Exchange upgrade earns mixed grades

By Joel Snyder
Network World, January 8, 2007

Original Article on Network World Web Site

Microsoft's recently released Exchange 2007 package is huge, literally. The reviewer's guide comprises 26,000 words, and the list of new features is 28 pages long. In this Clear Choice Test, we opted not to test every bit of code, but instead to dive deep in several critical areas important to large-scale deployments.

Overall, we found Exchange 2007's management and availability extensions are improved dramatically, and new architectural maneuvers have beefed up security, especially in the areas of compliance and e-mail policy management.

However, when we enabled Microsoft’s new antispam software on our Exchange 2007 deployment, we found that  it requires more engineering effort to compete with established vendors in that market.

Exchange 2007 is sized for the largest enterprises, because it requires 64-bit hardware. That signals that the product will need substantial hardware, software, network bandwidth and operations resources. We didn't run strenuous, repeatable benchmarks on Exchange 2007 for this features-based test.

With Exchange 2007, Microsoft has solved one of the messaging platform's long-standing reliability issues by allowing for true database replication to independent storage subsystems. We used Exchange 2007's Cluster Continuous Replication service to build a cluster of two mailbox servers, each with independent disk storage. We turned off the cluster's active node and watched it continue to operate without a hitch.

The active/passive model consumes twice as many resources, depending on how the disk storage is replicated, but the cost of additional hardware could be low compared with the cost of losing an enterprise e-mail system.

For systems with lower transaction rates, Exchange 2007's Local Continuous Replication (LCR) service makes the same technology available on a single node. LCR lets the user keep two continuously updated copies of the mailbox database on separate storage systems. We used LCR to copy our database to two disks on the same server. When we disconnected the master disk, we used the updated management GUI, Exchange Management Console, to point the database to the copy disk and were up and running within a few minutes.

Nothing about managing Exchange in the past was as simple as handling Exchange 2007 now. While the Exchange Management Console is a variation on the traditional theme -- "Hey, how about we move a bunch of stuff over to the right side from the left side?" -- Microsoft has added a true command line, called Exchange Management Shell, which is based on Microsoft's new Windows PowerShell technology.

We found GUI management very streamlined. This partly is a side effect of being able to hide some of the complex and seldom-used options on the command-line interface (CLI) side, but it's also a credit to the efforts of the GUI designers. Some operations are even simpler to complete using the guided wizards, for example, to define mail policies for compliance or message tagging. But for many tasks, it's better to drop into the command shell than to root around in the GUI. We never did find some things in the GUI, such as enabling RPC-over-HTTP for remote users, but we were able to complete these tasks easily using the CLI. Other very complicated tasks, such as point-of-presence and IMAP management, are doable only via the CLI.

With Exchange 2007, the Microsoft team again has hit deep into the field by formalizing server roles (functions that Exchange servers play on the network, such as mailbox server, client access server and transport hub) and letting them be managed centrally. Servers can have multiple roles, but most Exchange 2007 deployments will have separate functions on separate servers. This refinement simplifies creating large Exchange networks and will help with requirements for e-mail policy enforcement and compliance.

One change in particular will be critical for e-mail policy management. In Exchange 2007, all messages -- internal or sent via the Internet -- must pass through a transport server that applies policy and controls. This may seem inefficient for user-to-user traffic, but it finally formalizes a consistent hook into Exchange that administrators have needed for years and that has been provided only haphazardly by third parties.

In our testing, we used a separate transport server to apply a specific archiving policy to messages between users in our clustered mailbox server. Defining this type of policy is simple using the wizards in Exchange Management Console.

A new role introduced in Exchange 2007 is the Edge Transport server, a system that isn't joined to the Active Directory domain but sends and receives Internet e-mail. The thinking is that by having an Edge Transport server in place, not trusted in the domain, security exposure is minimized. The server, among other functions for Edge Transport server facilities, runs antispam and antivirus tools.

Microsoft provides an integrated antivirus and antispam add-on for Edge Transport servers called Forefront Security, which pits Exchange/Forefront against more established e-mail gateways from Symantec, IronPort (bought last week by Cisco), Trend, Tumbleweed and SonicWall. Microsoft's antivirus system is based on technology it picked up with its 2005 Sybari acquisition. Its multiengine framework lets users apply as many antivirus engines as they have CPU resources to dedicate to the task. The price is an astonishing $3 per user, per month. Our test implementation included seven third-party wares plus Microsoft's own engine.

The antispam features in Exchange 2007 won't have anyone at antivirus market leader Symantec too frightened, out of the gate. Using the same antispam testing methodology we used in our 2004 antispam test over an 11,000-message stream, we found the spam-catch rate of the Exchange 2007 engine was a dismally low 81% to 86%, while the false-positive rate was an unacceptably high 2.1% to 2.3%. Results for Symantec and IronPort gave spam-catch rates of over 94%, with false-positive rates of less than .5% (see graphic). Users migrating to Exchange 2007 may want to keep their existing antispam and antivirus gateways.

Large enterprises with huge mail flows of millions of messages a day should have Exchange 2007 testing and performance evaluation at the top of their 2007 list of projects. Its simplified management, improved compliance tools, and a long list of features including unified messaging with VoIP-based PBXs, make this an upgrade to consider early on. These aren't incremental changes or glitzy bits (although there are plenty of those, such as voice recognition and ability to read e-_mail aloud): With its broad changes and functionality improvements for large networks, Exchange is in a position to gain the respect of e-mail managers.

Midsize companies with a few hundred mailboxes might not see the same benefits. This is an enterprise-class product, and training, experience and attention are required to keep it running at peak efficiency. Upgrading could be expensive and not worth the effort for companies with older Exchange systems running reliably. Microsoft reportedly is working on a slimmed-down package, which these companies would be advised to wait for.