Four types of add-on products plug gaps in Exchange functionality
Administrators and users often want to add capabilities to their packaged software. Microsoft delivers on some—but not all—of its customers' requests for new features, leaving a functionality hole for third-party vendors to fill with add-on software products. As with other Microsoft products, a rich set of third-party add-ons complement Microsoft Exchange Server 2003 and Exchange 2000 Server.
Microsoft refers to an "ecosystem" that encompasses its server products. The Exchange ecosystem includes application developers and vendors whose add-ons fill functionality gaps in Exchange. Like a coral reef, the Exchange ecosystem is quite rich and complex. (In that simile, I suppose that Exchange is the great white shark.) Here, I look at four categories that make up an important subset of Exchange add-on software: antivirus, antispam, backup and recovery, and document management. For each category, I explain how to choose a product, provide questions you should ask when evaluating a particular product, and supply a partial list of vendors.
Antivirus Software
With exploits such as CodeRed, MyDoom, and SQL Slammer still fresh in your mind, you can easily see why antivirus software for Exchange is popular. Although Exchange doesn't scan for or eliminate viruses, it provides the antivirus API (AVAPI), which third-party products can use to access Exchange messages and attachments. To protect your Exchange mail system from viruses, you must use third-party antivirus products.
Effective antivirus protection requires multiple layers of defense. Ideally, your Exchange environment should have three tiers of protection. The first tier is a gateway scanner that checks all incoming and outgoing messages for viruses. A gateway scanner operates on the principles that preventing viruses from entering your network offers the best protection and that you should block outbound viruses before they spread to other networks, such as those of your customers and business partners. You typically run a gateway scanner on a system that you keep separate from your mailbox servers.
Some gateway scanners work by acting as SMTP proxy servers; they accept messages and then scan them, passing on clean messages to your Exchange SMTP bridgehead server. Other products use the Exchange event sink mechanism to access the Exchange SMTP service and scan messages. A few gateway scanners support Exchange 2003's updated AVAPI 2.5, which lets them check messages passing through an Exchange 2003 front-end server. Examples of gateway scanners include the CipherTrust IronMail appliance, Trend Micro's InterScan VirusWall, and Tumbleweed Communications' Tumbleweed Email Firewall.
The second layer of antivirus defense includes Exchange-aware scanners that use various methods to scan the messages sent to, and received by, recipients in the mailbox or public folder databases on your Exchange mailbox servers. Don't use conventional file-based antivirus tools (i.e., tools that aren't Exchange-aware) on your Exchange server's database, log, and queue directories or on the M pseudodrive. Such tools often damage or corrupt databases while attempting to remove viruses, and they sometimes falsely detect viruses in logs and queue files. Using file-based scanners on the Windows and Exchange binaries is all right; just keep the scanners away from \exchsrvr\mdbdata.
Exchange-aware scanners can use the Messaging API (MAPI) or AVAPI to scan messages in the Exchange Store. In general, AVAPI-based scanners offer much better performance than MAPI-based scanners but lack some of the MAPI-based scanners' functionality. The difference in functionality isn't the scanners' fault; some operations, such as deleting an infected message, are impossible with early versions of AVAPI. Some scanning products, such as Sybari Software's Antigen for Microsoft Exchange, hook directly into the Extensible Storage Engine (ESE) DLL, which lets them access the database directly and provides excellent performance. Although Microsoft previously didn't support such scanners, the company's current position is more lenient: If you have a problem with ESE and you use an ESE-based scanner, you must temporarily disable the scanner to obtain help from Microsoft Product Support Services (PSS). However, in my experience, scanners that use the ESE DLL are robust. Trend Micro's ScanMail for Microsoft Exchange and Symantec Mail Security for Microsoft Exchange are other examples of Exchange-aware scanners. (Table 1 lists contact information for Exchange add-on vendors I mention in this article. For a more complete list of Exchange add-on vendors, see the Microsoft Exchange Server Partner Products Web site at http://www.microsoft.com/exchange/partners/e2ksolutions.asp.)
The third layer of antivirus defense is the ubiquitous desktop-based antivirus scanner. You should install antivirus scanners on all your desktop systems to head off viruses that penetrate your network from the Internet, infected laptops that connect to your network, or infected files that are loaded onto a network system. Perimeter- and Exchange-based scanners don't block these desktop-borne infections. You're probably familiar with desktop antivirus scanners, such as Network Associates' McAfee VirusScan and Symantec's Norton AntiVirus.
Regardless of the type of Exchange antivirus product you need, you should ask the following questions when evaluating products:
Antispam Software
Despite the CAN-SPAM Act of 2003, which took effect in January 2004 and restricts (but doesn't ban) unsolicited commercial email (UCE) messages, antispam software is still a necessity for businesses. The exact economic impact of spam is hard to quantify, but its annoyance factor is obvious.
As with antivirus tools, you can deploy spam filters in three primary tiers. Desktop-based filters, such as the filter in Microsoft Office Outlook 2003, work well for individual users but have one notable disadvantage for Exchange administrators: They don't stop spam until after it's delivered to a mailbox.
The distinction between network perimeter and Exchange-server-based spam filters is based largely on how your network is set up. If you permit SMTP traffic from the Internet directly to your Exchange mailbox server (as you might if you have only a few servers), the two tiers are really the same. However, large organizations more commonly have dedicated SMTP servers that handle inbound traffic and distribute it to mailbox servers inside the network perimeter. In either case, the idea behind the scanner is to trap spam before it reaches users' mailboxes. Many products can operate as either gateway or Exchange spam filters; examples include GFI MailEssentials for Exchange/SMTP and Nemx's Power Tools for Exchange Server. Microsoft's Exchange Intelligent Message Filter, which will ship later this year and is available only to customers enrolled in the Microsoft Software Assurance (SA) program, is a pure Exchange filter. NetIQ MailMarshal SMTP is a gateway-only product.
Spam-filtering tools use a variety of technologies. Simple keyword filters catch some spam messages by looking for terms commonly associated with spam (we all know what those are), as do tools that identify forged headers or filter messages based on a list of IP addresses of known or suspected spammers. More sophisticated tools attempt to determine whether a message is spam by using Bayesian filtering or by comparing the message characteristics against a centralized database of spam messages that users have reported. (The Bayesian approach uses probability to infer that a new message is likely to be spam if it contains text that in the past appeared often in spam but rarely in legitimate messages.) Each spam-filtering method has its strengths; a good filtering tool lets you combine multiple methods. For example, NetIQ MailMarshal SMTP supports header checking and keyword analysis and allows some additional heuristic rules. Exchange Intelligent Message Filter uses a state vector engine that acts like a Bayesian filter but doesn't require you to train the filter (i.e., initially input a certain amount of data) as Bayesian filters do.
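The Bayesian inference described above, and why such a filter needs training first, as a minimal sketch. This is an added example, not code from any product named in this article; the training messages, class name, and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample messages (not real mail): (text, is_spam).
TRAINING = [
    ("cheap pills buy now limited offer", True),
    ("win money now click this offer", True),
    ("buy cheap watches click now", True),
    ("meeting agenda for the budget review", False),
    ("please review the attached project report", False),
    ("lunch on friday after the staff meeting", False),
]

def tokens(text):
    """Distinct lowercase words; each word counts once per message."""
    return set(re.findall(r"[a-z']+", text.lower()))

class BayesFilter:
    def __init__(self):
        self.docs = {True: 0, False: 0}                  # messages seen per class
        self.seen = {True: Counter(), False: Counter()}  # messages containing each word

    def train(self, text, is_spam):
        self.docs[is_spam] += 1
        self.seen[is_spam].update(tokens(text))

    def _p_word(self, word, is_spam):
        # Laplace smoothing keeps an unseen word from forcing the result to 0 or 1.
        return (self.seen[is_spam][word] + 1) / (self.docs[is_spam] + 2)

    def spam_probability(self, text):
        # Without examples of both classes there is nothing to infer from.
        if not (self.docs[True] and self.docs[False]):
            return 0.5
        log_odds = math.log(self.docs[True] / self.docs[False])
        for word in tokens(text):
            if word in self.seen[True] or word in self.seen[False]:
                log_odds += math.log(self._p_word(word, True) / self._p_word(word, False))
        return 1 / (1 + math.exp(-log_odds))

def trained_filter():
    f = BayesFilter()
    for text, is_spam in TRAINING:
        f.train(text, is_spam)
    return f

if __name__ == "__main__":
    f = trained_filter()
    for msg in ("buy cheap pills now", "budget review meeting on friday", "quarterly numbers"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

A message made up only of words the filter has never seen scores 0.5, which is why a filter of this kind gives no useful verdicts until it has been trained on both spam and legitimate mail.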
Exchange itself also provides a filtering capability. Exchange Server 5.5 and later can block messages according to the sender's IP or domain address. Exchange 2003 and Exchange 2000 can disallow messages to certain recipients, and Exchange 2003 provides support for DNS-based block lists (i.e., lists of IP addresses used by known or suspected spam sources) and expanded sender and recipient filtering. Exchange 2003 also supports the spam confidence level (SCL) property on inbound messages; spam filters set the SCL to indicate how "spamlike" a message is. The Store and email client can then decide whether to throw away the message, file it in the user's Junk Mail folder, or treat it as regular mail.
Spam-filtering solutions vary widely in capability, cost, and stability. As you evaluate antispam add-on software, ask the following questions:
Backup and Recovery Software
Exchange includes a backup and recovery solution: the venerable NTBackup utility (originally written by VERITAS Software, maker of VERITAS NetBackup and VERITAS BackupExec). When you install Exchange 5.5 or later on a server, Exchange automatically updates the local version of NTBackup with new DLLs that make NTBackup Exchange-aware. The Exchange-aware version of NTBackup can use a special set of APIs that let you back up mailbox and public folder databases online. NTBackup is free, easy to use, and well supported. However, its functionality is limited compared with most Exchange-aware commercial backup tools. NTBackup doesn't let you easily schedule Exchange backups, back up individual mailboxes, or back up more than one storage group (SG) in parallel. Also, NTBackup provides no real interface for handling multiple-tape backup sets (much less tape changers, libraries, or robots).
Because Exchange provides a backup API set that any vendor can use, the mechanics of backing up are essentially the same in all Exchange-aware backup programs. You select the databases and SGs you want to back up, where you want the backup stored, and when you want the backup to happen.
The actual mechanics of restoring data vary somewhat according to the version of Exchange you use; whether you're restoring a database, an entire SG, or a complete server; and the type of backup you created. However, all Exchange-aware backup products work more or less the same way: They read database pages and transaction logs from the backup medium and pass the transactions to ESE for playback after all logs are restored.
The most important consideration when evaluating backup utilities is to ensure that they're Exchange-aware. Computer Associates (CA), LEGATO Software (formerly Legato Systems), UltraBac Software, and VERITAS offer Exchange-aware backup products. Typically, you must buy an additional Exchange agent for such products. Additional questions to ask when evaluating Exchange backup products include the following:
Document Management Software
Microsoft shipped public folder support with Exchange 4.0 in 1996. Since then, Microsoft has zigged and zagged in its recommendations for using public folders. Many organizations use Exchange public folders as an ad hoc document management system, either by dumping documents into public folders or creating scripts and tools that help make document workflow orderly and predictable. Rather than use the APIs and tools that Microsoft ships with Exchange to create customized (and thus expensive-to-maintain) document management solutions, companies are increasingly turning to third-party vendors to implement such solutions. Although Microsoft has positioned Microsoft SharePoint Portal Server as its preferred solution for document management, you can also find document management add-ons for Exchange from vendors such as Achiever Business Solutions, 80-20 Software, IXOS, and Open Text.
The key impetus for document management varies from business to business. Some companies deploy document management systems to obtain the indexing and document-location features such systems typically offer; other companies want to construct workflows with multiple stages, approvals, and review cycles. When you evaluate a document management system, ask the following questions:
Although Exchange is a capable and flexible messaging, calendaring, and collaboration system, it might not do everything you want it to do. You can substantially extend Exchange's usefulness in your organization with the right combination of third-party add-on products.