Exchange DAG protection questions (storage, Linux, the meaning of dedicated).

Superuser

Exchange DAG protection questions (storage, Linux, the meaning of dedicated).

Dear Sirs,

 

A hungarian customer has been using a single-server Exchange setup, but now they want to build an Exchange 2016 DAG with 2 members and continue using FSAV ESS 12.11 on that. They have some questions left even after the reading the cluster deployment guide:

1., How much quarantine storage space requirement should they assume?

So far I only found this guidance: "As a minimum requirement, Quarantine database should have the capacity to store information about all incoming and outgoing mail to and from your organization that would normally be sent during 2-3 workdays."

2., The customer wants to place the quarantine storage area on a Linux-based file server, because they think it would be safer that way.

- I think granting that wish isn't possible, because the implementation document says this: "For the Database Availability Group (DAG) installation, the quarantine storage must be set on a dedicated computer. This computer has to be a member in the same domain with Exchange Servers."

 

However, Microsoft Corp. insists a Linux computer cannot be a true member of a domain, if "domain" means Active Directory membership. Is Samba imitation good enough for this purpose or worth trying?

- I think any quarantined content is stored in encrypted form by FSAV Exchange protection, so it's harmless even if located on a Windows file server. Thus the customer's worries are unfounded and there is no need for involving a Linux server. Can you confirm this?

3., If they must use a Windows-based server for storing the quarantine, is it really impossible to utilize a DAG member for that purpose and do they really have to provide a dedicated 3rd computer?

 

I think they need a non-DAG computer for that, because the document says: "For the Database Availability Group (DAG) installation, the quarantine storage must be set on a dedicated computer." However, they really want a confirmation on this issue.

 

Thanks in advance, Yours Sincerely:

Tamas Feher, 2F 2000 Kft., Hungary.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
F-Secure

Re: Exchange DAG protection questions (storage, Linux, the meaning of dedicated).

Hi Tamas,


Good questions you have there =)


1) Your answer is good I think. I'm wondering on how much space did they utilize before DAG. As I think switching to DAG will not double their mail flow.


2) We have never tested scenario with linux. And if needed it will require certain time to check...
Regarding quarantine - there is no encryption so it must be protected by permissions.


3) From our experience with DAG clusters - separate dedicated server is not necessary. For example quarantine folder can be situated on "witness" server and it is working.

2 REPLIES 2
Highlighted
F-Secure

Re: Exchange DAG protection questions (storage, Linux, the meaning of dedicated).

Hi Tamas,


Good questions you have there =)


1) Your answer is good I think. I'm wondering on how much space did they utilize before DAG. As I think switching to DAG will not double their mail flow.


2) We have never tested scenario with linux. And if needed it will require certain time to check...
Regarding quarantine - there is no encryption so it must be protected by permissions.


3) From our experience with DAG clusters - separate dedicated server is not necessary. For example quarantine folder can be situated on "witness" server and it is working.

Superuser

Re: Exchange DAG protection questions (storage, Linux, the meaning of dedicated).

Hello,

 

This is the response I've just from received from F-Secure partner support:

 

Q - How much quarantine storage space requirement should customer assume?

A - Regarding this question, it depends on the volume of mail traffic, mailboxes, attachments etc the customer has. We can't really say for sure as we don't have this information. The documentation says: "As minimum requirement, Quarantine database should have the capacity to store information about all incoming and outgoing mail to and from your organization that would normally be sent during 2-3 days.

Q - The customer wants to place the quarantine storage area on a Linux-based file server, because they think it would be safer that way.

A - As you said, they need to place it on a computer part of the domain, as the user account used has to be part of the domain to ensure proper access and permission. In this case a Samba server situation is not supported.

Q - I think any quarantined content is stored in encrypted form by FSAV Exchange protection, so it's harmless even if located on a Windows file server. Thus the customer's worries are unfounded and there is no need for involving a Linux server. Can you confirm this?

A - The quarantine is stored in a way that can be opened by our software only, but it is not encrypted. It is not advised to encrypt the folder containing the quarantine as it will impact the performance on read and write operations.

Q - If they must use a Windows-based server for storing the quarantine, is it really impossible to utilize a DAG member for that purpose and do they really have to provide a dedicated 3rd computer?

A - In this case I advise to follow the documentation as it states the supported scenarios. It is possible that if they install a MSSQL server on the same server and point to it, it will work, but this can impact the performance, and since it's not a supported scenario according to the documentation, if there are any issues, we won't be able to support it as it is not tested.

 

Best Regards: Tamas Feher, Hungary.