How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003

Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 have a configuration option that can help if you are using third-party Secure Sockets Layer (SSL) hardware accelerators. If the SSL session is terminated by an SSL hardware accelerator before the Microsoft Outlook Web Access server, Outlook Web Access does not recognize that the end-client is using SSL. In this scenario, the links for the Outlook Web Access client start with http:// instead of https://.

When you do not use an SSL hardware accelerator and the SSL session terminates on the Outlook Web Access server, the traffic flows from the client to the Outlook Web Access front-end server in HTTPS, and then to the back-end server in HTTP.

When you use an SSL hardware accelerator placed before the Outlook Web Access server and the SSL session is terminated by the accelerator, the traffic flows from the client to the SSL hardware accelerator in HTTPS, then to the Outlook Web Access front-end server in HTTP, and then to the back-end server.

In the second scenario, the Outlook Web Access front-end server recognizes traffic to the client as HTTP and does not recognize that the SSL session is being terminated before the traffic reaches the Outlook Web Access server. Therefore, when the back-end server renders the HTML pages, it uses http:// instead of https:// for all the links. When a user clicks any link in the rendered page, they receive a message that the request is denied because the server denies any non-HTTPS traffic. Even though the traffic is re-encrypted by the SSL accelerator when the traffic returns to the user, the links are broken.

Note Microsoft Exchange ActiveSync (EAS) and Outlook Mobile Access (OMA) do not support this functionality.

A supported feature that modifies the default behavior of the product is available from Microsoft. However, this feature is intended to modify only the behavior that this article describes. Apply this feature only to systems that specifically require it.

If the feature is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the feature.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific feature. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the feature is available. If you do not see your language, it is because the feature is not available for that language.Important This feature does not work if you are using Exchange 2003 and forms-based authentication. If you are using a hardware accelerator and forms-based authentication, you can resolve this issue by adding the following parameters to the following registry key.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: Value name: SSLOffloaded
Value type: DWORD
Data value: 1

If you are using both front-end servers and back-end servers, you only have to apply this registry data to the front-end server. If you are in a back-end-only environment, you have to apply this registry data to the back-end server.

Note If you are using Forms Based Authentication, you only have to apply the registry change. You do not have to apply the ISAPI filter change listed later in this article.

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Component: Outlook Web AccessThere is no installation package for this file. Instead, use the following procedure to apply the feature on the front-end server:

1. Copy ExFeHttpsOnFilter.dll to the Exchsrvr\bin directory.
   1. Open Internet Services Manager.
   2. Right-click the default Web site, and then click Properties.
   3. In the Properties dialog box, click the ISAPI Filters tab, and then click Add.
   4. In the Filter Name box, type ExFeHttpsOnFilter.dll.
   5. In the Executable box, type the full path and dll name. For example, if Exchange is installed on drive C in the default folder named Program Files, type c:\Program Files\Exchsrvr\bin\ExFeHttpsOnFilter.dll.
   6. Click OK.
   7. Make sure that the ExFeHttpsOnFilter filter appears before the ExchFilt filter in the list; if it does not, move the ExFeHttpsOnFilter filter up until it appears before the ExchFilt filter.
      
      Important ExFeHttpsOnFilter must appear before ExchFilt in the list.
2. Stop the IISAdmin service and start the W3SVC service.