RE: ISA Licensing
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 18 Jan 2006 09:33:25 -0600
WORD.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 18, 2006 9:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Licensing
>
> http://www.ISAserver.org
>
> All true, but the point was about "ISA" licensing, which is
> not in any way shape or form related to CALs.
>
> Let us not confuse one with the other, but rather, bask in
> the glow that cometh from a judicious application of synapse
> activity directed toward a soluble conundrum.
>
> Can I get a witness?!?
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
>
> -----Original Message-----
> From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 18, 2006 5:05 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Licensing
>
> http://www.ISAserver.org
>
> Watch me reply to myself! HUH! YEAH WATCH ME!
>
> Since nobody commented on this, I am bringing it up again to
> add up a bit to
> what I said previously. This licensing scheme holds true in
> Windows 2000,
> which was in place when I did my MCSE course (never did get the
> certification though from lack of motivation), but it
> occurred to me that it
> was a bit outdated.
>
> In Windows Server 2003, the "Per Seat" licensing mode was
> changed to "Per
> Device/Per User" (Per Server remains the same). This means
> that you either
> assign the CALs to Users or to Machines. Slightly more
> granular. So suppose
> I have the previous ASCII drawing, and have three users in
> there, I only
> need three CALs.
>
> This should be a bit more interesting than Per Seat if you
> have VPN services
> that auth against an Active Directory.
>
> Whenever I look at Windows licensing, I think "The price for
> a Kerberos
> token is high". And then nod in the same way you usually do whenever
> something gloom, of a nihilistic outcome is enunciated. And
> then proceed to
> sip Diet Coke.
>
> -----Message d'origine-----
> De : Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> Envoyé : 16 janvier 2006 10:19
> À : [ISAserver.org Discussion List]
> Objet : [isalist] RE: ISA Licensing
>
> http://www.ISAserver.org
>
> Well, don't take what I'm saying as cold hard cash, but...
> This should be a refresher for you MCSAs MCSEs and MCPs.
>
> * Per Seat (which I prefer the split second you have more
> than one server):
>
> You will need one cal for each device/client that accesses
> the server (any
> kind of service). Connections between servers don't count for they are
> handled by your *server* license. This is the reason.
>
> * Per Server (which I find insanely limiting):
>
> In this scenario, some CALs are associated with a particular
> server; you
> enter them in the licensing applet in the control Panel.
> Purchasing say, 150
> CALs will just allow you to connect 150 clients simultaneously.
>
> If you have two servers, and one of them needs to access the
> other server,
> that eats one CAL.
>
> So let's make it ASCII (I'm not as cool as Thor in this
> regard though):
>
> [Server] ----- [Server]
> / | | \
> [Client] [Client] [Client] [Client]
>
> In this scenario, Per set licensing would require 4 CALs,
> because you have 4
> clients accessing server resources, and the CALs are bound to
> the CLIENTS.
>
> Per Server would require...uh... 10 CALs. Because for each
> server, you have
> five devices (let's assume the two servers talk to each other
> continuously)
> accessing resources simultaneously and there are two servers,
> and the CALs
> are bound to the CONNECTIONS.
>
> I'm not sure about 2000 and 2003, but in the NT4 days, the per-server
> licensing mode was in fact "per connection" regardless of the
> device. In
> theory, it was probably not intended to, but practically
> that's what it did.
> Someone printing ate one CAL, the same person accessing the
> monthly tax
> report through SMB (or CIFS for those who like to call it
> that way) ate
> another.
>
> We had a Citrix Winframe (not metaframe. Winframe. NT 3.5 baby) server
> acting as the secondary DC that ate every single CAL by
> opening random RPC
> connections and never closing them... I think it was just the
> whole setup
> malfunctioning and that it was not intended that way.
>
> -----Message d'origine-----
> De : Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Envoyé : 14 janvier 2006 14:15
> À : [ISAserver.org Discussion List]
> Objet : [isalist] RE: ISA Licensing
>
> http://www.ISAserver.org
>
> That's a good question. I thought per server was for CIFS connections
> only. ???
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Saturday, January 14, 2006 12:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: ISA Licensing
> >
> > http://www.ISAserver.org
> >
> > Not if it is per server licensing, right?
> >
> > t
> >
> > -----
> > "I'll see your Llama and up you a Badger."
> > John T
> >
> >
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Saturday, January 14, 2006 8:59 AM
> > Subject: [isalist] RE: ISA Licensing
> >
> >
> > http://www.ISAserver.org
> >
> > Hi Joseph,
> >
> > Why use RADIUS? Isn't the ISA firewall a domain member?
> >
> > You need CALs for the users at the DC.
> >
> > If you're using the local SAM on the ISA firewall, then you
> need user
> > CALs on the ISA firewall, but that's an unusual setup.
> >
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> > > -----Original Message-----
> > > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > > Sent: Friday, January 13, 2006 2:59 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] ISA Licensing
> > >
> > > http://www.ISAserver.org
> > >
> > > Jim:
> > >
> > > No - only authentication is for VPN to > ISA to > RADIUS/DC.
> > >
> > > Joe
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Friday, January 13, 2006 3:23 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA Licensing
> > >
> > > http://www.ISAserver.org
> > >
> > > Part 2..
> > >
> > > Does ISA authenticate any other traffic?
> > > If so, how are those accounts resolved; via RADIUS or
> direct-to-AD?
> > >
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
> > > -----Original Message-----
> > > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > > Sent: Friday, January 13, 2006 12:03
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] ISA Licensing
> > >
> > > http://www.ISAserver.org
> > >
> > > Jim: Very interesting!
> > >
> > > My ISA is in Workgroup mode and using RADIUS for remote VPN
> > connection
> > > authentication.
> > >
> > > So, I assume I only need to count those accounts that
> > establish remote
> > > VPN connection? Correct?
> > >
> > > Joe
> > > P.S. one beer also goes to Jim.
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Friday, January 13, 2006 2:58 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: ISA Licensing
> > >
> > > http://www.ISAserver.org
> > >
> > > Caveat - Windows still requires a CAL for each user being
> > > authenticated
> > > by ISA.
> > > Don't confuse one with the other or think that ISA
> > licensing replaces
> > > Windows licensing.
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
