Script to configure Exchange Server 2010 for SSLOffloading

When using a hardware load balancer you sometimes come across the need to configure Exchange Server to support SSL offloading. In my case I use a Citrix Netscaler to publish Exchange Server in a scenario where I have enabled SSL offloading on the Citrix Netscaler, so for this to work, configuration changes need to be made on Exchange Server 2010.

The script below configures both Exchange 2010 RTM and SP1; it also enables basic authentication in IIS for ECP, EWS and OWA.

# This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload
# It applies when using a hardware load balancer with SSLOffloading enabled
# Created by Martin Sundström 2011-09-26
# Run it from the Exchange Management Shell, as an administrator, on each Client Access Server
Write-Host -f DarkGray "This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload"

# Set SSLOffload registry key for OWA
Write-Host -f DarkGray "Setting SSLOffload registry key for OWA..."

# -Force overwrites an existing value, so the script can be re-run safely
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD -Force

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# Assign Static Ports
Write-Host -f DarkGray "Assigning static ports..."

# Assign Static Port for MSExchangeAB (Address Book service); the key is only created if it is missing
$abKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'
if (-not (Test-Path $abKey)) { New-Item -Path $abKey | Out-Null }
New-ItemProperty -Path $abKey -Name RpcTcpPort -Value 60000 -PropertyType String -Force

# Assign Static Port for MSExchangeRPC (RPC Client Access service)
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }
New-ItemProperty -Path $rpcKey -Name "TCP/IP Port" -PropertyType DWORD -Value 59532 -Force

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# Disable RequireSSL on websites
Write-Host -f DarkGray "Disabling RequireSSL on websites..."

# appcmd takes one -section per invocation, so sslFlags and basicAuthentication are set in separate calls
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$vdirs = 'Default Web Site', 'Default Web Site/Autodiscover', 'Default Web Site/ecp', 'Default Web Site/EWS',
         'Default Web Site/Microsoft-Server-ActiveSync', 'Default Web Site/owa', 'Default Web Site/rpc'
foreach ($vdir in $vdirs) {
    & $appcmd set config "$vdir" -commitPath:APPHOST -section:access -sslFlags:None
}
# Basic authentication is enabled on the root site, ECP, EWS and OWA only
foreach ($vdir in 'Default Web Site', 'Default Web Site/ecp', 'Default Web Site/EWS', 'Default Web Site/owa') {
    & $appcmd set config "$vdir" -commitPath:APPHOST -section:basicAuthentication -enabled:true
}

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# Configure Outlook Anywhere
Write-Host -f DarkGray "Configure Outlook Anywhere"

# Get-OutlookAnywhere only returns an object if Outlook Anywhere has been enabled on this server
$outlookAnywhere = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
if ($outlookAnywhere) {
    $outlookAnywhere | Set-OutlookAnywhere -SSLOffloading $true
} else {
    Write-Host -f DarkGray "Outlook Anywhere is not enabled: configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
}

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""

# This part of the script only applies to Exchange Server 2010 RTM (version 14.0), a version check will be made:
$version = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.ToString()
$IsRtm = $version.StartsWith("Version 14.0")

if ($IsRtm) {
    # Configure web.config files
    Write-Host -f DarkGray "Configuring web.config files for RTM..."

    # Switch the WCF bindings from httpsTransport to httpTransport, since IIS no longer requires SSL;
    # a copy of each web.config is kept next to the original before it is rewritten
    foreach ($vdir in (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME),
                      (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME)) {
        $webConfig = Join-Path $vdir.Path 'web.config'
        Copy-Item $webConfig "$webConfig.bak" -Force
        (Get-Content $webConfig) | ForEach-Object { $_ -replace "httpsTransport", "httpTransport" } | Set-Content $webConfig
    }

    Write-Host -f DarkGray "Done!"
    Write-Host -f DarkGray ""
}

# Run IISReset
Write-Host -f DarkGray "Running `"iisreset`" to complete the process..."

iisreset

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""
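A read-back of the settings the script above applies, as an added check that is not part of the original post: it reports which of the registry values, IIS sslFlags, Outlook Anywhere flag and (on RTM) web.config edits are not in place. It assumes the Exchange Management Shell on the Client Access Server and that appcmd's -text: switch prints the effective sslFlags value.

```powershell
# Added check, not part of the original script: read back every setting the
# SSL offload script applies and report which ones are not in place.
# Assumes the Exchange Management Shell on a Client Access Server (PowerShell 2.0 compatible).
$results = @()
function Add-Check($Name, $Ok, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = [bool]$Ok; Actual = "$Detail" }
}

# 1. OWA must have SSLOffloaded = 1
$owa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -ErrorAction SilentlyContinue
Add-Check 'OWA SSLOffloaded = 1' ($owa.SSLOffloaded -eq 1) $owa.SSLOffloaded

# 2. Static ports for the Address Book and RPC Client Access services
$ab  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters' -ErrorAction SilentlyContinue
$rpc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem' -ErrorAction SilentlyContinue
Add-Check 'MSExchangeAB RpcTcpPort = 60000' ($ab.RpcTcpPort -eq '60000') $ab.RpcTcpPort
Add-Check 'MSExchangeRPC TCP/IP Port = 59532' ($rpc.'TCP/IP Port' -eq 59532) $rpc.'TCP/IP Port'

# 3. IIS: sslFlags must be None on every published virtual directory
#    (assumption: appcmd's -text: switch prints just that attribute of the section)
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
foreach ($vdir in 'Default Web Site', 'Default Web Site/Autodiscover', 'Default Web Site/ecp',
                  'Default Web Site/EWS', 'Default Web Site/Microsoft-Server-ActiveSync',
                  'Default Web Site/owa', 'Default Web Site/rpc') {
    $flags = (& $appcmd list config "$vdir" -section:access -text:sslFlags | Out-String).Trim()
    Add-Check "sslFlags None on $vdir" ($flags -eq 'None') $flags
}

# 4. Outlook Anywhere must have SSLOffloading set
$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
Add-Check 'Outlook Anywhere SSLOffloading' ($oa -ne $null -and $oa.SSLOffloading) $oa.SSLOffloading

# 5. On RTM (14.0) the Autodiscover and EWS web.config must no longer reference httpsTransport
$version = (Get-ExchangeServer -Identity $env:COMPUTERNAME).AdminDisplayVersion.ToString()
if ($version.StartsWith('Version 14.0')) {
    foreach ($v in (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME),
                   (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME)) {
        $hits = Select-String -Path (Join-Path $v.Path 'web.config') -Pattern 'httpsTransport' -SimpleMatch
        Add-Check "no httpsTransport in $($v.Path)\web.config" (-not $hits) $hits.Count
    }
}

$results | Format-Table Check, OK, Actual -AutoSize
```

Any row with OK = False is a setting the load balancer will trip over (a 403 or redirect loop from IIS, or Outlook Anywhere refusing the offloaded connection). Keep in mind that with sslFlags None and basic authentication enabled, the leg between the Netscaler and the Client Access Server carries credentials in the clear, so that network segment has to be trusted or re-encrypted.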

Feel free to use and edit as you need and don’t hesitate to drop a comment if you find any errors or have any questions!

Configure Lync 2010 voice using a SIP gateway and an uncertified SIP trunk, step-by-step – Part 1

I got an idea the other day: I want to set up a Lync Server 2010 server and implement voice capabilities using an ordinary, uncertified SIP trunk. This will hopefully give some of you out there an idea of what needs to be done for this to work without the need for an expensive certified trunk.

For the test I will use an ordinary consumer-grade SIP trunk from the Swedish provider Cellip. Since the point is not to use a Lync-certified enterprise SIP trunk, I need something to handle the incoming trunk and then hand it over to Lync Server 2010.

I got a tip from Cellip that an Intertex IX78 is what I need. This product was actually something I had never heard of, but I contacted Intertex and they were kind enough to provide me with a unit that I could use for my test.

Action plan

I already have a Lync Server 2010 deployed in my environment without phone configuration, so I will exclude the Lync Server 2010 installation from this guide; more information on this in a step-by-step format can be found here.

  1. SIP enable users
  2. Configure the Intertex IX78 to handle the incoming SIP trunk and forward it to Lync Server 2010
  3. Configure Lync Server 2010 to receive incoming and outgoing calls

The Intertex IX78

First, I will start by giving you some information about the Intertex IX78, which I have found to be a very useful piece of equipment. I had never had the privilege of working with it before, but while performing this test I got the opportunity to try it out. The IX78 can actually do a lot of things, much more than what I have used it for; for example, it has a built-in advanced ADSL modem, supports wireless 802.11b/g, and provides backup PSTN connectivity for emergency call handling. It is also the only firewall in its market segment that I have heard of that fully addresses real-time, SIP-based multimedia applications on the LAN.

But I will focus a bit more on the SIP functions of the IX78. One of the best functions I have tested is the LAN SIParator module. This module lets you add the IX78 alongside an existing firewall, which is thereby made SIP capable. This is great in a production environment since it requires minimal changes to the existing firewall configuration. Let me explain this a bit more by showing you the setup I am using for this lab.

To start with, I am using an ADSL internet connection provided by Telia Sonera AB, one of Sweden’s largest ISPs. To connect to this I use a standard Zyxel ADSL modem, which is quite old to be honest. Then I have the Intertex IX78 running as a LAN SIParator with one leg on the internal network for the connection to the Lync 2010 server and one leg connected to a Microsoft Threat Management Gateway (TMG) 2010 that I use as the primary firewall.


When using the LAN SIParator module I do not have to make any changes to my TMG, which is very good. You might think that running this setup could cause disruption to the traffic passing through the IX78, but so far I have had no trouble at all and have seen no loss in bandwidth or quality. It is absolutely doing its job, and doing it well.

I am not going to make this a review of the IX78, but I would absolutely recommend it to anyone who is thinking about implementing a solution similar to this. More information regarding the Intertex IX78 can be found on the Intertex homepage here.



To be able to perform this test I needed someone to provide me with a trunk. Because they were recommended to me by at least two friends, the choice fell on Cellip. Cellip is one of Sweden’s largest providers of communications solutions based on both mobile and PSTN, for both companies and private persons.

I contacted Cellip as well and they set me up with an account with plenty of credit; a big thank you to Cellip for making the effort to help me with this project. I am not going to walk you through the process of setting up a Cellip account since that is very easily done. If you need any assistance, their excellent support will guide you through it. I have contacted them a couple of times during this project and they have been most helpful. You can find more information regarding Cellip on their homepage here.


SIP Enable a User

First I will start with SIP enabling a user that we will use for this test. I have created the user Test User1 for this test with the following configuration:

First name: Test
Last name: User1
User name: test.user1
SIP address: test.user1@sundis.local
Telephone number: 335

To SIP enable a user you need to open the Lync Server 2010 Control Panel and then navigate to the Voice tab.


Click on Enable User to open the New Lync Server User window.


Click on Add to find the user you want to enable.


Enter the name of the user and click Find, or simply click Find to list all available users. Select the user you want to add and then click OK.


You will see that the user we selected is now listed in the Users box. Choose which pool to assign your user to; in my case I have only got one. You also need to make sure that the correct SIP URI is selected; I use an internal address for my SIP URI and specify it accordingly. Under Telephony, choose Enterprise Voice in the dropdown menu and enter the internal extension number that you want to use, making sure that you prefix the number with TEL:. We will keep the rest of the settings at their defaults; click Enable to finish.


The user we just enabled now shows up in the list.


That is all we have to do to enable our user for voice; now we will take a look at the Intertex IX78.
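The same user enablement done from the Lync Server Management Shell instead of the Control Panel, as an added example that is not part of the original post: it uses Enable-CsUser and Set-CsUser with the values from the walkthrough (display name Test User1, SIP address test.user1@sundis.local, extension 335). The registrar pool FQDN is a placeholder, since the post does not name the pool.

```powershell
# Added example, not part of the original post: SIP enable and voice enable the test user
# from the Lync Server Management Shell instead of the Control Panel.
# ASSUMPTION: the registrar pool FQDN is a placeholder; use the pool shown in your Control Panel.
$Identity      = 'Test User1'                      # Active Directory display name from the walkthrough
$RegistrarPool = 'lyncpool.sundis.local.PLACEHOLDER'
$SipAddress    = 'sip:test.user1@sundis.local'     # the SIP URI chosen in the wizard
$LineUri       = 'tel:335'                         # the TEL: extension entered under Telephony

# Get-CsUser only returns Lync-enabled users, so a null result means the user still has to be enabled.
# Checking first keeps the script safe to re-run.
$existing = Get-CsUser -Identity $Identity -ErrorAction SilentlyContinue
if (-not $existing) {
    Enable-CsUser -Identity $Identity -RegistrarPool $RegistrarPool -SipAddress $SipAddress
}

# Enterprise Voice with the internal extension, the equivalent of the Telephony dropdown and TEL: field
Set-CsUser -Identity $Identity -EnterpriseVoiceEnabled $true -LineUri $LineUri

# Read back the fields the Control Panel user list shows, to confirm the change took effect
Get-CsUser -Identity $Identity |
    Select-Object DisplayName, SipAddress, RegistrarPool, EnterpriseVoiceEnabled, LineUri
```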

Configuring the Intertex IX78

We want to configure the IX78 to run in WAN SIParator 1 mode to match the previously described scenario; we also need to configure the SIP trunk settings and network settings. To help with configuring the IX78, Intertex has implemented a very good wizard in the IX78.

Note: Before proceeding, please contact Intertex and make sure that you have a firmware that fully supports the use of WAN SIParator 1 mode.

After you log on you are met by the home page of the IX78; it gives you the top menu, which includes quick links to all topics, and you also have a number of different links on the home page.

To get started with the Configuration wizard, navigate back to the home page and click on the Configuration Wizard link.

The first page of the Configuration Wizard tells us we need to log in. The username and password you need are provided by Intertex and are a way of controlling the licenses that you need in order to use the different functions that the IX78 includes. If you don’t have a username and password, please contact Intertex and they will get you settled.

To continue, click on Log In next to The PBX Wizard.


Enter the username and password provided to you by Intertex and click on Log In to continue.


In this step you need to choose the PBX you are using; in our case it is Lync 2010. Choose Microsoft OCS 2007/Lync 2010 and click Next to continue.


Under Select your Internet access, select the following settings to configure the Cellip trunk. Change these settings to match the information needed for your provider.

Trunk Service: Service 1 – No accounts need to be registered
SIP Server:

Under Select your firewall configuration, select Use the E-SBC as WAN SIParator® 1, connecting the existing firewall to the ET4 port of the E-SBC and sharing a single WAN IP-address, and click Next to continue.


Now you have the option to configure your network settings; if you did not do it before starting the guide, change the settings to match your environment. If you have already configured networking for your device, like me, check Keep current settings and then click Next to continue.


More network settings; change the IP-address if you need to, and click Next to continue when ready.

In the next step it is time to enter the IP-address for your PBX, in other words, your Microsoft Lync 2010 Server. In my case it is, enter the IP-address for your server and then click Next to continue.


In my case I only have one number from Cellip, so I do not have to worry about Caller-ID. Check the option matching your requirements and then click Next to continue.


Since we use internal extensions in Lync we will configure the IX78 to forward calls using internal extensions: choose The PBX uses internal extension numbers on its SIP trunk, then enter the external number assigned to you by your trunk provider and the internal extension matching that number. When finished, click Next to continue.


We will not configure any optional phones; click Next to continue.


You can skip the next page too; click Next to continue.


The last page before completing this wizard is a summary showing you the settings you have made. Take a moment to go through the settings and click Download when finished. This configures the device; if you press Exit you will quit the wizard, discarding all changes.


When the Wizard closes, navigate to the start page of your IX78 and open the SIP Trunk page.


Now we need to go through the SIP Trunk settings. Go through all of these blocks and make sure that your settings match the ones I have in this example, except for phone numbers and IP-addresses.




Now your IX78 should be all set, and this concludes part one in this series. In part two we will look at the Lync configuration.

Part 1 in this series can be found here!

Part 2 in this series can be found here!