Microsoft Exchange 2007 pushes envelope
Oliver Rist, Information Age
18/10/2006 20:44:21
Managing e-mail servers is among IT's most painful tasks. It's no wonder, then, that Microsoft chose Exchange as the server product that would capitalise on the benefits of Longhorn first.
We managed to get an early look at Microsoft Exchange Server 2007 Beta 2, eagerly anticipating some pain relief. We're pleased to report that this is a compelling upgrade. Not only has administration improved, but Exchange 2007 turns out to be a felicitous example of Microsoft's time-honoured strategy: add features that used to require separate applications in order to grab more market share.
Exchange 2007 integrates two new Microsoft antivirus and antispam options and adds a powerful new command shell. Most impressive of all, Microsoft has reworked the install process to enable administrators to set up Exchange in several common, preset configurations, potentially simplifying setup.
In addition, new support for handheld devices could pose a serious challenge to the BlackBerry's dominance in mobile e-mail.
But that's not all. Microsoft has also reworked the Exchange management console GUI with a new look and feel designed to decrease keystrokes and mouse clicks and ease the day-to-day grind that today's e-mail administrators endure. And for the first time, all administration functions can be performed from either the GUI or the command line.
Revving up for Exchange
Beta 2 doesn't have quite the install process the production version will use, but it's close. Hardware requirements are an important difference. You can run the beta on 32-bit CPUs, but for the production version, Microsoft says Exchange 2007 will do 64-bit silicon only. This will support much larger mail stores and faster e-mail processing, but the downside -- especially for small businesses -- will be the need to purchase new servers.
Moreover, because Exchange is on track to be released later this year, it may arrive well ahead of Longhorn. If so, early adopters of Exchange 2007 will need Windows Server 2003 x64 until the Longhorn OS shows up.
But getting Exchange 2007 up and running has more new wrinkles. In the installation process, Exchange 2007 introduces the concept of "roles", a departure from the mail server's previous one-size-fits-all model. Some server roles can coexist on the same machine, whereas others must be elsewhere, such as the DMZ.
The default roles for a typical Exchange 2007 installation are Mailbox, Client Access and Bridgehead. These provide, respectively, mailbox storage, client connectivity (including Outlook Web Access) and internal transport. (Bridgehead is the Beta 2 name; the role is called Hub Transport in later builds.) Other roles include Unified Messaging, Edge Transport and Clustered.
For our beta test, we ran a standard set of roles on a Dell PowerEdge 1800 with dual 3.0GHz Xeon processors and 2GB RAM running Windows Server 2003 SP1. Also on the network was our existing Windows Server 2003 domain controller handling Active Directory, DNS and other sundries, as well as a smaller Dell PowerEdge SC1420 running Windows Server 2003 Standard. We placed this in the DMZ and installed Exchange 2007 on it, this time with the Edge Transport role.
As part of the installation, we were prompted to install some prerequisites, including IIS (Internet Information Services), Microsoft Management Console, a .NET Framework update, and Monad, now officially called Windows PowerShell. With those completed, installing Exchange initially failed but succeeded on the second attempt, a classic case of beta willies. A call to Microsoft determined that it was a bug in the beta software, which failed to alert us that the installation routine had to be restarted after installing IIS.
Mail on the edge
After installation completes, you'll discover a richer array of options than Exchange 2003 offers. Take the Edge Transport server role. Allowing direct SMTP connections from the Internet to a domain member inside the firewall always turns security officers green. This is why the edge e-mail server was invented, so an SMTP relay server could be placed in the DMZ. The relay server had generally been a Unix or Linux system running Sendmail or Postfix with open source antivirus and antispam filtering, turning the edge server into an effective e-mail gateway without spending loads more on another e-mail server licence.
Exchange 2007 seeks to bring all that functionality into the Microsoft family via Edge Transport. This role offers an SMTP relay function on a Windows platform that's not a member of the Active Directory domain. Edge Transport is, effectively, a stripped-down version of Exchange with no mailboxes. Microsoft has fleshed this out by adding two options for antivirus and antispam -- but only for folks with an enterprise licence for Exchange. Those people, however, have a choice of two Microsoft solutions: the FrontBridge hosted AV/AS services or a Sybari-based local package called Forefront.
FrontBridge has a per-user/per-month service charge; Forefront has up-front licensing and requires an annual fee for security updates. Exchange users without enterprise CALs (client access licences) can still install their own AV/AS software, but the Microsoft versions are off-limits according to the Exchange team. Whether the Edge Transport role will do better than an open source edge relay is a question of some complexity.
The power of Monad
Next to roles, one of the most useful new features we found for day-to-day Exchange Server administrators is the new Exchange Management Shell, built on the foundations of Windows PowerShell, previously code-named Monad. The new Management Shell is sexy because it goes a long way toward giving Exchange administrators the same powerful command-line environment about which their Unix counterparts have long been bragging. From our testing, literally anything that can be done through the GUI-based Exchange Management Console -- formerly known as System Manager -- can now be done at the command prompt.
We ran the Management Shell through its paces, too, including automating account creation, running mailbox moves, and statistics gathering. It worked well in publishing mailbox and server statistics automatically to a Web page, for instance. An especially nice feature is that tasks performed in the GUI console also display the text-based command syntax for reference -- a good thing because we didn't find the command syntax to be all that intuitive.
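As an added example (not code from the article, and not Microsoft's), here are the three chores the review mentions scripted in the Exchange Management Shell: account creation, mailbox moves and statistics published as a web page. The article names no servers, databases or paths, so the UPN suffix, OU, database names, size threshold and report location are placeholders; the user list is constructed sample data standing in for an `Import-Csv` of a provisioning file. The cmdlets (`New-Mailbox`, `Get-MailboxStatistics`, `Move-Mailbox`) are the Exchange 2007 ones; the script is written for the PowerShell 1.0 that ships with it.

```powershell
# Added example; not code from the article or from Microsoft. Assumed, because
# the article names none of them: the UPN suffix, OU, database names, size
# threshold and report path below. Run from the Exchange Management Shell on
# a server that holds the Mailbox role.

$UpnSuffix   = "example.com"                                  # assumed
$TargetOU    = "example.com/Users"                            # assumed
$HomeDb      = "EXCH01\First Storage Group\Mailbox Database"  # assumed
$LargeDb     = "EXCH01\Second Storage Group\Large Mailboxes"  # assumed
$MoveAboveMB = 500                                            # assumed
$ReportPath  = "C:\inetpub\wwwroot\stats\mailboxes.html"      # assumed

# Constructed sample input (in production: Import-Csv .\new-users.csv).
$NewUsers = @(
    @{ Name = "Alice Example"; Alias = "alice"; InitialPassword = "Tmp!Pass-001" },
    @{ Name = "Bob Example";   Alias = "bob";   InitialPassword = "Tmp!Pass-002" }
)

# 1. Account creation. ResetPasswordOnNextLogon makes the CSV password
#    single-use, so a leaked provisioning file is not a standing credential.
function New-MailboxesFromList {
    param($Users)
    foreach ($u in $Users) {
        $pw = ConvertTo-SecureString $u.InitialPassword -AsPlainText -Force
        New-Mailbox -Name $u.Name -Alias $u.Alias `
            -UserPrincipalName ($u.Alias + "@" + $UpnSuffix) `
            -OrganizationalUnit $TargetOU -Database $HomeDb `
            -Password $pw -ResetPasswordOnNextLogon $true
    }
}

# 2. Mailbox moves: relocate every mailbox over the size threshold.
#    Move-Mailbox is the Exchange 2007 cmdlet; -WhatIf gives a dry run.
function Move-LargeMailboxes {
    param([int] $ThresholdMB, [string] $TargetDatabase, [switch] $WhatIf)
    Get-Mailbox -ResultSize Unlimited | Where-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity
        $stats -ne $null -and $stats.TotalItemSize.Value.ToMB() -gt $ThresholdMB
    } | Move-Mailbox -TargetDatabase $TargetDatabase -Confirm:$false -WhatIf:$WhatIf
}

# 3. Statistics gathering, published as HTML under the IIS document root.
function Publish-MailboxReport {
    param([string] $Path)
    $rows = Get-Mailbox -ResultSize Unlimited |
        Get-MailboxStatistics |
        Sort-Object TotalItemSize -Descending |
        Select-Object DisplayName, Database, ItemCount,
            @{ Name = "SizeMB"; Expression = { $_.TotalItemSize.Value.ToMB() } },
            LastLogonTime, StorageLimitStatus
    $rows | ConvertTo-Html -Title "Mailbox statistics" `
        -Body ("<h1>Mailbox statistics, generated " + (Get-Date) + "</h1>") |
        Out-File -FilePath $Path -Encoding UTF8
}

New-MailboxesFromList -Users $NewUsers
Move-LargeMailboxes -ThresholdMB $MoveAboveMB -TargetDatabase $LargeDb -WhatIf
Publish-MailboxReport -Path $ReportPath
```

Two practical notes. The report lists who logged on when and how large each mailbox is, which is useful reconnaissance, so the IIS directory it lands in should require Windows authentication for the helpdesk group rather than allow anonymous access. And the provisioning list carries initial passwords in clear text; keep it off shared drives and delete it once the mailboxes exist.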
The ups and downs of Web access
Administrators aren't the only ones who can look forward to new goodies. Users will love OWA (Outlook Web Access), which has undergone a transformation; the Web UI is now a practical mirror of the Outlook 2003 desktop version. Plus, at long last, Microsoft has seen fit to deliver a much faster search engine.
But Exchange 2007's OWA may also cause a headache or two for some administrators because it adds the ability for OWA users to map to Windows shared folders -- or SharePoint sites -- anywhere on the network, not just on the Exchange server. So after logging in to OWA, users can potentially view documents in any shared folder on the domain that they would have permission to access -- from, say, Windows Explorer.
On the surface, this is a very nice function that used to be available to a remote user only via VPN. The security implications are, of course, a different question. OWA fetches the documents on the user's behalf, so if an OWA credential is phished or guessed, the bad guys get not only e-mail and Exchange public folders but potentially the ability to read data anywhere on the network that the user could read. Microsoft says this feature will be disabled by default in the production version of Exchange 2007, but once it's enabled there are, in the build we tested, no additional blocks between OWA access and shares, so the headache will remain.
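As an added example (not from the article, and not Microsoft's code), this script audits and locks down OWA's reach into file shares and SharePoint sites on every OWA virtual directory. It assumes the Exchange 2007 release parameter names on `Set-OwaVirtualDirectory` (`UNCAccessOnPublicComputersEnabled`, `RemoteDocumentsAllowedServers` and friends); the Beta 2 build the review tested may not expose them, and the file-server names are placeholders.

```powershell
# Added example; not code from the article or from Microsoft. Assumption: the
# Exchange 2007 release parameter names for Set-OwaVirtualDirectory; the Beta 2
# build reviewed may differ. The server names are placeholders.

$AllowedFileServers = @("fs01.corp.example.com", "sp01.corp.example.com")  # assumed

function Get-OwaDocumentAccessPosture {
    # One row per OWA virtual directory, so drift between servers is visible.
    Get-OwaVirtualDirectory | Select-Object Server, Name,
        UNCAccessOnPublicComputersEnabled, UNCAccessOnPrivateComputersEnabled,
        WSSAccessOnPublicComputersEnabled, WSSAccessOnPrivateComputersEnabled,
        RemoteDocumentsActionForUnknownServers,
        RemoteDocumentsAllowedServers, RemoteDocumentsBlockedServers
}

function Set-OwaDocumentAccessLockdown {
    param([string[]] $AllowedServers, [switch] $DisableEntirely)
    foreach ($vdir in Get-OwaVirtualDirectory) {
        if ($DisableEntirely) {
            # The posture the article says production will default to: no
            # reach from an OWA session into shares or SharePoint at all.
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -UNCAccessOnPublicComputersEnabled $false `
                -UNCAccessOnPrivateComputersEnabled $false `
                -WSSAccessOnPublicComputersEnabled $false `
                -WSSAccessOnPrivateComputersEnabled $false
        } else {
            # Keep the feature for sessions that claimed "private computer"
            # at logon, but replace "any server the user can read" with an
            # explicit allow list; servers not on the list are blocked.
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -UNCAccessOnPublicComputersEnabled $false `
                -WSSAccessOnPublicComputersEnabled $false `
                -UNCAccessOnPrivateComputersEnabled $true `
                -WSSAccessOnPrivateComputersEnabled $true `
                -RemoteDocumentsActionForUnknownServers Block `
                -RemoteDocumentsAllowedServers $AllowedServers
        }
    }
}

# Before, change, after: the second listing is what you keep for the audit file.
Get-OwaDocumentAccessPosture | Format-Table -AutoSize
Set-OwaDocumentAccessLockdown -AllowedServers $AllowedFileServers
Get-OwaDocumentAccessPosture | Format-Table -AutoSize
```

Two caveats on what this buys you. The public/private distinction is whatever the user ticks on the OWA logon form, so an attacker with a stolen password simply ticks "private"; treat the public-computer settings as a convenience and the allow list plus the unknown-server block as the real control. The allow list is by server name, not by share, and does nothing about NTFS permissions: a compromised account still reads everything that account can read on the listed servers, which is exactly why the article's headache does not go away, only shrinks.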
Fat-client fun
While OWA was developed by the Exchange team, the Office 2007 team has added some new features of its own in Outlook 2007. We installed the beta of Outlook 2007 on a Windows XP workstation and connected to our Exchange 2007 machine. Two synergies come out of this union: the aforementioned faster searching and a new feature called auto-discover.
With auto-discover, users don't need to know a server and mailbox name to configure their Outlook profile -- or rather, their administrators don't need to know them. Now, you just fire up Outlook for the first time, enter a user name and password, and Outlook will find and communicate directly with Exchange to determine where the mailbox is located. In a large network, this can save quite a bit of legwork for the desktop support staff.
If you want to try this in your own beta evaluation, be aware that during our test, this function did not work until we configured certificate services and SSL. According to Microsoft, in the production release, SSL will be recommended but optional. Even after auto-discover started working, however, we found that it still allowed us to open a mailbox without a password, simply by knowing the e-mail address. Microsoft said this appears to be a bug. We agree.
Mail on the road
The joys of Windows Mobility have come a long way. To prove it, Microsoft kindly provided us with an i-Mate K-JAM smartphone running Windows Mobile 5.0. Microsoft is very clearly chasing the BlackBerry grail, turning the combination of Windows Mobile and Exchange into a solid e-mail push combination.
First, all the iMate had to do was connect to Cingular's wireless data service. Afterward, pushing e-mail to and from the Exchange server was a simple task that happened with more-than-acceptable speed. In Exchange, this new functionality is housed in its native gateway, handling not only mailbox synchronisation but calendaring and contacts as well. Functionality overall was similar to RIM's BlackBerry.
The upgrade decision
Overall, Exchange 2007 is a very likeable upgrade. The new management interface is somewhat reorganised; and while Microsoft did succeed in making it a mite cleaner overall, the UI most likely won't save you much real time in day-to-day work. On the other hand, the addition of the command-line management shell may very well help you recoup some of your workday. Indeed, the Exchange Management Shell may be worth the upgrade all by itself for some folks.
Microsoft's addition of server roles in Exchange 2007 is a slightly bumpier road. For new installations, it's a very obvious step up. For folks with existing e-mail infrastructures that will need to migrate to Exchange 2007, it may add some complexity.
In the end, users may enjoy the benefits of Exchange 2007 as much as e-mail administrators will. OWA and Windows Mobility both seem like "nice-to-haves" at first blush, but both have powerful long-term potential. The 2007 OWA interface is so good that the concept of thin-client computing actually becomes feasible for enterprise e-mail. And although Windows Mobile 5.0 may take some time to overtake the BlackBerry, all the technology components to enable that to happen are here and working in Exchange 2007.
If there's anything we really don't like about Exchange 2007, it's got to be the sudden move toward x64-only. Sure, we were expecting it, and it's probably even a good idea in the long run, but Redmond's really throwing early adopters a curveball here by releasing a 64-bit-only e-mail server before it releases Longhorn. That means Windows Server 2003 x64 until Longhorn arrives, followed by more OS migration migraines. The timing could have been better.
That gripe aside, Exchange 2007 Beta 2 represents a solid evolutionary step up from the existing platform. And if Microsoft fixes the security bugs we found, Exchange 2007 can reduce administrators' malware worries and improve users' e-mail experience in one swoop.
Opinion: Exchange as a gateway?
By Jamie Bernstein and Oliver Rist
Nobody with an ounce of security sense would expose an e-mail server sitting behind the firewall directly to the Internet. That's one reason why, around the time the firewall was invented, the DMZ was born. A DMZ is a network segment that sits between two firewalls: one facing the dangerous Internet and the other protecting the safe interior of the LAN. If the SMTP gateway is kept in the DMZ, the risk of a hacker taking over the mail server and using it as a jumping-off point to attack the rest of the network is reduced by that extra firewall.
Until recently, Exchange wasn't really suited for edge server duty in the DMZ, because an Exchange SMTP relay server required a full Exchange implementation, with all of the associated overhead and licence costs, when all that was required was a mail gateway to relay between outside and inside.
As a result, many organisations that run Exchange internally have been opting for an open source e-mail server to act as their SMTP gateway. Common choices include Sendmail or Postfix running on Linux. These free, open source choices can be bundled with antivirus and antispam packages to create a full e-mail security gateway.
Exchange 2007, however, introduces the Edge Transport Server role. This is a modified Exchange installation that includes only functions that need to run on a gateway server. And, more important, the server does not need to be a member of the Active Directory domain, so a compromised gateway hands an attacker no domain credentials to pivot with. Instead, it keeps a local copy of recipient and configuration data in ADAM (Active Directory Application Mode), replicated one way from Active Directory into the DMZ by the EdgeSync service. In short, e-mail that is not addressed to a valid Exchange mailbox is rejected at the gateway, rather than coming all the way to the destination server.
But does that really mean it's time to give up Postfix and go all-Redmond, all the time? Microsoft sure makes a good case for it. For one, the role does a lot more than basic SMTP relay. Antivirus and antispam functions are part of the Edge Transport server role, assuming the Exchange enterprise licence has been purchased, and you can get it as either an in-house software purchase or as part of the Exchange Hosted Filtering Service, similar to the type of off-site e-mail filtering provided by MessageLabs.
An especially nice feature is the safe-sender function. When an Outlook user chooses to flag a specific sender as either "safe" or "blocked", this information is now distributed to the Edge Server. This means that blocked e-mail, on a per-user basis, can now be denied at the gateway as well. Conversely, a sender known to be safe can be allowed through the antispam filter. And it is handled per user; Bob's blocked sender can be Alice's safe sender.
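As an added example (not code from the article, and not Microsoft's), the script below wires up the two gateway features described above: recipient validation against the ADAM copy of the recipient list, so mail to unknown addresses is refused at the edge, and per-user Outlook safe-sender lists propagated to the Edge server. It assumes the Exchange 2007 release cmdlet names (`New-EdgeSubscription`, `Start-EdgeSynchronization`, `Set-RecipientFilterConfig`, `Update-SafeList`), which the Beta 2 build reviewed may not match, and the AD site name and file path are placeholders. It propagates the Safe Senders list; check your build's `Update-SafeList -Type` values for what else it can carry.

```powershell
# Added example; not code from the article or from Microsoft. Assumed, not
# from the article: the Exchange 2007 release cmdlet names (Beta 2 may
# differ), the AD site name and the subscription file path.

$SubscriptionFile = "C:\EdgeSubscription.xml"   # assumed; copied Edge -> Hub
$HubSite          = "Default-First-Site-Name"   # assumed AD site of the Hub

# ---- On the Edge Transport server (DMZ, not domain-joined) ----
function Export-EdgeSubscriptionFile {
    # The file carries the credential the Hub will use to write into ADAM:
    # copy it to the Hub over an authenticated channel, then delete it here.
    New-EdgeSubscription -FileName $SubscriptionFile
}

# ---- On a Hub Transport server inside the domain ----
function Import-EdgeSubscriptionAndSync {
    # Import for this AD site, push recipients and configuration now rather
    # than waiting for the EdgeSync timer, verify, and remove the file.
    New-EdgeSubscription -FileName $SubscriptionFile -Site $HubSite
    Remove-Item $SubscriptionFile
    Start-EdgeSynchronization
    Test-EdgeSynchronization
}

# ---- Back on the Edge Transport server, after the first sync succeeded ----
function Enable-EdgeRecipientValidation {
    # Refuse RCPT TO for addresses not present in ADAM. Turning this on
    # before the first synchronisation completes refuses all inbound mail,
    # because the recipient list in ADAM starts out empty.
    Set-RecipientFilterConfig -RecipientValidationEnabled $true
    Get-RecipientFilterConfig | Format-List RecipientValidationEnabled
}

# ---- On a Hub/Mailbox server, as a scheduled task (daily is typical) ----
function Publish-UserSafeLists {
    # Hash each mailbox's Outlook Safe Senders list onto the user object in
    # Active Directory; EdgeSync carries the hashes to ADAM, where the Edge
    # anti-spam agents consult them per recipient. Exchange 2007 does not run
    # this on its own, so without the schedule the edge copies go stale.
    Get-Mailbox -ResultSize Unlimited | Update-SafeList -Type SafeSenders
    Start-EdgeSynchronization
}

# Run in order: Export-EdgeSubscriptionFile (Edge), Import-EdgeSubscriptionAndSync
# (Hub), Enable-EdgeRecipientValidation (Edge), then schedule Publish-UserSafeLists (Hub).
```

The ordering matters for the same reason the feature is attractive: once validation is on, the Edge server's answer at RCPT TO is only as good as its last sync, so a broken EdgeSync stops mail for any mailbox created since. Monitor `Test-EdgeSynchronization` rather than discovering it from bounce complaints.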
So with all these new features, why consider using anything else as your SMTP relay server? Cost. Microsoft's not requiring another Exchange server licence, and you'll already have the Exchange CALs (client access licences), but you will need a new Windows 2003 server licence. Antivirus and antispam also cost extra, with the hosted version requiring monthly fees. Also note Exchange 2007's requirement for 64-bit hardware.
If those numbers don't bother your budget, however, then the Edge Transport Server role fills a significant gap in Exchange functionality and adds a few Exchange-only features that would be harder to configure using a third-party solution.
[Sidebar]
Top 10 new features of Exchange 2007
1. Server roles: A new modular system that configures Exchange as one (or more) of five basic server roles. Choosing a role means enabling only the features that role needs, which shrinks the attack surface that the unused features would otherwise expose.
2. WebReady Document Viewing: A new OWA option renders Office documents (Word, Excel, PowerPoint) and PDFs received as attachments or stored in public folders as HTML, so they can be read even if Office isn't installed on the client PC. The conversion runs on the Client Access server, so the attachment is parsed there rather than on the client.
3. Exchange Management Shell: The PowerShell scripting language, specifically optimised for Exchange, offers potent new tools for the day-to-day e-mail administrator.
4. Exchange ActiveSync: Improved direct push e-mail ensures ActiveSync clients receive messages on server connect. Other mobile-friendly features include inline message fetch -- the ability to download long attachments without reloading the entire message -- and information rights management, which allows users with proper authority to view protected messages without being connected to a server.
5. Exchange Forefront and Exchange Hosted Services: Forefront is a rebranding of the Antigen antivirus/antispam products acquired from Sybari, which together provide a quality local security gateway. The Exchange Hosted Services version, available by subscription, delivers additional security, archiving, and continuity.
6. Outlook Web Access: The latest OWA client is a near-perfect clone of the Outlook 2003 desktop interface. Features and views are nearly the same, and performance is excellent. Incredibly, thin-client deployment becomes a real option.
7. Outlook auto-discover: Exchange 2007 combined with Outlook 2007 means administrators will no longer need to walk to client desktops to configure Outlook access to a specific account location. Users simply enter their user names and passwords, and Outlook automatically finds local Exchange servers, locates the proper e-mail account, and sets up access.
8. Smart scheduling: The addition of Scheduling Assistant and Calendar Attendant means that Exchange tracks not only the schedules of all meeting invitees but also the availability of meeting rooms and can manage all of this on the server, so meetings can be fully scheduled without everyone's Outlook client being connected.
9. Improved search: A rewritten search algorithm noticeably boosts the speed at which Outlook can find specific messages in large message stores. Administrators can access the same fast indexing in multiple-mailbox searches.
10. Bundled encryption: Exchange can now automatically encrypt all e-mail messages sent within the local organisation. It also supports opportunistic TLS (Transport Layer Security) for SMTP with outside hosts, using a self-signed certificate generated at setup, as long as the other host supports TLS. If it does not, delivery falls back to plaintext, and because the default certificate is self-signed, opportunistic TLS protects against eavesdropping on the wire but does not verify who the remote host is.