Forum Discussion

pmilot's avatar
Icon for Altostratus rankAltostratus
Feb 12, 2014

F5 SSL Offload for Exchange 2013



I'm currently working on an large Exchange deployment (400,000 mailboxes) project where F5 will be used to load balance Exchange CAS servers and provide SSL offload.


Would anyone be able to provide real world metrics on SSL TPS for a sizeable install base to help us size our HSM capacity requirements. If you can also share connections per second and HTTP requests per second that would also be helpful.


Thanks Patrick


13 Replies

  • I should have included, but for that very reason we license the MAX SSL option for our platforms.


  • It would be significant, even restarting a few CAS servers at one time spikes the incoming TPS over 3-6k (we have over 30 CAS servers in the forward facing pool). I'm happy to say we have never had to do a peak daytime failover, but I have to imagine it would likely reach MAX SSL decrypts for the platform briefly if we did.


  • Hi Casey,


    What would you expect you're TPS to peak at for the 300k org if you had to failover and re-establish all those connections ?




  • On the largest 2010 org with nearly 300k users we operate about 1.5m concurrent connections at around 2.5GB/s throughput. We have noticed that 2013 tends to open more connections than 2010. So keep that in mind.


  • Thanks allot for the info Casey and Michael. This is the best data point I've received thus far.




  • I likely should have noted that I'm an exchange hoster and all client connectivity is external. There are zero connections that originate from the LAN.


  • Big thank you to Casey for sharing his statistics. However, I would like to point out that Exchsnge 2010 and 2013 deployments are drastically different. With 2010, all LAN-based connections are using RPC, which does not use SSL on F5. Thus, typically, only external connectivity into Exchange would consume SSL TPS. In 2013, all communications are SSL-based, so the load on the system should increase as compared to 2010 deployment.


  • mikeshimkus_111's avatar
    Historic F5 Account

    Hi pmilot, SSL offloading is currently unsupported in Exchange 2013:



    As soon as it becomes supported again, we'll add offloading for 2013 to the F5 solutions.






    • hooleylist's avatar
      Icon for Cirrostratus rankCirrostratus
      It looks like Exchange 2013 SP1 supports SSL offload: Aaron
    • pmilot's avatar
      Icon for Altostratus rankAltostratus
      Hi Mike, You are correct and yes I was aware. SSL Offloading was not the right term to describe our deployment. We are actually decrypting at the LTM/APM layer and re-encrypting for the CAS servers. Pat
  • We run multiple Exchange orgs with a total user count of over 400k.


    Our largest at just under 300k Exchange 2010 seats, and our current TPS is under 2000 2K keys a second during peak hours. We are currently running a Viprion 2400 there.


    We also have a few Exchange 2007 orgs with LTM 6900s and they have a combined user install base of over 120k seats and they run about an additional 800-900 TPS (combined) during the day.