CALs: Silly or Not?
-
5 – Do I need a CAL when my Windows Server is used to run a web server?
Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.
** Web Workloads (also referred to as “Internet Web Solutions”) are publicly accessible and consist solely of web pages, websites, web applications, web services, and/or POP3 mail serving. For clarity, access to content, information, and applications served by the software within an Internet Web Solution is not limited to your or your affiliates’ employees.
Software in Internet Web Solutions is used to run:
-web server software (for example, Microsoft Internet Information Services), and management or security agents (for example, the System Center Operations Manager agent).
-database engine software (for example, Microsoft SQL Server) solely to support Internet Web Solutions.
-the Domain Name System (DNS) service to provide resolution of Internet names to IP addresses as long as that is not the sole function of that instance of the software.
-
So can you point out, exactly, how Mangolassi website does not fall under their "web workload" definition?
You've got the platform, then you have the database. Both are exclusively used as described under their web workload definition.
-
@scottalanmiller said in CALs: Silly or Not?:
Actually, they do exactly the opposite. This is their quote: "External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents."
What?? I said they define "publicly"......
You just defined "external users".
Two different things here.
Also, I took that "publicly" definition directly from their definition.
External users do not need a CAL when accessing web-workloads publicly.
-
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@dashrender said in CALs: Silly or Not?:
... and assuming you're not lieing about the number of users by making people share accounts or deleting them why couldn't user count be done on a server by server basis?
Lieing is a bad term here, the only place you are asked the number of users is in the count of your CALs. Beyond that, there is no place where one could lie in this context. But moving on, if you don't have AD, where do you envision these accounts living?
Let's take this to a non-Windows, really simple set of examples... all of which could be on Windows if it was affordable...
- MangoLassi
- Google DNS
In both of these scenarios, how would we count up all of the users who are getting benefits from their services? And, of course, what makes Windows different from the operating systems used for either of these?
If Windows Server is hosting a website or public DNS, you don't need CALs for the public user access to that. Publicly accessible services hosted on a Windows Server do not require CALs for public users. Once it's not made publicly accessible, then you need CALs.
Actually it's only for public anonymous users that you don't need Named CALs. If you can identify them, even publicly, you need CALs.
I seen nothing specifying the anonymous requirement.
That doesn't make sense. What if you hear a rumor that John Smith from way back in kindergarten just happens to be a frequent visitor of your website. That doesn't mean you now suddenly need to buy a CAL for him. It's still public access. I didn't see anything specifying anonymous.
Publicly means unidentified. If you authenticate a public user, for example (and for others reading - authenticate in no way implies AD or any form or Windows or Microsoft authentication mechanism) then they need a User CAL.
Without those you need an EC, which is a public CAL.
If you were hosting Mangolassi.it on a Windows Server, you would NOT need a user CAL for me. That's not how it works.
Certainly would, no question. Because you using non-web services.
What on Mangolassi's web server am I accessing that doesn't fall under their web-workload definition?
-
@eddiejennings said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@dashrender said in CALs: Silly or Not?:
... and assuming you're not lieing about the number of users by making people share accounts or deleting them why couldn't user count be done on a server by server basis?
Lieing is a bad term here, the only place you are asked the number of users is in the count of your CALs. Beyond that, there is no place where one could lie in this context. But moving on, if you don't have AD, where do you envision these accounts living?
Let's take this to a non-Windows, really simple set of examples... all of which could be on Windows if it was affordable...
- MangoLassi
- Google DNS
In both of these scenarios, how would we count up all of the users who are getting benefits from their services? And, of course, what makes Windows different from the operating systems used for either of these?
If Windows Server is hosting a website or public DNS, you don't need CALs for the public user access to that. Publicly accessible services hosted on a Windows Server do not require CALs for public users. Once it's not made publicly accessible, then you need CALs.
Actually it's only for public anonymous users that you don't need Named CALs. If you can identify them, even publicly, you need CALs.
I seen nothing specifying the anonymous requirement.
That doesn't make sense. What if you hear a rumor that John Smith from way back in kindergarten just happens to be a frequent visitor of your website. That doesn't mean you now suddenly need to buy a CAL for him. It's still public access. I didn't see anything specifying anonymous.
Publicly means unidentified. If you authenticate a public user, for example (and for others reading - authenticate in no way implies AD or any form or Windows or Microsoft authentication mechanism) then they need a User CAL.
Without those you need an EC, which is a public CAL.
If you were hosting Mangolassi.it on a Windows Server, you would NOT need a user CAL for me. That's not how it works.
Certainly would, no question. Because you using non-web services.
If I recall, the product for that is the "External Connector" CAL or something along those lines.
Correct. You would need CALs for external users if they are not accessing web-workloads publicly.
-
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@dashrender said in CALs: Silly or Not?:
... and assuming you're not lieing about the number of users by making people share accounts or deleting them why couldn't user count be done on a server by server basis?
Lieing is a bad term here, the only place you are asked the number of users is in the count of your CALs. Beyond that, there is no place where one could lie in this context. But moving on, if you don't have AD, where do you envision these accounts living?
Let's take this to a non-Windows, really simple set of examples... all of which could be on Windows if it was affordable...
- MangoLassi
- Google DNS
In both of these scenarios, how would we count up all of the users who are getting benefits from their services? And, of course, what makes Windows different from the operating systems used for either of these?
If Windows Server is hosting a website or public DNS, you don't need CALs for the public user access to that. Publicly accessible services hosted on a Windows Server do not require CALs for public users. Once it's not made publicly accessible, then you need CALs.
Actually it's only for public anonymous users that you don't need Named CALs. If you can identify them, even publicly, you need CALs.
I seen nothing specifying the anonymous requirement.
That doesn't make sense. What if you hear a rumor that John Smith from way back in kindergarten just happens to be a frequent visitor of your website. That doesn't mean you now suddenly need to buy a CAL for him. It's still public access. I didn't see anything specifying anonymous.
Publicly means unidentified. If you authenticate a public user, for example (and for others reading - authenticate in no way implies AD or any form or Windows or Microsoft authentication mechanism) then they need a User CAL.
Without those you need an EC, which is a public CAL.
If you were hosting Mangolassi.it on a Windows Server, you would NOT need a user CAL for me. That's not how it works.
Certainly would, no question. Because you using non-web services.
What on Mangolassi's web server am I accessing that doesn't fall under their web-workload definition?
So from looking at what you quoted.... databases used solely for web workloads (say... MariaDB used only for WordPress public sites) is now included in their web workload definition? That's definitely new (new meaning since I last investigated, not necessarily recent) because that's definitely not what it used to be.
-
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
Actually, they do exactly the opposite. This is their quote: "External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents."
What?? I said they define "publicly"......
You just defined "external users".
Two different things here.
Also, I took that "publicly" definition directly from their definition.
External users do not need a CAL when accessing web-workloads publicly.
Where do they have a public definition for their CALs?
-
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.
This excerpt makes it pretty clear...
"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
-
@marv said in CALs: Silly or Not?:
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
While not the only thing that makes you need a CAL, it's certainly been my understanding that anyone that gets authenticated needs one.
-
@marv said in CALs: Silly or Not?:
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.
This excerpt makes it pretty clear...
"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
That's the same part that affects MangoLassi.
-
@scottalanmiller said in CALs: Silly or Not?:
@tim_g said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
Actually, they do exactly the opposite. This is their quote: "External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents."
What?? I said they define "publicly"......
You just defined "external users".
Two different things here.
Also, I took that "publicly" definition directly from their definition.
External users do not need a CAL when accessing web-workloads publicly.
Where do they have a public definition for their CALs?
Section 5:
publically accessible (e.g. accessible outside of the firewall)... ...cannot be restricted to you or your affiliate’s employees
-
@scottalanmiller Exactly - there are various other factors too. In our particular situation, we would need CALs anyway as our site isn't publicly accessible but I was just making the point.
-
@scottalanmiller said in CALs: Silly or Not?:
@marv said in CALs: Silly or Not?:
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.
This excerpt makes it pretty clear...
"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
That's the same part that affects MangoLassi.
It's not the authentication that causes a user to need a CAL. If you read closely, it's the fact that in their example, the authentication took place on a non-web-workload server, on the back end. Had the authentication taken place on the web-server, it would hvae been fine.
Read the last sentence of that section: (see bolded parts)
@marv said in CALs: Silly or Not?:
they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
-
@scottalanmiller said in CALs: Silly or Not?:
@marv said in CALs: Silly or Not?:
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.
This excerpt makes it pretty clear...
"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
That's the same part that affects MangoLassi.
That excerpt applies when authentication and other backend services are talking to a non-web workload that is on a Microsoft system.
If I use IIS for my web server, but the DB server is MariaDB on Fedora 27, then there is no connection to a MS server that requires a CAL. Granted, few sane people would run IIS like this anyway.
-
@tim_g Interesting - I hadn't spotted that key distinction!
-
In that example, their authentication could have been done on their AD server (as one example), which is not a web-workload server. That's why they would then require a CAL, as they mentioned.
If their authentication was done on their front-end web-workload server (web server via mangoDB as in the Mangolassi case, i think), then no CALs are needed.
-
@jaredbusch said in CALs: Silly or Not?:
@scottalanmiller said in CALs: Silly or Not?:
@marv said in CALs: Silly or Not?:
@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.
We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.
This excerpt makes it pretty clear...
"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."
That's the same part that affects MangoLassi.
That excerpt applies when authentication and other backend services are talking to a non-web workload that is on a Microsoft system.
If I use IIS for my web server, but the DB server is MariaDB on Fedora 27, then there is no connection to a MS server that requires a CAL. Granted, few sane people would run IIS like this anyway.
Exactly my point.
-
@tim_g said in CALs: Silly or Not?:
In that example, their authentication could have been done on their AD server (as one example), which is not a web-workload server. That's why they would then require a CAL, as they mentioned.
If their authentication was done on their front-end web-workload server (web server via mangoDB as in the Mangolassi case, i think), then no CALs are needed.
I tend to agree with this as well.