If I had a nickel for every time I had had a discussion like the below…
<Customer> wants to <do something>. I don’t think it’s a good idea and tried to explain that to them. They want to do it anyway. Is it supported?
The particular discussion that triggered this post was a conversation among MCMs concerning a customer who wanted to know if they could configure an Exchange 2010 server so that it was dual-homed, with one NIC on the LAN and another in their DMZ. There are a number of good reasons not to do this, most related to one of two things: the inability to force Windows and/or Exchange to use only one of the installed NICs for certain operations, or the lack of knowledge about how to configure everything properly in such a configuration. For example, you’d have to be careful to get static routes right so that you only passed the traffic you wanted on each interface. You’d also have to be careful about which AD sites your server appeared to be a member of.
The big issue for me: that configuration would add complexity. Any time you add complexity, you should be able to clearly articulate what you’re gaining in exchange. Performance, scalability, flexibility, security, cost savings.. there has to be some reason to make it worth complicating things. This is a pretty fundamental principle of designing anything technical, from airplanes to washing machines to computer networks, and you violate it at your peril.
In this case, the gain is that the customer wouldn’t need to use TMG or a similar solution. That seems like an awfully small gain for the added complexity burden and the supportability issues it raises.
You might be wondering why I’d bring up supportability in this context. The cherry on the sundae was this comment from the fellow who started the thread: “It’s not written that you can’t do it, so they assume that means you can.” This is a dangerous attitude in many contexts, but especially so here.
I’ve said it before (and so has practically everyone who has ever written about Exchange), but it bears repeating:
Just because something is not explicitly unsupported, that doesn’t mean it is supported.
Microsoft doesn’t– indeed, can’t— test every possible configuration of Exchange. Or Windows. Or any of their other products (well, maybe except for closed consumer systems like Windows Phone and Xbox 360). So there’s a simple process to follow when considering whether something meets your requirements for supportability:
- Does Microsoft explicitly say that what you want to do is, or is not, supported?
- If they don’t say one way or the other, are you comfortable that you can adequately test the proposed change in your environment to make sure that it only has the desired effects?
Point 1 is pretty straightforward. If Microsoft says something’s explicitly supported, you’re good to go. If they explicitly say something is unsupported, you’re still good, provided you don’t do it.
Brief digression: when Microsoft says something’s unsupported, it can mean one of three specific things:
- We tested it. It doesn’t work. Don’t do it. (Example: a long list of things involving Lync device provisioning.)
- We tested it. It works. It’s a bad idea for some other unrelated reason. Don’t do it. (Example: going backupless with a 2-copy DAG.)
- We didn’t test it. We don’t know if it works. You could probably figure out some way to make it work. If it doesn’t work, on your own head be it. (Example: the prior stance on virtualization of Exchange roles.)
OK, where was I? Oh yeah: if Microsoft doesn’t make an explicit statement one way or another, that is not an unconditional green light for you to do whatever you want. Instead, it’s an invitation for you to think carefully about what you’ll gain from the proposed configuration. If what you want to do is common, then there will probably be a support statement for it already; the fact that there isn’t should give you pause right there. If you believe the gain is worth the potential risk that comes from an increase in complexity, and you can demonstrate through testing (not just a SWAG) that things will work, only then should you consider proceeding.
(n.b. permission is hereby granted for all you Exchange folks out there to copy this and send it to your customers next time they ask you for something dangerous, ignorant, unsupportable, or otherwise undesirable.)
5 responses to “What "supported" really means”
Pingback: iras | IT?
My response to this is “No” from a security point of view. Most companies will have a firewall-of-sorts (e.g. TMG) that sits between their DMZ and CORP LAN – notably to protect the CORP LAN from both the outside world AND the DMZ.
Dual-homing your Exchange server bypasses this security, ultimately bridging the two networks – thus creating an insecure entry point in to the CORP LAN.
I agree, Richard, that this isn’t a good idea from a security standpoint; I wasn’t trying to address that. I don’t know the context of the original customer request, so I don’t know if they were thinking of security or not (though I’m guessing “not” is the answer!)
Pingback: Stalking the wily ADAccess event 2112 | Paul's Down-Home Page
Pingback: Thoughts on the new Exchange 2013 servicing model | Paul's Down-Home Page