ARCHITECTURAL OVERVIEW E-mail Availability Service () with ActiveMailbox E-mail Availability Service () with ActiveMailbox For Microsoft Exchange -Centric Environments
The Market Need for Through direct customer validation with Global 2000 companies SunGard identified the need for a low-cost, easy-to-implement solution that provides continuity of e-mail service during a crisis impacting the primary e-mail system. The two key differentiators of the SunGard solution versus traditional approaches to e-mail high availability are solution cost and deployment time. With the goal of radically decreasing both cost and implementation time, SunGard evaluated new approaches to providing e-mail continuity and developed a solution that costs a fraction of traditional solutions would cost while retaining most of the critical benefits. This breakthrough offering in the e-mail disaster recovery space is called (E-mail Availability Service). Current e-mail high-availability / continuity solutions ecosystem Alternative (server replication) high bandwidth cost complex to manage requires redundant hardware real-time replication Only SunGard delivers a comprehensive solution that offers: enterprise-wide coverage instantaneous activation a breakthrough price point the most flexible deployment models Cost SunGard e-mail continuity/ suite of products low bandwidth cost easy to manage enterprise-wide protection real-time replication instantaneous & transparent activation offered as stand-alone software or hosted service most cost-effective & affordable solution Alternative (tape restore) long restore time (24hr+) requires expensive logistics (tapes, personnel, hardware) server-by-server restore failure-prone difficult to test Time Traditional solutions are costly and complex in part because of the upfront costs to replicate tremendous data volumes stored in today s e-mail systems. This data volume drives high bandwidth, storage, and administration costs. focuses on maintaining e-mail continuity, is designed to provide immediate Return Time Objective (RTO) of a transparent e-mail system for approximately one-tenth of the cost of traditional solutions while enabling bandwidth usage tailored to your requirements for historical e-mail storage. with ActiveMailbox TM keeps e-mail storage costs low by allowing administrators to determine which users have access to historical e-mail during an outage and the amount of history that is stored for each user. for Microsoft Exchange can typically be deployed in less than one day and contains several different implementation options depending on the details of a company s e-mail architecture. for Exchange 2000 and Exchange 2003 has the ability to redirect mail messages around a failure by deploying SunGard s Redirector Sinks. These optional components allow an organization to failover selected parts of their overall messaging topology to while leaving other parts unchanged. E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 2
Architectural Components Summary COMPONENT DESCRIPTION PLATFORM SUPPORT A hosted, backup mail system managed and administered by SunGard 5.5 / 2000 / 2003 SyncManager Customer managed software that keeps the mail system current 5.5 / 2000 / 2003 RecoveryManager RedirectorSink The Infrastructure The Infrastructure is the backup mail system that takes over for the primary mail system in the event of an e-mail disruption. The Infrastructure enables employees to have access to e-mail anytime and anywhere. When is not active it acts as a store-and-forward system for a company s primary e-mail system. This is useful in the case of minor outages that do not constitute sufficient reason to activate. Activating allows users to access their e-mail even though the primary system may not be available. A primary benefit of to the Exchange market is that provides end users with continuity of all the critical e-mail components they require on a daily basis - not only providing 100% coverage of internal and external e-mail, but also access to historical e-mail with ActiveMailbox, access to calendars as well as contacts. is readily deployed in the most complex, highly distributed, centralised/decentralised Exchange environments and provides the same robust service regardless of your specific configuration. What is it? Customer managed software that automatically imports messages into the primary mail system 5.5 / 2000 / 2003 after recovery An Exchange 2000 Event Sink that enables the dynamic re-routing of messages required in order to have some users active on the while other users remain on the primary mail system. Also 2000 / 2003 responsible for transferring copies of mail for ActiveMailbox enabled users to the RedirectorController Customer managed software that sends updates to the RedirectorSinks 2000 / 2003 RedirectorManager A centralized console to install, upgrade, and maintain RedirectorSinks 2000 / 2003 Responsible for relaying mail to for ActiveMailbox in a secure and efficient manner 2000 / 2003 Authentication Controller (Optional) Software that extends a customer s security policy for authentication to 2000 / 2003 The Infrastructure is capable of hosting a large number of mail users in the event of disaster. It is kept in sync with the primary mail system by use of the SyncManager. This ensures that when is activated it has the latest snapshot of the company directory and personal contacts. Through ActiveMailbox, provides immediate access to customised amounts of historical e-mail. Bandwidth can be managed and costs minimized by synchronizing specified amounts of historical mail for different users. The Infrastructure is managed by SunGard and hosted at SunGard s world-class Information Availability facilities. The Infrastructure is based on a highly scalable open source code base. The benefits of this include scalability, low cost, and the ability to be resistant to poison pill corruptions that would affect an Exchange-based backup solution. The Infrastructure is easily tested without the risk of taking down the primary mail system. How it works When a disaster is declared by a customer, can rapidly enable employee mailboxes (over 50,000 in less than 1 minute). can send notification messages to employees mobile phones, personal e-mail addresses, pagers, BlackBerries, etc. Employees have access to their e-mail anytime and anywhere using a simple web browser. They can send and receive messages to anyone on their contact list, access their calendars and historical e-mail with ActiveMailbox. E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 3
Security All data transmission in/out of the Infrastructure is conducted over 128-bit SSL. Inbound data syncs from the SyncManager can be conducted over a dedicated line or VPN. web servers use Thawte Certificate Authorities for authentication. servers are hosted in a secure, hardened, 24x7 hosting facility with the latest technologies in physical security, fire suppression, environmental systems, power management, and network availability. ActiveMailbox encrypts historical messages before they are transported, storing them in the archive in an encrypted format. This meets the secure e-mail storage requirements of HIPAA and other regulatory bodies. For organisations using Active Directory, enables Authentication Controller, as an option for users to login to with their Windows user names and passwords. SunGard has a strict policy never to share, sell, or distribute customer data to third parties not acting on behalf of SunGard, or in connection with the business of SunGard. For more information about Customer Data, please refer to our Privacy and Data Ownership Policies. Figure 1. The Infrastructure infrastructure topology Firewall Front-end servers MTA Store Load balancer Customer premises MTA infrastructure E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 4
The SyncManager The SyncManager plays a critical role in the system. The majority of the cost incurred by traditional DR/ HA solutions is due to redundant hardware and bandwidth that keep the backup hardware replicated with the latest data. The SyncManager allows customers to be smart about the portions of data they replicate and focus on the parts of mailboxes that have the highest value during a disaster while leaving behind the parts of the mailbox that drive the traditional high costs and security concerns. For example, a typical configuration of the SyncManager would be to update the names of the mailboxes that should be created when a disaster is declared, replicate all of the personal contacts from the mailbox and replicate the calendar entries from the mailbox, but not to replicate the hundreds of megabytes of old e-mail in the mailbox. The SyncManager puts the customer in control of the costs of providing e-mail continuity. The SyncManager will run on any Windows 2000/2003 computer and installs in approximately five minutes. The SyncManager runs as a Windows service and has a graphical UI for all setup and configuration. What is it? The SyncManager is software that runs in the customer s data centre that synchronises the most critical information required for to properly mimic the primary mail system. This can include the Global Address List, Personal Contacts, Distribution Lists and Calendar Entries. How it works The SyncManager queries the AD in Exchange 2000/2003 or the Exchange Directory Service in Exchange 5.5 in order to extract the list of all mailboxes in the environment. For each mailbox the SyncManager also extracts all valid SMTP addresses as well as personal contacts. Customers can define how often the replication should occur and at what time. Security CORPORATE SYSTEM SYNC AVAILABILITY RECOVERY Since the SyncManager runs as an NT service, the customer determines the NT Domain account that SERVICE the SyncManager will use for authentication permissions. All data collected by the SyncManager is compressed and encrypted with 128-bit SSL before transmission. The SyncManager always connects to the Infrastructure, never the reverse. As a result, only an outbound TCP session is required by the SyncManager. No computers outside of the company firewall require access to the SyncManager computer. Figure 2. The SyncManager CORPORATE SYSTEM SYNC RECOVERY AVAILABILITY SERVICE SYNC CORPORATE E-mail Availability Service SYSTEM () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 5 RECOVERY AVAILABILITY SERVICE
The RecoveryManager The RecoveryManager fulfills an essential role in post-recovery operations the migration of all e-mail from the backup system to the primary system. Employees expect that e-mail sent or received during the activation of the will not be lost when the primary mail system is restored. This process is automated by the RecoveryManager. After the primary system is repaired and brought back online after the disaster, is deactivated. When is deactivated it generates archive files of all messages sent, received, deleted, or saved as drafts. This alone is an industry regulatory requirement for many companies. The RecoveryManager software reads the archive files and uses MAPI to connect to mail servers in the primary messaging system and restore mail directly to mailboxes. The RecoveryManager preserves message properties such as read/unread status, time/date stamp, etc. The RecoveryManager also puts messages into their SYNC proper folders upon recovery; for example, sent messages to the CORPORATE Sent Items folder, deleted messages to the Deleted Items folder, etc. The RecoveryManager will run on any Windows 2000/2003 computer and installs SERVICE in approximately five minutes. What is it? The RecoveryManager is a customer run software application that automatically migrates messages sent/ received on back into the Exchange environment post-disaster. How it works The RecoveryManager connects to the Exchange servers over MAPI and injects the messages to be recovered. This does not cause downtime to end users. The RecoveryManager maps messages to mailboxes using their GUID, enabling migration of a mailbox from one server to another during the recovery process. SYNC The RecoveryManager processes archived files that contain mail for groups of mailboxes. As a result it SYSTEM can import mail for many people without manual intervention RECOVERY (unlike using exmerge AVAILABILITY with PSTs). Security SYSTEM CORPORATE RECOVERY AVAILABILITY SERVICE The RecoveryManager derives its privileges from the currently logged in user. That user account must have write privileges to the mailboxes being recovered. Figure 3. The RecoveryManager CORPORATE SYSTEM SYNC RECOVERY AVAILABILITY SERVICE E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 6
The RedirectorSink The RedirectorSinks were designed to allow customers to activate for partial failures of their Exchange 2000/2003-based messaging systems. In order to make this possible a mechanism must be in place to route incoming internet messages destined for users on impacted servers to. The re-routing is also necessary to ensure the proper delivery of internal company messages sent from individuals still on Exchange to individuals moved to. RedirectorSinks take advantage of Exchange 2000/2003 s open Event Sink architecture that provides a clean integration point for third party software vendors. The RedirectorSink can quickly enable a server to re-route messages destined to a server that is known to be down. Once activated, the RedirectorSink can ensure that messages for downed servers are being routed to and not queued in Exchange. What is it? The RedirectorSink is an Exchange 2000/2003 Event Sink designed to re-direct mail routing to accommodate for failure of sections of a company s overall messaging system. The RedirectorSinks not only provide the capability for partial activation of, but also provide the intelligence to send copies of mail for ActiveMailbox through the to. How it works The RedirectorSinks take advantage of Exchange 2000/2003 s open Event Sink architecture that provides a clean integration point for third party software vendors. The RedirectorSink is deployed to Exchange servers using a centralised deployment and management application called the RedirectorManager. The Redirector Manager can install, upgrade, or remove the Event Sink from remote servers. The RedirectorSink is invoked when all messages pass through the Exchange server. However, when is in the normal or ready state, nothing is done. The performance overhead associated with this is negligible. The RedirectorSink can quickly enable a server to route copies of messages to the associated in a rapid and efficient manner, for all users enabled on ActiveMailbox. Each RedirectorSink knows the routable address of the to which it will route copies of ActiveMailbox mail. When there is a partial failure in the Exchange system, and the customer chooses to activate, the RedirectorSinks are sent a list of all mail addresses that require re-routing. This list is loaded into memory for performance. Security The RedirectorSinks are managed by a centralized management application. Installation of the RedirectorSinks requires proper NT Domain privileges. The RedirectorSinks do not have connections to servers outside of the firewall. The RedirectorSinks maintain connections with available Controllers which act as proxies for the routing configuration information. Figure 4. The RedirectorSinks SG SG SG SG CONTROLLER SG SunGard RedirectorSink E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 7
The RedirectorController The RedirectorController sends routing configuration updates to the RedirectorSinks and to aggregate status of the RedirectorSinks prior to transmission to. RedirectorSinks maintain connections to RedirectorControllers for updated routing information. They also inform the Controllers of their overall status. Since the RedirectorControllers are required components during an activation, it is recommended that a customer deploy more than one RedirectorController. The RedirectorSinks can manage concurrent connections to many RedirectorControllers. The RedirectorControllers regularly poll the Infrastructure for routing updates (to forward to the RedirectorSinks). What is it? The RedirectorController is a customer managed software application that runs as a Windows service on a Windows 2000/2003 computer in the customer s data centre. How it works The RedirectorController regularly polls Infrastructure for latest message routing information. The RedirectorSinks maintain connections to the RedirectorControllers for latest message routing information. Security The RedirectorSinks serve as a proxy for configuration information being relayed from to the RedirectorSinks on the Exchange servers. Because of the RedirectorController, a direct connection from the Exchange servers to the internet is not necessary. The RedirectorController polls the Infrastructure over SSL (port 443). The RedirectorSinks communicate with the RedirectorController over a high numbered TCP port (port 10709). Figure 5. The RedirectorController SG SG SG SG CONTROLLER E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 8
The Vaultbox The was designed to address three specific customer requirements. First, is the requirement that all e-mail transferred from the primary mail system to the be done in a secure fashion. To address this, the strongly encrypts each message using a customer-specific encryption passphrase. The second customer requirement is that all e-mail be compressed in order to minimise bandwidth usage. The not only compresses message before transmission but also captures messages in a single-instance compliant manner; greatly reducing the bandwidth required versus traditional Exchange Journaling. The third and final key requirement is that the system minimises impact on the primary Exchange system. To address this, the performs all encryption and compression on a separate machine, minimising the additional load and impact to the primary e-mail system. What is it? The is software that runs in the customer s data centre on a dedicated server accessible to the associated Exchange Servers. The provides for encryption and compression of messages before transmitting them to. In order to configure ActiveMailbox, the software is installed on a dedicated server to which the associated Exchange Servers can connect. RedirectorSinks are installed on each Exchange server, and an entry for each in DNS is added in order to properly route mail to the. How it works Essentially, is responsible for assuring secure and efficient transmission from the corporate environment to the service. The is configured to receive e-mail for a specific routable entry in local DNS. The copies of e-mail for ActiveMailbox are routed using the Redirector Sink to the. The Vaultbox encrypts and compresses messages for secure transmission to. For distributed environments, a can be placed in each geographic location to reduce intra-site and inter-site routing of e-mail messages. can also be installed on multiple servers to provide redundancy. Security The plays a key role in providing message transport and storage security. The encrypts each message before transmitting over an encrypted channel to the service. Figure 6. SMTP SG SG SG SG ARCHIVE E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 9
The Authentication Controller (Optional) Authentication Controller allows Exchange 2000 and Exchange 2003 customers to extend their security policy for authentication to. Authentication Controller allows employees to log into the using their, Windows password. This removes the need for a separate password for and improves the ease of activation and an overall better user experience. What is it? The Authentication Controller is a customer managed software application that runs as a Windows service on a Windows 2000/2003 computer in the customer s data centre and proxies login requests from the to a local Active Directory server in real-time. How it works Authentication Controller must be deployed on at least one server per domain controller. For geographically disparate locations that depend on a single domain controller, customers may choose to deploy one Authentication Controller per location. The Authentication controller can be installed on the same hardware as the SyncManager. will validate users passwords by queuing authentication request for secure retrieval by the Authentication Controller. The Authentication Controller retrieves the login requests and verifies if the login credentials are valid. The Authentication Controller communicates over a 128-bit encrypted, outbound only connection over HTTPS and queries the SunGard server if there are any authentication requests pending. Authentication Controller takes the login requests, checks them against the customer s Active Directory and returns a authentication result to the SunGard system. Security Like all communication, it will be initiated by components inside the customer s firewall rather than having the back end initiating contact. Authentication Controller also allows IT departments to extend their security policy out to, in terms of user lockout, password management, password strength, etc. Customers of this service will never have to send usernames and passwords outside of their corporate environment or open ports on their corporate firewall. Figure 7. The Authentication Controller HUB B DOMAIN CONTROLLER DOMAIN CONTROLLER WINDOWS AUTHENTICATION CONTROLLER WINDOWS AUTHENTICATION CONTROLLER LOGIN AUTHENTICATION REQUEST E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 10
Customer Environment with a Single Internet Hub Customers with a single inbound internet connection naturally have a single point of failure of their e-mail system. A loss of service at the hub site will impact the mailboxes hosted locally as well as any mailboxes hosted in remote sites that depend on that internet hub. can be deployed to restore e-mail service for an entire organisation. can also be used to provide protection in the event of the loss of a remote site without impacting the users hosted in the hub; this leverages s unique partial failover technology. Figures 8 and 9 depict the deployment of the SyncManager, RedirectorSinks, and RedirectorController. Figure 8. Customer Environment with a single Internet Hub before Installation INTERNET COMPANY MX Figure 9. Customer Environment with a single Internet Hub after Installation SG SG SG SG SG SG SG SMTP CONTROLLER SYNC ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) INTERNET COMPANY MX E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 11
Customer Environment with Redundant Internet Hubs Customers with two inbound internet hubs have the benefit of added redundancy to their inbound mail handling process but also have a complication as it pertains to partial failover. handles this scenario with the installation of the RedirectorSink for Exchange 2000. This RedirectorSink allows companies to continue to receive mail by whatever inbound SMTP hosts remain active. In the event of a partial activation, the remaining Exchange servers dynamically route messages to that would normally be queued pending delivery to the downed Exchange server. This allows a company to have some users active on while others continue to be active on the Exchange-based mail system. Figure 10. Customer Environment with Two Internet Hubs before Installation HUB B INTERNET COMPANY MX Figure 11. Customer Environment with Two Internet Hubs after Installation SG SG SG SG SG SG HUB B SG SG SG SG SMTP SMTP SG SG SG SG CONTROLLER CONTROLLER SYNC SYNC ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) INTERNET COMPANY MX E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 12
Figure 12. Partial Activation after the failure of a Remote Site SG SG SG SG SG SG HUB B SG SG SG SG SMTP SMTP SG SG SG SG CONTROLLER CONTROLLER SYNC SYNC ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) INTERNET COMPANY MX Figure 13. Partial Activation after the failure of an Internet Hub SG SG SG SG SG SG HUB B SG SG SG SG SMTP VaultBo aultbox SMTP SG SG SG SG CONT TROLLER CONTROLLER SYNCMA ANAGER SYNC ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) ARCHIVE SYNC UPDATES (DIRECTORY, CONTACTS, ETC) INTERNET COMPANY MX E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 13
Phases of Operation There are three major phases of operation of the : Before: After has been installed but before a disaster has been declared. During: From the time is activated until the time the primary messaging system is back on line. After: From the time the primary system has been recovered to the time that all data has been migrated back from to the primary system. Before: Complete installation takes less than one hour. The SyncManager keeps the directory in synchronised with the primary system. Settings are completely configurable. With smart replication, total bandwidth can be as low as 0.5kb per mailbox! The facility is configured as a low priority MX record which means it is never in the mail stream until the primary messaging system fails or is deactivated. In the event of a minor outage of the primary mail system, will queue mail and attempt to redeliver until the primary system comes back online. The operation of is done through a secure, web-based interface. Figure 14. Phases of Operation Before HISTORICAL MAIL ARCHIVE SUNGARD SITE E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 14
During: can be configured to be activated over the web or with a phone call. rapidly activates the temporary mailboxes in less than 60 seconds! Notification messages are sent to the electronic contacts of the company employees (mobile phones, BlackBerries, personal e-mail addresses, pagers, etc). Employees can access the Infrastructure anytime and anywhere. The company maintains complete e-mail continuity among its employees and all external contacts, such as customers and suppliers. Figure 15. Phases of Operation During HISTORICAL MAIL ARCHIVE SUNGARD SITE E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 15
After: creates an archive of all traffic sent and received while was active. The RecoveryManager automatically migrates all data sent and received from back to the primary system. Figure 16. Phases of Operation After HISTORICAL MAIL ARCHIVE SUNGARD SITE SunGard Availability Services For further information about or to arrange for a product demonstration, contact SunGard by calling 800-468-7483 or visit us at www.availability.sungard.com. E-mail Availability Service () with ActiveMailbox: Architecture Overview: Microsoft Exchange-Centric Environments 16