Microsoft Exchange 2000 Server is much more than an email server for LAN and Internet mail. Exchange 2000 also offers a fast, lightweight Web mail interface (Microsoft Outlook Web Access—OWA), and it comes with a wide range of collaboration capabilities (in addition to the optional Exchange 2000 Conferencing Server product). Exchange 2000 offers better scalability, robustness, security, and functionality than Exchange Server 5.5, but even Exchange 2000 doesn't do everything—a thriving market exists for third-party products that fill in the gaps that Exchange leaves.

This third-party market has evolved because although Microsoft is a huge company with top-notch developers, the company can't build products to meet every possible customer need. Even if it could, good reasons exist for not doing so. It's in the company's best interest to keep vendors happy by making Exchange a platform that third parties can extend and enhance. Thus, Exchange doesn't include some messaging functions, which means you must go shopping if you want these functions. The following overview summarizes some of the most important product categories and offers suggestions for choosing the right product for your needs.

Antivirus Products
Not long ago, antivirus products were a luxury—administrators who could afford antivirus products might buy them but more out of a desire for completeness than necessity. Certainly that situation has changed: Exchange administrators now realize the importance of effective server-based antivirus protection. But knowing how these products work and what they can and can't do is valuable information when you're choosing an antivirus solution.

Antivirus products use different methods to access stored messages, and each method has strengths and drawbacks:

  • Antivirus scanners can use the familiar Messaging API (MAPI) interface to log on to each mailbox during a scan or when a message arrives at a mailbox. This method works on all Exchange versions, but it's slow and can impose a significant load on the server if you want to scan all messages in an Exchange Store database. In addition, a MAPI scanner receives notification that a new message needs to be scanned at the same time the client receives notification that the new message is available. This simultaneous notification means that a user might open the message before the antivirus software scans it. Worse still, MAPI scanners can't scan outbound SMTP mail or scan messages that POP3, IMAP4, or OWA submit.
  • Microsoft has introduced an antivirus API (AVAPI) to give antivirus software vendors a faster (than MAPI), Microsoft-supported method to access messages and attachments. The initial version of AVAPI lacked some important features that vendors need; the current versions (version 2.5 for Exchange Server 2003 and version 2.0 for Exchange 2000) let external products perform scheduled or on-demand scans of messages submitted to the Store for processing and delivery.
  • Some intrepid vendors (notably Sybari Software) reverse-engineered the Extensible Storage Engine (ESE) interfaces that Exchange uses internally so that the vendors' antivirus products have unfettered access to the Store's contents without the performance overhead that MAPI requires. Microsoft cautions that changes to the ese.dll code can break antivirus scanners that use this approach. In addition, the Microsoft article "XADM: Exchange and Antivirus Software" (http://support.microsoft.com/?
    kbid=328841) says that when you use such products, you "run the risk of database damage and data loss if there are errors in the implementation of the software." If you call Microsoft Product Support Services (PSS) for help troubleshooting an Exchange problem, PSS will likely ask you to turn off this type of antivirus scanner as part of the troubleshooting process. This precaution is understandable, but in all fairness to Sybari, its product has been remarkably stable and problem-free in the field, and, until Microsoft released AVAPI 2.0, Sybari provided the best set of scanning features. Sybari's products now support AVAPI, so those users who are worried by Microsoft's stance can do without the ESE-access layer.

Most antivirus products use a combination of access methods, which is a good strategy because it offers more flexibility. For example, AVAPI does a good job of scanning messages before email client software tries to open them, but it doesn't work as well for scheduled or manually initiated scans that look for old viruses or messages that weren't previously scanned. ESE-based scanners perform scheduled and manual scans better than AVAPI does, and even MAPI has its uses.

To effectively evaluate antivirus products, you need to decide which areas you want to protect. Exchange-based products protect your stored mail and might be able to scan the Exchange server for viruses, but they don't protect your desktops. You can buy licenses for antivirus client software and install it on each desktop. You can augment Exchange- and desktop-based protection by implementing a perimeter-based virus scanner that checks inbound and outbound messages for viruses.

Make sure you know which message types or transports a scanner can't scan. For example, I don't know of any products that can scan X.400 connector queues, and some scanners can't handle encrypted .zip files or digit-ally signed Secure MIME (S/MIME) messages. You need to know where your vulnerabilities are so that you can find a product or method that addresses them.

Find out what actions the scanner takes with messages that it flags as infected. Does the scanner simply delete those messages, or can it quarantine the messages for later inspection?

Find out how the product notifies you when it finds an infected message. Some administrators want immediate email or pager notification; other administrators want the scanner to dump quarantined messages into a public folder and send a weekly email summary report.

Be sure that the product you buy lets you start and stop scans on demand; this control lets you protect your network against new viruses by shutting down your SMTP connection, downloading the latest signature update, and scanning messages in the Store. Cost is an important factor, too, especially because you must keep virus scanners up-to-date. Find out whether your selected vendor offers discounts if you buy its desktop- or perimeter-scanning products along with Exchange, and ask how much product updates cost. You can search Usenet newsgroups or Exchange discussion forums to see how quickly scanning-product vendors react to new viruses by rolling out signature updates; some companies are faster than others. In general, my favorite antivirus products are Trend Micro's ScanMail for Microsoft Exchange and Sybari's Antigen for Exchange, both of which enjoy excellent reputations for speed, stability, and customer service.

Antispam Products
Because spam has become so prevalent and unpopular, products to combat it are increasingly in demand. An ongoing arms race is taking place between spammers and antispam product vendors, so you need to do some investigating when selecting a product to make sure your selection has the latest weaponry. Users can install client-side filtering or spam-prevention tools such as Cloudmark's SpamNet or Network Associates' McAfee SpamKiller, but the most effective way to stamp out spam is to filter incoming SMTP mail at your network perimeter. Accordingly, products that intercept incoming email messages and process them before they reach your Exchange mailboxes are probably your best choice. For example, GFI Software's GFI MailEssentials for Exchange/SMTP and Nemx Software's Power Tools for Exchange both provide scanners that can filter inbound SMTP traffic.

Selecting an appropriate antispam solution involves evaluating two functional areas: how the product determines whether an item is spam, and what the product does with the messages it labels as spam. Spam-identifying schemes include:

  • simple keyword filters that check for common spam terms in the subject line of messages. These filters are useful only if they let you change the list of common terms as spammers change their tactics.
  • scoring systems that assign points to items that are characteristic of spam (e.g., a lot of exclamation points in the subject line, common spam terms in the subject line or body, forged message headers). When a message earns a certain number of points, the product marks the message as spam. This approach works if you can adjust the number of points the product gives to various message characteristics and the number of points that marks a message as spam.
  • collaborative filters that let sites share information about spam. After a filter identifies a message as spam, it registers the message's fingerprint with a central server that other users of the same filtering software can check before accepting the message.

Each filtering approach has strengths and weaknesses, and the most useful products let you combine filtering schemes to catch the maximum number of unwanted messages. However, if you apply these tools too aggressively (or if your users send each other business-related messages about mortgages, Viagra, or radio-controlled miniracers), you might find that your antispam solution filters out some legitimate mail. Therefore, you need to select a product that lets you choose what happens to messages it tags as spam. Most products offer two choices: You can throw away the message, or you can mark the message with some type of tag that identifies it as spam and let it through the filter. The latter method is useful if you can get your users to apply mailbox-level rules (e.g., to automatically dump into a junk mail folder messages with "\[SPAM\]" in the header). Another option that some antispam products use is to quarantine spam messages in a mailbox or public folder so that users can check for legitimate messages. This approach means less work for the administrator. Spam messages remain in the quarantine folder for an administrator-defined period, and if no one claims them, the tool removes them. You can also use the quarantine feature to double-check your filter settings after you first install the product: Watch which messages the filter marks incorrectly as spam, and fine-tune your settings accordingly.

Backup and Recovery Software
Although Windows includes the capable NTBackup tool, which can back up and restore Exchange databases, the number of major third-party backup packages might surprise you. As useful as NTBackup is, it doesn't do everything. For example, it doesn't do a particularly good job of scheduling backups, and its reporting and filtering capabilities are limited. Third-party vendors have stepped in to fill the breach by offering backup software with a wide range of capabilities, from single-server backups to disk to data-center-scale backups (e.g., simultaneously backing up Exchange data from dozens of servers to a large tape library).

The fundamental question to ask when evaluating backup products for Exchange is simple: Is the product Exchange-aware? In other words, does it use the Exchange backup APIs to read and write Exchange data? Exchange-aware backup programs support online backups and provide a way to replay transaction logs when you do a restore. Many backup products don't support Exchange directly, so you have to add an Exchange agent of some kind.

After you've narrowed the field to those products that work with Exchange, you're likely to make your decision based on personal preference for a vendor. Cost can also be a factor, of course, as can the vendor's reputation for software quality and support. Because backup products are so important, I usually recommend testing prospective products in a lab environment to find out how well they work on your network and whether the administrative interface and reporting options suit your needs. Of course, you need to test restores, too, not just backups. Most small sites still use Microsoft's NTBackup utility; VERITAS Software's VERITAS BackupExec for Windows Servers (from which Microsoft developed NTBackup) and VERITAS NetBackup DataCenter.

Everything Else
Other useful products are available for use with Exchange, as well as some that appear to be useful but are often more trouble than they're worth. Here's a quick summary of some other add-on product categories:

  • Products that add disclaimers to email messages. Although not everyone agrees about the worth of these disclaimers, some firms (particularly in the UK, for some reason) insist on having them. The ideal product in this category lets you apply disclaimers to messages based on sender, recipient, or content. Most disclaimer products work with SMTP mail only; a few can also handle MAPI or X.400 mail.
  • Products that connect one POP3 mailbox to your Exchange server so that you can leverage one (usually dial-up) ISP account for an entire organization. These products work better in theory than in practice. (Microsoft includes a similar function in its Small Business Server—SBS—edition of Exchange that works fairly well.) In most situations, setting up SMTP dequeuing works better and costs less. (See the Simpler-Webb "Exchange - Dequeue" FAQ at http://www.swinc.com/resource/exch_dq.htm for more information about how to set up dequeuing.)
  • Spell-checking products for OWA 2000 and OWA 5.5. Microsoft includes a spell checker with OWA 2003, but third parties have stepped in to add spell checkers to earlier OWA versions. These tools give OWA spell-checking capabilities similar to Outlook's—a real boon to those who believe, as Andrew Jackson did, that "it's a damn poor mind that can only think of one way to spell a word." Messageware, Rupp Technology, and SpellChecker.net offer spelling checkers that plug into OWA 2000 or OWA 5.5 and provide server-side spell-checking.

Microsoft has incorporated a ton of features into Exchange since its original release. It's almost hard to recognize the original Exchange 4.0 feature set in the wealth of goodies included in Exchange 2003. However, to get the most functionality from Exchange, you might need to investigate third-party add-on programs. Fortunately, a thriving market exists for these add-on products, and as long as you check carefully the capabilities and vendor histories of the products you consider, you'll likely find just what you need.



Contact the Vendors
CLOUDMARK
Contact: SpamNet * http://www.cloudmark.com

GFI SOFTWARE
GFI MailEssentials for Exchange/SMTP * http://www.gfi.com

MESSAGEWARE
Plus Pack for Outlook Web Access
http://www.messageware.com

MICROSOFT EXCHANGE SERVER PARTNERS
Additional Information About
Third-Party Exchange Add-Ons http://www.microsoft.com/
exchange/partners

NEMX SOFTWARE
Power Tools for Exchange http://www.nemx.com/index.asp

NETWORK ASSOCIATES
McAfee SpamKiller * http://www.nai.com
RUPP TECHNOLOGY
AutoSpell for Outlook Web Access
http://www.spellchecker.com

SPELLCHECKER.NET
SpellChecker for OWA http://www.spellchecker.net

SYBARI SOFTWARE
Antigen for Exchange http://www.sybari.com/home

TREND MICRO
ScanMail for Microsoft Exchange
http://www.trendmicro.com/en/home/
us/enterprise.htm

VERITAS SOFTWARE
VERITAS BackupExec for Windows Servers,
VERITAS NetBackup DataCenter
http://www.veritas.com