October 08, 2001 12:00 AM

Exchange 2000 Hosting: The ASP Model, Part 1

Windows IT Pro
InstantDoc ID #22404
Design your Exchange organization as an ASP would

Exchange Server administrators can learn valuable lessons from application service providers (ASPs) that host Exchange 2000 Server. Because an ASP is like an IT department that must stand on its own, an ASP must put a price on its operations or services and sell them on the open market. To be successful, ASPs must offer a better product at a lower cost.

To illustrate how you can run your Exchange organization the way an ASP does, I describe the infrastructure ASPs typically use to host Exchange for multiple customers and tell you how to set up customized user logon names in Active Directory (AD). In future articles, I'll show you how to configure user email addresses and introduce some AD provisioning tools that can help improve your efficiency in managing Exchange.

ASP Priorities
First, let's look at an ASP's top priorities. When potential customers interview ASPs, they frequently have some of the same key concerns: security, availability, email clients and access methods, and account management. So ASPs make sure that they've addressed these concerns in their service offerings.

With regard to security, customers want to make sure that their mail system is protected from external intrusion and isolated from other companies' information that the ASP might host on shared resources. The ASP must protect the privacy of hosted companies so that the companies aren't aware that they're on the same system. The ASP must hire a third party to periodically perform security audits and external intrusion tests to ensure security.

Availability is often the customers'—and therefore the ASP's—second priority. ASPs use the same techniques as you do to ensure availability: fault-tolerant hardware, clustering, good design and operational procedures, and disaster-recovery plans. I describe these techniques in more detail in "The 7 Habits of Highly Available Exchange Servers," http://www.win2000mag.com, InstantDoc ID 21519. However, for ASPs, availability is an important product offering and different levels of availability have different price tags. ASPs and their customers sign service level agreements (SLAs), which set expectations for the agreed-upon availability level and establish penalties if the ASP doesn't live up to the expectations.

Another question customers ask is what type of email clients and access methods are supported. Outlook is typically the email client of choice. You might also need Outlook Web Access (OWA) for roaming users. Typically, ASPs also offer POP3 with SMTP, and IMAP with SMTP for mobile devices.

Customers also want to know the ASP's account-management policies. They wonder how open the system will be to them (e.g., can they choose to perform tasks such as creating accounts and mailboxes and resetting passwords?) and how responsive the ASP will be for simple account- or server-management requests.

Front-End/Back-End Architecture
Unless an ASP is hosting only small companies or providing only Outlook client access, the hosted Exchange architecture, which Figure 1 shows, will consist of a front end and a back end. A double-layered architecture, with a firewall protecting each layer of multiple servers, helps to address customers' security concerns.

The main entry point for client access is through a front-end network running Microsoft Network Load Balancing Service (NLBS) or using load-balancing hardware products from vendors such as Cisco, Nortel Networks, F5 Networks, and Intel. Client requests are routed to a virtual IP address for load balancing, then directed to a front-end server. The front-end servers contain two network interfaces. One NIC faces the Internet with a public IP address, and the other is on the private internal network. The back-end servers include the AD domain controllers (DCs), Global Catalog (GC) servers and DNS servers, Exchange mailbox and public folder servers, and any operations servers such as backup servers and management and monitoring servers. The back-end servers often have one NIC for the internal network and another network interface for the management and operations network.

The front-end/back-end architecture supports the Internet protocols POP3, IMAP4, SMTP (which both POP and IMAP use to send messages), and HTTP-DAV (for OWA). You must establish a separate VPN for Outlook messages, which use the Messaging API (MAPI) protocol.

ASPs use the front-end/back-end architecture for three main reasons: security, load balancing and fault tolerance, and scalability and performance. This architecture provides security because one firewall protects the front-end network, and a second firewall (e.g., Internet Security and Acceleration—ISA—Server 2000) protects the back-end network. Front-end servers act as a proxy for Internet-protocol traffic between the clients and the back-end servers. Traffic between the front end and the back end is over port 80; you can't change it to another port (say to Secure Sockets Layer—SSL—on port 443), so the only way to secure this traffic is to use IP Security (IPSec), as Figure 2 shows.
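The point above, that port-80 traffic from the front end to the back end is only protected when IPSec is required for it, can be checked against a filter list. The following is an added example, not code from the article or from Microsoft: the addresses, the filter-list format, and the most-specific-filter-wins evaluation are assumptions made for illustration, and only the front-end-to-back-end direction is checked.

```python
import ipaddress

# Constructed addressing plan (assumption; the article gives no addresses).
FRONT_ENDS = ["10.1.0.11", "10.1.0.12"]
BACK_ENDS = ["10.2.0.21", "10.2.0.22"]

# Constructed IPSec filter list: (source, destination, TCP port or None, action).
# "require" = negotiate IPSec; "permit" = pass in cleartext; "block" = drop.
WEAK_POLICY = [
    ("10.1.0.0/24", "10.2.0.0/24", 80, "require"),
    ("10.1.0.12/32", "10.2.0.22/32", 80, "permit"),  # leftover cleartext exemption
    ("0.0.0.0/0", "0.0.0.0/0", None, "permit"),      # catch-all for other traffic
]
# Corrected list: the host-pair exemption is removed.
FIXED_POLICY = [WEAK_POLICY[0], WEAK_POLICY[2]]


def _specificity(rule):
    # Longer combined prefix wins; a filter naming a port beats an any-port one.
    src, dst, port, _action = rule
    bits = ipaddress.ip_network(src).prefixlen + ipaddress.ip_network(dst).prefixlen
    return (bits, port is not None)


def match(policy, src, dst, port):
    """Action of the most specific filter matching the flow, or None if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in policy
            if s in ipaddress.ip_network(r[0])
            and d in ipaddress.ip_network(r[1])
            and r[2] in (None, port)]
    return max(hits, key=_specificity)[3] if hits else None


def cleartext_pairs(policy, front_ends, back_ends, port=80):
    """Front-end/back-end pairs whose port-80 filter action is anything but 'require'."""
    findings = []
    for fe in front_ends:
        for be in back_ends:
            action = match(policy, fe, be, port)
            if action != "require":
                findings.append((fe, be, action))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, cleartext_pairs(policy, FRONT_ENDS, BACK_ENDS))
```

The weak list looks correct at the subnet level, but the narrower host-pair filter overrides it for one server pair, which is the kind of gap a per-pair check surfaces.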

The second reason that ASPs use the front-end/back-end architecture is load balancing and fault tolerance. Clients connect to what's known as a unified namespace—that is, they connect to one domain name (e.g., mail.company.com) with no knowledge of the underlying infrastructure. The public name is mapped to any number of underlying servers, providing a measure of fault tolerance as well as the load balancing mentioned earlier. The front-end servers are considered stateless—any server can service requests for the unified namespace, unlike the familiar hard-coded mailbox server name in your Outlook profile—so you can rotate front-end servers in and out of service without affecting overall availability.

The third reason for using the front-end/back-end architecture is for scalability and performance. The white paper "Exchange 2000 for ISPs: 250,000 to 3,000,000 Subscriber Architecture Reference" (http://www.microsoft.com/exchange/techinfo/hosting/isparch.asp) describes Microsoft's use of the front-end/back-end setup to test Exchange's handling of a very large number of clients. Microsoft used 1U (1.75") rack-mount servers with one or two processors for the front-end POP3, IMAP4, SMTP, and HTTP-DAV servers and 4-way or 8-way back-end servers with high-performance fibre channel storage in a Storage Area Network (SAN) to achieve its scalability goals.

Comments
  • Anonymous User
    8 years ago
    Dec 15, 2004

    it's good article

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.