Enable SSL Offloading in CAS Array

Conceptual diagram (the image is not reproduced in this copy): client connectivity with SSL offloading (SSL acceleration) enabled.

Configuring SSL Offloading for Outlook Web App (OWA)

To configure SSL offloading for Outlook Web App (OWA), you must perform two steps on each CAS server in the respective CAS array. First, you must add an SSL offload REG_DWORD value. To do so, open the registry editor and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Under this registry key, create a new REG_DWORD value named “SSLOffloaded” and set its value to “1”.

Next, disable the requirement for SSL on the OWA virtual directory. To do so, open the IIS Manager and expand the Default Web Site. Under the Default Web Site, select the “owa” virtual directory. Under features view, double-click on “SSL Settings”. Now uncheck “Require SSL” and click “Apply” in the Actions pane.

Finally, open a command prompt window and run “iisreset /noforce” in order for the changes to be applied.
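The OWA procedure above as a PowerShell script, added here as an example and not part of the original article. It assumes an elevated PowerShell session on the CAS server itself with the IIS WebAdministration module available (Windows Server 2008 R2 or later). It is generalized slightly: Disable-RequireSsl takes the virtual directory name, so the same call clears “Require SSL” on the ecp, OAB, Microsoft-Server-ActiveSync, EWS and Autodiscover virtual directories described in the later sections. The function and variable names are my own.

```powershell
# Added example, not from the original article. Run elevated on the CAS server.
Import-Module WebAdministration

# Registry key named in the article; SSLOffloaded is the value OWA (and ECP) reads.
$owaRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

function Set-OwaSslOffloadKey {
    # Step 1: create or update the SSLOffloaded REG_DWORD and return what was written.
    if (-not (Test-Path -Path $owaRegPath)) {
        throw "Registry key not found: $owaRegPath (is the CAS role installed on this server?)"
    }
    New-ItemProperty -Path $owaRegPath -Name 'SSLOffloaded' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $owaRegPath -Name 'SSLOffloaded').SSLOffloaded
}

function Get-SslFlags {
    # Reads the sslFlags attribute of a virtual directory under Default Web Site.
    param([Parameter(Mandatory = $true)][string]$VirtualDirectory)
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "Default Web Site/$VirtualDirectory" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # Depending on the module version this comes back as a string or as an
    # attribute object with a Value property; normalize to a string.
    if ($flags -is [string]) { return $flags }
    return [string]$flags.Value
}

function Disable-RequireSsl {
    # Step 2: same change as unchecking "Require SSL" in IIS Manager > SSL Settings.
    # 'None' clears every SSL flag (an empty string has the same effect).
    param([Parameter(Mandatory = $true)][string]$VirtualDirectory)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "Default Web Site/$VirtualDirectory" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
    $after = Get-SslFlags -VirtualDirectory $VirtualDirectory
    # "Ssl" as a whole word is the Require SSL flag; SslNegotiateCert etc. are other flags.
    if ($after -match '\bSsl\b') {
        throw "'$VirtualDirectory' still requires SSL (sslFlags = '$after')"
    }
    return $after
}

# OWA: both steps, then restart IIS so the changes take effect.
$keyValue = Set-OwaSslOffloadKey
Write-Host "SSLOffloaded = $keyValue"
Write-Host "owa sslFlags before: '$(Get-SslFlags -VirtualDirectory 'owa')'"
$after = Disable-RequireSsl -VirtualDirectory 'owa'
Write-Host "owa sslFlags after:  '$after'"
iisreset /noforce
```

Reading sslFlags back before and after is the check worth keeping when you repeat this on every CAS in the array: a server where the flag is still set will keep answering plain HTTP from the load balancer with a 403, and the read-back catches that before the iisreset.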

Configuring SSL Offloading for Exchange Control Panel (ECP) 

Unlike OWA, configuring SSL offloading for the Exchange Control Panel (ECP) doesn’t require a separate registry key to be set; to be more specific, ECP uses the same SSLOffloaded registry key as the one we set for OWA.

So in order to enable SSL offloading for ECP, the only thing we need to do is to disable the SSL requirement on the ECP virtual directory. To do so, let’s open the IIS Manager and expand the Default Web Site. Under the Default Web Site, select the “ecp” virtual directory. Under features view, double-click on “SSL Settings”.


Now uncheck “Require SSL” and click “Apply” in the Actions pane.

Finally, open a command prompt window and run “iisreset /noforce” so that the changes are applied.

Configuring SSL Offloading for Outlook Anywhere (OA)

Enabling SSL offloading for Outlook Anywhere requires only one step, which, depending on whether Outlook Anywhere is already enabled, can be done via the Exchange Management Console (EMC) or the Exchange Management Shell (EMS).

If you haven’t enabled Outlook Anywhere yet, you can select SSL offloading when running the “Enable Outlook Anywhere” wizard. You can access this wizard by right-clicking the respective CAS server in EMC and selecting “Enable Outlook Anywhere” in the context menu.

This brings up the wizard, where you enter the external host name to be used and check “Allow secure channel (SSL) offloading”.

If you already enabled Outlook Anywhere in your environment, you need to use the Set-OutlookAnywhere cmdlet to enable SSL offloading. If this is the case, open the Exchange Management Shell and type the following command:

Set-OutlookAnywhere -Identity CAS_server\RPC* -SSLOffloading $true

Running the above command will disable the requirement for SSL for the RPC virtual directory in IIS, which means we don’t need to do so manually, as is the case with the other services/protocols.
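As an added check (example code, not from the original article), the following PowerShell enables SSL offloading with Set-OutlookAnywhere and then reads the Rpc virtual directory’s sslFlags from IIS to confirm that the cmdlet did clear the SSL requirement, as stated above. It assumes an elevated Exchange Management Shell session on the CAS server itself (so the WebAdministration module reads the local applicationHost.config); CAS01 is a placeholder server name and the function names are my own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the CAS server itself, elevated.
Import-Module WebAdministration

$ServerName = 'CAS01'   # placeholder; replace with the CAS server being configured

function Test-RpcRequireSsl {
    # $true when the Rpc virtual directory still carries the Ssl (Require SSL) flag.
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/Rpc' `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $text = if ($flags -is [string]) { $flags } else { [string]$flags.Value }
    return ($text -match '\bSsl\b')
}

function Enable-OutlookAnywhereSslOffload {
    param([Parameter(Mandatory = $true)][string]$Server)
    $oa = Get-OutlookAnywhere -Server $Server
    if (-not $oa) {
        throw "Outlook Anywhere is not enabled on $Server; run the Enable Outlook Anywhere wizard (or Enable-OutlookAnywhere) first."
    }
    # Equivalent of the article's command, using the object's real identity
    # (for example "CAS01\Rpc (Default Web Site)") instead of a wildcard.
    Set-OutlookAnywhere -Identity $oa.Identity -SSLOffloading $true
    return (Get-OutlookAnywhere -Server $Server).SSLOffloading
}

Write-Host "Rpc requires SSL before: $(Test-RpcRequireSsl)"
$enabled = Enable-OutlookAnywhereSslOffload -Server $ServerName
Write-Host "SSLOffloading on Outlook Anywhere: $enabled"
if (Test-RpcRequireSsl) {
    Write-Warning "IIS still reports Require SSL on Rpc; re-check the setting in IIS Manager."
} else {
    Write-Host "Rpc no longer requires SSL, as expected."
}
```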

Configuring SSL Offloading for the Offline Address Book (OAB)

To enable SSL offloading for the Offline Address Book (OAB) you just need to remove the SSL requirement on the OAB virtual directory. To do so, let’s open the IIS Manager and expand the Default Web Site. Under the Default Web Site select the “OAB” virtual directory. Under features view, double-click on “SSL Settings”.

Now uncheck “Require SSL” and click “Apply” in the Actions pane.

Finally, open a command prompt window and run “iisreset /noforce” so that the changes are applied.

Configuring SSL Offloading for Exchange ActiveSync (EAS)

Some of you may recall having read on Microsoft TechNet and in various other places that SSL offloading for Exchange ActiveSync isn't supported. This used to be true, but it is now fully supported (although the Exchange documentation on Microsoft TechNet hasn’t been updated to reflect this yet).

SSL offloading for Exchange ActiveSync is only supported at the Internet ingress point. It’s still not supported in CAS-CAS proxy scenarios between Active Directory sites.

Configuring Exchange ActiveSync to support SSL offload is very simple. You only need to remove the requirement for SSL in IIS. To do so, let’s open the IIS Manager and expand the Default Web Site. Under the Default Web Site select the “Microsoft-Server-ActiveSync” virtual directory. Under features view, double-click on “SSL Settings”.

Now uncheck “Require SSL” and click “Apply” in the Actions pane.

Finally, open a command prompt window and run “iisreset /noforce” so that the changes are applied.

Configuring SSL Offloading for Exchange Web Services (EWS)

With Exchange 2010 SP1 and SP2, you will no longer need to modify the web.config file. Performing the process below with the new SP1 or SP2 files will cause EWS to fail activation. To offload SSL for EWS, you only need to remove the SSL requirement from the IIS virtual directory as described in the steps above.

To configure SSL offloading for Exchange Web services in Exchange 2010 RTM, you must perform two modifications. The first one is to remove the SSL requirement for the EWS virtual directory in IIS. To do so, let’s open the IIS Manager and expand the Default Web Site. Under the Default Web Site select the “EWS” virtual directory. Under features view, double-click on “SSL Settings”.

Now uncheck “Require SSL” and click “Apply” in the Actions pane.

The next step is to make a change to the configuration file (web.config) for the EWS virtual directory. This file can be found under C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews and can be modified using a text editor such as Notepad.

It's recommended you take a backup of the web.config file before you perform the next step.

In the web.config file, replace all occurrences of “httpsTransport” with “httpTransport” and then save the file.

The new SP1 web.config file contains binding entries for both httpTransport and httpsTransport that match the binding name. For example, there is now an EWSHttpBinding and an EWSHttpsBinding.

Finally, open a command prompt window and run “iisreset /noforce” so that the changes are applied.

With Exchange 2010 SP1, you will no longer need to modify the web.config file. To offload SSL for EWS, you only need to remove the SSL requirement from the IIS virtual directory.

Configuring SSL Offloading for Autodiscover Service (AS)

To enable SSL offloading for the Autodiscover service, you must perform the same steps as those applied to the Exchange Web service virtual directory.

With Exchange 2010 SP1 and SP2, you will no longer need to modify the web.config file. Performing the process below with the new SP1 or SP2 files will cause Autodiscover to fail activation. To offload SSL for Autodiscover, you only need to remove the SSL requirement from the IIS virtual directory as described in the steps above.

To configure SSL offloading for Autodiscover on Exchange 2010 RTM, open the IIS Manager and expand the Default Web Site. Under the Default Web Site select the “Autodiscover” virtual directory. Under features view, double-click on “SSL Settings”.

Now uncheck “Require SSL” and click “Apply” in the Actions pane.

Next you need to change the configuration file (web.config) for the Autodiscover service virtual directory. This file can be found under C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover and can be modified using a text editor such as Notepad.

It's recommended you take a backup of the web.config file before you perform the next step.

In the web.config file, replace all occurrences of “httpsTransport” with “httpTransport” and then save the file.

The new SP1 web.config file contains binding entries for both httpTransport and httpsTransport that match the binding name. For example, there is now an AutodiscoverBasicHttpBinding and an AutodiscoverBasicHttpsBinding.

Finally, open a command prompt window and run “iisreset /noforce” so that the changes are applied.
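The RTM-only web.config edit for both the EWS (exchweb\ews) and Autodiscover virtual directories, as an added PowerShell example that is not part of the original article. It takes the backup the article recommends before touching each file and, because the article says the SP1/SP2 files already contain matching httpTransport and httpsTransport bindings and fail activation if edited, it refuses to modify a file that already contains an httpTransport entry; that guard is my own assumption, not something the article states. The paths are the ones given in the article; the function name is mine.

```powershell
# Added example, not from the original article. Run elevated on the CAS server.
# Paths are the ones the article gives for the EWS and Autodiscover web.config files.
$webConfigs = @(
    'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews\web.config',
    'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover\web.config'
)

function Convert-WebConfigToHttpTransport {
    # Replaces every httpsTransport with httpTransport in one web.config, after
    # backing it up. Returns a one-line summary of what happened.
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "web.config not found: $Path" }
    # ReadAllText/WriteAllText keep this working on PowerShell 2.0 (no -Raw).
    $content = [System.IO.File]::ReadAllText($Path)

    # Guard (assumption based on the article's SP1/SP2 note): a file that already
    # has httpTransport bindings is an SP1-or-later file and must not be edited.
    # 'httpTransport' cannot match inside 'httpsTransport', so this test is safe.
    if ($content -match 'httpTransport') {
        return "SKIPPED $Path - already contains httpTransport bindings (SP1 or later); only clear Require SSL in IIS"
    }
    $occurrences = [regex]::Matches($content, 'httpsTransport').Count
    if ($occurrences -eq 0) {
        return "SKIPPED $Path - no httpsTransport entries found"
    }

    # Backup first, as the article recommends.
    $backup = $Path + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak'
    Copy-Item -Path $Path -Destination $backup

    $updated = $content.Replace('httpsTransport', 'httpTransport')
    [System.IO.File]::WriteAllText($Path, $updated, [System.Text.Encoding]::UTF8)
    return "UPDATED $Path - replaced $occurrences occurrence(s); backup at $backup"
}

foreach ($cfg in $webConfigs) {
    Write-Host (Convert-WebConfigToHttpTransport -Path $cfg)
}
iisreset /noforce
```

The summary line per file is what you want in the change record for each CAS: on an SP1 or SP2 server both files should report SKIPPED, and an UPDATED line on such a server means the wrong build was assumed and the backup should be restored before the iisreset.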