The projects listed here are some of the significant ones I have been involved with over the years, illustrating my knowledge, experience, and management in various areas of IT. As a consultant with so many projects over the years, I have omitted the many smaller ones that are similar in nature to those listed, so that relevant information is not lost in duplication. For example, I have designed, deployed, and administered Active Directory (AD) in every version since Windows 2000 was released, so listing every project involving AD would be a waste of space and of your time.
Large VMware Environment Upgrade & EMC SAN Deployment
The VMware infrastructure suffered from stability and performance issues resulting in regular service interruptions, which negatively impacted availability and users' productivity. The primary goal was to assess the environment and provide a direction to solve these problems. A secondary goal was to evaluate upgrading to the latest VMware release, which had already been purchased, and to plan a restructuring of the new environment optimized for the unique usage of VMware within the company.
The existing virtual infrastructure consisted of 10 ESX host servers running v3.5.0, utilizing an EMC CX3 SAN providing 36TB of usable datastore storage. Configuration of the ESX host servers was non-standard and not optimized for performance. With a uniquely high quantity of virtual machines, 1129 in total, all ESX host servers were almost continuously 80-100% utilized. vCenter was used/accessed by 59 users for VM tasks and operations.
Analyzed and documented the existing infrastructure, interviewed key resource owners, and developed the new environment design/plan for implementation. The new EMC SAN had very specific requirements: storage was not to be shared between departments, with allocation custom configured per storage enclosure, separating storage so that one department's virtual machines could not impact another's and allowing future storage expansion to be purchased by the department requiring it. The implementation was performed with minimal impact through a cycled upgrade to the latest ESX 4.x on 9 Dell R900 servers designed for maximum performance. Additional project items included:
- Designed and set up easy-to-use SQL database views for advanced users to run reports against VMware data.
- Created customer-tailored documentation as follows:
  - "VMware Infrastructure Assessment and Recommendations" detailing the existing infrastructure, key factors affecting the project, migration strategy/plan, and recommendations.
  - "vSphere ESX 4.x Deployment Instructions" for the customer, including details on all customized settings, Jumbo Frames for vmKernel interfaces, and overall VMware setup.
  - "ESX Users Best Practices Guide" providing recommendations for VMware virtual machine configuration and maintenance based on best practices, to ensure maximum performance/stability for the overall environment, VMs, and ESX host servers.
  - "vCenter Database Information Access How-to" for advanced reporting and data mining of the VMware SQL database for vCenter.
  - "EMC Procedure for Provisioning New Storage" outlining the procedure for configuring the new EMC storage to provide optimum and targeted storage hosting via NFS exports on the Celerra head unit.
  - "VMware Assessment & Upgrade Project Conclusion" detailing project completion achievements, benefits, and improvements; continued strategies and post-project recommendations.
- Defined 2 separate cluster groups for Applications Engineering & Platform Engineering specific to Engineering virtual infrastructure resources, and 1 cluster for Corporate IT.
- Deployed the newly purchased vKernel Reporting VM appliance, used for reporting on the virtual environment with reports detailing efficiencies to save resources/money.
- Assisted with the off-site Business Continuity Plan (BCP) implementation, which utilized the external service provider Datapipe for hosting copies of critical virtual machines.
- Utilized VMware vCenter Server 4 Standard and vSphere 4 Enterprise Plus licensed features by configuring vNetwork Distributed Switches, vCenter Update Manager, High Availability, vDR, Storage vMotion, and others.
The final datacenter virtualization solution included the VMware ESX 4.x hypervisor on multiple servers; vCenter providing centralized management with High Availability (HA), vMotion, and ESX host patch management; the VMware vDR appliance for backups; and the customized deployment of a new EMC CX4 SAN with a Celerra (NS-480) appliance providing NFS NAS connectivity for the VMware host servers using 10GB fiber networking to prevent a communications bottleneck.
The project resulted in the following customer benefits:
- Upgrade to the latest released VMware software version, providing better stability, scalability, performance, and new enhanced features. Maximized the value of the VMware annual subscription by deploying the latest software, which the customer is already paying for and entitled to.
- Separation of the managed VMware infrastructures for IT and QA/DEV, resulting in improved performance, access control for the IT environment, and isolation to prevent a single point of infrastructure failure. The separation also provides unrestricted continued planned growth for the QA/DEV environment.
- Optimized ESX host servers now provide full remote server console access via "Dell Remote Access Card" (DRAC), hardware-level health monitoring and alerting, up-to-date hardware firmware for stability and features, and utilization of additional network adapters for segmentation of target communications for improved performance.
- High Availability (HA) actively used to provide continued operation of critical virtual machines within the IT infrastructure, ensuring internal and public services availability in the event of an ESX host server loss.
- New online VM backup functionality provided by VMware Data Recovery (vDR) allows for effective backups to a storage-efficient "de-duplication" store.
- Deployment of reporting facilities for VMware infrastructure reporting, providing valuable information used to further optimize the environment and assist with ongoing maintenance. Reporting solutions include the 3rd party VMware reporting application vKernel and Microsoft SQL 2008 server database queries using custom views for easier end-user data usability.
- New EMC SAN pre-configured for optimum performance, specifically designed with separate storage channels per VMware group for impact isolation and per-group capacity scaling/expansion.
- Notable VM performance improvements over the previous infrastructure, contributing to higher environment utilization and increased user productivity.
- Discovered a critical hidden problem in the VMware centralized management database used by vCenter v2.5, which was resolved prior to and during the upgrade, preventing continued performance issues.
- Identification of key factors in the unique use of the VMware environment, providing optimum future hardware investment strategies and user education for improved utilization and use.
- Enhanced networking design and configuration using adapter teaming and Jumbo Frames, providing fault tolerance with improved networking performance.
Medium Sized Business Infrastructure Consolidation & Virtualization
The customer had multiple offices world-wide, with the headquarters containing the majority of the servers accessed by all locations, except for remote offices using a local server for common functions such as printing, authentication, and some network file shares. The infrastructure consisted entirely of rack-mount or tower servers with no centralized shared storage such as a SAN/NAS. Additionally, remote offices ran older Exchange services, with mail routing handled by headquarters (referred to as HQ from this point). The large number of individual servers in the company caused increased maintenance, inflexible/limited local server storage expansion, and increased operating costs due to power and cooling requirements, just to name a few.
With virtualization on the horizon as an enabling technology, and VMware having been in the arena for years and having just released their ESX 3.0 software, it was a good time to improve the server infrastructure. Assessment was the first step: determine all server resources (i.e. OS, hardware dependencies, services, and storage) and generate an infrastructure resource matrix for determining the requirements of the new primary HQ virtualized datacenter. The second step was designing a new, improved, consolidated infrastructure based on many factors: (1) current infrastructure; (2) business requirements; (3) future business needs outlook/forecast; (4) optimized IT environment; (5) improved services and security; (6) reduced operating and maintenance costs.
The final step was to implement the new design in multiple stages, so that each element was deployed as transparently as possible with minimum negative impact on user productivity. The first phase was to deploy the new, updated Windows 2003 R2 forest on the VMware virtualized datacenter and integrate the forest/domain with all existing ones. Additionally, a new Exchange 2003/2007 infrastructure was introduced in the first phase to prevent issues after going live with the new domain resources. Critical infrastructure elements handled by the legacy domains were transferred to the new one, for example DNS, DHCP for multiple subnets, and WINS. The Exchange servers deployed in this phase provided organization-wide email gateway and routing functionality to all legacy mail systems.
The following stages included consolidating various network services and applications from the old to the new infrastructure, utilizing the available resources as fully as possible to reduce the number of Windows virtual machines required/deployed. Users' legacy mailboxes were migrated to the new Exchange systems, and client systems were updated to use the latest features of Exchange 2003/2007, providing mobile PDA email capability (aka "Mobile Exchange"), Outlook Anywhere (without VPN), and the Office 2007 Outlook profile auto-configuration (aka "Auto Discovery") feature.
The final datacenter virtualization solution included the VMware ESX 3.x hypervisor on multiple servers, including blade and rack-mount hardware; Virtual Center (now known as vCenter) providing centralized management with High Availability (HA), vMotion, and ESX host patch management; VMware Virtual Consolidated Backup (VCB) for online backups of VMs, used with Symantec Backup Exec; and a mixture of VMware drive storage including standalone RAID 5 arrays, with an EMC CX300 SAN deployed for the datacenter.
The project resulted in the following customer benefits:
- Reduced physical servers dramatically and decommissioned over 25% of Windows Servers.
- New centralized SAN storage provides flexible and extensible capabilities for future transparent growth requirements.
- Virtualized infrastructure now provides high availability (HA) protection, full virtual machine (VM) backups, and a flexible, ready asset infrastructure for new VMs as needed.
- New Exchange 2007 mail server infrastructure providing better security, features, and functionality, directly improving end user productivity while lowering IT maintenance costs.
- Updated versions of Windows operating systems, servers, and various network applications migrated/consolidated during the project, providing the latest stable and supportable environment.
- Improved overall security using newly deployed operating systems and applications.
- Easy future hardware upgrade path, as VMs can be migrated to newly purchased hardware after the VMware hypervisor has been installed.
- New Windows forest/domain infrastructure designed with HA and fault tolerance for critical domain services, such as multiple domain controllers (DC/GC roles), redundant DNS/DHCP/DFS/WINS servers, and redundant Internet mail gateway servers.
Hyper-V Migration & VMware Redeployment Consolidation
The existing virtual infrastructure consisted of 2 Microsoft Hyper-V servers managed by Microsoft SCVMM using standalone storage, and 3 VMware ESX v4.0 servers managed by vCenter using an EqualLogic PS SAN. Configuration of both virtual environments was inconsistent and not optimized for performance, with features of both virtualized environments either not configured or improperly configured.
The project objective was to deploy a new VMware virtualized environment using 3 newly purchased Dell R610 servers and a Dell MD3000i SAN with dual storage processors/controllers for performance and fault tolerance. Important goals were to consolidate to a single virtualization solution to minimize maintenance, maximize performance of virtual machines, increase storage, and improve operating costs through consolidation. Secondary objectives were to allow for growth of the virtual environment to accommodate new virtual machines required for QA/DEV testing.
Designed/deployed new ESXi v4.1 servers using the MD3000i SAN, all configured for optimum performance by configuring Jumbo Frames, dedicated and teamed network adapters, and SAN controllers balanced with storage LUNs for best performance/throughput, and by enabling all licensed features available, such as vMotion, for full utilization of the purchase and its functionality. Migrated, converted Hyper-V VMs as needed, and optimized 38 production VMs in the new environment. Increased the VM count to 51 active production VMs with improved performance and increased storage. A new replacement vCenter was deployed running the latest version and configured for maximum effectiveness, using clusters for high availability, alarms for active alerting, automatic VM startup/shutdown, and various other vCenter capabilities. The MD3000i SAN and ESX servers use multipath connections over a dedicated pair of IP storage switches for load-balanced iSCSI connectivity and fault tolerance, preventing single points of failure.
The project resulted in the following benefits:
- Robust VMware virtual infrastructure designed for performance and ease of maintenance, and capable of scaling as needed using existing equipment.
- Fault-tolerant networking using dedicated SAN storage multipath networks ensures storage connectivity, prevents single points of failure, and allows for flexible minor network changes as needed.
- Utilization of all licensed features by properly configuring ESX host servers for full use and capabilities.
- Standardized configuration for maximum VM compatibility and stability between ESX host servers.
- Granular vCenter user roles/rights combined with VM organization to provide safe and controlled access to resources.
- Defined and configured vCenter resource custom attributes to facilitate easier maintenance and access to information.
Virtualized Desktop Infrastructure (VDI)
A customer needed a virtual desktop infrastructure designed and deployed as a solution for the following needs: (1) a test environment for employees' development and application work; (2) a controlled business operating system environment for consultants; (3) a replacement model for traditional factory floor desktop computers. All these needs were addressed using four technologies: VMware ESX 3.x server hosting virtual machines running Windows XP/Vista, Windows 2003 R2 Terminal Services, a Sonicwall SSL VPN appliance, and thin client devices.
The VMware environment was designed and configured to run XP and Vista VMs in a secure network, linking the VMs to the "Client Computers" subnet instead of the normal "Trusted Servers" subnet, even though the VMs were running on a server. This configuration places all XP/Vista VM communications on the proper network subnet, isolating the communication from the "Trusted Servers" network for security purposes (i.e. monitoring, filtering, and firewall rules). Internal employees accessed their assigned VMs with Remote Desktop using RDP. VMware Virtual Center (now vCenter) was used to provide centralized management and High Availability (HA) across multiple ESX 3.x hosts.
Consultants requiring access to their assigned VM internally used the same method as employees, but additionally needed a secure and controlled access method when outside the company network; for security reasons, consultants did not have VPN access. The solution was to deploy the Sonicwall SSL VPN appliance, not to provide VPN access, but to use the appliance's "Web Portal" functionality. This allowed consultants to securely log onto the HTTPS portal web interface and use a web-based RDP client to access only their assigned VM, with the Sonicwall appliance acting as a secure proxy between the consultant and the internal VM. Additional Sonicwall appliance security configurations isolated the consultants' access to only that resource, improving security while also making it extremely easy to use. Note: at the time of the project Windows 2008 had not been fully released; otherwise, using Microsoft's ISA 2006 in conjunction with Windows 2008 Terminal Services Gateway would have been a better solution.
The factory floor desktop computer replacement model used a low-cost thin client and Windows Terminal Services 2003 R2. The thin client provided protection for the tough factory environment, as it was fan-less and used flash memory running Linux with an RDP client for communication to the Terminal Server. Designing and deploying the Terminal Server to be secure, with restrictions so that the user could only run the factory test software, took a combination of AD Group Policy and Terminal Server configuration. The end solution provided a secured and controlled factory console workstation that cost-effectively replaced the desktop solution. Additionally, deploying a $150-$200 thin client is fast and easy, with none of the issues associated with traditional desktops such as virus infections, users changing settings (or playing), unauthorized software, and continuous patch management.
The project resulted in the following customer benefits:
- Employee VMs without the requirement for additional computer systems.
- VMs isolated to prevent issues between VMs when employees do testing.
- Quick VM state recovery when problems arise, using snapshots and full VM backups.
- Easy and fast VM deployments when needed, using VM templates.
- A controlled environment for non-employees, preventing outside operating systems from interacting with domain resources, for security purposes.
- Secure and monitored access from the Internet for individuals (i.e. consultants) without the need for VPN access.
- Reduction of traditional desktop computers with a solution providing a safe, restricted, comparable environment free of user tampering at a fraction of the cost (i.e. thin clients and TS).
- Centralized Terminal Server application updates, saving IT staff the time to update individual factory floor systems.
- Scalable solution for providing desktop environments to employees and non-employees alike.
Company Wide Security Infrastructure Overhaul
The customer had an aging and minimal security infrastructure across multiple offices that required a redesign and overhaul to properly protect against various security-related situations: malicious attacks/abuse against publicly accessible services, internal malware infections (to be prevented and/or contained), active monitoring and alerting of infrastructure events, and secured, controlled access to internal network resources for authorized individuals. A full assessment of the current infrastructure and related business IT operations was conducted to determine all aspects of building the new security infrastructure.
The network subnets were restructured to both define subnet classifications (i.e. "Trusted", "Untrusted", "Servers", "DMZ", etc.) and isolate/control communications on and between segments. Servers accessible from the Internet were locked down (i.e. OS/application hardening), placed within the appropriately classed subnet zone, and firewall filtering was applied to restrict communications to those required for proper operation of the servers.
Malware control was addressed with various measures, such as host-level firewall configurations on server and client systems to prevent all unauthorized and unexpected communications, Internet firewall monitoring and active alerting for events, updated anti-malware (i.e. anti-virus, anti-spyware, etc.) software on all hosts, and centralized anti-malware management software using McAfee EPO.
Secured, controlled access was accomplished by deploying new wireless access points configured for maximum security, locking down and hardening the VPN servers, and deploying a new remote access appliance providing secured, controlled non-VPN access to internal resources. Network-level monitoring providing detailed real-time visibility of internal/external/office-to-office communications was accomplished with various solutions, including 3rd party open source tools (Snort, NTOP, MRTG, etc.) and custom software I developed for network monitoring/alerting.
Additionally, to provide full network resource monitoring, all servers, firewalls, wireless access points, and other devices were configured to log events to centralized logging applications for active notification and historical purposes. This logging provided proactive security handling of events as well as network details and overall status visibility. The monitoring of the Windows systems was further extended by custom software I developed in conjunction with various commercial products (such as SQL Server) to provide granular details such as server storage status, DNS/WINS/DHCP activity, and enterprise backup activity status.
The new security infrastructure implemented provided effective protection for the customer, with a zero major incident rate in over two years of operation and only one minor incident, which was detected and effectively resolved. Another positive side effect of the complete network visualization was that regularly scheduled IT maintenance was made more effective, because IT was aware of who was actively using server resources before, during, and after maintenance without extra effort and time to gather such information.
The project resulted in the following customer benefits:
- Rogue wireless access point active detection and alerting.
- Real-time remote VPN monitoring with detailed session information containing the logged-in user, remote system public IP address, dynamically assigned internal VPN endpoint IP address, operating system, and connection statistics.
- Internet firewall protective features such as network-level anti-virus, IDS/IDP, protocol inspection and filtering, granular rules protecting both inbound and outbound communications, and real-time logging/alerting of critical events.
- Centralized enterprise-wide auditing, logging, and alerting from all infrastructure items, such as Windows Server operating systems, firewalls, routers, various network appliances, wireless access points, applications, and server products (i.e. Exchange, SQL).
- Host-level protection for mobile systems while outside the safety of the company networks.
- Enterprise-wide visualization of events, storage capacities, network utilization, and critical operational activities.
- Proactive notifications to IT for events of interest, with complete detailed historical data from multiple sources allowing quick and effective research.
Small Business Subsidiary Pilot Virtualization
The customer was a small business, but a subsidiary of a Fortune 500 company, wanting to replace their currently leased individual rack-mount servers and move to a virtualized infrastructure after I had discussions with them about virtualization. Working directly with the company's Administrator on this project, I recommended VMware as the virtualization hypervisor, as it had been in the market for years and was a mature, stable product. My role in the project was to provide the strategy and technical assistance to the Administrator, who performed all the work, as he was completely new to virtualization and would need to understand it to support the new environment.
At the time of the project the parent Fortune 500 company had not engaged in any virtualization efforts, and this was to be the first pilot project. I provided the Administrator an executive overview write-up of the virtualization project, which was submitted for approval, received great interest from the parent company, and was approved. Assistance commenced with the Administrator on virtualization concepts, requirements, project-specific details, and recommended server hardware. The Administrator procured all project-related items and deployed two new VMware servers with technical assistance and guidance from me. One server was to be the primary production system, while the second was to perform maintenance/monitoring duties while also standing ready as a failover hot spare in case a hardware problem occurred on the production system.
Even though this pilot virtualization project was a minimal implementation, the positive results and benefits of virtualization prompted the parent company to organize a new "Corporate Virtualization Team", of which the Administrator I assisted became a member, and years later he is actively working to virtualize the parent company and its subsidiaries.
The project resulted in the following customer benefits:
- Educating decision makers on new technologies such as virtualization kick-started the effort within the company to implement virtualization for all its benefits.
- Real-world hands-on training and experience for the Administrator who will be supporting virtualization.
- Virtualizing the infrastructure on leased servers allows for fast and simple future hardware upgrades at the lease interval, without requiring a traditional reload of the operating systems as was done in the past.
- Reduction of the number of leased servers required by the company, saving on annual lease costs as well as lowering operating costs such as cooling requirements and power consumption.
- Of course, all the benefits of virtualization such as improved hardware utilization, backups, etc.
Web Reporting Database System
The finance controller at a customer needed a custom web-based reporting system for the primary purpose of sales reports and generating commission information. The existing ERP system could not provide the internal customized logic applied to the sales data for determining commissions, so the ERP data would have to be imported into a new system that could. Working closely with the controller, we built the business process logic specification for the project and performed an intensive review of the ERP data to be used by the system.
Using Microsoft SQL Server as the database repository, I created a custom Windows application that imports the daily ERP sales data into the database and applies the custom business logic rules. After the sales data was inserted into the SQL database, additional rules and validation checks against the data were performed by stored procedures to ensure data integrity for accurate financial reports. A feature-rich web interface was created using Active Server Pages (ASP), hosted on Microsoft Internet Information Server (IIS) and linked to the SQL database.
Two areas of the web interface were created: the first for administering the web reporting system and database data, the second for regular users authorized to generate various web sales reports. Reporting options included easy-to-use data filters for customized report data and export of data to Excel for further analysis. Security features of the system included full logging of system use, with each user having the ability to change their password and to view a history of account logins. Granular SQL database permissions were designed to prevent unauthorized access to and changes of data within the system.
The original solution was deployed in 2002 and has been actively used as an important system for over 7 years with no major problems. Minor maintenance has been performed on the system, but only to accommodate ERP system data changes. Recent improvements to the system have included a SQL 2005 database upgrade and encryption of sensitive data; SSL encryption of web browser communications; additional stored procedures for changed business logic; and direct user access to database data using Microsoft Office products through newly created SQL Server views that properly represent the custom business logic.
The project resulted in the following customer benefits:
- Investment in an important solution that has been used for over 7 years, resulting in a high return on investment.
- Well-planned and flexibly designed system that has required minimal maintenance over the years.
- Recent changes allow users to access data directly using Office products, extending the solution and its usefulness.
- Targeted business solution that could not be, and has not been, duplicated within the customer's ERP system, as doing so would be too time-consuming and costly.
Internet Web Site Redesign & Custom CMS
The customer was redesigning their Internet web site working with two 3rd party companies, one focused entirely on the graphical design and the other providing the technical coding to implement the new design. I was contacted late in the redesign effort, a couple of months before the target launch date, because the company handling the coding stated they could not make the deadline. After evaluating the project I accepted, having determined that the deadline could be met but would be close.
Working closely with both the Webmaster and the graphical design company, we made good progress with the project. As I had developed many web sites for customers in the past, including both graphical and technical coding, I was able to identify and guide the graphics company on modifications that gave the design layout maximum flexibility for future content changes without breaking the look and feel of the visual design.
The coding was done primarily in ASP, hosted on Microsoft IIS web services using SQL Server 2005 as the database. A flexible, dynamic web page design was used, allowing all changes within the database to be reflected in real time in the template-driven web site. On that basis, a basic custom Content Management System (CMS) was created for easy web-based management of the web site. Additionally, the customer desired a "BETA" testing site for internal use, which was designed and created to link into the public site framework, reducing extra coding time and allowing for easy publishing of testing content without the need for a separate server.
Finally, the web site was completed on time and deployed, and it received welcome reviews. As an important aspect of any web site is to rank high in search engine results, known as Search Engine Optimization (SEO), it is worth noting that the web site was listed on Google's 1st and 2nd results pages. This was accomplished with my guidance in various ways, such as: using the proper meta tags and words; a dynamic database template design that ensured meta tags on pages were populated and normalized; and other SEO tricks ensuring a high ranking.
The project resulted in the following customer benefits:
- Project was completed on time and on budget, with additional features.
- Easy-to-use customized web-based CMS targeted to the customer's use.
- Flexible graphical design allowing for a larger tolerance of content changes in areas that would normally "break" the look and feel.
- High search engine ranking due to SEO guidance and coding, resulting in increased visitors.
- Industry standards used for coding and platforms, providing easy maintenance and easy future upgrades with minimal problems.
- Overall design allows non-technical individuals to easily manage the system using the CMS, while technical individuals can use the SQL database directly when preferred.
Custom Extranet for IT Helpdesk Services
The IT department needed an employee Extranet web site to support Helpdesk operations by providing self-help resources. The primary and most important goal was to provide a secure method for employees to log in using their internal domain account and, if the password had expired, to present a new-password form after authentication to update the internal domain account. Additional goals were to provide employees secured and tracked access to company-licensed software such as anti-virus. An employee self-help area was also desired to lower the demand of standard requests on the IT Helpdesk, providing internal documentation for employees on how to access their email using OWA, how to set up VPN, and other self-help documentation.
The internal domain authentication was the most important, as well as the most security-sensitive, part and required precise coding logic to ensure this
Internet-accessible feature could not be used to break into the company. The first step was to establish a new security domain to host the Extranet, with a one-way trust
to the internal users domain. Significantly locked down, and with extensive logging configured to actively notify IT of events, this new security domain was deployed
to host the Extranet web services. None of the Microsoft IIS features for domain authentication provided granular control over the process, and
no password reset model for expired accounts existed that could be used. To achieve high security, I created two custom applications, the first being a server-side
ActiveX control and the second a Microsoft MTS application used as the core account lookup and password reset piece. Because it used MTS it was transactional,
preventing issues when multiple user accounts were being processed at the same time; changing the wrong password was not an acceptable outcome.
The MTS application component incorporated strict security logic to prevent account discovery (enumeration), controlled domain authentication, and username/password filtering.
To ensure flexibility and longevity, the component was designed with AD group membership logic allowing additional "AND"/"OR" logic to be applied to requests (i.e. logins
and/or password changes) through configuration within AD rather than hard-coding. Most important was the compatibility of the MTS component with normal Windows domain security features such as
account lockout, password complexity requirements, and login account restrictions. To protect against possible future process exploits, all calls made from the
MTS component were made in the security context of the account being validated, preventing excessive-privilege exploits, which are a common security design flaw/oversight.
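The design rules above (identical denial for any failed login to prevent account discovery, username filtering, lockout compatibility, and performing the change in the validated account's own context) are illustrated by this added Go example, written for this page rather than taken from the original ActiveX/MTS code. It assumes a constructed in-memory directory standing in for the internal users domain; the account names and passwords are sample values.

```go
package main

import (
	"errors"
	"regexp"
)

// Constructed in-memory stand-in for the users domain; not a real LDAP/ADSI client.
type account struct {
	password           string
	expired, lockedOut bool
	failedLogins       int
}

type directory struct {
	accounts map[string]*account
	lockout  int // failed attempts before lockout, as set by domain policy
}

// A session exists only after binding as the user, so every later call runs in
// that account's own context rather than under a privileged service account.
type session struct{ user string }

var errDenied = errors.New("invalid username or password")
var errWeak = errors.New("password does not meet complexity requirements")

// Username filter applied before any lookup: no LDAP/ADSI metacharacters.
var usernameOK = regexp.MustCompile(`^[A-Za-z0-9._-]{1,20}$`)

// bind authenticates as the user. Bad username, unknown user, wrong password and
// locked-out account all return one identical error, so the Internet-facing form
// cannot be used to discover which accounts exist. The bool flags an expired password.
func (d *directory) bind(user, pass string) (*session, bool, error) {
	a, ok := d.accounts[user]
	if !usernameOK.MatchString(user) || !ok || a.lockedOut {
		return nil, false, errDenied
	}
	if a.password != pass {
		a.failedLogins++
		a.lockedOut = a.failedLogins >= d.lockout // domain lockout policy still applies
		return nil, false, errDenied
	}
	a.failedLogins = 0
	return &session{user: user}, a.expired, nil
}

// changePassword runs under the caller's own session: it can only touch the account
// the session was bound as, so a request-handling bug cannot reset someone else's
// password. The old password is re-checked here rather than trusted from the bind.
func (d *directory) changePassword(s *session, oldPass, newPass string) error {
	a := d.accounts[s.user]
	if a.lockedOut || a.password != oldPass {
		return errDenied
	}
	if len(newPass) < 8 { // stand-in for the domain's own complexity policy
		return errWeak
	}
	a.password, a.expired = newPass, false
	return nil
}
```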
After the solution was deployed, it became an important tool, especially for remote/mobile users whose passwords had expired, but also for general users requiring
easy-to-access self-help documentation and secured software downloads.
The project resulted in the following customer benefits:
- Invaluable secure tool for remote/mobile employees to maintain their domain account passwords.
- Extranet solution reducing standard IT Helpdesk requests.
- Secured, controlled, and tracked corporate licensed software distribution assisting in IT's ability to accurately manage licenses and track abuse.
- Integrated Active Directory logic and Windows domain security features ensuring simplicity while maintaining security standards.
|
Custom High Encryption Windows Service & Client Application
A customer providing sensitive health care information to hospitals needed a new client/server solution developed to give their customers secure, encrypted access to
the data in as easy a manner as possible, since non-technical customers would be using the system. The customer had internal developers
but decided to outsource the core development of the new system, which would eventually be maintained and enhanced by internal developers after project completion.
A strict Federal guideline on protecting health care data was the primary requirement, with secondary requirements for performance and ease of use by their customers.
Both server and client coding was done in Delphi, using encryption levels higher than those required by Federal health care standards so as to ensure future compliance with
changing encryption requirements. The server-based application (a Windows service) design incorporated a multi-threaded custom TCP/IP protocol used
for communication with the newly developed Windows client application. The server application contained the customer accounts database, with integrated logic linking
to the customer's other proprietary health care data so that it could securely transfer this data to the client application when requested. When client/server
communication was active, all data between them was encrypted in blocks specific to each client, preventing any other client from being able to decrypt
someone else's data and ensuring data privacy regardless of situation.
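The per-client block encryption described above, as an added Go example that is not the project's Delphi code: a key is derived per client and per session, and each block is sealed with AES-256-GCM under that key, so a block for one client fails to open under another client's key. The master secret, client IDs and session nonce are constructed values; a production design would agree the session key with a key exchange instead of deriving it from a static master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed stand-in for the server's long-term secret. A production design would
// agree per-session keys with a key exchange; the per-client separation is the same.
var masterKey = sha256.Sum256([]byte("constructed-example-master-secret"))

// clientKey derives a 256-bit key bound to one client account and one session (the
// server picks a fresh random sessionNonce per connection and sends it to the client),
// so key material for one client cannot decrypt blocks sent to any other client.
func clientKey(clientID string, sessionNonce []byte) []byte {
	m := hmac.New(sha256.New, masterKey[:])
	m.Write([]byte("client-block-key|" + clientID + "|"))
	m.Write(sessionNonce)
	return m.Sum(nil)
}

// nonceFor builds the 12-byte GCM nonce from the block number. Each session has its
// own key, so the counter never repeats under one key.
func nonceFor(blockNo uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], blockNo)
	return n
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlock encrypts and authenticates one data block; the block number is bound
// through the nonce, so a block cannot be replayed in a different position.
func sealBlock(key []byte, blockNo uint64, plain []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonceFor(blockNo), plain, nil), nil
}

// openBlock fails on a wrong client key, wrong block number or any modified byte.
func openBlock(key []byte, blockNo uint64, sealed []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonceFor(blockNo), sealed, nil)
}
```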
The Windows client application's requirement to be as simple to use as possible was successfully achieved with an interface that had one action button to start
the secured connection and download the data, with a wizard assisting in saving to various locations as desired. In-depth coding logic handled all expected and
unexpected circumstances, with informative interface feedback messages designed to help the non-technical user. Additionally, the client application's
logging and feedback design was implemented so that any issues on the client side were sent back to the server for technical support awareness and proactive assistance.
Upon completion of the core project, in final approval testing up to 30 simultaneous clients were connected and successfully performed operations as designed, with
server resource utilization under 30%, well within expected design specifications. As contracted, all source code and design documentation were turned over to the
customer for continued internal development and official solution deployment to their customers.
The project resulted in the following customer benefits:
- Solution developed specifically for the customer as requested, with encryption levels higher than Federal requirements ensuring an extended life-cycle.
- Source code provided so that the customer can use internal developers to continuously maintain and enhance the solution.
- Clear and detailed project documentation so that a future replacement solution can be modeled from the project, increasing the return on investment.
- Outsourcing the solution's core development freed internal developers, who additionally learned from the coding techniques used.
|
Exchange Email Systems Infrastructure Upgrade
A customer with legacy Exchange v5.5 servers located in various office locations world-wide was ready to upgrade to Exchange 2003 for security and all the
latest feature offerings. The infrastructure consisted of 5 mailbox servers in several separate trusted domains, with additional Outlook Web Access (OWA)
servers deployed to provide web email access. Due to several factors adding complexity to the project, such as multiple domains hosting user accounts,
diverse geographic locations including Europe, client computers not fully ready for Exchange 2003, and a new Active Directory forest/domain, the
upgrade had to be performed as a coexistence migration with Exchange 5.5 using a multi-phase deployment.
The initial phase was to deploy the first Exchange server in the new AD forest/domain and configure both Exchange 5.5 and 2003 to be aware of each other
without conflicting, allowing emails to flow between systems. Upon successful integration, the Exchange 5.5 standalone directory was synchronized with the
Exchange 2003 AD for mailbox visibility, as AD is used to build the "Global Address List" (GAL). Internet inbound/outbound email routing operations were moved
off Exchange 5.5 onto 2003 so that the company could immediately benefit from the newer Exchange features (e.g. IMF). An additional Exchange 2003 server was
deployed as an OWA server, and customized changes were made so that users accessing the URL for OWA would be transparently directed to the appropriate
OWA server, either 5.5 or the new 2003. On completion of phase 1, everything had been accomplished transparently to the end users, with email routing being handled by the new 2003 system.
The next phase was to migrate mailboxes in groups from Exchange 5.5 to the new 2003, coordinating with the targeted mailbox users. The initially selected users were
individuals who could benefit the most from Exchange 2003 features, which were the remote users using either OWA or Outlook with "RPC over HTTP"
(now known as Outlook Anywhere), and additionally users with supported PDAs. When the majority of mailboxes had been successfully migrated to the Exchange 2003
systems, the new Exchange 2007 was officially released and prompted the decision whether to upgrade further to Exchange 2007 during the project. The extensive
improvements in the new 2007 made the decision easy, and the plans were updated to include the new version.
Deployment of the first Exchange 2007 Hub/CAS/Mailbox roles server went very well and, because 2007 was newly released, selected mailbox users were
migrated onto the new server for a short testing period. Upon completion of testing, an additional Exchange 2007 Hub/CAS server was deployed to act as the
primary OWA and ActiveSync server. Mailboxes that had already been migrated to 2003 moved smoothly to the new 2007, and in most cases users were not even
aware of the upgrade, as Outlook profiles update automatically when using Office Outlook 2003 or newer, making it a transparent process. Additional Exchange
2007 servers were then deployed in various roles, including Edge Transport to handle Internet email routing and servers located in Europe's virtualized
infrastructure. Users embraced the new features and performance improvements of Exchange 2007, with Outlook Anywhere at the top of the list.
The project resulted in the following customer benefits:
- Newest Exchange platform providing improved connectivity using Outlook Anywhere, ActiveSync for PDA phones, and OWA, all contributing to increased user productivity.
- Customer moved from a separate directory store using Exchange 5.5 to AD integrated with Exchange 2003/2007 lowering IT maintenance.
- New security features providing a much more secure messaging environment than before.
- Improved backup and recovery capabilities of Exchange data stores.
|
Company Wide Backup Redesign & Restructuring
The customer's infrastructure consisted of multiple offices world-wide, with each branch office having local servers and the corporate office hosting
global resources such as ERP, Email, and various other resources within the Datacenter. The backup infrastructure required a complete reassessment
and restructuring to properly protect the business. Disaster Recovery and Business Continuity plans required rewrites to reflect all changes to
be made. Some factors affecting the new design were: no branch office IT staff, as all support came from corporate; dated tape
backup drives in the branch offices considered inadequate and unreliable; and other projects underway to centralize a majority of the company data within the Datacenter at corporate.
Each server was evaluated to identify all backup data, including files, proprietary network application data, services data (e.g. Exchange, SQL),
System State, and Windows services data (e.g. WINS, DNS, DHCP). Upon completion, each server was prepared as needed in various ways, such as
restructuring of the file/folder data structure to simplify backup replication, scheduling local backup tasks for staging data (Exchange, SQL, System State),
and adding hidden shares with restricted access/rights for data replication.
A secure backup server was set up in the corporate Datacenter to replicate all servers' data to centralized SAN storage that provided expandability for
future backup storage requirements. Data was replicated as a mirror operation to maintain an exact copy of each protected server while reducing WAN bandwidth
usage by replicating only changed data. This accomplished the goal of immediate loss recovery in events where a branch office suffered either a server loss or a complete loss due to fire. Because all branch office data was
mirrored offsite to corporate, this also accomplished offsite DR/BCP.
To address incremental/differential backup and recovery of changed data, the centralized mirror
was backed up to a newly deployed robotic tape library, with tapes being stored in a fireproof safe as well as sent offsite on a rotation schedule. To prevent
unnecessary retrieval of backup tapes and the possibility of tape media failure, disk-based incrementals were also maintained on the backup server using
a custom design that performed this task when data was replicated, as opposed to scheduling double backup jobs to tape and disk. This custom design saved
backup processing time and enabled immediate recovery from disk incrementals for faster recovery of changed data.
Additional data protection was leveraged depending on server roles, using Microsoft features such as Volume Shadow Copies and DFS-R. The VMware virtualized
corporate Datacenter included further protection using VirtualCenter (now known as vCenter) with VCB and VM snapshots, providing full server operating system backups.
Future plans were created to extend this protection model to all computers, such as desktops and laptops, with special consideration for mobile users being
able to securely back up laptops over the Internet. Improvements were planned to move the SAN centralized backup repository volume to a "Single Instance
Store" (SIS) aware operating system that would significantly reduce storage requirements for duplicated files.
The project resulted in the following customer benefits:
- Very cost effective solution requiring no server agents, complex expensive applications like Microsoft Data Protection Manager (DPM), or Backup Exec remote agent licenses, as all protected data is located on the local backup server volume(s).
- Multiple levels of protection and recovery capabilities either at the file level or an entire operating system.
- Full branch office recoveries to Datacenter and/or quick office rebuild capability.
- Secondary incremental disk-based backups ensured data availability in the case of backup tape media failure or loss.
- Fast file recovery request times due to disk-based backups, requiring only copying files from the backup repository to the designated file server location.
- Bandwidth efficient backup model for branch offices and local office servers.
- Centralized repository of mirrored data provides side benefits such as effective global data searches, data storage and change rate trend reporting, efficient global malware scan detection, and IT policy abuse detection (i.e. checking for unauthorized file types such as MP3 music files).
|
Email Systems Improvements & Effective Spam Control
The customer had Exchange Servers hosted and managed internally, with a single SurfControl anti-spam server routing and filtering all inbound/outbound Email
communications. As the existing SurfControl software was old, the effectiveness of the solution had diminished, and a replacement was needed to control the
increasing spam problem. At that time Microsoft had released Antigen (aka "Forefront for SMTP Servers"), and even though it was a new offering, the features
it provided gave it an edge over renewing SurfControl: multi-vendor anti-virus detection engines, real-time block lists (RBLs), possible Forefront for Exchange
integration, archiving, and other standard Email gateway features. Additionally, the cost per server and mailbox was very competitive in comparison to other
offerings, so an initial trial system was set up to evaluate the effectiveness before a purchase commitment.
The company's daily average Email processing was between 110,000 and 125,000 messages, of which only around 1,000 at most were legitimate Emails to be routed to mailboxes. After
implementing the Antigen gateway, the inbound Email volume passing the filter was dramatically reduced to around 10,000 daily on average, but, like the SurfControl solution, it was
placing significant load on the single Email gateway server. Reviewing detailed logs, both from Antigen and from custom logging, patterns emerged indicating ways
to effectively and accurately reduce the spam processing using a custom SMTP Event Sink application I developed for this solution, which I had used in the past.
After custom filtering was implemented, the Antigen processing load was reduced from the original 80-90% to a manageable 20-30%, and the daily average Email volume passing through the
gateway to internal Exchange servers was lowered to about 1,200-1,500.
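As an added Go example, not the author's SMTP Event Sink code, the following log triage shows how the kind of pattern mentioned above can be measured: hosts whose every message the full scan judged spam are candidates for a cheap connection-time refusal, and the second return value is the share of gateway load that removing them would save. The log format and lines are constructed for this example.

```go
package main

import "strings"

type hostStats struct {
	IP          string
	Total, Spam int
}

// parseLine reads one line of the constructed "key=value" gateway log format used
// here, e.g. "2007-03-12T08:15:01 ip=203.0.113.7 helo=x verdict=spam".
func parseLine(line string) (ip, verdict string, ok bool) {
	for _, f := range strings.Fields(line) {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "ip":
			ip = v
		case "verdict":
			verdict = v
		}
	}
	return ip, verdict, ip != "" && verdict != ""
}

// triage tallies messages per connecting host and returns hosts that sent at least
// minMsgs messages, every one judged spam by the full content scan. Refusing those
// hosts at connection time (the event-sink stage) removes their load before anti-virus
// and RBL processing run; minMsgs stops one misjudged message from blocking a host.
func triage(lines []string, minMsgs int) ([]hostStats, float64) {
	stats := map[string]*hostStats{}
	total := 0
	for _, l := range lines {
		ip, verdict, ok := parseLine(l)
		if !ok {
			continue
		}
		total++
		s := stats[ip]
		if s == nil {
			s = &hostStats{IP: ip}
			stats[ip] = s
		}
		s.Total++
		if verdict == "spam" {
			s.Spam++
		}
	}
	var out []hostStats
	removed := 0
	for _, s := range stats {
		if s.Total >= minMsgs && s.Spam == s.Total {
			out = append(out, *s)
			removed += s.Total
		}
	}
	return out, float64(removed) / float64(total)
}
```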
Implementing the Exchange 2003 IMF feature on the internal routing hub Exchange Server further reduced spam, with additional tagging of suspect emails to be sent to
the users' Junk mail folder. On completion of the first Antigen and custom filtering deployment, a second email gateway server was deployed, configured the same,
to provide priority processing of outbound user emails and also provide inbound email gateway redundancy.
The project resulted in the following customer benefits:
- Very effective and accurate reduction of spam while ensuring legitimate emails were properly processed.
- Reduced processing load on internal Exchange Servers, improving response times for users.
- Reduction of spam reaching internal Exchange Servers improved Exchange email archiving.
- Priority outbound email gateway ensuring delivery even during spam floods or DoS attacks on the inbound email gateway server.
- Redundant inbound email gateways ensuring email flow despite server/application failure.
- Multi-vendor anti-virus protection on emails processed through the gateway, ensuring maximum malware protection for the business.
- Effective spam-free email logging and archiving, contributing to smaller archives and faster backups.
- Overall cost effective solution for spam control with very low maintenance through the use of automated daily maintenance tasks.
|