Forum Discussion
F5 SSL Offload for Exchange 2013
Hi,
I'm currently working on a large Exchange deployment (400,000 mailboxes) project where F5 will be used to load balance Exchange CAS servers and provide SSL offload.
Would anyone be able to provide real world metrics on SSL TPS for a sizeable install base to help us size our HSM capacity requirements? If you can also share connections per second and HTTP requests per second, that would also be helpful.
Thanks
Patrick
- casey_tomlinson (Nimbostratus)
I should have included, but for that very reason we license the MAX SSL option for our platforms.
- casey_tomlinson (Nimbostratus)
It would be significant, even restarting a few CAS servers at one time spikes the incoming TPS over 3-6k (we have over 30 CAS servers in the forward facing pool). I'm happy to say we have never had to do a peak daytime failover, but I have to imagine it would likely reach MAX SSL decrypts for the platform briefly if we did.
- pmilot (Altostratus)
Hi Casey,
What would you expect your TPS to peak at for the 300k org if you had to failover and re-establish all those connections?
Thanks
- casey_tomlinson (Nimbostratus)
On the largest 2010 org with nearly 300k users we operate about 1.5m concurrent connections at around 2.5GB/s throughput. We have noticed that 2013 tends to open more connections than 2010. So keep that in mind.
Casey - how many concurrent connections does that Exchange traffic generate?
- pmilot (Altostratus)
Thanks a lot for the info Casey and Michael. This is the best data point I've received thus far.
Pat
- casey_tomlinson (Nimbostratus)
I likely should have noted that I'm an Exchange hoster and all client connectivity is external. There are zero connections that originate from the LAN.
- Great data point. Thanks!
Big thank you to Casey for sharing his statistics. However, I would like to point out that Exchange 2010 and 2013 deployments are drastically different. With 2010, all LAN-based connections are using RPC, which does not use SSL on F5. Thus, typically, only external connectivity into Exchange would consume SSL TPS. In 2013, all communications are SSL-based, so the load on the system should increase as compared to a 2010 deployment.
- mikeshimkus_111 (Historic F5 Account)
Hi pmilot, SSL offloading is currently unsupported in Exchange 2013:
http://social.technet.microsoft.com/Forums/exchange/en-US/39315d05-d764-4afa-b9c6-e341f7b14384/does-exchange-2013-cu1-now-support-ssl-offloading
As soon as it becomes supported again, we'll add offloading for 2013 to the F5 solutions.
thanks
Mike
- hooleylist (Cirrostratus)
It looks like Exchange 2013 SP1 supports SSL offload:
http://technet.microsoft.com/en-us/library/dn635115%28v=exchg.150%29.aspx
http://www.jaapwesselius.com/2014/02/28/exchange-2013-sp1-ssl-offloading/
Aaron
- pmilot (Altostratus)
Hi Mike,
You are correct and yes I was aware. SSL Offloading was not the right term to describe our deployment. We are actually decrypting at the LTM/APM layer and re-encrypting for the CAS servers.
Pat
- casey_tomlinson (Nimbostratus)
We run multiple Exchange orgs with a total user count of over 400k.
Our largest at just under 300k Exchange 2010 seats, and our current TPS is under 2000 2K keys a second during peak hours. We are currently running a Viprion 2400 there.
We also have a few Exchange 2007 orgs with LTM 6900s and they have a combined user install base of over 120k seats and they run about an additional 800-900 TPS (combined) during the day.