[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] SMBKitchen: Licensing - THE OFFICIAL BLOG OF THE SBS DIVA
Wed, Jan 8 2014 21:41 bradley

SMBKitchen: Licensing

With Server 2008 R2, 2012 and 2012 R2, a Hyper-V deployment lets you deploy a parent and then install two copies of the server as children/guests.

One of the ways you can deal with the sticker shock of server deployment in this era is to purchase the server operating system via volume license with payments spread out over three years. Volume licensing also gives you downgrade rights and makes it easier to track product key codes.

If you downgrade one of the instances of the server to Essentials and/or deploy the Essentials role in one of the servers, remember that you also need RDS CALs in order to use Remote Web Access.

In this new post-Small Business Server era you will need the following:

Windows Server 2012 Standard - set up as a Hyper-V server with two guests. One will host the domain controller, the other the Exchange server. If you need a third server for a line of business server or to host SharePoint, you'll need another license.

Exchange 2013

Server CALs

Exchange CALs

RDS CALs - for Remote Web Access use

The sticker shock compared with what your client was used to paying will be great. Prepare your client and, as I said earlier, consider the 3-year payment option.

I do not install antivirus on the Hyper-V host, nor do I on servers. What you say? Yes, you heard me. Threats come into the server from the locations where users have access. So I use Exchange defender as Exchange hygiene in order to prevent spam and viruses from entering the network. Antivirus is installed on all workstations and terminal servers (like Multipoint). If you DO install antivirus on servers, ensure you place ALL exclusions as recommended.

http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

Also follow any line of business application recommendations for exclusions as well. Bottom line: if you deploy antivirus, make sure it's set up correctly or don't do it at all. Incorrectly set up antivirus does more harm than good.


# re: SMBKitchen: Licensing

Thursday, January 09, 2014 10:22 AM by G. Smith

Respectfully, I disagree about AV. You're talking about servers that have some level of Internet exposure (Email server - at least SMTP and SSL, etc.)

OS and application vulnerabilities can allow servers to be attacked without going through a workstation or terminal server. And if a workstation has a fault in its AV... then you have a hole in your single line of defense.

I recommend using a different AV solution on the servers than the clients, in order to provide defense in depth. And yes, ***ABSOLUTELY*** make sure you set all of the exclusions in keeping with the OS and application requirements.

There's almost nothing worse than having an entire Exchange system taken down because the backend database file was "cleaned".

So, I also recommend application-aware AV where it makes sense. On email servers? Absolutely!

# re: SMBKitchen: Licensing

Thursday, January 09, 2014 11:46 AM by bradley

That's why I have Exchange defender.  It scans the email before it gets into the firm.  OS and application vulnerabilities first have to enter the system, and then there's a high probability that a/v won't stop such a vulnerability.  OS vulnerabilities either have a patch (which I've installed already) or they are zero days and not even the a/v vendors have anything for them yet.  

Vulnerabilities have to enter the system and these days they enter with human interaction.  Don't browse on the server, don't launch files directly on the server (of an external unknown source).  

In the case of CryptoLocker, no a/v was stopping that, ergo why we're ensuring that we limit use/ensure permissions are set correctly and use software restriction policies.

Having a threat management gateway product or web surfing filtering goes way farther in this day and age of drive by attacks to protect.

# re: SMBKitchen: Licensing

Friday, January 10, 2014 3:12 AM by squeakstar

Hi Susan - if you already bought your SBS2011 with PAO a couple of years back and have the Essentials and Server 2012 options available in your volume licensing as upgrades (we cunningly did the three year payment too) when you do move off SBS2011 do you still have to get RDS CALs for remote web access use?

thanks!

# re: SMBKitchen: Licensing

Monday, January 13, 2014 3:06 PM by bradley

Squeakstar

Officially yes. Call the VLSC and supposedly they will give you RDS CALs for this. I haven't personally tried it.