A very long time I used ha-proxy for lb to publish Exchange OWA/Active-Sync in to the WWW. After the installation with NSX-T. I have the opportunity to replace my old ha-proxy configuration with the integrated LB from NSX-T. I would like to replace the ha-proxy for internal MAPI namespace. Normally that will be used often KEMP LB or ha-proxy. With NSX-T you can also replace this product. To Replace MAPI Namespace lb is very simple that will be used only TCP for lb.

I will not write how to deploy the LB that can you read here.
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-D39660D9-278B-4D08-89DF-B42C5400FEB2.html

I will show you some configuration where not included in the knowledge base.

To protect your Administrator interface from external access. In my old ha-proxy configuration I had a ACL to protect ecp from external.

For the OWA rule you must add a forwarding rule with this options.

For your SSL configuration you need your domain certificate and intermediate certificates also.
You need Client SSL and Server SSL. You can use twice the same certificate,.

Before you can assign the certificates you have to import the certificates for your domain and the intermediate certificates under System = >Certificates

After importing the certificates you can assign this to your Virtual Servers HTTP 7 rule.
Trusted CA Certificates means your intermediate certificate.