The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

Symantec Licensing Quick Guide

Symantec Licensing Quick Guide

This quick guide has been contributed by Matt Marnell of Flexera Software.


Symantec is currently the world’s largest computer security software publisher, standing head and shoulders above the rest in terms of market share and revenues. Their popular brands include a wide variety of acquisitions that have been occurring at an impressive rate since just before Norton back in 1990. Today, the list of brands under the Symantec umbrella also includes Veritas, Altiris, MessageLabs, PGP, VeriSign, and many others.

Symantec currently organizes most enterprise solutions into 5 broad and somewhat overlapping categories:

  • Security encompasses endpoint, messaging, and web security and filtering products like Endpoint Protection, Network Access Control and Web Gateway.
  • Infrastructure Operations includes endpoint and IT service management, including products such as Altiris IT Management Suite, Mobile Management and Workspace Virtualization.
  • Information Risk & Compliance products focus on IT compliance, data discovery, retention and protection through offerings such as Enterprise Vault, Protection Suite and Endpoint Encryption.
  • Storage – Symantec has several heavyweights for managing, protecting, and when necessary, recovering data through sophisticated and often intertwined solutions including Storage Foundation, NetBackup and Backup Exec.
  • Business Continuity is something of an extension of Storage that adds to the mix certain high availability and disaster recovery offerings like Cluster Server, CommandCentral Storage and Volume Replicator.
Matt Marnell, Flexera Software

Matt Marnell, Flexera Software

While managing licenses for most major vendors is challenging, managing license entitlements for Symantec poses a particular set of unique challenges due to the vast array of products from their acquisitions. Many of the acquired products have been bundled or otherwise integrated into Symantec’s major product lines over the years, and this process is ongoing. From an entitlement perspective, Symantec offers a number of product use rights that vary from product to product, or even specific versions of products.

However, rather than focus on the product groupings, or families, for the purposes of this quick guide we will to stick to the most important building blocks: the general license types, the purchase programs, and the maintenance and support offerings. We won’t be able to dive deeply into many of those product-specific use rights here. In fact, there are many nuances, exceptions, and one-offs that come into play when discussing Symantec licensing that we won’t address. It is, however, the aim of this overview to provide a useful foundation for building a deeper understanding of Symantec’s offerings and how licensing decisions will impact your bottom line.

Symantec License Types

Per User

Let’s start with one of the most common license types that may also be a significant source of confusion for entitlement managers: Symantec’s per user licensing. Symantec makes widespread use of the ‘user’ license type, but in some cases it may not actually stand up to scrutiny as a proper user license. What Symantec formally calls a user, even if only in packaging, sometimes more accurately refers to a device or instance. This guide will attempt to explain the Symantec types in the larger context of software licensing across publishers. As a general rule of thumb with any publisher, it is better to focus on the purpose and function of a product, including caveats and exceptions, rather than the branded license type when trying to understand the best model to use for license management.

With that in mind, let’s consider Enterprise Vault, the Symantec mail and content archiving product. Enterprise Vault’s end user license agreement (EULA) does not contain any further guidance beyond Symantec’s boilerplate definition of user. In this case, the definition of ‘Users’ actually refers to ‘Active Users’ within an enterprise, i.e., users that are actively creating data archived with the software. So, you’ll need a license for each protected mailbox, excluding inactive mailboxes, system/group mailboxes, or users with multiple mailboxes. Other products like Brightmail Message Filter, the spam and malware software, are also licensed by the number of users accessing the software or being protected by the software.

Per Device

The user-based licenses considered so far should seem fairly straightforward but Symantec employs other interpretations of the user license type, too. For a better understanding of this, let’s quickly take a look at the definition of ‘user’ Symantec often uses in its EULAs: “an individual person and/or device authorized by You to use and/or benefit from the use of the software, or is the person and/or device actually using any portion of the Licensed Software.” So is a license needed for each user, for each device, or both? The answer depends on the product.

One great example of a Symantec ‘user’ license that is in practice better understood as device-based is Endpoint Protection, the recently repackaged antivirus product that also includes other malware protection and IT security policy enforcement features. Endpoint Protection is sold by the user and the EULA is clear that the product is licensed per user, just like Enterprise Vault. But unlike Enterprise Vault, the Endpoint Protection EULA goes on to specify that each running physical or virtual instance must be licensed. Although this certainly makes sense considering that each machine in an environment is a candidate for such protection, it also means that it is more useful to track it as a device-based license. One helpful hint for managing Endpoint Protection licenses: an important exception exists that allows a single extra running instance within Windows XP Mode on Windows 7 machines—in other words, two instances of the application are covered by a single license. Data Loss Prevention Standard and other ‘endpoint’ type products are also typically licensed based on devices.

Ultimately, when considering Symantec user licenses, it is important to fully understand what is and is not a ‘user’, as well as what additional rights and restrictions are tied to that specific product. Of course, not all Symantec products licensed per device are sold or branded per user. Some are consistently treated as device-based, like CommandCentral, Symantec’s storage resource and change management solution.

Tiered Device

At this point, our discussion of Symantec licensing models really starts to get interesting. Continuing on with device-based licensing types, many of Symantec’s storage and business continuity products like Storage Foundation, Cluster Server, and NetBackup take a tiered approach to licensing. Although this adds a layer of complexity to these licenses, just remember that the tiers are simply pricing tiers. So, the underlying license type still typically determines the actual entitlements, but the price for each license is determined by the hardware on which the software will operate. However, note that exceptions do exist that cannot be covered in this guide. As one example, the NetBackup client is often licensed per physical machine for virtual machine systems – but, clients installed on IBM zSeries are licensed per virtual machine.

The pricing tiers are generally arranged based on hardware performance characteristics, like the number of populated processor sockets on the machine. The platform, or operating system, on which a product is deployed, can be a factor in price as well and usually limits the license models available. Symantec lists 4 license tier types in the documentation, but we’re going to mainly focus on 3 here: Tiered Server, Tiered Operating System, and Tiered Processor.

The Tiered Server type is really something of a ‘per server’ device-based license that costs different amounts to operate on different kinds of hardware. Each physical server needs to be licensed according to the proper server hardware tier. Tier assignments are not impacted by virtualization or partitioning. But, when licensing virtual environments a number of additional factors may come into play, like the specific platforms and packages deployed in each virtual machine.

Many products licensed per tiered server are also available under a tiered processor license, covered a bit later, and it is important to weight the cost and value between these options to decide which is better for a particular situation. For example, Storage Foundation HA on some Sun Fire servers may cost just a small fraction of, or well above, the per server cost when licensed per processor. It all depends on the number of processors. Perhaps that server is subdivided into secure independent domains, and the software is only deployed on a small number of those machines. Remember to factor in not just the current hardware platforms and configurations, but plans for change and growth as well. It may also make sense from a license management perspective to align license metrics across several products from different vendors.

Tiered Operating System licenses apply to storage products like Storage Foundation deployed in Windows operating system environments, but not all Windows platform products licensed using the tiered device model can be licensed using operating system tiers. Some must be licensed using other tiered methods. For those products that can be acquired under this model, the pricing tiers correspond to the edition of the Windows Server operating system running on the server rather than according to the hardware. Licenses can also be downgraded across editions, i.e. a license for one tier can be used on an operating system in that or a lesser tier. Thus, a license covering Windows Server Enterprise can also be used on a machine with Windows Server Standard, but not on one with Windows Server Datacenter. Besides the lack of hardware-based tiers, this model is also special because of unique virtual use rights that line up with those granted by Microsoft. The number of virtual machines allowed under a single license is the same, with the following exception: a license in the tier covering Windows Server Standard only allows a single physical or virtual instance rather than the 1 plus 1 physical/virtual configuration allowed by Microsoft.

Finally, the Tiered Processor license functions much the same as typical processor-based examples that are probably already familiar to most, but again with the added construct of pricing tiers. Similar to many other major publishers, Symantec counts multicore chips as a single processor. So, to determine the number of licenses required to cover any single machine, just count up the number of occupied processor sockets. However, if you’re dealing with any Multi Chip Module servers, keep in mind you will need to count the sockets on the Multi Chip Module rather than the board socket.

The tiered processor type, like other processor types, can seem expensive, but it offers greater license portability as well as greater deployment flexibility compared to the tiered server model. For instance, licensing per tiered processor may make more sense in situations where it is desirable to run a product on just a small part of a larger subdivided server, as already discussed. And since there are far fewer processor tiers than sever tiers, it also has advantages in situations where it is important to have the option to transfer a license to a different server over time.

The fourth tiered type, known as NProcessor, functions much like the tiered processor model but without the elaborate pricing tiers. That is, products licensed this way are licensed on a per-processor basis. However, when it comes to the storage and high availability products typically licensed by tier, only certain platforms, e.g., specific Linux distributions, for certain products can be licensed per-processor. Further, Symantec appears to be moving away from this model for many of those products.

Per Terabyte

One licensing meter that is becoming more popular in Symantec’s storage and business continuity lineup is a model based on protected storage space known as the front-end terabyte. A front-end terabyte is essentially the actual amount of protected data, regardless of the size of the volume upon which that data resides. When dealing with NetBackup that amount has certain exclusions, like data retained by NetBackup that has been removed from a client.

Symantec recently introduced a simplified licensing model based entirely on a single front-end terabyte meter, called the NetBackup Platform. Using this model, a licensee can obtain access to almost all of the NetBackup components with very few licenses to buy or manage. Purchase one for the base, maybe a couple others for add-ons, all based on a single front-end terabyte meter. But, not everything is available this way. Items like the Media Server Encryption Option and Desktop and Laptop Option still need to be licensed by their respective meters. To avoid unexpected non-compliance when licensing based on the NetBackup Platform, it may be a good idea to plan and purchase for data growth over the required maintenance period, typically a one year minimum.

Outside of NetBackup, similar storage-space models are used for other components like Enterprise Vault’s Discovery Collector Option, where the amount of data identified by the Discovery Collector is licensed. And, some are sold based on gigabytes rather than terabytes.

Other License Metrics

Of course, these aren’t the only license types found in Symantec’s products. There is also licensing per appliance, IP, node, processor, tiered NAS device, SAN switch port, storage domain, and server bundle, among others. Many of these other types are used to license component products or special products within a larger family. When unsure about a licensing metric, or researching a product, first check the product EULA. They rarely provide a complete picture, but are a good place to start. Symantec maintains a public list of current product license agreements on its website.

Purchasing Programs

Those interested in the discounts, ease of management, and flexibility of volume purchasing programs will find that Symantec offers a variety of options to meet many needs. Although popular programs are covered, other options designed to fit more specialized needs are available.

Express is the entry-level, no contract option targeted toward small to medium sized businesses. It is a transaction-based program where purchases are discounted by price bands based on individual order volume. “S band” products, like servers, have only a single price band but do contribute toward overall count to achieve the best possible pricing. For customers purchasing more than 500 units at a time it would be wise to consider another program, like Rewards.

The Rewards program is positioned for the medium to large business, but still offers simple online enrollment. Rather than using units, points are accumulated based on factors like product, unit volume, and region. There is an initial minimum purchase of 6000 points, no minimum thereafter, and points turn over on an annual basis, adjusting the price band. A Symantec Agreement Number (or SAN) can be used to manage acquisition of Symantec products at the same discounted rates across affiliates, but is not exclusive to this program.

Enterprise Options, the continuation of Enterprise Flexible, is a contract-based program meant for large enterprises that want to commit to a predictable, prepaid pricing structure and Essential Support (defined below) for specific products. Split into two editions known as Enterprise Flex Standard and Enhanced, contracts require legal review and are typically inked for a period of 2 or 3 years. Since only a subset of Symantec products is offered through this program, customers often also have another active agreement, like Rewards or Enterprise VPA.

The Enterprise VPA program is suited to large enterprises looking for consistent, no-hassle, discount pricing on Symantec products for 2 years or more at a time. Approval is required by Symantec, and a large initial purchase must be made that can be a combination of new licenses, maintenance and renewals. This program provides access to most Symantec products and support options at fixed discounts typically established by the initial investment.

Government and Academic agreements are available to qualified institutions in those verticals, including government prime contractors. These programs are very similar to Express, but have preferential entry level, thresholds, and prices. Academic Subscription agreements are also available.

Support & Maintenance

Along with the various purchasing options, Symantec offers two main levels of maintenance and support: Basic Maintenance and Essential Support. Both Basic Maintenance and Essential Support include access to upgrades, updates, patches, and technical support. For most, one of these two levels of support will suit just fine. But, Essential Support also provides the basis for acquiring Symantec’s Business Critical Services. As an add-on to Essential Support that is available in several levels, Business Critical Services include a dedicated account manager and upwards of 20 onsite visits. If business continuity, IT risk management, a straight line to Symantec’s advanced support engineers, or a dedicated Symantec support team is a high priority to manage your environment, then Business Critical Services may be right for you.

License Optimization

Unfortunately, it is simply not enough to understand the licensing basics covered in this guide. The subtle but meaningful variations in license types, combined with the wide variety of product use rights available for Symantec products, makes managing Symantec license entitlements particularly challenging compared to other software publishers. Having a good understanding of the basics allows you to focus on applying product use rights that can lead to a significant reduction in an organization’s license consumption. And that reduced consumption means you can realize lower on-going license and maintenance costs.

Wrap up

Managing Symantec entitlements is a difficult job, at times even more so than other vendors, because of the special set of licensing challenges faced when working with Symantec’s enterprise solutions. Arming yourself with the right tools and resources will help put you back in the driver’s seat during negotiations. Of course, today’s IT infrastructures are incredibly sophisticated, varying from one case to another. So be sure to get help from SAM tools and professionals you trust – not just your account manager – to make sure you’re getting the most out of your software investment.

This quick guide has been contributed by Matt Marnell of Flexera Software.



About Martin Thompson

Martin is owner and founder of The ITAM Review, an online resource for worldwide ITAM professionals. The ITAM Review is best known for its weekly newsletter of all the latest industry updates, LISA training platform, Excellence Awards and conferences in UK, USA and Australia.

Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.

He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.

Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).

When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.

Connect with Martin on LinkedIn.


  1. Laraine MacKenzie says:

    I think this is a terrific summary. Thanks!

  2. sainn says:

    this is the what i trying the understand. Thank you! But here is the question: I have 100 license per mailbox. But now i have 200 mailbox. So how is it working? Is it filtering only first 100 mailbox? or they do not count it? (On Symantec Messaging Gateway)

  3. Sam says:

    Let’s say, I’d like to purchase Symantec Backup Exec 2014. But I’m not sure which license type to obtain. There’s a Standard License Edition, it is called Bundle Standard License or something like that in the price list, which in fact is quite costly. On the other hand, there are so called Initial Basic and Initial Essential license types, which are much cheaper. Can you please explain the difference between Bundle Standard License and Initial Basic or Essential license? Thank you in advance!

  4. Muhammad Ahsan Saleem says:

    what is a difference between commercial vs business licences

Leave a Comment