Exchange upgrade earns mixed grades

Mammoth upgrade hits on management, system security and availability, but stumbles with immature antispam wares

Exchange 2007 hits on management, system security and availability.

Microsoft's recently released Exchange 2007 package is huge, literally. The reviewer's guide comprises 26,000 words, and the list of new features is 28 pages long. In this Clear Choice Test, we opted not to test every bit of code, but instead to dive deep in several critical areas important to large-scale deployments.

Overall, we found Exchange 2007's management and availability extensions are improved dramatically, and new architectural maneuvers have beefed up security, especially in the areas of compliance and e-mail policy management.

However, when we enabled Microsoft’s new antispam software on our Exchange 2007 deployment, we found that  it requires more engineering effort to compete with established vendors in that market.

Exchange 2007 is sized for the largest enterprises, because it requires 64-bit hardware. That signals that the product will need substantial hardware, software, network bandwidth and operations resources. We didn't run strenuous, repeatable benchmarks on Exchange 2007 for this features-based test.

MS antispam not on par with market leaders In our test of the new antispam features shipping with Exchange 2007, Microsoft could not keep up with the market leaders' spam-catch rates or hold false-positive rates to acceptable levels.
ProductSpam-catch rateFalse-positive rate
IronPort Anti-Spam94% to 98%0.1% to 0.4%
Symantec Brightmail94% to 96%0.2% to 0.5%
Exchange 200781% to 86%2.1% to 2.3%
Barracuda Spam Firewall79% to 84%0.4%

With Exchange 2007, Microsoft has solved one of the messaging platform's long-standing reliability issues by allowing for true database replication to independent storage subsystems. We used Exchange 2007's Cluster Continuous Replication service to build a cluster of two mailbox servers, each with independent disk storage. We turned off the cluster's active node and watched it continue to operate without a hitch.

The active/passive model consumes twice as many resources, depending on how the disk storage is replicated, but the cost of additional hardware could be low compared with the cost of losing an enterprise e-mail system.

For systems with lower transaction rates, Exchange 2007's Local Continuous Replication (LCR) service makes the same technology available on a single node. LCR lets the user keep two continuously updated copies of the mailbox database on separate storage systems. We used LCR to copy our database to two disks on the same server. When we disconnected the master disk, we used the updated management GUI, Exchange Management Console, to point the database to the copy disk and were up and running within a few minutes.

Nothing about managing Exchange in the past was as simple as handling Exchange 2007 now. While the Exchange Management Console is a variation on the traditional theme -- "Hey, how about we move a bunch of stuff over to the right side from the left side?" -- Microsoft has added a true command line, called Exchange Management Shell, which is based on Microsoft's new Windows PowerShell technology.

We found GUI management very streamlined. This partly is a side effect of being able to hide some of the complex and seldom-used options on the command-line interface (CLI) side, but it's also a credit to the efforts of the GUI designers. Some operations are even simpler to complete using the guided wizards, for example, to define mail policies for compliance or message tagging. But for many tasks, it's better to drop into the command shell than to root around in the GUI. We never did find some things in the GUI, such as enabling RPC-over-HTTP for remote users, but we were able to complete these tasks easily using the CLI. Other very complicated tasks, such as point-of-presence and IMAP management, are doable only via the CLI.

ENTERPRISE MESSAGING EXCHANGE 2007

Microsoft
 
Price:$75 per client access license, $699 per standard server, $4,000 per enterprise server.
Pros:High degree of scalability and excellent high-availability; easy to manage using both GUI and command-line interface; new features extend into such areas as mobile device synchronization and VoIP PBX integration; security model provides an architecture that supports significant defense capabilities (antispam, exfiltration, reduced attack surface).
Cons:Security model still not completely Internet-hardened; Forefront antispam engine lags behind those of industry leaders; defense capabilities don't address state-of-the-art attack strategies; content inspection not on par with that of third-party solutions.

With Exchange 2007, the Microsoft team again has hit deep into the field by formalizing server roles (functions that Exchange servers play on the network, such as mailbox server, client access server and transport hub) and letting them be managed centrally. Servers can have multiple roles, but most Exchange 2007 deployments will have separate functions on separate servers. This refinement simplifies creating large Exchange networks and will help with requirements for e-mail policy enforcement and compliance.

One change in particular will be critical for e-mail policy management. In Exchange 2007, all messages -- internal or sent via the Internet -- must pass through a transport server that applies policy and controls. This may seem inefficient for user-to-user traffic, but it finally formalizes a consistent hook into Exchange that administrators have needed for years and that has been provided only haphazardly by third parties.

In our testing, we used a separate transport server to apply a specific archiving policy to messages between users in our clustered mailbox server. Defining this type of policy is simple using the wizards in Exchange Management Console.

A new role introduced in Exchange 2007 is the Edge Transport server, a system that isn't joined to the Active Directory domain but sends and receives Internet e-mail. The thinking is that by having an Edge Transport server in place, not trusted in the domain, security exposure is minimized. The server, among other functions for Edge Transport server facilities, runs antispam and antivirus tools.

Microsoft provides an integrated antivirus and antispam add-on for Edge Transport servers called Forefront Security, which pits Exchange/Forefront against more established e-mail gateways from Symantec, IronPort (bought last week by Cisco), Trend, Tumbleweed and SonicWall. Microsoft's antivirus system is based on technology it picked up with its 2005 Sybari acquisition. Its multiengine framework lets users apply as many antivirus engines as they have CPU resources to dedicate to the task. The price is an astonishing $3 per user, per month. Our test implementation included seven third-party wares plus Microsoft's own engine.

The antispam features in Exchange 2007 won't have anyone at antivirus market leader Symantec too frightened, out of the gate. Using the same antispam testing methodology we used in our 2004 antispam test over an 11,000-message stream, we found the spam-catch rate of the Exchange 2007 engine was a dismally low 81% to 86%, while the false-positive rate was an unacceptably high 2.1% to 2.3%. Results for Symantec and IronPort gave spam-catch rates of over 94%, with false-positive rates of less than .5% (see graphic). Users migrating to Exchange 2007 may want to keep their existing antispam and antivirus gateways.

Large enterprises with huge mail flows of millions of messages a day should have Exchange 2007 testing and performance evaluation at the top of their 2007 list of projects. Its simplified management, improved compliance tools, and a long list of features including unified messaging with VoIP-based PBXs, make this an upgrade to consider early on. These aren't incremental changes or glitzy bits (although there are plenty of those, such as voice recognition and ability to read e-_mail aloud): With its broad changes and functionality improvements for large networks, Exchange is in a position to gain the respect of e-mail managers.

Midsize companies with a few hundred mailboxes might not see the same benefits. This is an enterprise-class product, and training, experience and attention are required to keep it running at peak efficiency. Upgrading could be expensive and not worth the effort for companies with older Exchange systems running reliably. Microsoft reportedly is working on a slimmed-down package, which these companies would be advised to wait for.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com. Henderson is a principal at ExtremeLabs in Indianapolis. He can be reached at thenderson@extremelabs.com. Thayer is an independent security consultant. He can be reached at rodney@canola-jones.com.

NW Lab Alliance

The three are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Learn more about this topic

Compare Exchange 2007 with competing messaging platforms via the NWW Messaging Buyer’s Guide

Microsoft releases Exchange Server 2007

12/08/06

Sneak peek at Exchange

06/05/06

Microsoft outlines new Exchange CAL, Beta 2 features

06/01/06

1 2 Page 1
Page 1 of 2
IT Salary Survey: The results are in