STANAG 4406 is the NATO standard for Military Messaging based on X.400. STANAG 4406 defines a number of functional and security features to support formal military messaging. It is particularly important for High Grade messaging, where features of X.400 to support high reliability are used.

Used for both Strategic and Tactical messaging, STANAG 4406 has a number of special protocols to support tactical messaging, in particular to support very low bandwidth links such as HF radio (STANAG 4406 Annex E) and to support receivers in Emission Control (EMCON) mode who can receive but not send data. Isode's products for a military messaging solution feature:

  • Full compliance with the STANAG 4406 standards and architecture.
  • Support for STANAG 4406 Annex E for messaging over constrained links such as Satellite and HF Radio.
  • Support for ACP145 Gateway to Partner Networks.
  • Support for MIXER gateway to SMTP systems.
  • High message throughput and low switching latency.
  • Message precedence capabilities.
  • Support of Digital Signatures and Security Labels.
  • Extensive use of ACP 133 Directory.
  • Audit logging and audit database.

On this page you'll find information on Military Messaging Architecture, Isode's Military Messaging Components (including use of ACP 133 Directory and Operational Management & Statistics), Gateways and Integration with External Systems and Application Integration & Custom Client Development.

Military Messaging Architecture

The diagram below shows the top level STANAG 4406 architecture for communication in both the strategic (high bandwidth) and tactical (constrained bandwidth using STANAG 4406 Annex E) networks.

 

[Figure: Military Messaging Architecture]

 

Annex E architecture for communication over HF Radio, satellite and other constrained bandwidth networks. Components of this diagram to note:

  • MMTA (Military Message Transfer Agent): an X.400 MTA, which is the basic store and forward message switching component of a STANAG 4406 military messaging system supporting 'Full Stack' P1.
  • LMTA (Lightweight Message Transfer Agent): an MTA that supports P1/Annex E and not 'Full Stack' P1 in a constrained bandwidth environment.
  • TIA (Tactical Interface Agent): an MTA that supports P1/Annex E and Full Stack P1 for switching messages between tactical (P1/Annex E) and strategic (Full Stack P1) environments.
  • MM-MS (Military Messaging Message Store): a message store that enables military client access using the X.400 P7 protocol.
  • P1 (Full Stack): the standard military and civil protocol used to carry P1 over a TCP connection between MTAs. It is used over high bandwidth fixed line connections.
  • P1 (Annex E): the use of STANAG 4406 Annex E, used in conjunction with ACP 142 and STANAG 5066, to carry P1 over a low bandwidth link in an optimal manner.
  • X.400 P3: the standard X.400 delivery protocol used by an MTA connecting to a Message Store or directly to a user agent.

Isode provides core STANAG 4406 messaging infrastructure, but does not provide the end user clients that make use of the infrastructure (MM-UAs – Military Messaging User Agents). Isode provides both of the standardized protocols for integrating an MM-UA: X.400 P3 (to M-Switch X.400) and X.400 P7 (to M-Store X.400). This enables use of any standards-compliant MM-UA.

Isode recommends the SAFEmail.mil MM-UA product from its partner Boldon James, which is based on Microsoft Outlook. This product includes an X.400 P7 plug-in for Outlook, which enables it to connect directly to M-Store X.400, and function according to the STANAG 4406 architecture. The Boldon James Outlook client solution also includes Enterprise Address Book, which enables secure client access over LDAP to data in Isode's ACP 133 directory.

Isode Military Messaging Components

Isode provides three server products that can be configured to fulfill a number of the component roles outlined above.

M-Switch X.400

M-Switch X.400 is the central product of Isode's STANAG 4406 military messaging infrastructure. M-Switch X.400 can be configured as an MMTA, LMTA and TIA, providing message switching for high volume backbone operation and local services. Key features of M-Switch X.400 for military deployments include:

  • Low latency.
  • Flexible routing.
  • Alternate recipient support.
  • Precedence handling.
  • Audit database to support message tracking, management & operational statistics and fire and forget capabilities.
  • Archiving.
  • Support for digital signatures and security labels.
  • Sophisticated configuration and operational control capabilities.

More information on general product capabilities for military messaging can be found on the M-Switch X.400 Military Messaging page.

STANAG 4406 Annex E is supported by M-Switch X.400 for the provision of messaging over HF Radio and other constrained bandwidth networks. Further information is provided on the product page outlining M-Switch capabilities for constrained networks, which also includes pointers to a number of whitepapers.

M-Switch X.400 can also be configured as an ACP145 Gateway, described further in the section on Gateways & Integration with External Systems. A separate product page gives a more general overview of M-Switch X.400.

M-Store X.400

Isode's M-Store X.400 is an MM-MS (Military Messaging Message Store) that enables military user agent access using the X.400 P7 protocol and also uses X.400 P3 to connect to an MMTA such as M-Switch X.400. It serves as an intermediary between User Agents and the Message Transfer Agent, accepting delivery of messages on the user's behalf and storing them for subsequent retrieval. A separate product page gives a more general overview of M-Store X.400.

M-Switch MIXER

M-Switch MIXER is a high performance message switch, providing conversion between X.400 and Internet email according to the MIXER specifications. The role of M-Switch MIXER is described further in the section on Gateways & Integration with External Systems.

Use of ACP 133 Directory & Configuration Management

Isode provides a military directory solution, which is an important part of the Isode STANAG 4406 military messaging infrastructure (for more detail see the separate page on Military Directory).

An ACP 133 directory may be used in conjunction with an MMHS solution in three basic ways:

  1. To provide a service to MM-UAs (Military Messaging User Agents) to enable lookup of email recipients.
  2. To provide a distribution list service: MM-UAs and MMTAs may interact with this service.
  3. To provide a basis for configuration and managing the MMTAs and MM-MSs.

Isode's ACP 133 solution based on M-Vault X.500 can be used for all three of these functions. The first two functions are standard ACP 123 specified capabilities. The third, optional, use is an important feature of the Isode solution.

M-Switch X.400 may be configured by tables or directory. In most situations Isode recommends use of directory configuration, which enables almost all configuration options to be controlled from the directory. This approach gives a number of advantages as configuration can be:

  • Easily shared between servers, and so managed in a single place.
  • Distributed and replicated locally to each MMTA, using directory replication.
  • Managed using client/server tools, making remote configuration management straightforward.

Operational Management & Statistics

Isode provides a number of management tools and capabilities with its MMHS products, to enable control and monitoring of an MMHS system. MMTAs can be monitored using SNMP (Simple Network Management Protocol), which is ideal for monitoring large numbers of servers, and is provided by industry-standard management products. High end management, including SLA monitoring, can be provided by Sentra, the high-end management tool from Isode's partner Insider Technologies.

M-Switch X.400 includes MConsole, a powerful cross-platform client/server graphical tool that can be used to monitor and manage M-Switch X.400, including message tracking and archive access. Statistics for message switching are provided using a Web interface to the Audit Database, which records information from one or more M-Switch X.400 servers. An example of statistics is given in the following screenshot that shows an analysis of message latency based on message precedence. Both tools are shown below:

The Audit Database also enables tracking of messages, delivery reports and inter-personal notifications (read receipts). This can be used to track messages, and also to determine if any acknowledgments are delayed or missing.

This enables support of “Fire and Forget” capability by the use of Guaranteed Action Points and is described in more detail in the Isode whitepaper [Using Message Acknowledgements for Tracking, Correlation and Fire & Forget]. MConsole's tracking of messages is shown in the screenshot below.

Gateways and Integration with External Systems

The description so far has been of a "pure" STANAG 4406 network. A key operational requirement is partner interoperability, and this will generally involve interconnect with other networks, operating STANAG 4406 or other protocols. This is illustrated below.

The gateways shown are:

MIXER Gateway

SMTP email is widely used. STANAG 4406 Military messaging deployments will often require gateway solutions to enable connectivity with SMTP systems. The MIXER specifications define how to achieve this. Isode offers a solution for this with M-Switch MIXER. This provides a flexible mapping between MMHS and Internet Email, including full directory based configuration of the mappings. M-Switch MIXER also includes flexible authorization, which can control use of the MIXER gateway and control who can send messages. There is also extended support for mapping STANAG 4406 capabilities.

High Assurance Guard

HAG is used to connect between STANAG 4406 systems, where a high level of security checking is needed. HAG products generally use X.400 P1, and so interconnection with M-Switch X.400 is straightforward. HAG products are available from BAE Systems and Deep Secure.

ACP145

National variants on the ACP 123 and STANAG 4406 specifications have led to a situation where interoperability between national MMHS systems is not guaranteed. ACP145 has been defined in order to overcome this problem, and is a complete protocol definition for international inter-working. The ACP145 specification has led to a requirement for "ACP145 gateways", which convert between the national variants of MMHS and ACP145. M-Switch can be deployed as an ACP145 Gateway, including support for Security Labels and Message Digital Signatures.

Isode’s ACP145 solution can also be deployed in conjunction with MIXER, to enable a national network using SMTP and S/MIME to be connected using ACP145. Further details are given in the Isode whitepaper [ACP145: Isode Support of International MMHS Gateways].

ACP127

ACP127 is the legacy protocol used for military formal messaging. To support integration between STANAG 4406 and ACP127, an ACP127 Gateway product is needed. The Isode ACP127 gateway is based on our widely deployed M-Switch MTA and enables exchange of ACP127 messages with STANAG 4406 (including ACP145) and SMTP systems and operation over HF Radio using STANAG 5066.

Microsoft Exchange

Many military organizations have decided that Microsoft Exchange is the best way to support end users, and to use Microsoft Exchange as the place to store messages, rather than in an MM-MS that follows the MMHS X.400 architecture and supports X.400 P3 and P7. This may lead to a mixed configuration, where Microsoft Exchange is used as an MM-MS plus departmental MMTA, with M-Switch X.400 operating as the backbone MMTA and providing application integration. Isode recommends its partner Boldon James for those who wish to use Microsoft Exchange as a part of their MMHS solution.

Exchange 2003 and earlier provide native X.400 support to connect to a STANAG 4406 military messaging infrastructure. Exchange 2007 and 2010 do not provide X.400 protocol support, and connection can be achieved using the Exchange X.400 Bridgehead product from Boldon James, which is based on M-Switch X.400. Details on how X.400 Bridgehead works are given in the Isode whitepaper [X.400 Bridgehead for Microsoft Exchange: Technical Architecture and Back-end Features].

Custom Gateway Development

Where other integration or gateway capabilities are needed, Isode provides integration APIs to its MMTA, and in particular support for the Open Group X.400 Gateway API (often referred to as XMT). This is often a practical approach for military solution providers. Isode's M-Vault ACP 133 directory can also be used to support configuration and MHS address translation for such gateways.

Application Integration & Custom Client Development

It is often appropriate to provide special purpose applications using an MMHS infrastructure. Isode provides a cross-platform simple API, which enables an application to operate over a P3 or P7 connection as below.

This API is ideal for applications and special purpose clients that need to be connected to an MMHS infrastructure with a minimum of intervening software.

User Agents

Isode provides core STANAG 4406 messaging infrastructure, but does not provide the end user clients that make use of the infrastructure (MM-UAs – Military Messaging User Agents). Isode provides both of the standardized protocols for integrating an MM-UA: X.400 P3 (to M-Switch X.400) and X.400 P7 (to M-Store X.400). This enables use of any standards-compliant MM-UA.

Isode recommends the SAFEmail.mil MM-UA product from its partner Boldon James, which is based on Microsoft Outlook. This product includes an X.400 P7 plug-in for Outlook, which enables it to connect directly to M-Store X.400, and function according to the STANAG 4406 architecture. The Boldon James Outlook client solution also includes Enterprise Address Book, which enables secure client access over LDAP to data in Isode's ACP 133 directory.