Problem
You’re attempting to publish / load balance your on-premise Exchange 2019 servers behind a Citrix ADC / NetScaler but notice that the health monitors created to check the health of the services (e.g. https://172.16.1.81/owa/healthcheck.htm) fail with the following error:
Failure – Time out during SSL handshake stage
The rest of the monitors are all reporting the same error:
Further troubleshooting reveals that this is due to the fact that the following server hardening registry keys are added to the Exchange 2019 servers:
ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL
AllowInsecureRenegoClients
REG_DWORD
0
AllowInsecureRenegoServers
REG_DWORD
0
Removing these entries one of the Exchange servers will correct the error allowing the probe to report that the server is up (note that it is partial because the other server still has the registry key):
Various forum discussions on Citrix points adjusting Deny SSL Renegotiation but none of the configuration settings corrected the issue for the environment I worked with:
https://discussions.citrix.com/topic/401441-basic-load-balancing-for-owa-exchange-2019/page/3/
Solution
After performing extensive troubleshooting but not able to come to a resolution, I decided to upgrade the Citrix ADC / NetScaler from NS13.0 52.24.nc to the latest build available at the time, which was NS13.0 67.39.nc:
NS13.0 52.24.nc
NS13.0 67.39.nc
This ended up resolving the issue with the services being correctly determined as UP:
Hope this helps anyone who might be facing this same issue as there isn’t much material available and the available solutions did not work for me.
4 Responses
For what it's worth, we are experiencing the exact same scenario you've laid out. We will be attempting an ADC FW update in the next week and hope to see the issue resolved as you reported!
Thank you Terence for your very helpful posts. The registry keys you noted regarding Renegotiation is the key! By default, the NetScaler is configured to DENY ALL renegotiation. The solution for me was to modify the default backend SSL profile (or create a new one) and select FRONTEND_CLIENT in the Deny SSL Renegotiation field, then and specify the SSL profile in the monitor.
Yes! Thank You. Was banging me head trying to figure out why the monitors on my ADC / Netscaler were not working for this one Exchange server. Removing those registry entries and restarting the IIS service fixed it.
I followed Almon's suggestion for the SSL profile and everything is working now. Thank you so much.