- It relieves the Exchange servers of the encryption and decryption workload.
- It allows the NetScaler to process data at Layer 7 (that would otherwise be obfuscated by encryption) and use other types of persistence (COOKIEINSERT for example) rather than the basic SOURCEIP persistence type that has notable limitations - especially when clients connect to resources via NAT (Network Address Translation).
- The NetScaler can analyze the content of the packets and perform various actions based on this content (directing traffic to a certain virtual server IP or rewriting a URL).
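The persistence point above can be shown with a small model. This is an added example, not code from the original post or from Citrix: a simplified Python simulation of SOURCEIP versus COOKIEINSERT persistence when several clients share one NAT address. The round-robin choice for new sessions, the cookie carrying the backend name, and the client IP addresses are assumptions constructed for illustration.

```python
from collections import Counter
from itertools import cycle

BACKENDS = ["EX13-1", "EX13-2"]  # the two Exchange servers named on the page


class LoadBalancer:
    """Toy model (assumption): round-robin for new sessions, then persistence."""

    def __init__(self, persistence):
        self.persistence = persistence  # "SOURCEIP" or "COOKIEINSERT"
        self._next = cycle(BACKENDS)
        self._by_ip = {}  # persistence table: source IP -> backend

    def route(self, src_ip, cookie=None):
        """Return (backend, cookie value the client sends on its next request)."""
        if self.persistence == "SOURCEIP":
            # Layer 3/4 view only: all clients behind one address share one entry.
            if src_ip not in self._by_ip:
                self._by_ip[src_ip] = next(self._next)
            return self._by_ip[src_ip], None
        # COOKIEINSERT needs the decrypted HTTP request (Layer 7) to read the cookie.
        if cookie in BACKENDS:  # accept only values that name a known backend
            return cookie, cookie
        backend = next(self._next)
        return backend, backend  # simplification: cookie value is the backend name


def simulate(persistence, clients, rounds=3):
    """clients: (client_id, source IP as seen by the load balancer) pairs."""
    lb, cookies, load = LoadBalancer(persistence), {}, Counter()
    for _ in range(rounds):
        for client_id, src_ip in clients:
            backend, cookies[client_id] = lb.route(src_ip, cookies.get(client_id))
            load[backend] += 1
    return load


# Constructed sample: six users behind one NAT address, two with their own address.
NAT_IP = "203.0.113.10"
CLIENTS = [(f"nat-user-{i}", NAT_IP) for i in range(6)] + [
    ("remote-1", "198.51.100.21"),
    ("remote-2", "198.51.100.22"),
]

if __name__ == "__main__":
    for mode in ("SOURCEIP", "COOKIEINSERT"):
        print(mode, dict(simulate(mode, CLIENTS)))
```

With SOURCEIP, all six NAT users stick to whichever server the first of them was given; with COOKIEINSERT, each browser keeps its own server and the load stays even.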
First, we go to the following section in the NetScaler management GUI:
NetScaler > Traffic Management > Load Balancing > Services
We click on "Add":
Now I have the following services. I will replace the last two services (that use SSL - port 443) with the first two services (that use HTTP - port 80):
NetScaler > Traffic Management > Load Balancing > Virtual Servers
I highlight the lb_vs_OWA virtual server and click on "Edit":
Click on the "Load Balancing Virtual Server Service Bindings":
We will have to remove the SSL bindings first. Otherwise, this is what will happen...
Click on "Add Binding":
"Click to select" the new bindings:
Select the HTTP services for OWA (SSL Offload):
Click on Bind:
An error message displays:
We must first unbind each of the SSL services...
And then we can bind the HTTP services.
The service bindings for the lb_vs_OWA virtual server should look like this:
Exchange changes for SSL Offload
What happens? A "403 - Forbidden: Access is denied" error:
In fact, we have to make two changes on each of our Exchange servers (EX13-1 and EX13-2):
- Add an "SSLOffloaded" REG_DWORD key to the registry
- Disable the SSL requirement on the OWA virtual directory.
We add this key ("SSLOffloaded") at this location in the registry:
Next, we open IIS Manager, navigate to the "owa" virtual directory and open "SSL Settings":
Note: we repeat the process on the other load balanced Exchange servers.