Wednesday, October 13, 2010

Exchange Server 2010 SP1 – SSLOffloading

 

If you will be leveraging a Hardware Load Balancer for your Exchange 2010 environment there are some additional Exchange specific setting modification required to get this working, whether you are using PassThrough, SSLOffloading or ReverseSSL (aka SSLBridging).

  • System Requirements for this configuration:   EXCHANGE SERVER 2010 “SP1”

Options for Load Balancing Exchange 2010 CAS Servers using Hardware Load Balancer:

  • Pass Through

image

    • Simple and a very common deployment method
      • Configuration Requirements
        • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers.
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60 
  • Reverse SSL (aka SSL Bridging) ---  Recommendedimage

    • More advanced configuration, and more advanced forms of loadbalancing available.
      • Benefits:
        • Secure communications end-to-end; no passwords in clear text between HLB and CAS
        • Less configuration required on Exchange 2010 than SSLOffloading below.
        • If your Exchange 2010 CAS are already configured, the only configuration remaining is   Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers.

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60
      • Disadvantages:
        • Does not offload (encryption and decryption) cpu processing from the CAS Servers.
           
  • SSLOffloading 

    (Note the script as the end of this article will configure all of these parameters for you)

image

    • More advanced forms of loadbalancing available.   (This Article provides steps to configure)
      • Configuration Requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers.

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
        "RpcTcpPort"="60001"
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
        "TCP/IP Port"=dword:0000ea60
    • Remove “Require SSL from Default Website and All Exchange Virtual Directories on each CAS Server
    • Enable Outlook Anywhere, Set Authentication Basic and Set Outlook Anywhere SSLOffloading to TRUE
    • Set OWA for SSLOffloading

      New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
    • Modify the web.config file for Autodiscover and EWS

      # Configure web.config files
      $path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config
      $path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}| Set-Content $path\web.config

 

Important
If you configure SSL offloading on an Exchange 2010 CAS server, all user passwords will be sent in clear between the HLB device(s) and the CAS servers, so it's important the traffic is sent over a secure network not accessible by malicious users. If the security policy within the organization states that all passwords should be sent in an encrypted form (even when occurring over a secure network), it's recommended to enable reverse SSL on the HLB device(s). In addition, it's recommended to enable reverse SSL, if the organization does not have a secure network in place between the HLB device(s) and the CAS servers or if there's no noticeable performance gain of offloading SSL to the HLB device(s) in the environment.

SCRIPT to Configure CAS for SSLOffloading

 #This script will configure the Exchange 2010 Client Access Servers

# for Hardware loadBalancer with SSLOffloading enabled.
#
# System Requirements: EXCHANGE SERVER 2010 "SP1"
#
#
# Set registry key

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD

# Assign Static Port for MSExchangeAB

New-Item -Path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB -Name Parameters

New-ItemProperty -Path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters -Name RpcTcpPort -Value 60000 -PropertyType REG_SZ

# Assign Static Port for MSExchangeRPC

New-ItemProperty -Path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem -Name "TCP/IP Port" -PropertyType DWORD -Value 0000ea60

# Disable RequireSSL on websites

."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None

.

"$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None

 

# Configure web.config files

$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path

(

Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config 

$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path

(

Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}| Set-Content $path\web.config 

# Configure Outlook Anywhere

$enabled = Get-OutlookAnywhere –Identity "$($env:COMPUTERNAME)\RPC*"

If ($enabled)

{Set-OutlookAnywhere –Identity

"$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true}

Else

{

Write-Host "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"}

Write-Host -f Red "NOTE: Run `"iisreset /noforce`" to complete the process"

2 comments:

  1. All the contents you mentioned in post is too good and very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts. cheap wildcard ssl

    ReplyDelete
  2. Cheap Wildcard SSL - Cheap SSL certificates (including wildcard and multi-domain (SAN) SSL certificates) from Comodo, GeoTrust, Thawte and Symantec (VeriSign)

    ReplyDelete