Friday, June 18, 2010

SSL Offloading in Exchange 2010

UPDATE: Note that this post is based on Exchange 2010 RTM.  Guidance has been changed slightly for SP1.  Please see the wiki post HERE.

In one of my recent Exchange 2010 deployments at a client, the design was a highly available 3-node Exchange environment with all roles (MB, CAS, HUB) installed on each server.  So we configured a DAG for the 3 nodes, which relies on the Windows Failover Clustering service.  For a CAS array, high availability can be implemented with either Windows Network Load Balancing (NLB) or a Hardware Load Balancer (HLB).  Windows Failover Clustering and NLB cannot be installed on the same server, so that left using an HLB to load balance the CAS services.

The weapon of choice was a Citrix Netscaler.  A great thing about using an HLB is the ability to use SSL Offloading.  This provides many benefits, the biggest being scalability, since the SSL processing overhead is taken off of the Exchange servers.  So enough of that, let’s get into how to configure it and one of the gotchas that I ran into.  I am not going to talk about the Netscaler side of the configuration, just the Exchange side.

SSL Offload

First things first:

  • Configure all internal and external URLs for the CAS services
  • Configure the CAS Array for the cluster by executing: New-ClientAccessArray -Name "CASArrayName" -Fqdn "" -Site "AD Site where array lives"

Outlook Anywhere (for each CAS server):

  • Server Configuration –> Client Access
  • In the action pane, Enable Outlook Anywhere
  • In the wizard, fill out the external host name, select the authentication method and check Allow secure channel (SSL) offloading
  • Finish wizard

OWA (for each CAS server):

  • Clear “Require SSL” in IIS for Default Web Site and select Accept Client Certificates
  • Clear “Require SSL” in IIS for OWA virtual directory and select Accept Client Certificates
  • Regedit: HKLM\System\CurrentControlSet\Services\MSExchangeOWA –> Create a new DWORD named SSLOffloaded and set its value to 1
  • Restart IIS


EWS, Autodiscover, OAB, and the rest (for each CAS server):

  • Clear “Require SSL” in IIS for each virtual directory and select Accept Client Certificates (EWS, Autodiscover, etc.)
  • Edit the web.config file to force HTTP for EWS (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive. I got errors when it was set to httptransport (no capital “T”)
  • Edit the web.config file to force HTTP for Autodiscover (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\autodiscover\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive. I got errors when it was set to httptransport (no capital “T”)

Other Important Notes:

  • Any databases created before the CAS Array is set up will need to be reconfigured to point to the CAS Array (definitely the default databases that are created)
    • Run: Set-MailboxDatabase "DBName" -RPCClientAccessServer "CASArrayName"
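The per-server steps above (registry flag, IIS "Require SSL" off with client certificates accepted, and the case-sensitive web.config edit) as one PowerShell script. This is an added example, not code from the original post; it assumes the default Exchange 2010 install path, the web.config locations exactly as given above, and the IIS WebAdministration module (IIS 7.5), and it backs up each web.config before touching it.

```powershell
# Added example: apply the Exchange-side SSL-offload settings on one CAS server.
# Assumes the default V14 install path and the IIS WebAdministration module. Run elevated.
Import-Module WebAdministration

$exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess'
$site         = 'Default Web Site'

# 1. OWA: DWORD SSLOffloaded=1 tells OWA that SSL is terminated on the load balancer.
$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeOWA'
if (-not (Test-Path $owaKey)) { New-Item -Path $owaKey -Force | Out-Null }
New-ItemProperty -Path $owaKey -Name 'SSLOffloaded' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. IIS: clear "Require SSL" and select "Accept" client certificates on the site and
#    each virtual directory named in the post. sslFlags 'SslNegotiateCert' is exactly
#    that combination (no Ssl flag = not required, NegotiateCert = accept).
$locations = @($site) + @('owa', 'EWS', 'Autodiscover', 'OAB' | ForEach-Object { "$site/$_" })
foreach ($loc in $locations) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'SslNegotiateCert'
}

# 3. web.config: httpsTransport -> httpTransport. -creplace is case sensitive, so the
#    capital "T" the post warns about is preserved and a stray "httptransport" is never produced.
function Set-HttpTransport {
    param([string]$ConfigPath)
    $text  = [IO.File]::ReadAllText($ConfigPath)
    $count = ([regex]::Matches($text, 'httpsTransport')).Count
    if ($count -eq 0) { Write-Host "${ConfigPath}: nothing to change"; return 0 }
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.pre-offload.bak" -Force
    [IO.File]::WriteAllText($ConfigPath, ($text -creplace 'httpsTransport', 'httpTransport'))
    Write-Host "${ConfigPath}: replaced $count occurrence(s)"
    return $count
}

$configs = @(
    (Join-Path $exchangeRoot 'exchweb\ews\web.config'),
    (Join-Path $exchangeRoot 'exchweb\autodiscover\web.config')   # path as given in the post
)
foreach ($cfg in $configs) {
    if (-not (Test-Path $cfg)) { Write-Warning "$cfg not found; check the install path"; continue }
    Set-HttpTransport -ConfigPath $cfg | Out-Null
    # Verify: no https binding left and no lowercase misspelling introduced by hand edits.
    $after = [IO.File]::ReadAllText($cfg)
    if ($after -cmatch 'httpsTransport' -or $after -cmatch 'httptransport') {
        Write-Warning "$cfg still contains a wrong transport spelling; fix before restarting IIS"
    }
}

# 4. Restart IIS so the registry flag, sslFlags and web.config changes take effect.
iisreset /noforce
```

Re-run the script after any Exchange rollup that rewrites web.config; the function reports "nothing to change" when the transport is already correct.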


  1. I have been trying to figure this out for three days straight now and your insight resolved my issue. thanks a million!!!!!

  2. Tim, saw your post regarding DigiScope on the MS site and I appreciate it. Lets get you some experience with DigiScope so that you are well versed in the product. Please contact me at
