Forum Discussion

pmilot
Feb 12, 2014

F5 SSL Offload for Exchange 2013

Hi,

 

I'm currently working on a large Exchange deployment (400,000 mailboxes) project where F5 will be used to load balance Exchange CAS servers and provide SSL offload.

 

Would anyone be able to provide real-world metrics on SSL TPS for a sizeable install base to help us size our HSM capacity requirements? If you can also share connections per second and HTTP requests per second, that would also be helpful.

 

Thanks, Patrick

 

13 Replies

  • We run multiple Exchange orgs with a total user count of over 400k.

     

    Our largest is at just under 300k Exchange 2010 seats, and our current TPS is under 2000 2K keys a second during peak hours. We are currently running a Viprion 2400 there.

     

    We also have a few Exchange 2007 orgs with LTM 6900s and they have a combined user install base of over 120k seats and they run about an additional 800-900 TPS (combined) during the day.

     

  • mikeshimkus_111
    Historic F5 Account

    Hi pmilot, SSL offloading is currently unsupported in Exchange 2013:

     

    http://social.technet.microsoft.com/Forums/exchange/en-US/39315d05-d764-4afa-b9c6-e341f7b14384/does-exchange-2013-cu1-now-support-ssl-offloading

     

    As soon as it becomes supported again, we'll add offloading for 2013 to the F5 solutions.

     

    thanks

     

    Mike

     

    • pmilot
      Hi Mike, you are correct, and yes, I was aware. SSL Offloading was not the right term to describe our deployment. We are actually decrypting at the LTM/APM layer and re-encrypting for the CAS servers. Pat
    • hooleylist
      It looks like Exchange 2013 SP1 supports SSL offload: http://technet.microsoft.com/en-us/library/dn635115%28v=exchg.150%29.aspx http://www.jaapwesselius.com/2014/02/28/exchange-2013-sp1-ssl-offloading/ Aaron
  • Big thank you to Casey for sharing his statistics. However, I would like to point out that Exchange 2010 and 2013 deployments are drastically different. With 2010, all LAN-based connections are using RPC, which does not use SSL on F5. Thus, typically, only external connectivity into Exchange would consume SSL TPS. In 2013, all communications are SSL-based, so the load on the system should increase as compared to a 2010 deployment.

     

  • I likely should have noted that I'm an Exchange hoster and all client connectivity is external. There are zero connections that originate from the LAN.

     

  • Thanks a lot for the info, Casey and Michael. This is the best data point I've received thus far.

     

    Pat

     

  • On the largest 2010 org with nearly 300k users we operate about 1.5m concurrent connections at around 2.5GB/s throughput. We have noticed that 2013 tends to open more connections than 2010. So keep that in mind.

     

  • Hi Casey,

     

    What would you expect your TPS to peak at for the 300k org if you had to fail over and re-establish all those connections?

     

    Thanks

     

  • It would be significant; even restarting a few CAS servers at one time spikes the incoming TPS over 3-6k (we have over 30 CAS servers in the forward facing pool). I'm happy to say we have never had to do a peak daytime failover, but I have to imagine it would likely reach MAX SSL decrypts for the platform briefly if we did.

     

  • I should have included, but for that very reason we license the MAX SSL option for our platforms.