What Is The Industry Practice Regarding MS Windows 7 EULA Or Windows Server CAL?

What is the industry common practice in regards to using server software like xprotect or acc, on a windows server or a windows 7 pro workstation? I am no expert on this licensing stuff, as I use linux whenever I need a server for something.

From what I am reading on the Internet about windows server access licenses, it seems like cameras may need device licenses. And it seems like every single user of client software that is connecting through the network with the vms server software on the windows server, also need a client access license. That is per human user, not per client computer. And if the vms server software use the MS sql server, does every user also need another license for connecting with the sql server?

I have seen vms server software installed on windows client computers. But after reading trough the windows 7 EULA, this seems like the sort of server usage that the license forbids. Are they using special windows versions for this?

Is there maybe some special license to buy, that fixes all these problems? Or does Microsoft not care? Or are all the mom and pop shops buying volume licenses and server licenses to use their vms? Or does the dealer/installer just make a server, put their server software on the thing, and expect the buyer to handle the microsoft licenses?

I am confused about all this stuff, so I hope some of you experienced installers and sellers may have some guidance for me. I would rather not suggest a vms to someone, if this sort of hidden costs may jump up and bite them in the ass after it is installed.


I've never heard of CALs being required for any VMS platform,

I'm not a Windows licensing expert, but my understanding has always been that CALs revolve around providing licensing for Microsoft-specific server functions to multiple users.

In the case of a typical VMS, the Windows OS is just a basic OS stack, it's not facilitating network access to cameras in the form of enhanced software features or functions, the VMS is (and you will typically need camera/device and/or client licenses from the VMS manufacturer).

I've never seen CALs quoted, or baked into a quote in any way.

A CAL is not a software product; rather, it is a license that gives a user the right to access the services of the server. A CAL can be either user or device based. User based CALs means a CAL is required for every user accessing the server. Access can be from any device & can be multiple devices. A device CAL means that the licenced device can access the server regardless of the user trying to access. In general, any user accessing an application running on the server requires a CAL. Up until Windows server 2012, server licences (Retail/OEM) came with a set number of included CALs. Base level was 5.

CALs are accumulated across severs so, 2 servers each with 5 CALs means that 10 users/devices can access the server farm. In the case of a camera server, 5 may well have seen out most installations. Particularly, if there are other servers already installed. But with Windows Server 2012, no CALs are included in the licence so they must be purchased separately. They are required. CAL are downward compatible but not upward. So CALs for Windows server 2008 are not valid for use with Windows server 2012.

SQL Cals work on the same basis. Each user accessing the SQL data base need an User/Device CAL plus a SQL CAL which can also be user or device based.

Similar licencing is required for RDP: if the server is taken out of administrator mode, an RDP cal is required for every user on top of the User/Device CAL & SQL CALs.

CALs are the cream for Microsoft. They just keep adding up!!.

The above is a broad explanation. There are a host of interations that I have not attempted to explain.

In general, any user accessing an application running on the server requires a CAL.

Should say:

In general, any user accessing a Microsoft application running on the server requires a CAL, except for Web servers who are accessed (from a Windows standpoint) anonymously.

Net/Net, if your VMS is authenticating using Windows authentication/active directory, then you will need users CALs.

Otherwise, you are fine, IMHO.

I am researching this subject as well. In talking with MS local office the understanding is that yes, you need a Server CAL for each camera and client station connected.... but this is still not documented by myself yet.

There is another licensing chanell called Embedded which is closer to what/how we use these licensing ( for "appliances" used for one application only, just like the POS computers or ATMs ) . My next task is to see how is the CAL licensing in Embedded as well....

I think it is an interesting subject to be discussed here, though one question which would clarify it all would be : Is the administrator notified if you don't have enough CALs for all connected devices ? That would be the simple way out...

But Vlad, do you think that if you are just connecting anonymously via tcp/ip sockets to a non Microsoft application, that doesn't use any using any Microsoft authentication or higher level services, that a CAL is necessary?

I don't think so, but I admit it might be tricky to verify definitively in a case where the VMS uses a MS SQL database, for instance. Even in that case, the if SQL requests are made anonymously and are similar in to web requests.

But, I think what it all boils down to is client/device visibility to the system. Unless the users are named Active Directory users, or the devices are being accessed thru Microsoft services, it has no way of even knowing what users or devices are involved.

What do you think?

I found this thing about dhcp or dns.

http://windowsitpro.com/windows-server-2012/cal-needed-dns-or-dhcp-client

My guess is that the same goes for stuff like serving time to the cameras, as no ip cameras I have seen, have battery backed up clocks.

But the question may be: If all the network stuff, like dhcp and time, is served by a linux server, what is then the server/client relationship between the camera and the microsoft server? Is the server requesting and downloading video from the camera? Then the camera is the server, and the microsoft server is acting like a client device. So no CALs for cameras, then? But it is often the camera that makes the decision that an event has happened, and that video must be sent to the server. The microsoft server then becomes just a database that cameras store video in. Then the microsoft server acts as a server, and you need a device CAL for the camera.

As I see it, this is an outdated money making system, that may work badly with the "internet of things" and especially the modern security camera industry. Where lots of tiny things act like little dudes, communicating and doing work over the network. In a not so distant future, where every little lock, light, camera, fan and food processor is connected to the same network; little servants pampering their human masters, a "Microsoft Tax" would be a unjustified reality. In my opinion.

My guess is the same goes for stuff like serving time to the cameras...

From your link

A: The only time you don't require a Windows CAL is when accessing Windows Server hosted services from the Internet in an unauthenticated manner.

So, if you were accessing a Microsoft NNTP server thru an authenticated connection, then yes.

But it the far more common case of simply syncing time thru the unauthenticated VMS socket connection, no.
IOT is safe as well, as long as it accesses the resources of the machine without involving the user authentication and higher sub systems.

If Microsoft were to charge a device CAL for every camera attached to a VMS, they'd loose a lot of money very fast as Windows could be ditched very quickly and easily by the VMS industry. Many NVRs support Linux anyway, Exacq doesn't need Windows for example, and I suspect most would not be very hard to convert. So I would not worry about it. I also get the impression that some of the terms used in legal agreements are deliberately a bit vague so they can mean anything they want them to mean in any given situation (like patents...), so it may be very hard to get a definitive answer when reading the license agreements alone.

As i see it it's up to MS to clearly say who does and doesn't need a CAL but from my research so far the cameras do need it. I would think it is the same licensing situation like printers or VoIP phones... I am not so sure of my findings but will look more into it and hopefully will either get a documented answer from MS or from an IT Manager which should know this stuff.

SQL is not so important as most systems we sell ( distribute ) use SQL Express and that has no CALs . Only the bigger systems require SQL Pro or Enterprise.

As a side note , Azure machines don't require a CAL so in theory, if you put the VMS in the(ir) cloud and do everything there you don't need any other licenses.

...but from my research so far the cameras do need it.

What in your research indicates that? Remember, in the case of printers, the device is known and accessed thru the ms print system. No VMS that I know of accesses IP cameras thru any MS camera service, if one even exists.

Microsoft only sees a socket connection to the outside world from which video is coming in. For all it knows, you could be playing a YouTube video from the Internet.

Well, first it is the answer from MS local people. I also found some article online about that ( still waiting for a PDF from them about all this ).

I also got this from a MS forum : https://social.technet.microsoft.com/Forums/windowsserver/en-US/e6a7e20c-3729-487b-9327-355f237b5be1/licensing-for-ip-cameras?forum=winservergen

Usually cameras do use Windows infrastructure :

- NTP, DHCP, etc ( though you could go around these )

- i would guess the networking infrastructure in Win Server

- idem for storage infrastructure

- other services like you also said ( Active directory, etc )

Usually cameras do use Windows infrastructure :

- NTP, DHCP, etc ( though you could go around these )

- i would guess the networking infrastructure in Win Server

- idem for storage infrastructure

- other services like you also said ( Active directory, etc )

IMHO, most cameras connected to a VMS do not use Windows infrastructure, except for anonymous tcp/ip sockets. They could use them, but don't usually.

In practice I see no evidence of these types of connections requiring CALs.

Searching Exacq, Milestone and Genetec for any talk of CAL requirements due to the their software has not yielded anything either.

I think Microsoft will sell you CALs for whatever you think you want them for.

Don't CAL's only apply to Windows Server? There is no technical advantage in running a VMS on Windows Server, none at all, so I'll just look at Windows desktop. The EULA for Windows 10 desktop OEM is in the link below:

Windows 10 OEM EULA

Now in section 2b it defines a "device" as follows:

Device. In this agreement, “device” means a hardware system (whether physical or virtual) with an internal storage device capable of running the software. A hardware partition or blade is considered to be a device.

I assume "the software" means Windows 10 OS in this case. So I would take that to mean that your typical camera is not a device as it can't run "the software" so I would say there is no limit to how many cameras it can connect to. (I could not find a definition of device at all in the Windows Server agreement.)

So the other thing is, is it OK for clients/users to access the VMS from their VMS client software on other workstations. The relevant clauses seem to be 2 c (v) and 2 d (iii), which seem to contradict each other.

2 c Restrictions. The manufacturer or installer and Microsoft reserve all rights (such as rights under intellectual property laws) not expressly granted in this agreement. For example, this license does not give you any right to, and you may not:

...

(v) use the software as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users;

but then:

2 d Multi use scenarios ...

(iii) Device connections. You may allow up to 20 other devices to access the software installed on the licensed device for the purpose of using the following software features: file services, print services, Internet information services, and Internet connection sharing and telephony services on the licensed device. You may allow any number of devices to access the software on the licensed device to synchronize data between devices. This section does not mean, however, that you have the right to install the software, or use the primary function of the software (other than the features listed in this section), on any of these other devices.

So I take it to mean that 2d (iii) overrides 2c (v) in that it does give permission for up to 20 clients to access the VMS in some circumstances. At this point I am slightly stumped. If the client software accesses the VMS thru IIS as some may do, then it does seems to say that up to 20 clients is OK. But what if it uses sockets? If a VMS client/server connection can be categorized under the statement "synchronize data between devices" then it seems to say that unlimited clients are OK. But I get the impression that it is at least Ok for 20 clients to connect, which is more than enough in most cases.

But I am not at all sure. I would not approach Microsoft and ask them, I would approach a lawyer instead.

After reading this:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/e6a7e20c-3729-487b-9327-355f237b5be1/licensing-for-ip-cameras?forum=winservergen

and watching this:

https://www.youtube.com/watch?v=UyfHOrhM_7U

I have come to this understanding:

Cameras are servers, as long as they do not access data on the microsoft server. The vms application is the client, accessing resources on the camera. When the vms is setting the time on the camera, the vms is doing so as a client application. When the vms is recording video, it is acting as a client, using the camera as a rtsp server.

From this, I assume I would not need a device CAL for any camera, as long as the camera does not request ip address, dns lookups, time or any other data from the windows server.

On the vms client side, I had misunderstood the point of the device CAL. I need a CAL to access data from the vms server, because it will be accessing data from a windows server. But I am not forced to buy one CAL for each user. If they all access the vms from one computer, then I can buy one CAL for that computer. Any user accessing the vms from that computer, will be licensed trough that computers device CAL.

To keep costs down, I would have to limit the number of devices that access the vms. This means, that features like mobile phone access and roaming access will be costly. For instance only licensing a video wall, the computers of investigators, and maybe a shared phone for the security guards, would keep costs down. Allowing every security guard to access the vms server trough their own personal phone, which would be more efficient, will cost more, and maybe open up user CALs as a better option.

As for using a client OS, like windows 7 or 10 for a vms, would be ok. But only as long as the vms server and vms client is on the same computer. So only one way to access the video. No networked clients, and no phones.

Even though this seems like a lot easier and cheaper than I first thought, I think I'll still go with Linux as server OS when possible. This licensing stuff makes pricing unpredictable. And a linux vms would be competitive simply by the fact that they would not have the whole windows server CAL problem. Maintaining a linux server is just as simple as maintaining a windows server, when its only role is working as an OS for the vms server.

So I'm hoping more mainstream vms makers start making linux versions of their product. Having only one name on the list, does not really make it a list...

To keep costs down, I would have to limit the number of devices that access the vms. This means, that features like mobile phone access and roaming access will be costly.

Roaming web access would be free through the web internet exemption, I believe.

If you really are concerned about this license thing, why not just buy the core license for the server and skip the device and user licenses altogether?

"Undisclosed 1", I disagree with your conclusions regarding the client OS.

As for using a client OS, like windows 7 or 10 for a vms, would be ok. But only as long as the vms server and vms client is on the same computer. So only one way to access the video. No networked clients, and no phones.

A similar discussion was raised on this thread below, with a qualified representative from Microsoft joining the discussion:

licensing-question-windows-client-os-working-as-server-with-third-party-apps

At one stage it states:

LarryG. wrote:

So if I have a dozen PCs in my office, all with OEM installs of Windows 7 Pro and I want to use a file sharing tool of some sort (FTP, whatever) on one of them... I can't. Is that correct?
Brand Representative for Microsoft replies:

No. If you check out the EULA attached, section e states the device connection. Which if I understand it correctly, FTP is more of 'file services' and not accessing the Windows 'session'.

e. Device Connections. You may allow up to 20 other devices to access software installed on the licensed computer to use only File Services, Print Services, Internet Information Services and Internet Connection Sharing and Telephony Services.

The VMS clients are accessing the VMS server, and not the windows session itself. The VMS server will always run in a single windows session and it is only using File services (e.g. stores/retrieves recorded video/audio/indexes... as files) and in some cases Internet Information Services. A VMS server doesn't use any other Windows services. Well it uses Network Services, but I think this is Ok as it is implied in the process of a device accessing the "software installed on the licensed computer".

I reckon Windows Client OS's are good for up to 20 connections from VMS client software, mobiles phones, browsers etc, and there is nothing to worry about.

Edit: Regarding IoT, I notice in the Windows 10 EULA, Microsoft has added a definition for "Device" that seems to restrict its meaning now to other computers capable of running Windows. Maybe this is their way of updating their license for the IoT age.

I would like to agree with you, undisclosed 3 manufacturer. And I did use to think like that.

But the example you quoted was about ftp, which absolutely is a file service. The way I read the EULA, you are not allowed to run windows 7 as a server, except when it is used for file services, print services, internet information services and internet connection sharing and telephony services. Windows 10 is even worse, as you are not allowed to install windows 10 on server hardware. Some time in the near future, windows 7 will not be an option.

A vms does absolutely use files, as almost every other service and application does. But in addition, it allows you to search trough and handle a bunch of different data, in a database way. Not only video, but also metadata like movement, errors, bookmarks etc. When you request a service to do a search trough a database via the network, I would say that you use the searching computer as a server. And the list "file services, print services, internet information services and internet connection sharing and telephony services" does not include databases, even as I try to read between the lines.

I read that list as the stack of services client versions of microsoft operating systems have supplied all the way back to win98, and partially back to win3. File sharing, printer sharing and name serving in a local workgroup trough the smb protocol. And in addition internet connection sharing from the time when phone modems connected the computer to the Internet. It is simply the minimum stuff Microsoft supply you with, to make a small business establish a resource sharing network without a windows server. The list does not tell me that vms'es are ok. And that may be what the money people and the IT guys need. For someone to say that it is ok.

This does not mean that I don't hope that you are right. I believe that you being right about this, and I being wrong, is absolutely the best thing for me, the security camera industry, the Internet and even Microsoft. But I don't see the proof to sway my worries in your reply. The fact that I like what you are saying, does not necessarily make you right.

It is hard to be absolutely 100% certain I agree, and I want you to be wrong for the same reasons :-).

My counter arguments would be:

But in addition, it allows you to search through and handle a bunch of different data, in a database way.

Yes, but it is not using any other Windows services for searching through the files, it is using its own code, and the Windows file system, that is all - same as an FTP server. It is allowed to use its own code to do things with the list of services otherwise even writing an FTP server would be impossible. (I do know how to write both a VMS server and an FTP server from scratch - at a top level they are very similar - a request comes in, process that request in C++ code, retrieve data from the File system and send that data back again to the client.. at a top level, they are very similar)

Not only video, but also metadata like movement, errors, bookmarks etc.

These are sometimes stored by the VMS Server directly in the file system ( from recall, I do not think Exacq uses a database engine ????) but also admittedly in databases in many cases, but this doesn't matter - see below...

...and the list "file services, print services, internet information services and internet connection sharing and telephony services" does not include databases, even as I try to read between the lines.

That is because Windows doesn't offer any builtin Database Services, they are not part of the operating system and not covered therefore by the EULA. For example SQL Server and dozens of others are installed separately - and even for their main functionality they only use File Services. They are only restricting you to using the Services in the "licensed software" - Windows in this case, not Services that can be written as applications that run on Windows. You can use a third party database, write your own, it amounts to the same thing, A bunch of instructions that run on the CPU that uses only the File system services in Windows - that is all a database is in most cases. Even SQL Server standard edition supports running on Windows 7. No one is going to buy SQL Server standard edition for Windows 7 is they can only use it for a single user are they?

I read that list as the stack of services client versions of microsoft operating systems have supplied all the way back to win98, and partially back to win3. File sharing, printer sharing and name serving in a local workgroup trough the smb protocol. And in addition internet connection sharing from the time when phone modems connected the computer to the Internet. It is simply the minimum stuff Microsoft supply you with, to make a small business establish a resource sharing network without a windows server.

In that case 2d (iii) would read:

You may allow up to 20 other devices to directly access the File Services, Print Services, Internet Information Services and Internet Connection Sharing and Telephony Services.

but it actually says:

e. Device Connections. You may allow up to 20 other devices to access software installed on the licensed computer to use only File Services, Print Services, Internet Information Services and Internet Connection Sharing and Telephony Services.

I take that to mean it is Ok to access any software written by a third party running on the OS, so long as the functionality that the 3rd party software is providing to the client is only using the File System, Print Services, etc. In this respect a VMS server is identical to an FTP server.

Windows 10 is even worse, as you are not allowed to install windows 10 on server hardware.

I could not see that in the EULA, but it doesn't matter anyway. I am not sure how you would define Server hardware anyway. Traditionally they limit the client OSs to how many cores/CPUs/memory they can scale to, so for example you couldn't run Windows 7 on a 32 processor machine at a data server -or you could, but it might only use 2 CPUs, and the other 30 sitting idle. I agree with MS on that one, but you don't need such high end hardware for a VMS.

It would make me feel a little bit easier if they had included "Network Services" in their list of services, but I am still going to sleep easy tonight.

If what you are saying is true, then lord knows how many companies in this industry and others would be violating their License agreements, It surely would have exploded years ago.

Ultimately, though, if you are really concerned, maybe get a lawyer to check over the arguments.

I think this boils down to me seeing this thing as a glass half empty, and you seeing the same glass half full. I don't disagree that I may be a bit too pessimistic about this. However, my worries remains, and I will have to take this with the IT department, so that they may make a decision. It would end up there anyway, sooner or later.

The Windows 10 EULA says under 2.c

Restrictions. The manufacturer or installer and Microsoft reserve all rights (such as rights under intellectual property laws) not expressly granted in this agreement. For example, this license does not give you any right to, and you may not:

(v) use the software as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users;

You should ask your VMS company what they think.

For example, several VMS's allow you to add device licenses to a server, or sometimes even upgrade the server software to go from allowing 2 client connections to 20 (or whatever numbers they enforce).

My point is that VMS companies will sell you additional licenses for their software that by some interpretations of the above comments would require you to also purchase more CALs from Microsoft.

This question must have come up to them before, and I would think they could give you an exact recommendation (in writing/via email...). If not, most of them should also be Microsoft development partners and could ask the question directly of someone at Microsoft.

However, my worries remains, and I will have to take this with the IT department, so that they may make a decision. It would end up there anyway, sooner or later.

Who are the users anyway? Do they have Windows Server already? If so, they probably need/have user license anyway, if not why are you assuming Windows server?

The Windows 10 EULA says under 2.c...

when they say "use the software as server software", they are not talking about running a web server, they are talking about as an OS server, i.e., RDP sessions.

It is prohibited except where it is permitted. So 2 c (v) prohibits you from using it as a server in all cases, except where it is permitted e.g. 2 d (iii) . If that weren't true, there would be no point having 2 d (iii) at all as it would always be overruled by 2 c (v).

2 c Restrictions. The manufacturer or installer and Microsoft reserve all rights (such as rights under intellectual property laws) not expressly granted in this agreement. For example, this license does not give you any right to, and you may not:

...

(v) use the software as server software, for commercial hosting, make the software available for simultaneous use by multiple users over a network, install the software on a server and allow users to access it remotely, or install the software on a device for use only by remote users;

but then:

2 d Multi use scenarios ...

(iii) Device connections. You may allow up to 20 other devices to access the software installed on the licensed device for the purpose of using the following software features: file services, print services, Internet information services, and Internet connection sharing and telephony services on the licensed device. You may allow any number of devices to access the software on the licensed device to synchronize data between devices. This section does not mean, however, that you have the right to install the software, or use the primary function of the software (other than the features listed in this section), on any of these other devices.

and, if that weren't true why would Microsoft include services like IIS on Windows 7/8/10 at all? I have read on the internet that IIS on Windows 7 limits its connections to 20 anyway, so that 2 d can't be violated.

We asked Milestone if CALs were needed for cameras connected to XProtect on Windows Server.

Milestones response:

The answer is no. Cameras in a video surveillance system provide video feeds and act as a data source. They do not access or use the services of Microsoft’s server software and there is no need for a CAL for each camera.

It seems that Microsoft takes care about CAL differently depending on the country. In my country, Republic of Korea, MS cares about CAL for VMS installed here. They charge the end-user for CAL license in connection with Milestone, Genetec or local VMS which use Windows server & services like Active Directory or SQL.

Especially, government-issued tenders request for it as Microsoft will ask for it later.

The other issue that we collectively failed to resolve was the question regarding the use of non-server Windows editions. According to my understanding of the EULA, it is OK to connect up to 20 clients to Windows 7/8/10, but others disagree.

QUESTION: is it possible to delete a post? and move it. I meant to reply to Brian's post above, but pushed the wrong Reply button...