How to publish Exchange 2013 using VMware NSX load balancer/Firewall part2 – SSL Offloading

In part 1, we saw the very basic steps to load balance Exchange 2013 using VMware NSX.

In this part, we will look at how to configure SSL offloading on NSX. The major steps are:

– Export the certificate to base64 format using openssl and import it into the Edge server.

– Configure the application profile to listen on SSL requests.

– Modify the pool to listen on port 80.

– Configure SSL offloading on Exchange 2013.

– Test the configuration.


So let us start:

Export the certificate in base64 format:

To install the certificate on NSX, you must have it in base64 format; NSX doesn’t allow you to import the .cer or PFX formats. To get there, use openssl to export the private key and the certificate contents.

This step assumes that you generated the SSL certificate on Exchange 2013 using an internal Microsoft CA (or a commercial CA) and have it in PFX format (I used an internal MS CA and a wildcard certificate):

  1. Install OpenSSL from here; you can use the light version.
  2. Once installed, download and configure the configuration file, using the steps here.
  3. Once that is done, copy the PFX certificate and root CA certificate to a folder, and use the following command to export the certificate contents and private key: openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  4. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  5. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key
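Before importing the exported files into the Edge, it is worth confirming that the key matches the certificate, that the certificate chains to the root CA, and that the unencrypted key is readable only by its owner. The script below is an added example, not part of the original post; it assumes a POSIX shell with openssl on the PATH, and the throwaway CA, the wildcard certificate, the `pass:demo` password, the `rootca.pem` file name and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with openssl
# on PATH. The CA, certificate, password and function names are constructed.

# True only if the key ($1) and the certificate ($2) hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if the certificate ($2) chains to the root CA ($1).
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only if group and others have no access to the key file ($1).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Constructed input: throwaway CA, wildcard certificate and certname.pfx in $PWD.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out rootca.pem \
        -subj "/CN=Demo Root CA" -days 1 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=*.example.test" 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA rootca.pem -CAkey ca.key -CAcreateserial \
        -out leaf.pem -days 1 2>/dev/null &&
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -out certname.pfx -passout pass:demo
}

# Runs the page's three export commands (-passin added so nothing prompts), then the checks.
export_and_check() (
    d=$(mktemp -d) && cd "$d" && umask 077 && make_demo_pfx || exit 1
    rc=1
    openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes -passin pass:demo 2>/dev/null &&
    openssl pkcs12 -in certname.pfx -nokeys -out cert.pem -passin pass:demo 2>/dev/null &&
    openssl rsa -in key.pem -out server.key 2>/dev/null &&
    key_matches_cert server.key cert.pem &&
    chains_to_root rootca.pem cert.pem &&
    key_is_owner_only server.key && rc=0
    cd / && rm -rf "$d"   # the demo key is unencrypted, so do not leave it behind
    exit "$rc"
)

export_and_check && echo "key, certificate and root CA are consistent"
```

On real files, call the three check functions directly on server.key, cert.pem and the root CA PEM, and delete key.pem and server.key from the workstation once the import into the Edge has succeeded.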

Repeat only step 3 for the root CA certificate. You will now have three files: the root CA PEM, the certificate contents, and the private key. Now open the NSX Edge and install the certificates, starting with the root CA:


Then install the Exchange certificate:



Once installed, you can modify the application profile to use the imported certificate and offload SSL from the Exchange server:


Confirm the CA is selected:


Modify the pool to use port 80 instead of port 443:


Enable acceleration on the virtual server and you are ready to go:



Now you are ready to enable SSL offloading on the Exchange server. You can follow the steps from this article:

Once enabled, you can test and verify the configuration:




In part 3, we will look into more advanced features like transparency and cookie-based persistence…

