Architecture
It has always been possible to run Exchange on a single server, indeed the Small Business Server product is designed as a complete one-box solution for small and medium-sized businesses. However the ability to deploy different server roles onto different boxes offers increased security, scalability and flexibility.
It was Exchange 2000 that first offered the concept of front-end servers: an optional method of deploying an Exchange server to ‘load-balance’ incoming client requests to the correct back-end mailbox server, as well as requiring that users need only remember one server address when accessing their email via Outlook Web Access (OWA) or Exchange ActiveSync (EAS), regardless of where their mailbox be physically located.
Exchange 2007 has expanded on this approach, allowing the administrator to allocate specific Exchange-based roles to specific servers and deploy a ‘distributed’ messaging infrastructure.
An Exchange 2007 deployment can be separated into the following roles:
The Edge Transport server can be placed in a DMZ environment with no requirement for any inbound TCP ports to be open to the internal network. The Hub Transport server establishes an outbound-initiated connection with the Edge Transport server using a protocol designed for purpose called EdgeSync.
The EdgeSync protocol also sends information to the Edge Transport server on existing mailboxes and addresses as well as safe-sender lists to reduce the number of requests to the internal network to verify the validity of spam messages.
The Client Access Server should not be placed in the DMZ, despite being Internet-facing, because it needs to be able to issue RPC requests to Active Directory.
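The Edge subscription described above, as an added Exchange Management Shell example (not from the original article). It assumes an Edge Transport server in the DMZ and a Hub Transport server in an Active Directory site named "London"; the file path is arbitrary.

```powershell
# Added example. Assumed: Edge Transport in the DMZ, Hub Transport in AD site "London".

# 1. On the Edge Transport server: export the subscription file.
#    The file carries the credentials EdgeSync will use, so treat it as a secret
#    and delete every copy once it has been imported.
New-EdgeSubscription -FileName "C:\EdgeSubscription.xml"

# 2. Copy the file to the Hub Transport server out of band, then import it there.
#    The Hub Transport server is the side that initiates the connection, so the
#    DMZ firewall only needs to allow outbound traffic from the internal network
#    (EdgeSync uses secure LDAP to the Edge server, and SMTP flows on port 25).
New-EdgeSubscription `
    -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSubscription.xml" -Encoding Byte -ReadCount 0)) `
    -Site "London"

# 3. Push the first replication of recipients and safe-sender data and verify it.
Start-EdgeSynchronization
Test-EdgeSynchronization

# 4. Review what EdgeSync created: the subscription and the Send connectors
#    between Hub and Edge.
Get-EdgeSubscription
Get-SendConnector | Format-Table Name,SourceTransportServers,SmartHosts -AutoSize
```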
Exchange 2007 supports an unlimited information store database size. Standard edition supports up to 5 storage groups and databases per server, Enterprise Edition up to 50.
Possibly the biggest difference with Exchange 2007 is that it can only be installed on 64-bit hardware and the 64-bit version of the Server 2003 operating system (Server 2008 also only being available in 64-bit). In real terms this means that the operating system can address up to 16 exabytes (2^64 bytes) of memory, as opposed to the 4GB supported by 32-bit systems.
New Features
Increased security – with Exchange 2007, all messages sent between servers within the same organisation are encrypted using TLS (Transport Layer Security). All client communications, whether via OWA, ActiveSync or RPC over HTTP, are encrypted using SSL.
All Exchange 2007 servers are configured with a self-signed SSL certificate automatically.
Exchange Management Console – the Exchange Management Console has been reorganised to reflect the role-based architecture of Exchange 2007. With Exchange 2007, Exchange Administrative Groups have been done away with. Permissions are now delegated at the organisation level. Administrative groups allowed for permissions to be assigned to specific groups, but once created were quite limiting: a server could not be moved between administrative groups, for example. Routing Groups have also been done away with, Exchange 2007 instead using the existing Active Directory Sites and Site Links topology to route email between Exchange servers within the same organisation.
Exchange Management Shell – the Management Shell is a command-line scripting technology that allows the administrator to perform complicated actions against a number of sources, including the mailbox database and Active Directory, with minimal code and avoiding the need to ‘point and click’ within the Management Console.
Outlook AutoDiscover – this feature removes the need for users to know the name of their Exchange server when creating an Exchange profile within Outlook. All the user needs to know is their username, password and email address.
When the user enters their email address, the Outlook client performs an MX lookup via DNS to locate the Exchange server for the domain. A configuration request is then issued to the Exchange server, which is accepted by the Client Access Server. The appropriate configuration information is then returned to the client automatically. This requires a DNS entry for 'autodiscover.domain.com'.
Improved Outlook Web Access – Exchange 2007 OWA has been updated to have a general look and feel more like Outlook 2007, to ‘streamline the user experience’ as marketing types might say. One immediately apparent difference is the login screen, which gives users the option of specifying whether they are connecting from a ‘public’ (i.e. untrusted) or ‘private’ (i.e. trusted) computer:
There is also the option of selecting ‘Outlook Web Access Light’, which only displays a reduced set of features. Microsoft say this mode is useful for those accessing OWA over a slow Internet connection. Actually ‘light’ mode looks in IE how ‘full’ mode looks in all browsers other than IE. Indeed OWA 2007 in Firefox doesn’t give you access to any of the more advanced features that are available in Internet Explorer.
OWA Share Access – Exchange 2007 Outlook Web Access provides users with the ability to access Sharepoint or file shares enabling centralised access to information remotely, without the need for a VPN connection.
Within the properties of the OWA web site within the Exchange Management Console, the administrator can allow or disallow both File Share and Sharepoint access:
Different access rights can be granted depending on whether the user is connecting in from a ‘private’ computer or a ‘public’ computer (which users specify when they log in).
The administrator can then explicitly allow or disallow file shares on specific servers. The domain suffix can also be entered so that users need only enter the name of the server rather than its FQDN.
Within OWA, there is an entry for Documents along with the usual Mail, Contacts, Calendar, Tasks, etc:
Selecting the option to Open Location allows the user to enter the name of a file share (for example, ‘\\UKFILE01\’). Provided that the administrator has allowed access to this share, the contents of the directory are listed in the IE window, with the option of ‘view in Windows Explorer’, in exactly the same way that FTP sites are handled by IE.
OWA Document Viewing – Outlook Web Access 2007 also has the ability to convert a variety of document types into HTML so that the document can be viewed on the client in a browser window, even if the application that was used to create the document is not installed on the client. Formats include Word, Excel, PowerPoint and PDF files.
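The file share and SharePoint access settings described above, as an added Exchange Management Shell example of the same controls the Management Console exposes (not code from the original article). It assumes the default OWA virtual directory name, the ‘UKFILE01’ server from the text, and an internal domain suffix of corp.example.com (a placeholder).

```powershell
# Added example. Assumed: default OWA virtual directory, file server UKFILE01,
# internal domain suffix corp.example.com (placeholder).
$owa = "owa (Default Web Site)"

# Permissive configuration: document access from any computer, and any UNC
# server a user types in is reachable unless it has been explicitly blocked.
Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled $true `
    -UNCAccessOnPrivateComputersEnabled $true `
    -WSSAccessOnPublicComputersEnabled $true `
    -WSSAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Allow

# Hardened configuration: no document access at all from 'public' (untrusted)
# computers; from 'private' computers only the allow-listed server is reachable,
# and the suffix lets users type just the short server name.
Set-OwaVirtualDirectory -Identity $owa `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPrivateComputersEnabled $true `
    -WSSAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsActionForUnknownServers Block `
    -RemoteDocumentsAllowedServers "UKFILE01" `
    -RemoteDocumentsInternalDomainSuffixList "corp.example.com"

# Confirm the effective settings on the virtual directory.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List UNCAccess*,WSSAccess*,RemoteDocuments*
```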
Flexible Out of Office Rules – this feature allows the user to configure different Out of Office rules for internal and external users. Each rule can be given a start and an end date.
Unified Messaging – this feature gives users central remote access to all forms of business communications, including email, voice mail and fax messages, in one location – their Exchange Inbox. Voicemail, faxes and emails are delivered to the Inbox where they can be accessed from a range of clients – OWA, EAS, Outlook, etc. With the new Outlook Voice Access technology, users can dial into the UM Server from any ordinary telephone and access their Email, Voicemail, Contacts and Calendar. Once dialled in, users can manage their Inbox over the phone by saying commands such as 'delete message' or 'forward message', etc. I admit I have played with this feature briefly and was impressed, but did find that if there is any background noise the auto attendant got confused and there was a lot of "I'm sorry I don't understand that command" so I expect it's brilliant if you're in the car with all the windows shut and the radio off, but not so good if you're on a crowded platform.
The UM functionality requires that the Exchange Server be linked into the corporate telephone system. If an IP PBX is used, then the PBX can communicate with the UM Server directly using the SIP VoIP protocol (Session Initiation Protocol). If a legacy PBX is used, then a VoIP gateway will need to be deployed between the PBX and the UM server.
If a user’s telephone extension is not available, voicemail messages can be recorded and notification sent to the user's Inbox. That user can then dial in to listen to the message, or choose to download it as a sound file.
The UM server can also be integrated into the corporate PBX to provide an auto attendant that can transfer you to the person you wish to speak to based on the information held in the Global Address List, using Speech Recognition technology.
The diagram below gives an overview of the functionality using Outlook Voice Access, or OVA:
This image is available in PDF format from the Microsoft web site, here:
http://download.microsoft.com/download/6/7/e/67ef31de-9ee0-47aa-a2ff-a89...
Users have the ability to edit some of the OVA features within OWA, as well as resetting their PIN number should they forget it:
Exchange ActiveSync – Users can now manage their mobile devices through Outlook Web Access. For example, if a device is lost or stolen, the user can remotely ‘wipe’ or ‘kill’ that device through OWA without needing to speak to their corporate IT department.
Administrators can now also define separate per-user or per-group ActiveSync policies with different settings, for example allowing or disallowing attachments.
Windows Mobile 6.1 devices provide users with the ability to manage their Out of Office status and messages directly from their device.
Exchange 2007 also provides the administrator with the ability to remotely manage their device fleet by deploying corporate policies defining how those devices can be used, including the ability to disable hardware and software elements on the device as well as blacklist applications.
File shares can also be accessed from Windows Mobile 6.1 devices without the need for a VPN connection, in the same way that file shares can be accessed via OWA. The shares available can be defined independently from OWA:
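The per-user ActiveSync policy, the separate share settings for devices, and the administrator-side wipe described above, as an added Exchange Management Shell example (not from the original article). It assumes Exchange 2007 SP1 (which added the Clear-ActiveSyncDevice cmdlet), a policy name "Field Staff", a mailbox "jsmith", and a placeholder device ID.

```powershell
# Added example. Assumed: Exchange 2007 SP1, policy "Field Staff", mailbox "jsmith".

# A restrictive device policy: no attachments, alphanumeric PIN required, the
# device locks after 15 idle minutes and wipes itself after 10 failed PIN entries,
# and devices that cannot enforce the policy are refused. UNC and SharePoint
# access from the device is switched off here independently of the OWA settings.
New-ActiveSyncMailboxPolicy -Name "Field Staff" `
    -AttachmentsEnabled $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration "90.00:00:00" `
    -AllowNonProvisionableDevices $false `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false

# Assign the policy to one user (loop over a group's members for per-group use).
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "Field Staff"

# Lost or stolen device, handled by the administrator rather than through OWA:
# list the user's device partnerships, then wipe the one with the matching ID.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Format-Table DeviceID,DeviceType,LastSuccessSync -AutoSize

$device = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceID -eq "DEVICEID-PLACEHOLDER" }
Clear-ActiveSyncDevice -Identity $device.Identity
```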
Summary
In short, then, Exchange 2007 has been developed with mobility very much the focus. The requirement for 64-bit architecture will require the purchase of new hardware for most companies and if you plan to make the most use out of a separate EdgeSync server then this will add to the cost. The question you have to ask is do the benefits outweigh the expense?