Forefront Client Security Subscription Licensing
Jun. 25, 2007

Forefront Client Security (FCS), which became generally available in July 2007, is a subscription-based online service that does not follow Microsoft's more traditional server and Client Access License (CAL) perpetual license model. The way the subscription model is priced makes the product most cost-competitive for large organizations, in particular large organizations that can add FCS into an existing infrastructure that includes Windows Server and SQL Server. While customers can add clients to their subscription at any time during the term of the agreement, they cannot cancel or reduce the number of clients until the agreement ends or is renewed.

The FCS Licensing Model

FCS, Microsoft's first antivirus and antispyware offering for corporate customers, includes client- and server-side components and requires that both the clients being protected and the servers providing the protection be licensed under the company's Online Services Licensing (OSL) program. (For more detail on the basic FCS architecture and components, see "Forefront Client Security Focuses on Administration" on page 9 of the June 2007 Update.)

The client component of FCS is an agent that runs on each protected computer (desktop, laptop, or server) to provide malicious software protection, security state assessments, and event gathering and alerting. Under OSL, every computer protected by FCS requires one of two licenses for clients or users, each of which costs approximately US$13 per year, and at least one license for the FCS management console.

A User Subscription License (USL) enables the functionality of a service for a particular user. Although FCS is primarily a tool to protect devices rather than people, Microsoft expects many organizations will license most users by the USL.

A Device Subscription License (DSL) enables the functionality of a service for a particular device. Typically organizations will use a DSL for computers that are used by multiple users, virtual machines, and servers being scanned by FCS.

An organization may choose to use the USL rather than a DSL if users have several computers, such as a desktop and a laptop, or the organization wants to extend FCS to employees' home computers, which can get updates for the home computer from either the organization's FCS server or Microsoft Update.

Another way to license devices or users for FCS is with the Enterprise CAL Suite, a bundle of 11 different CALs that includes FCS client access. The Enterprise CAL Suite can be purchased per device or per user, and its components, such as FCS, are also then applied per device or per user, depending on which edition of the Enterprise CAL Suite was purchased.

A Services Subscription License (SSL) is also required for each FCS management console, used to manage scanning policies, collect status information, and produce status reports. A single console (i.e., FCS server machine) can manage several thousand machines.

Note that SSL licensing for FCS is different from that of most other products licensed under the OSL. In most cases, an organization purchases a single SSL to subscribe to a service. In the case of FCS, however, each deployment of the FCS management console within an organization requires its own SSL. (For an illustration showing a typical FCS installation and how each piece is licensed, see "Basic FCS Licensing Model".)

Because FCS uses an online services model, its cost is not affected by either the number of CPUs or the number of processing cores in the server.

Operation of FCS requires three other Microsoft products—Windows Server Update Services (WSUS), Microsoft Operations Manager (MOM) 2005, and SQL Server 2005. WSUS, a free add-on to Windows Server, is used to get current signature files from Microsoft Update and to distribute them to the FCS agents.

A specially adapted version of MOM 2005 collects status information from FCS agents. The FCS SSL includes a license for this stripped-down version of MOM. (Note that use of this version of MOM is required for FCS, even if an organization is already using MOM 2005 or its successor, Operations Manager 2007, for other management purposes.)

FCS also relies on SQL Server 2005 Standard Edition or Enterprise Edition to store various FCS data and produce reports. Unlike WSUS and MOM, the SQL Server requirement has significant licensing implications.

Licensing SQL Server

If an organization already has a Windows Server and a SQL Server with sufficient capacity, then licensing the infrastructure is simple, but could still add costs.

If a SQL Server that has available capacity to support FCS is licensed with a per-processor license, then the customer needs only the required number of SSLs and USLs or DSLs. In this case, the cost for an SSL will be US$98 per year, making the cost for the SSL and 100 scanned devices US$1,357, or less than US$15 per device per year.

However, if an FCS customer uses an existing SQL Server licensed in the server/CAL model (SQL Server's second licensing option), all the clients protected by FCS must also have a US$162 SQL Server CAL.

Infrastructure Needed

If an organization lacks sufficient capacity on an existing SQL Server, it will need an additional SQL Server license, for which it has the following two options:

  • Purchase a stand-alone license for SQL Server.
  • Purchase an edition of FCS that includes a license for a copy of SQL Server 2005 Enterprise Edition that must be used for FCS only.

The cost for an SSL for FCS with the included SQL Server is US$2,468 per year. It is not clear why Microsoft requires Enterprise Edition in the special FCS/SQL Server bundle, because the SQL services needed to host FCS, such as SQL Reporting Services, are available in SQL Server Standard Edition. When using the FCS/SQL Server bundle, the total cost of FCS for 100 computers is US$3,727 per year, or approximately US$37 per device.

Alternately, the customer can purchase a stand-alone license for SQL Server Standard Edition separately (at US$5,737 for a perpetual per-processor license), which might cost less than the FCS edition that includes Enterprise Edition if amortized over a few years. In addition, the stand-alone SQL Server license can be repurposed if the customer does not renew their FCS subscription, while the bundled SQL Server license cannot be used without an active subscription.

Online Services Licensing

Most Microsoft products are licensed for perpetual use: if a customer purchases licenses, the customer can use the licensed product forever. OSL, the sole licensing model used for FCS, is a subscription: during the term of the subscription, customers are entitled to install and use the latest version of the client agent and server software, and download updated signature files. But rights to use the software cease at the end of the subscription term. If the customer does not renew when the subscription term expires, the customer may no longer use FCS.

Although Microsoft's licensing site states that updates and upgrades are included at no additional cost with the subscription, customers are not guaranteed complete upgrade rights. Significant enhancements to FCS in the future could be licensed under an additional OSL called the Add-on Service License. In other words, customers may have the right to the latest version of the existing FCS features, but new features that expand the functionality of FCS into new areas of security protection could, at Microsoft's discretion, require an additional payment for an Add-on Service License.

The FCS SSL includes one phone support incident for general technical support, and there is no charge when working with Microsoft to resolve false-positive or malicious software submissions or for e-mail-based support. All of the money an organization pays Microsoft for FCS licenses also counts toward the accumulation of Software Assurance (SA) benefits, which can be used for additional phone support incidents, but to get one additional support call, which costs US$245 if purchased separately, an organization must spend another $20,000 on FCS.

Paying for FCS

FCS is licensed through specific volume license programs: Select, Open Value, or Enterprise Agreements (EA). FCS is priced monthly and billed annually for a subscription term equal to the remaining term of the underlying volume license purchase agreement.

Subscription Term

An FCS subscription extends from the date of purchase to the end of the term of the underlying volume license purchase agreement; for example, when added to an existing EA, the FCS subscription term is the remaining term of the EA.

The FCS subscription term is critical because once FCS is added to an agreement it cannot be cancelled, nor can the number of SSLs, DSLs, or USLs be reduced until the end of the subscription term.

Billed Annually

Depending on the reseller of the volume license purchase agreement, it may be possible to be billed and pay for each year of the FCS subscription on the agreement's anniversary date; otherwise, customers must prepay for the entire FCS subscription term. Most volume license resellers support annual payments.

Thus, if a customer purchases FCS when signing a three-year agreement, the FCS subscription term is 36 months, and the customer is entitled to use FCS for those 36 months. The customer is entitled to any updates to the services included in FCS at the time of the agreement that Microsoft releases during those 36 months. At the end of the 36 months, the customer must renew its subscription to continue using FCS. If the customer does not renew, it may no longer use FCS.

If the reseller supports annual payments, then the customer will make three payments, one at the start of the agreement, and one each on the first and second anniversaries of the agreement. If the reseller does not support annual payments, then the entire bill for the 36 months is due at the time the agreement is signed.

The customer can never decrease the number of subscription licenses for the term of the license, but the customer can add subscription licenses at any time.

For example, a customer may have an existing agreement in place for nine months when it decides to deploy FCS. The customer would pay for the remaining three months left in the first year of the agreement at the time of signing and then pay for the remaining two years on the annual anniversary date. Although the payments are annual, the customer is committed to using FCS for the full 27 months that remained in its agreement at the time it subscribed. (For an illustration, see "Adding FCS to an Existing Agreement".)

Priced Monthly

The price listed for FCS on the Microsoft Open Value Volume Licensing price list shows the amount the customer will be billed per license, per month. For example, a USL or DSL for FCS is US$1.06 per month.

Customers must always commit to the full subscription term (the remaining term of the volume license agreement under which they purchased FCS). They are always billed annually, and they cannot drop the service or reduce the number of covered desktops on a monthly basis. The only time a customer would use monthly pricing would be if the customer were adding FCS to an existing agreement and it was necessary to calculate the costs to prorate the remaining months until the agreement's next anniversary.

Even then, the true cost per computer per month could only be calculated by including all the costs related to FCS, including a portion of the FCS SSL and the necessary infrastructure such as SQL Server.

Determining the True Costs

To determine the true costs of deploying FCS, it is insufficient to merely take the monthly costs for the FCS licenses (SSLs plus DSLs or USLs) in the Microsoft volume licensing price lists. Doing this could lead one to conclude that the licensing costs were just US$1.06 per client per month, or US$12.72 annually.

The actual per-client cost must also include the cost of the infrastructure for FCS divided by the total number of computers being scanned. For example, with an existing SQL Server licensed per processor, the cost per client, per year to license FCS to scan 100 computers is approximately US$15 (this assumes an existing Windows Server with capacity to run the FCS management console). Using FCS with the included Enterprise Edition of SQL Server, the cost per client, per year to license FCS to scan 100 computers is US$37. As the cost per scanned computer would rise with fewer clients, it would appear that Microsoft sees FCS as an enterprise rather than a medium to small business solution.

(For more details on how these costs were calculated, see "Estimating FCS Costs".)

Microsoft provides minimal assistance to a customer in complying with FCS licensing. For example, administrators can enter into MOM the number of DSL or USL licenses they have purchased so that a notice can be created when the number is exceeded. But it is only a warning; it does not force compliance. In general, compliance is left to the customer, and enforcement is based on the licensing agreement in place.

Availability and Resources

Microsoft's Online Services Guide, which outlines the rules for licensing an online service, including Forefront Client Security, can be downloaded from download.microsoft.com/download/0/b/f/0bff005c-5f96-4245-82be-de40cd91d5c8/Online_Services_Guide.doc.

Information on how to purchase Forefront Client Security is available from the Forefront Web site at www.microsoft.com/forefront/clientsecurity/howtobuy/default.mspx.

A technical overview of the Forefront Client Security service can be found in "Forefront Client Security Focuses on Administration" on page 9 of the June 2007 Update.