
Privileged Access Security

3rd Party Licensing Recommendations FAQs

Thank you for considering CyberArk to protect your organization’s high-value information assets, infrastructure and
applications from advanced cyber threats.
Our experienced team of cyber security experts has supported thousands of CyberArk deployments over the years, and our
goal is to ensure your CyberArk deployment and/or expansion is successfully planned and implemented.
Whether you start with a 30-day sprint or follow the CyberArk hygiene methodology, expert resources, frameworks
and proven methodologies are available to support the goals of your privileged access security program.
Please take a moment to review the details below and share them with your team, so that everyone understands the
Privileged Access Security guidelines for third-party licensing.

1) What are the licensing requirements for Microsoft Remote Desktop Services ("RDS") when deploying
CyberArk's Privileged Session Manager ("PSM")?

CyberArk Privileged Session Manager (PSM) relies on Microsoft Remote Desktop Services (RDS): every privileged session is
brokered through an RDP connection to the PSM server, which runs the RD Session Host role. Microsoft licenses RDS through
two Client Access License (CAL) models: Per Device and Per User.

o Per User: licenses the number of user accounts that connect to the RD Session Host (RDS Users), regardless of how
many devices each user connects from.
o Per Device: licenses the number of devices that connect to the RD Session Host (e.g. the number of IT administrator
workstations), regardless of how many users share a device.

An RD Session Host operates in one licensing mode at a time, so each PSM server must be configured for the CAL type the
organization has purchased. Clients with an existing RDS infrastructure and licenses in place may be able to reuse those
licenses for PSM. To comply with Microsoft's licensing requirements, clients will need to work with their Microsoft
representatives to identify and purchase the correct number and type of licenses.

CYBERARK SECURITY SERVICES

Per Device Versus Per User CALs

The following list outlines the differences between the two types of CALs:

Per Device CALs:
o CALs are physically assigned to each device.
o CALs are tracked by the license server.
o CALs can be tracked regardless of Active Directory membership.
o You can revoke up to 20% of CALs.
o Temporary CALs are valid for 52–89 days.
o CALs cannot be overallocated.

Per User CALs:
o CALs are assigned to a user in Active Directory.
o CALs are tracked by the license server.
o CALs cannot be tracked within a workgroup.
o You cannot revoke any CALs.
o Temporary CALs are not available.
o CALs can be overallocated (in breach of the Remote Desktop licensing agreement).
From <https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license>

For Windows Servers


The CAL used by users or devices must correspond to the version of Windows Server that the user or device is connecting
to. You can't use older CALs to access newer Windows Server versions, but you can use newer CALs to access earlier
versions of Windows Server.

The following table shows which CAL versions each RDS license server version can host (Yes = the license server can
issue CALs of that version to RD Session Hosts and RD Virtualization Hosts):

License server                2008 R2 and earlier CAL   2012 CAL   2016 CAL   2019 CAL
2008, 2008 R2                 Yes                       No         No         No
2012                          Yes                       Yes        No         No
2012 R2                       Yes                       Yes        No         No
2016                          Yes                       Yes        Yes        No
2019                          Yes                       Yes        Yes        Yes

Any RDS license server can host licenses from all previous versions of Remote Desktop Services as well as its own
version. For example, a Windows Server 2016 RDS license server can host licenses from all previous versions of RDS, while
a Windows Server 2012 R2 RDS license server can only host licenses up to Windows Server 2012 R2.

From <https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license>

Clarifications for using Per User CALs


CyberArk recommends ONE Per User RDS CAL for each licensed CyberArk Enterprise Password Vault ("EPV") user. This
approach ensures that all EPV users are compliant with Microsoft licensing terms and that license usage can be tracked
through the Microsoft RDS licensing server. The term "user" here refers to the Windows account under which the RDP
client (mstsc.exe) is run; it does not refer to the privileged account checked out of CyberArk to make the endpoint
connection. Every EPV user that connects through PSM requires an RDS CAL. For example, if a user is logged into a
workstation as "j.smith" and starts a PSM session to a Windows server using the "a_j.smith" privileged account, it is
"j.smith", not "a_j.smith", that consumes an RDS CAL for the connection to the PSM server.

This also affects how many RDS CALs are consumed when users connect through PSM to target servers that are themselves
RDS servers. In those cases the "PSMConnect" account(s) run the mstsc client on the PSM server, so the PSMConnect
accounts may also consume an RDS CAL on the target RDS server. If the /admin or /console switch is used (depending on the
target OS), that may remove the need for a Per User RDS CAL when connecting to that particular RDS server, but this should
be confirmed with Microsoft.
CyberArk.com Page 2 of 4

A final point concerns the "PSMAdminConnect" account. During live session monitoring, this account runs the mstsc client
to open an RDP session back into the PSM server, so it may also consume a Per User RDS CAL. If the customer operates
multiple PSM "pools", each with its own set of PSMConnect and PSMAdminConnect accounts, each pool will most likely
consume its own set of Per User RDS CALs.
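To check the points above on a running deployment, the following PowerShell is an added example (not CyberArk's or Microsoft's own tooling). It reads the licensing mode of each PSM server through the Win32_TerminalServiceSetting WMI class, lists the CAL key packs installed on the RDS license server, and then queries Active Directory for the accounts that have actually been issued a Per User CAL, which the license server records in the msTSExpireDate / msTSManagingLS / msTSLicenseVersion attributes of the user object (with numbered variants such as msTSExpireDate2 for newer CAL versions). The host names, the domain, and the PSMConnect / PSMAdminConnect account names are placeholders, and the script assumes the RSAT ActiveDirectory module and WMI/WSMan access to the hosts.

```powershell
# Added example, not CyberArk or Microsoft code. Host and account names below are placeholders.
$PsmHosts      = @('PSM01', 'PSM02')        # PSM servers (RD Session Hosts)
$LicenseServer = 'RDSLIC01'                 # RDS license server
$PsmAccounts   = @('PSMConnect', 'PSMAdminConnect',       # one pair per PSM pool; add the
                   'PSMConnect2', 'PSMAdminConnect2')     # names used by additional pools

# 1. Licensing mode of each PSM server. Win32_TerminalServiceSetting.LicensingType:
#    2 = Per Device, 4 = Per User; other values mean no CAL-based mode is configured.
#    (Over DCOM this class needs -Authentication PacketPrivacy; Get-CimInstance uses WSMan.)
$modeNames = @{ 0 = 'Personal desktop'; 1 = 'Remote Desktop for Administration';
                2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }
$hostModes = foreach ($h in $PsmHosts) {
    $ts = Get-CimInstance -ComputerName $h -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TerminalServiceSetting
    $mode = $modeNames[[int]$ts.LicensingType]
    if (-not $mode) { $mode = "Unknown ($($ts.LicensingType))" }
    [pscustomobject]@{ Host = $h; LicensingMode = $mode }
}
$hostModes | Format-Table -AutoSize

# 2. CAL key packs on the license server. ProductVersion is the Windows Server version the
#    CALs are for; TypeAndModel separates per-device from per-user packs (0 = Per Device,
#    1 = Per User per the WMI class documentation). IssuedLicenses can exceed TotalLicenses
#    for Per User packs because Per User CALs are not enforced, only tracked.
Get-CimInstance -ComputerName $LicenseServer -Namespace 'root\cimv2' -ClassName Win32_TSLicenseKeyPack |
    Select-Object ProductVersion, TypeAndModel, TotalLicenses, IssuedLicenses, AvailableLicenses |
    Format-Table -AutoSize

# 3. Accounts that have been issued a Per User CAL. These are stamped on the AD user object,
#    not on a device, so the consumers are found in AD rather than on the license server.
$calProps = 'msTSExpireDate', 'msTSManagingLS', 'msTSLicenseVersion',
            'msTSExpireDate2', 'msTSManagingLS2', 'msTSLicenseVersion2',
            'msTSExpireDate3', 'msTSManagingLS3', 'msTSLicenseVersion3',
            'msTSExpireDate4', 'msTSManagingLS4', 'msTSLicenseVersion4'
$filter = '(|(msTSExpireDate=*)(msTSExpireDate2=*)(msTSExpireDate3=*)(msTSExpireDate4=*))'
$consumers = Get-ADUser -LDAPFilter $filter -Properties $calProps |
    Select-Object SamAccountName, msTSLicenseVersion, msTSManagingLS, msTSExpireDate,
                  msTSLicenseVersion2, msTSManagingLS2, msTSExpireDate2
$consumers | Sort-Object SamAccountName | Format-Table -AutoSize

# 4. Flag the PSM service accounts: each one listed here is holding a CAL of its own, on top
#    of the one-CAL-per-EPV-user recommendation, which is what the FAQ warns about.
$psmConsumers = $consumers | Where-Object { $PsmAccounts -contains $_.SamAccountName }
if ($psmConsumers) {
    $names = ($psmConsumers.SamAccountName | Sort-Object -Unique) -join ', '
    Write-Warning "PSM service accounts holding Per User CALs: $names"
}
"Per User CAL consumers in AD: $($consumers.Count)"
```

Run it from a management workstation joined to the same domain as the PSM servers; compare the AD consumer count against the number of licensed EPV users plus one per PSM service account that appears in the warning to see how many Per User CALs the deployment is really using.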

2) What are the licensing requirements for third-party applications being hosted and/or published on
the Privileged Session Manager ("PSM")?

For each application (e.g. administrative clients such as Toad) hosted and/or published on the PSM servers, the required
licenses must be provided by the Customer; they are not part of the CyberArk PAS license agreement.

The Customer will need to work with the respective software vendor's representative to procure the necessary licenses
based on how the product is used.

3) What are the Microsoft SQL Server licensing requirements for Endpoint Privilege Manager ("EPM")
and Loosely Connected Devices ("LCD")?

The Endpoint Privilege Manager Database Server and Reporting Server require Microsoft SQL Server and therefore require
Microsoft SQL Server licenses. To comply with Microsoft's licensing requirements, clients will need to work with their
Microsoft representatives to identify and purchase the correct number and type of licenses.

A Loosely Connected Devices ("LCD") deployment requires an EPM server infrastructure and therefore has the same Microsoft
SQL Server licensing requirement.

Microsoft offers two licensing models for SQL Server 2016 Standard Edition: Per Core, and Server + CAL (Client Access
License). SQL Server 2016 Enterprise Edition is available only under the Per Core model.

o On physical servers, Microsoft counts each physical core on each physical CPU.
o On VM guests, a core maps to a virtual core (v-core), which Microsoft defines as any virtual core, virtual CPU or virtual
thread allocated to the VM. The mapping between v-cores and hardware threads determines the count: if a single hardware
thread backs multiple v-cores, each v-core requires a core license; if multiple hardware threads back a single v-core,
each of those hardware threads requires a core license.

Under the Server + CAL model, a CAL covers one user or device that accesses the database, directly or through another
application. For an EPM or LCD deployment this means every endpoint on which an agent is installed requires a CAL, because
each agent reports to the EPM server, which stores its data in SQL Server. Under the Per Core model no CALs are required.

CyberArk recommends a dedicated database server for EPM and its various features. Deploying the EPM database instance
alongside another database instance may slow reporting and information gathering, and may also adversely affect the other
instances running on that machine.


4) What type of Docker support do I need for Conjur and/or Application Access Manager ("AAM")'s
Dynamic Access Provider ("DAP")?

Conjur and DAP are supported on Docker Community Edition. Customers should consider an enterprise-level support contract
with Docker when hosting a production Conjur/DAP instance on the Docker platform to ensure supportability: the standard
Docker Community Edition does not include enterprise-level Docker support.
