 30 day grace period, there is a very narrow scenario where this is enabled (when you have a hybrid deployment and you are moving mailboxes from on-premises) but it is not worth bringing up in this context.
Note that we offer free 30 day trials of 25 licenses per tenant for Office 365, so that’s how most customers accomplish their testing.
Q7 - When accessing a VDI, do I always need an RDS CAL even if I use a pure Citrix solution?
A7 - Note that we have amended the last sentence to number 5. RDS CALs are required only when accessing the Windows Server GUI, or if any of the RDS components listed are used (e.g. Remote Desktop Web Access, Remote Desktop Gateway, Remote Desktop Connection Broker, Remote Desktop Session Host, or the Remote Desktop Virtualization Host.) If you are using a third party VDI solution, and it does not use any of the RDS components, then RDS CALs are not required.
We apologize if we were unable to get to each and every question. Please note this post was intended to be a general guide only and address some outlier scenarios we hear about from time to time. We encourage everyone to leverage your resellers, partners, and/or distributors. In each case, these resources have access to teams directly at Microsoft who can answer licensing questions, who are better equipped to answer large volumes of questions. There is also a group available who handles licensing questions via the Sales and Partner Information line at 800-426-9400.
Again, we appreciate the feedback and please know that it is shared with our products teams.