by Orlando Scott-Cowley
We’ve only been in the New Year a few weeks and it’s quickly becoming clear that 2014 is the year of the cloud. Even the committed laggards or cloud refuseniks are being compelled to move some services into the cloud.
But you would expect us to say that of course. As in all things, there’s always another point of view to consider. One of our older posts on the value of the cloud received a challenging comment that warrants a response. This comment gave us all the opportunity to reconsider why a commitment to cloud services makes sense for customers of all kinds and sizes, even those within regulated industries.
Barriers to cloud adoption have been broken down – initial reticence regarding data ownership in the cloud has been met with credibility built by vendors
The comment challenged our stand on the cloud:
“…Regulation may require certain data controls/protections/audit trails which a Hosted product can’t provide and Exchange (Windows Server Standard plus Exchange software, backups, redundant power, etc.) remain cost prohibitive….”
Initially I was just going to post a response to the comment, but as it has been some time since the original post, I thought that it was worth bringing this discussion right to the top of our blog. Thank you John for taking the time to comment on the post – I hope this post acts as an update, a reassertion of our belief that the cloud is actually more and more an ideal solution specifically for companies of all sizes dealing with the additional pressures of regulatory control.
Most Mimecast customers face these issues. So why is the cloud the solution to their needs?
In the world of email, these industries have high demands on storing and accessing their data – they need sophisticated e-discovery capabilities, granular legal hold functionality, centralization of archives and rigorous compliance capabilities. They have a heavy security requirement too, of course.
The bottom line is that neither on-premise nor cloud archiving solutions address these demands perfectly. But what is clear is that in terms of centralization of data, cost to the business, and time to implement, cloud has been and will continue to be the better option. It is these values which are driving business as a whole towards hosted services, including finance and legal.
As far back as 2011, data were beginning to emerge about this wholesale shift to cloud services. At that point, about one-fifth of companies had already moved their email archiving to cloud or hosted options, away from on-premise. In the same study a significant number of those maintaining capacity in-house had experienced failures in hardware and software implementations, and one third had lost emails – possibly as a result.
Also, remaining barriers have been broken down.
Initial reticence regarding data ownership in the cloud has given way to proof of credibility built by vendors providing well-trained engineers and experts available to support the service. These services offer parity with traditional options. For example, in the case of archiving, email should be stored in its original format mirrored to multiple locations. In addition, written into a vendor’s SLA should be a guarantee that the customer’s data will only be stored within appropriate jurisdictions, to ensure compliance with the regulations imposed in some sectors.
So to answer the original question, is the cloud always the solution? The honest answer is that in a few cases it may not be. But as cloud services continue to mature, those exceptions will become few and far between.
by Clint Boessen
Microsoft has changed the way Offline Address Book (OAB) distribution works in Exchange 2013 compared with previous versions of the product, in order to remove a single point of failure in the Exchange 2007/2010 OAB generation design. While the new method of generating and distributing the Offline Address Book has its advantages, it also has a disadvantage which can result in a breach of privacy, especially in multi-tenant environments. In this article we will look at how OAB generation worked in the past as opposed to how it works now, highlighting both the good and the bad.
Back in May 2009, I published an article entitled "How OAB Distribution Works" which has received a large number of visits and can be found on my personal blog under the following link. That article explains in detail the process behind OAB generation in Exchange 2007 and 2010, and I highly recommend it to anyone who is not familiar with OAB generation in previous releases of the product.
If you have not read the above article, let's quickly summarise. In Exchange 2007/2010 every OAB has one mailbox server responsible for OAB generation. That mailbox server generates the OAB according to a schedule and places it on an SMB share at \\mailboxservername\ExchangeOAB. The Exchange 2007/2010 CAS servers responsible for distributing the Offline Address Book then download the OAB from this share into a folder advertised through Internet Information Services (IIS). Outlook clients discover the path of the IIS website through Autodiscover and download the files located under the OAB IIS folder over HTTP or HTTPS. If you need a more in-depth understanding of this process, again I encourage you to read the blog post above.
The problem with the above design is that every OAB has one mailbox server hard-coded as the server responsible for performing OAB generation, and that is a single point of failure. The whole point of Database Availability Groups is to allow mailbox servers to fail and have their databases fail over to other mailbox servers which are members of the same Database Availability Group. OAB generation did not follow that model: if the server responsible for generating the OAB failed, generation would not fail over to another server, because the OAB was hard-coded to use that specific mailbox server as its generation server. Until an administrator brought the failed mailbox server back, or moved the generation process for that OAB to another mailbox server, the OAB in question would never be updated.
To fix this in the development of Exchange 2013, Microsoft needed a way to let any mailbox server fail without disrupting the OAB generation process; after all, that was the whole idea behind Database Availability Groups, the ability to allow mailbox servers to fail. Instead of spending development time on a separate failover technology for OAB generation, Microsoft folded the OAB generation process into Database Availability Groups. Instead of one mailbox server generating the OAB and sharing it out via SMB, the Exchange 2013 server hosting the active copy of the mailbox database containing the organization mailbox is now the server responsible for generating the OAB. In Exchange 2013 the OAB is stored inside that organization mailbox, so if a mailbox server fails or a database failover occurs, the OAB moves along with it. This architecture change has removed the OAB generation single point of failure which caused problems for organisations in previous releases of the product.
Whilst Microsoft removed the single point of failure from the generation process, they introduced a problem in the distribution process. In previous releases a service running on the CAS servers, the Exchange File Distribution Service, downloaded a copy of each OAB from the mailbox servers performing the OAB generation task and placed the OABs in a web folder for clients to download. This allowed companies running multiple OABs to set NTFS permissions on the individual OAB folders to restrict who is allowed to download each OAB. That is especially useful in Exchange multi-tenant environments, to ensure each tenant can download only the address book applicable to its own organisation.
In Exchange 2013 the Exchange File Distribution Service has been removed from the Client Access Server. The Exchange 2013 CAS now proxies any OAB download request to the Exchange 2013 mailbox server holding the active copy of the organization mailbox that contains the requested OAB; the CAS finds which server that is by querying Active Manager. Because the CAS no longer keeps each OAB in its own folder under the IIS OAB directory, companies can no longer set NTFS permissions on those folders to restrict who may download each OAB. It is also important to note that the organization mailbox provides no access control list of its own for restricting who can download each OAB. This creates a privacy problem for companies offering hosted Exchange services: anyone with a mailbox in the Exchange organisation who knows what they are doing could download the OABs of other tenants and, as a result, harvest full employee contact lists for data mining. Microsoft's response to this threat, documented in the multi-tenant guidance for Exchange 2013, is for hosting companies to "monitor the OAB download traffic"; in other words, there is no real way to prevent it from happening.
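The monitoring Microsoft recommends can at least be automated against the CAS IIS logs. What follows is an added example, not code from the original post or from Microsoft: it parses W3C-format IIS log lines for requests under the OAB virtual directory (Exchange 2013 serves each OAB from a path of the form /OAB/<OAB GUID>/), works out which tenant owns the requested OAB and which tenant the authenticated user belongs to, and reports the mismatches. The OAB GUIDs, the tenant mappings, the user names and the log lines are all constructed for the example; in a real deployment the GUID-to-tenant table would be built from Get-OfflineAddressBook and each tenant's address book policy, and the user-to-tenant mapping from the UPN suffix or whatever the hosting platform uses.

```python
"""Detect cross-tenant Offline Address Book downloads in Exchange 2013 CAS IIS logs.

Added example, not part of the original post. All GUIDs, tenants, users and
log lines below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# An OAB request looks like /OAB/<OAB GUID>/oab.xml or /OAB/<OAB GUID>/<guid>-data-N.lzx
OAB_PATH = re.compile(r"^/OAB/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/")

# Constructed: which tenant each OAB (keyed by the GUID in its URL) belongs to.
OAB_OWNER = {
    "11111111-1111-1111-1111-111111111111": "tenant-a",
    "22222222-2222-2222-2222-222222222222": "tenant-b",
}
# Constructed: which tenant each UPN suffix belongs to.
DOMAIN_TENANT = {"tenant-a.example": "tenant-a", "tenant-b.example": "tenant-b"}

# Constructed W3C extended log excerpt. Line 2 is alice (tenant-a) pulling tenant-b's
# OAB; the 401 on the last line is just the auth handshake before a real download.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-01-20 09:15:02 10.0.0.5 GET /OAB/11111111-1111-1111-1111-111111111111/oab.xml - 443 alice@tenant-a.example 198.51.100.7 Microsoft+Office/15.0 200 0 0 31
2014-01-20 09:15:09 10.0.0.5 GET /OAB/22222222-2222-2222-2222-222222222222/oab.xml - 443 alice@tenant-a.example 198.51.100.7 Microsoft+Office/15.0 200 0 0 28
2014-01-20 09:16:40 10.0.0.5 GET /OAB/22222222-2222-2222-2222-222222222222/22222222-2222-2222-2222-222222222222-data-1.lzx - 443 bob@tenant-b.example 203.0.113.9 Microsoft+Office/15.0 200 0 0 410
2014-01-20 09:17:01 10.0.0.5 GET /owa/ - 443 bob@tenant-b.example 203.0.113.9 Mozilla/5.0 200 0 0 12
2014-01-20 09:18:11 10.0.0.5 GET /OAB/22222222-2222-2222-2222-222222222222/oab.xml - 443 - 198.51.100.7 Microsoft+Office/15.0 401 1 0 5
"""


def parse_iis_log(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one {field: value} dict per request from W3C extended IIS log lines.

    Column order is read from the #Fields: directive, so the parser works with
    whatever logging fields the site has enabled.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("log data seen before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skipping beats misaligning columns
        yield dict(zip(fields, values))


def tenant_of_user(username: str, domain_tenant: Dict[str, str]) -> Optional[str]:
    """Map the cs-username column (UPN form, user@domain) to a tenant, or None."""
    if username == "-" or "@" not in username:
        return None  # anonymous request or a logon name we cannot attribute
    return domain_tenant.get(username.rsplit("@", 1)[1].lower())


def find_cross_tenant_oab_downloads(lines: Iterable[str], oab_owner: Dict[str, str],
                                    domain_tenant: Dict[str, str]) -> List[Dict[str, str]]:
    """Return completed OAB downloads where the requester's tenant differs from the OAB's."""
    findings = []
    for rec in parse_iis_log(lines):
        if rec.get("cs-method") != "GET" or rec.get("sc-status") not in ("200", "206"):
            continue  # only completed downloads; 401s are just the auth challenge
        match = OAB_PATH.match(rec.get("cs-uri-stem", ""))
        if not match:
            continue
        oab_guid = match.group(1).lower()
        owner = oab_owner.get(oab_guid)
        requester = tenant_of_user(rec.get("cs-username", "-"), domain_tenant)
        if owner is None or requester is None or requester == owner:
            continue
        findings.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "user": rec["cs-username"],
            "user_tenant": requester,
            "client_ip": rec.get("c-ip", "-"),
            "oab_guid": oab_guid,
            "oab_owner": owner,
            "uri": rec["cs-uri-stem"],
        })
    return findings


def demo() -> List[Dict[str, str]]:
    """Run the detection over the constructed sample log."""
    return find_cross_tenant_oab_downloads(SAMPLE_LOG.splitlines(), OAB_OWNER, DOMAIN_TENANT)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['time']} {hit['user']} ({hit['user_tenant']}) downloaded "
              f"{hit['oab_owner']}'s OAB {hit['oab_guid']} from {hit['client_ip']}")
```

Run it over the logs of every CAS's front-end web site, since that is where the OAB virtual directory lives. A hit is not proof of malice on its own (a mis-built Outlook profile or an administrator testing a URL will show up the same way), but it is the only signal the platform gives you, so it is worth alerting on and keeping the history.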
For more information about the Exchange 2013 OAB distribution process I strongly recommend the following article published by the Exchange Product Team.
Clint Boessen is a Microsoft Exchange MVP located in Perth, Western Australia. Boessen has over 10 years of experience designing, implementing and maintaining Microsoft Exchange Server for a wide range of customers including small- to medium-sized businesses, government, and also enterprise and carrier-grade environments. Boessen works for Avantgarde Technologies Pty Ltd, an IT consulting company specializing in Microsoft technologies. He also maintains a personal blog which can be found at clintboessen.blogspot.com.
by Barry Gill
Over the past two days, 55 of our technical customers in the UK joined us to find out more about Exchange 2013. We organized this with friends of ours, Nathan Winters and Nicholas Blank, who wrote the new book ‘Microsoft Exchange Server 2013: Design, Deploy, and Deliver an Enterprise Messaging Solution’. They were joined by fellow expert speakers Brian Reid and Carl Holt.
The presenters have the full attention of the audience at the Mimecast Exchange event
We put this event on for our customers as part of our commitment to help them best exploit their messaging environment. We also have established a private community for Sys Admin customers on LinkedIn where we will share content including video content after the event.
Over the two days we dived deep into the technical detail of Exchange. In day 1 we looked at mailbox and client access Exchange architectures, load balancing and publishing, and, most importantly, designing Exchange. Day 2 was hybrid deployments, High Availability and Site Resilience, and finally migration to Exchange 2013.
This event has been extremely well received with many of the attendees being able to use the last two days as an opportunity to rapidly skill up in preparation for pending upgrades!
So check back on our blog over the coming week for highlights from the discussions. Or join our LinkedIn community if you are a technical customer.
by Tim Bond
Last month, Mimecast announced Large File Send for Outlook and personally I can’t wait for it to be rolled out. This is something that Capsticks, as a security-aware firm, and our clients have been crying out for.
Obviously, it was exciting news for the end users who will now be able to send files of up to 2GB from Outlook. But equally important is the impact it will have on people like me running an IT department. That’s why when Mimecast asked me to guest post about the service on its blog I jumped at the chance.
Capsticks is a specialist healthcare law firm, ranked as the number one healthcare firm in both Legal 500 and Chambers legal directories
The first thing that struck me about the new service was that we can now meet the user demand for large file sharing whilst ensuring the files are stored within our existing infrastructure governance. Plus, as the user experience is so easy, it should be easy enough to persuade our users to switch from consumer file sharing services. On the governance side, Mimecast has really delivered on the user experience – users get to set custom expiration dates on the files that they send. Administrators can control these expirations and the Administrator is provided with audit logs and download counters and reporting.
The other benefit I’m really looking forward to is improved storage. As the Mimecast service intercepts the large file and stores it in the secure cloud, it bypasses the constraints of our Exchange server. Plus, Large File Send makes each inbox work harder, as large attachments are no longer hogging the users’ storage allowance on the server. Cloud storage also eliminates duplication of large files: instead of a large file sitting in both the sender’s and the receiver’s mailbox, one copy sits in the cloud. In addition, the service allows large attachments from internal and external mail to be removed from the email server by administrator-defined policy.
As you’d expect from Mimecast, the large files are protected with advanced security. Data Leak Prevention controls can be set centrally for sensitive information and all file uploads are SSL encrypted and stored with AES encryption. Also, you can be notified of policy breaches as well as determine the file size that can be sent and received within the organization. All large file attachments are securely uploaded from Microsoft Outlook to the Mimecast cloud, where they’re scanned according to security policies defined by the IT administrator before being sent on to the recipient.
It was only when I really started using Large File Send for Outlook and exploring these features that I appreciated how useful it was going to be for IT teams. If, like us at Capsticks, you’re always looking for ways to tighten security and improve visibility of data but want to offer users modern features it’s a big piece of the puzzle. Mimecast really gets the challenges I face as Head of IT in a law firm and I can’t wait to see what Mimecast brings out next.