Saturday, April 23, 2016

NetScaler VPX - load balance Exchange - Part 5 (SSL Offloading)

SSL Offloading with Exchange 2010

By default, SSL connections to Exchange client access services such as OWA remain encrypted until they reach the Exchange server itself. This is the most secure configuration because the data is never in the clear anywhere between the two end-points. In some sectors, finance or defense for example, such a configuration may be mandatory.

Like other load balancing solutions, the NetScaler supports this type of configuration, usually known as "SSL pass through" (an SSL_BRIDGE virtual server in NetScaler terms). The encrypted data arrives from the remote end-point, passes through the NetScaler, and is forwarded to the local end-point, remaining encrypted from start to finish.

The advantage of SSL pass through is the high level of security that it provides; the price is that the NetScaler sees nothing above the TCP layer, so none of the Layer 7 features described below are available.

Another configuration is possible however: the NetScaler can decrypt the SSL traffic as it arrives and relay it to the local end-point (Exchange, for example) in "clear text". This configuration is less secure, because the traffic between the NetScaler and Exchange (including the credentials submitted on the OWA logon form) crosses the back-end network unencrypted and must be protected by that network instead, but it has some advantages:

  • It relieves the Exchange servers of the encryption and decryption workload.
  • It allows the NetScaler to process data at Layer 7 (which would otherwise be hidden by encryption) and to use other persistence types (COOKIEINSERT, for example) rather than the basic SOURCEIP persistence, which has notable limitations, especially when many clients share one source address behind NAT (Network Address Translation).
  • The NetScaler can analyze the content of the requests and perform various actions based on it (directing traffic to a particular virtual server, or rewriting a URL, for example).

Yes, that summary of SSL offloading benefits does assume some knowledge of load balancing concepts such as "persistence". If these terms are unfamiliar, I would recommend that you consult either Citrix documentation on the subject or perform an online search with your preferred search engine.

In the configuration built so far in this series (an SSL virtual server with SSL services on port 443, that is, decryption on the NetScaler and re-encryption to Exchange) as well as in SSL offloading, the certificate used by the Exchange server must be imported and installed on the NetScaler so that it can perform the TLS handshake instead of Exchange. A true SSL pass-through virtual server would not need it, because the NetScaler never decrypts. I completed this process in an earlier blog post.


I will now configure SSL offloading for OWA (it can also be configured for other forms of client access such as Outlook Anywhere or ActiveSync). We must make some changes on the NetScaler and then some changes on the Exchange server(s).

NetScaler changes for SSL Offload

First, we go to the following section in the NetScaler management GUI:

NetScaler > Traffic Management > Load Balancing > Services

We click on "Add":

Note: the first service for offloaded SSL has already been created. You can choose a different name, one that makes the most sense for you, or that respects whatever naming convention you may have in your organization.

I configure the service with the following settings (yes, this was for the first HTTP service) and then I repeat as needed. In other words, if I have a second Exchange server, I will create a service for it as well.

Now I have the following services. I will replace the last two services (that use SSL - port 443) with the first two services (that use HTTP - port 80):

The services, each of which is associated with a backend resource server (Exchange in this case), are bound to a "virtual server" to which clients connect using its "VIP" or virtual IP.

I will adjust the service bindings (replacing the SSL services with the HTTP services) at this location:

NetScaler > Traffic Management > Load Balancing > Virtual Servers

I highlight the lb_vs_OWA virtual server and click on "Edit":

Click on the "Load Balancing Virtual Server Service Bindings":

We will have to remove the SSL bindings first. Otherwise, this is what will happen...

Click on "Add Binding":

"Click to select" the new bindings:

Select the HTTP services for OWA (SSL Offload):

Click on Bind:

An error message displays, because a load balancing virtual server cannot have services of different types (SSL and HTTP) bound to it at the same time:

We must first unbind each of the SSL services...

And then we can bind the HTTP services.

The service bindings for the lb_vs_OWA virtual server should look like this:
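The same NetScaler changes can be scripted against the NITRO REST API instead of clicked through the GUI. The following is an added example, not code from the original post or from Citrix: it creates the two HTTP services, unbinds the SSL services before binding the HTTP ones (the order the GUI error above enforces), and, going one step beyond the post, switches the virtual server to COOKIEINSERT persistence now that the NetScaler can see the HTTP layer. The NSIP 192.0.2.10, the nsroot account, the back-end IPs 192.0.2.21 and 192.0.2.22 and the service names svc_OWA_EX13-1_HTTP, svc_OWA_EX13-2_HTTP, svc_OWA_EX13-1_SSL and svc_OWA_EX13-2_SSL are assumptions; lb_vs_OWA and the server names EX13-1 and EX13-2 come from the post.

```powershell
# Added example (not from the original post): NetScaler SSL offload changes via NITRO.
# Assumptions (not in the post): NSIP, credentials, service names and back-end IPs below.
# The management certificate on the NSIP must be trusted by this machine, or
# Invoke-RestMethod will refuse the https:// connection.
$nsip = '192.0.2.10'
$cred = Get-Credential -UserName 'nsroot' -Message 'NetScaler credentials'
$base = "https://$nsip/nitro/v1/config"
$hdr  = @{
    'X-NITRO-USER' = $cred.UserName
    'X-NITRO-PASS' = $cred.GetNetworkCredential().Password
}

# Small wrapper: NITRO takes a JSON object whose top-level key is the resource name.
function Invoke-Nitro {
    param([string]$Method, [string]$Resource, [hashtable]$Body)
    $params = @{ Method = $Method; Uri = "$base/$Resource"; Headers = $hdr; ContentType = 'application/json' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json -Depth 5) }
    Invoke-RestMethod @params
}

$vserver  = 'lb_vs_OWA'
$backends = @(
    @{ Name = 'EX13-1'; Ip = '192.0.2.21' },   # assumed back-end IPs
    @{ Name = 'EX13-2'; Ip = '192.0.2.22' }
)

# 1. One HTTP (port 80) service per Exchange server.
foreach ($b in $backends) {
    Invoke-Nitro POST 'service' @{ service = @{
        name = "svc_OWA_$($b.Name)_HTTP"; ip = $b.Ip; servicetype = 'HTTP'; port = 80 } }
}

# 2. Unbind the SSL services first: the vserver refuses a mix of service types,
#    which is the error the GUI shows if the HTTP services are bound too early.
foreach ($b in $backends) {
    Invoke-Nitro DELETE "lbvserver_service_binding/$vserver?args=servicename:svc_OWA_$($b.Name)_SSL"
}

# 3. Bind the HTTP services.
foreach ($b in $backends) {
    Invoke-Nitro POST 'lbvserver_service_binding' @{ lbvserver_service_binding = @{
        name = $vserver; servicename = "svc_OWA_$($b.Name)_HTTP" } }
}

# 4. With the HTTP layer visible, move from SOURCEIP to cookie persistence
#    (one of the offload benefits listed earlier in the post).
Invoke-Nitro PUT "lbvserver/$vserver" @{ lbvserver = @{ name = $vserver; persistencetype = 'COOKIEINSERT' } }

# 5. Persist the running configuration to ns.conf.
Invoke-Nitro POST 'nsconfig?action=save' @{ nsconfig = @{} }

# 6. Check: only HTTP services should now be bound, and they should be UP.
(Invoke-Nitro GET "lbvserver_service_binding/$vserver").lbvserver_service_binding |
    Select-Object servicename, servicetype, port, curstate | Format-Table -AutoSize
```

The final listing is the scripted equivalent of the screenshot of the service bindings: if any SSL service still appears, or a service shows DOWN, stop there and fix it before touching the Exchange servers.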

Exchange changes for SSL Offload

Out of curiosity, I wanted to see what would happen if I tried to establish an OWA connection without making any adjustments on the Exchange side.

What happens? A "403 - Forbidden: Access is denied" error:

If I change the NetScaler services to SSL again, the error does not occur, so I know that the requirements for SSL on the Exchange server are the problem. IIS returns 403 (sub-status 403.4) when a virtual directory marked "Require SSL" receives a plain HTTP request, which is exactly what the NetScaler now sends. Indeed, we have to remove these requirements for SSL offloading to work.

In fact, we have to make two changes on each of our Exchange servers (EX13-1 and EX13-2):

  • Add an "SSLOffloaded" REG_DWORD value to the registry.
  • Disable the SSL requirement on the OWA virtual directory.

We add this value ("SSLOffloaded") at this location in the registry:

Note: right-click on "MSExchange OWA", select "New" > "DWORD (32-bit) Value", name it "SSLOffloaded" and set its data to 1.

Note: the path is visible at the bottom of the screenshot above.

Next, we open IIS Manager, navigate to the "owa" virtual directory and open "SSL Settings":

We uncheck the "Require SSL" box, click on "Apply" (under Actions) and then run "iisreset /noforce" from an elevated command prompt:

Note: we repeat the process on the other load balanced Exchange servers.
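Repeating the registry and IIS steps on every load-balanced server by hand is where mistakes creep in, so here is the same procedure as a script. This is an added example, not code from the original post or from Microsoft: it applies both changes through PowerShell remoting and then requests /owa/ from each server over plain HTTP, the way the NetScaler HTTP services will. The server names EX13-1 and EX13-2 and the "owa" virtual directory come from the post; the registry path is the one Microsoft documents for SSLOffloaded (the post shows it only in a screenshot); that WinRM is open from the admin machine and that OWA lives under "Default Web Site" are assumptions.

```powershell
# Added example (not from the original post): Exchange-side SSL offload changes for OWA.
# Assumptions (not in the post): WinRM reachable, OWA under "Default Web Site",
# registry path as documented by Microsoft for the SSLOffloaded value.
$servers = 'EX13-1', 'EX13-2'

Invoke-Command -ComputerName $servers -ScriptBlock {
    # 1. SSLOffloaded = 1 (REG_DWORD) tells OWA to accept requests whose TLS
    #    was terminated upstream by the load balancer.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
    New-ItemProperty -Path $regPath -Name 'SSLOffloaded' -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Clear "Require SSL" on the owa virtual directory (the source of the 403).
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\owa' `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'

    # 3. Graceful restart so IIS picks up both changes.
    iisreset /noforce | Out-Null

    "{0}: SSLOffloaded={1}" -f $env:COMPUTERNAME,
        (Get-ItemProperty -Path $regPath -Name 'SSLOffloaded').SSLOffloaded
}

# Check each back-end directly on port 80, bypassing the NetScaler. While
# "Require SSL" is set IIS answers 403 (the error the post ran into); after the
# change the OWA logon page comes back with 200.
function Test-OwaHttp([string]$Server) {
    try {
        (Invoke-WebRequest -Uri "http://$Server/owa/" -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { throw }
    }
}

foreach ($s in $servers) { "{0}: HTTP {1}" -f $s, (Test-OwaHttp $s) }
```

Run the check before the changes as well: seeing 403 first and 200 afterwards on every server confirms that each node, not just the one the NetScaler happened to pick, is ready for offloaded traffic.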

Now when I attempt to access OWA, I can not only access the page but also log in successfully:
