SBS 2008 Premium CAL

Hello,

I'm having a problem and think it's attributed to CAL issues, but as this is the first SBS 2008 I've done I'm not sure how to go about finding the answer.  I recently learned that the licensing manger is no longer in 2008 when it was in 2003.  My questions centers around this, I have about 10 users here on the LAN (connect to Exchange and sign onto workstations daily) and about 30 that connect to Exchange using Outlook anywhere.  

The ones that connect using outlook anywhere are the ones however that are giving me the problems, currently only 5 at a time can connect to the exchange server, if one signs out and another user signs in it works fine.  Is the 75 active seats for SBS 2008 Premimum only for internal Users?  

If this is the case then what CAL's do I need to buy for the ones that are outside the LAN to use the Outlook anywhere?

Thanks in advance
DaveHaertelAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ady FootSharePoint ConsultantCommented:
SBS 2008 doesn't implement CALS in the same way as SBS 2003 - there is no requirement to enter keys into the system, any extra CALS purchased are just hard documents that you need to keep for auditing purposes.

There are no limits imposed for concurrent use of Outlook Anywhere so this is an interesting problem.  Previously the following guide (which implements a registry fix) has helped very similar issues so please give it a try to see if it resolves your issue:
http://blogs.technet.com/sbs/archive/2009/01/28/slow-connectivity-for-outlook-anywhere-and-sites-that-use-the-sbs-web-applications-app-pool.aspx

I know it talks of slow connectivity but it is worth a shot as it has helped someone suffering from nearly exactly the same symptoms where only 5 users could connect to OWA.

Regards,

Ady
0
Kruger_monkeyCommented:
Have you actually purchased 75 CALS?  It sounds like you are running on your standard 5 user cal, or am I reading it wrong?

AFAIK, the cals apply to connections regardless of where they are originating, but it does depend on what is being accessed.

SBS has a 75 seat limit, but doesn't come with 75 seat licences.
0
DaveHaertelAuthor Commented:
I misunderstood the licensing then.  Actually the 30 seats are overseas, so that could be a problem as far as timeout activity goes.  If the default is indeed only 5 though, why are the internal ones connecting no problem, as they are all concurrent connections and have no problems?
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

Ady FootSharePoint ConsultantCommented:
Dave,

As I said, you don't tell SBS 2008 that you have extra CALS; it's all done on a 'trust' basis these days.  So CALS are not your issue.

Please try the time-out registry fix and let me know if it doesn't work so we can put our thinking hats back on :-)

Regards,

Ady
0
Kruger_monkeyCommented:
Check the registry fix that afoot mentions, I've not really played with sbs 2008 licensing.

Here is the 2008 sbs licencing faq for you to review.

http://www.microsoft.com/sbs/en/us/licensing-overview.aspx
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
https://www.testexchangeconnectivity.com/

Set up a test user account with a mailbox and dump some of your e-mail via PST export from your Outlook into the new mailbox. Sign in to your system with the test user ID and import the PST into Outlook. Log off, then log on as yourself.

Use the above tester to verify all of your settings using the test user account. Once finished, _delete_ the test account. It will tell you whether there are any problems with your actual setup.

Did you use the Getting Started Tasks wizards to set up your SBS 2008?

Philip
0
DaveHaertelAuthor Commented:
@MPEC yes I did use the getting started tasks and actually ran into a nasty DNS issue because I'm used to adding forwarders to the DNS server, but by default the wizard will only use root hints, so after a week of good operation all of a sudden, I had no recursive DNS and it took me quite a while to figure it out.  That being said, that's a problem with the 08 OS though not with the SBS wizard, so I'm not really knocking SBS or its wizards about that but, I'm usually pretty carefully about re-examining everything that the wizards do.  

Back to the topic at hand though, @afoot, that article that you mentioned including an ASP.NET registry add that changes the default simultaneous connections from the default which is 12 to whatever you need and that, at the moment, appears to have solved the issue, I'm waiting on confirmation from our Phillipine office that they can all make the connection.  Thank you everyone for great replies, I've looked at all the responses and already learned what I didn't know about CAL's for SBS 2008.  I will update and award points in a little bit.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
There is a problem in DNS Root lookups. Windows Server 2008 Service Pack 2 should fix that.

We always set the ISP's or OpenDNS's DNS servers in the forwarders tab for the SBS DNS's settings.

Philip
0
DaveHaertelAuthor Commented:
Ok, I added the registry change and unfortunately I am in the same position, the total Exchange connections from the outside is only allowing 5 concurrent connections through outlook.  One thing that I was thinking about while looking at that registry fix though is that it's basically working on the share point area, so is this just opening the number of connections using outlook web access?  I'm not sure where the problem lies now, as I was very hopeful that was the problem.
0
dmessmanCommented:
as per the previous notes on licensing, it's obviously not a CAL issue.  I run several SBS 2008 servers, and indeed - you do not enter your license keys anywhere.  MS trusts that you have the correct number of CALs.

So since we know it's not a CAL issue, I wonder if it's an RPC over HTTPS issue.  I remember I once helped someone on an Exchange 2003 server where there was an upper limit to the number of RPC over HTTPS connections that he could have.  Users beyond that could not connect.  However, the users were still able to connect using TCP/IP or MAPI or whatever you want to call it.  

My thought process is . . . you have 30 external users.  The first 5 can connect using RPC just fine.  The 6th cannot connect using RPC, but can the 6th user connect via VPN and use MAPI?  If so, there is obviously a limitation only on Outlook Anywhere, whch I have not seen on Exchange 2007 anywhere yet.

Is it safe to assume you are on Exchange SP 2?

You can install Exchange 2007 SP 2 using this tool specifically designed for SBS 2008:

http://blogs.technet.com/sbs/archive/2010/01/14/exchange-server-2007-service-pack-2-installation-tool-for-sbs-2008-released.aspx
0
DaveHaertelAuthor Commented:
I've upgraded Exchange 2007 to SP1 rollup 9 but have not done SP2, as this is a less than 2 week old install and already have had some major issues, so I don't want to rock the boat too hard.  I have verified that they can all connect using Outlook Web Access, so I'm pretty sure you're right about this not being a CAL issue.  That being said, I'm not sure where to begin to look for where the limit setting is for Outlook Anywhere.  
0
dmessmanCommented:
On the chance that there is a fix located in SP2, I don't see how it could hurt to upgrade to SP2.  With that being said, there should be no reason for the problem you are seeing.  

Have you set up the autodiscover record correctly?  I had many more than 5 users working concurrently on Outlook Anywhere before I fully understood autodiscover and implemented it correctly, so I don't think that's the problem either.

Personally, I'd install SP2 and then re-test - and if you're in a production environment and under a time crunch - I'd call Microsoft and pay the support fee.

0
DaveHaertelAuthor Commented:
Actually I had the exchange server crash once and had Microsoft log in remotely and part of what they worked on was the auto discovery.  They also tried to install SP2 and couldn't get it to go, that's part of the reason I'm a little nervous to do so.  I'll take a look at the auto discovery again, but my thought is, if it's able to find it for the first 5 then that's probably not causing the problem unless it's shutting down to the outside after 5 connections.
0
dmessmanCommented:
your whole install sounds unstable.  As hard as this would be - I'd honestly just rebuild it this weekend.  You've got a bunch of odd behavior that is atypical - especially for a new build.  I have found SBS 2008 to be very stable and had nothing like what you are describing.  

Was this an SBS 2003 migration, an OEM install, or did you install it yourself without a migration?
0
DaveHaertelAuthor Commented:
This was an OEM installation, with no migration at all, ironically they brought me in to start fresh because of trouble they were having with their SBS 2003 exchange installation and the admin before me that did that installation.  So basically everyone exported all their existing mail and we started from scratch.  Even though it's a fairly new install, this is a complex organization and it would take a lot to redo what I've already gotten accomplished.  There are about 30 accepted email domains with numerous distribution lists and email addresses per user.  It was a nightmare just to get the email flowing to the appropriate users.  I understand that these results are atypical but I really do need to try and exhaust all avenues before I can say it's time to drop back and punt.  I have done many SBS 2003 installs with exchange and never run into this kind of trouble either, but this is indeed the first 2008 one I've done, so I expected a learning curve.  I really feel like there's something blocking this at 5, through some setting either in exchange or the internal firewall rules.  
0
dmessmanCommented:
what is your firewall?
0
DaveHaertelAuthor Commented:
It's an Intellinet VPN router, with the following Ports Forwarded

389 Both
80 Both
443 Both
25 Both
26 Both (some of our remote users have had their residential ISPs block 25)
987 Both
110 and 995 Both (POP and POP SSL) -currently not being used but in case

0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Outlook Anywhere on SBS at the TechNet site:
http://technet.microsoft.com/en-us/library/cc794265(WS.10).aspx

The _only_ ports needed:
 + 443 HTTPS
 + 25 SMTP (gateway IP restricted if using sanitation service too)
 + 987 HTTPS Companyweb
 + 1723 + GRE if using PPTP VPN

80 is optional. None of your other ports should be open from the Internet to SBS. No ports should be open unless needed specifically.

26? Why? If your remote users are using Outlook Anywhere, that is RPC/HTTPS and there is no need to have SMTP on them. Otherwise, they send/receive via the ISP's POP/SMTP (use a smart host for SMTP in Outlook to ISP's SMTP!).

Additional troubleshooting via EMEA SBS Blog for OA:
http://blogs.technet.com/asksbs/archive/2008/12/10/intermittent-outlook-anywhere-connectivity-in-sbs-2008.aspx

Whose SSL certificate are you using and how was it installed?

Philip
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
BTW, do you have a grandfathered backup of the server when it was freshly installed and the configuration was done? If so, then export to PST + restore is an option.

Philip
0
DaveHaertelAuthor Commented:
The 26 was for the POP/SMTP connector if it needed to be used by some of the managers who have 25 blocked by their ISP at their homes.  80 is for a CRM that is running that is published to the outside running on IIS (and yes I know that's not optimal and insecure but that is by my customer's request and he's been notified of the security issues).  

0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Port 80 is used by SBS on the Default Web site for a number of different HTTP related tasks. You will note that certain HTTP sites are directed according to host header. Is this how the CRM setup is being done?

Whose CRM product is it and is it certified to run on SBS 2008?

Philip
0
DaveHaertelAuthor Commented:
It's Oasis CRM but I'm not sure if it's certified.  I really haven't had any trouble with it at all.  My firewall is handling the VPN traffic, so I don't need 1723 and I have Exchange set to use 25 or 26 for SMTP, I can just as easily use 25 instead and drop the 26 but the only thing that will be able to send on 26 is LDAP authenticated clients using TLS, so I'm comfortable having it open for right now, but I really don't think that's the problem.  It wouldn't give me access for 5 based on wrong ports, the problem is more than likely in IIS somewhere, because if the wrong ports were forwarded, none of them would be able to connect.  
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
The catch is, if you run one of the SBS Wizards, such as the Fix My Network Wizard, all of those changes may be washed away. The problem with that is, the FMNW is meant to fix any problems _with_ the networking structures in SBS 2008.

Whose SSL certificate are you using and how was it installed?

Can you create more than 5 TSGateway based connections to desktops inside the network?

Philip
0
DaveHaertelAuthor Commented:
It's the standard self signed certificate that came with SBS that we're using.  I've not run the Fix my network wizard because of not wanting to have changes made to the network structure.  I ran into the DNS server error that's from the glitch in reading the root hints about a week into this and spent quite a time getting the forwarders to work and get things back on track.  As far as the TS gateway connections, that's something I'll have to try, as nobody really is using TS in the company.  I will test it and return the results though.,
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
I suggest that you invest a little bit and get yourself a GoDaddy SSL certificate:
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

It's cheap and eliminates the huge heartache that the self-issued certificate presents.

And it might actually fix your problem as it reseats all of the internal HTTPS, RPC/HTTPS, and RDP via TSGateway settings.

Since your setup is not following the SBS 2008 setup guidelines, getting help from Microsoft if things hit the wall will be diffucult if not impossible.

Philip
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dmessmanCommented:
So you installed the self signed certificate on all these overseas users' computers?

I stopped using self signed certificates years ago when I learned how easy it was to install a simple godaddy cert.  But again, that's not likely to cause what we're seeing.  And we're 100% sure that there is no consistency to who is having trouble - meaning its isolated to connections not to people?

Meaning - one day it's user 1 through 5 who can connect.

But the next day, it could be users 6 through 10 that cannot connect and 1 through 5 are shut out?

Have you thoroughly checked through all applicable logs to see if any attempted connections are being denied (on the SBS box and on the firewall)?
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
What is the model number of the IntelliNet router please?

Philip
0
DaveHaertelAuthor Commented:
I'm pouring through logs right now, and haven't found too much.  Just for kicks though I hooked my laptop in the Local LAN, installed the self signed certificate and then put it on wifi and configured my exchange account using Outlook Anywhere and it connected right away first time.  I have a sneaky suspicion there is some configuration error on the part of my phillipino counterpart who is maybe not getting the certificate installed correctly.  

As for the router, I'm not 100 percent sure, but it's a low grade, very simple one with just basic VPN functions and simple SPI firewall.  I just don't have time to do the lookup and there's nothing in the config page of the router with the model number.
0
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
GoDaddy is step 1.

But, you may be caught by the fact that the consumer grade router does not have the processing abilities to allow anymore than 5 HTTPS sessions through the box at any one time.

Philip
0
DaveHaertelAuthor Commented:
no, it does, now I'm sure of it, I remoted into my box at home and configured it correctly and had a friend configure his as well, so we're now up to 8 connections and they are all lightning fast.  I'm sure now it's a configuration issue on the other end.  I'll have to deal with them in the morning.  

I will definitely go grab a go daddy cert, there's really no reason not to at this point.
0
DaveHaertelAuthor Commented:
Final update, I have finally figured out the bottom line to all of this.  The phillipine office is running on a very weak E1 connection equating to about 1 Meg up and down and it was that connection that could not handle the additional HTTPS locks, as a solution we set them up on POP, so the staggered connections eased the load on their network.  They did lose some of the true Exchange functionality but the budget and non-availability of decent bandwidth for a decent price in the Phillipines is really hampering this situation, so until things change over there, this will be pretty much a permanent solution.  

I really want to thank everyone for the help here and I appreciate the advice on the certificates, it was indeed easy as could be and did make the overall operation easier.  I'm awarding the points to Phillip because it was his suggestion about the low grade router here not being able to handle the multiple connections (which actually it turns out handles many more than that with ease) that lead me to investigate the Phillipine bandwidth.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.