Re: per Device CAL



Thanks again. Interesting reference to that 2x.com product.
Jay

"Vera Noest [MVP]" wrote:

> I think so, yes.
> But don't forget user education, including educating Administrators 
> about the console session. That's a very underrated method.
> 
> And you could use SecureRDP:
> http://www.2x.com/securerdp/
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting:  http://ts.veranoest.net
> SQL troubleshooting: http://sql.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
> 
> jay <jay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 31 jan
> 2006 in microsoft.public.windows.terminal_services: 
> 
> > Thanks for your helpful response. I guess I'll experiment with
> > restricting access to the terminal service computer by local
> > policy on that machine, restricting access to administrator and
> > the designated computers. Am I on the right track?
> > 
> > Jay
> > 
> > 
> > "Vera Noest [MVP]" wrote:
> > 
> >> If you don't implement any of the methods that I listed, then
> >> yes, you have to keep your fingers crossed that nobody logs on
> >> from a non-authorized client. 
> >> And not only during the initial phase, when the LS issues the
> >> TS CALs for the first time.
> >> 
> >> Let me give you an example: assume that you have 10 TS CALs,
> >> which should go to 10 clients, out of a total of 50 clients.
> >> Let's also assume that you see to it that the correct 10
> >> clients get the 10 TS CALs. Those TS CALs will have an
> >> expiration date of 52-89 days ahead, and then they have to be
> >> renewed. Now imagine that someone connects on day 40 from a
> >> non-authorized client. There is no permanent TS CAL left, so
> >> this client will receive a temporary TS CAL, which is valid for
> >> 90 days. The user continues to connect with this 11th client,
> >> thanks to its temporary license. Now on day 67, the first
> >> permanent TS CAL expires and is returned to the Licensing
> >> Server. If client 11 connects on that day before client 1 does,
> >> client 11 will get its temporary license exchanged with the
> >> newly returned permanent license. When client 1 tries to
> >> connect later in the day, there will be no permanent license
> >> left, and client 1 will not receive a temporary license either.
> >> It will be refused. 
> >> 
> >> That's why you will have to implement methods to avoid this.
> >> 
> >> About connections made by an Administrator: if you make a normal
> >> connection, you will take a TS CAL, just like anybody else. But
> >> assuming that your TS runs on Windows 2003, you can make a
> >> session to the console of the server, and such sessions do
> >> *not* take a license. Use "mstsc /console" (without the
> >> quotes). 
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting:  http://ts.veranoest.net
> >> SQL troubleshooting: http://sql.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >> 
> >> jay <jay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 29
> >> jan 2006 in microsoft.public.windows.terminal_services: 
> >> 
> >> > Yikes! That's not what I was hoping to hear but thanks for
> >> > your prompt response anyway.
> >> > Just to make sure I've got this straight, what you are saying
> >> > is that I have to make sure that the first computers to log
> >> > in to Terminal Server after I activate the License Server are
> >> > the ones that we want to be issued licenses and hope that no
> >> > other computer logs on in the interval. Is this correct? 
> >> > 
> >> > Related question: Does logging in as administrator for
> >> > purposes of development use up a device CAL?
> >> > Thanks again.
> >> > Jay
> >> > 
> >> > "Vera Noest [MVP]" wrote:
> >> > 
> >> >> There's no easy way to do this with native Windows
> >> >> techniques. You can make sure that only certain *users* are
> >> >> allowed access to your Terminal Server, but it's difficult
> >> >> to stop them from accessing the server from a lot of
> >> >> different clients. 
> >> >> 
> >> >> User education is one way to go, a login script which
> >> >> immediately logs off all non-authorized clients is another
> >> >> (but doesn't completely prevent the problem), restricting
> >> >> users to only certain desktops is a possibility, as well as
> >> >> disabling the rdp client completely on those machines which
> >> >> should not be used to connect to your TS. You might need a
> >> >> combination of the above methods. 
> >> >> 
> >> >> And there are a number of 3rd party utilities that provide
> >> >> this feature.
> >> >> _________________________________________________________
> >> >> Vera Noest
> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> >> TS troubleshooting:  http://ts.veranoest.net
> >> >> SQL troubleshooting: http://sql.veranoest.net
> >> >> ___ please respond in newsgroup, NOT by private email ___
> >> >> 
> >> >> jay <jay@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 24
> >> >> jan 2006 in microsoft.public.windows.terminal_services: 
> >> >> 
> >> >> > Newbie question: I'm getting ready to activate the license
> >> >> > server (on a Windows 2003 Small Business Server) for
> >> >> > terminal server running on a dedicated machine. How can I
> >> >> > make sure that the permanent licenses go only to the
> >> >> > computers that we want to have permanent licenses and not
> >> >> > to whichever computer logs on first? Thanks for the help
> >> >> > in advance. Jay
> 
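The login-script method mentioned in the thread, sketched as an added example that is not part of the original posts: a logon script on the Terminal Server compares the connecting client's name with an allow list and logs the session off when it is not listed. The file paths and the allow-list format are assumptions made for this illustration.

```batch
@echo off
rem Added example, not from the thread: logon script for the Terminal Server
rem that logs off any session opened from a client that is not on an allow list.
rem ASSUMPTIONS (hypothetical paths): the allow list holds one client computer
rem name per line; users can read it and can append to the log file.
setlocal
set "ALLOWLIST=C:\TSPolicy\authorized_clients.txt"
set "LOGFILE=C:\TSPolicy\denied_clients.log"

rem A logon at the server's own keyboard has no remote client name
rem (some Windows versions report "Console" there instead).
if not defined CLIENTNAME goto :done
if /i "%CLIENTNAME%"=="Console" goto :done

rem /x whole-line match, /i ignore case, /l literal text (no regex).
rem A missing or unreadable allow list also yields a non-zero errorlevel,
rem so the check fails closed.
findstr /x /i /l /c:"%CLIENTNAME%" "%ALLOWLIST%" >nul 2>&1
if not errorlevel 1 goto :done

rem Record who was turned away and from where, then end this session.
>>"%LOGFILE%" echo %DATE% %TIME% denied user=%USERNAME% client="%CLIENTNAME%"
logoff

:done
endlocal
```

The client name is reported by the connecting machine, so this check is a guard against accidental use, not an authentication control. Administrators connecting with "mstsc /console" are checked too, so their workstations belong on the list.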