Problem
You’re attempting to publish / load balance your on-premises Exchange 2019 servers behind a Citrix ADC / NetScaler but notice that the health monitors created to check the services (e.g. https://172.16.1.81/owa/healthcheck.htm) fail with the following error:
Failure - Time out during SSL handshake stage
The rest of the monitors report the same error.
Further troubleshooting reveals that the cause is the following server-hardening registry values, which had been added to the Exchange 2019 servers:
Key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
AllowInsecureRenegoClients (REG_DWORD) = 0
AllowInsecureRenegoServers (REG_DWORD) = 0
Removing these entries from one of the Exchange servers corrects the error and allows the probe to report that server as up (the status is only partial because the other server still has the registry values).
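Before changing anything on the servers, it helps to confirm which of them actually carry the two SCHANNEL values named above. The following PowerShell is an added example and is not from the original post; it assumes the Exchange servers are reachable over WinRM, and the server names are placeholders.

```powershell
function Get-SchannelRenegoSetting {
    # Hypothetical helper (not from the post): report the two SCHANNEL
    # renegotiation values under the registry path the post identifies.
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL',
        [string[]]$Names = @('AllowInsecureRenegoClients', 'AllowInsecureRenegoServers')
    )
    foreach ($name in $Names) {
        # Get-ItemProperty returns nothing (no error) when the value is absent,
        # so a missing value shows up as Present = False.
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = $item.$name }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            ValueName    = $name
            Present      = ($null -ne $item)
            Value        = $value
        }
    }
}

# Run locally on a single Exchange server:
Get-SchannelRenegoSetting | Format-Table -AutoSize

# Or fan out to all Exchange servers over WinRM (placeholder names):
$exchangeServers = @('EXCH01', 'EXCH02')
Invoke-Command -ComputerName $exchangeServers -ScriptBlock ${function:Get-SchannelRenegoSetting} |
    Sort-Object PSComputerName, ValueName |
    Format-Table PSComputerName, ValueName, Present, Value -AutoSize
```

A server that shows both values as Present = True with Value = 0 while its monitor reports "Time out during SSL handshake stage" matches the condition described in the post. The audit is read-only, so it can be run safely across the whole Exchange farm to see which members are in which state before deciding whether to touch the hardening values or fix the problem on the ADC side instead.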
Various discussions on the Citrix forums point to adjusting the Deny SSL Renegotiation setting, but none of those configuration changes corrected the issue in the environment I was working with:
https://discussions.citrix.com/topic/401441-basic-load-balancing-for-owa-exchange-2019/page/3/
Solution
After extensive troubleshooting without reaching a resolution, I decided to upgrade the Citrix ADC / NetScaler from NS13.0 52.24.nc to the latest build available at the time, which was NS13.0 67.39.nc.
This resolved the issue, and the services were then correctly reported as UP.
Hope this helps anyone who might be facing this same issue as there isn’t much material available and the available solutions did not work for me.