Licensing Focus: External Connectors

 

This article pulls together one of the most comprehensive resources on External Connectors and SharePoint for Internet Sites on the internet. Microsoft has done a great job updating their own website; this article also looks at the other areas and definitions that will affect how you look at licensing your estate. Where possible I have included Product Use Rights references from the October 2010 release.

Important Definitions

“A customer’s CALs permit access to servers licensed by that customer or its affiliate (as defined in the customer’s volume license agreement).” [Ref: Product Use Rights]

An External Connector (EC) license is an alternative to CALs for each server that external users will access. External users are users who are not employees or onsite contractors.  An EC license assigned to a server permits access by any number of external users, as long as that access is for the benefit of the licensee and not the external user.  Each physical server that external users access requires only one EC license regardless of the number of instances running.  The right to run instances of the server software is licensed separately; the EC, like the CAL, simply permits access.  EC licenses, like CALs, are version and functionality specific. They must be the same version or later than the server software being accessed.  The decision on whether to acquire CALs or an EC for external users is primarily a financial one.  [Ref: Product Use Rights, Page 8 of 136]

Each physical server that external users access requires only one EC license regardless of the number of instances running.

[Ref: Product Use Rights, Page 11 of 136]

a) External Connector Licenses. You must assign each external connector license you acquire to a server licensed to run one or more instances of the server software. A hardware partition or blade is considered to be a separate server. Each external connector license assigned to a server permits any number of external users to access instances of the server software on that server. You do not need CALs for those users.

“External users” means users that are not either:

(i) your or your affiliates’ employees, or

(ii) your or your affiliates’ onsite contractors or agents.

You do not need an external connector license for external users who access your instances of the server software only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means. [Ref: Product Use Rights, Page 38 of 136]

SharePoint for Internet Sites

Under the external users definition, a customer who is an external user can leverage the SharePoint for Internet Sites license.

The caveat for the license is that it is for external users only (anonymous Internet users or authenticated extranet users). Internal users can only use this license if all content, information, and applications are also accessible to external users. If the server has content, information and applications that are for internal use only, then those users need to adopt the Server / CAL model.

Microsoft Office SharePoint for Internet sites is used for both anonymous Internet users and authenticated extranet users. It is the only way to license SharePoint for anonymous Internet use, but it is one of two options for extranets. If the external users are countable and individual CALs can be assigned to specific individuals, CALs are an alternative licensing method. In such cases, the decision between the two licensing models is typically made based on comparing the prices.

The SharePoint Enterprise CAL isn’t based on read versus write access, and accessing or using the Dashboards requires a SharePoint Enterprise CAL. All users accessing the Dashboards feature have to be licensed, even those accessing it only to view information.

If you want to consolidate SharePoint under a single deployment, then you can assign both the Server / CAL model and the Internet Sites license. However, a CAL is required to access content limited to internal users.

SharePoint for Internet Sites, Enterprise, delivers the full capabilities of the SharePoint 2010 Enterprise CAL for use on an Internet or extranet site.

Once the Enterprise features of Microsoft Office SharePoint Server are enabled, every client accessing Enterprise functionality on that server, or servers in a farm, is required to have an Enterprise CAL in addition to their Standard Client Access Licenses.

Usage Scenario

Internet-facing Web site: where content, information, and applications are meant to be used by external, non-employees. For example, as a company’s Web presence, informational Web site, community usage (wikis, blogs, discussion lists), or an e-commerce Web site.

Office SharePoint Server 2010 for Internet sites

No CALs are required for the authoring of external-facing content by internal users.

Extranet Web site: where internal and external, employees and non-employees, can collaborate on content, information, and applications that are not being used exclusively for internal organizational use.

Office SharePoint Server 2010 for Internet sites OR Microsoft Office SharePoint Server 2010 combined with CALs

Internal Intranet Portal or team site: where internal users, or employees, can collaborate on content, information, and applications that are meant for internal organizational use.

Office SharePoint Server 2010 along with CALs

Microsoft SharePoint Website


Defining the Enterprise


[Ref: MBSA 2009 Agreement]

The customer is able to define the affiliates in their Enterprise when signing the Enterprise Agreement.

The Enterprise Agreement price point is determined by platform standardization; accordingly, all desktops of all departments and divisions must be included in the agreement. The customer cannot separate individual departments; however, they could separate legal entities that, even though they might be owned 50% or more, for some reason would not commit to the same standardization. That is why the enrollment has a section where one can exclude affiliates, or elect only specific affiliates to be included. Please note that including all affiliates also covers affiliates owned 50% or more that might even be located in countries different from the one where the agreement is being signed.

 

Windows Server External Connector

 

Customer Scenario

The customer has three Windows Servers:

  1. Windows Server 2008 R2 Datacenter (facing the Internet)
  2. Windows Server 2008 R2 Datacenter running IBM WebSphere MQ 
  3. Windows Server 2008 Enterprise, running SQL Server (Per Proc)

In terms of the process:

  1. External users come in from the internet
  2. They connect to a Windows Server 2008 R2 server (Server #1 above)
  3. Server #2 above processes the information from Server #1, interrogates the SQL Server (Server #3 above) and completes the process.

The users will never authenticate against the Windows Server specifically; instead, SQL Server, which in this case is licensed per processor, will hold both usernames and passwords. The questions are:

  1. Would an External Connector be required?
  2. If Server #1 was a Windows Web Server, instead of a Datacenter edition server, would that negate the need for an External Connector (EC) for that particular server?
  3. Can a Datacenter edition Windows Server be downgraded to Web Server, (For example as a Virtual Machine, with a correctly licensed host), and thus again, negate the need for an External Connector (EC)?
  4. If they do require External Connectors (EC) in this scenario, yet the Windows Servers / SQL Server are all virtualised on Host #1, would the customer only need 1 Windows External Connector (EC)?
  5. Does forms based authentication exempt a customer from requiring CALs?

Answer

  • In your customer’s scenario they will require a Windows Server 2008 R2 External Connector (EC) for each physical server that is being accessed indirectly by the external users.
  • It does not matter where that authentication takes place; if the external user is identified in any way, a CAL or an External Connector (EC) is required for access.
  • If Windows Server OSE #1, #2 and #3 are all running on one physical host, only one Windows Server External Connector (EC) is required.
  • Windows Server 2008 R2 Datacenter edition cannot downgrade to Windows Server Web (any version).
  • If Server #1 was a Windows Server Web edition it would negate the need for a Windows Server External Connector (EC) for that OSE.
  • If you are running a SQL Active-Passive cluster you only need to purchase the processor licenses for your Active Node.
  • Forms-based authentication is covered by the “through any other means” caveat in the Product Use Rights. [Ref: Product Use Rights, Page 36 of 136]

Question

  1. Information is pulled from Active Directory (AD) on a regular basis to update records and held within an online “web service” like BPOS or Google. That information is then used within the “web service” to authenticate users, rather than the web service communicating back to AD to authenticate – no data passes backwards and forwards between AD for authentication.
  2. A Linux web server running Apache performs LDAP(S) authentication (an LDAP request to Active Directory using the standard LDAPS functions found in Apache web servers) for users to gain access to a cloud-based intranet site.
  3. An SMTP mail gateway performs LDAP lookups to verify internal e-mail addresses held in AD (simply an e-mail address book lookup – no authentication or access control functions).

Answer

Any direct or indirect access to a Windows Server where the users/devices are uniquely identified will require a CAL for every user or device that accesses the Windows Server.

If the accessing users and/or devices are external (not your affiliates’ employees, or your affiliates’ onsite contractors or agents) you can assign a Windows Server External Connector (EC) license to the Server.

 

Product Use Rights

Below I have provided the relevant sections from the Product Use Rights that you will be able to refer to. As always, don’t rely on this website but go directly to the most recent version of the PUR for your region.

 
a) Client Access Licenses (CALs).

  • You must acquire and assign a CAL to each device or user that accesses your instances of the server software directly or indirectly.  A hardware partition or blade is considered to be a separate device. The appropriate CAL for each product is listed in the table below.

You do not need CALs for:

  • (1) any user or device that accesses your instances of the server software only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means,
  • (2) any of your servers licensed for and running instances of the server software,
  • (3) up to two devices or users to access your instances of the server software only to administer those instances, or
  • (4) any instance running in a physical operating system environment used solely to
      (i) run hardware virtualization software
      (ii) provide hardware virtualization services
      (iii) run software to manage and service operating system environments on the licensed server

  • Your CALs permit access to your instances of earlier versions, but not later versions, of the server software, unless stated in the table below. If you are accessing instances of an earlier version, you may also use CALs corresponding to that version. [Ref: Product Use Rights, Page 36 of 136]

a) External Connector Licenses. You must assign each external connector license you acquire to a server licensed to run one or more instances of the server software.  A hardware partition or blade is considered to be a separate server.  Each external connector license assigned to a server permits any number of external users to access instances of the server software on that server.  You do not need CALs for those users.

“External users” means users that are not either:

(i) your or your affiliates’ employees, or

(ii) your or your affiliates’ onsite contractors or agents. 

You do not need an external connector license for external users who access your instances of the server software only through the Internet without being authenticated or otherwise individually identified by the server software or through any other means.

[Ref: Product Use Rights, Page 38 of 136]

For Windows Server 2008 R2 Datacenter Edition:

Running Instances of the Server Software.

The software is only available for servers with two or more processors.  You may not run instances of the server software on a server with less than two processors. You may run on the licensed server an instance of Standard or Enterprise in place of Datacenter in any of the operating system environments. 

 

Thanks to my colleagues for the customer scenarios.
