How much additional load does SSL processing put on an IIS Web server (more specifically, an Exchange 2000 front-end server used exclusively for handling about 1,000 external OWA clients)? As a follow up question, do you recommend offloading SSL processing to an SSL appliance (i.e., a Sonic Wall SSL appliance)?
The vast majority of processing time required for SSL is during the session establishment. Encrypting traffic during the actual session requires minimal processing overhead. So, the statistics the SSL vendors generally show are generated by having clients rapidly open new SSL sessions -- a situation that almost never really happens.
In my opinion, you should only consider this option if your current OWA front-end server is processor-bound. Watch the performance administrative tool, or even Task Manager, to see if the processor(s) are consistently above 30% utilization during peak time. If it is, consider both SSL accelerators and a simple processor upgrade. Chances are, you'll get more scalability for your money if you upgrade your server's processor. Upgrading the server's processor will improve the performance of all processor-bound tasks, and it's probably much cheaper than an SSL accelerator. Also, adding an SSL accelerator adds complexity to your solution, which costs you by increasing administrative time and potential problems during patches and upgrades. Further, SSL accelerators are yet another point of failure in your network -- one more thing to worry about breaking.
So, my advice is to upgrade your server's processors if, and only if, you really are processor-bound. Tuning OWA performance is very complex, and slow responsiveness can happen for many different reasons. One of the least likely causes of that slow responsiveness is SSL session establishment overhead.
This was first published in January 2003