Capacity guidance for Exchange server roles
The following sections provide descriptions of each of the Exchange Server roles running Forefront Protection 2010 for Exchange Server (FPE) along with applicable guidance around performance.
Exchange Edge server
Exchange Hub server
Exchange Mailbox server
Exchange Multi-Role Server
Exchange Edge server
In the Exchange Edge Server role, the SMTP data stream flows into an organization and message hygiene is performed. Message hygiene includes antispam, antivirus, antispyware, and custom filtering. The FPE protection technology software resides on this server along with the Microsoft Exchange Transport service. The messages that pass an enterprise’s message hygiene are routed to the appropriate Hub server for additional routing. By default, messages that have undergone scanning as part of the message hygiene at the Edge are not scanned again at the Hub server.
As with all servers, you need to consider global performance factors when estimating the full impact on capacity. You also need to consider the following factors that impact FPE performance: SMTP load, spam, and filtering.
On the Edge server it is critical to understand the load requirements for performing message hygiene. This can be broken down into two main components: SMTP traffic that results in “clean” messages delivered to a user in your organization, and SMTP traffic detected as spam or as infected messages containing malware. The Edge server running FPE can also be configured to send outgoing email from your internal users, but the load from this activity is fairly minimal. You can assess your current message load by monitoring the following performance counters using Windows Performance Monitor:
Over a 24 hour period you can obtain the average and peak message load. The messages received/sec indicates the SMTP traffic entering the Edge server and the messages sent/sec indicates the messages that are sent from the Edge server to the Hub server.
By default, the FPE premium antispam capabilities are enabled on the Edge server. In some cases over 90% of the incoming SMTP traffic is identified or discarded as spam. This is achieved in two key areas within the transport pipeline: in the IP reputation service and in the content filtering service.
The incoming SMTP traffic first enters the IP reputation service, and if not discarded, is then sent for further processing in the pipeline by the spam content filtering service. If the SMTP traffic passes the content filtering service, the message is then scanned for filter matches and malware. It is important when considering message rate for capacity that you distinguish between the overall incoming message rate which includes all spam, the message rate that is processed by the content filtering service, and the message rate that is processed by the antimalware and filtering agents.
A 90.16% overall spam detection rate, which includes all IP reputation discards and a 15.7% spam detection rate in the content filtering service, is used to predict the overhead needed for the FPE premium spam filtering capabilities. These numbers are displayed and adjusted using the FPE capacity planning tool if the antispam functionality is enabled on the Edge Transport or Hub Transport server. The following graph shows the overhead associated with the FPE premium spam filtering based on the message rate entering the content filtering services and the number of server cores.
Keyword and file filtering
For capacity planning purposes, keyword and file filtering are taken into consideration although there are additional filtering capabilities such as subject line and sender-domain filtering. The latter, based on the data received, do not significantly impact capacity planning.
There are four levels of keyword filtering that your organization may employ.
Light: 1 – 115 keyword filter entries
Moderate: 116 – 230 keyword filter entries
Heavy: 231 – 345 keyword filter entries
Very heavy: 346 – 460 keyword filter entries
For capacity planning purposes, there are three levels of file filtering that your organization may employ.
Light: 1 – 20 file filter entries
Moderate: 21 – 40 file filter entries
Heavy: 41 – 60 file filter entries
As each message passes the content filtering service and enters the antimalware and filtering agents of FPE, keyword and file filtering is conducted. There is a correlation between the number of filtering entries that need to be identified and the performance impact based on the number of messages being processed.
The following graphs show the four-core and eight-core keyword and file filtering overhead.
Exchange Hub server
In the Exchange Hub server role, the FPE protection technology software resides on this server along with the Microsoft Exchange Transport service. The Hub Server role is similar to the Exchange Edge Server role, with a few differences. First, by default, FPE premium antispam functionality is not enabled. Second, by default, any messages scanned on the Edge server that are routed onto the Hub server are not scanned again for malware, though custom filtering is performed. Third, and most importantly, the Hub Transport server provides message hygiene from different message streams, specifically the data that is routed from the Edge Transport server and the data that originates from and is destined to an internal user.
As with all servers, you must consider global performance factors when estimating the full impact on capacity. You also need to consider the following factors that impact FPE Hub Transport server performance: SMTP routed to the Hub Transport from an Edge Transport server, spam, filtering, and messages routed from and to internal users.
Edge Server message traffic
As mentioned previously, the Edge servers route their messages to a Hub Transport server that performs message hygiene and eventually routes the message to the targeted users. In most scenarios, Edge Transport scanning is sufficient and rescanning on the Hub Transport server is not performed (FPE will not rescan messages if they have already been scanned on the Edge). Therefore, the performance impact on the Hub Transport server from the Edge Transport server message traffic is minor and can be excluded. Otherwise, the performance implications of the incoming message rate should be included in the overall capacity.
Normally an organization uses the Edge Transport server or an external mechanism, such as spam filtering in the cloud or a spam-filtering appliance, to pre-process messages before they are routed to the Hub Transport server. If this is the case, no overhead related to spam needs to be taken into consideration. However, if this is not the case, and the Hub server is used for routing as well as for the initial message hygiene, then capacity should be evaluated using the detailed information for the Exchange Edge server role.
Keyword and file filtering
You can configure different keyword and file filter lists on the Hub Transport server. However, the number of keyword and file filter lists is normally much smaller than on the Edge Transport server, because Hub server filtering mainly applies only to internally routed email. For details about the impact of keyword and file filtering, refer to the Keyword and file filtering section in Exchange Edge server.
Internal email traffic
Internal email traffic originates from inside the organization and is destined for users inside the organization. This mail is routed through the Hub Transport server where message hygiene is performed. Therefore, it is necessary to understand the back-end user load for a given Hub server. This is the number of users and their user load profile, which is used to calculate the amount of internally routed mail.
The Microsoft Exchange Server Profile Analyzer can help in determining the user load profile of your organization. The result is the number of messages sent and received per day per user. The following graph shows the maximum number of downstream mailboxes supported given different configurations (# of cores in server - # of engines / engines and performance setting).
This graph is based on no impact other than internal message processing. To adjust the number of supported downstream mailboxes, you should evaluate the overall CPU utilization impact from the Exchange Edge server section and divide this by the 75% utilization factor. In order to do this, you must know the incoming message rate from the Edge server as well as the message rate contribution from the internally sent mail. The internally sent mail message rate can be approximated from the following equation:
Rate (Msgs/Sec) = (<# of Mailboxes>*<UserLoadProfile>*60%)/(8Hrs*60(min/hr)*60(secs/min))
It is necessary to explain how the 60% number is determined. In different environments, approximately 80% of the total user load profile traffic is received by the user while 20% originates from the user. Out of the 80%, approximately 25% are messages that are received from outside of the organization, which leaves 75% of the received mail, or 80% × 75% = 60% of the user load profile, arriving from internal senders. Therefore, out of the number of mailboxes being supported downstream from the Hub Transport server, 60% of this mail is targeted for these users and must be scanned at the Hub. This data is then transformed into messages per second for an 8 hour day, a conservative measure.
For example, if a user had the following settings:
Keyword filtering: Light
File filtering: Light
Edge message traffic into Hub server: 10 Msgs/Sec
Number of downstream mailboxes: 10,000
User load profile: 100 Msgs/Day
Configuration: 4 Cores - 5/One
Message rate for internal mail: 20.83 Msgs/Sec
The CPU impact is calculated by determining the keyword and file filtering for a message rate of 20.83 messages per second (approximately 10%) and then looking at the CPU load for scanning with the 20.83 messages/second from the Edge server graph (10%). This produces a 20% overhead and you would have to reduce the maximum supported downstream number of mailbox users by 20%/75% or 26.67%. Looking at the previous graph at 100 messages per day user load profile, this results in a maximum value of 35200, which is greater than the 10,000 initial users. Therefore, this is a viable supported scenario.
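The Hub calculation above, written out as an added Python example (not part of the original page or of the FPE capacity planning tool). The overhead percentages and the unadjusted graph maximum are inputs that must be read from the graphs; the 48,000 in the sample call is an assumed reading, back-computed from the 35,200 result stated above.

```python
from dataclasses import dataclass

WORKDAY_SECONDS = 8 * 60 * 60  # the page's conservative 8-hour day
TARGET_CPU_PCT = 75.0          # CPU utilization the capacity graphs assume


def hub_scanned_share(received=0.80, external_of_received=0.25):
    """Share of the user load profile scanned at the Hub (page: 60%)."""
    return received * (1.0 - external_of_received)


def internal_rate(mailboxes, msgs_per_user_day):
    """Internally sent mail rate in messages per second."""
    return mailboxes * msgs_per_user_day * hub_scanned_share() / WORKDAY_SECONDS


@dataclass
class HubCheck:
    rate: float           # msgs/sec to look up on the overhead graphs
    overhead_pct: float   # summed CPU overhead read from those graphs
    reduction_pct: float  # overhead / 75, as a percentage
    adjusted_max: float   # graph maximum after the reduction
    viable: bool          # adjusted maximum still covers the mailboxes


def check_hub(mailboxes, msgs_per_user_day, graph_max, overheads_pct):
    """overheads_pct and graph_max are values the reader takes from the
    page's graphs; this function cannot derive them."""
    if mailboxes <= 0 or msgs_per_user_day <= 0 or graph_max <= 0:
        raise ValueError("mailboxes, load profile and graph maximum must be positive")
    if any(o < 0 for o in overheads_pct):
        raise ValueError("overhead percentages cannot be negative")
    overhead = float(sum(overheads_pct))
    # Overhead at or above the 75% budget leaves no capacity for mailboxes.
    remaining = max(TARGET_CPU_PCT - overhead, 0.0)
    adjusted = graph_max * remaining / TARGET_CPU_PCT
    return HubCheck(internal_rate(mailboxes, msgs_per_user_day), overhead,
                    100.0 * overhead / TARGET_CPU_PCT, adjusted,
                    adjusted >= mailboxes)


if __name__ == "__main__":
    # Page's worked example. 48,000 is an assumed graph reading, back-computed
    # from the page's 35,200 result; 10% + 10% are the page's graph overheads.
    r = check_hub(10_000, 100, graph_max=48_000, overheads_pct=[10, 10])
    print(f"{r.rate:.2f} msgs/sec, overhead {r.overhead_pct:.0f}%, "
          f"reduce by {r.reduction_pct:.2f}%, max {r.adjusted_max:.0f}, "
          f"viable={r.viable}")
```

The same overhead / 75 reduction applies to any graph maximum that was plotted at 75% CPU utilization, so the function can be reused with a different `graph_max` reading.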
Exchange Mailbox server
In the Exchange Mailbox server role, the FPE protection technology software resides on this server along with the Microsoft Exchange Information Store service. In addition to scanning messages accessed on the server in real-time, FPE can perform a scheduled scan, on-demand scan, and be configured to scan messages based on the age of the message and the occurrence of an engine or definition update.
As with all servers, you need to consider global performance factors when estimating the full impact on capacity. You also need to consider the following factors that impact FPE Mailbox server performance: scheduled scanning, on-demand scanning, scanning after engine updates, and user load.
Scheduled scanning is typically used to scan the entire store associated with a Mailbox server. This can have a profound impact on the resources of the mailbox store if run during peak or heavy usage periods. Therefore, the scheduled scan should only be run during off-peak hours. If this is done, the capacity that has been defined should be more than adequate to accommodate the scheduled scanning load.
On-demand scanning functionality is intended to perform an ad-hoc scan of a targeted set of mailboxes. As with scheduled scanning, this adds additional overhead to the mailbox server. However, if the on-demand scan is configured to scan a small number of mailboxes or at off peak hours, there is no need to factor in any additional capacity for this scanning activity. Note: The performance of the on-demand scan is directly related to the number of messages and size of the mailboxes being scanned.
Scanning after engine updates
As an administrator, you can enable the Scan after engine update option for the real-time scan in the user interface or by entering a Windows PowerShell command in the Forefront Management Shell. If this option is enabled, any message that is accessed is rescanned if the engines or definitions on the mailbox server have changed. This functionality is an extra level of protection designed to catch day zero outbreaks and should only be used during a virus outbreak until all servers are guaranteed to be clean. Although this scenario does not occur often, it is recommended that you size your hardware to a level that leaves an additional 10-15% capacity from full utilization in order to accommodate such scenarios or extreme peak activity.
The user load profile is a sum of the number of messages that are sent and received by a user on a daily basis. The Microsoft Exchange Server Profile Analyzer can be used to help calculate this load. The following graph shows the maximum mailbox capacity based on this number. Because most of the scanning of messages is performed on the Edge and Hub servers, the load is fairly light and consistent. Therefore, the graph shows overlapping data grouped with the four-core and eight-core configurations because the numbers are tightly correlated independent of the configuration.
Exchange Multi-Role Server
The multi-role server supports the Exchange Hub Transport server and Exchange Mailbox server roles. In addition, the Client Access Server (CAS) may also be hosted on this computer, so understanding the performance implications is more complicated. First, by default, there are a total of eight scanning processes doing work for FPE: four associated with transport scanning and four associated with mailbox scanning. Second, the configuration of the Hub server must be taken into account for situations where spam and filtering capabilities are enabled.
As with all servers, you need to consider global performance factors when estimating the full impact on capacity. You also need to consider the following factors that impact FPE Multi-Role server performance: scanning process alignment and Hub configuration.
Scanning process alignment
As stated previously, the optimal performance is when the number of scanning processes matches the number of cores, up to eight cores. However, in the multi-role server, the default number of scanning processes is eight, four from the Hub portion and four from the Mailbox portion. It is not recommended to reduce the default settings to align the number of processes with the number of cores on anything less than an eight-core server. The following graphs include data for eight-core configurations and it is best to use the FPE capacity planning tool in order to understand the capacity planning implications for four-core computers.
Because the Hub portion of the multi-role server can be used to perform message hygiene, it is necessary to account for the additional overhead based on the expected functionality. The following graphs show the multi-role server mailbox capacity and the associated recommended memory. This is for a default configured Hub server without any additional spam and filtering capabilities enabled. The graphs also reflect the capacity based on a 75% CPU utilization of the targeted server.
To account for the configuration of the Hub, use the graphs for the Exchange Edge server for spam, keyword filtering, and file filtering to obtain an overall overhead number (X%). This would then be used to understand the maximum capacity by reducing it by a factor of X/75.
Again, it is recommended that you use the FPE capacity planning tool if using anything other than the default five engines and “subset” as your engines and performance configuration selection.