How do you choose the right IM tools for your organization? Security, stability, and scalability are key factors in all IT decisions and can help you narrow the field of more than 50 available IM clients. These factors dictate the need for an internal client/server model that provides control of the system and how users are allowed to use these real-time communication tools.
The same concerns that you must address to secure your network (e.g., viruses, worms, identity spoofing, firewall tunneling, and data leaks) apply to securing IM systems as well. The IM system must integrate into your existing security infrastructure and work with your existing directory service for authenticating users. The enterprise IM solution must protect your network from the barrage of threats that are typically associated with email systems, including attachment scanning or blocking, logging of system events, and archival of individual usage.
You'd need to replace your phone system and email system if downtime were a problem, and your IM system is no different. When you start using an enterprise IM solution, users quickly become dependent on the system for communication. If the system falls below your standard of 95 to 99 percent uptime, you'll start feeling the pressure to find a more reliable solution. Note that with enterprise IM, we're not just referring to the ability of the IM clients to send and receive messages; the IM server infrastructure must be available to authenticate users, log message transactions, and prevent malicious attacks.
The IM solution must meet the scalability-needs of the organization as it grows. A nonscalable system that meets organizational needs for security and stability doesn't fit into the group of relatively few true enterprise IM players.
With more than 50 IM products available, we needed to define criteria for narrowing the field. First, for an enterprise-level solution, we focused on client/server solutions. All IM clients connect to some sort of server, but for the enterprise, users connect to an internally managed server rather than connect to Yahoo! or Google servers. The server must be able to handle the number of concurrent connections required in the enterprise environment, which we set at 50,000 users for this review.
The enterprise IM solution must provide for authentication integrated with your existing directory service, auditing and archival, and protection against malicious code in the form of viruses, worms, and spim (the IM equivalent of spam email).
This product comparison explores the features and capabilities of four enterprise IM solutions: Jabber XCP 5.1 (and associated JabberNow appliance), IBM Lotus Sametime 7.5, Microsoft Office Live Communication Server 2005, and Akonix Systems A-Series appliances. Each of these products approach real-time messaging technology from a different angle, so this review will help you decide which approach will work best for your organization.
Jabber XCP and JabberNow
Jabber developed its Jabber Extensible Communications Platform (Jabber XCP) IM product about five years ago. It uses a protocol known as the Extensible Messaging and Presence Protocol (XMPP), the Internet Engineering Task Force (IETF) standard for messaging and presence technologies. The presence portion of the Jabber protocol communicates the state of the person, application, or system on the other end of the message, allowing easy integration into workflow processes. For example, Jabber XCP can allow employees to see the availability of any member of a group of people needed to approve a phase of a project so they don't need to wait for one manager. Although Jabber XCP is available as a fully customizable solution that can run on multiple platforms, such as Windows, Red Hat Software's Red Hat Linux, and Sun Microsystems Solaris, the company also offers the secure IM appliance Jabber-Now. The JabberNow server allows Plug and Play (PnP) IM capabilities on your network. Both Jabber XCP and JabberNow provide messaging archival for compliance purposes and simplify management through a common interface called the XCP Controller, which Figure 1 shows.
On the desktop, the Jabber Messenger IM client offers relatively few options beyond real-time messaging and presence capabilities, so don't expect built-in audio or video conferencing, gaming options, or whiteboard tools by default. However, because Jabber XCP is based on open-source code, you can easily find and add the features you need.
Jabber Messenger lets you track several conversations at a time by using tabs rather than separate windows for each conversation. When you have the messenger minimized, a notification pops up above the system tray when you receive new messages.
Jabber XCP lets you create text conference rooms that allow multiple users to participate in a real-time conversation. When creating a room, you can make it persistent (i.e., permanent) so that it remains running on the server even when everyone leaves the conversation. Participants who join the room late can easily catch up with the conversation by viewing the previous 100 messages sent to the room.
Security, Stability, and Scalability. Jabber XCP's optional plug-in integrates authentication with Windows Active Directory (AD). As an extensible, component-based platform, deployment can span servers within or across multiple locations. Single servers can support more than 20,000 users and have been tested with as many as 100,000 users. Jabber XCP and JabberNow are currently deployed in more large enterprises than any other enterprise IM solution.
IBM developed Sametime so that Lotus shops could provide instant, anytime access to people and information throughout the enterprise. Sametime offers useful capabilities such as presence awareness, IM, and Web conferencing. Version 7.5 introduces support for LDAP for AD domains, integration with Microsoft Office Outlook 2003 and Microsoft SharePoint technologies, and support for Research in Motion, Nokia, and Windows Mobile handheld devices. Earlier versions of Sametime required IBM Domino servers so you might need to perform extensive testing in non-Domino environments. However, if you do run a Lotus messaging environment, Sametime might be your best option for real-time messaging.
In its native environment, Sametime uses the Domino server for directory services, security, and replication, so it runs with the same level of security and reliability as Lotus Domino email servers. The user must authenticate using his or her network username and password when the Sametime Connect client opens. Once authenticated, users can communicate with anybody on the network, or they can set up Web conferences with external users, as Figure 2 shows.
Native integration with the Lotus Domino directory service makes adding contacts to the Sametime Connect client easy. Because the Sametime server uses the Domino directory, there's no need to add users to the system. Implementation of Sametime focuses on the configuration of the server networking components, such as the Session Initiation Protocol (SIP) gateway, and deciding which features to enable for the end user.
Security, Stability, and Scalability. Sametime uses Lotus Domino directory, security, and replication services and has a highly available Domino architecture. Multiple Sametime servers connect to scale the solution and reduce traffic across WANs.
Live Communication Server
Microsoft's Live Communication Server 2005 is the likely IM choice for organizations that implement AD. Similar to Microsoft Exchange Server, Live Communication Server modifies the forest and domain schema to add custom attributes to AD users. Live Communication Server provides a wizard that lets you enable IM for individuals or groups of users and lets you set which server the IM client will connect to. A separate wizard helps administrators configure archiving, remote access, public IM connectivity, and federation services.
The Live Communication Server 2005 Archiving Service stores a copy of all IM traffic for organizations that need to comply with government or corporate regulations or to conduct usage analysis. You can set archive settings at user level or globally for the entire AD, as Figure 3 shows.
The public IM connectivity options let you exert granular control over real-time messages sent to recipients outside the AD forest. If you want to allow users to communicate with MSN, AOL, and Yahoo! IM servers, you must explicitly authorize each user or user group for public IM connectivity. However, the option for controlling IM traffic to and from clients other than those three is missing from Live Communication Server 2005. To exert this control on your network, you'll need to employ firewall and software installation restrictions through Group Policy.
For the end user, Live Communication Server 2005 eliminates the need to configure the Microsoft Office Communicator IM client. Because Live Communication Server adds attributes to the AD schema, the IM settings become part of the user account. When launching Communicator for the first time, end users need to enter only their SIP ID, which is typically their email address, and the client will automatically connect to the proper Live Communication Server. If you need to control certain settings for the client, such as video calls, computer-to-phone calls, and file transfers, you can use Group Policy to push out the changes.
Communicator also integrates with Microsoft Office System 2003 applications, allowing you to easily send email or share applications for instant collaboration. The end user can also send files using the IM client. The recipient will receive a message stating that the sender attached a file, and he or she can open or save the attachment directly from the IM client.
Security, Stability, and Scalability. Live Communication Server 2005 is completely integrated with AD for authentication and authorization. It has a two-tiered architecture, in which Live Communication Server server pools are connected to a separate, shared Microsoft SQL Server database to deliver a highly available and stable IM infrastructure. Although the standard edition consists of one standalone server and a Microsoft SQL Server Desktop Engine (MSDE) database, the enterprise edition offers additional front-end servers to handle larger loads, while all user data remains in a central SQL Server database.
Akonix A-Series Appliances
Although this IM solution can't be directly compared to the other three IM software-based server products, I believe no IM review would be truly complete without mentioning the IM security appliances from Akonix Systems. The Akonix A-Series of devices are hardware-based IM gateways that run the AkOS hardened OS designed specifically for real-time messaging environments. Each appliance controls access to public and internal IM by applying security policies using Akonix L7 Enterprise software and ensures compliance to those policies via L7 Enforcer. The Management Console, which Figure 4 shows, provides access to both components.
By leveraging strategic partnerships with the developers of the leading IM clients such as AOL, Yahoo!, IBM, Microsoft, and Jabber, Akonix A-Series appliances let you securely use any IM client you choose. Akonix appliances also work with open-source IM clients, such as Sun Java IM and Jabber XCP. The L7 Enforcer software protects your organization from users who try to bypass your enterprise IM policies by installing a client locally. Akonix products work as gateways between the Internet and the enterprise network, so all IM traffic is filtered and logged before it leaves the network. For internal messaging, the gateway automatically routes the traffic to the recipient, bypassing the need for the messages to reach a public IM server such as Yahoo! or MSN. Note that the appliance acts as a message router; it doesn't provide traditional IM server functions.
To integrate with your existing network, L7 Enterprise connects with standard LDAP directories such as AD, Novell Directory Services, and Lotus Domino. L7 Enterprise uses LDAP queries to allow you to select which fields the gateway imports to so that you can apply permissions or filter content. For example, you can restrict IM traffic to only internal users for the Research department or allow file attachment capabilities only to the Sales and Marketing departments. L7 Enterprise maps the user to IM sessions by requiring users to provide their username and password before sending or receiving messages. The gateway then logs the IM activity for that user.
The A-Series appliances have an IM traffic-filter that blocks users from sending proprietary or offensive information. The filtering engine performs similar to the Email Rules option found in Outlook 2003, providing context-specific options for blocking or allowing IM features or content. The ASeries appliances include the Sophos Antivirus engine and can integrate with Symantec Norton Antivirus to scan messages allowed by the gateway filters. To prevent propagation of malicious code, the antivirus engine can recognize multiple instant messages sent with encoded URLs and queue those messages for delivery. The gateway sends a message to the user notifying him or her of a potential attack and requires the user to correctly answer a simple question (e.g., what is 2 plus 3?) before the security filter allows the messages to continue.
Security, Stability, and Scalability. The Akonix appliance's dynamically updating and customizable policies work with standard LDAP directories to authenticate communication. The A6000 Gateway supports more than 50,000 concurrent connections, and multiple gateways can be clustered locally or distributed among locations.
Each product offers specialized features and provides a viable IM solution, depending on the needs of the organization. For a customizable, open-source solution, Jabber provides the best set of tools, especially for an enterprise needing to extend the IM infrastructure to include business applications. I didn't find the other solutions to be very customizable (beyond simple interpersonal messaging). Sametime and Live Communication Server integrate seamlessly with Domino and AD, respectively, and therefore are a practical solution for those types of environments. However, for the highest level of control at the administrative level and flexibility at the user level, Akonix A-Series security appliances beat the competition.
How, you say, can I suggest a security appliance over the other server-based solutions? The only difference I see between the different approaches is where the messages are processed. With Akonix, messages are processed on a public server, whereas the other solutions process messages on an internal server. The important enterprise IM features of message archiving, filtering, and authenticating users are managed equally well with all the solutions.
What impressed me most during product testing, especially with regards to the enterprise customer, was Akonix's ability to control all IM traffic while supporting all IM clients. At the enterprise level, administrators worry about how to address the governmental compliance requirements of archiving all IM traffic. The other IM solutions I looked at work well to manage real-time communication as an infrastructure but fail to address users who use Google Talk or any of the other 50 IM clients available for free download.
So how should you approach enterprise IM deployment? I recommend you start by implementing the Akonix solution to control the organization's IM use rather than standardizing on one IM solution. The problem is that within a large organization, users might be using as many as 20 different IM clients, both internally and externally. A brutish approach would be to force all users to uninstall their preferred client and use one enterprise-wide solution. The Akonix approach provides the necessary security, policy enforcement, and archiving capabilities at the enterprise level, with the least impact on end users. With this in place, the organization can then gradually standardize users on a single internal IM solution such as Jabber XCP, Sametime, or Live Communication Server, depending on your organization's needs and the infrastructure in place.