Licensing How To: When do I need a Client Access License (CAL)?

Licensing How To: When do I need a Client Access License (CAL)?

  • Comments 102
  • Likes

UPDATE: 3/26/14

We appreciated the active dialogue in the comments section on this topic. We agree that there are some good questions raised in the comments section which we'd like to address and appreciate your patience in doing so. Please see additional information following the main body of the article below. Also, we've included some clarifying details in the fourth scenario on RDS CALs. Thanks.

 

SUMMARY:  Knowing who, when, and what needs a Client Access License (CAL) is a great question and one our team answers often. Under most scenarios, CAL requirements are generally straight forward, however, there are several specific scenarios which we address below.   In this Licensing How To post, we cover the basics of Client Access Licensing, and recap a few common scenarios which may apply to you.

The Licensing How To series posts are provided by our Customer Service Presales and Licensing team members.  These scenario based licensing topics are written on trending topics and issues based on their interactions with customers, Partners, and field sellers.  For more posts from the Licensing How To series, search the “Licensing How To” tag on this blog.

 

It’s a question we answer daily, “I have scenario X, Y, or Z. Do I need a CAL?”  Server software licensed via the Server / CAL licensing model always requires some sort of server license (which may be per instance or per processor depending on the Product) as well Client Access Licenses (CALs) for users and/or devices to access the server software.  However, the question of who or what needs a CAL, along with any noted exceptions, varies by product. 

The general requirement is, any User or Device that accesses the server software, either directly or indirectly, requires a CAL.  Depending on the product and functionality being accessed, additive CALs may be required as well. 

External users* (users who are not employees, onsite contractors, or onsite agents) can be licensed with CALs, External Connector licenses, and in some cases (SharePoint 2013, Lync 2013 or Exchange 2013) – external user access is granted with the Server License.

Access requirements vary by Product and you need to evaluate the requirements for each product you use. We encourage you to review the Product Use Rights, or Microsoft Software License Terms, that are applicable to you, and the products you use.

Here are a CAL questions that we answer frequently and we thought sharing them might help you when you think about your own CAL requirements. Please note that the below scenarios are based on licensing for the Server / CAL products currently available as of the date of publishing of this post.


Top CAL Questions
 


1 – Does my Multifunction Printer need a CAL?
 

Yes, if the multifunction printer is connected to a Windows Server network.  A multifunction printer accesses server software to; receive an IP address, to receive a job, to communicate that the job is finished, etc.  In short, it communicates with the server software.  If the multifunction printer is accessing any server software licensed via the Server / CAL licensing model it requires a CAL for that software. The one caveat is, if your users who use the printer have CALs then the printer is covered by their use via their CALs. If not then the printer itself requires a device CAL. The same CAL requirement applies to any other type of networked device – such as networked scanners, networked fax machines, etc.  Devices that do not connect to the network or the server software (generally referred to as peripherals) do not require CALs.


2 – Do my servers need a CAL?
 

Generally speaking – server to server communication does not require a CAL.  However, servers used to pool connections (sometimes referred to as multiplexing) does not reduce your CAL licensing requirements.  If, for example, you have an application server which uses SQL Server for its database – users of the application (or the devices they use) will need a SQL CAL even though they may not access the SQL Server directly.  If you use a Linux server to run a web server, but your users accessing the web server are being authenticated via Windows Server – users (or the devices they use) will need a Windows Server CAL.


3 – Do my external users need a CAL?

The general rule is all server software access requires a CAL.  However, external users* may have additional licensing options depending on the product.  For example, with Windows Server – external users can be licensed with CALs or External Connectors (whichever is more cost effective).  External user access to application servers such as SharePoint 2013, Lync 2013, and Exchange 2013 is included with the server software – CALs or External Connectors are not required for external users for these products.  Note: external users will need to be licensed appropriately for the underlying Windows Server operating system and related software such as SQL.


4 – Do I need an RDS CAL?

There are two basic scenarios which trigger the requirement for an RDS CAL.

    1. Your users or devices directly or indirectly access any of the RDS product functionality, and/or

    2. Your users of devices directly or indirectly interact with the graphical user interface of the server software using RDS functionality or other third party technology (e.g. Citrix, GraphOn, 2X to name a few)

If you meet either (or both) of the points described above – an RDS CAL is required.  It is also worth pointing out that RDS CALs are required in a VDI deployment when any of the RDS components are used to support it (e.g. Remote Desktop Web Access, Remote Desktop Gateway, Remote Desktop Connection Broker, Remote Desktop Session Host, or the Remote Desktop Virtualization Host.


5 – Do I need a CAL when my Windows Server is used to run a web server?

Windows Server 2012 R2 configured to run Web Workloads ** do not require CALs or External Connectors.  Web workloads, also referred to as an internet web solution, are publically accessible (e.g. accessible outside of the firewall) and consist only of web pages, web sites, web applications, web services, and/or POP3 mail serving.  Access to content, information, and/or applications within the internet web solution must be publically accessible.  In other words, they cannot be restricted to you or your affiliate’s employees. 

If you have Windows Servers configured to run a “web workload” these users will not require CALs or External Connectors.  However, let’s say you are using Windows Server to setup an online store where customers can buy widgets.  You have front end Windows Servers setup to support your website, and backend servers (e.g. commerce servers) setup so customers can check out and buy your widgets.  The front end servers used to host your website would generally be considered as running “web workloads” and CALs or External Connectors will not be required to access these servers.  Once the customer adds a widget to their shopping cart, creates an account and enters their credit card and shipping information to complete the sale – they are now authenticated via your back end commerce servers/application (non-web workload).  Since users are accessing the backend commerce servers which web workloads are not running – CALs or External Connectors will be required for users to access these back end servers.


6 – Can I use my CALs to access someone else’s server?

You may use CALs purchased by your company to access your servers, or servers owned by your Affiliates*** only.  You may not use your CALs to access servers owned by an un-affiliated third party.  Let’s say for example, that Company A and Company B are affiliates.  Company A wants to provide employees from Company B with access to their SharePoint Servers.  However, Company B already owns Windows Server and SharePoint Server CALs (that match the version of Windows and SharePoint Server that Company A uses).  Company A will not need to purchase additional Windows Server or SharePoint Server CALs since employees from their affiliate, Company B, are already covered with the appropriate CALs.  If we use the same scenario as above, but assume Company A and B are not affiliated - then CALs owned by B cannot be used to access Company A’s servers.  Company A would need to appropriately license their SharePoint farm for external users.


7 – Do I need CALs for my administrators?

Server software licensed using CALs permits up to 2 users or devices to access the server software for the purposes of administration without CALs.  However, if your administrators also use the software for anything other than administration (for example, they check their email), CALs will be required for them as well.


For additional information on CAL requirements, consult your Product Use Rights, License Terms, or contact your Reseller, Microsoft Partner, or Account Team.  Many products have licensing guides on the Volume License Website and/or their respective product sites.  Here are a few of our favorite resources on the subject.

Multiplexing - Client Access License (CAL) Requirements
Base and Additive Client Access Licenses: An Explanation
Licensing Windows Server 2012 R2 Remote Desktop Services
About Licensing – Client Access Licenses and Management Licenses

 

* External Users means users that are not either your or your affiliates’ employees, or your or your affiliates’ onsite contractors or onsite agents.

** Web Workloads (also referred to as “Internet Web Solutions”) are publicly accessible and consist solely of web pages, websites, web applications, web services, and/or POP3 mail serving. For clarity, access to content, information, and applications served by the software within an Internet Web Solution is not limited to your or your affiliates’ employees.

Software in Internet Web Solutions is used to run:

  • web server software (for example, Microsoft Internet Information Services), and management or security agents (for example, the System Center Operations Manager agent).

  • database engine software (for example, Microsoft SQL Server) solely to support Internet Web Solutions.

  • the Domain Name System (DNS) service to provide resolution of Internet names to IP addresses as long as that is not the sole function of that instance of the software.

*** “Affiliate” means any legal entity that a party owns, that owns a party, or that is under common ownership with a party.  “Ownership” means, for purposes of this definition, control of more than a 50% interest in an entity.

This is one scenario and licensing situation. Each customer scenario can vary by deployment, usage, product version, and product use rights.  Always check your contract, and the current Products Use Rights document to confirm how your environment should be fully licensed.  The blogging team does not warrant that this scenario will be the right licensing solution for other similar cases.

 

Additional content in response to questions:

Following is our best effort to answer some of the questions posted below.  Please know that your feedback is shared with the respective product groups within Microsoft.  The purpose of the Licensing How To series is to share insights gained through the many interactions our customer service teams have with customers, and present the details based on the licensing requirements set forth in our license term documents and guidance from the respective product groups.  We are listening and take your feedback to heart. 

Before going into further details, lets include the actual language from the use terms regarding CALs.  This is from the current Product Use Rights for volume license customers, but the license terms for OEM and Retail licenses will be similar if not identical.  Because the majority of questions are around Windows Server CAL requirements - this is from the Windows Server license terms.

  1. You must assign each CAL to a user or device, as appropriate, and each External Connector License to a Licensed Server.
  2. CALs or External Connector Licenses are required for access to server software.
  3. CALs and External Connector Licenses permit access to the corresponding version (including earlier versions used under downgrade rights) or earlier versions of server software.
  4. CALs are not required for access by another Licensed Server or for up to 2 users or devices to administer the software.
  5. CALs are not required to access server software running a Web or HPC Workload.
  6. CALs not required for access in a Physical OSE used solely for hosting and managing Virtual OSEs.
  7. Your CALs and External Connector Licenses only permit access to your Licensed Servers (not a third party’s).

Q1 - If I have a printer that uses an IP address assigned by a router, but the drivers are deployed via a GPO...does that need a CAL?

A1 - Yes, any Windows Server access requires a Windows Server CAL.  In this scenario, the printers are connecting to, and receiving benefit of, Windows Server.  However, if all users who access or use that printer already have a user CAL - then you’re covered and will not need additional device CALs for the printer.

 

Q2 - If I have guests that come into my office an temporarily use a Windows DHCP server to grab an IP address to access the Internet, do they need CALs? I guess the takeaway is to never use a Windows DHCP server? 

A2 - Yes, they are using a Windows Server service and would need a CAL.

 

Q3 - If I have a Remote Access card installed in a server, does that need a CAL? If I run sniffer, does that need a CAL? If I use a common management tool that installs a service/daemon on each server - does that need a CAL?

A3 - Peripherals, server components and network equipment on their own do not generally require a CAL (for Windows Server or otherwise).  Server to server communication does not require a Windows Server CAL (between two licensed Windows Servers).  Device CALs are intended for the clients/endpoints accessing the Windows Server (for any reason - to get an IP address, to access a file, to authenticate to AD, to access an application of any type on the Windows Server, etc.)  User CALs are intended for the same reason - but are assigned to the users using the clients/endpoints.  For example, a sniffer.  Generally, these won't require a CAL - they simply monitor network traffic.  However, let’s say that you have a software based sniffer installed on your desktop at work - and your desktop is accessing Windows Server (to get an IP, to authenticate to AD, etc.)  This scenario will require a device CAL for your desktop (or a user CAL for you), not because you are using a sniffer, but because the device/endpoint it’s installed on accesses Windows Server.  Management software.  Let’s use the same concepts above.  Let's say for example, the management software is installed on a Windows Server, and is being used to manage client devices, network equipment, and other servers.  Any device that accesses Windows Server as a result of being managed will require a Windows Server device CAL (with the exception of other Windows Server since Windows Server to Windows Server communication does not require a CAL).  If you are licensed by user in this scenario however, and all users are covered with a Windows Server CAL, the n you’re covered since all users of the managed devices are already covered with user CALs.

 

Q4 - If I manage another companies servers as their help desk...and employ more than 3 people...and I already have CALs for my people, do I need additional CALs to administer their network?  

A4 - CALs (for Windows Server, Windows Server RDS, Exchange Server, SharePoint, SQL, Lync, etc.) can be used only to access organization owned servers.  Your CALs cannot be used to access servers operated by an independent organization (see #6 in the blog above).  That being said, their licensed servers will provide the ability for 2 users/devices to access the servers for purposes of administration.  For any number of users/devices employed to manage their servers in excess of 2, additional CALs will be required.  For example, if 10 people, using 10 different devices are employed to manage their servers - a total of 8 additional user or device CALs will be required.  The organization whose servers are being accessed will be required to purchase these CALs however.  It is worth pointing out, that certain products - such as Exchange Server 2013, SharePoint Server 2013, and Lync Server 2013 (as well as to some extent, CRM Server 2013) do not require CALs for external user (non-employee) access (administrative access or otherwise).  In this example, you are being hired by a third party to provide help desk support OFFSITE and would be considered an external user (see #3 in the blog above).  If for example, you have 10 users/devices employed to administer a third parties servers - the company may be required to purchase additional CALs for products such as Windows Server, and/or (unless licensed by processor or core).  However, because you can leverage the external user CAL exception for Exchange Server 2013, Lync 2013, or SharePoint 2013 - additional CALs for these products would not be required in this scenario.  Note the external user CAL exception for the products mentioned above apply only to the current versions and not prior versions. External users must be offsite.

 

Q5 - So, if I host a web server using a Web Workload for any reason I need CALs for each user?

A5 - CALs are not required to access servers running a web workload (defined above in the blog), so no - CALs are not required to access servers running a web workload when users access anonymously.

 

Q6 - If I assist another company in an e-mail migration to O365 and need administrative/test mailboxes - do those need CALs?

A6 - It’s best to look at each involved product individually.  For example, in this scenario you could potentially have Windows Server, Exchange Server, and Office 365 (or Exchange Online) - each with their own unique CAL licensing requirements.  For Windows Server, see A4 above as this would be considered administration.  For Exchange Server, we license by user or device accessing the Exchange Server (not per mailbox).  Exchange Server also has the same 2 user/device administration exception as described above.  If you have more than 2 users/devices accessing Exchange Server for the migration - yes additional CALs will be required.

  • Admin and test mailboxes just look like regular mailboxes from an O365 perspective, so they require subscriptions to be assigned.   (USL required)

  • Admins can administer Office 365 (including Exchange) without having a mailbox, so that answer is a little more nuanced than the test accounts one.

  • Regarding 30 day grace period, there is a very narrow scenario where this is enabled (when you have a hybrid deployment and you are moving mailboxes from on-premises) but it is not worth bringing up in this context.

  • Note that we offer free 30 day trials of 25 licenses per tenant for Office 365, so that’s how most customers accomplish their testing.

 

Q7 - When accessing a VDI, do I always need an RDS CAL even if I use a pure Citrix solution?

A7 - Note that we have amended the last sentence to number 5.  RDS CALs are required only when accessing the Windows Server GUI, or if any of the RDS components listed are used (e.g. Remote Desktop Web Access, Remote Desktop Gateway, Remote Desktop Connection Broker, Remote Desktop Session Host, or the Remote Desktop Virtualization Host.)  If you are using a third party VDI solution, and it does not use any of the RDS components, then RDS CALs are not required.

 

We apologize if we were unable to get to each and every question.  Please note this post was intended to be a general guide only and address some outlier scenarios we hear about from time to time.  We encourage everyone to leverage your resellers, partners, and/or distributors.  In each case, these resources have access to teams directly at Microsoft who can answer licensing questions, who are better equipped to answer large volumes of questions.  There is also a group available who handles licensing questions via the Sales and Partner Information line at 800-426-9400 .

Again, we appreciate the feedback and please know that it is shared with our products teams.


Comments
  • In the answer to Question #1: "A multifunction printer accesses server software to; receive an IP address..." -- does this mean that any device which receives an IP from a Windows DHCP server requires a CAL (assuming the environment is Device-CAL-only)?

  • Hi !

    Can you clarify this point in FAQ, please : If i use a Windows Server 2012 R2 for WSUS without backend server (only internal database installed by WSUS on front end), does i need CALs ?

    Thanks

  • I think that this "clarification" is probably one of the worst that I've seen. First, a CAL is not a CAL. There are AD CALs, Exchange CALs, SharePoint CALs and a bunch of others. There are many times when multiple CALs are required, but yet no mention of it.
    It was my understanding that AD CALs are only required when users authenticate against the server. A printer receiving DHCP wouldn't require a CAL. Would an IP addressable light bulb that get's a IP require a CAL? What about all of the IP telephones on my network that DON'T talk to the AD, but still use DHCP. Do they require a CAL?
    Come on, get a little more real about this, A freaking printer requires a CAL? I've known of no Microsoft Sales rep that would even think about asking customers to buy CALs for printers.

  • My interpretation is that multifunction printer may carry out a task (such as scanning a document) that is stored using Windows Server credentials. In this case the multifunction printer is using Windows Services just like a PC and would require a CAL unless the person accessing it has a Windows Server User CAL assigned to it. A regular printer would not require a CAL.

  • I am very concerned about these FAQ's. #1 and #5 I find a little horrifying. Ed's comments about lightbulbs reflects my horror with #1. As for #5, ASP.Net is designed to have a pluggable infrastructure for security. If a web app is authenticating with something other than AD, it makes zero sense to me why an external connector would be required. Seriously Microsoft.., this on top of the lagging mobile and tablet market share, issues with the Surface Pro2, changes to MPN is really making me consider things outside the Microsoft stack, and based on #1 and #5 for me personally that might begin with the server layer. The team I respect the most at MSFT is the VS team.. so I don't see stopping using VS for the foreseeable future for dev, but what dev I do in VS I can see changing more radically to HTML/CSS/JS for front end, Node.JS for the application layer, and well I guess I should start investigating a good SQL replacement (other than MySQL which I do not like).

    It is in your best interests to clarify #1 and #5.. I know I'm not the only .NET Developer who is getting tired of MSFT licensing complications, small market share in important areas, etc. A love for C# will only go so far!

  • This is worse than trying to do taxes. I have a bunch of questions based on the above.

    1. If I have a printer that uses an IP adders assigned by a router, but the drivers are deployed via a GPO...does that need a CAL?

    2. If I have guests that come into my office an temporarily use a Windows DHCP server to grab an IP address to access the Internet, do they need CALs? I guess the takeaway is to never use a Windows DHCP server?

    3. If I have a Remote Access card installed in a server, does that need a CAL? If I run sniffer, does that need a CAL? If I use a common management tool that installs a service/daemon on each server - does that need a CAL?

    4. If I manage another companies servers as their help desk...and employ more than 3 people....and I already have CALs for my people, do I need additional CALs to administer their network?

    5. So, if I host a a web server using IIS for any reason I need CALs for each user?

    6. If I assist another company in an e-mail migration to O365 and need administrative/test mailboxes - do those need CALs?

    7. Does a management software that sends out e-mails as alerts need CALs? Does a monitoring software that send s aping to a SQL server verifying logon is up and functional need a AD and SQL license?

    So far the lessons I am learning here is to never, ever use Microsoft DHCP servers for anything, never utilize IIS for your web servers, try to standardize on as many non-Microsoft products as possible, and hold onto your shorts as it's impossible for any mere mortal to actually license anything correctly.

  • I'm more confused after I read this article than I was before. Multifunction printers need a CAL? Get out of town - that's ridiculous.

  • "Yes, if the multifunction printer is connected to a Windows Server network. A multifunction printer accesses server software to; receive an IP address, to receive a job, to communicate that the job is finished, etc. In short, it communicates with the server software. If the multifunction printer is accessing any server software licensed via the Server / CAL licensing model it requires a CAL for that software. The one caveat is, if your users who use the printer have CALs then the printer is covered by their use via their CALs. If not then the printer itself requires a device CAL. The same CAL requirement applies to any other type of networked device – such as networked scanners, networked fax machines, etc. Devices that do not connect to the network or the server software (generally referred to as peripherals) do not require CALs."

    We have many printer/scanner/fax machines. You are saying that we need to license a CAL for each of them just because they lease an IP address? Wait - what? That's news.

    If we hard code the servers and remove the server print queue so that the clients directly print to them would that remove the requirement to need a device CAL? I ask this because a number of our users don't log into AD, but they do print to the printers and nobody has ever informed us that we need CALs for these devices before. I just sent an e-mail to our Microsoft Partner and they have never heard of this requirement before either.

    Does this mean that our BigIP boxes needs CALs? It sounds as if anything that utilizes dynamic IPs needs a CAL, so do our IP-based phones that configure via scope options also need CALs? If so, then we'll immediately remove the services from our Windows servers and utilize our hardware switches and/or routers to perform the leases instead.

    I'm very concerned about #2 as well because we utilize BigIP load balancers. Do we need CALs for all of our VIPs and NATs? How does that work? Does our routers need CALs? This is very confusing information and I can't understand all the details.

    For #7, we have more than 2 administrators. How does that work? We need to buy CALs for our Microsoft Partner in order to have them access our servers too?

    Y'all have made this beyond understanding and too convoluted. I don't even know how I'm supposed to be compliant here and I don't have months of my time to pour over this information trying to figure everything out. Again, even our licensing partner is confused. This is a mess and now you're adding cloud services into this as well. You need to clean this up and remove the confusion.

  • In regards to number six above, does that mean that all outsourced helpdesks need adminstrative Cal's for each customer they manage if they have more than two administrators assisting the customer? That does not seem fair to me.

    For number five, if customers buy items from IIS servers, then they need a Cal for each user? That is a sure way to get people to instantly drop IIS and switch to Apache. That is not going to fly.

    For number one, there is not a single entity that I know of that buys printer cals. that is retarded.

    I linked here from the computerworld articles and I must say I knew licensing was complicated, but had no idea it was this big of a mess

  • " If you use a Linux server to run a web server, but your users accessing the web server are being authenticated via Windows Server – users (or the devices they use) will need a Windows Server CAL."

    For each user? That could be tens of thousands or even hundreds of thousands. That is in addition to the sql server license?

    Time to drop SQL as well. Completely and utterly retarded licensing model that makes zero sense.

  • Does anyone respond to these comments? I see a lot of people with great questions. Where can we find the answers?

  • I thought I understood microsoft licensing - on a couple of occassions I've corrected or found Microsoft licensing changes that the resellers we use have had to check with Microsoft are actually correct....

    Having read this post clarifying FAQ's, I'm think i'm actually confused.

  • Microsoft, please provide clarifications on this post. After reading it (twice) I have to admit I'm even mover puzzled than I was when I started. If this is your idea of clarification - then big, big massive fail.

  • It would be great if Microsoft would document its answers, like point out where in its contract language these rules come from. Let me quote some important Microsoft contract language, since they seem to be avoiding it.
    For example, here is the official language (from a Microsoft Enterprise Enrollment) that defines a "Qualified Device," which is, among other things, a device that would need to be licensed with a CAL. Tell me if you see any printers in here.
    "“Qualified Device” means any device that is used by or for the benefit of Enrolled Affiliate’s Enterprise and is: (1) a personal desktop computer, portable computer, workstation, or similar device capable of running Windows Professional locally (in a physical or virtual operating system environment), or (2) a device used to access a virtual desktop infrastructure (“VDI”). Qualified Devices do not include any device that is: (1) designated as a server and not used as a personal computer, (2) an Industry Device, or (3) not managed (as defined in the Product List at the start of the applicable initial or renewal term of the Enrollment) as part of Enrolled Affiliate’s Enterprise."
    I'll now throw in part of the definition of an Industry Device, which is, in effect, something that is NOT a Qualified Device.
    "“Industry Device” (also known as line of business device) means any device that: (1) is not useable in its deployed configuration as a general purpose personal computing device (e.g., personal computer), a multi-function server, or a commercially viable substitute for one of these systems."
    I'd say a printer falls far more easily into the Industry Device category than the Qualified Device category.
    The rules are more complicated than this--an industry device might still require a CAL in some cases. But surely if MIcrosoft wanted to dump printers, network switches, fax machines and the like into the pot, this would be the place to do it--in their contract language.

  • @Paul - I would say a printer is an "Industry Device" as well.

    I sure hope that some one from the licensing team is reading this blog and can help clarify the situation. I'm thoroughly puzzled as to this blog post. It makes things seem much more complicated than they need to be and obfuscates many issues.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment