Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1
Topic Last Modified: 2008-03-18

You can use a third-party Secure Sockets Layer (SSL) hardware accelerator or similar hardware appliance in front of Microsoft Exchange Server 2007 servers that have the Client Access server role installed to offload SSL requests for Microsoft Office Outlook Web Access. However, when you use this kind of appliance, you might have to configure SSL offloading. If you do not configure this setting, the user interface may not respond to client requests even though users have authenticated to Outlook Web Access. When you configure SSL offloading, you must turn off the requirement for SSL on the Outlook Web Access virtual directory.

When you use a third-party SSL hardware accelerator or similar appliance to terminate SSL requests before they reach your Client Access servers, the requests are recognized and processed by the Client Access server as HTTP requests. Therefore, when the Exchange 2007 server displays the HTML pages, it uses http:// instead of https:// for all the links. When a user clicks any link in a rendered page, they receive a message that the request is denied because the server denies any non-HTTPS traffic. Although the traffic is re-encrypted by the SSL accelerator when the traffic returns to the user, the links are broken.

Note:
When you do not use a third-party SSL hardware accelerator or similar appliance and the SSL session terminates on the Client Access server, the traffic flows between the Client Access server and Mailbox server by using MAPI.
Note:
Microsoft Exchange ActiveSync does not support SSL offloading.

Before You Begin

To configure SSL offloading for Outlook Web Access, you must perform the following procedure on each of your Client Access servers.

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Caution:
Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.

Procedure

To configure SSL offloading for Outlook Web Access in Exchange 2007

  1. In Internet Information Services (IIS) Manager, right-click the Web site where you host your Outlook Web Access virtual directories, and then click Properties.

    Note:
    This Web site is usually named Default Web site.
  2. On the Directory Security tab, in Secure Communications, click Edit.

  3. In Secure Communications, clear Require Secure Channel (SSL).

  4. Click OK as needed to save your changes, and then close the properties page.

  5. Start Registry Editor.

  6. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.

  7. On the Edit menu, click New, and then click DWORD Value.

  8. In the details pane, name the DWORD value SSLOffloaded.

  9. In the details pane, right-click SSLOffloaded, and then click Modify.

  10. In the Edit DWORD Value dialog box, in Value data, type 1.

  11. Restart the IIS Admin Service (IISAdmin). To do this, open a Command Prompt window, and then type iisreset /noforce.

For More Information

For information about how to configure this setting on computers that are running Microsoft Exchange 2000 Server or Exchange Server 2003, see Microsoft Knowledge Base article 327800, How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003.