Virus Scanning and Exchange 2007 Message Flow

I have been wanting to post this for a while, but you know how things are … comments and views please.


Message flow within an Exchange Server 2007 organization is based on the server roles. In a single AD site, all messages flow between the Mailbox and Hub Transport server roles.

1.1.1 How messages flow within a single site

When a user sends a message to a user who has a mailbox on an Exchange server in the same Active Directory site, the following steps occur:

1. If the user is using a MAPI client such as Outlook, the message is submitted to the computer running the Mailbox server role.

2. The message is forwarded to a computer running the Hub Transport server role using a MAPI connection. The Hub Transport server applies transport rules, expands any distribution lists, and determines where to route the message.

3. The message is routed to the Mailbox server and the client is notified that the message has arrived.

4. Outlook Web Access and Exchange ActiveSync always connect to the Client Access server role and submit messages through the Client Access server role. After the message is submitted, the message flow continues as described previously.

Figure 1: Steps 1 to 3

Figure 2: Step 4

1.1.2 How messages are routed to the Internet

5. If you have deployed an Edge Transport server, all messages sent to the Internet or received from the Internet are passed through the Edge Transport server. For outbound messages, the computer running the Hub Transport server role forwards the messages to the computer running the Edge Transport server role, which applies transport rules and filtering for outbound e-mail, and then forwards the messages to the Internet. Inbound messages are sent to the Edge Transport server, which applies message filtering, and then forwards the messages to the Hub Transport server.

Figure 3: Step 5

1.2 Anti Virus Scanning

Exchange 2007 can virus scan messages on an Exchange 2007 server with either a Mailbox or Hub Transport role installed.

1.2.1 Exchange Server-based solutions

Microsoft recommends that you install server-side antivirus software on every Mailbox server and Hub Transport server in your organization. On Mailbox servers, antivirus software scans mailbox and public folder databases. On Hub Transport servers, antivirus software scans messages as they are sent between users. You also can deploy spam filters on Hub Transport servers to filter messages for spam sent inside your organization.

1.2.2 Exchange Server 2007 Antivirus Features

Viruses often spread between organizations via e-mail. By stopping all messages that contain viruses at your messaging environment’s perimeter, you can better protect your organization. If infected messages get into the organization, it is important that the virus is detected as soon as possible. To achieve this goal, Exchange Server 2007 includes the following virus protection improvements:

  • Continued support of the Virus Scanning API (VSAPI). In Exchange Server 2007, Microsoft has maintained support for the same VSAPI used in Exchange Server 2003. This VSAPI will be used by any antivirus software that runs on Mailbox servers.
  • Use of transport agents to filter and scan messages. Exchange Server 2007 introduces the concept of transport agents, such as the attachment filtering agent, to reduce spam and viruses. By running attachment filtering on the Edge Transport or Hub Transport servers, you can reduce the spread of malware attachments before they enter the organization. Additionally, third-party vendors can create transport agents that perform virus scans. Because all messages must be passed through a Hub Transport server, this is an efficient and effective means to scan all messages in transit inside the organization.
  • Use of antivirus stamping. Antivirus stamping reduces how often a message is scanned as it moves through an organization. After a message has been scanned once, the message is stamped with information that specifies the version of the antivirus software that performed the scan and the results of the scan. This antivirus stamp travels with the message as it is routed through the organization, and also is used to determine whether additional virus scanning must be performed on a message.

1.3 What to scan?

If you are using Exchange 2007, with no external access to OWA or Outlook, and you have desktop antivirus software, then it is reasonable to only virus scan on servers with the Hub role.

Scanning only on Hub servers will not prevent a virus from being saved into a mailbox, but it will stop the virus from proliferating around the messaging system.

If, however, a client can access a server from outside the organisation, where you cannot verify that the client has antivirus software, then you should install antivirus software on Mailbox role servers too.

Virus scanning on a mailbox role will increase the memory and CPU usage of a server.
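
The following is an added example, not part of the original post: a small Python model of the message flows in sections 1.1.1 and 1.1.2 that shows which flows a given scanner placement covers and how antivirus stamping reduces repeat scans. The stamp contents (engine version plus result) follow the description above; the rule "skip the scan when a clean stamp from the same engine version is present" is an assumption, and the model covers message routing only, not items written directly to a mailbox.

```python
# Added example: toy model of the message flows and antivirus stamping above.
# Role names follow the page; the stamp fields and skip rule are assumptions.
PATHS = {
    "internal MAPI": ["Mailbox", "Hub", "Mailbox"],
    "internal OWA/ActiveSync": ["ClientAccess", "Mailbox", "Hub", "Mailbox"],
    "outbound Internet": ["Mailbox", "Hub", "Edge"],
    "inbound Internet": ["Edge", "Hub", "Mailbox"],
}


def covered_paths(scanned_roles):
    """Return the flows in which at least one hop runs a scanner."""
    roles = set(scanned_roles)
    return {name for name, hops in PATHS.items() if roles & set(hops)}


def scan_count(hops, scanners, stamping=True):
    """Count scans along one flow; scanners maps role -> engine version."""
    stamp = None
    scans = 0
    for role in hops:
        version = scanners.get(role)
        if version is None:
            continue  # no antivirus software on this role
        if stamping and stamp == (version, "clean"):
            continue  # assumed rule: trust a clean stamp from the same version
        scans += 1
        stamp = (version, "clean")  # stamp records version and result
    return scans


if __name__ == "__main__":
    print("Hub only covers:", sorted(covered_paths({"Hub"})))
    print("Edge only covers:", sorted(covered_paths({"Edge"})))
    both = {"Mailbox": "engine-1", "Hub": "engine-1"}  # constructed versions
    for name, hops in PATHS.items():
        print(name, scan_count(hops, both, True), scan_count(hops, both, False))
```

With scanners on both Mailbox and Hub roles, stamping brings each flow down to a single scan, while mismatched engine versions on the two roles cause every scanning hop to rescan.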
