Features Windows Licensing Lead image: Lead Image © Wong Yu Liang, 123RF.com
Lead Image © Wong Yu Liang, 123RF.com

User licensing in Microsoft networks

In the Jungle

When you buy a Microsoft server license, you don't get client access licenses by default. Client licenses are part of the equation when calculating costs, and admins must come to terms with the many rules that apply. By Thomas Joos

A client access license (CAL) is a license that provides a user or a computer access to a server service. Device CALs give a computer with several users (e.g., working in shifts) access to a server. User licenses give users access to a server from their devices (e.g., PCs, laptops, tablets, or smartphones). To find the best approach for an enterprise, you always need to do the math. Licenses are available for both the operating system and for server applications such as Exchange and SharePoint.

Licensing with Windows Server 2012 R2

Companies can purchase server licenses for Windows Server 2012 R2 and use CALs for user licensing, which is the easiest approach in most cases. In this special case, CALs for servers with Windows Server 2012 are also valid for Windows Server 2012 R2, as well as Remote Desktop Services (RDS) or Active Directory rights management CALs – something that is normally not allowed.

The Foundation and Essentials editions of Windows Server 2012 R2 are the exceptions to this rule because you do not need any CALs here. This means you can only connect 25 (Essentials) or 15 users (Foundation). Furthermore, the servers are only allowed a maximum of two processors (Essentials) or one processor (Foundation). This is, however, only an exception in Windows Server 2012 R2, because CALs for Windows Server 2008 R2 are valid in neither Windows Server 2012 nor Windows Server 2012 R2. Conversely, it is always possible to access the previous version of the product with a CAL. In other words, you can use Windows Server 2012 CALs to access servers with Windows Server 2008 R2.

As soon as the successor to Windows Server 2012 R2 is released, enterprises are thus well advised to choose the successor version CALs with new licensing and use them with Windows Server 2012 R2. This step can save a large sum of money during a later migration because the CALs are already in place.

If you use other Microsoft products, such as SharePoint or Exchange, on your servers, you will also need another CAL for the corresponding server application in addition to the operating system CAL. That also applies to the use of the Remote Desktop Services and Active Directory rights management. In the case of RDS CALs, the server stops working if you have not licensed the product (Figure 1). As with conventional CALs, you can purchase user and device licenses for RDS CALs. Administrators using remote desktop services in the enterprise need to come to grips with the topic of licensing.

For Remote Desktop Services, you need to manage the licensing actively; otherwise, users cannot work with the system.
Figure 1: For Remote Desktop Services, you need to manage the licensing actively; otherwise, users cannot work with the system.

Cheaper by the Dozen: CAL Suites

If you use Windows Server 2012 R2 with Exchange Server 2013 on the network, you need to purchase a CAL for Windows and a CAL for Exchange for each user or device. If users also use Enterprise functions in Exchange, an Enterprise CAL is also required. Microsoft offers CAL suites to simplify licensing. Suites bundle the required CALs and are naturally cheaper than individually licensing all the products. Like normal CALs, you can assign CAL suites to users and devices. If you assign a CAL suite for Exchange to a user, that user can access their mailbox via the Internet from all their PCs, notebooks, and devices. However, you are not allowed to split CAL suites. In other words, you cannot spread a suite's individual licenses over multiple computers or users.

Another advantage of CAL suites is their comprehensive version support. If you opt for a CAL suite, you can access the latest versions of the licensed products without having to purchase additional licenses. For example, if you migrate from Windows Server 2008 R2/Exchange Server 2010 to Exchange Server 2013 with a CAL suite, the CAL suite remains valid. In this case, too, you need to be mindful of the suitability of the license for Enterprise. If you have a CAL Standard suite for Exchange, advanced features such as archive and journal are not included. You need a CAL Enterprise suite for these.

Microsoft offers a Core CAL suite and an Enterprise CAL suite for the major products. The Core CAL suite provides access to core components, such as Exchange mailboxes or calendars. The typical components are Windows Server CALs, Exchange Server Standard CALs, SharePoint Server Standard CALs, Lync Server Standard CALs, as well as a System Center Management license and System Center Endpoint Protection. The two suites are only available in the scope of software assurance agreements.

Licensing External Users and Server-Based Services

If external users need to access server services via the Internet, these users need to be licensed. This requirement also applies to server-based services such as printers or multifunction devices. If a printer communicates with the server in any way and uses server-based software (e.g., to email scanned documents), the printer needs a CAL. However, if the user accessing the device has a user CAL, you do not need to license the device.

If you have assigned CALs for accessing internal server services to users in the company, these users with external access to other servers must also be considered in terms of licensing. The user might be allowed to access your own servers via the Internet, but not the servers of your clients or partners. A CAL is not valid for all Windows servers, but rather just for your own company's servers. If, for example, you have assigned a CAL to a sales employee that allows that employee to access your own server on the network, this employee is not permitted to access partner company or client servers. This kind of access is not covered by the conventional CALs. This also applies to accessing services in Windows Azure and others, but more on that later.

In this context, Microsoft offers the External Connector license. This allows external users who have not been assigned a CAL in the company and who do not belong to your company to access public, server-based services such as Lync or a web server via the Internet. External Connector licenses are assigned directly to the servers and cover all external user access rights to this server and its services. In this way, it is possible, for example, for partners and clients to access the server without you having to purchase licenses for all users. The External Connector license thus replaces CALs for external access.

Special Cases: Lync, SharePoint, and Exchange

Users who access Lync do not need to be licensed if they do not need to be authenticated by either Lync or Active Directory. This is useful, for example, when using Lync as a telephone system. Callers do not need a license, but the Lync client is not free. If you want to install the Lync client, you need the standalone application or you can install Office Professional Plus, which contains the Lync client. You must, however, license both the underlying server and the CALs for the server.

This is also the case for Exchange. No Outlook license is included with either the server license, the Enterprise CAL, Standard CAL, or even the corresponding CAL suite. Users always need to license Outlook separately. Exchange CALs only allow access to the mailbox and do not give you Outlook free of charge.

As with Exchange, there are both Standard and Enterprise licenses for Lync. These licenses are necessary if the server is used as a video and web conferencing server, for desktop sharing or as a room system, and for multiple HD video streams. If you do use Lync, you need to examine the licensing in detail and possibly seek advice as to the required licenses. If you also use the Office Web App server with SharePoint, you do not need to purchase any licenses for this service. However, if you run Office Web App server on a standalone server, you will of course need Windows CALs for it.

Licensing Virtual Environments

Companies that virtualize Windows Server products need to plan licensing just like licensing traditional servers. Although virtual machines are already licensed for the Datacenter Edition and are automatically enabled when the Hyper-V host is activated, you still need CALs for these servers. You must, therefore, bear many things in mind regarding virtualized environments.

If you have a virtual desktop infrastructure (VDI) based on Hyper-V, Remote Desktop Services, or other virtualization solutions like VMware vSphere or Citrix XenServer in the enterprise, you can use a special type of licensing, called Windows Virtual Desktop Access (VDA). You assign VDA to a specific computer in the VDI environment and can then access a virtual environment on the Windows computer provided via VDI (Figure 2).

If you use Windows Server 2012 R2 as a host for a VDI infrastructure, VDA licenses can also be used.
Figure 2: If you use Windows Server 2012 R2 as a host for a VDI infrastructure, VDA licenses can also be used.

Put simply, this is a virtual Windows 7/8.1 computer. VDA is a subscription licensing model. The license is only available for assigning to virtual machines in a VDI environment. You are not allowed to use this license for installing or running a physical computer.

VDA gives a user the right to access their virtual machine from any internal access device. That can be a PC, tablet, or notebook. However, remember that Windows servers must be licensed and that, in many cases, RDS CALs are also required. VDAs only cover licensing for the virtual operating system, not for the whole access path across remote desktop services and other areas of Windows Server 2012 R2.

Using the VDA license, you also have the option of using the Windows To Go function from Windows 8.1. Users can thus start the operating system from a USB memory stick. To this end, users can create a Windows To Go disk from their VDI desktop and then use it anywhere without the need for additional licenses. Using Windows To Go via VDA also lets mobile users run Office programs from their VDI environment on the mobile Windows To Go system.

Bring Your Own Device

If you are still with me at this point, you will not be fazed by the fact that Microsoft has also come up with the Companion Subscription License (CSL), which does not make licensing any easier to understand. When a user accesses their VDI computer using their own, private computer on the company network, this access is not covered by VDA. VDA only supports the ability to transport VDI operating systems via Windows To Go beyond the normal scope of use.

For example, if companies allow users to access VDI computers with their own tablets at the office, this access is not covered by VDA. In this case, you also need the CSL. If these virtual computer users then want to access their PCs using their tablets, the VDI system must be licensed with VDA and the users need CSLs. This allows the users to access their VDI desktops from their other computers (e.g., from home).

Using Office Licenses Correctly

Office 2013 is still licensed by device, where each license must be assigned to a specific device. If you are using Office Professional Plus, you can also run the product on servers with Remote Desktop Services. In this way, you can run Office in a VDI environment, for example. If you assign Office 2013 Professional Plus to a Hyper-V host, this includes the right to install the product on this server's virtual machines. A downgrade right is also included here. With Office 2013 Professional Plus, you can therefore install an older Office version on one virtual machine and the current version of Office on another.

If you license Office 365 Pro Plus, a user can deploy this license on up to five computers. In this case, it is always assigned to users, not devices – as with Office 2013. It does not matter who owns the devices. A user who has an Office 365 Pro Plus license can use one instance on their company computer, another on their private PC, and a third on their private laptop.

Virtualization of Exchange, SharePoint, SQL, and Lync

If you virtualize Microsoft server products, you need to license them and the physical installations, too. For each virtual Exchange server, you will need just as many licenses as for physical servers. This also applies to the CALs. However, Microsoft allows the replication of virtual Exchange server to a limited extent without a license being required. If a server is not loaded in the RAM of the host (i.e., is not activated), then it does not need a license. However, as soon as the server is started and its instance is loaded in the host's RAM, a server license is needed, regardless of whether it is a test machine or a fallback server.

You also need to license these servers when using a Hyper-V replica. Because the servers are activated during synchronization and thus active in the host's RAM. You must either sign a licensing agreement with Microsoft or purchase individual server licenses for the replicated servers. This is also necessary if these servers are not in production use. If you use Software Assurance in the enterprise, Hyper-V replicas are covered but may not be used productively [1].

If you are running SQL Server 2014 with the core licensing model, you need to purchase a license for each core in each processor of each server. At least four licenses are required. If you are virtualizing SQL Server 2014, you also need to license each virtual core of the virtual processors. At least four licenses are required here, too. If you license SQL Server 2014 for all of a host's physical cores via Software Assurance, you can then create an unlimited number of VMs. No further licenses or CALs are then required here. This also applies to running as a Windows Azure VM or via an Azure DB, but more on that later.

Using License Mobility

Once you have assigned CALs and servers in the enterprise, you may make new assignments for up to 90 days after this. However, this is only permitted in what Microsoft designates as a server farm, which is a company's server environment with no more than two data centers. These must be located within four hours of the local time zone and within a geographic boundary defined in the Product Use Rights (PUR). In this context, you can relocate most of the products and their licenses free of charge. You can, for example, also use this license mobility if you want to transfer a server as an image to Windows Azure and use it as a VM in Azure.

Cloud Licensing: Office 365 in Hybrid Environments

The use of Office 365 is licensed via the User Subscription License (USL). Here, you need to assign a license to each user. This license gives users the ability to access online services in Office 365 as well as internal server services on your network to some extent. A USL thus supports access to SharePoint Online in Office 365 and to an internal SharePoint server on your network (e.g., if you use a hybrid environment).

A USL allows a user to access the Office 365 cloud services from five PCs. This means that a SharePoint Online user subscription license offers access rights to a SharePoint server that you would otherwise have to license via a SharePoint server access license, in addition to the access options in Office 365. These licenses are known as "dual access rights." The same principle applies to Lync, Exchange, and SharePoint.

Dynamics CRM Online is also licensed with a per-user USL. This means that these users may also access applications using various devices. Companies that already rely on Dynamics CRM internally can purchase some licenses cheaper if they use Dynamics CRM Online.

The Windows Azure Exception

Licensing for Windows Azure is usually based on two metrics: You have to pay for the traffic or the server load you cause. Other services are licensed on the basis of a subscription model. Companies have to calculate slightly differently for this use-based billing method than they do for traditional server/CAL models.

VMs can be created in Windows Azure as in Hyper-V. You can install your own services on these VMs or use preinstalled images such as SQL Server 2014. Billing and licensing in Windows Azure is based on the VM price per minute (Figure 3). If you install your own SQL Server image in a Windows Azure VM, you can use Software Assurance's aforementioned license mobility.

In Windows Azure, virtual servers and databases are billed on a price per minute or a subscription model basis.
Figure 3: In Windows Azure, virtual servers and databases are billed on a price per minute or a subscription model basis.

Each deployed Windows Azure VM requires a license for SQL Server. If you use the templates in Windows Azure for both nodes, the licenses are also covered here by the price per minute. If you use your own images, you need to license them accordingly or use license mobility again. You cannot move a virtual server from Windows Azure to a local Hyper-V environment; instead, you need to purchase a new license.

You do have the option of providing your own images from the internal network via Windows Azure. After moving to the cloud, the client/server model is replaced by time-based billing in Windows Azure. The server applications you deploy in the VM must, however, be considered.

You will not need any server CALs for access via a Windows Azure VM. The access rights are included in the per minute rates for the virtual machine with regard to the operating system. However, you need to purchase separate licenses for local use in a VHD(X). The price per minute only applies to operation in Windows Azure. You can use Software Assurance license mobility to transfer your System Center 2012/2012 R2 license to a Windows Azure VM. A System Center standard license can be used to manage two VM instances, and this also applies to Windows Azure.

Enterprise Cloud Suite

In the form of the new Enterprise Cloud Suite [2], Microsoft allows companies and users to install up to five PCs with a Windows and Office license – on private computers as well. The Enterprise Mobility Suite (EMS) and the Microsoft Azure Rights Management Services for management and security are part of the suite. The solution focuses on the cloud and the management of mobile devices such as laptops, smartphones, and tablets. The suite basically builds on three pillars: the new version of Windows Intune, Azure Active Directory Premium, and Azure Active Directory Rights Management.

The significant change, if you choose this form of licensing, is licensing per user. The Enterprise cloud suite consists of one Software Assurance per user. This includes a virtual desktop access license for Windows Enterprise versions, Office 365 E3, and the aforementioned Enterprise Mobility Suite. A main device use is still assigned to each user, however. The device must be installed with Windows 7/8/8.1/10 Enterprise, or Professional. Users with these licenses can also install Windows Enterprise on their private PCs.


Correctly and, above all, cost-effectively licensing Microsoft products for the enterprise is not a simple matter. Even experienced license professionals despair at times when it comes to joint licensing of internal services, cloud services, and other software. Significant differences exist in licensing between the editions of the same server application or Windows version. On top of this, you might have to consider Microsoft's different purchase, rental, and leasing models, and the many hybrid licenses. The process is certainly not easy, but I hope this article has shed a little light on the topic.