The news that Microsoft has released a security bulletin (today) that affects Exchange 2007 (SP3), Exchange 2010 (SP2 and SP3), and Exchange 2013 is interesting, if only because it is the first time since the new servicing model for Exchange 2013 came into force. The important security fix for Exchange covers three vulnerabilities discovered in the document transcoding service and the data loss prevention feature (MS13-061) and is rated as a critical issue. It’s time to schedule some server downtime so that the security fixes can be applied.
As you’ll recall, one big plus cited for the Exchange 2013 servicing model is the clear isolation between cumulative updates and security fixes. In other words, you can apply a security fix without having to first upgrade your server.
The EHLO blog describes the way things work for Exchange 2013 like this:
Dedicated security releases – Independent security releases will allow customers to quickly install an update with confidence knowing that only the fixes which address a particular problem will be included. In the event there are multiple security releases required for a particular CU, all fixes will be delivered in a single package simplifying the deployment of multiple security fixes.
Microsoft has scheduled a briefing on the security bulletin for Thursday, August 14 at 11AM Pacific. You can register here. Older versions of Exchange don't use the same servicing model as Exchange 2013 so it comes as no surprise that they have therefore released roll-up updates for Exchange 2007 SP3 (RU11), Exchange 2010 SP2 (RU7), and Exchange 2010 SP3 (RU2).
In other recent news, the August 7 disclosure that you won’t, after all, be able to place a witness server on an Azure server for now wasn’t a complete surprise. Database Availability Groups are one of the two essential building blocks for Exchange and can be complex beasts, especially as they scale up to span multiple datacenters. You’d prefer if Microsoft did the work to establish exactly what is necessary for a witness server to operate properly once it was dispatched into the clouds and that’s what the post told us. Some more work is necessary on the part of Azure before it can meet the needs of Exchange.
I don’t doubt that it will soon be possible to host chunks of Exchange on cloud application platforms – and to do so in a supported manner. As I described on April 23, it’s possible to install Exchange 2013 on Azure and Amazon recently released an interesting implementation guide describing how to install Exchange 2010 on Amazon Web Services EC2. Amazon has published two case studies to describe how companies have moved their Exchange deployments to EC2, so some real work is happening in this space.
A video featuring Tom Rizzo of Amazon is also available to tell you how to deploy Exchange and SharePoint on EC2. Tom is an 18-year veteran of Microsoft and wrote books such as Programming Microsoft® Outlook® and Microsoft Exchange 2003, so he knows his way around the Windows ecosystem.
One question I have not managed to track down yet is how companies who deploy on EC2 receive support or how they handle cumulative updates and security bulletins. It might be like the early days of virtualization when you had to replicate a problem on a “real” server before Microsoft would accept that an issue exists. Now virtualization has become so-so and is very much a part of corporate computing strategies and Exchange functions well on both Hyper-V and VMware. In the future, I expect that the same will happen for cloud application platforms and running applications like Exchange on something like Azure or EC2 will be commonplace.
Follow Tony @12Knocksinna