One of the ‘new’ features in Exchange 2013 SP1 is SSL Offloading, although ‘re-introduced’ would be the better word, since the feature was available in Exchange 2010 but not supported in Exchange 2013 RTM.
I’ve explained numerous times why you want to use SSL offloading in Exchange, but mainly for performance reasons (load balancers typically have a dedicated chip for SSL decryption) and for SSL certificate management. Suppose you have 8 Client Access servers and are *not* using SSL Offloading. In this case you have to manage the SSL certificate on each individual Client Access server. In an SSL offloading scenario you have only one SSL certificate to manage, and that’s the SSL certificate on the load balancer.
SSL Offloading can be configured for the following services:
- Outlook Web App;
- Exchange Admin Center;
- Exchange Web Services;
- Exchange Offline Address Book;
- Exchange ActiveSync;
- Autodiscover;
- Outlook Anywhere;
- Outlook Clients.
Note. You can perform SSL Offloading on a load balancer for the Mailbox Replication Proxy service (MRSProxy), but since SSL Offloading is not supported on the Client Access server for the MRSProxy, you have to use SSL bridging for it.
There are two ways to configure SSL Offloading:
- Using graphical tools like IIS Manager and the Exchange Admin Center
- Exchange Management Shell
There’s actually a third option as well: the IIS command-line utility AppCmd, which can also be used to configure IIS settings.
IIS Manager and EAC
To configure SSL Offloading for OWA open IIS Manager, select the Default Web Site and select the OWA Virtual Directory. In the Results Pane double click on SSL Settings, uncheck the Require SSL option and click Apply to save the new setting.
Note. In Exchange 2010 you had to set the SSLOffload value under the “HKLM\System\CurrentControlSet\Services\MSExchange OWA” registry key, but that’s no longer the case.
After changing this setting for OWA the OWA Application Pool needs to be restarted. You can do this in IIS Manager by recycling the MSExchangeOWAAppPool.
Most likely you are changing all Virtual Directories and Outlook Anywhere, so it makes more sense to skip this App Pool recycling at this point and perform an IISRESET when you’re done configuring all services.
Repeat these steps for the following Virtual Directories under the Default Web Site:
- ECP;
- EWS;
- MAPI;
- Microsoft-Server-ActiveSync;
- OAB;
- Autodiscover;
- PowerShell (if needed).
Outlook Anywhere can be configured using the Exchange Admin Center. Log on to the EAC and select Servers in the Feature Pane. Double click the appropriate server to open its properties. In the properties window select Outlook Anywhere. You’ll notice that Allow SSL offloading is already enabled; this is the default.
If for some reason SSL offloading is not enabled, check the Allow SSL offloading checkbox and click save to continue.
Now that all Virtual Directories and Outlook Anywhere are enabled for SSL Offloading you can perform an IISRESET /noforce command to recycle all IIS services.
PowerShell
The preferred method (at least my preferred method :-)) is to use PowerShell of course. Open a PowerShell window and enter the following commands to enable SSL offloading for the OWA Virtual Directory:
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OWA"
To recycle the Application Pool in PowerShell enter the following command:
Restart-WebAppPool MSExchangeOWAAppPool
Repeat these steps for ECP, OAB, EAS, EWS, Autodiscover and MAPI by using the following commands in PowerShell:
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/ECP"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OAB"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/EWS"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Microsoft-Server-ActiveSync"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Autodiscover"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/MAPI"
Since Outlook Anywhere is enabled for SSL Offloading by default there’s no need to change anything here. You can check this using the following command:
Get-OutlookAnywhere | select Server,*ssl*
If for some reason this is different and you want to enable SSL offloading using EMS you can use the following commands:
Get-OutlookAnywhere -Server AMS-EXCH01 | Set-OutlookAnywhere -SSLOffloading:$true -ExternalClientsRequireSsl:$true -ExternalHostName webmail.contoso.com -ExternalClientAuthenticationMethod Basic -InternalClientsRequireSsl:$true -InternalHostName webmail.contoso.com -InternalClientAuthenticationMethod Basic
When all Virtual Directories are configured execute an IISRESET /noforce command.
AppCmd
You can also use the command-line utility AppCmd (from a regular Command Prompt) to change this same setting. Navigate to the C:\Windows\System32\Inetsrv directory and enter the following command:
appcmd set config "Default Web Site/owa" /section:access /sslFlags:None /commit:APPHOST
To recycle the Application Pool you can use AppCmd as well:
appcmd Recycle AppPool MSExchangeOWAAppPool
For the other Virtual Directories the AppCmd commands are these:
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/EWS" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/owa" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/ecp" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/Autodiscover" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/OAB" /section:access /sslFlags:None /commit:APPHOST
%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/MAPI" /section:access /sslFlags:None /commit:APPHOST
iisreset /noforce
Summary
SSL Offloading is fully supported in Exchange 2013 SP1. You can use IIS Manager / EAC or PowerShell to enable SSL Offloading, but as you’ve seen SSL Offloading is enabled by default for Outlook Anywhere. A third option to configure SSL offloading is the IIS command-line utility AppCmd.
Hi Jaap. Great article but I am a bit confused about all this SSL offload stuff. In our scenario we have 4 Exchange 2013 CAS/MBX servers and we terminate SSL on a NetScaler load balancer, so the question is what should we do with all those settings? Should we uncheck “Require SSL” in IIS, and check “Allow SSL offloading” for Outlook Anywhere?
Hi,
it depends on what you want to do. Typically the SSL connection is terminated on the load balancer and re-encrypted to the Exchange servers. In this scenario you don’t have to do anything.
If you don’t want to re-encrypt and use port 80 to talk to the Exchange server you have to follow these steps (but I hardly see this happen).
How can I check with powershell what the settings are now? For instance:
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Autodiscover"
Even more, how to get the info for an array of servers?
To check this setting you can use something like this in PowerShell:
Get-WebConfigurationProperty -PSPath IIS: -Location "Default Web Site/Autodiscover" -Filter //security/access -name sslflags
If you have multiple servers you can create a small script that creates an array in PowerShell and retrieves this setting for each individual server. A script is relatively easy; it should be possible to create a one-liner as well (but I always struggle with this :-))
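The multi-server check asked about above, and the per-directory Set-WebConfigurationProperty procedure from the PowerShell section, as one added example (not the post author’s code). It assumes PowerShell remoting to the Client Access servers and the WebAdministration module on them; the server names are constructed placeholders. Because sslFlags = None makes the CAS accept plain HTTP, the script only reports by default and changes the setting only when -Remediate is given.

```powershell
# Added example: audit (and optionally clear) the IIS "Require SSL" flag on the
# Exchange 2013 virtual directories across several Client Access servers.
# Assumes PowerShell remoting and the WebAdministration module on each server.
param(
    [string[]]$Servers = @('AMS-EXCH01', 'AMS-EXCH02'),   # constructed placeholders
    [switch]$Remediate   # when set, put sslFlags to None where Require SSL is still on
)

# The virtual directories the post walks through (PowerShell is deliberately left out).
$VDirs = @('OWA', 'ECP', 'EWS', 'OAB', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'MAPI')

$Results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $vdirs = $using:VDirs
    $fix   = [bool]$using:Remediate
    Import-Module WebAdministration

    foreach ($vdir in $vdirs) {
        $location = "Default Web Site/$vdir"
        # A flags attribute comes back as a ConfigurationAttribute; its Value is a
        # string such as 'Ssl', 'Ssl, SslNegotiateCert' or 'None'.
        $prop  = Get-WebConfigurationProperty -PSPath 'IIS:' -Location $location `
                     -Filter //security/access -Name sslFlags
        $flags = [string]$prop.Value

        if ($fix -and $flags -ne 'None') {
            # Same change the post makes per directory; an IISRESET /noforce (or
            # app pool recycle) is still needed afterwards, as described above.
            Set-WebConfigurationProperty -PSPath 'IIS:' -Location $location `
                -Filter //security/access -Name sslFlags -Value 'None'
            $flags = 'None (changed)'
        }

        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            VDir      = $vdir
            SslFlags  = $flags
            Offloaded = ($flags -like 'None*')   # True = Require SSL is unchecked
        }
    }
}

$Results | Sort-Object Server, VDir | Format-Table Server, VDir, SslFlags, Offloaded -AutoSize

# Servers that still require SSL on at least one directory; these will reject the
# plain-HTTP hop from a load balancer that is not re-encrypting.
$Results | Where-Object { -not $_.Offloaded } | Select-Object -ExpandProperty Server -Unique
```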
Hi Jaap, just wondering if it has to be done on a per virtual directory basis rather than set at the root Default Web Site.
Hi Jaap, could you please help me out on SSL offloading an Exchange 2016 server? Can I use the above instructions one-to-one for Exchange 2016?
If not, what would happen if I offload SSL (with a reverse proxy on HAProxy on my pfSense box) and let the Let’s Encrypt certificate on my Exchange 2016 expire (of course with a valid certificate on pfSense)?
Yes, this is not very different. When using SSL offloading the external certificate should be valid of course. On the Exchange server you can even use the self-signed certificate without issues, and when the existing certificate expires that’s no problem either. When re-encrypting traffic the certificate is only used for encryption, not for authentication.