Exchange 2010 SSL Offloading using Zen Load Balancer- Part IV

 

 

Hello World,

Finally, we conclude this 4-part article on the SSL offloading configuration that can be used within an Exchange infrastructure.  In Part III we configured the Zen Load Balancer in such a way that the Exchange traffic to the CAS servers is load balanced.  The configuration is not complete yet: we still need to install our certificate on the Zen Load Balancer, and we need to tweak our Exchange servers so that they accept the SSL offloaded (plain HTTP) traffic coming from the load balancer.

I. Configuring the Certificates on the Zen Load Balancer

To perform this task, we will need to go through 3 steps:

  • Step 1 – Export Certificates from the Exchange Server
  • Step 2 – Convert the Certificate to .pem format
  • Step 3 – Import the certificate in the Zen Load Balancer

Step 1 – Export SSL Certificates from Exchange

Open your Exchange Management Console. Expand the Server Configuration node and click on it.  In the middle pane, select one of your Client Access servers; the bottom section of that pane lists the certificates installed for Exchange.  Identify the certificate that was issued to you by your Certificate Authority, right-click on it, and select Export Certificate.


The Export Certificate wizard starts.  On its page, specify where to store the exported file and provide a password.  This password protects the private key inside the .pfx file, and you will need it again in Step 2.  Press the Export button.

 


Check that you receive green ticks. If everything is OK, press Finish.

 


 

You have just exported your certificate, together with its private key, as a password-protected .pfx file.  Treat that file as a secret.

 

Step 2 – Convert the certificate from .pfx format into .pem format

The Zen Load Balancer (version 2, release candidate 1) supports importing certificates, but it accepts only .pem files, so the .pfx you just exported has to be converted first.  In a test environment, with a throw-away certificate, you can simply use a web site interface such as the one shown below.  Never do this with a real certificate: uploading the .pfx hands your private key to a third party.

 


In a production environment, where you need to convert from .pfx to .pem format, it is highly recommended to use the OpenSSL utility on your own machine/network.  This way the private key never leaves your control.  Download the OpenSSL utility, open a command prompt and type the following command to convert your .pfx file into a .pem file:

openssl pkcs12 -in c:\certs\exchangeCertificate.pfx -out c:\certs\ExchangeCertificate.pem -nodes

You will be prompted for the password you set during the export.  The -nodes option writes the private key into the .pem file unencrypted; that is what the appliance needs, since it cannot prompt for a passphrase, but it also means the resulting .pem file is every bit as sensitive as the .pfx.  Keep it on a protected volume, import it into the Zen Load Balancer appliance, then delete the local copy.
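As an added example that is not part of the original post, the PowerShell script below does the same conversion with OpenSSL but goes a step further than the single command above: it splits the .pfx into leaf certificate, CA chain and key, strips the "Bag Attributes" lines that openssl pkcs12 adds, checks that the key is unencrypted and actually matches the certificate, and writes the file in the order the appliance documentation (quoted by the author in the comments below) expects: server certificate, optional chain, private key. The paths are the placeholders from the post, openssl.exe is assumed to be on the PATH, and the certificate is assumed to be RSA (as Exchange 2010 certificates are); the password is read interactively and passed through an environment variable so it never lands in shell history.

```powershell
# Added example (not from the original post): .pfx -> Zen-ready .pem with sanity checks.
# Assumptions: openssl.exe on PATH, RSA certificate, placeholder paths from the post.
$PfxPath = 'C:\certs\exchangeCertificate.pfx'
$OutPem  = 'C:\certs\ExchangeCertificate.pem'

function Invoke-OpenSsl([string[]]$Arguments) {
    # Run openssl and stop on a non-zero exit code instead of carrying on with a
    # partial or empty output file.
    $output = & openssl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments[0]) exited with code $LASTEXITCODE" }
    $output
}

function Get-PemBlocks([string]$Path) {
    # 'openssl pkcs12' decorates every block with 'Bag Attributes', 'subject=' and
    # 'issuer=' lines. Keep only the lines between the BEGIN/END markers.
    $inside = $false
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -like '-----BEGIN *') { $inside = $true }
        if ($inside) { $line }
        if ($line -like '-----END *') { $inside = $false }
    }
}

$work = Join-Path $env:TEMP ('zenpem-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null

# Prompt for the export password and hand it to openssl via -passin env:, so it
# never appears on a command line, in history or in a process listing.
$secure = Read-Host -Prompt 'PFX export password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    $server = Join-Path $work 'server.crt'   # leaf certificate only
    $chain  = Join-Path $work 'chain.crt'    # CA certificates bundled in the .pfx, if any
    $key    = Join-Path $work 'key.pem'      # private key, unencrypted (-nodes)
    Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-clcerts', '-nokeys', '-passin', 'env:PFXPASS', '-out', $server) | Out-Null
    Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-cacerts', '-nokeys', '-passin', 'env:PFXPASS', '-out', $chain)  | Out-Null
    Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-nocerts', '-nodes',  '-passin', 'env:PFXPASS', '-out', $key)    | Out-Null

    $serverPem = @(Get-PemBlocks $server)
    $chainPem  = @(Get-PemBlocks $chain)
    $keyPem    = @(Get-PemBlocks $key)

    # Check 1: exactly one leaf certificate and one private key came out of the .pfx.
    if (@($serverPem | Where-Object { $_ -like '-----BEGIN CERTIFICATE-----' }).Count -ne 1) { throw 'expected exactly one server certificate in the .pfx' }
    if (@($keyPem | Where-Object { $_ -like '-----BEGIN *PRIVATE KEY-----' }).Count -ne 1)  { throw 'expected exactly one private key in the .pfx' }
    # Check 2: the key really is unencrypted; the appliance cannot prompt for a passphrase.
    if ($keyPem -match 'ENCRYPTED') { throw 'private key is still encrypted' }
    # Check 3: the key belongs to this certificate (same RSA modulus).
    $certMod = Invoke-OpenSsl @('x509', '-noout', '-modulus', '-in', $server)
    $keyMod  = Invoke-OpenSsl @('rsa',  '-noout', '-modulus', '-in', $key)
    if ("$certMod" -ne "$keyMod") { throw 'private key does not match the server certificate' }
    # Check 4: the bundled chain validates the leaf. This only succeeds when the root was
    # exported as well, so a failure is something to review rather than a hard stop.
    if ($chainPem.Count -gt 0) {
        & openssl verify -CAfile $chain $server
        if ($LASTEXITCODE -ne 0) { Write-Warning 'the chain in the .pfx does not validate the server certificate; check that the intermediate CA certificate is present' }
    } else {
        Write-Warning 'no CA certificates in the .pfx; if your CA uses an intermediate, append its PEM block between the server certificate and the key'
    }

    # Order the appliance expects: server certificate, optional chain, private key.
    # Plain ASCII without a BOM so the Linux side parses it cleanly.
    ($serverPem + $chainPem + $keyPem) | Set-Content -Path $OutPem -Encoding ASCII
    Write-Host "wrote $OutPem; it contains the private key, so upload it and then delete it"
}
finally {
    Remove-Item -Path 'Env:\PFXPASS' -ErrorAction SilentlyContinue
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

The three pkcs12 calls (-clcerts, -cacerts, -nocerts) are the reason the output order can be controlled; the single command in the post dumps key and certificates in whatever order the .pfx stores them, which some appliances reject. The modulus comparison is the check that catches the most common mistake, exporting the wrong certificate from a server that holds several.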

Step 3 – Import the Certificate into the Zen Load Balancer Appliance

From your browser, go to the web management interface of the Zen Load Balancer.  On the menu, click on Manage and then on Certificates.

 


The Manage Certificates page opens.  Click on the green arrow to import your certificate file.  A popup box asks for the location of the .pem file: browse to it and press Upload.


 

If everything went fine, you should see your new certificate.


To finalize the installation, edit the Outlook Web App farm settings and make sure the farm uses the newly imported certificate; until you do, the load balancer keeps presenting whatever certificate the farm was created with.

 


II. Finalizing the Exchange configuration for SSL Offloading Support

This link explains how to configure Exchange 2010 SP1 to work in conjunction with an SSL offloading device.  It covers the configuration to be performed for every Exchange service that you want to offload.  In this post, we will simply focus on two services: Outlook Web App (OWA) and the Exchange Control Panel (ECP).

 

To configure SSL offloading for Outlook Web App and ECP, you will need to create a registry value on each CAS server that is a member of your CAS array.  Open the registry editor (regedit) and go to the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Under this registry key, create a new REG_DWORD value named SSLOffloaded and set it to 1.  OWA reads this value when its application pool starts, so restart IIS (iisreset /noforce) once the IIS changes below are done as well.


After adding this registry value, we need to remove the SSL requirement from the owa and ecp virtual directories, otherwise IIS will reject the plain HTTP requests forwarded by the load balancer.  Open IIS Manager, expand the Default Web Site and locate the owa virtual directory.  In the middle pane, double-click on SSL Settings (the padlock icon).

 


 

In the SSL Settings page, uncheck the Require SSL box.

 


 

You will need to perform the same operation on the ecp virtual directory.  Click on the ecp virtual directory, double-click on SSL Settings and, in the SSL Settings page, ensure that the Require SSL check box is not ticked.

 

Note:

To offload the Offline Address Book, ActiveSync, the Autodiscover service and Exchange Web Services as well, simply remove the SSL requirement on their respective virtual directories in IIS Manager, in the same way as for owa and ecp.

For the Mailbox Replication Proxy service, enabling SSL offloading requires editing the web.config file located under C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews (back the file up first).  In the file, search for MRSProxyHttpsBinding and click Find Next twice: the second match is the binding definition.  Inside it, remove the "s" from the line <httpsTransport authenticationScheme="Negotiate" maxReceivedMessageSize="1048576" /> so that it reads <httpTransport authenticationScheme="Negotiate" maxReceivedMessageSize="1048576" />.

For more information, please have a look at this detailed description of SSL offloading.
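The whole Exchange-side procedure above (registry value, Require SSL removed on owa and ecp plus the virtual directories the note lists, and the MRS Proxy web.config edit), as an added PowerShell example that is not part of the original post. It is meant to be run in an elevated PowerShell session on every CAS server in the array, and assumes an Exchange 2010 SP1 default installation path, the default virtual directory names under Default Web Site, and the IIS 7.x WebAdministration module; adjust $ExchangeRoot and $Site if your environment differs. The Test-SslOffloadConfig function at the end reads the settings back so you are not trusting that the cmdlets silently succeeded.

```powershell
# Added example (not from the original post): Exchange 2010 SP1 CAS settings for SSL offloading.
# Assumptions: default install path, default vdir names, WebAdministration module present.
Import-Module WebAdministration
$ErrorActionPreference = 'Stop'

$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V14'
$Site         = 'IIS:\Sites\Default Web Site'

# 1. Registry value telling OWA (and ECP, which shares it) that it sits behind an offloader.
$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
New-ItemProperty -Path $owaKey -Name 'SSLOffloaded' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Clear "Require SSL" on the offloaded virtual directories: owa and ecp as in the
#    walkthrough, plus the services the note lists (default Exchange 2010 vdir names).
#    'None' is the sslFlags value that corresponds to an unticked Require SSL box.
$vdirs = 'owa', 'ecp', 'OAB', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'EWS'
foreach ($vdir in $vdirs) {
    Set-WebConfigurationProperty -PSPath "$Site\$vdir" -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
}

# 3. MRS Proxy: in the EWS web.config, swap <httpsTransport .../> inside the
#    MRSProxyHttpsBinding binding for <httpTransport .../> with the same attributes.
#    This is the "remove the s" edit; the second search hit in the post is this node.
$webConfig = Join-Path $ExchangeRoot 'ClientAccess\exchweb\ews\web.config'
Copy-Item -Path $webConfig -Destination ('{0}.{1}.bak' -f $webConfig, (Get-Date -Format 'yyyyMMddHHmmss'))
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true        # keep the file's layout so the backup diff stays readable
$xml.Load($webConfig)
$https = $xml.SelectSingleNode("//binding[@name='MRSProxyHttpsBinding']/httpsTransport")
if ($https -eq $null) {
    Write-Warning 'MRSProxyHttpsBinding already uses httpTransport or was not found; web.config left unchanged'
} else {
    $http = $xml.CreateElement('httpTransport')
    foreach ($attr in $https.Attributes) { $http.SetAttribute($attr.Name, $attr.Value) | Out-Null }
    $https.ParentNode.ReplaceChild($http, $https) | Out-Null
    $xml.Save($webConfig)
}

# 4. Read everything back. Returns $true only when every setting is in the offloaded state.
function Test-SslOffloadConfig {
    $ok = $true
    if ((Get-ItemProperty -Path $owaKey -Name 'SSLOffloaded').SSLOffloaded -ne 1) {
        $ok = $false; Write-Warning 'SSLOffloaded is not set to 1'
    }
    foreach ($vdir in $vdirs) {
        # The attribute comes back as a flags value; both the name 'None' and 0 mean "not required".
        $flags = "$((Get-WebConfigurationProperty -PSPath "$Site\$vdir" -Filter 'system.webServer/security/access' -Name 'sslFlags').Value)"
        if ($flags -ne 'None' -and $flags -ne '0') { $ok = $false; Write-Warning "$vdir still requires SSL (sslFlags=$flags)" }
    }
    $ews = New-Object System.Xml.XmlDocument
    $ews.Load($webConfig)
    if ($ews.SelectSingleNode("//binding[@name='MRSProxyHttpsBinding']/httpTransport") -eq $null) {
        $ok = $false; Write-Warning 'MRSProxyHttpsBinding does not use httpTransport'
    }
    $ok
}

# 5. Restart IIS so the application pools re-read the registry value and the config.
iisreset /noforce
Test-SslOffloadConfig
```

Removing Require SSL is what lets the load balancer talk plain HTTP to the CAS; it also means anyone who can reach the CAS directly can do the same, so the back-end network segment between the Zen Load Balancer and the CAS array has to be treated as trusted, and nothing but the load balancer should be able to reach those virtual directories.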

 

Final Notes

That’s it, we did it!  Your SSL connections are now terminated on the Zen Load Balancer.  If you open your web browser on the FQDN used by your certificate, which resolves to the IP address of the load balancer, you will see that you can reach your Outlook Web App/ECP web interface easily and without any certificate warning, because the name you typed matches the certificate the load balancer now presents.


All in all, the process is really not complex, and you can find a lot of information on how to SSL offload an Exchange infrastructure.  I’ll need to perform some additional tests regarding sticky clients and the Zen Load Balancer, but so far I haven’t encountered any issues.

I hope that you enjoyed this long but quite interesting step by step guide.

Till next Time

See Ya

 

Article in this series :

12 thoughts on “Exchange 2010 SSL Offloading using Zen Load Balancer- Part IV”

  1. Emilio,

    Thanks for the comments and positive remarks….
    Appreciate….

    Till next post (related to Zen Load Balancer)

    see ya

  2. How can you import an intermediate certificate, if you have a certificate that needs the intermediate from the CA to be installed?

    Thnx

  3. Hello there,

    Based on the zen load balancer documentation, You can see the following information “The uploaded certificate file must contain a PEM-encoded certificate, optionally a certificate chain from a known Certificate Authority to your server certificate and a PEM-encoded private key (not password protected).”

    I’m assuming that you can concatenate the certificates into a single file…The best example (and explanation) I’ve found can be found at http://www.digicert.com/ssl-support/pem-ssl-creation.htm

    Check the second option; your pem file should contain these sections:
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: Cert_CA.crt)
    -----END CERTIFICATE-----

    Hope this help

    Till next time
    see ya

  4. Any chance for Exchange 2013 documentation (just basic, not SSL offload, since it’s not supported yet, only at SP1)?
    thanks

  5. When using Exchange 2010 or 2013, is there any way to kill connections to a “dead” back-end CAS server,
    so clients don’t get “hung” when one of the back ends “dies”?

    thanks

  6. Hello There,

    The post is on its way… we will soon publish an update of the article for Exchange 2013… but you will have to wait a little bit (at least a month). I’m really busy right now… I’m running multiple projects at the same time again… not easy.

    Till next time
    see ya

  7. If you are using a CAS array + load balancer solution, you should not need to disconnect the back-end CAS server. To be more precise:

    Exchange 2013 does not use persistent connections, so there is no need to disconnect clients.
    With Exchange 2010, when used in conjunction with a CAS array and a load balancer, the load balancer (if configured correctly) will detect the dead back-end server and connections will be redirected to the remaining CAS servers.

    Hope this help
    Till next time

    see ya

  8. Hi,

    I’m using the stable V2 and I don’t seem to have the option for SSL offloading. Has this changed in the final release or have I missed something on the install?

    Thanks

  9. Hello, I didn’t install V2 yet.

    Do you see options to import and manage certificates? If yes, you can configure SSL offloading using the instructions in the post.

    I’ll try to install V2 this week and see if there are major changes (but I do not think so).

    Hope this help

    Till next time

  10. I have been able to upload the certificate, but still no options to configure this. I have even installed another instance to see if I missed something on install, but unfortunately no options there either.

    Thanks

  11. Hello Neil,

    You will not find a checkbox to configure SSL. In Zen Load Balancer, you import the certificates, you configure your HTTPS profile, and you are done with the SSL offloading configuration. Then you move to your Exchange and configure it accordingly for SSL offloading.

    The 4-part series describes the configuration of SSL offloading… If you read the posts and follow the instructions, you should be good to go.

    Hope this help

    Till next time
    See ya
