
ALABAMA CENTRALIZED (ACE) PROJECT SUMMARY


Academic year: 2021


ALABAMA CENTRALIZED E-MAIL (ACE) PROJECT SUMMARY

E-mail is a mission-critical application that business and government organizations expect to be secure, reliable and available at all times.

The State of Alabama’s initial implementation of decentralized e-mail systems resulted in severe inconsistencies, extraordinary expenses, and an unacceptable exposure to security breaches, and it no longer met the state’s needs.

The overall goal of the ACE project was to provide the state with a secure, scalable and reliable messaging platform. The implementation of this system has yielded two kinds of returns:

• Direct benefits of reduced operation cost for the state overall and for the individual agencies, and

• Indirect benefits of productivity gains for all end users.

By reducing excess, underutilized hardware and redundant software licenses, ACE has cut the state’s total operational cost for e-mail services and provided many features that would not have been practical or economical for an individual agency to provide, such as:

• Four clustered servers,

• Redundant disk storage,

• Load balancing technology to ensure high availability,

• On-site SAN storage for backup and recovery,

• Off-site SAN storage for disaster protection, and

• Highly specialized and trained email support staff


ALABAMA CENTRALIZED E-MAIL (ACE) PROJECT

Description of Project

The overall goal of the Alabama Centralized E-mail (ACE) project was to provide the State of Alabama with a secure, scalable and reliable messaging platform. The ACE project had the potential to yield two kinds of returns: the indirect benefits introduced by productivity gains and the direct benefits of reduced operational cost. By eliminating duplicate efforts and expenditures, ACE resulted in better utilization of existing revenue sources.

The State of Alabama’s initial implementation of e-mail technology was completely decentralized, with each agency implementing e-mail according to no particular statewide standard. Agencies were running different versions of Exchange, GroupWise, Lotus Notes, and Sendmail. Hardware, operating systems and backup capabilities varied from agency to agency. As agencies deployed their e-mail systems, they often either did not have the funds to create redundant systems or overlooked this necessity. This approach resulted in severe inconsistencies, extraordinary expenses, and unacceptable exposure to security breaches.

The Information Services Division (ISD) of the Finance Department contracted with Microsoft and Unisys to design the ACE infrastructure. The infrastructure was designed to be scalable in order to host all employee email accounts. Microsoft and Unisys assisted ISD with the planning, development, proof-of-concept, pilot, and deployment. ACE has been in operation since June of 2004 with a total of 93 agencies currently participating. Today ACE is hosting 4,300 email accounts with a 10,000 account capacity. Eighteen agency email servers have been eliminated by migrating e-mail accounts to the ACE system.

E-mail accounts were consolidated on one Microsoft Exchange 2003 system consisting of four mailbox servers configured in a 3 to 1 cluster on Windows 2003 servers. This model has three active mailbox servers and one passive mailbox server. If an active server should crash or become disabled, the passive mailbox server would become active, taking over the duties of the disabled server with no downtime.

Two front-end servers running Windows 2003 Server Enterprise Edition were implemented to provide load balancing and redundancy. Certificates were purchased to support Secure Sockets Layer (SSL) for Outlook Web Access on the front-end servers. Other important reasons for the front-end servers were:

• Security. Front-end servers were deployed on the inside network, improving the security of the overall system. In this configuration, access is allowed from the public Internet through the Internet Security and Acceleration (ISA) servers in the Demilitarized Zone (DMZ) to the inside network front-end servers. The front-end servers, like the ISA servers, are configured with the strictest security settings. The firewall allows traffic through to the front-end servers only. The back-end servers are not directly accessible from the public Internet.

• Scalability. Front-end servers can be scaled out as the load grows without the need to notify the users of any network changes.

The two ISA servers were placed in the DMZ. All inbound Internet traffic bound for the Exchange servers, such as OWA, RPC over HTTP communication from Outlook 2003 clients, Outlook Mobile Access, and so on, is processed by the ISA servers. When an ISA server receives a request for an Exchange server, it reverse proxies the request to the Exchange front-end servers on the internal network via SSL bridging. The internal Exchange servers, after processing the request, return the data to the ISA server, and the ISA server then returns the information to the client.

Two bridgehead servers running Windows 2003 Server Enterprise Edition were implemented to provide the inbound and outbound route for SMTP traffic from the State Exchange organization. Multiple SMTP connectors were used to control outbound mail flow; for example, one connector can be set to route mail to specific agencies and require encryption for the Health Insurance Portability and Accountability Act (HIPAA) while another connector can handle other mail without encryption.

Active Directory domain controllers were implemented to handle all the domain accounts for the Exchange 2003 system. These two servers also serve the functions of Global Catalog and Domain Name Service servers for the Exchange 2003 forest.

Full system backups on the SAN are performed daily. The backup includes all database volumes and system state for each server and is written to a local disk and a virtual disk on the SAN. From there the information is backed up to tape and subject to established tape retention policy.

A three-tiered virus scanning architecture was implemented including perimeter, information store, and client scanning.

(See attached ACE Architecture diagram)

Improvements and Benefits


The centralized e-mail system has increased productivity on several levels. First, because all mail processing is done on the central mail servers, existing network traffic has been greatly reduced. This has allowed for faster processing and enabled users to access and utilize data more efficiently. Next, users are able to communicate via e-mail with any user on the ACE system. With the Global Addressing System, users can find the e-mail address of any state employee in seconds. Time previously spent looking up addresses is now saved. Finally, with web based e-mail, users are able to access their mail from alternate locations. Formerly idle time spent in airports and hotels can now be used for business communications.

ACE has also provided users with many enhanced features not previously available to all users such as shared calendars, scheduling, distribution lists, and shared folders.

ACE has reduced downtime by implementing an architecture design consisting of server clustering, redundant hardware, virus scanning and load balancing technology. Network security was improved by reducing the need for virtual private network connections and eliminating the need to open vulnerable network ports.

Return on Investment

The Department of Finance conducted a survey of state e-mail systems on a departmental basis. The survey included information about number of servers, mailbox size, number of users supported, virus detection software, and various other factors. This survey showed the wide variety of e-mail systems that supported the state, the cost of running those services, and the complexity. Analysis of these surveys showed that cost varied widely among agencies with on-going cost ranging from $20 per month per employee to a high of over $63 per month per employee.

By eliminating duplicate efforts and expenditures by agencies and consolidating e-mail on a central system, ACE at full capacity of 10,000 users will lower the cost of an e-mail account to under $7 with improved service and tighter security.

Alabama Centralized E-mail account cost per year and per month

ACE PROJECT

| ACE Expenses | FY1 | FY2 | FY3 | FY4 | FY5 | Total |
|---|---|---|---|---|---|---|
| Anti Virus | 15,625 | 15,625 | 15,625 | 15,625 | 15,625 | 78,125 |
| Hard cost | 7,500 | 7,500 | 7,500 | 7,500 | 7,500 | 37,500 |
| Total | 882382 | 749072 | 717192 | 617192 | 709872 | |

Average per year: 735142

Cost Per Email Account on ACE

| Number Of Accounts | Cost Per Year | Cost Per Month |
|---|---|---|
| 3000 | $245.05 | $20.42 |
| 7000 | $105.02 | $8.75 |
| 10000 | $73.51 | $6.13 |

Old Distributed E-mail account cost per year and per month for agency with 100 users.

DISTRIBUTED EXAMPLE

| Agency w/ 100 users | FY1 | FY2 | FY3 | FY4 | FY5 | Total |
|---|---|---|---|---|---|---|
| Windows CAL (100) | 916 | 916 | 916 | 916 | 916 | 4580 |
| Exchange CAL (100) | 2064 | 2064 | 2064 | 2064 | 2064 | 10320 |
| Server License | 1000 | 1000 | 1000 | 1000 | 1000 | 5000 |
| Exchange License | 1487 | 1487 | 1487 | 1487 | 1487 | 7435 |
| Server | 10000 | | | | | 10000 |
| Personnel | 50000 | 50000 | 50000 | 50000 | 50000 | 250000 |
| Personnel Overhead | 12520 | 12520 | 12520 | 12520 | 12520 | 62600 |
| Training | 2000 | 2000 | 2000 | 2000 | 2000 | 10000 |
| Hardcost | 2500 | 2500 | 2500 | 2500 | 2500 | 12500 |
| Anti Spam/Virus | 3000 | 1000 | 1000 | 1000 | 1000 | 7000 |
| Total | 85487 | 73487 | 73487 | 73487 | 73487 | 379,435 |

Cost Per Email Account on Agency Server

Average per year: 75,887

| Number Accounts | Cost Per Year | Cost Per Month |
|---|---|---|
| 100 | $758.87 | $63.23 |

Return on Investment

| TYPE EMAIL SYSTEM | ACCOUNTS | COST PER YEAR |
|---|---|---|
| DISTRIBUTED EMAIL | 10000 X $500 (average) | $5,000,000 |
| CONSOLIDATED EMAIL | 10000 X $73.51 | $735,100 |
