Hello,

i have little confusion that someone may be able to help me understand.

We have classic scenario with Exchange 2013 CU7.

- 2 backend servers

- 2 frontend servers

frontend servers are load balanced with balancer that have possibility of SSL offloading and i did it only on CAS servers as described here.

I did change, however backend gave some error about certificate.

In IIS i changed certificate to be same as on CAS servers, and no warnings anymore, and that leaves me a question, do i need to do anything on backend servers or SSL offloading on CAS servers is enough?

Thanks in advance and regards,

Ivica

The backend servers need to have the default self-signed Exchange certificate bound to the back-end website in IIS.  That should be done automatically but I've seen it become misconfigured, though only on servers with both Mailbox and CAS roles.

Hi,

According to your post, I notice that you have disable SSL and enable SSL offloading in all CAS server.
If I misunderstand your concern, please do not hesitate to let me know.

We need to know something before configuring SSL Offloading in Exchange 2013.
1. To use an existing certificate on your Client Access servers and on the device you are terminating the SSL connections with, export the certificate with the private key on a Client Access server and import or install it on the device.
2. To use a new certificate, you must use EAC or the Shell to create, import, and enable the new certificate.

Therefore, we can enable SSL Offloading and renew certificate in CAS server.

Thanks

Hello Allen,

Thanks for replies.Yes, all cas servers have same public certificate, and it is imported.

Then i followed post in technet and done this  .

Imported certificate on our load balancers.
and my understanding is that all steps are fullfilled.

I was only concerned about Mailbox role IIS service and certificate there, so basically i don't need to go there and reconfigure anything?

Thanks again,

Ivica

Not unless something got misconfigured.