exchange insider - Bitpipeviewer.media.bitpipe.com/1127860794_585/1272388637_179/...2...

Exchange Insider E-zine, vol. 5

When Disaster Strikes in Exchange Server 2010
Disaster can strike at any time. Microsoft Exchange Server must be configured to seamlessly fail over without data loss. Can Exchange Server 2010’s native database availability groups minimize an admin’s backup and DR efforts? BY SERDAR YEGULALP

Built-In Security with Forefront Protection 2010 for Exchange Server
With spam and malware attacks at an all-time high, Microsoft bolstered Exchange Server 2010’s native security in a big way. How does Forefront Protection 2010 fend off threats, and is it enough for your environment? BY RICHARD LUCKETT

Email Archiving and E-Discovery Best Practices
Implementing email-archiving solutions to successfully meet e-discovery obligations means finding the right balance of what to save and for how long.



EDITOR’S NOTE

Carefree Exchange Server Management Secrets
BY MICHELLE BOISVERT, MANAGING EDITOR

MICROSOFT HAS ADDED a couple of welcome features to Exchange Server 2010, including improved backup and disaster recovery methods as well as an enhanced native security tool. Each addition brings with it the promise to lessen an administrator’s day-to-day stress.

Serdar Yegulalp’s article, “When Disaster Strikes in Exchange 2010,” looks at how the server’s database availability groups facilitate replication through automatic mailbox server syncs and how they can eliminate service interruptions during updates. But these changes may take some getting used to—admins may need to adjust the way they perform certain tasks. Get all the details in this article.

The constant threat of spam, viruses and malware can keep an Exchange Server admin on high alert. Implementing the proper security measures means the difference between getting some shuteye and sleeping with one eye on your Exchange infrastructure. In “Built-In Security with Forefront Protection 2010 for Exchange Server,” Richard Luckett traces the steps that led to the development of Microsoft’s native Exchange Server 2010 security. Luckett also explains the differences between on-premise and managed or cloud-based security and how each fits into your enterprise-wide security plan.

Implementing the proper level of email archiving in order to meet e-discovery requirements shouldn’t leave you in a cold sweat. Ease your anxieties by reading Mark Arnold’s article, “Email Archiving and E-Discovery Best Practices,” to make sure your email archiving policies and solutions are working for you.

What are your biggest Exchange Server administration fears? Share them with me at [email protected].

BACKUP AND DISASTER RECOVERY

When Disaster Strikes in Exchange Server 2010
Disaster can strike at any time. Microsoft Exchange Server must be configured to seamlessly fail over without data loss. Can Exchange Server 2010’s native database availability groups minimize an admin’s backup and DR efforts?
BY SERDAR YEGULALP

A LARGE PART of an Exchange Server administrator’s job involves preparing for and recovering from disaster—setting up a backup strategy or configuring Exchange servers for failover. Microsoft added some seamless new high-availability and site resilience features (backup and disaster recovery) to Exchange Server 2010 that do not involve any additional configuration or extraordinary work to establish.

High availability (HA) in Exchange Server 2007 was a function of continuous cluster replication, which isn’t perfect, but still a huge improvement over Windows Server 2003 active/passive failover. In that case, you could leverage Exchange 2007’s log shipping and replay functions in conjunction with clustering, but you were still stuck with only one database per storage group. Exchange Server 2010 gives you multiple databases through the use of database availability groups, or DAGs, which automatically stay in sync with each other.

These groups of up to 16 Exchange 2010 mailbox servers automatically replicate Exchange databases and create less of a dependency for a given mailbox to reside on a specific database or server. You can add or remove servers from the DAG at any time with minimal effort. Therefore, DAGs make it possible to combine an HA solution with disaster recovery (DR), because they have elements of both in one package.

DAGs are also useful because they allow more flexibility in how a particular cluster or server setup can be rolled out. You can start with a single Exchange server on Windows Server 2008 R2 Enterprise Edition, and then add more machines at a later time to either increase system uptime and availability or for data protection. Mailbox servers can also be multi-use machines, which allows them to assume other Exchange roles such as unified messaging. Therefore, you don’t need to dedicate them exclusively as a failover for other machines.

A DAG can span more than one Active Directory (AD) site. For example, if you have multiple Exchange servers in different data centers, you could include them all in a DAG. Redundancy among the different data centers would add that much more resilience to your setup: If one data center fails, the other continues to run as expected.

If you do this, typically you’ll need to turn on Datacenter Activation Coordination Mode, which allows a DAG that has been divided across two data centers to survive an outage at one site and still allow both data centers to recover gracefully without each site assuming that it’s the only surviving site. Microsoft calls that last condition, in which each site believes it is the sole survivor, split-brain syndrome.

Exchange Server 2010’s database availability groups were also designed so that updates can be applied to machines in the DAG without interrupting services. You still have to apply updates manually on each machine in the DAG in succession, but automatic failover between these machines means you can simply apply the updates, let the DAG handle the failover gracefully each time and continue on without having to take additional steps.


WINDOWS SERVER INTEGRATION AND DAG CONFIGURATION
Exchange Server 2010 integrates very well with Windows Server’s conventional backup functions. A DAG’s failover and continuity functions aren’t meant to be substitutes for conventional backup—just as RAID isn’t a substitute for a proper server backup plan. This is why Microsoft created a Windows Server Backup plug-in for Exchange 2010 that uses the Volume Shadow Copy Service (VSS).

The Windows Server Backup plug-in isn’t perfect. Its list of limitations includes an incompatibility with Windows Server Backup’s command-line interface (which still doesn’t work with Exchange 2010). In addition, backups only work at the volume level (i.e., no backups of only the database or the logs). But despite these limitations, the plug-in is still useful.

DAGs can be configured in a few different ways. The easiest way, and the one most familiar to Exchange admins, is a simple two-member (two-server) DAG.

On the higher end, there is a four-member DAG—two local machines and two other machines placed in a remote data center. The local machines are for availability (if one server goes down, the other keeps chugging); the remote servers are for site resilience (if your onsite data center fails, the other one can pick up where the first left off). All of the work that needs to be done via DAGs can be done from the Exchange Management Console or from a PowerShell prompt—the former for ease of use, the latter for fine-grained control and scripting.

MAILBOX CONTINUITY VIA DIAL TONE PORTABILITY

MANY OF THE disaster recovery/continuity features of Exchange Server 2010 will be familiar to trained Exchange admins, but there are a few end-user continuity features—like dial tone portability—that will stand out.

Dial tone portability creates a temporary mailbox for a user whose original mailbox lived on a failed database or server. All message traffic is redirected seamlessly to the new mailbox. Users running Microsoft Outlook 2007 or later don’t need to reconfigure anything on their end—they’re automatically connected to the new mailbox.

A dial tone recovery can be performed on the server where the database failed (recommended, because the database then doesn’t have to be copied to another server) or on another server, which can in turn become the new permanent home for that user’s mailbox if needed. The new way in which databases are managed in Exchange Server 2010 makes this feature possible.

OBSTACLE-FREE REPLICATION
These changes in Exchange Server 2010 mean that many long-time Exchange admins have had to adjust the ways in which they perform certain tasks. The most relevant changes encompass the fact that clustered mailbox servers and storage groups no longer exist. This probably sounds extreme at first, but in practice it means there are fewer obstacles to maintaining replication and consistency. You don’t have to manually administer Exchange as a clustered application—for the most part, that is handled under the hood.

Microsoft also made a lot of under-the-hood changes in how replication works in Exchange Server 2010. For example, it has streamlined the process of populating passive copies of a database from the database cache. That way, if a failover occurs, the backup database is available more quickly than in the past.

Exchange admins who have sweated blood in the past getting backup and disaster recovery features to work ought to be intrigued, to say the least, about what Exchange Server 2010 has to offer in this vein. If you’re curious about putting it to work in your organization, start by checking out the prerequisites for an Exchange 2010 installation, and give it a try. Microsoft offers various trial environments, from a 120-day evaluation copy to a pre-loaded virtual hard disk you can use in your virtual machine of choice.

Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.

SECURITY

Built-In Security with Forefront Protection 2010
With spam and malware attacks at an all-time high, Microsoft bolstered Exchange Server 2010’s native security in a big way. How does Forefront Protection 2010 fend off threats, and is it enough for your environment?
BY RICHARD LUCKETT

WHILE ANTIVIRUS AND antispam products vary greatly—from software to appliances to in-the-cloud solutions—most products use various layers to provide a combination of antispam and antivirus protection. And there is good reason for this.

Sophos Group’s Security Threat Report: 2010 contains some startling statistics regarding trends in malware and spam. Although the Internet and social networks now overshadow email as a means of propagating malware, email remains at the top of the list for spam distribution and is still heavily used by hackers to distribute malware. According to the report, the 10 most common malware releases distributed via email in 2009 are shown in Table 1.

With regard to spam propagation, the U.S. sends out 14.4% of spam—leading all other countries. However, when you look at spam propagation by continent, Asia leads with 34.9%, reports Sophos.


TABLE 1: TOP 10 EMAIL PAYLOADS IN ’09

TYPE/NAME OF ATTACK     % OF OCCURRENCE
Trojan/Bredo            42.8%
Malware/EncPk            8.4%
Trojan/Agent             7.2%
Malware/WaledPak         5.9%
Trojan/Invo              5.3%
Trojan/ZipMal            4.8%
W32/Netsky               3.7%
Malware/FakeVirPk        2.8%
Malware/Iframe           1.7%
Malware/ZipMal           1.6%
Other                   15.8%

BUILDING BLOCKS OF EXCHANGE SERVER SECURITY
When Microsoft acquired Sybari Software Inc. in 2005, it acquired its Antigen for Exchange product line. Microsoft later released its first suite of Microsoft-branded Antigen products in June 2006, marking its first line of antivirus products specifically for Exchange Server 2000 and Exchange Server 2003. The next generation of this product—Forefront Security for Exchange Server—was released shortly after the debut of Exchange Server 2007. This version was enhanced to support the new role-based architecture and to leverage the new transport pipeline in Exchange Server 2007.

Forefront Protection 2010 for Exchange Server is the current generation and next evolution of antispam and antivirus protection from Microsoft. Microsoft’s 2005 acquisition of FrontBridge Technologies Inc., a leading provider of managed services for corporate email compliance, security and high availability, paved the way for its hosted security solution for Exchange, which now includes Forefront Online Protection 2010 for Exchange Server.

FIGURE 1

Antispam Agents on Edge Transport Server

EXCHANGE 2010 BUILT-IN ANTISPAM PROTECTION
When you deploy an Exchange Edge Transport Server role, a wide range of antispam agents are installed that leverage Exchange Server 2010’s built-in API hooks.

Transport agents (Figure 1) were first introduced in Exchange Server 2007 and can directly leverage the transport pipeline. They allow antivirus and antispam applications to proactively scan inbound and outbound email processed by the edge transport server before it enters or exits an organization.

If the edge transport server isn’t deployed, the antispam transport agents can be installed on a hub transport server role using the Install-AntispamAgents.ps1 script. This allows any Exchange Server deployment topology to benefit from antispam protection. Of course, an antispam application will only address half of the problem; you still need an antivirus product to protect the organization from malware.

FILTERING LAYERS OF PROTECTION
Forefront Protection 2010 for Exchange Server (FPE) is an on-premise application that can be implemented in the internal network on the hub transport and mailbox roles. You can also implement it in the perimeter network, on the edge transport or threat-management gateway (TMG).

FPE was designed to provide three distinct layers of filtering: connection filtering, protocol filtering and content filtering.

Layer 1: Connection filtering (rejects approximately 80% of spam)
• DNS Block List (DNSBL)
• IP Allow/IP Block
• Sender ID

Layer 2: SMTP filtering (rejects approximately 3% to 5% of spam)
• Sender
• Recipient
• Global safe list
• Global block list
• Sender ID
• Backscatter

Layer 3: Content filtering (rejects approximately 55% to 60% of spam)
• Cloudmark
• Automatic updates every 45 seconds


FPE can also be installed on the mailbox role. Table 2 shows the available configuration options when FPE is installed on a mailbox server.

FOREFRONT PROTECTION CONFIGURATION AND MANAGEMENT
Forefront Protection Manager (FPM), which allows administrators to manage not only multiple FPE servers within an organization but also the settings for Forefront Online Protection for Exchange (FOPE), is expected to be released in the first half of this year. The protection manager is expected to have additional reporting tools to help administrators understand the nature and trends of malware and spam protection.

NOTE: If you’ve already purchased the Enterprise CAL for Exchange to take advantage of its advanced Exchange Server 2010 features, you also received licenses for both Forefront Protection 2010 for Exchange Server (FPE) and Forefront Online Protection for Exchange (FOPE). This bonus could be the compelling reason to use FPE/FOPE instead of a third-party solution.

TABLE 2: MAILBOX SERVER SCANNING OPTIONS

SCANNING OPTION       DESCRIPTION
Proactive scanning    Scans messages when they are submitted to the mailbox database.
Real-time scanning    Scans messages when they are accessed. Access can include opening a message, viewing it in the preview pane and performing content-indexing operations. (This is set by default.)
Scheduled scanning    Scans messages based on a set schedule or can be run immediately as needed. Scheduled scans are typically used to scan the entire information store.
On-demand scanning    Scans specific mailboxes that are suspected of having been compromised by malware.

Until its release, the redesigned FPE Server Administrator Console does an adequate job of allowing you to configure FPE and FOPE for an organization. The new dashboard view (Figure 2) makes it easy to track current activity and the status of the different components in Forefront Protection for Exchange Server.

NEW FEATURES TO LOOK FOR
Forefront Protection for Exchange Server has several new features. Let’s take a look at some of the coolest ones and how they work.

FIGURE 2

FPE Administrator Console Dashboard

• DNSBL: The DNS Block List feature automates subscriptions to real-time block list (RBL) services and enables configuration through a single mouse click. This is possible because Microsoft has already subscribed to some of the most respected RBL providers to create its own DNS block list.

When you enable DNSBL, you subscribe to the Microsoft list, and enabling it eliminates the subscription fees that are often required to transfer block-list information to your servers. It also eliminates the headache of managing and configuring your own subscriptions.
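To make the Layer 1 connection-filtering step concrete, here is an added Python illustration; it is not FPE code and not from the article. It builds the reversed-octet DNSBL query name, consults an offline stub resolver that stands in for the Microsoft-maintained list, and applies the local IP Allow and IP Block lists before any lookup. The zone name dnsbl.example.invalid, the stub answers and the sample addresses are constructed for the example; the rule that a listing is an answer inside 127.0.0.0/8 is the usual DNSBL convention, and refusing to act on any other answer is the check you want against a lapsed or wildcarded list zone rejecting all inbound mail.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional

# Constructed zone name for this example; FPE subscribes to Microsoft's own
# aggregated list, whose zone name the article does not give.
DNSBL_ZONE = "dnsbl.example.invalid"

# Addresses that must never be sent to a public DNSBL (RFC 1918 and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LISTED_ANSWERS = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Standard reversed-octet query name: 192.0.2.10 -> 10.2.0.192.<zone>."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(client_ip.split("."))) + "." + zone


# A resolver maps a query name to its A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def make_stub_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS so the example runs without network access."""
    return lambda name: table.get(name)


def connection_filter_verdict(client_ip: str, ip_allow: Iterable[str],
                              ip_block: Iterable[str], resolver: Resolver,
                              zone: str = DNSBL_ZONE) -> str:
    """Layer 1 decision for one connecting IP.

    Design choice for this example: the local IP Allow list wins over
    everything, then the local IP Block list, and only then is the DNSBL
    consulted; internal addresses are never looked up.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in ip_allow):
        return "accept:ip-allow"
    if any(ip in ipaddress.ip_network(net) for net in ip_block):
        return "reject:ip-block"
    if any(ip in net for net in INTERNAL_NETS):
        return "accept:internal"
    answer = resolver(dnsbl_query_name(client_ip, zone))
    # Only a 127.0.0.0/8 answer is a listing. Anything else (for example a
    # wildcard returned by a lapsed or hijacked zone) must not reject mail.
    if answer is not None and ipaddress.ip_address(answer) in LISTED_ANSWERS:
        return "reject:dnsbl"
    return "accept:not-listed"


# Constructed sample data: two listed hosts and one bogus non-127 answer.
# The documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for
# public addresses here.
SAMPLE_DNSBL = make_stub_resolver({
    "10.2.0.192." + DNSBL_ZONE: "127.0.0.2",
    "77.113.0.203." + DNSBL_ZONE: "127.0.0.4",
    "99.113.0.203." + DNSBL_ZONE: "198.51.100.1",  # wildcard-style answer, not a listing
})


def demo_connection_filter() -> Dict[str, str]:
    """Run the sample connections through the filter and return each verdict."""
    allow = ["192.0.2.0/28"]
    block = ["203.0.113.200/29"]
    ips = ["192.0.2.10", "192.0.2.200", "203.0.113.77",
           "203.0.113.99", "203.0.113.201", "10.1.2.3"]
    return {ip: connection_filter_verdict(ip, allow, block, SAMPLE_DNSBL) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in demo_connection_filter().items():
        print(f"{ip:16} {verdict}")
```

Note that 192.0.2.10 is listed in the stub yet accepted, because it falls inside the IP Allow range; that precedence is the reason an allow entry should be treated as a deliberate exception and reviewed like any other bypass.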

• Backscatter: This feature protects your organization from bogus NDR messages. Prior to the release of FPE 2010, no Microsoft solution could prevent fictitious NDR messages from being delivered to users’ mailboxes.

When you enable Backscatter and generate a set of keys, each outbound message will carry a token in the form of a hashed tag applied to the P1 (envelope) MailFrom address. If the external messaging system that receives the email must return a non-delivery report, the token will be returned as well.

If the Backscatter feature on Exchange 2010 transport servers can validate the hash, then the NDR will be allowed into the organization. However, if the NDR is missing the hashed tag or Backscatter cannot validate the hash, then the NDR message will be dropped.

Note: To prevent inadvertently dropping valid NDR messages, all transport servers must have the Backscatter feature enabled. At the very least, it should be enabled on all Internet-facing transport servers.

• Cloudmark: You can license this best-of-breed antispam solution from Microsoft for both FPE and FOPE. Once FPE is installed, it will replace the default antispam connection filter engine with Cloudmark. Cloudmark has a proven 99.77% catch rate. Microsoft guarantees a 98% catch rate in its service-level agreement (SLA) for FOPE.

THIRD-PARTY SPAM AND VIRUS PROTECTION
Microsoft developed four features in Forefront Protection 2010 for Exchange Server that differentiate the product from third-party solutions.

1. FPE uses five simultaneous scanning engines.
2. It has a multilayer defense architecture.
3. FPE is easy to administer, monitor and report on.
4. The solution supports a hybrid model that integrates both on-premise and online servers as well as a singular solution.

Despite these advantages, it isn’t for everyone. Sometimes you need a third-party antivirus or antispam solution. There are a number of well-known antivirus and antispam vendors for Microsoft Exchange Server. When it comes to choosing the best one for your enterprise, which factors should you consider? Key aspects to look for in a third-party antivirus solution for Exchange Server 2010 are:

• Support for the latest virus-scanning API
• Support for hub, edge and mailbox roles
• Use of transport agents for scanning
• Support for antivirus stamping
• Support for multiple scanning engines

FOREFRONT PROTECTION DEPLOYMENT TOPOLOGIES
FPE and FOPE were designed to support environments of all sizes. Forefront Online Protection for Exchange is a hosted solution, so it was designed to scale support for even the largest enterprises.

There are different ways to deploy FPE and FOPE in an Exchange 2010 organization. FPE can protect Exchange organizations with single servers through the use of combined roles or dedicated server roles. You can leverage FOPE by itself; however, deploying FOPE and FPE together is the most comprehensive solution.

On-Premise: Combined Exchange Server Roles. All Exchange Server roles are combined on a single server. Although the client access server role and unified messaging role are on the same server, FPE does not directly support them.

All email and voicemail are submitted to the mailbox role; therefore, the client access server and UM roles are indirectly protected.

On-Premise: Dedicated Exchange Server Roles. FPE is installed on the edge, hub and mailbox server roles, but you don’t need to install it on the UM or CAS roles. This topology gives the administrator the greatest level of flexibility when sizing each server to meet the resource requirements of both Exchange 2010 and FPE. A threat management gateway (TMG) was also deployed to protect the CAS role (Figure 3).

PARSING OUT ANTIVIRUS VENDORS

THE FOLLOWING ARE some of the most commonly used third-party antivirus vendors.

• Network Associates
• Trend Micro
• CA
• Symantec

FIGURE 3

Dedicated Exchange Server Roles

On-Premise/Hosted: Hybrid. FPE and FOPE are deployed as a holistic anti-malware/antispam solution. Once the Forefront Protection Manager becomes available, it will also be possible to centrally manage an antispam policy. However, there is an additional FOPE gateway server in this configuration that is used to push the antispam policy to FOPE from the Forefront Protection Manager (Figure 4).

FPE DEPLOYMENT RECOMMENDATIONS
Here are a few general rules for deploying Forefront Protection for Exchange Server:

• Deploy FPE on an edge transport server, on all hub transport servers and on all mailbox servers.
• Run all five engines, if possible, and run no fewer than two engines for fault tolerance.
• During a malware outbreak, enable the Scan after engine update setting for real-time scanning on mailbox servers.
• Optionally, deploy FPE on a TMG instead of an edge server.
• Until the Forefront Protection Capacity Planning Tool becomes available, use the planning guidelines posted at the Forefront Protection Team Blog.

FIGURE 4

FPE/FOPE Hybrid Solution

PROTECTION IN THE CLOUD AND YOUR SPAM CARBON FOOTPRINT
There is a concept with anti-malware and antispam prevention that suggests the sooner you can eliminate the threat, the less it will cost your organization. To describe this concept in today’s environmentally conscious landscape, some refer to this as reducing the carbon footprint of spam and malware.

The last 10 years have seen an explosion in hardware appliances and perimeter-based email security applications designed to prevent unwanted email from even making it inside an organization. The downside to these products is that they require additional security expertise to maintain, they must be kept up to date in order to be effective and many organizations just don’t have enough staff to meet these challenges.

The consequences of a solution failing are too great for many organizations, so they have begun to seek alternatives.

The use of cloud-based managed security solutions for email systems has increased significantly over the last few years. Cloud-based security gives companies the potential to maintain the smallest carbon footprint possible for malware and spam because these solutions eliminate unwanted email in the cloud—not in the perimeter.

When Microsoft acquired FrontBridge, it became one of the top email hygiene providers along with Postini (Google), MessageLabs (Symantec), Sophos and Trend Micro. Today, you can choose from more than 10 well-known hosted email hygiene/security providers as well as several lesser-known vendors.

What makes Microsoft’s solution so compelling? The company’s technological advances with FOPE make it an excellent choice for a managed security solution in the cloud. The strongest argument for FOPE is that it is the only solution tightly integrated with its on-premise counterpart, FPE. FOPE can also be enabled and provisioned with a few clicks of the mouse using the same tools you need to manage FPE.

HOW TO STAY ONE STEPAHEAD OF ATTACKSViruses and worms of a decade agoseemed like the biggest threats tomessaging security. But when youthink about what they have evolvedinto today—the latest phishing andmalware attacks with criminal intent,for example—it’s no surprise thesecurity industry has grown. Emailadministrators are at the center ofthe malware and spam storm andhave the greatest responsibility toprotect their organizations.

The good news is that there are arange of antispam and anti-malwaresolutions specifically designed formessaging systems.

As the industry moves forward, themarket is trending toward managedsecurity solutions. Managed securitysolutions in the cloud are becomingmore attractive to administrators thathave found it increasingly difficult tokeep pace with the exponentiallygrowing threats to their email sys-tems. �

Richard Luckett is president of SYSTMS of NY Inc.,a Microsoft Gold Partner providing professionalservices, managed services and training solutions.He is an MCSE, MCITP andMCTS with security andmessaging specializations and anMCT with nineyears of Exchange training experience. Richard isan Exchange MVP award recipient, co-author ofAdministering Exchange 2000 Server and ExchangeServer 2007: The Complete Reference, course directorand author of seven Microsoft Exchange courses,and resident email security expert for Search-Exchange.com. Contact him at [email protected].


EMAIL ARCHIVING

Email Archiving and E-Discovery Best Practices

Implementing email-archiving solutions to successfully meet e-discovery obligations means finding the delicate balance of what to save and for how long.

ELECTRONIC DISCOVERY (e-discovery) in an Exchange Server 2007 environment is a minefield. On one hand, you could find yourself implementing expensive email-archiving solutions that do not meet e-discovery requirements. On the other hand, you could be setting yourself up for a lot of work by selecting the wrong email archiving application or no application at all.

Exchange Server administrators need to understand what level of regulations and litigation their business is subject to and how to adhere to those e-discovery requirements through email retention and backup policies and email archiving solutions.

E-DISCOVERY REGULATION LEVELS IN EXCHANGE SERVER

A business that either has no email retention policy or a requirement to retain messages without stringent forensic security measures can adjust its Exchange Server backup regimes and email archiving applications to provide an acceptable level of e-discovery services to an investigating department or agency.

But more businesses are subject to regulatory attention—either formal, stringent regulations such as the Sarbanes-Oxley Act (SOX) or less-stringent regulations such as the Federal Rules of Civil Procedure (FRCP). Exchange Server administrators must understand what levels of regulations their businesses are subject to and what their responsibilities and deliverables might be if they are asked to provide current or historical information in an investigation. The human resources (HR) department or the federal government could direct this investigation.

Unless you are required to save email, the best service that any Exchange administrator can offer a business is agreeing to a deletion policy. If it’s company policy to have no retention policy, that’s as legitimate as a policy requiring you to retain months’ or years’ worth of messages. Having no email retention policy and enforcing it as such is acceptable to any investigator. It’s only a problem if you can’t prove that you’ve deleted messages that you say you haven’t retained.

Whatever regulations you must meet, you should concentrate on system backups. Therefore, it makes sense to understand how those backups can provide some form of e-discovery activity and possibly prevent expensive duplication of tape, disk space or software applications. Some application suites will back up Exchange servers efficiently while presenting an interface that allows someone to search for individual messages based on complex and detailed criteria.

It is contradictory to have a backup application-integrated solution that controls backups and facilitates message recovery if your organization allows users to store mail in .pst files on the network or a local workstation.


EMAIL ARCHIVING SIMPLIFIED IN EXCHANGE SERVER 2010

THE TRADITIONAL APPROACH to email archiving is to rely on backups or implement specialized third-party tools that aren’t native to Exchange Server. Microsoft Exchange Server 2010 integrates its own email archiving, retention and e-discovery capabilities—a step beyond previous versions of Exchange Server. For example, a personal archive allows users to access their archived email using Outlook. Retention management policies let administrators automate archiving and the eventual deletion of messages—legal hold capabilities ensure that edited or deleted messages are preserved. New search capabilities allow compliance officers or other investigators to conduct e-discovery across multiple mailboxes and in archives.

Integration in Exchange Server 2010 offers organizations several benefits. For example, enterprises with noncritical retention requirements will have the tools on-hand to implement archiving without having to rely on backups, which can often be slow or cumbersome. Businesses with demanding email-archiving needs are freed from the burden of requiring a separate archiving/retention/discovery tool—simplifying the IT environment and allowing IT teams to focus attention on other business initiatives.
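As an added example (not from the e-zine or from Microsoft’s documentation), the Exchange Server 2010 Management Shell commands that put the three native features just described to work on a single mailbox; the mailbox address, tag names, policy name and retention ages are assumptions chosen for illustration.

```powershell
# Added example (not from the e-zine). Run in the Exchange 2010 Management Shell.
# Mailbox address, tag/policy names and ages below are assumed values.
$Mailbox = "user@example.com"

# 1. Personal archive: gives the user a second mailbox that Outlook shows
#    alongside the primary one, so archived mail stays reachable without .pst files.
Enable-Mailbox -Identity $Mailbox -Archive

# 2. Retention tags. A "default" tag (Type All) applies to everything without a
#    more specific tag; a folder tag (Type DeletedItems) applies to that folder only.
New-RetentionPolicyTag -Name "Archive-After-1-Year" -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Purge-After-7-Years" -Type All `
    -AgeLimitForRetention 2555 -RetentionAction PermanentlyDelete
New-RetentionPolicyTag -Name "Empty-Deleted-Items-30-Days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery

# 3. Bundle the tags into one policy and assign it to the mailbox; the Managed
#    Folder Assistant normally runs on its own schedule, so kick it once here.
New-RetentionPolicy -Name "Standard-Retention" `
    -RetentionPolicyTagLinks "Archive-After-1-Year","Purge-After-7-Years","Empty-Deleted-Items-30-Days"
Set-Mailbox -Identity $Mailbox -RetentionPolicy "Standard-Retention"
Start-ManagedFolderAssistant -Identity $Mailbox

# 4. Legal hold: once enabled, items the user edits or deletes are preserved
#    in the mailbox regardless of the retention tags above, for later discovery.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true

# 5. Verify the three settings on the mailbox before handing it back to the business.
Get-Mailbox -Identity $Mailbox |
    Format-List DisplayName, ArchiveName, RetentionPolicy, LitigationHoldEnabled
```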


If you suspect that you might be subject to regulatory requirements or be involved in a business where litigation could be a factor, consider migrating to Exchange Server 2007 or even Exchange Server 2010 and give users enough space to meet storage requirements without resorting to .pst files.

You also should implement Group Policies in Active Directory to prevent users from creating and maintaining .pst files. There is no need to merge .pst files into Exchange Server. They can remain read-only and be preserved in a central, administrative location for e-discovery application access, as required.
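One way to push that restriction out, as an added example rather than anything from the original article: the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2) writing the Outlook 2010 PST policy values into a GPO and linking it to a user OU; the GPO name and OU path are assumptions.

```powershell
# Added example (not from the e-zine). Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$GpoName = "Block-Outlook-PST"                                        # assumed name
$OuPath  = "OU=Users,DC=example,DC=com"                               # assumed OU
$PstKey  = "HKCU\Software\Policies\Microsoft\Office\14.0\Outlook\PST"  # 14.0 = Outlook 2010

# Create the GPO only if it does not exist yet (Get-GPO throws on a missing name).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# DisablePst = 1: Outlook no longer lets the user create or attach .pst files.
Set-GPRegistryValue -Name $GpoName -Key $PstKey `
    -ValueName "DisablePst" -Type DWord -Value 1

# PSTDisableGrow = 1: .pst files that are already open stay readable but cannot
# receive new items, which matches the "keep them read-only" advice above.
Set-GPRegistryValue -Name $GpoName -Key $PstKey `
    -ValueName "PSTDisableGrow" -Type DWord -Value 1

# Show what the GPO now carries before it is linked anywhere.
Get-GPRegistryValue -Name $GpoName -Key $PstKey |
    Format-Table ValueName, Type, Value -AutoSize

# Link the GPO to the OU that holds the user accounts (it is a user-side policy).
New-GPLink -Name $GpoName -Target $OuPath -LinkEnabled Yes
```

Existing .pst files are untouched by this policy; move them to the central read-only share the article describes as a separate step.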

SHARE THE E-DISCOVERY RESPONSIBILITY

It’s important that someone else within the company—not the Exchange Server administrator—conduct e-discovery tasks. You don’t want to be involved in preparing data to be searched as well as sifting through email for relevant messages resulting from those specific search parameters. It’s more sensible to have an application that HR or legal departments can use for email searches. You can recover the raw data for them. The business will give you dates to work with, but once that information is available, let the business manage any detailed searches.

Getting information out has always been easy. The difficulty is getting it out in a useful format. E-discovery activity results should be provided in an open format; XML is the preferred format. Providing them in .pdf format would also be acceptable.

MEET REGULATIONS AND MAINTAIN PERFORMANCE

Exchange Server administrators must balance e-discovery requirements to retain and produce large quantities of email on demand against the pressure to maintain a healthy Exchange Server environment. A business at the higher end of the regulation spectrum, one with clearly defined e-discovery requirements for retaining and producing historical email, may benefit from a dedicated email archiving and e-discovery solution. It’s also important, however, to implement such a solution so that it’s beneficial to an Exchange administrator, end users and auditors.

Corporations implement email-archiving solutions for two reasons.

• If they want to reduce storage on their Exchange servers, but don’t have a serious discovery or regulatory requirement, they may implement a third-party add-in tool to separate current email messages from old messages. From an administrator’s perspective, these solutions work well. Such tools reduce the size of Exchange databases that are running, allowing backups to run efficiently. Because the archiving run may only occur about once every week, the archive database and content doesn’t change, so it gets backed up infrequently.

• It’s different for organizations that are heavily regulated and are required to retain email, instant messages (IMs) and other electronic communications for several years. In these cases, the archiving solution runs secondary to the e-discovery component. Evaluate all email archiving products before selecting the one that meets the right functionality and price point for your organization.

The basics remain the same: At regular intervals, remove as much mail as practical from the running Exchange Server stores and move it into the archive repository. Don’t archive too frequently, though, as one of the big benefits to archiving is a reduction in tape media or disk space use for backups. Once every two weeks should be enough, even down to every month if the traffic on the Exchange server isn’t so excessive that it increases storage over the course of a month. You don’t want message storage to become unmanageable with the backup infrastructure you have decided to maintain.

Taking as much old and infrequently accessed email out of the Exchange Server is only part of the solution. Just because users haven’t accessed the email in a considerable amount of time doesn’t mean they won’t need the information in the future. Make the archive available in a seamless manner to users. It helps administrators by reducing and possibly eliminating help desk calls to recover individual messages that users have prematurely shift-deleted.

All email archiving applications offer the configurable capability to publish some or all of an original message in a “stub,” so that just enough of the original message is available. Should the entire message or any attachment be required, the user would experience a slight delay as Exchange Server pulls the necessary content from the archiving repository.

Don’t archive too stringently, though. There’s no point archiving all email over a 30-day period out of Exchange if a particular department has a 60-day cycle to pull reports based on the previous cycle. Too many enquiries into the archive means that either users will experience undesirable delays when messages are retrieved or the archive application must be installed on a larger system or systems.

Archiving and store reduction is an additional bonus, so how should an administrator handle search and discovery?

It’s common for IT departments to seek to retain control over the email archiving application, but this should be avoided. Granting the necessary administrative and investigatory teams individual access to the system takes away a significant amount of work from overloaded IT departments.

Individual departments should work out their own data-protection guidelines to secure against random and unwarranted searches for tenuous reasons. This ensures that searches are fully audited to prevent accusations of probing being leveled at the IT department. That, of course, means necessary training must be given to those conducting searches; and the search interface must be intuitive for non-IT professional use.

Database management, archiving and discovery projects go hand-in-hand. Any project will encompass two or all three of these elements. When planning a solution to reduce the overall storage on Exchange Servers, be sure there isn’t a project in place already to secure messages for compliance or similar purposes.

Mark Arnold, MCSE+M, has been a Microsoft MVP in the Exchange discipline since 2001. He contributes to various Microsoft-focused technology websites and can be found in the Exchange newsgroups and other Exchange forums. Visit his blog at http://markarnold.blogspot.com/.


Cathy Gagne, Editorial Director, [email protected]
Matt Gervais, Site Editor, [email protected]
Michelle Boisvert, Managing Editor, [email protected]
Martha Moore, Copy Editor, [email protected]
Linda Koury, Art Director of Digital Content, [email protected]
Marc Laplante, Publisher, [email protected]
Peter Larkin, Senior Director of [email protected]

TechTarget
275 Grove Street
Newton, MA 02466
www.techtarget.com

©2010 TECHTARGET. ALL RIGHTS RESERVED.


FROM OUR SPONSOR

• 3 Reasons to Consider Google Apps
• Webcast—Google Apps vs. Microsoft Exchange
• Migration from Microsoft Exchange 2007 to Google Apps

About Google: Google email security and archiving services, powered by Postini, enable organizations to make their existing email infrastructure more secure, compliant, and productive. The services protect against spam and messaging threats as well as provide content filtering and encryption for email. The archiving service stores email messages in a central archive with search capabilities to locate messages quickly. As a service, there is nothing to install or maintain, so organizations can simplify their IT architecture and lower costs.