Re: SBS 2003 as web server
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Tue, 13 Jun 2006 12:45:29 +1000
that's correct. UNauthenticated access does not require a CAL. As soon as
you authenticate someone, by any means, BINGO, CAL required.
I posted this several days ago (3rd June)
the gist of recent discussion about licensing and external user access
(external users who are not covered by internal use CALs) suggests, in a
very grey manner, that you must have enough CALs for your internal users
(either 'user' or 'device') and enough CALs of 'user' type to cover the
number of concurrent external users who are not covered by 'internal' CALs.
Maybe an example will help:
SBS base CALs (5 CALs included)
I have 2 PC's in use by many people, 2 device CALs.
I have 3 people who use many devices, 3 user CALs.
Included CALs accounted/assigned.
I wish to allow access to an authenticated process on SBS2003. It is
authenticated therefore CALs are necessary (unauthenticated access does not
require CALs). It does not matter what mechanism is used for authentication
(I used to believe it was authentication against AD, I no longer think this
is correct).
I am going to allow authenticated access from 3000 people using any device,
but only 5 of those people at a time will be allowed to authenticate. I need
5 SBS 'user' CALs.
I get a headache when I think about the control mechanisms for this, you see
this scenario allows 8 external users to be authenticated, 5 'external'
users plus my 3 'internal' users (via their 'user' CAL) when they are
outside. Will the devoper of the web application provide a mechanism in
their application(s) to say DO/DON'T count this authentication against my
'concurrent sessions' based on whether the account is covered by an SBS
'user' (as against 'device') CAL? I doubt it. SBS can't count CALs, how can
I expect my web developer to do something MS can't be bothered addressing?
Say I need two different web applications, from different vendors. Will they
provide a mechanism that allows the 'concurrent connections' aggregated
across the applications to not exceed my 'allowance', I doubt it.
I don't even know if this is correct. It is my current interpretation.
"Gregg Hill" <bogus@xxxxxxxxxxx> wrote in message
news:e6WvhBpjGHA.1600@xxxxxxxxxxxxxxxxxxxxxxx
Per every doc I have read, anonymous connections via the Internet do NOT
require a CAL.
Are you saying that even anonymous web connections DO require a CAL?
Gregg Hill
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:eQw6QjojGHA.4044@xxxxxxxxxxxxxxxxxxxxxxx
This is not correct. It was my belief that only authentication against
the AD required CALs. A senior member of the SBS product group recently
stated this was not so.
Many of the SBS MVP's will be meeting with the product group in a few
days time (unfortunately, not me, I don't like travel and AU -> US was
out this time), I believe this is slated for discussion.
"TechSoEasy" <TechSoEasy@xxxxxxxxx> wrote in message
news:1150161150.848307.211650@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
As far as "authentication" is concerned, SBS licensing only applies to
Active Directory Authentication. Creating user accounts in a .NET
appliction wouldn't have anything to do with that.
However, licensing isn't really the issue because running a public
website, especially an e-commerce site on an SBS which is your Domain
Controller, risks both security and resource availability.
This is the first time I've read that transcript and am actually
floored that they suggest that SBS makes a great web server... when
there is solid documentation and experience to the contrary. The ONLY
exception to this would be if SBS was deployed as a single machine
without any clinet workstations or users.
Jeffrey B. Kane
TechSoEasy
San Francisco, CA
http://www.techsoeasy.com
Mark Berry wrote:
Hi,
I am trying to get some clarification on web server licensing before I
start
developing a web product in .NET.
The question is simply, can I use SBS to host a public web application
that
requires (non-Active Directory-based) authentication? You know, for an
e-commerce site, or a personals web site, a site for sharing photos, or
a
community site providing content to registered users (like
www.smallbizserver.net).
I've been reading in the transcript of the presentation "Licensing
Microsoft
Windows Small Business Server 2003":
http://support.microsoft.com/default.aspx?kbid=883786. I see this text
that
seems to imply that "authentication" means having an Active Directory
identity: "The next question is, 'Is the access coming through the
Internet
and the user unauthenticated?' In other words, there are no
credentials, no
logon. It doesn't map to an Active Directory principal, role, or group.
If
the answer is, 'No, I'm coming through the Internet and I'm not
authenticated,' then you also don't need a CAL. SBS is great as a Web
server, in this example, providing static or dynamic content out to
your
business customers."
However, the Product Use Rights seem broader: "* You do not need CALs
for:
(1) any user or device that accesses your instances of the server
software
only through the Internet without being authenticated or OTHERWISE
INDIVIDUALLY IDENTIFIED by the server software or through any other
means."
(emphasis mine)
This would seem to imply that if I have an e-commerce server, for
example,
once a customer creates an account, I have to assign a CAL to that
person,
whether they buy anything or not. Once I have 75 customers, I have to
turn
the rest away. Same thing with each registered member of my forum
software,
or whatever. In other words, in practical terms, this can't be done
under
SBS. In fact, I'm not sure how "dynamic content" would be possible at
all
without identifying the customer.
There is mention in the presentation of running Web Edition as a web
front
end in lieu of Linux. But if I'm not mistaken, Web Edition does not
allow
storing web users' files, so they would have to be stored back on the
SBS,
which means that you have "individually identified" user files
accessing the
SBS (whether it's their order history or forum posts or whatever),
which
means you're back with the same question.
Is it really the intention of the SBS Product Use Rights to prevent
implementing these kinds of pseudo-authenticating web sites under SBS?
Thanks for any clarification anyone has to offer.
Mark
.
- Follow-Ups:
- Re: SBS 2003 as web server
- From: Mark Berry
- Re: SBS 2003 as web server
- References:
- SBS 2003 as web server
- From: Mark Berry
- Re: SBS 2003 as web server
- From: TechSoEasy
- Re: SBS 2003 as web server
- From: SuperGumby [SBS MVP]
- Re: SBS 2003 as web server
- From: Gregg Hill
- SBS 2003 as web server
- Prev by Date: Re: SBS 2003 as web server
- Next by Date: Re: Help - Server seems to have developed serious issues
- Previous by thread: Re: SBS 2003 as web server
- Next by thread: Re: SBS 2003 as web server
- Index(es):
Relevant Pages
|
Loading
