CALs: Silly or Not?

marv

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.

This excerpt makes it pretty clear...

"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

scottalanmiller

@marv said in CALs: Silly or Not?:

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

While not the only thing that makes you need a CAL, it's certainly been my understanding that anyone that gets authenticated needs one.

scottalanmiller

@marv said in CALs: Silly or Not?:

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.

This excerpt makes it pretty clear...

"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

That's the same part that affects MangoLassi.

Obsolesce

@scottalanmiller said in CALs: Silly or Not?:

@tim_g said in CALs: Silly or Not?:

@scottalanmiller said in CALs: Silly or Not?:

Actually, they do exactly the opposite. This is their quote: "External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents."

What?? I said they define "publicly"......

You just defined "external users".

Two different things here.

Also, I took that "publicly" definition directly from their definition.

External users do not need a CAL when accessing web-workloads publicly.

Where do they have a public definition for their CALs?

Section 5:

publically accessible (e.g. accessible outside of the firewall)... ...cannot be restricted to you or your affiliate’s employees

marv

@scottalanmiller Exactly - there are various other factors too. In our particular situation, we would need CALs anyway as our site isn't publicly accessible but I was just making the point.

Obsolesce

@scottalanmiller said in CALs: Silly or Not?:

@marv said in CALs: Silly or Not?:

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.

This excerpt makes it pretty clear...

"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

That's the same part that affects MangoLassi.

It's not the authentication that causes a user to need a CAL. If you read closely, it's the fact that in their example, the authentication took place on a non-web-workload server, on the back end. Had the authentication taken place on the web-server, it would hvae been fine.

Read the last sentence of that section: (see bolded parts)

@marv said in CALs: Silly or Not?:

they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

JaredBusch

@scottalanmiller said in CALs: Silly or Not?:

@marv said in CALs: Silly or Not?:

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.

This excerpt makes it pretty clear...

"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

That's the same part that affects MangoLassi.

That excerpt applies when authentication and other backend services are talking to a non-web workload that is on a Microsoft system.

If I use IIS for my web server, but the DB server is MariaDB on Fedora 27, then there is no connection to a MS server that requires a CAL. Granted, few sane people would run IIS like this anyway.

marv

@tim_g Interesting - I hadn't spotted that key distinction!

Obsolesce

In that example, their authentication could have been done on their AD server (as one example), which is not a web-workload server. That's why they would then require a CAL, as they mentioned.

If their authentication was done on their front-end web-workload server (web server via mangoDB as in the Mangolassi case, i think), then no CALs are needed.

Obsolesce

@jaredbusch said in CALs: Silly or Not?:

@scottalanmiller said in CALs: Silly or Not?:

@marv said in CALs: Silly or Not?:

@scottalanmiller My understanding is that as soon as a user is authenticated, they require a CAL.

We have a web app sat on a Windows server which hooks up to an Oracle database. Our staff login to the site to collect / process their jobs for the day and since we authenticate them in Oracle, they need a Windows Server CAL.

This excerpt makes it pretty clear...

"If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors. However, let’s say you are using Windows Server to setup an online store where customers can buy widgets. You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets. The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers. Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload). Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers."

That's the same part that affects MangoLassi.

That excerpt applies when authentication and other backend services are talking to a non-web workload that is on a Microsoft system.

If I use IIS for my web server, but the DB server is MariaDB on Fedora 27, then there is no connection to a MS server that requires a CAL. Granted, few sane people would run IIS like this anyway.

Exactly my point.

Dashrender

@tim_g said in CALs: Silly or Not?:

In that example, their authentication could have been done on their AD server (as one example), which is not a web-workload server. That's why they would then require a CAL, as they mentioned.

If their authentication was done on their front-end web-workload server (web server via mangoDB as in the Mangolassi case, i think), then no CALs are needed.

I tend to agree with this as well.