RE: ISA Licensing

• From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
• To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 18 Jan 2006 08:05:26 -0500

Watch me reply to myself! HUH! YEAH WATCH ME!

Since nobody commented on this, I am bringing it up again to add up a bit to
what I said previously. This licensing scheme holds true in Windows 2000,
which was in place when I did my MCSE course (never did get the
certification though from lack of motivation), but it occurred to me that it
was a bit outdated.

In Windows Server 2003, the "Per Seat" licensing mode was changed to "Per
Device/Per User" (Per Server remains the same). This means that you either
assign the CALs to Users or to Machines. Slightly more granular. So suppose
I have the previous ASCII drawing, and have three users in there, I only
need three CALs.

This should be a bit more interesting than Per Seat if you have VPN services
that auth against an Active Directory.

Whenever I look at Windows licensing, I think "The price for a Kerberos
token is high". And then nod in the same way you usually do whenever
something gloom, of a nihilistic outcome is enunciated. And then proceed to
sip Diet Coke.

-----Message d'origine-----
De : Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
Envoyé : 16 janvier 2006 10:19
À : [ISAserver.org Discussion List]
Objet : [isalist] RE: ISA Licensing

http://www.ISAserver.org

Well, don't take what I'm saying as cold hard cash, but...
This should be a refresher for you MCSAs MCSEs and MCPs.

* Per Seat (which I prefer the split second you have more than one server):

You will need one cal for each device/client that accesses the server (any
kind of service). Connections between servers don't count for they are
handled by your *server* license. This is the reason.

* Per Server (which I find insanely limiting):

In this scenario, some CALs are associated with a particular server; you
enter them in the licensing applet in the control Panel. Purchasing say, 150
CALs will just allow you to connect 150 clients simultaneously.

If you have two servers, and one of them needs to access the other server,
that eats one CAL.

So let's make it ASCII (I'm not as cool as Thor in this regard though):

         [Server] ----- [Server]
        /    |           |     \
[Client]  [Client]   [Client] [Client]

In this scenario, Per set licensing would require 4 CALs, because you have 4
clients accessing server resources, and the CALs are bound to the CLIENTS.

Per Server would require...uh... 10 CALs. Because for each server, you have
five devices (let's assume the two servers talk to each other continuously)
accessing resources simultaneously and there are two servers, and the CALs
are bound to the CONNECTIONS.

I'm not sure about 2000 and 2003, but in the NT4 days, the per-server
licensing mode was in fact "per connection" regardless of the device. In
theory, it was probably not intended to, but practically that's what it did.
Someone printing ate one CAL, the same person accessing the monthly tax
report through SMB (or CIFS for those who like to call it that way) ate
another.

We had a Citrix Winframe (not metaframe. Winframe. NT 3.5 baby) server
acting as the secondary DC that ate every single CAL by opening random RPC
connections and never closing them... I think it was just the whole setup
malfunctioning and that it was not intended that way.

-----Message d'origine-----
De : Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Envoyé : 14 janvier 2006 14:15
À : [ISAserver.org Discussion List]
Objet : [isalist] RE: ISA Licensing

http://www.ISAserver.org

That's a good question. I thought per server was for CIFS connections
only. ???

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Saturday, January 14, 2006 12:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Licensing
> 
> http://www.ISAserver.org
> 
> Not if it is per server licensing, right?
> 
> t
> 
> -----
> "I'll see your Llama and up you a Badger."
> John T
> 
> 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Saturday, January 14, 2006 8:59 AM
> Subject: [isalist] RE: ISA Licensing
> 
> 
> http://www.ISAserver.org
> 
> Hi Joseph,
> 
> Why use RADIUS? Isn't the ISA firewall a domain member?
> 
> You need CALs for the users at the DC.
> 
> If you're using the local SAM on the ISA firewall, then you need user
> CALs on the ISA firewall, but that's an unusual setup.
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > Sent: Friday, January 13, 2006 2:59 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] ISA Licensing
> >
> > http://www.ISAserver.org
> >
> > Jim:
> >
> > No - only authentication is for VPN to > ISA to > RADIUS/DC.
> >
> > Joe
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Friday, January 13, 2006 3:23 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA Licensing
> >
> > http://www.ISAserver.org
> >
> > Part 2..
> >
> > Does ISA authenticate any other traffic?
> > If so, how are those accounts resolved; via RADIUS or direct-to-AD?
> >
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > Sent: Friday, January 13, 2006 12:03
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] ISA Licensing
> >
> > http://www.ISAserver.org
> >
> > Jim: Very interesting!
> >
> > My ISA is in Workgroup mode and using RADIUS for remote VPN 
> connection
> > authentication.
> >
> > So, I assume I only need to count those accounts that 
> establish remote
> > VPN connection? Correct?
> >
> > Joe
> > P.S. one beer also goes to Jim.
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Friday, January 13, 2006 2:58 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA Licensing
> >
> > http://www.ISAserver.org
> >
> > Caveat - Windows still requires a CAL for each user being
> > authenticated
> > by ISA.
> > Don't confuse one with the other or think that ISA 
> licensing replaces
> > Windows licensing.
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >

Other related posts:

• » ISA Licensing
• » Re: ISA Licensing
• » RE: ISA Licensing
• » ISA Licensing
• » RE: ISA Licensing
• » ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing
• » RE: ISA Licensing

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---