Watch me reply to myself! HUH! YEAH WATCH ME! Since nobody commented on this, I am bringing it up again to add up a bit to what I said previously. This licensing scheme holds true in Windows 2000, which was in place when I did my MCSE course (never did get the certification though from lack of motivation), but it occurred to me that it was a bit outdated. In Windows Server 2003, the "Per Seat" licensing mode was changed to "Per Device/Per User" (Per Server remains the same). This means that you either assign the CALs to Users or to Machines. Slightly more granular. So suppose I have the previous ASCII drawing, and have three users in there, I only need three CALs. This should be a bit more interesting than Per Seat if you have VPN services that auth against an Active Directory. Whenever I look at Windows licensing, I think "The price for a Kerberos token is high". And then nod in the same way you usually do whenever something gloom, of a nihilistic outcome is enunciated. And then proceed to sip Diet Coke. -----Message d'origine----- De : Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] Envoyé : 16 janvier 2006 10:19 À : [ISAserver.org Discussion List] Objet : [isalist] RE: ISA Licensing http://www.ISAserver.org Well, don't take what I'm saying as cold hard cash, but... This should be a refresher for you MCSAs MCSEs and MCPs. * Per Seat (which I prefer the split second you have more than one server): You will need one cal for each device/client that accesses the server (any kind of service). Connections between servers don't count for they are handled by your *server* license. This is the reason. * Per Server (which I find insanely limiting): In this scenario, some CALs are associated with a particular server; you enter them in the licensing applet in the control Panel. Purchasing say, 150 CALs will just allow you to connect 150 clients simultaneously. If you have two servers, and one of them needs to access the other server, that eats one CAL. So let's make it ASCII (I'm not as cool as Thor in this regard though): [Server] ----- [Server] / | | \ [Client] [Client] [Client] [Client] In this scenario, Per set licensing would require 4 CALs, because you have 4 clients accessing server resources, and the CALs are bound to the CLIENTS. Per Server would require...uh... 10 CALs. Because for each server, you have five devices (let's assume the two servers talk to each other continuously) accessing resources simultaneously and there are two servers, and the CALs are bound to the CONNECTIONS. I'm not sure about 2000 and 2003, but in the NT4 days, the per-server licensing mode was in fact "per connection" regardless of the device. In theory, it was probably not intended to, but practically that's what it did. Someone printing ate one CAL, the same person accessing the monthly tax report through SMB (or CIFS for those who like to call it that way) ate another. We had a Citrix Winframe (not metaframe. Winframe. NT 3.5 baby) server acting as the secondary DC that ate every single CAL by opening random RPC connections and never closing them... I think it was just the whole setup malfunctioning and that it was not intended that way. -----Message d'origine----- De : Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Envoyé : 14 janvier 2006 14:15 À : [ISAserver.org Discussion List] Objet : [isalist] RE: ISA Licensing http://www.ISAserver.org That's a good question. I thought per server was for CIFS connections only. ??? Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > Sent: Saturday, January 14, 2006 12:27 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: ISA Licensing > > http://www.ISAserver.org > > Not if it is per server licensing, right? > > t > > ----- > "I'll see your Llama and up you a Badger." > John T > > > > ----- Original Message ----- > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Saturday, January 14, 2006 8:59 AM > Subject: [isalist] RE: ISA Licensing > > > http://www.ISAserver.org > > Hi Joseph, > > Why use RADIUS? Isn't the ISA firewall a domain member? > > You need CALs for the users at the DC. > > If you're using the local SAM on the ISA firewall, then you need user > CALs on the ISA firewall, but that's an unusual setup. > > Tom > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx] > > Sent: Friday, January 13, 2006 2:59 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] ISA Licensing > > > > http://www.ISAserver.org > > > > Jim: > > > > No - only authentication is for VPN to > ISA to > RADIUS/DC. > > > > Joe > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: Friday, January 13, 2006 3:23 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: ISA Licensing > > > > http://www.ISAserver.org > > > > Part 2.. > > > > Does ISA authenticate any other traffic? > > If so, how are those accounts resolved; via RADIUS or direct-to-AD? > > > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > > > > -----Original Message----- > > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx] > > Sent: Friday, January 13, 2006 12:03 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] ISA Licensing > > > > http://www.ISAserver.org > > > > Jim: Very interesting! > > > > My ISA is in Workgroup mode and using RADIUS for remote VPN > connection > > authentication. > > > > So, I assume I only need to count those accounts that > establish remote > > VPN connection? Correct? > > > > Joe > > P.S. one beer also goes to Jim. > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: Friday, January 13, 2006 2:58 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: ISA Licensing > > > > http://www.ISAserver.org > > > > Caveat - Windows still requires a CAL for each user being > > authenticated > > by ISA. > > Don't confuse one with the other or think that ISA > licensing replaces > > Windows licensing. > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > >