Exchange 2013 SP1 SSL Offloading

One of the ‘new’ features in Exchange 2013 SP1 is SSL Offloading, although ‘re-introduced’ is the better word, since this feature was available in Exchange 2010 but not supported in Exchange 2013 RTM.

I’ve explained numerous times why you want to use SSL offloading in Exchange, mainly for performance reasons (load balancers typically have a dedicated chip for SSL decryption) and for SSL certificate management. Suppose you have 8 Client Access servers and are *not* using SSL Offloading. In this case you have to manage the SSL certificate on each individual Client Access server. In an SSL offloading scenario you have only one SSL certificate to manage, and that’s the SSL certificate on the load balancer.

SSL Offloading can be configured for the following services:

  • Outlook Web App;
  • Exchange Admin Center;
  • Exchange Web Services;
  • Exchange Offline Address Book;
  • Exchange ActiveSync;
  • Autodiscover;
  • Outlook Anywhere;
  • Outlook Clients.

Note. You can perform SSL Offloading on the load balancer for the Mailbox Replication Proxy service (MRSProxy), but since SSL Offloading is not supported on the Client Access server for MRSProxy you have to use SSL bridging (re-encrypt the traffic between the load balancer and the Client Access server).

There are two ways to configure SSL Offloading:

  • Using graphical tools like IIS Manager and the Exchange Admin Center
  • Exchange Management Shell

There’s actually a third option as well: the IIS command line utility AppCmd, which you can also use to configure IIS settings.

IIS Manager and EAC

To configure SSL Offloading for OWA open IIS Manager, select the Default Web Site and select the OWA Virtual Directory. In the Results Pane double click on SSL Settings, uncheck the Require SSL option and click Apply to save the new setting.


Note. In Exchange 2010 you had to set the SSLOffload value under the “HKLM\System\CurrentControlSet\Services\MSExchange OWA” registry key, but that’s no longer the case.

After changing this setting for OWA the OWA Application pool needs to be restarted. You can do this in the IIS Manager by recycling the MSExchangeOWAAppPool:


Most likely you are changing all Virtual Directories and Outlook Anywhere, so it makes more sense to skip the App Pool recycling at this point and perform an IISRESET when you’re done configuring all services.

Repeat these steps for the following Virtual Directories under the Default Web Site:

  • ECP;
  • EWS;
  • MAPI;
  • Microsoft-Server-ActiveSync;
  • OAB;
  • Autodiscover;
  • PowerShell (if needed).

Outlook Anywhere can be configured using the Exchange Admin Center. Log on to the EAC and select Servers in the Feature Pane. Double click the appropriate server to open its properties. In the properties window select Outlook Anywhere. You’ll notice that Allow SSL offloading is already enabled; this is the default.


If for some reason SSL offloading is not enabled, check the Allow SSL offloading checkbox and click save to continue.

Now that all Virtual Directories and Outlook Anywhere are enabled for SSL Offloading you can run an IISRESET /noforce command to recycle all IIS services.

PowerShell

The preferred method (at least my preferred method :-)) is of course to use PowerShell. Open a PowerShell window and enter the following commands to enable SSL offloading for the OWA Virtual Directory:

Import-Module WebAdministration
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OWA"


To recycle the Application Pool in PowerShell enter the following command:

Restart-WebAppPool MSExchangeOWAAppPool

Repeat these steps for ECP, OAB, EAS, EWS, Autodiscover and MAPI by using the following commands in PowerShell:

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/ECP"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/OAB"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/EWS"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Microsoft-Server-ActiveSync"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Autodiscover"

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/MAPI"

Since Outlook Anywhere is enabled for SSL Offloading by default there’s no need to change anything here. You can check this using the following command:

Get-OutlookAnywhere | select Server,*ssl*


If for some reason this is different and you want to enable SSL offloading using EMS you can use the following command:

Get-OutlookAnywhere -Server AMS-EXCH01 | Set-OutlookAnywhere -SSLOffloading:$true -ExternalClientsRequireSsl:$true -ExternalHostName webmail.contoso.com -ExternalClientAuthenticationMethod Basic -InternalClientsRequireSsl:$true -InternalHostName webmail.contoso.com -InternalClientAuthenticationMethod Basic

When all Virtual Directories are configured execute an IISRESET /noforce command.

AppCmd

You can also use the Command Line (regular Command Prompt) utility AppCmd to change this same setting. Navigate to the C:\Windows\System32\Inetsrv directory and enter the following command:

appcmd set config "Default Web Site/owa" /section:access /sslFlags:None /commit:APPHOST


To recycle the Application Pool you can use AppCmd as well:

appcmd Recycle AppPool MSExchangeOWAAppPool

For the other Virtual Directories the AppCmd commands are as follows:

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/EWS" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/owa" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/ecp" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/Autodiscover" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/OAB" /section:access /sslFlags:None /commit:APPHOST

%SystemRoot%\system32\inetsrv\appcmd set config "Default Web Site/MAPI" /section:access /sslFlags:None /commit:APPHOST

iisreset /noforce

Summary

SSL Offloading is fully supported in Exchange 2013 SP1. You can use the IIS Manager / EAC or PowerShell to enable SSL Offloading but as you’ve seen SSL Offloading is enabled by default for Outlook Anywhere. A 3rd option to configure SSL offloading is using the (IIS) Command Line Utility AppCmd.

9 thoughts on “Exchange 2013 SP1 SSL Offloading”

  1. Hi Jaap. Great article but I am bit confused about all this ssl offload stuff. In our scenario we have 4 exchange 2013 CAS/MBX servers and we terminate SSL on Netscaler loadbalancer so the question is what should we do with all those setting? Should we uncheck “Require SSL” on IIS, and check “Allow SSL offloading” for outlook anywhere?


    1. Hi,

      it depends on what you want to do. Typically the SSL connection is terminated on the load balancer, and re-encrypted to the Exchange servers. In this scenario you don’t have to do anything.
      If you don’t want to re-encrypt and use port 80 to talk to the Exchange server you have to follow these steps (but I hardly see this happen).


  2. How can I check with powershell what the settings are now? For instance:
    Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS: -Location "Default Web Site/Autodiscover"
    Even more, how to get the info for an array of servers?


    1. To check this setting you can use something like this in PowerShell:
      Get-WebConfigurationProperty -PSPath IIS: -Location "Default Web Site/Autodiscover" -Filter //security/access -name sslflags

      If you have multiple servers you can create a small script that creates an array in PowerShell and retrieve this setting for each individual server. A script is relatively easy, it should be possible to create a oneliner as well (but I always struggle with this :-))

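The reply above says that a script for an array of servers is relatively easy. Here is one way to do it, as an added example that is not part of the original post or its comments; it also covers the Set-WebConfigurationProperty commands in the PowerShell section of the article by reading back what they set. It assumes PowerShell remoting is enabled on the servers, the server names are placeholders you replace, and the Get-OutlookAnywhere line runs from the Exchange Management Shell.

```powershell
# Added example, not from the original post. Audits the IIS sslFlags ("Require SSL")
# setting of each Exchange virtual directory on a list of servers, so you can see
# which directories accept plain HTTP from the load balancer after offloading.
# Assumptions: WinRM remoting is enabled; the server names below are placeholders.
$Servers = @('AMS-EXCH01', 'AMS-EXCH02')
$VDirs   = @('OWA', 'ECP', 'EWS', 'OAB', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'MAPI')

$results = Invoke-Command -ComputerName $Servers -ArgumentList (,$VDirs) -ScriptBlock {
    param([string[]]$VDirs)
    Import-Module WebAdministration
    foreach ($vdir in $VDirs) {
        $prop = Get-WebConfigurationProperty -PSPath 'IIS:' -Location "Default Web Site/$vdir" `
                    -Filter //security/access -Name sslflags
        # The IIS provider normally returns a configuration attribute object whose
        # Value holds the flags string; fall back to the object itself if it is a plain string
        $flags = if ($null -ne $prop.Value) { [string]$prop.Value } else { [string]$prop }
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            VDir        = $vdir
            SslFlags    = $flags
            # 'None' means SSL is no longer required, i.e. the directory is set up for
            # offloading and will accept HTTP on port 80 from the load balancer.
            RequiresSsl = ($flags -match '\bSsl\b')
        }
    }
}

$results | Sort-Object Server, VDir | Format-Table Server, VDir, SslFlags, RequiresSsl -AutoSize

# Outlook Anywhere is an Exchange setting rather than an IIS one, so check it with the Exchange cmdlet
Get-OutlookAnywhere | Select-Object Server, SSLOffloading, ExternalClientsRequireSsl, InternalClientsRequireSsl
```

Any row with RequiresSsl set to True is a directory that still enforces SSL and would fail a load balancer that talks plain HTTP to it; rows with None are the ones where the load balancer to server hop is unencrypted unless you re-encrypt.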

  3. Hi Jaap, could you please help me out on SSL offloading an Exchange 2016 server? Can I use the above instructions one-to-one for Exchange 2016?

    If not, what would happen if I offload SSL (with a reverse proxy on HAProxy on my pfSense box) and let the Letsencrypt certificate on my Exchange 2016 expire (of course with a valid certificate on pfSense)?


    1. Yes, this is not very different. When using SSL offloading the external certificate should be valid of course. On the Exchange server, you can use even the self-signed certificate without issues, also when the existing certificate expires that’s no problem. When re-encrypting traffic the certificate is only used for encryption, not for authentication.

