Administrators and users often want to add capabilities to their packaged software. Microsoft delivers on some—but not all—of its customers' requests for new features, leaving a functionality hole for third-party vendors to fill with add-on software products. As with other Microsoft products, a rich set of third-party add-ons complement Microsoft Exchange Server 2003 and Exchange 2000 Server.

Microsoft refers to an "ecosystem" that encompasses its server products. The Exchange ecosystem includes application developers and vendors whose add-ons fill functionality gaps in Exchange. Like a coral reef, the Exchange ecosystem is quite rich and complex. (In that simile, I suppose that Exchange is the great white shark.) Here, I look at four categories that make up an important subset of Exchange add-on software: antivirus, antispam, backup and recovery, and document management. For each category, I explain how to choose a product, provide questions you should ask when evaluating a particular product, and supply a partial list of vendors.

Antivirus Software
With exploits such as CodeRed, MyDoom, and SQL Slammer still fresh in your mind, you can easily see why antivirus software for Exchange is popular. Although Exchange doesn't scan for or eliminate viruses, it provides the antivirus API (AVAPI), which third-party products can use to access Exchange messages and attachments. To protect your Exchange mail system from viruses, you must use third-party antivirus products.

Effective antivirus protection requires multiple layers of defense. Ideally, your Exchange environment should have three tiers of protection. The first tier is a gateway scanner that checks all incoming and outgoing messages for viruses. A gateway scanner operates on the principles that preventing viruses from entering your network offers the best protection and that you should block outbound viruses before they spread to other networks, such as those of your customers and business partners. You typically run a gateway scanner on a system that you keep separate from your mailbox servers.

Some gateway scanners work by acting as SMTP proxy servers; they accept messages and then scan them, passing on clean messages to your Exchange SMTP bridgehead server. Other products use the Exchange event sink mechanism to access the Exchange SMTP service and scan messages. A few gateway scanners support Exchange 2003's updated AVAPI 2.5, which lets them check messages passing through an Exchange 2003 front-end server. Examples of gateway scanners include the CipherTrust IronMail appliance, Trend Micro's InterScan VirusWall, and Tumbleweed Communications' Tumbleweed Email Firewall.

The second layer of antivirus defense includes Exchange-aware scanners that use various methods to scan the messages sent to, and received by, recipients in the mailbox or public folder databases on your Exchange mailbox servers. Don't use conventional file-based antivirus tools (i.e., tools that aren't Exchange-aware) on your Exchange server's database, log, and queue directories or on the M pseudodrive. Such tools often damage or corrupt databases while attempting to remove viruses, and they sometimes falsely detect viruses in logs and queue files. Using file-based scanners on the Windows and Exchange binaries is all right; just keep the scanners away from \exchsrvr\mdbdata.

Exchange-aware scanners can use the Messaging API (MAPI) or AVAPI to scan messages in the Exchange Store. In general, AVAPI-based scanners offer much better performance than MAPI-based scanners but lack some of the MAPI-based scanners' functionality. The difference in functionality isn't the scanners' fault; some operations, such as deleting an infected message, are impossible with early versions of AVAPI. Some scanning products, such as Sybari Software's Antigen for Microsoft Exchange, hook directly into the Extensible Storage Engine (ESE) DLL, which lets them access the database directly and provides excellent performance. Although Microsoft previously didn't support such scanners, the company's current position is more lenient: If you have a problem with ESE and you use an ESE-based scanner, you must temporarily disable the scanner to obtain help from Microsoft Product Support Services (PSS). However, in my experience, scanners that use the ESE DLL are robust. Trend Micro's ScanMail for Microsoft Exchange and Symantec Mail Security for Microsoft Exchange are other examples of Exchange-aware scanners. (Table 1 lists contact information for Exchange add-on vendors I mention in this article. For a more complete list of Exchange add-on vendors, see the Microsoft Exchange Server Partner Products Web site at

The third layer of antivirus defense is the ubiquitous desktop-based antivirus scanner. You should install antivirus scanners on all your desktop systems to head off viruses that penetrate your network from the Internet, infected laptops that connect to your network, or infected files that are loaded onto a network system. Perimeter- and Exchange-based scanners don't block these desktop-borne infections. You're probably familiar with desktop antivirus scanners, such as Network Associates' McAfee VirusScan and Symantec's Norton AntiVirus.

Regardless of the type of Exchange antivirus product you need, you should ask the following questions when evaluating products:

  • What tier of protection is the product suited for—gateway, mailbox server, or desktop scanner?
  • What is the vendor's track record with Exchange? How long has it shipped its Exchange antivirus product? Does the vendor support all the Exchange versions your organization uses?
  • How quickly does the vendor usually release signature updates for new viruses?
  • Can you choose which scanning engine the tool uses? Using different engines for the perimeter, Exchange server, and desktop tiers is a good idea. Different engines look for different characteristics in order to catch viruses. Therefore, combining multiple engines gives you more thorough protection when a fast-acting new virus breaches your network before a given vendor has updated its signatures.
  • How flexible are the product's virus-scanning options? Can you easily schedule scans? What happens when a scan doesn't finish during the scheduled completion period?
  • How flexible are the product's reporting and notification options? In particular, look for a way to turn off annoying "your message has a virus" notifications sent to message senders. Because MyDoom, SoBig, and other viruses forge sender and recipient addresses, such notifications flood innocent users with warnings about messages they didn't actually send.

Antispam Software
Despite the CAN-SPAM Act of 2003, which took effect in January 2004 and restricts (but doesn't ban) unsolicited commercial email (UCE) messages, antispam software is still a necessity for businesses. The exact economic impact of spam is hard to quantify, but its annoyance factor is obvious.

As with antivirus tools, you can deploy spam filters in three primary tiers. Desktop-based filters, such as the filter in Microsoft Office Outlook 2003, work well for individual users but have one notable disadvantage for Exchange administrators: They don't stop spam until after it's delivered to a mailbox.

The distinction between network perimeter and Exchange-server-based spam filters is based largely on how your network is set up. If you permit SMTP traffic from the Internet directly to your Exchange mailbox server (as you might if you have only a few servers), the two tiers are really the same. However, large organizations more commonly have dedicated SMTP servers that handle inbound traffic and distribute it to mailbox servers inside the network perimeter. In either case, the idea behind the scanner is to trap spam before it reaches users' mailboxes. Many products can operate as either gateway or Exchange spam filters; examples include GFI MailEssentials for Exchange/SMTP and Nemx's Power Tools for Exchange Server. Microsoft's Exchange Intelligent Message Filter, which will ship later this year and is available only to customers enrolled in the Microsoft Software Assurance (SA) program, is a pure Exchange filter. NetIQ MailMarshal SMTP is a gateway-only product.

Spam-filtering tools use a variety of technologies. Simple keyword filters catch some spam messages by looking for terms commonly associated with spam (we all know what those are), as do tools that identify forged headers or filter messages based on a list of IP addresses of known or suspected spammers. More sophisticated tools attempt to determine whether a message is spam by using Bayesian filtering or by comparing the message characteristics against a centralized database of spam messages that users have reported. (The Bayesian approach uses probability to infer that a new message is likely to be spam if it contains text that in the past appeared often in spam but rarely in legitimate messages.) Each spam-filtering method has its strengths; a good filtering tool lets you combine multiple methods. For example, NetIQ MailMarshal SMTP supports header checking and keyword analysis and allows some additional heuristic rules. Exchange Intelligent Message Filter uses a state vector engine that acts like a Bayesian filter but doesn't require you to train the filter (i.e., initially input a certain amount of data) as Bayesian filters do.
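The Bayesian approach described above, as an added example that is not part of the original article and is not any vendor's code: a small naive Bayes filter that must be trained before it can score anything. The class name, the smoothing choice, and the training messages are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")

def tokenize(text):
    """Return the set of distinct lower-cased tokens in a message."""
    return set(TOKEN.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.msgs = {"spam": 0, "ham": 0}  # messages trained per class
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing token

    def train(self, text, label):
        self.msgs[label] += 1
        self.seen[label].update(tokenize(text))

    def _p(self, token, label):
        # Laplace-smoothed fraction of `label` messages that contain `token`.
        return (self.seen[label][token] + 1) / (self.msgs[label] + 2)

    def spam_probability(self, text):
        # Prior odds, then each known token's log-likelihood ratio.
        log_odds = math.log((self.msgs["spam"] + 1) / (self.msgs["ham"] + 1))
        for tok in tokenize(text):
            if tok not in self.seen["spam"] and tok not in self.seen["ham"]:
                continue  # never seen in training: carries no evidence
            log_odds += math.log(self._p(tok, "spam") / self._p(tok, "ham"))
        return 1 / (1 + math.exp(-log_odds))

# Constructed training corpus (not real mail).
CORPUS = {
    "spam": [
        "Cheap meds online, no prescription needed",
        "You are a winner! Claim your free prize now",
        "Lowest mortgage rates, act now, free quote",
        "Free prize inside, click now to claim",
    ],
    "ham": [
        "Meeting moved to 3pm, agenda attached",
        "Quarterly backup report for the Exchange server attached",
        "Can you review the storage group restore plan before the meeting",
        "Lunch on Friday? The new place by the office",
    ],
}

def build_filter():
    f = BayesFilter()
    for label, messages in CORPUS.items():
        for m in messages:
            f.train(m, label)
    return f
```

An untrained filter, or a message made up entirely of words the filter has never seen, scores exactly 0.5, which is why the size and relevance of the training corpus matter when you evaluate a Bayesian product.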

Exchange itself also provides a filtering capability. Exchange Server 5.5 and later can block messages according to the sender's IP or domain address. Exchange 2003 and Exchange 2000 can disallow messages to certain recipients, and Exchange 2003 provides support for DNS-based block lists (i.e., lists of IP addresses used by known or suspected spam sources) and expanded sender and recipient filtering. Exchange 2003 also supports the spam confidence level (SCL) property on inbound messages; spam filters set the SCL to indicate how "spamlike" a message is. The Store and email client can then decide whether to throw away the message, file it in the user's Junk Mail folder, or treat it as regular mail.

Spam-filtering solutions vary widely in capability, cost, and stability. As you evaluate antispam add-on software, ask the following questions:

  • How adjustable is the filtering software? Can you tweak the filter by training it against a corpus of messages (for Bayesian filters), adjusting the keywords it uses, or changing other parameters?
  • How easily can you update the list of blocked and trusted senders? As users subscribe to newsletters and other outside sources of email, you don't want to spend a lot of time updating your filter.
  • Does the vendor offer automatic updates to its filters? Automatic filter updating increases the chances that your filter will catch new spam tactics without your intervention.
  • What can you do with filtered messages? Being able to delete them is good, but the ability to review them first is better. Best of all is the ability to segregate messages by user to let users review their own spam messages—so that you don't have to review hundreds (or thousands) of messages.
  • Could you obtain better filtering by using a hosted spam-filtering service such as those offered by Brightmail (Brightmail Anti-Spam, which is also available as an add-on product) or MessageLabs (SkyScan AS)? A hosted spam-filtering service filters mail before it gets to your bridgehead server, greatly lowering your administrative costs in exchange for monthly or yearly service agreements.

Backup and Recovery Software
Exchange includes a backup and recovery solution: the venerable NTBackup utility (originally written by VERITAS Software, maker of VERITAS NetBackup and VERITAS BackupExec). When you install Exchange 5.5 or later on a server, Exchange automatically updates the local version of NTBackup with new DLLs that make NTBackup Exchange-aware. The Exchange-aware version of NTBackup can use a special set of APIs that let you back up mailbox and public folder databases online. NTBackup is free, easy to use, and well supported. However, its functionality is limited compared with most Exchange-aware commercial backup tools. NTBackup doesn't let you easily schedule Exchange backups, back up individual mailboxes, or back up more than one storage group (SG) in parallel. Also, NTBackup provides no real interface for handling multiple-tape backup sets (much less tape changers, libraries, or robots).

Because Exchange provides a backup API set that any vendor can use, the mechanics of backing up are essentially the same in all Exchange-aware backup programs. You select the databases and SGs you want to back up, where you want the backup stored, and when you want the backup to happen.

The actual mechanics of restoring data vary somewhat according to the version of Exchange you use; whether you're restoring a database, an entire SG, or a complete server; and the type of backup you created. However, all Exchange-aware backup products work more or less the same way: They read database pages and transaction logs from the backup medium and pass the transactions to ESE for playback after all logs are restored.

The most important consideration when evaluating backup utilities is to ensure that they're Exchange-aware. Computer Associates (CA), LEGATO Software (formerly Legato Systems), UltraBac Software, and VERITAS offer Exchange-aware backup products. Typically, you must buy an additional Exchange agent for such products. Additional questions to ask when evaluating Exchange backup products include the following:

  • How scalable is the backup program? Some tools are meant for use on only a few servers, whereas enterprise-scale applications are optimized for large networks that have dedicated backup servers.
  • What logging and verification options does the program offer? Such options let you verify that backups occur as scheduled. A backup regime that silently fails will doom you when you need to restore your data.
  • Can the backup program use multiple tape drives simultaneously? Backing up to multiple tape drives at the same time is my favorite trick for speeding up large backups. Exchange lets you back up as many as four SGs simultaneously.
  • Does the backup program provide special support for disaster recovery? Some vendors include a "bare metal restore" option that lets you restore the OS, applications, and data files in one pass. This option can be an excellent time-saver.
  • If you use (or plan to use) Exchange 2003, does the backup program let you use the Microsoft Volume Shadow Copy Service (VSS) to make point-in-time copies of your Exchange data? Does the product support the use of Exchange 2003's recovery storage groups for faster disaster recovery?

Document Management Software
Microsoft shipped public folder support with Exchange 4.0 in 1996. Since then, Microsoft has zigged and zagged in its recommendations for using public folders. Many organizations use Exchange public folders as an ad hoc document management system, either by dumping documents into public folders or creating scripts and tools that help make document workflow orderly and predictable. Rather than use the APIs and tools that Microsoft ships with Exchange to create customized (and thus expensive-to-maintain) document management solutions, companies are increasingly turning to third-party vendors to implement such solutions. Although Microsoft has positioned Microsoft SharePoint Portal Server as its preferred solution for document management, you can also find document management add-ons for Exchange from vendors such as Achiever Business Solutions, 80-20 Software, IXOS, and Open Text.

The key impetus for document management varies from business to business. Some companies deploy document management systems to obtain the indexing and document-location features such systems typically offer; other companies want to construct workflows with multiple stages, approvals, and review cycles. When you evaluate a document management system, ask the following questions:

  • Does the product use Exchange public folders for document storage? Some systems provide Exchange- or Outlook-based add-ons that tie in with the product's own document management engine. Although such add-ons aren't necessarily detrimental, they add the overhead of a separate system that you must back up, restore, and administer.
  • Can you use the product to meet legal compliance requirements for your industry? Most of the time, you need a separate archiving or compliance product to obtain this functionality, but some document management vendors include it.
  • How much can you customize the product's workflow processing? If all you need is simple approval (i.e., a go or no-go decision at each stage), most products can comfortably meet that need. However, you might have to construct complex workflows that involve decision-making aspects such as customized actions and alternate approvers. Make sure that the product you choose works with the workflows you intend to design for it.

Extend Exchange
Although Exchange is a capable and flexible messaging, calendaring, and collaboration system, it might not do everything you want it to do. You can substantially extend Exchange's usefulness in your organization with the right combination of third-party add-on products.