Exchange Server 2010's design is fairly unique among major enterprise applications. Compared with other applications that integrate all features and functionality into a single platform, Exchange Server 2010
Grouping various messaging tasks into roles that administrators deploy and manage separately can reduce the potential attack surface in an Exchange environment. It also allows them to scale Exchange to meet an organization's specific needs. Let's examine each Exchange 2010 server role and how it affects the environment.
Exchange 2010’s five server roles
Exchange Server 2010 is divided into five separate but related server roles: the mailbox server, client access server (CAS), hub transport server, edge transport server and unified messaging server. It's important for administrators to understand what each role does and how the roles can be combined for an effective Exchange 2010 deployment.
- Mailbox server role -- The mailbox server is Exchange 2010's back-end repository and contains content items like mailboxes, public folders, address lists, resource schedules and meeting items. Database availability groups support the mailbox server; this support allows admins to deploy highly available mailboxes within the organization.
- Client access server role -- The CAS role handles all connections with external clients that need email access. All the protocols necessary for client access are handled in the CAS, including POP3, Internet Message Access Protocol 4 (IMAP4), Messaging Application Programming Interface (MAPI) and HTTPS. The CAS also supports Microsoft Outlook, Outlook Anywhere, Outlook Web App (OWA) and Exchange ActiveSync (EAS).
- Hub transport server role -- This server role processes, routes and delivers all mail sent through Exchange 2010. The hub transport server oversees message filtering and formatting and checks the validity of attachments. This provides the oversight that an Exchange organization needs to control internal and external email. A hub transport server also records and journals email messages, adds company disclaimers and performs other actions that support regulatory requirements. This role can work in conjunction with an edge transport server.
- Edge transport server role -- When installed, the optional edge transport server provides an added layer of security between the Exchange Server 2010 organization and the outside network. The edge transport server checks that messages sent from outside an organization are free from spam and viruses before routing them to the hub transport server. Outgoing mail from the hub transport server is routed to the edge transport server (if deployed) before leaving the Exchange organization.
- Unified messaging server role -- The UM server, which is also optional, integrates an organization's PBX system with Exchange Server 2010. This stores business data like voicemail and faxes with email, calendars and contacts in users' mailboxes. Users also get features like call answering, automated greetings, message recording and fax support.
The benefits of Exchange 2010 server roles
Having so many roles might seem to complicate Exchange, but experts note there are several advantages to a role-based architecture. First, adopting individual roles can improve security over previous versions.
“There was a larger potential attack footprint on the machine; 20 or 30 ports might be open on an Exchange box in the old days,” said Sean Evans, senior consultant at Blue Chip Consulting Group in Independence, Ohio. “By separating roles, you only need to worry about the client access server having port 443 open.”
Evans also noted that older server hardware is more likely to meet the resource requirements of one or more individual roles. This means organizations can avoid the capital expense of buying powerful new servers to host the entire Exchange Server system.
It's difficult to say which server role is most important for Exchange 2010. It depends on the organization and its needs. Some experts suggest that the mailbox server role is most important since it’s at the core of any deployment.
Other experts suggest that the CAS is most important because it handles the majority of mail processing in Exchange Server 2010. This removes much of the functionality that existed in the mailbox server under previous versions of Exchange. Still, every organization is different and other admins have focused on other roles. “Unified messaging is extremely important for us,” said Joe Chiarchiaro, senior messaging engineer with Grant Thornton LLP. “We're moving our voicemail platform to Microsoft unified messaging on [Exchange] 2010.”
Distributing Exchange 2010 server roles
Exchange Server architects have the flexibility to distribute roles across hardware platforms. A basic Exchange Server 2010 deployment involves a mailbox, client access and hub transport server on the same physical box. This is the minimum set of roles needed to store, route and deliver messages inside and outside an organization.
It is also possible to add the UM server to the same physical system, but the edge transport server cannot coexist on the same computer as other server roles. The physical server must have enough resources to support all roles. This setup is often the most cost-effective approach for smaller, cost-conscious businesses. Blue Chip's Evans also points out that licensing costs can be mitigated when configuring combined (multi-role) servers.
Distributing roles across multiple servers enables an Exchange organization to scale them according to specific needs. When performance demands increase, segregate affected role(s) on separate servers to make the most of the available computing power. You can also group servers to boost performance and resilience; migrating roles to larger and more capable boxes according to traffic loads can also help.
When selecting servers to host Exchange Server 2010 roles, experts say there are few concrete rules because system requirements aren’t spelled out. However, experts recommend referring to Microsoft best practices for hardware sizing.
“I think most hardware platforms can meet the requirements in place; they're not stringent [requirements],” Evans said. “In a multi-role scenario, you're looking at 16 cores. That isn't outlandish when it comes to processing power most customers can get their hands on.”
This was first published in June 2011