How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003 (327800)


The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server
This article was previously published under Q327800
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 have a configuration option that can help if you are using third-party Secure Sockets Layer (SSL) hardware accelerators. If the SSL session is terminated by an SSL hardware accelerator before the Microsoft Outlook Web Access server, Outlook Web Access does not recognize that the end-client is using SSL. In this scenario, the links for the Outlook Web Access client start with http:// instead of https://.

When you do not use an SSL hardware accelerator and the SSL session terminates on the Outlook Web Access server, the traffic flows from the client to the Outlook Web Access front-end server in HTTPS, and then to the back-end server in HTTP.

When you use an SSL hardware accelerator placed before the Outlook Web Access server and the SSL session is terminated by the accelerator, the traffic flows from the client to the SSL hardware accelerator in HTTPS, then to the Outlook Web Access front-end server in HTTP, and then to the back-end server.

In the second scenario, the Outlook Web Access front-end server recognizes traffic to the client as HTTP and does not recognize that the SSL session is being terminated before the traffic reaches the Outlook Web Access server. Therefore, when the back-end server renders the HTML pages, it uses http:// instead of https:// for all the links. When a user clicks any link in the rendered page, they receive a message that the request is denied because the server denies any non-HTTPS traffic. Even though the traffic is re-encrypted by the SSL accelerator when the traffic returns to the user, the links are broken.

Note Microsoft Exchange ActiveSync (EAS) and Outlook Mobile Access (OMA) do not support this functionality.

MORE INFORMATION

A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Microsoft Exchange 2000 Server service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Important This feature does not work if you are using Exchange 2003 and forms-based authentication. If you are using a hardware accelerator and forms-based authentication, you can resolve this issue by adding the following parameters to the following registry key.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA

Value name: SSLOffloaded
Value type: DWORD
Data value: 1

If you are using both front-end servers and back-end servers, you only have to apply this registry data to the front-end server. If you are in a back-end-only environment, you have to apply this registry data to the back-end server.

Note If you are using Forms Based Authentication, you only have to apply the registry change. You do not have to apply the ISAPI filter change listed later in this article.

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Component: Outlook Web Access
File nameVersion
ExFeHttpsOnFilter.dll 6.0.6337.0
There is no installation package for this file. Instead, use the following procedure to apply the feature on the front-end server:
  1. Copy ExFeHttpsOnFilter.dll to the Exchsrvr\bin directory.
    1. Open Internet Services Manager.
    2. Right-click the default Web site, and then click Properties.
    3. In the Properties dialog box, click the ISAPI Filters tab, and then click Add.
    4. In the Filter Name box, type ExFeHttpsOnFilter.dll.
    5. In the Executable box, type the full path and dll name. For example, if Exchange is installed on drive C in the default folder named Program Files, type c:\Program Files\Exchsrvr\bin\ExFeHttpsOnFilter.dll.
    6. Click OK.
    7. Make sure that the ExFeHttpsOnFilter filter appears before the ExchFilt filter in the list; if it does not, move the ExFeHttpsOnFilter filter up until it appears before the ExchFilt filter.

      Important ExFeHttpsOnFilter must appear before ExchFilt in the list.
  2. Stop the IISAdmin service and start the W3SVC service.
Modification Type:MajorLast Reviewed:3/17/2006
Keywords:kbHotfixServer kbExchange2000preSP4fix kbQFE kbExchange2000preSP4fea kbinfo KB327800 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.