Hosted Messaging and Collaboration Solution Technical Whitepaper

Abstract

This paper provides an overview of the prescriptive architecture of the Hosted Messaging and Collaboration (HMC) Solution from Microsoft and Compaq. It examines the interrelation of the hardware, software, and services that make up the solution, and is designed as a technical resource for service providers considering the deployment of a large-scale messaging and collaboration solution for business customers.

Microsoft Network Service Providers Group

August 2002

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, BizTalk, Outlook, SharePoint, SQL Server, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Executive Summary

Overview of the Hosted Messaging and Collaboration Solution

Overview of the prescriptive architecture

Server Hardware

Perimeter Network

Web Servers

External Domain Name Servers

Internet Security Servers

Microsoft Exchange 2000

Client Access

Front-End Servers

HMC Back-End Servers and Back-End Storage

Provisioning and Billing Services

Active Directory Services

Management Servers

Backup and Recovery

Microsoft Operations Manager

Network Components

Border Routers

Ethernet Switches

Load-Balancing Switches

Firewalls and Security Services

Conclusion

Appendix A: Prescriptive Architecture Components Included in the HMC Solution Bill of Materials

Appendix B: Resources

Executive Summary

This paper provides an overview of the prescriptive architecture of the Hosted Messaging and Collaboration (HMC) Solution from Microsoft and Compaq. It examines the interrelation of the hardware, software, and services that make up the solution, and is designed as a technical resource for service providers considering the deployment of a large-scale messaging and collaboration solution for business customers.

This prescriptive architecture has been designed by Microsoft® Exchange 2000 Server experts within Microsoft and Compaq, and it has been tested extensively at the Microsoft Partner Solutions Center and the Compaq labs. The solution is based on the Microsoft System Architecture (MSA) and Microsoft Operations Framework, ensuring that service providers can achieve the highest levels of operational efficiencies and deliver optimal end-user satisfaction.

The HMC Solution has been designed with the particular needs of the service provider community in mind. The hardware, software, and support services are designed to enable rapid time-to-revenue, high reliability, ease of management and administration (even when working with a very high volume of customers), service extensibility, and high profitability. It is a platform for growth, enabling a service provider to scale a service offering to support a large number of subscribers.

Overview of the Hosted Messaging and Collaboration Solution

The Hosted Messaging and Collaboration (HMC) Solution is a Microsoft Exchange 2000 Server–based messaging and collaboration solution designed to be deployed as a hosted application service by a service provider and offered as an alternative to internally operated messaging infrastructures. The HMC Solution has been architected for high availability, high performance, and high security, based on best-practice examples of hosted Exchange 2000 implementations in the field. By relying on the prescriptive architecture, a service provider can avoid spending time, effort, and guesswork in designing a scalable solution.

The initial version of the HMC Solution focuses on feature-rich messaging, shared calendaring, and shared folders for end users in medium organizations and large enterprises. Future versions of the solution will build on this foundation and extend a service provider’s ability to offer services that include instant messaging, Microsoft SharePoint™ Portal Server integration, wireless messaging, and unified messaging and communications. Microsoft has worked closely with Compaq and independent software vendors (ISVs) to make sure that all components in the solution integrate and work well together.

Furthermore, this architecture is fully supported by the Microsoft and Compaq product support organizations, with dedicated resources that focus on this very configuration. By standardizing on this configuration, customers benefit from this advanced support for the entire solution as well as sustained engineering of the base messaging platform and new value-added functionality such as unified communications.

Figure 1: Hosted Messaging and Collaboration Service Framework

The HMC Solution base offering includes the required hardware, software, and system integration services from Microsoft and Compaq Professional Services. The base service engagement from Compaq or Microsoft Consulting Services includes deployment of the HMC Solution. This engagement can be supplemented to address further operational requirements or customizations.

Microsoft offers a continuum of prescriptive architectures designed to serve the needs of a range of organizations—from one that needs only a departmental data center to one that needs a geographically distributed, continuously available data center environment. Microsoft’s prescriptive architecture identifies all the infrastructure components required in a data center hosting Microsoft Windows® 2000–based services, such as storage, network components, Active Directory® service, security, and more.

Built in collaboration with Microsoft partners and independent software vendors, these prescriptive architectures provide tried and tested configurations, which reduce the effort required by companies when putting together a sound infrastructure for running Microsoft servers and solutions.

The HMC Solution has been designed in accordance with the Microsoft Operations Framework (MOF). MOF defines a comprehensive suite of solution-oriented operational guides—including white papers, assessment tools, operations kits, best practices, case studies, and support tools—all of which help organizations understand how to make the best use of people, processes, and technologies in managing these complex systems.

Figure 2: Microsoft Operations Framework Process Model

Microsoft and Compaq have built on years of industry experience and best practices to create the knowledge base required to set up and run these processes. The framework builds on collaborative industry standards, such as the de facto best practices defined in the Information Technology Infrastructure Library (ITIL), and extends them with specific guidelines for running solutions based on the Microsoft platform in a variety of business scenarios.

Microsoft Gold Partner Certification for Hosted Applications focuses on identifying those application service providers (ASPs) that have demonstrated excellence in the areas defined by the MOF/ITIL model. Service providers earning the Microsoft Gold Partner Certification are eligible for further sales and marketing support programs that can foster the increased customer adoption of their HMC Solution-based messaging services.

Overview of the prescriptive architecture

The following diagram identifies the major components of the HMC Solution architecture.

Figure 3: Prescriptive Architecture for the HMC Solution

At a high level, the components in the prescriptive architecture for the HMC Solution include:

  • Public Domain Name System (DNS) and Web servers
  • Front-end protocol servers
  • Back-end servers and back-end storage
  • Active Directory servers
  • Management and administration servers
  • Network architecture components

The topology of these server sets is outlined in Figure 3; a discussion of the role of each component in the prescriptive architecture, as well as a brief discussion of the role of each component in the delivery of an HMC Solution-based service, follows.

Note

The configuration in Figure 3 shows all the components that are related to the prescriptive architecture. Because many service providers already have portions of this configuration in place—for example, routers, management servers, and backup/restore servers—the bill of materials for base configurations of the HMC Solution includes only the components necessary to enable messaging services. Service providers that need other components to complete a configuration can purchase other servers and systems as separate options when acquiring the HMC Solution from Microsoft or Compaq. See Appendix A for a table outlining which components of the prescriptive architecture are included in the HMC Solution bill of materials.

Server Hardware

The HMC Solution has been developed and extensively tested at both Microsoft and Compaq on Compaq ProLiant servers. The solution relies primarily on the ProLiant DL580, DL360, and DL380 servers.

The Compaq ProLiant DL580 is the ideal platform for applications that require superior performance, scalability, and reliability, such as Exchange 2000. With support for up to four Pentium III Xeon processors with 1 MB or 2 MB L2 cache standard, the DL580 provides the processing power and scalability needed to support a growing data center. The DL580 supports 16 registered DIMM slots for increased configuration flexibility and a maximum memory capacity of 16 gigabytes (GB). Additional performance is provided by Triple Peer 64-bit input/output (I/O) architecture, a slot-based dual port 10/100 Ethernet network interface card, optional Smart Array controllers, and 15,000 RPM Wide Ultra3 hard disks.

The Compaq ProLiant DL360 offers uncompromising performance, expanded availability, and unprecedented configuration flexibility. The ultra-thin 1U chassis houses up to two Pentium III Flip/Chip 1.26-GHz or 1.13-GHz processors with 512K cache, or 1.0-GHz, 933-MHz, or 866-MHz processors with 256K cache. It also offers 128 megabytes (MB) of 133-MHz ECC registered SDRAM DIMM memory, which is expandable to 4 GB, and a 133-MHz GTL bus to deliver excellent performance.

The new ProLiant DL380 enables you to do more with less. The brand-new chassis provides better performance, increased uptime, and easier ownership than the previous model, not to mention any other two-way dense rack server in the industry. The new 2U chassis manages to house two Intel Pentium III 1.26-GHz processors with 512K cache; up to 6 GB of 2:1 interleaved 133-MHz ECC SDRAM; hot plug redundant fans, power supplies, and hard disks; two 64-bit/66-MHz PCI slots and one 64-bit/33-MHz PCI slot; and quick deploy, ball bearing, tool-free rails.

Simple yet powerful, Compaq Insight Manager v7 introduces next-generation system software maintenance for ProLiant servers and provides scalable, Web-based management of Compaq and non-Compaq servers, clients, and networking devices.

Perimeter Network

Web Servers

These servers provide the interface for users, customer service representatives, and administrators for account management and for the provisioning, billing, and customer care systems. The recommended hardware is Compaq ProLiant DL360R 1U.

External Domain Name Servers

These servers provide Domain Name System (DNS) services for Internet name resolution. The prescriptive architecture defines a split-split architecture for the DNS infrastructure. In this configuration, the external DNS service (used by end users to locate the service) and the internal DNS service (used by Active Directory and Exchange 2000 Server) are separate, and the external DNS environment is itself split into advertising and resolving servers. The advertising servers are authoritative for the service provider’s public zones and do not perform recursion, so they never cache answers from other servers and cannot be cache-poisoned through forged replies to recursive lookups; the resolving servers perform recursive lookups on behalf of the provider’s own servers (for example, MX lookups for outbound mail) and should not accept recursive queries from the Internet. Any BIND 8 DNS server is acceptable for use as an external DNS server. The prescriptive architecture requires Windows 2000–based DNS servers for the internal DNS environment for improved security and optimum integration with Exchange 2000–based services. The recommended server hardware is Compaq ProLiant DL360R.
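To make the advertising/resolving distinction checkable, the following Python script is an added example; it is not part of the original whitepaper or of the HMC Solution. It builds a recursion-desired DNS query by hand, parses the response header, and reports whether the server that answered behaves as an open resolver (RA set), as an authoritative-only advertising server (AA set, RA clear), or refuses the query outright. The probe function sends the query over UDP/53 to a server you name; the three sample responses at the bottom are constructed header bytes, not captures from any real server.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a single-question DNS query (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(message: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(response: bytes, expected_id: int) -> str:
    """Say what kind of server answered a recursion-desired query."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatched-response"     # not an answer to our query; ignore it
    if h["rcode"] == RCODE_REFUSED:
        return "refused"                 # advertising server asked about a foreign name
    if h["ra"]:
        return "open-resolver"           # recurses for anyone: a cache-poisoning target
    if h["aa"]:
        return "authoritative-only"      # answered from its own zone, no recursion offered
    return "no-recursion"


def probe(server: str, name: str, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify whatever comes back (needs network)."""
    txid = 0x2A2A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data, txid)


# Constructed response headers (not captured from any real server); question and
# answer sections are omitted because classification only needs the header.
OPEN_RESOLVER_RESPONSE = struct.pack("!HHHHHH", 0x2A2A, QR | RD | RA, 1, 1, 0, 0)
ADVERTISING_OWN_ZONE = struct.pack("!HHHHHH", 0x2A2A, QR | AA | RD, 1, 1, 0, 0)
ADVERTISING_FOREIGN_NAME = struct.pack("!HHHHHH", 0x2A2A, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2]))      # python check_dns.py <server> <name>
    else:
        for label, resp in [("open resolver", OPEN_RESOLVER_RESPONSE),
                            ("advertising, own zone", ADVERTISING_OWN_ZONE),
                            ("advertising, foreign name", ADVERTISING_FOREIGN_NAME)]:
            print(f"{label:28s} -> {classify(resp, 0x2A2A)}")
```

Run it from outside the perimeter against each advertising server with a name the provider is not authoritative for: the expected result is "refused" (or at least "no-recursion"), and "open-resolver" means the split has not actually been enforced. Against the provider’s own zone the answer should be "authoritative-only".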

Internet Security Servers

Microsoft Internet Security and Acceleration (ISA) Server is an application-aware firewall that provides intrusion detection and protection from malicious traffic at the application layer, such as malformed Simple Mail Transfer Protocol (SMTP) commands. It has been included in the prescriptive architecture to protect the perimeter network and to provide access to the various services in a secure fashion. Because the front-end servers sit behind ISA Server, the LDAP/Active Directory queries made by the front-end servers stay behind ISA Server rather than crossing the Internet-facing firewall, so no LDAP port has to be opened toward the Internet, a design that further improves the security of the environment.

The architecture prescribes ISA Server for securing access to HMC Solution–based services both as a virtual private network (VPN) termination device and as a means to publish Messaging Application Programming Interface (MAPI) services directly on the public Internet. A very useful feature of ISA Server is its ability to publish Exchange Server services, allowing MAPI access through encrypted remote procedure calls (RPC) directly over the Internet. At the time of writing, ISA Server is the only firewall on the market with a specific Exchange 2000 Server MAPI/RPC application filter capable of securely publishing Exchange services directly on the Internet. By combining this functionality with the Microsoft Outlook® messaging and collaboration client’s ability to encrypt RPC data, service providers can offer secure application services for MAPI clients instead of or in addition to the more complex VPN-based access. Note that RPC encryption is a setting in the Outlook client profile; a profile without it sends mailbox data across the Internet in the clear, so the service provider should make it mandatory in the client configuration it issues to subscribers.

The secure server publishing capability of ISA Server also allows the front-end Outlook Web Access (OWA) and SMTP protocol servers to reside behind ISA Server. Because ISA Server validates the application protocol rather than only the ports, this is a more secure architecture than a traditional perimeter network protected by packet-inspection firewalls alone.

The recommended hardware for this server is Compaq ProLiant DL360R.

Microsoft Exchange 2000

The prescriptive architecture defines that Exchange 2000 Server be deployed in a front-end and back-end configuration. This greatly improves the scalability of the entire solution. The front-end servers route or proxy requests to the back-end servers. The back-end servers are the message store and also render the output to the front-end servers in the format of the protocol being used.

When a client connects to a front-end server, the server queries the Windows 2000 Active Directory service to authenticate the user and to locate the back-end server that holds the user’s mailbox. Once the client’s credentials are validated, the front-end protocol server proxies the request to that back-end server and returns the resulting view of the mailbox and folder structure to the client. Front-end/back-end communication uses whatever protocol the client connected with (IMAP4, HTTP, or POP3); because SSL is terminated on the front-end server, this hop is not encrypted and must stay on a protected internal network segment. MAPI, however, is not proxied by front-end servers: MAPI connections always terminate on the back-end servers, and when MAPI is published through ISA Server it is the back-end servers that ISA Server publishes.

Client Access

Business customers subscribing to an HMC-based service can use the following client software to access messaging services in the HMC Solution:

  • Microsoft Outlook Web Access—administrators can configure OWA to use HTTP or HTTPS to access HMC Solution–based messaging services. OWA uses basic authentication by default; because basic authentication sends the user name and password merely base64-encoded, not encrypted, it is recommended that OWA users authenticate using basic authentication over Secure Sockets Layer (SSL) and that the plain HTTP listener not be exposed to the Internet.
  • Microsoft Outlook version 2002—administrators can configure Outlook 2002 to access MAPI-based services either through a VPN or directly over the Internet as a MAPI client. The direct configuration is possible without a VPN because of the MAPI/RPC publishing capability of ISA Server.

Front-End Servers

Outlook Web Access Front-End Servers

OWA provides messaging and collaboration services and sits behind ISA Server. The OWA front-end servers are load-balanced using the load balancers as shown in Figure 3. This configuration allows OWA services to be scaled by simply adding more servers as OWA subscribers increase.

SSL sessions are used to protect the flow of information between an OWA server and an OWA client. The recommended approach is to pass the OWA SSL session through ISA Server unchanged and terminate it on the Exchange front-end server. If OWA traffic is substantial, hardware-based SSL accelerators can terminate the SSL connections instead of the front-end servers.

The prescriptive architecture recommends obtaining the certificate needed to enable SSL on the Exchange front-end servers from a third-party certificate authority, such as VeriSign. A certificate from a publicly trusted authority is already trusted by subscribers’ browsers, whereas a private certificate authority would require distributing its root certificate to every client (or teaching users to click through certificate warnings, which defeats the purpose of SSL); it is also more cost-effective than setting up and maintaining a private certificate authority.

The recommended hardware for these servers is Compaq ProLiant DL360R.

SMTP Front-End Servers

These provide front-end services for SMTP-based messaging and sit behind ISA Server. The SMTP services are published through the Server Publishing capability of ISA Server, so ISA Server’s SMTP application filter inspects every SMTP command for validity before it reaches the front-end servers, which greatly improves the security of the environment. These servers act as the SMTP bridgehead connectors to the Internet. As with the OWA front-end servers, the SMTP servers are load balanced using load balancers, and the SMTP component is scaled by adding more SMTP front-end servers. Typically, virus-scanning software runs on these servers. The recommended hardware for this server is Compaq ProLiant DL380R.
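What the application-layer SMTP inspection mentioned here and in the Internet Security Servers section amounts to, in code: the following Python filter is an added example, not ISA Server’s own logic and not part of the original whitepaper. It applies the checks an SMTP application filter typically applies to each client command line (CRLF termination, the RFC 2821 limits of 512 octets per command line and 256 octets per path, printable ASCII only, a verb allow list) and runs them over a constructed session transcript. The allow and deny verb lists are policy assumptions for the example, and the session lines are constructed, not captured.

```python
import re
from typing import List, Tuple

MAX_COMMAND_LINE = 512   # RFC 2821 section 4.5.3.1: command line including CRLF
MAX_PATH = 256           # RFC 2821 section 4.5.3.1: reverse/forward path including <>

# Policy assumptions for this example: verbs accepted from the Internet, and verbs
# refused because they leak directory information or invite relay abuse.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS", "AUTH"}
DENIED_VERBS = {"VRFY", "EXPN", "TURN", "ETRN", "HELP"}

# MAIL FROM:<path> / RCPT TO:<path>, optionally followed by ESMTP parameters.
_PATH_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^<>\s]*)>(\s+\S+)*$", re.IGNORECASE)


def check_command(raw: bytes) -> Tuple[str, str]:
    """Return ("accept", verb) or ("reject", reason) for one client command line."""
    if not raw.endswith(b"\r\n"):
        return "reject", "line not CRLF-terminated"
    if len(raw) > MAX_COMMAND_LINE:
        return "reject", f"command line {len(raw)} > {MAX_COMMAND_LINE} octets"
    body = raw[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):
        return "reject", "non-printable or non-ASCII byte in command"
    text = body.decode("ascii")
    verb = text.split(" ", 1)[0].upper()
    if verb in DENIED_VERBS:
        return "reject", f"{verb} disabled by policy"
    if verb not in ALLOWED_VERBS:
        return "reject", f"unknown verb {verb!r}"
    if verb in ("MAIL", "RCPT"):
        m = _PATH_RE.match(text)
        if not m:
            return "reject", f"malformed {verb} argument"
        if len(m.group(2)) + 2 > MAX_PATH:          # +2 for the angle brackets
            return "reject", f"path exceeds {MAX_PATH} octets"
    return "accept", verb


def filter_session(lines: List[bytes]) -> List[Tuple[bytes, str, str]]:
    """Apply check_command to every line of a client transcript."""
    return [(line, *check_command(line)) for line in lines]


# Constructed client transcript (not a capture): three clean commands, then the
# kinds of input an SMTP application filter exists to stop.
SAMPLE_SESSION = [
    b"EHLO mail.example.net\r\n",
    b"MAIL FROM:<alice@example.net>\r\n",
    b"RCPT TO:<bob@hosted.example>\r\n",
    b"VRFY postmaster\r\n",                                   # disabled by policy
    b"RCPT TO:<" + b"A" * 300 + b"@hosted.example>\r\n",     # path longer than 256 octets
    b"MAIL FROM:<\x00\xff>\r\n",                              # binary junk in a command
    b"XDEBUG on\r\n",                                         # verb not in the allow list
    b"DATA\r\n",
    b"QUIT\n",                                                # bare LF, not CRLF
]

if __name__ == "__main__":
    for line, verdict, detail in filter_session(SAMPLE_SESSION):
        shown = line[:40] + (b"..." if len(line) > 40 else b"")
        print(f"{verdict:6s} {detail:40s} {shown!r}")
```

A filter of this kind sits in front of the SMTP front-end servers; anything it rejects never reaches the Exchange SMTP service, which is the point of publishing the servers through ISA Server rather than opening port 25 straight through a packet filter.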