Are you in violation?

Recently, a client asked me to help with a complex but essential task.

"If these calculations are wrong, we'll lose a lot of money," my client explained. "There are a lot of rules, and it's got to be done right." I quickly reminded the client that I'm a computer guy, not an accountant. The confused client asked, "What would we need an accountant for?"

"You need help with your taxes, right?" I replied, a bit confused myself.

"No, we need help with our client access licenses."

I winced. Taxes are probably easier.

Windows NT 3.1 cost a flat $1500, and you could attach as many users to an NT Advanced Server (NTAS) as you wanted. That policy was an advantage over the then-dominant Novell file-server software because Novell charged larger enterprises more money than it charged smaller companies for NetWare. NTAS, in contrast, cost the same whether you attached one user or 1000 users to a server.

Microsoft changed all that in NT 3.5 by adding the Client Access License (CAL). You bought the server software for about $700, and bought CALs that let you attach users to the server. A CAL's list price was $40, but Microsoft offered half-price CALs to people moving from Novell, users upgrading from LAN Manager, and others. People upgrading from NT 3.5 to NT 3.51 didn't have to buy new CALs, but an upgrade to NT 4.0 required upgrading each NT 3.x CAL to an NT 4.0 CAL for about $20 apiece. When you move your servers to Windows 2000 (Win2K), you'll probably have to buy another set of CALs or upgrade the licenses you have.

The details of licensing confuse many people. Getting caught with an insufficient number of CALs can put you in legal hot water. So this month, let's take a look at how CALs work. (I'm grateful to Microsoft's Mark Hassall for supplementing my knowledge about this subject and verifying the scenarios in this column.)

A CAL gives you permission to access file-sharing and print-sharing services on an NT server. Beyond this basic definition, things get complicated quickly. For example, browsing Web pages on an NT machine running Microsoft Internet Information Server (IIS) doesn't require a CAL. I run a simple Rockliffe SMTP/POP3 server, and accessing my mailbox from an NT server running Rockliffe doesn't require a CAL. However, if your NT server is running Microsoft Exchange Server, you need a CAL to access your mailbox. When you access the chat service or public folders via a Web browser or news reader, you don't need a CAL.

Microsoft offers two ways you can use your CALs—you can choose per-server or per-seat licensing. Per-server licensing is the default option, but most firms choose per-seat licensing.

Per-seat licensing requires you to buy one CAL for each workstation that will access any server in your enterprise. That CAL entitles anyone sitting at a licensed workstation to access file and print services on any server in the enterprise, no matter what domain or workgroup the server is a member of. Regardless of how many people use a given workstation, you need to buy only one CAL for the workstation. (Although Microsoft calls this kind of licensing per-seat, the rest of the industry refers to this concept as per-workstation licensing.) You don't need to buy CALs for servers. Therefore, for an enterprise with 20 workstations, one PDC, and one BDC, you would need to buy 20 CALs.

You need a CAL for any workstation that accesses file and print services on an NT server, no matter how the workstation accesses those services. The workstation can be running NT Workstation, Windows 9x, or Windows for Workgroups (WFW). If the workstation is a Macintosh, it can be accessing Services for Macintosh and need a CAL. You don't need a CAL to access machines running NT Workstation, Win9x, or WFW if you want to use the peer-to-peer network sharing that those OSs support.

You might think the process sounds simple (but expensive) enough: Just buy a CAL for every desktop PC and NT-accessing Mac in the enterprise. But don't forget the laptops—they need CALs too. And what about home users?

Suppose an employee fires up the home PC and dials in to the company RAS server. She copies a spreadsheet and Microsoft Word document to a home PC, then disconnects. Because she just accessed file-sharing and print-sharing services, her home computer needs a CAL. Suppose another employee wants to check his office email before turning in for the night. Connecting to the company network via PPTP over his cable modem, he reads a few messages and disconnects. He must have a CAL for this situation.

Companies have no simple way to track these kinds of unintentional license violations. CALs are just pieces of paper. Although NT comes with a license-monitoring aid called License Manager, License Manager isn't geared to detect these kinds of violations. License Manager is more useful in tracking per-server licensing. Per-seat licensing enforcement depends on a combination of the honor system and disgruntled employees reporting license-violating firms.

How do you avoid getting in trouble with the license police? First, your firm can buy CALs for employees' home machines. (By the way, you can transfer CALs. If you fire Sam and hire Jane, you can stop counting Sam's home machine as one of your required CALs and start counting Jane's home machine.) This option can become complex because not all employees have home PCs and those who do might never access the corporate network. Buying an extra CAL for every employee is probably a waste of money.

Second, your firm can forbid employees access to the corporate network from home unless they use a company laptop. In this case, the company laptop must have a CAL.

Third, instead of per-seat licensing, you can choose per-server licensing. This option won't help many companies, but it might be useful to smaller businesses. A better name for per-server licensing might be per-connection licensing. You configure a per-server machine to accept only a predetermined number of concurrent connections. For example, if you set the number to 30, only the first 30 users trying to connect to the server succeed. The 31st user gets a connection-refused message.

If a firm with one server and 100 employees never has more than 60 users logged on to the server at any given time, the firm needs to buy only 60 CALs and set up the server with per-server licensing rather than per-seat licensing. The server doesn't care which 60 machines access it or whether those machines are at employees' homes or in the office.

The drawback of per-server licensing is that you must buy CALs for each server. If the firm in my example adds a second server and wants to permit up to 60 users to access that server, the firm must buy 60 more CALs for the second server. Had the company chosen per-seat licensing, it would need only 100 CALs for all its employees. Adding a second or third per-seat server doesn't require any more CALs—but the company would have to deal with that tricky home-computer problem.

The moral of the story is straightforward: Take another look at your licensing setup. You might need a few more licenses.