E2K7: Exch ActiveSync SSL Offload
W2K8 SP2 / E2K7 SP2 RU2
With E2K3, for Exch ActiveSync, we have SSL Offload set up. Now, I have to migrate my mobile users from the E2K3 server to E2K7. SSL has been turned off for the MSAS vdirectory, Client Certificates are ignored, and the URL has been changed from https to http. We have tested using the CAS server for Exch ActiveSync and it works: messages are pushed to the mobile device, synching works, etc. Our SSL is set up whereby each AD site has its own SSL box.
However, http://technet.microsoft.com/en-us/library/bb885060(EXCHG.80).aspx states that Microsoft Exchange ActiveSync does not support SSL Offloading.
Please can someone address this issue as a major issue for our mobile device program?
Many thanks
February 19th, 2010 5:17pm
Hi,
As stated in the TechNet articles, Microsoft Exchange ActiveSync does not support SSL offloading, so it's not a supported environment, and when you get issues with it Microsoft may not help you. But it may work.
Regards,
Johan
Exchange-blog: www.johanveldhuis.nl
February 20th, 2010 6:17am
Hi,
SSL offloading _is_ supported in Exchange 2007 for ActiveSync; what isn't supported without SSL is CAS-CAS proxying of EAS between Active Directory sites.
Also in regards to HTTP links noted here: 'When you use a third-party SSL hardware accelerator or similar appliance to terminate SSL requests before they reach your Client Access servers, the requests are recognized and processed by the Client Access server as HTTP requests. Therefore, when the Exchange 2007 server displays the HTML pages, it uses http:// instead of https:// for all the links. When a user clicks any link in a rendered page, they receive a message that the request is denied because the server denies any non-HTTPS traffic. Although the traffic is re-encrypted by the SSL accelerator when the traffic returns to the user, the links are broken.'
This is not true for ActiveSync, but is correct for Outlook Web Access.
I believe the data on this TechNet article will be updated to reflect this at some point in the near future.
So if you plan to just support ActiveSync for users from the Internet you will find it works, as shown from your testing; if you plan to do any Site to Site proxying then you will find that's where it will break.
I hope this helps,
Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim | http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
February 22nd, 2010 4:44pm
Oliver
Thank you!
I had called Microsoft in 11/2009 and I was told exactly what you said, that cas-to-cas proxying is not supported, but our SSL is not set up using cas-cas; we have an SSL box in each site where we provide EAS and multiple URLs. I had to call Microsoft again last week and the support rep asked me to read bb885060, whereby OWA is supported in an SSL Offload situation, but in the article it clearly stated in a Note: Microsoft Exchange ActiveSync does not support SSL offloading.
I have tested, it works, because if it did not, I would be in a lot of trouble with my company.
The only thing I have not been able to get to work is to have the CAS proxy besides for an E2K7 mailbox but an E2K3 mailbox. I have the perms set correctly but cannot get that to work.
-e
February 22nd, 2010 5:06pm
Hi,
Cool, glad I could be of help :-)
In regards to the CAS serving ActiveSync to legacy 2003 mailbox-enabled users, this is supported.
Ensure Integrated Auth is enabled on the Backend Exchange 2003 virtual directories. Ensure you do not have SSL set up on the Backends either, otherwise it won't work.
Oliver
Oliver Moazzezi | Exchange MVP, MCSA:M, MCTS:Exchange 2010, BA (Hons) Anim | http://www.exchange2007.com | http://www.exchange2010.com | http://www.cobweb.com |
February 22nd, 2010 5:12pm