Friday, June 18, 2010

SSL Offloading in Exchange 2010

UPDATE: Note that this post is based on Exchange 2010 RTM.  Guidance has been changed slightly for SP1.  Please see the wiki post HERE.

In one of my recent Exchange 2010 deployments at a client, the design was a highly available 3-node Exchange environment with all roles (MB, CAS, HUB) installed on each server.  So we configured a DAG for the 3 nodes, which relies on the Windows Failover Clustering service.  For a CAS array, high availability can be implemented with either Windows Network Load Balancing (NLB) or a Hardware Load Balancer (HLB).  Windows Failover Clustering and NLB cannot be installed on the same server, so that left using an HLB to load balance the CAS service.

The weapon of choice was a Citrix Netscaler.  A great thing about using an HLB is the ability to use SSL Offloading.  This provides many benefits, the biggest being scalability, by taking the SSL processing overhead off the Exchange servers.  So enough of that, let’s get into how to configure it and one of the gotchas that I ran into.  I am not going to talk about the Netscaler side of the configuration, just the Exchange side.

SSL Offload

First things first:

  • Configure all internal and external URLs for the CAS services
  • Configure the CAS Array for the cluster by executing: New-ClientAccessArray -Name "CASArrayName" -Fqdn "mail.domain.com" -Site "AD Site where array lives"

Outlook Anywhere (for each CAS server):

  • Server Configuration –> Client Access
  • In the action pane, Enable Outlook Anywhere
  • In the wizard, fill out the external host name, select the authentication method and check Allow secure channel (SSL) offloading
  • Finish wizard

OWA (for each CAS server):

  • Clear “Require SSL” in IIS for Default Web Site and select Accept Client Certificates
  • Clear “Require SSL” in IIS for OWA virtual directory and select Accept Client Certificates
  • Regedit: HKLM\System\CurrentControlSet\Services\MSExchangeOWA –> Create a new DWORD value named “SSLOffloaded” and set its data to “1” (no quotes on either)
  • Restart IIS

 

EWS, Autodiscover, OAB, and the rest (for each CAS server):

  • Clear “Require SSL” in IIS for each virtual directory and select Accept Client Certificates (EWS, Autodiscover, etc.)
  • Edit web.config file to force HTTP for EWS (c:\program files\microsoft\Exchange Server\V14\ClientAccess\exchweb\ews\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive…I got errors when it was set to httptransport (no capital “T”)
  • Edit web.config file to force HTTP for Autodiscover (c:\program files\microsoft\Exchange Server\V14\ClientAccess\exchweb\autodiscover\)
    • Change all occurrences of the term httpsTransport to httpTransport
    • Important: this is case sensitive…I got errors when it was set to httptransport (no capital “T”)
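
The OWA registry value and the two web.config edits from the steps above, as a script with a check for the case-sensitivity gotcha. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the V14 install path given above and UTF-8 web.config files.

```powershell
# Added example (not from the original post). Run elevated on each CAS server.
# Paths and the SSLOffloaded value come from the steps above; function names
# are hypothetical.
$ClientAccess = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess'
$WebConfigs   = 'exchweb\ews\web.config', 'exchweb\autodiscover\web.config' |
                ForEach-Object { Join-Path $ClientAccess $_ }
$OwaKey       = 'HKLM:\System\CurrentControlSet\Services\MSExchangeOWA'

function Set-HttpTransport([string]$Path) {
    # Keep the first backup only, so a second run cannot overwrite the original
    if (-not (Test-Path "$Path.bak")) { Copy-Item $Path "$Path.bak" }
    $text = [IO.File]::ReadAllText($Path)
    # -creplace is case-sensitive: only the exact name httpsTransport is changed,
    # and the replacement keeps the capital "T"
    $new = $text -creplace 'httpsTransport', 'httpTransport'
    if ($new -cne $text) { [IO.File]::WriteAllText($Path, $new) }  # assumes UTF-8
}

function Test-HttpTransport([string]$Path) {
    $text = [IO.File]::ReadAllText($Path)
    $all  = [regex]::Matches($text, 'https?transport', 'IgnoreCase')
    # Anything that is not exactly "httpTransport" is still HTTPS or is miscased
    $bad  = @($all | Where-Object { $_.Value -cne 'httpTransport' })
    New-Object PSObject -Property @{ Path = $Path; Total = $all.Count; Bad = $bad.Count }
}

function Test-OwaOffload {
    $p = Get-ItemProperty -Path $OwaKey -Name SSLOffloaded -ErrorAction SilentlyContinue
    $p.SSLOffloaded -eq 1
}

# Apply: registry DWORD for OWA, then both web.config files
New-ItemProperty -Path $OwaKey -Name SSLOffloaded -PropertyType DWord -Value 1 -Force |
    Out-Null
foreach ($file in $WebConfigs) { Set-HttpTransport $file }

# Verify: Bad must be 0 for every file, and the OWA check must print True
$WebConfigs | ForEach-Object { Test-HttpTransport $_ } |
    Format-Table Path, Total, Bad -AutoSize
"OWA SSLOffloaded = 1: $(Test-OwaOffload)"

iisreset   # restart IIS so the changes take effect
```

After these changes the CAS servers accept plain HTTP, so traffic between the load balancer and the CAS servers is unencrypted and that network segment should be reachable only from the load balancer.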

Other Important Notes:

  • Any databases created before the CAS Array is set up will need to be reconfigured to point to the CAS Array (definitely the default databases that are created)
    • Run: Set-MailboxDatabase "DBName" -RPCClientAccessServer "CASArrayName"

9 comments:

  1. I have been trying to figure this out for three days straight now and your insight resolved my issue. thanks a million!!!!!

  2. Tim, saw your post regarding DigiScope on the MS site and I appreciate it. Lets get you some experience with DigiScope so that you are well versed in the product. Please contact me at troyw@lucid8.com

  6. Hi.....
    To configure SSL Offloading for Autodiscover on Exchange 2010 RTM, open the IIS Manager and expand the Default Web Site. Under the Default Web Site select the “Autodiscover” virtual directory. Under features view, double-click on “SSL Settings”.