S 3.84 Introduction to Exchange systems

Initiation responsibility: Head of IT

Implementation responsibility: User, Administrator

Groupware is focused on supporting groups regarding collaboration, coordination of dates, general coordination, as well as daily communication. The Microsoft Groupware solution consists of the Microsoft Exchange Server and Microsoft Outlook. The Exchange Server is a management system for messages that also offers functions relating to the area of workflow support. Amongst other things, it is intended to allow for internally and externally exchanging messages such as emails in medium-sized to large agencies and/or companies. Exchange can be used to manage, deliver, filter, and send messages. Furthermore, typical communication applications such as newsgroups, calendar, and task lists, as well as Unified Messaging are offered and managed by Exchange.

Microsoft Outlook is a Groupware client that is part of the Microsoft Office package. In addition to the pure email functionality, it also offers a host of additional functions intended to facilitate business processes such as communication and messaging in companies and government agencies.

Hereafter, the combination of an Exchange server and connected Outlook clients is called Microsoft Exchange system. The representation below is limited to typical installations used frequently in practice.

Exchange architecture

The structural and topological design of a typical Microsoft Exchange system particularly depends on the application scenario: The bandwidth of topologies may range from small companies and government agencies disposing of a single server all functions are executed on to large-scale companies and government agencies normally using separate servers for individual functions and sites. This different design is also reflected in the Active Directory site topology: The Microsoft Exchange system integrates the Microsoft directory service Active Directory (see module S 5.16 Active Directory). The level of integration increases with each version of Microsoft Exchange. The directory service can be distributed to several (global) catalogue servers.

Typical Exchange system
Figure 1: Typical Exchange system

In a Microsoft Exchange system, the location the service is delivered differs from the location the service is used: A Service Delivery Location (SDL) refers to a physical location Microsoft Exchange and other servers are located in. An SDL must offer all dependant services required by Microsoft Exchange. Along with a local network infrastructure (Local Area Network, LAN), the name resolution with DNS (Domain Name System) and the directory services of Active Directory domain controllers and/or global catalogue servers belong to the indispensable location factors. In figure 1, the DNS service, the functions of the domain controllers, and the directory services are provided by the global catalogue servers S-GC_01 and S-GC_02. Optionally, SDLs also include public, external network connections and demilitarised zones (DMZ) and/or perimeter networks. An SDL may consist of one or several sub-networks and may contain one or several Active Directory locations. SDLs correspond to an individual building or a dedicated environment in a general backbone network. SDLs are always separated by a WAN connection (Wide Area Network). In figure 1, this connection is characterised by the location link: in the figure, the locations A and B (with A and B being independent Exchange organisations in each case) are separated by another perimeter network.

A group of clients of one location (Client Service Location, CSL) can access an SDL. A CSL may be in the same location as an SDL or in a different location, separated from the SDL. Here, a CSL also includes devices using a common client access protocol (POP3, SMTP, IMAP) via a public network.

Microsoft Exchange Server

Along with delivering emails, managing dates in calendars, managing tasks, contacts, and addresses, the typical range of functions of a Microsoft Exchange system at an SDL also includes saving documents and notes. A client can use this range of functions from a CSL using Microsoft Outlook or Outlook-Web-Access. When using Outlook-Web-Access, the range of functions can only be partially used. Common email clients are limited to the pure email functions of the Exchange server. A detailed description of the email protocols can be found in the RFC documents of the IETF (Internet Engineering Task Force).

With the Activesync protocol, the Microsoft Exchange system offers a common synchronisation protocol for mobile devices. Exchange offers security functions regarding confidentiality and integrity via the certificate-based authentication and encryption using a PKI, including support for S/MIME, support for the sender ID email authentication protocol, and line encryption between client and server. Along with an anti-spam filter, acceptance and rejection lists (white lists/black lists) are also managed. Interoperability with Microsoft Exchange can be ensured by using so-called connectors for some third party manufacturer products and other transport protocols.

Along with the geographic classification of Microsoft Exchange systems, the physical topologies are considered as well. The description of a network regarding the distribution of server services and roles to physical elements ranges from SDLs with one server, with several servers to several locations. In this, the server services can be centralised or distributed.

Microsoft Outlook

Microsoft Outlook is an application used as email client, collaboration tool, and for managing personal information (Personal Information Manager, PIM). In Mac OS from Apple, Microsoft offers an application called Entourage, with a similar range of functions. In connection with the Microsoft Exchange Server, Outlook can use the complete range of functions: calendar management, the coordination of meetings, and the administration of several participants, resources, and rooms. Microsoft Outlook offers contact databases and a note and task management function in one interface. However, Outlook can also be used without Microsoft Exchange Server, because the common internet protocols POP3, IMAPv4, and SMTP for the email function are supported.

Standard and Enterprise editions

To some extent, Microsoft Exchange systems differ significantly in the characteristics and versions.

Microsoft Exchange Server is delivered as Standard or Enterprise edition in each case. The editions serve to realise functional restrictions by means of the corresponding licences: Differences mostly result from the number of storage groups, the option of managing several databases, the maximum size of databases, and the high-availability functions, e.g. clustering. As an architecture and further development consequence, Microsoft Exchange Server and Microsoft Office are delivered as 64-bit versions that can be executed on 64-bit Microsoft operating systems. However, it is not possible to update from a 32-bit version to a 64-bit version.

The specific versions are described below, taking version 2010 as an example:

Further development of the information memories with Microsoft Exchange Server
Figure 2: Further development of the information memories with Microsoft Exchange Server

The databases for managing the information memories of Microsoft Exchange Server 2010 were converted regarding their access behaviour: The input/output procedures on the hard disk memories were characterised by the expensive random access prior to version 2010. This type of access required highly available and reliable hard disk systems. The migration to Microsoft Exchange 2010 now allows for using more inexpensive SATA hard disk memories as information memory for the databases, because Microsoft Exchange 2010 uses sequential access for data management. The integrity and availability are ensured by the architecture of the Microsoft Exchange kernel: Recovery functions upon catastrophes and high-availability options were combined to become one solution based on the experiences with CCR and SCR. Given this solution, the LCR and SCC options and clustering the mailbox servers are obsolete. The paradigmatic change regarding the distribution of the server roles now consequently covers the databases: Individual mailbox servers can be connected to become Data Availability Groups ( DAG for short). These now offer automatic recovery on the logical mailbox level instead of physical server level. This also renders the "memory groups" inapplicable from a conceptional point of view, because the mailbox databases are not connected to the Microsoft Windows server system any more, but are managed independently. The innovations do not refer to the information memories of "public folders".

The transport and routing functions in Microsoft Exchange Server 2010 result in important innovations: Workflow approval processes can now be performed within the email application. The "Shadow Redundancy" concept in message transport prevents any loss of messages during routing, because the sender server retains a copy of the sent messages until the next communication partner confirms the delivery. The routing functions allow for linking several Exchange On-Premise installations ("Cross-Premises") and Exchange Online services. Routing options such as the prevention of forwarding or the encryption of contents are implemented via rules (also called: Rights Management Services, RMS for short). These can also be implemented by using the corresponding trust settings exceeding the Exchange organisation and/or SDL.

In Microsoft Exchange Server 2010, web support was strongly enhanced in the form of Outlook Web Access: it was possible to implement the native support of browsers such as Safari and Firefox by consistently avoiding Microsoft-specific contents and add-ons. Furthermore, the administrator activities (also called: Exchange Control Panel, ECP for short) can now be performed using the same known web interface of Outlook Web Access. Granular roles and assignments for different administrator roles and administration by users, e.g. creating a new employee or managing mailing lists, can be managed using the role-based access control concept (RBAC for short). Overall, the range of functions of the Outlook Web Access interface is now significantly more oriented towards the interfaces of the Outlook-Software client.

The differences between the Standard and Enterprise editions are similar to those of the Microsoft Exchange Server 2007.

As an architecture and further development consequence, only the 64-bit version exists in Microsoft Exchange Server 2010 that must be executed on a 64-bit Microsoft operating system, e.g. the x64 version of Microsoft Windows Server 2003 or the 64-bit versions of Microsoft Windows Server 2008.

In Microsoft Outlook 2010, the concepts and strategies for user-friendliness and integration of the communication options were expanded further: In the mailbox preview, voice mails are directly converted from natural voice to readable text and displayed. The Ribbon interface introduced in Microsoft Office 2007 for the other Office applications is now also integrated in Outlook.

The new "MailTips" function prevents unnecessary emails from being sent or warns against possible misunderstandings when sending emails to large groups of recipients or external recipients.

The "Clean Up" and "Ignore" functions can now be used to provide thread-based summaries of the email messages in the mailbox and to ignore undesired message threads.

© Federal Office for Information Security. All rights reserved.