Security experts talk a lot about "defense in depth," the concept that you should use multiple, preferably overlapping, security systems so that an attacker has to penetrate several different defenses to reach your systems. Microsoft security guru Steve Riley uses the analogy of a medieval castle, which was protected by moats, traps, poor lighting, clutter, pits, and fat guys with large swords.
For Exchange Server systems, we usually start planning defense in depth at the network perimeter (aka "the edge"). The edge is the best place to filter spam, catch viruses, and enforce email policies. Therefore, in most Exchange deployments, at least one server is exposed to the Internet and given the job of acting as an edge server. However, Microsoft has had a hard time convincing some of its customers to deploy Exchange as an edge server. In the first versions of Exchange, the SMTP service wasn't robust enough or fast enough to let the product act as an edge server. Exchange 2000 Server fixed both problems, and Exchange Server 2003 is an even better product. Unfortunately, Exchange still doesn't do some things as well as competing products. For example, Exchange doesn't offer as much flexibility for address rewriting as UNIX-based products such as sendmail, Postfix, or qmail do. Enter, therefore, a new item from the Exchange product group: Exchange Edge Services, set to be released next year.
The UNIX world has a long tradition of setting up single-function SMTP edge hosts that accept outside email, process it, and hand it off to mail servers on the internal network, which deliver it to the recipient. These edge hosts don't store email; they only accept and relay it. Along the way, the hosts might perform tasks such as rewriting sender addresses (for outbound email) or recipient addresses (for inbound email) or scanning inbound email for viruses. Many environments already deploy UNIX-based edge servers that pass email to Exchange servers. Obviously, Microsoft (and probably most Exchange administrators) would rather use Exchange servers for the job, for several reasons. These reasons, which Microsoft has been hearing about from customers, have been driving the Exchange Edge Services development process.
First, you need to manage UNIX servers separately from your Exchange servers, so you lose much of the benefit of Exchange's management and monitoring architecture (including integration with Microsoft Operations Manager, or MOM, and third-party tools such as those from NetIQ and Quest Software). Second, most UNIX-based edge products are quite difficult to configure if you aren't already familiar with them. This difficulty makes it easy for administrators to make configuration mistakes that cause lost or misdirected email. And third, although the Exchange event sink architecture permits a high degree of extensibility, it isn't intended to let you string together multiple sets of sinks on one server. In some cases, you can use multiple sinks on the same server, but not all combinations of sinks will work properly all the time.
These points led naturally to the Exchange Edge Services design: a single-function edge server that doesn't use Active Directory (AD) but that acts like, and is managed like, your existing Exchange mailbox and front-end servers. This design is intended to deliver three major functions: SMTP gateways, message hygiene (e.g., spam filtering, antivirus functions, recipient filtering), and routing (including address rewriting, relaying, format conversion, and masquerading). The design likely will let you apply multiple sets of filters or transformations to inbound messages, letting you concentrate all three major functions onto one server or split them apart, depending on your deployment requirements.
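To make the three edge functions concrete (SMTP gateway, recipient filtering as a hygiene measure, and routing with address rewriting), here is an added example of how a UNIX-based edge host of the kind described above is typically configured in Postfix to sit in front of an internal Exchange server. This is not code from the column or from Microsoft; the hostnames, network range, and map file paths (example.com, 192.0.2.0/24, exchange.internal.example.com, /etc/postfix/*) are placeholders.

```ini
# Added example: Postfix main.cf for a single-function SMTP edge host.
# All hostnames, networks and map files are placeholders.

# --- SMTP gateway: accept Internet mail for our domain, store nothing locally
myhostname = edge.example.com
inet_interfaces = all
# Empty mydestination and local_recipient_maps: no local mailboxes on the edge
mydestination =
local_recipient_maps =
relay_domains = example.com
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# --- Message hygiene: recipient filtering at the perimeter
# Only addresses listed in the map are accepted; anything else is rejected
# during the SMTP dialogue, so the edge never queues mail for unknown users
# (no backscatter, no needless load on the internal servers).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# --- Routing: hand accepted mail to the internal Exchange server
# The brackets suppress the MX lookup so mail goes straight to the named host.
transport_maps = hash:/etc/postfix/transport
#   contents of /etc/postfix/transport:
#   example.com    smtp:[exchange.internal.example.com]

# --- Address rewriting: masquerade internal subdomains on outbound mail
# user@mail.corp.example.com is rewritten to user@example.com
masquerade_domains = example.com
masquerade_classes = envelope_sender, header_sender
# Per-address rewrites (for example after a merger) go in a canonical map
sender_canonical_maps = hash:/etc/postfix/sender_canonical
#   contents of /etc/postfix/sender_canonical:
#   jdoe@oldcompany.example   jane.doe@example.com
```

Each hash: map must be rebuilt with postmap after editing, and the relay_recipients list has to be kept in step with the internal directory or legitimate mail will be rejected at the edge.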
Another interesting twist to the Exchange Edge Services story is that Microsoft Chairman and Chief Software Architect Bill Gates has promised that it will incorporate the new Caller ID for E-Mail technology that Microsoft announced last week (and which I'll write more about next week). To get the lowdown on Exchange Edge Services, see Microsoft's Exchange Edge Services Overview at http://www.microsoft.com/exchange/techinfo/security/edgeservices.asp.
On a final note: With spring just around the corner, many of you might be thinking about attending a tradeshow or getting some training. Check out our Events Central Web site, which provides a comprehensive listing of tradeshows, conferences, and Web seminars targeted to the IT user. Whether you're searching by event type or event topic, you'll find a complete one-stop listing of events to fit your needs.