Exchange Server 2007 Migration – Part 3
Features without Cross-Operating System Support
Some features of Exchange 2007 do not have cross-operating system support; namely, standby continuous replication (SCR) and the management of failover clusters in both single copy cluster (SCC) and cluster continuous replication (CCR) environments:
- When you use SCR, the SCR source computer and all its SCR target computers must run the same operating system. Thus, before you migrate an existing SCR source or target computer, you must first disable SCR for the computer being migrated.
- Windows Server 2008 represents a clean break from the Cluster APIs included in earlier versions of Windows Server. Because the Cluster service does not allow you to use the cluster management tools for remote administration of failover clusters across different operating systems, you cannot use the Exchange management tools for remote administration of failover clusters across different operating systems. For example, you cannot do the following:
· Manage a clustered mailbox server that is running on Windows Server 2008 from a computer that is running Windows Server 2003 or Windows XP.
· Manage a clustered mailbox server that is running on Windows Server 2003 from a computer that is running Windows Server 2008.
In addition to the previous restrictions, you cannot install different operating system versions of the cluster management tools on the same computer. Thus, if you are running multiple client and server operating systems in your Exchange environment, you may have to use alternative methods, such as the Remote Desktop Protocol tools, to manage some or all Exchange servers.
Note: At the time of this writing, the Remote Server Administration Tools for Windows Vista are not yet available. These tools must be installed on Windows Vista to enable remote management of failover clusters that are running Windows Server 2008.
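The SCR restriction described above, as an added example that is not part of the original article or of Microsoft IT's own procedure: an Exchange Management Shell (Exchange 2007 SP1) script that finds every storage group on the source server that has an SCR copy on the target being migrated, disables SCR for those groups before the operating system migration, checks afterwards that both servers really run the same operating system, and then re-enables and re-seeds the copies. The server names EXMBX01 and EXSCR01 and the one-hour replay lag are assumptions.

```powershell
# Added example (not from the original article): disable standby continuous
# replication (SCR) before migrating its source or target server, and
# re-enable it only once both run the same operating system.
# Assumed names: SCR source EXMBX01, SCR target EXSCR01; assumed replay lag 1 h.
$Source = "EXMBX01"
$Target = "EXSCR01"

# Storage groups on the source that have an SCR copy on the target.
# Get-StorageGroupCopyStatus fails for groups without such a copy, so the
# error is suppressed and the group is simply not selected.
$ScrGroups = Get-StorageGroup -Server $Source | Where-Object {
    (Get-StorageGroupCopyStatus -Identity $_.Identity -StandbyMachine $Target `
        -ErrorAction SilentlyContinue) -ne $null
}

"Storage groups with SCR copies on ${Target}:"
$ScrGroups | ForEach-Object {
    Get-StorageGroupCopyStatus -Identity $_.Identity -StandbyMachine $Target
} | Format-Table Identity, SummaryCopyStatus, CopyQueueLength, ReplayQueueLength -AutoSize

# Step 1 (before the migration): disable SCR for each selected group.
$ScrGroups | ForEach-Object {
    Disable-StorageGroupCopy -Identity $_.Identity -StandbyMachine $Target -Confirm:$false
}

# --- migrate the server to Windows Server 2008 here ---

# Step 2 (after the migration): SCR requires source and target on the same
# operating system, so verify that before re-enabling instead of discovering
# the mismatch when seeding fails.
$SourceOS = (Get-WmiObject Win32_OperatingSystem -ComputerName $Source).Caption
$TargetOS = (Get-WmiObject Win32_OperatingSystem -ComputerName $Target).Caption
if ($SourceOS -ne $TargetOS) {
    throw "SCR source runs '$SourceOS' but target runs '$TargetOS'; migrate the other server first."
}

# Step 3: re-enable SCR, then suspend and seed the standby copy so that
# replication starts from a consistent database copy.
$ScrGroups | ForEach-Object {
    Enable-StorageGroupCopy  -Identity $_.Identity -StandbyMachine $Target -ReplayLagTime 0.01:00:00
    Suspend-StorageGroupCopy -Identity $_.Identity -StandbyMachine $Target -Confirm:$false
    Update-StorageGroupCopy  -Identity $_.Identity -StandbyMachine $Target
}
```

The script is split at the migration boundary on purpose: run the part before the comment line on the still-unmigrated environment, and the part after it only when the migrated server is back in service. The operating system check uses the WMI Caption string (for example "Microsoft Windows Server 2008 Enterprise"), which must match exactly on both sides.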
Procedures for Individual Server Role Migration
The procedures in this topic discuss how to migrate individual server roles from Exchange 2007 (RTM or SP1) on Windows Server 2003 to Exchange 2007 SP1 on Windows Server 2008. For detailed information about how to migrate a single server environment from Windows Server 2003 to Windows Server 2008, see the section "Procedures for Single Server Environments" later in this topic.
Microsoft Exchange Server 2007 Edge Transport - Part 18
Best Practices
Processing over 13 million messages per day for 130,000 mailboxes is no simple task. It requires tremendous coordination, planning, administration, and monitoring. Microsoft IT used the Beta 2 release of Exchange Server 2007 to incorporate new goals and improvement ideas into a new messaging protection strategy. From this experience, Microsoft IT developed the following best practices that an organization can use when planning for and deploying Edge Transport servers and an overall messaging protection solution. Although Microsoft is a unique environment, these general best practices apply to other organizations as well.
· Plan ahead. For businesses and messaging environments of all sizes, it is important to analyze the risks, dependencies, technical requirements, and trends that drive provisioning, hardware sizing, and workflow. Through such planning, Microsoft IT was able to migrate 1,000 mailboxes per day from Exchange Server 2003 to Exchange Server 2007.
· Use a perimeter network. A perimeter network helps protect internal network resources and lets administrators disable inbound mail flow quickly during a severe attack. Perimeter network servers can be tightly restricted in terms of open ports, services, permissions, and users. If a perimeter server is compromised, corporate Active Directory data remains protected (an Edge Transport server is not a domain member and holds only the subset of directory data that EdgeSync replicates to it). Microsoft IT chose a perimeter network for these reasons, and to prepare for expansion as the business grows. Because all servers are load balanced through round-robin DNS, adding capacity means adding servers and updating the DNS MX records.
· Test before production. Microsoft IT deploys sample configurations and software builds in a test environment, then tests them against typical loads to determine stability and analyze the results. By testing Edge Transport servers before putting them in a live environment, Microsoft IT minimizes problems and their impact on users.
· Use multiple layers of protection. Microsoft IT filters out over 95 percent of inbound messages because they are spam, contain viruses, or are otherwise not legitimate. That result comes from using multiple filtering layers, multiple messaging protection strategies, and protection enforced at multiple levels of the organization.
· Scan for spam before running antivirus software. Microsoft IT examined its messaging statistics and found that most viruses that arrive by e-mail arrive inside spam. To reduce server processing and workload, Microsoft IT filters out spam first, which also removes the majority of message-borne viruses before the more expensive antivirus scan runs.
· Update virus and reputation databases. New viruses and the constantly changing origins of spam require continuous updates to spam signatures, IP reputation databases, and virus definitions. Microsoft IT configured the Edge Transport servers to receive spam signature and IP reputation updates automatically, and configured Forefront Security for Exchange Server to update the virus definitions of the individual scanning engines daily.
· Reject bad messages. When connection filtering, recipient filtering, or sender filtering marks a message as illegitimate, reject it during the SMTP session rather than quarantining it, because confidence in these filtering stages is very high. Microsoft IT configures custom SMTP replies that tell the sending host why the Edge Transport server refused the requested action.
· Configure thresholds. More complex filtering, such as content filtering, involves additional variables that can misclassify a legitimate message as unwanted. To lower false positives, Microsoft IT sets thresholds so that mail in the uncertain range is quarantined and remains available for later administrative retrieval rather than being rejected outright.
· Remove attachments. Certain attachments, such as executable files and code, can damage recipient computers and spread across the network. New viruses and other malicious code can cause damage while virus definitions are not yet up to date. Filtering out specific attachment types in the perimeter network therefore reduces the chance that a malicious attachment ever reaches a recipient.
· Harden servers. Microsoft IT trusts Edge Transport servers to face the Internet because they sit behind a firewall and are restricted to the absolute essentials, which limits the attack surface: only vital ports (such as TCP port 25 for SMTP), services, and permissions are enabled.
· Use block and allow lists. To reduce processing, known bad senders can be blocked and known good senders allowed through. Maintained real-time block lists (RBLs) additionally provide current information about known illegitimate senders. List-based filtering rejects messages early in the filtering process, minimizing server load and infrastructure impact.
· Enforce client antivirus. Using logon scripts to enforce the antivirus software configuration and keep virus definitions current helps ensure that clients are protected against viruses that arrive through messages and other sources.
· Implement virus scanning for outbound and inbound messages. Microsoft IT found that keeping viruses out of the organization is crucial, but so is dealing with viruses already inside it. Virus scanning on the client desktop controls viruses in general, but not necessarily viruses present in outbound messages. It is therefore important to scan for viruses on Edge Transport servers and on Hub Transport servers.
· Do not send security notifications to Internet senders. Spammers often try to validate recipient addresses or to learn more about the network or the configuration of an SMTP server. By not sending notifications to Internet senders, Microsoft IT avoids disclosing internal configuration data and reduces server load.
· Configure antivirus to be mail-direction aware. Incoming messages from the Internet are often spam or carry viruses, whereas outgoing and internal messages are typically virus-free. Microsoft IT configures different virus scanning options according to e-mail direction, so the antivirus software must be aware of the direction of each message.
· Reduce server load from known bad senders. Exchange Server 2007 features such as connection tarpitting, which delays SMTP responses to senders that fail recipient validation, and back pressure, which throttles inbound connections when server resources run low, keep capacity available so that legitimate inbound and outbound messages are still processed.
· Verify sender identity and reputation. Spammers and other illegitimate senders often hide their identity behind open proxy servers, spoof their identity, or provide false identity information. By verifying the sender IP address and domain, and by maintaining a reputation database on the Edge Transport servers in Exchange Server 2007, Microsoft IT blocks and rejects unwanted connections.
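The reject, threshold, attachment, block list, tarpit, and sender reputation practices above, as one added example that is not Microsoft IT's configuration and is not part of the original article: an Exchange Management Shell script, run on an Edge Transport server, that applies each practice with the corresponding Exchange 2007 anti-spam cmdlets. The domain contoso.com, the quarantine mailbox, the block list provider, the SCL thresholds, the five-second tarpit interval, the receive connector name, and the blocked attachment types are assumptions chosen for illustration; pick values that fit your own environment.

```powershell
# Added example (not Microsoft IT's configuration): Edge Transport settings
# that implement the best practices above. Run in the Exchange Management
# Shell on the Edge Transport server. All names and thresholds below are
# assumptions for illustration.
$Domain    = "contoso.com"
$Connector = "EDGE01\Default internal receive connector EDGE01"   # assumed name

# 1. Reject bad messages at SMTP time, with a reply that names the reason.
#    Recipient validation rejects RCPT TO for addresses that do not exist,
#    so no NDR is generated and no address information leaks afterwards.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Set-SenderFilterConfig    -Enabled $true -Action Reject -BlankSenderBlockingEnabled $true
Set-IPBlockListConfig     -Enabled $true `
    -MachineEntryRejectionResponse "550 5.7.1 Source IP blocked by sender reputation" `
    -StaticEntryRejectionResponse  "550 5.7.1 Source IP is on the local block list"

# 2. Use block and allow lists: a maintained real-time block list (assumed
#    provider) plus static entries for known bad and known good senders.
Add-IPBlockListProvider -Name "Spamhaus ZEN" -LookupDomain "zen.spamhaus.org" `
    -AnyMatch $true -RejectionResponse "550 5.7.1 Source IP is listed by Spamhaus ZEN"
Add-IPBlockListEntry -IPAddress 192.0.2.10          # constructed example address
Add-IPAllowListEntry -IPRange   198.51.100.0/24     # constructed example partner range

# 3. Configure thresholds: reject only at the high end of the SCL scale,
#    quarantine the uncertain band so that false positives can be retrieved.
Set-ContentFilterConfig -Enabled $true -ExternalMailEnabled $true -InternalMailEnabled $false `
    -SCLRejectEnabled $true     -SCLRejectThreshold 9 `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7 `
    -SCLDeleteEnabled $false `
    -QuarantineMailbox "spam-quarantine@$Domain" `
    -RejectionResponse "550 5.7.1 Message rejected as spam by the content filter"

# 4. Remove dangerous attachments in the perimeter, before antivirus scanning.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "550 5.7.1 Message contains an attachment type that is not accepted"
"*.exe", "*.scr", "*.pif", "*.bat", "*.cmd", "*.vbs" | ForEach-Object {
    Add-AttachmentFilterEntry -Name $_ -Type FileName
}
Add-AttachmentFilterEntry -Name "application/x-msdownload" -Type ContentType

# 5. Verify sender identity and reputation: reject spoofed Sender ID domains,
#    block senders that exceed the reputation threshold for 24 hours, and test
#    connecting hosts for open proxies.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject -TempErrorAction StampStatus
Set-SenderReputationConfig -Enabled $true -SenderBlockingEnabled $true `
    -OpenProxyDetectionEnabled $true -SrlBlockThreshold 7 -SenderBlockingPeriod 24

# 6. Reduce load from known bad senders: tarpit directory-harvest attempts and
#    cap concurrent connections per source IP on the Internet-facing connector.
Set-ReceiveConnector -Identity $Connector -TarpitInterval 00:00:05 -MaxInboundConnectionPerSource 20

# 7. Check the result: which anti-spam agents are enabled and in what order
#    (spam filtering should run before the antivirus agent), plus the SCL settings.
Get-TransportAgent      | Format-Table Identity, Enabled, Priority -AutoSize
Get-ContentFilterConfig | Format-List SCL*, QuarantineMailbox
```

Two caveats. The SMTP rejection replies are deliberately short and generic: they tell the sending host which filter refused the message, as the "Reject bad messages" practice recommends, without revealing server names or internal addressing, which keeps them consistent with the "Do not send security notifications" practice. And the content filter thresholds must keep the order delete ≥ reject ≥ quarantine; the values above leave a two-point band (SCL 7 and 8) in quarantine so that an administrator can release a misclassified message.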
Conclusion
Spam, viruses, malicious code, and other messaging issues cost companies money. The costs include hard costs, such as increased server load and bandwidth use, and soft costs, such as employee productivity. For many years, Microsoft has used a messaging protection system that effectively helps protect against messaging issues. With Exchange Server 2007 Edge Transport servers, the messaging protection solution at Microsoft meets the latest business and technical demands to defend against new viruses, spam, phishing, and other messaging exploits.
Microsoft IT used the principle of multilayer, multistep messaging protection and developed a systematic approach to reducing unwanted messages. First, Microsoft IT protects internal network resources from the outside through a perimeter network. Second, Microsoft IT uses Edge Transport servers and their many filters to block as many unwanted messages as possible from entering the internal messaging environment. Third, Microsoft IT protects the internal environment by enforcing antivirus policies and enabling users to specify safe and blocked senders.
In deploying the Exchange 2007–based messaging protection solution, Microsoft IT used all messaging protection features of Edge Transport servers and Forefront Security for Exchange Server to block, delete, reject, or quarantine unwanted messages. To further increase security, servers were hardened and audited for vulnerabilities to ensure readiness for Internet visibility.
The many steps that Microsoft IT took to design a network environment, combined with the messaging protection features of Exchange Server 2007, resulted in greater flexibility, fewer false positives, and reduced TCO. Microsoft IT continues to monitor the messaging protection solution to optimize settings and is constantly vigilant against unwanted messages.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, see the following links.
· http://www.microsoft.com
· http://www.microsoft.com/itshowcase
· http://www.microsoft.com/technet/itshowcase
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.