E-mail has been a critical application for law firms for almost as long as I can remember. Today, it is even more critical as lawyers gain mobility and access their messaging applications anywhere, anytime, and as message stores take on the burden of housing voice mail from new IP-PBX systems and from unified communications applications. So what happens when e-mail is unavailable?
I am sure we can always find something to do when a mail server is down, but it may not be as productive and communicative as messaging. With that in mind, and with the fact that more law firms use Microsoft Exchange than not, I reviewed a high availability (HA) solution for Exchange: Teneros Application Continuity Appliance. The ACA can also be used for disaster recover (DR).
HA products replicate critical services on site. In the event a critical service goes down, an HA product steps in to provide the critical services during the outage. A DR product provides redundant services off site. In the event critical services go down or the remote site becomes unavailable, the DR solution serves them up from a remote location.
The Teneros appliance uses Exchange applications and Microsoft’s transactional API to replicate Exchange content and enable high availability. When an outage occurs, the ACA performs an IP- based fail-over where it takes over the IP address of your Exchange Server. In DR mode, the ACA makes uses Microsoft SQL and a DNS fail-over technique.
ON STAGE
I visited Teneros’ headquarters in Mountainview, Calif., to see an ACA in action. The Teneros platform for Exchange runs on top of a VMWare ESX virtual environment in a Hewlett Packard DL380 Proliant server. There are two models available: v1000 in a 1U form factor supporting 90 gigabytes of data and v3000 in a 3U form factor supporting 1.3 terabytes of data.
Although your IT personnel may be familiar with VMware virtualization software and HP hardware, they won’t need to bring that experience to bear on the appliance. Once the ACA is set up and configured, Teneros supports, maintains, and upgrades the box at configured intervals. That takes care of the “Is it easy to manage?” question. Now, how easy is it to deploy and use?
Deploying an ACA in HA mode in the law firm is not a difficult task. In fact, the most difficult part might be taking it out of the box and plugging it into the network. First, HP Proliant servers are not noted for their light weight. Second, the ACA needs to be inserted in the message path between the Exchange Server and the network switch that it is connected to (i.e., inband), so that e-mail messages pass through the ACA to the Exchange Server. Why? Because there is a virtual switch inside the appliance that uses inline network fail-over in the event the mail server becomes unavailable. Note that if you team network adapters on your Exchange server, the ACA supports teaming.
Prior to shipping the appliance, Teneros sets it up in HA or DR mode, depending on your needs. Once the device is on site, turned on, and plugged into the network, it sports a Web-based graphical user interface for installation and administration. If you are an Exchange or network administrator, you will not even need to refer to your notes. The device will need the usual Domain and network configuration information. It will also need four dedicated IP addresses: one for the device, one for console access in the event the Web user interface becomes unavailable, and two for HA/DR services. One of the IP addresses in HA services is used for the failover. The other is used to allow a backup server to connect to the Exchange server while the ACA provides Exchange services.
The ACA does not use Domain information to allow or deny access to the Web-based administration GUI. You have to set up administrative users to access the device manually. Once that is done, these users receive e-mail alerts in the event an Exchange service goes down and the ACA fails over to replace it.
Teneros aims to satisfy BlackBerry addicts even when the Exchange server is down. The ACA will continue to support BlackBerry access to messaging and calendaring during fail-over. All you need to set that up is the IP address of the BlackBerry server, its service account domain, and a service account for the ACA to restart the BlackBerry service after each fail-over or when the Exchange services are restored, i.e., when they fall back to the original server. Note that the ACA also supports Cisco’s Unified Messaging and GoodLink access to messages in the same manner as BlackBerry services.
SET UP TO FAIL OVER
The ACA can be set up to automatically fail over during an Exchange outage using a configuration page not unlike your favorite radio tuner. See Figure 1, below.
Figure 1. ACA Web page to configure high availability.
The real question is “What is an outage?” That’s a question you will have to answer using your threshold for downtime.
The ACA monitors and detects whether the Exchange server’s critical network ports (HTTP, HTTPS, SMTP) are available and whether certain Exchange services like the "World Wide Web," "Hub Transport," and "Internet Information Services" are running. In addition, it will determine if the "Information," "Mailbox" and "Public Folder" stores are available. In the event that any service or store is unavailable for a configurable number of minutes, the ACA will fail over Exchange services to the appliance and alert the appropriate staff of the event. For those firms where Exchange is ultra-critical, the ACA can even cover mail services while the server reboots after maintenance, upgrade, or other reason.
The Teneros lab contained a LAN switch that connected an ACA v1000 and an Exchange Server 2007 with clients running Microsoft Outlook 2003 and 2007. The Exchange server was connected to the LAN switch through the ACA’s virtual network ports. To test the ACA, I connected to the Exchange server’s administration module and brought the mail store down. The ACA automatically took over Exchange services to the connected Outlook clients without more. And, as part of the administrative group, I received an e-mail alerting me to the event.
Once Exchange services failed over to the ACA successfully, I engaged the mail store again, but Exchange services did not automatically fall back, or “failback,” to the Exchange server. Failback is not automatic. It is a manual task that may call for human interaction, depending on the state of the Exchange server vis-à-vis the ACA. To restore Exchange services to the Exchange server, I accessed the Web interface.
From the Web UI, I clicked on the “dashboard” screen for a graphical view of the facts: the ACA was active and the Exchange server was inactive. One click restores Exchange services to their rightful owner. Once clicked, the ACA goes into a “split brain” detection to see if the transactions on the Exchange server compare to the transactions on the ACA at the time of fail-over. If not, indicating a “split brain,” the ACA synchronizes the mail objects created on the Exchange server after failover that were created from its transaction log entries not present on the ACA.
When the mail store was shut down, transaction processing ground to a halt on the Exchange server; then services were transferred to the ACA. This would not cause a split-brain scenario, i.e., an unsynchronized state between the down Exchange server and the ACA. No transactions were processes after bringing down the mail store. But if there is a network outage, transactions on the Exchange server will continue for a time after services fail over to the ACA .Thus causing a split brain scenario. So, I unplugged the Exchange server from the network.
The ACA dutifully started up its Exchange services once it saw the network link to the Exchange server was down. Once I saw the Outlook clients sending and receiving mail from the ACA, I plugged the Exchange server back into the network and accessed the Web UI dashboard screen to failback services. This time, the ACA detected a split-brain scenario that needed attention and synchronized the mail objects successfully. See Figure 2, below.
Figure 2. ACA Web page to "failback" Exchange services with a "split brain" calculation.
PRICING
Recently, Teneros changed its business model from selling the appliance to law firms, with maintenance and support, to licensing the HA and DR platforms as a service. Instead of a one-time, up-front cost, customers now license the software on a per mailbox, per month fee starting from $5 to $12 per mailbox. In addition, you also need to supply the HA or DR platform with an Exchange license. It comes with a Microsoft Windows license.
If you have a lot of mailboxes on your Exchange server, the HA/DR service is not cheap when you do the math. But then again, a network outage is not cheap either, in terms of downtime. To justify the cost, you may need to figure the amount of downtime your Exchange Server suffered over the past and estimate how much that cost the firm in terms of non-productivity. And that is not an easy thing to do in the professional service industry. Thus, the decision is more akin to: "You know it when you need it."
CONCLUSION
Teneros ACA product is easy to install and use. It is, without a doubt, simpler to set up and administer then a clustered Microsoft Exchange environment. I think the failback feature should be configured to restore services to the Exchange server automatically if no “split brain” is detected that warrants human intervention. Other than that, I certainly would not turn an ACA down if someone left it in my data center. But if I were to license one, I would certainly have to consider Exchange a no-can-do-without service in the law firm.
Teneros
Application Continuity Appliances for MS Exchange
Starts at $5-12 per mailbox, per month
Comments