More than a dozen Microsoft server products require clients to be licensed with Client Access Licenses (CALs) or a limited-use license called an External Connector. Popular server products using CALs and/or External Connectors include Windows Server, Communications Server, Exchange Server, SharePoint Server, and SQL Server (which can also be licensed in other ways). These products follow many of the same general principles, but each product has its own rules. The general principles that hold for most products are described here.

Client Access Licenses

A CAL gives one person or physical device the right to connect to and use any instance of the server product running within the organization. CALs are the only option available for licensing an organization's employees and onsite contract employees. However, organizations can also use CALs to license nonemployees€”such as business partners, suppliers, customers, retirees, and alumni users. General principles for CALs include the following:

CALs can be assigned per-user or per-device. A User CAL gives one person the right to access all instances of the server product from any device. User CALs are attractive when users employ several devices; for example, when employees access Exchange mailboxes from PCs and mobile phones. A Device CAL licenses a particular device to access a server product. Device CALs are useful for devices shared by multiple users, such as workstations in a 24-hour call center.

User and Device CALs cost the same but have different part numbers when purchased through volume license programs. Customers can purchase a mix of User and Device CALs for the same product, but to ease management and tracking Microsoft recommends customers standardize on one or the other. Changing the mode of previously purchased CALs is only an option for customers with CALs enrolled in Software Assurance, and then only at the time they renew Software Assurance on their CALs.

Not all products offer both types of CALs. For example, Identity Lifecycle Manager (used to manage user accounts and privileges across systems) and Duet for Microsoft Office and SAP offer only User CALs.

One CAL covers all instances. No user or device ever needs more than one CAL to access all instances of a particular server product running within the organization. For example, if a Vista workstation is running two instances of Windows in virtual machines (VMs), and both VMs access Windows Server, only a single Windows Server CAL is needed.

CALs have no digital footprint. CALs are simply a set of legal rights; they are not installed as software or recorded in the Windows Registry or Active Directory. As a result, CALs cannot be detected and counted automatically by software asset management tools.

Organizations need to own enough CALs to cover all the clients that use the server product. This is not simple, because Microsoft does not provide tools to measure and compare actual usage with CAL purchases or to enforce compliance by blocking access by unlicensed clients. To assure compliance, customers must either buy CALs for all users or devices or stitch together their own compliance monitoring or enforcement system.

In a few cases, CALs are enforced by the software. Windows Server Terminal Services records CALs in electronic form, tracks clients, and in some situations, ensures that licensing limits are not exceeded. Windows Essential Business Server (EBS) 2008 includes a similar capability.

CALs are specific to server versions, not server editions. Microsoft designates versions of server products by calendar year of release, and each server product version normally has a corresponding CAL version. In general, a client with a CAL for a server product version may only access the same or prior versions of the server product. For example, a Windows Server 2008 CAL can be used to access Windows Server 2008, Windows Server 2003, or any of its predecessors, but a Windows Server 2003 CAL does not provide the right to access Windows Server 2008. Microsoft does not always require new CALs with a new version of a server product: for example, Windows Server 2003 CALs are valid for access to the subsequently released Windows Server 2003 Release 2 (R2).

A CAL may normally access any edition of a server product version to which it applies. For example, a Windows Server 2008 CAL is valid for access to Windows Server 2008 Standard, Enterprise, or Datacenter editions. One prominent exception is the SQL Server Workgroup Edition CAL, which is not valid for access to the product's Standard or Enterprise editions.

Access through an intermediary still requires a CAL. Customers can't avoid the need for CALs by placing an intermediate multiplexing or pooling device between clients and the server software. For example, users who access their Exchange mailboxes via a Web server (i.e., Outlook Web Access) still must have an Exchange Server CAL even though they access Exchange indirectly. Similarly, organizations commonly use pooling to reduce the number of clients that directly connect to SQL Server databases since each time a connection is made it consumes additional server resources. A SQL Server licensed using CALs and servicing queries from 100 employees might be programmed to put 25 connections in a pool, and each request to the database uses a connection from the pool. The customer must still license 100 SQL Server clients, even though only 25 connections are used.

Some features require additional CALs. Several Microsoft server products have more than one type of CAL. Some products (such as Exchange and SharePoint Server) have a base CAL (often called the Standard CAL) which is required for all clients and licenses the clients for the most common functions, while an additive CAL (often called the Enterprise CAL) must be added to the base CAL for premium features. For example, an Exchange 2007 Standard CAL entitles the client to the most common end-user features of Exchange, such as its e-mail and calendar functions, while use of the Exchange unified inbox feature (which stores not only e-mail but also fax and voice messages) requires a second (additional) CAL, called the Enterprise CAL. Other products, such as Dynamics CRM and Windows Essential Business Server, offer a base CAL and a premium CAL, where the premium CAL grants a superset of the rights of the base one.

When a server product has multiple CAL types, they are generally not tied to a particular server edition. For example, the Exchange Standard CAL may be used to access Exchange Server Enterprise Edition. As noted, this is not true for SQL Server Workgroup Edition CALs.

CALs are not always required. Up to two devices or users may access most server products for administration purposes (such as reading an event log) without CALs. Some specific products require CALs in some circumstances but not others; for example, Identity Lifecycle Manager requires CALs only for users who employ a specific subset of its digital credentials management features, and Windows Server does not require CALs for anonymous clients accessing a server over the Internet.

CALs are not bundled with client or server software. CALs don't include rights to use the client software necessary for interfacing with the server product, and the license for the client software usually does not include a CAL for the associated server product. For example, the Exchange Server 2007 CAL does not include a license to use Outlook 2007, and Outlook 2007 does not include an Exchange Server 2007 CAL. One notable exception to this rule is the Project Professional 2007 client software, which bundles a CAL for Project Server 2007.

Enterprise server product licenses purchased through volume licensing programs do not include corresponding CALs, which must be purchased separately. CALs are sometimes bundled along with a server license in retail packages of Windows Server, Exchange Server, and SQL Server, but organizations of any size are unlikely to purchase through retail channels because volume licensing programs offer better prices.

External Connectors

The majority of products licensed with CALs also offer External Connectors. An External Connector licenses an unlimited number of clients to access a server product on a single physical server. The clients licensed by an External Connector may not be employees of the organization that owns the server, and onsite contractors are considered employees. An External Connector license is for a specific server: if an organization makes a server product available to external clients on multiple servers (such as multiple servers in a Web farm), each server requires its own External Connector license.

External Connectors are valuable for licensing products that serve an organization's customers or business partners, where it's not practical for the organization to purchase a CAL for every authorized user or device. For example, an organization might use a Windows Server External Connector to license suppliers accessing the company's extranet site.

Some general principles that apply to CALs also apply to External Connectors:

• An External Connector is not software but only a right that customers purchase
• External Connectors are specific to server versions, not server editions
• Access through an intermediary still requires an External Connector
• Some features require additional External Connectors (for example, Communications Server has both Standard and Enterprise External Connectors corresponding to its Standard and Enterprise CALs)
• Some specific types of external access might not require an External Connector; the rules vary from product to product
• External Connectors must be purchased separately from the server software.

Two principles are specific to External Connectors.

An External Connector licenses all instances of a server product running on a single physical server. For example, if a Windows Server 2008 server hosts four VMs running Windows Server, a single Windows Server 2008 External Connector is sufficient to license access by external users to all of the VMs.

External Connector licenses can be moved freely from server to server. Starting in Sept. 2008, External Connector licenses associated with the latest versions of Windows Server and server applications can be transferred from one physical server to another within a server farm without restriction. (The only caveat is Microsoft's definition of a qualifying server farm - see the licensing brief referenced in the "Resources" section in "Licensing Windows Server.") Previously, transfers could not take place more frequently than every 90 days. This change makes it more practical and less expensive to use virtualization to move workloads that require an External Connector between different physical servers running in a datacenter.