The (simplified) scenario I am looking at is as follows.
I have an environment consisting of a 2003 web server, a 2003 file server, and users running Windows 7. We have enough 2003 CALs to support all user activities. We would like to implement a 2012 application server acting as a standalone certificate authority.
My PKI procedure would be as follows:
A limited set of administrators would use IIS on the web server to make a file-based offline CSR request file. This file would then be manually copied to a file share on the 2003 file server. A limited set of administrators would log in to the 2012 server, browse to the 2003 file server, and import the CSR. The CSR would be inspected, and once approved, a valid certificate would be exported and manually copied to the 2003 file server. At this point the web server administrator would manually import the certificate into the 2003 web server. The certificate server is then powered off, and the web server provides HTTPS service to the Windows 7 users.
Based on the below statement, taken from the referenced briefing, I think that I only need enough 2012 CALs to cover the administrator connections, not for the entire user base.
"Generally, if files, data, or content are available because of manual activity (a person uploading a file onto a server or emailing the file), a CAL is not required for users or devices accessing those manually transmitted files." Microsoft Volume Licensing Brief - Multiplexing – Client Access License (CAL) Requirements
After speaking with an MS representative, they indicated that if, instead of copying the CSR and certificate files to the 2003 file server, I used a USB memory stick, the Windows 7 users would not require 2012 CALs, as the Multiplexing requirement would be broken by a clearly manual process.
Does anyone have any insight to add?