"For On-Premises, intranet sites are licensed using a Server/CAL (Client Access License) model. SharePoint Server 2019 is required for each running instance of the software, and CALs are required for each person or device accessing a SharePoint Server."
It's that simple. CALs are required for each person or device accessing SP. That's it. Nothing more or less. It's not just easy, but exactly what you'd logically expect the licensing to do if they were being rational.
If I was going to try a P2V of this server, what would be the best way to go about it?
I could consider a cold clone (the only disc I have available to try this is the VMware cold clone 3.0.3 disc; not sure if that will work or not).
Another option I was considering is installing VMware Standalone Converter, then booting into DSRM mode and performing the P2V. Once the server was successfully converted, I'd shut down the existing server, fire up the virtual, and make sure the IP was the same.
Thoughts on these options, or other possibilities?
The best case scenario is that the P2V jacks AD totally and forces a total rebuild of the environment that allows you to demonstrate to the owners that bad-IT is just another term for "wasting money" and that would give you a chance to start fresh.
I shared this with my parent company and they did an evaluation, but found that it's not really useful for them. Initial feedback was "the application supports files only - no other objects (list items, etc.)"
Is it a good practice to have a firewall first between internet and WFE servers and then between WFE and Application Servers? I am looking for a design diagram for such a setup.
Depends on your needs. For a small setup, probably unnecessary. For compliance, potentially required.
We use firewalls against every single device on our network at the VM level. Communication in and out is always monitored and we have procedures on allowing traffic through. This provides compliance and proper lockdown between machines.
Don't think of the firewall as another device. If you have a single device, additional subnets with it inspecting the traffic is sufficient.