Exchange 2007 server’s bells and whistles mean nothing without client accessibility. In our testing from the client side, we found that while it’s easy to connect to the Exchange 2007 back end in most cases, it’s not completely without its problems.
It comes as no surprise that Microsoft's preferred client access method for Exchange 2007 is Outlook 2007, part of the recently released Office 2007 and available only on Windows platforms.
Exchange 2007 also accepts other e-mail clients, such as Thunderbird (the e-mail counterpart to Firefox) and Microsoft's older Mac Office client, Entourage, but that basic access leaves out the groupware features: shared contacts, shared mailboxes and folders, group calendars and Microsoft SharePoint integration.
The accessibility afforded for Exchange 2007 clients is quite varied. Obtaining simple e-mail access through standard POP3 and IMAP protocols across all clients was easy in our tests.
We ran a number of e-mail clients against it, including Thunderbird (under Linux, Mac OS and Windows XP/Vista Ultimate), Apple Mail and the Netscape clients, and all connected and operated flawlessly.
Exchange 2007, as in previous versions, delivers Web-based mail through Outlook Web Access (OWA), a browser application hosted on Microsoft Internet Information Services (IIS). We found that Web-based e-mail access worked well under Internet Explorer 6 and 7, as well as Apple Safari 2.0 and Mozilla/Firefox 2.0. IE 7 refuses to connect cleanly if there are certificate errors (such as a certificate that does not chain to a trusted root, or one of the wrong type for the server), but once everything is configured correctly it works well.

One gap stands out. When connecting to Exchange 2007, OWA offers no option to suppress externally referenced content (usually pictures) hosted on a Web site or other Internet source. Fetching that content as the message is rendered tells the sender that the message has been opened and read, and a per-recipient URL lets the sender tie that to an individual address. Leaving this basic security measure to third-party products is disturbing.
Outlook 2007 is touted for its automatic configuration (Autodiscover). The lore is that one enters the account name, domain and password and, like magic, everything else is configured. It can happen that way: in our tests the autoconfiguration worked without fuss on LAN and VPN connections, where the client can reach the directory.
However, when Outlook 2007 first connects over the Internet rather than a LAN or VPN, a different mechanism comes into play. This external initial connection requires the organization to distribute certificates to the user (typically the root certificate of the authority that issued the Exchange server's certificate), and the user must install them so that Outlook 2007 trusts Exchange Server 2007 directly. That installation can easily be scripted along with certificate delivery to prevent user missteps at install time.
We used Outlook Anywhere (RPC over HTTP), which wraps Outlook's RPC traffic inside HTTPS; the Client Access server terminates the connection and proxies it to the mailbox server. The user-installed certificate is what lets Outlook trust the server at the far end of that tunnel; the user's own credentials are still presented over the encrypted channel to authenticate.
We also used the IMAP feature of a Motorola Q phone (running Windows Mobile 5) to read mail and to synchronize with the primary server over a Verizon EV-DO connection, which it did easily. Outlook Mobile (via Exchange ActiveSync) provides the same connectivity with the added synchronization of contacts, e-mail and calendars. We found this simple to set up with instructions for savvy users, but the process begs for a scripted method of pushing configuration to Windows Mobile 5 devices.
How we tested Exchange 2007
To test Exchange 2007, we made heavy use of VMware virtual machines. We started by creating a separate Windows Active Directory domain on a Windows Server 2003 system. Then we installed Exchange 2007 on five virtual servers in various configurations, including one simple mailbox server that also acted as a hub transport.
Some of our early tests were of the high-availability and scalability features.
Once we had a single server acting in several Exchange roles (Mailbox, Hub Transport between mailboxes, and Client Access for Web users and mobile devices), we added more servers to the Exchange environment to test high availability.
We added a two-node cluster to test Exchange 2007's high-availability clustering running in active/passive mode across multiple systems.
We also tested high availability by adding a fourth mailbox server running local continuous replication (LCR), which keeps a second copy of the mail store on separate disk drives.
To push the high-availability functions further, we used VMware's features to stop systems abruptly and to remove disk drives from under the various operating systems, and we recorded how Exchange 2007 behaved during these unusual events.
For our management and architectural evaluation, we included both installation and configuration of the system as a whole in our tests. We also tested a number of maintenance and operations procedures, including moving data stores, adding and deleting users, and enabling and disabling services. We worked with Microsoft technical support, online Web knowledge bases and the built-in documentation as well.
We finished our installations by adding Exchange 2007 on a fifth system to test the new Edge Transport role, along with Forefront Security for Exchange Server antivirus and the built-in antispam agents.
To evaluate Exchange 2007 in the Edge Transport role, we used open source tools (nmap, PeachFuzz and conventional network utilities) from a CentOS 4 Linux environment running in a VMware virtual machine, first to enumerate listening services on the Edge Transport server and then to launch a wide variety of attacks on the SMTP server we found listening. Microsoft's Web-based documentation served as the vendor security guidance during the evaluation.
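Port scanning and fuzzing tell you what is listening and whether it falls over; the two findings an assessor most wants from an Internet-facing SMTP listener are whether it relays for outside domains and whether VRFY confirms which addresses exist. As an added example, not the review's own tooling, here is that check scripted with the standard library. Because nothing on this page can be probed offline, the target is a constructed fake that answers the way a correctly configured edge host should (accepts mail for its own domain, refuses to relay, refuses VRFY); the domain names, addresses and reply codes of the fake are assumptions. Point `probe_smtp` at a real host and port to run it for real.

```python
"""Probe an Internet-facing SMTP listener for open relay and address disclosure.

Added example, not the review's own tooling. FakeEdgeHandler is a constructed
stand-in so the probe can be exercised offline.
"""
import smtplib
import socketserver
import threading

INTERNAL_DOMAIN = "example.com"   # assumption: the accepted domain of the edge host
ACCEPTED = (250, 251)             # reply codes meaning "I will deliver this" / "mailbox exists"


def probe_smtp(host, port, internal_rcpt, external_rcpt, timeout=5):
    """Return what the listener admits to; nothing is ever sent (RSET before QUIT)."""
    findings = {}
    with smtplib.SMTP(host, port, local_hostname="probe.example.net", timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        findings["ehlo_code"] = code
        findings["extensions"] = sorted(smtp.esmtp_features)
        # A 250/251 answer to VRFY is an address-harvesting oracle.
        code, _ = smtp.verify(internal_rcpt)
        findings["vrfy_discloses"] = code in ACCEPTED
        # An outside sender addressing an internal mailbox must be accepted: that is the job.
        smtp.mail("outsider@example.net")
        code, _ = smtp.rcpt(internal_rcpt)
        findings["accepts_inbound"] = code in ACCEPTED
        # The same outside sender addressing an outside recipient must be refused (550 typically).
        code, _ = smtp.rcpt(external_rcpt)
        findings["open_relay"] = code in ACCEPTED
        smtp.rset()
    return findings


class FakeEdgeHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in: relays only to INTERNAL_DOMAIN and never confirms addresses."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 edge.example.com ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.wfile.write(b"250-edge.example.com\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n")
            elif verb == "VRFY":
                self.reply("252 2.5.2 Cannot VRFY user")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                if addr.endswith("@" + INTERNAL_DOMAIN):
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay")
            elif verb == "RSET":
                self.reply("250 2.0.0 Resetting")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Service closing transmission channel")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_fake_edge():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeEdgeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_edge()
    result = probe_smtp("127.0.0.1", port, "alice@" + INTERNAL_DOMAIN, "victim@example.org")
    server.shutdown()
    server.server_close()
    for key, value in result.items():
        print(f"{key}: {value}")
```

A real edge host that returns `open_relay: True` or `vrfy_discloses: True` fails the assessment regardless of what the fuzzer finds; a misconfigured accepted-domain list or a permissive receive connector produces exactly those results.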
To test antispam functions, we used a variation on our 2004 antispam test, sending a real-time stream of about 11,000 e-mails from our normal corporate e-mail feed through the Exchange 2007 server as they were received. Following Microsoft's guidelines, we configured Exchange 2007 to mark messages as "definitely spam" (spam confidence level, or SCL, of 7 or above), "suspected spam" (SCL 5 or 6) or "not spam" (SCL below 5). We hand-sorted each message as "spam" or "not spam" and compared our manual ratings with the ones Exchange 2007 assigned. We also ran the same stream, at the same time, through three other commercial antispam products to see how Microsoft's antispam technology compared.
We reported results as ranges. Because each product has a "suspected spam" category, one end of the range counts "suspected spam" as spam when calculating false-positive and false-negative results; the other end counts it as not spam.
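The scoring method above is a two-threshold classification reported at both ends of the "suspected" band. As an added example, not the review's harness, here it is made concrete: the SCL is read from the header Exchange 2007 stamps on filtered mail (`X-MS-Exchange-Organization-SCL`, where -1 marks a message that bypassed filtering), each message is placed in one of the three verdict bands, and the false-positive and false-negative rates are computed twice, with suspected spam counted as spam and as not spam, to give the reported range. The seven-message corpus is constructed for illustration.

```python
"""Score an antispam run as a false-positive / false-negative range.

Added example, not the review's own harness. Messages in SAMPLE_CORPUS are constructed.
"""
import email
from email import policy

SCL_HEADER = "X-MS-Exchange-Organization-SCL"   # stamped by Exchange 2007 content filtering
DEFINITE_SPAM = 7    # SCL >= 7: "definitely spam"
SUSPECTED_SPAM = 5   # SCL 5 or 6: "suspected spam"; below 5: "not spam"


def scl_of(raw_message):
    """Read the stamped SCL; -1 means the message bypassed filtering (e.g. an internal sender)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get(SCL_HEADER)
    if value is None:
        raise ValueError(f"message not stamped with {SCL_HEADER}")
    return int(str(value).strip())


def verdict(scl):
    """Map an SCL to the three bands the review used."""
    if scl >= DEFINITE_SPAM:
        return "spam"
    if scl >= SUSPECTED_SPAM:
        return "suspected"
    return "not spam"


def score(corpus, suspected_counts_as_spam):
    """corpus: iterable of (raw_message, hand_sorted_is_spam). Returns counts and rates."""
    fp = fn = spam = ham = 0
    for raw, is_spam in corpus:
        band = verdict(scl_of(raw))
        flagged = band == "spam" or (band == "suspected" and suspected_counts_as_spam)
        if is_spam:
            spam += 1
            if not flagged:
                fn += 1          # spam that got through
        else:
            ham += 1
            if flagged:
                fp += 1          # legitimate mail blocked or quarantined
    return {
        "false_positives": fp, "false_negatives": fn,
        "fp_rate": fp / ham if ham else 0.0,
        "fn_rate": fn / spam if spam else 0.0,
    }


def score_range(corpus):
    """Both ends of the reported range: (suspected counted as not spam, suspected counted as spam)."""
    corpus = list(corpus)
    strict = score(corpus, suspected_counts_as_spam=True)    # flags more: more FPs, fewer FNs
    lenient = score(corpus, suspected_counts_as_spam=False)
    return {
        "fp_rate": (lenient["fp_rate"], strict["fp_rate"]),
        "fn_rate": (strict["fn_rate"], lenient["fn_rate"]),
    }


def stamped(scl, subject):
    """Constructed message carrying the SCL header the way Exchange 2007 stamps it."""
    return (f"From: sender@example.net\r\nTo: user@example.com\r\nSubject: {subject}\r\n"
            f"{SCL_HEADER}: {scl}\r\n\r\nbody\r\n")


# Constructed corpus: (message, hand-sorted verdict). Three spam, four legitimate.
SAMPLE_CORPUS = [
    (stamped(9, "Cheap meds"), True),
    (stamped(6, "Re: your order"), True),
    (stamped(6, "Quarterly newsletter"), False),
    (stamped(3, "You have won"), True),
    (stamped(1, "Lunch tomorrow?"), False),
    (stamped(-1, "Internal memo"), False),
    (stamped(8, "Invoice attached"), False),
]

if __name__ == "__main__":
    for name, (low, high) in score_range(SAMPLE_CORPUS).items():
        print(f"{name}: {low:.1%} to {high:.1%}")
```

On the constructed corpus the false-positive rate spans 25% to 50% and the false-negative rate 33% to 67%; the width of each range is exactly the share of messages that landed in the suspected band, which is why a product that parks a lot of mail there looks good or bad depending on which end you read.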
Assessing security at the edge of an Exchange 2007 network
With Exchange 2007, Microsoft has introduced the Edge Transport server role, the outward-facing messaging component that handles SMTP traffic to and from the Internet.
An Exchange 2007 server in this role can send and receive Internet mail for the Exchange network (and do such things as block viruses and spam) but is not joined to the Active Directory domain, so a compromise of the edge host does not hand an attacker a domain member. With this in place, Microsoft claims you can mi