Friday, June 18, 2010

SSL Offloading in Exchange 2010

UPDATE: Note that this post is based on Exchange 2010 RTM.  Guidance has been changed slightly for SP1.  Please see the wiki post HERE.

In one of my recent Exchange 2010 deployments at a client, the design was a highly available 3-node Exchange environment with all roles (MB, CAS, HUB) installed on each server. So we configured a DAG for the 3 nodes, which relies on the Windows Failover Clustering service. For a CAS array, high availability can be implemented with either Windows Network Load Balancing (NLB) or a Hardware Load Balancer (HLB). Windows Failover Clustering and NLB cannot be installed on the same server, so that left using an HLB to load balance the CAS services.

The weapon of choice was a Citrix Netscaler. A great thing about using an HLB is the ability to use SSL Offloading. This provides many benefits, the biggest being scalability: the SSL processing overhead is taken off of the Exchange servers and handled by the load balancer. So enough of that, let’s get into how to configure it and one of the gotchas that I ran into. I am not going to talk about the Netscaler side of the configuration, just the Exchange side.

SSL Offload

First things first:

  • Configure all internal and external URLs for the CAS services
  • Configure the CAS Array for the cluster by executing: New-ClientAccessArray -Name "CASArrayName" -Fqdn "mail.domain.com" -Site "AD Site where array lives"

Outlook Anywhere (for each CAS server):

  • Server Configuration –> Client Access
  • In the action pane, Enable Outlook Anywhere
  • In the wizard, fill out the external host name, select the authentication method and check Allow secure channel (SSL) offloading
  • Finish wizard

OWA (for each CAS server):

  • Clear “Require SSL” in IIS for Default Web Site and select Accept Client Certificates
  • Clear “Require SSL” in IIS for OWA virtual directory and select Accept Client Certificates
  • Regedit: HKLM\System\CurrentControlSet\Services\MSExchangeOWA –> Create new DWORD with name value “SSLOffloaded” and set value to “1” (no quotes on values)
  • Restart IIS


EWS, Autodiscover, OAB, and the rest (for each CAS server):

  • Clear “Require SSL” in IIS for each virtual directory and select Accept Client Certificates (EWS, Autodiscover, etc.)
  • Edit the web.config file to force HTTP for EWS (c:\program files\microsoft\Exchange Server\V14\ClientAccess\exchweb\ews\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive. I got errors when it was set to httptransport (no capital “T”)
  • Edit the web.config file to force HTTP for Autodiscover (c:\program files\microsoft\Exchange Server\V14\ClientAccess\exchweb\autodiscover\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive. I got errors when it was set to httptransport (no capital “T”)
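The per-CAS-server steps above (OWA registry flag, case-sensitive web.config edits, IIS SSL settings) as a script, added here as an example and not part of the original post. It assumes the default V14 install path, the WebAdministration module (Windows Server 2008 R2), and an elevated PowerShell session on each CAS server; the sslFlags value SslNegotiateCert corresponds to “Require SSL” cleared with client certificates set to Accept.

```powershell
# Added example, not from the original post: script the per-CAS-server SSL offload
# steps (registry flag, case-sensitive web.config edits, IIS SSL settings).
# Assumes Exchange 2010 RTM in the default V14 path and the WebAdministration
# module (Windows Server 2008 R2); run elevated on each CAS server.
Import-Module WebAdministration

$clientAccess = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess'
$webConfigs   = @("$clientAccess\exchweb\ews\web.config",
                  "$clientAccess\exchweb\autodiscover\web.config")
# Default Web Site plus the virtual directories named in the post; extend as needed.
$vdirs    = 'owa', 'ews', 'Autodiscover', 'OAB'
$iisPaths = @('IIS:\Sites\Default Web Site') + ($vdirs | ForEach-Object { "IIS:\Sites\Default Web Site\$_" })
$owaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeOWA'

function Set-SslOffloadRegistry {
    # DWORD SSLOffloaded = 1 tells OWA it sits behind an offloading load balancer
    New-ItemProperty -Path $owaKey -Name SSLOffloaded -PropertyType DWord -Value 1 -Force | Out-Null
}

function Convert-WebConfigToHttp([string]$path) {
    $original = [System.IO.File]::ReadAllText($path)
    # -creplace matches case-sensitively; the replacement must be httpTransport
    # with a capital T, since httptransport produced errors in the post.
    $updated = $original -creplace 'httpsTransport', 'httpTransport'
    if ($updated -ne $original) {
        Copy-Item -Path $path -Destination "$path.bak" -Force      # keep a backup
        [System.IO.File]::WriteAllText($path, $updated)
    }
}

function Set-IisSslFlags([string]$iisPath) {
    # SslNegotiateCert alone = "Require SSL" cleared and client certificates set to Accept
    Set-WebConfigurationProperty -PSPath $iisPath -Filter 'system.webServer/security/access' `
        -Name sslFlags -Value 'SslNegotiateCert'
}

function Test-SslOffloadConfig {
    # Verify the registry flag and that no httpsTransport token survived (case-sensitive)
    $value = (Get-ItemProperty -Path $owaKey -Name SSLOffloaded -ErrorAction SilentlyContinue).SSLOffloaded
    $ok = ($value -eq 1)
    foreach ($cfg in $webConfigs) {
        if (Select-String -Path $cfg -Pattern 'httpsTransport' -CaseSensitive -Quiet) { $ok = $false }
    }
    return $ok
}

Set-SslOffloadRegistry
foreach ($cfg in $webConfigs) { Convert-WebConfigToHttp $cfg }
foreach ($iisPath in $iisPaths) { Set-IisSslFlags $iisPath }
iisreset | Out-Null                                                # restart IIS as the post does
if (-not (Test-SslOffloadConfig)) { Write-Warning 'SSL offload settings incomplete; check the steps above.' }
```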

Other Important Notes:

  • Any databases created before the CAS Array is set up will need to be reconfigured to point to the CAS Array (definitely the default databases that are created)
    • Run: Set-MailboxDatabase "DBName" -RpcClientAccessServer "CASArrayName"

6 comments:

  1. I have been trying to figure this out for three days straight now and your insight resolved my issue. Thanks a million!!!!!
  2. Tim, saw your post regarding DigiScope on the MS site and I appreciate it. Let's get you some experience with DigiScope so that you are well versed in the product. Please contact me at troyw@lucid8.com