
Exchange 2010: How to redirect non-SSL Outlook Web App traffic to SSL

In this Exchange 2010 tutorial, Scott Lowe shows how to make sure that users who visit http://webmail.yourorg.com are automatically redirected to https://webmail.yourorg.com/owa.

With Outlook Web App being an outwardly facing service that relies on the use of your organization's internal credentials, it's important to make sure that miscreants don't get access to your security jewels -- individual usernames and passwords. Using SSL for this traffic protects your organization and your users.

In this Exchange 2010 tutorial, I focus on how to make sure that users who visit http://webmail.yourorg.com are automatically redirected to https://webmail.yourorg.com/owa. I will not be covering the SSL certificate provisioning and installation process.

Step-by-step instructions

1. Log into your Exchange 2010 server with a user account that has administrative rights on the server.

2. Go to Start | Administrative Tools | Internet Information Services (IIS) Manager. This opens the IIS7 manager, which is used by Exchange's Client Access Server role.

3. Once you're in the IIS Manager tool, expand your computer link, choose Sites, and then select the Default Web Site option.

4. From the Features View, choose the HTTP Redirect option (Figure A).

Figure A: Choose the HTTP Redirect option

5. When you get to the HTTP Redirect page, do the following:

  • Select the checkbox next to the Redirect Requests To This Destination heading.
  • In the box below, type the full address, including HTTPS, of the site to which you'd like to redirect traffic, in this format: https://webmail.yourorg.com/owa.
  • Make sure you also select the checkbox next to Only Redirect Requests To Content In This Directory (Not Subdirectories). If you fail to do this, you'll break some other functionality.
  • In the Actions pane, click the Apply link to save your changes.

Your HTTP Redirect window should look like the screen in Figure B.

Figure B: The HTTP Redirect options page

This step alone, however, isn't enough. In fact, let's try it. Browse to http://webmail.yourorg.com. You'll get a message indicating that access is denied. The reason: SSL is currently required for the top-level directory (Figure C).

Figure C: The SSL redirect isn't working.

In order for the redirect to work, the top-level directory needs to be accessible without SSL. In other words, it needs to be accessible via HTTP. To make that happen, you need to disable the SSL requirement on that directory. Once you do, the top-level directory is fully accessible via HTTP, and IIS can properly intercept your HTTP request and redirect you to the page that you specified earlier.

Now, follow these steps:

1. Select the top-level directory, probably called Default Web Site, and browse to SSL Settings (Figure D).

Figure D: Choose the SSL Settings option

2. Double-click SSL Settings.

3. Deselect the checkbox next to Require SSL (Figure E).

4. In the Actions pane, click the Apply link to save your changes.

Figure E: Disable SSL on the top-level directory

For the remaining important subdirectories, make sure that the settings are as follows.

| Directory | SSL | Redirect |
|---|---|---|
| aspnet_client | Enable SSL | Uncheck redirect |
| Autodiscover | Enable SSL | Uncheck redirect |
| ecp | Enable SSL | Uncheck redirect |
| EWS | Enable SSL | Uncheck redirect |
| Microsoft-Server-ActiveSync | Enable SSL | Uncheck redirect |
| OAB | Enable SSL | Uncheck redirect |
| PowerShell | DISABLE SSL | Uncheck redirect |
| Rpc | Enable SSL | Uncheck redirect |

You need to make sure that you run through each of the directory settings, since some of the changes you made earlier will have propagated down through the folder structure. Figure F gives you a look at one of the settings you'll need to change.

Figure F: Set SSL and Redirect settings on each of the folders listed above

Once you're finished, test your new settings. As you can see in Figure G, success!

Figure G: The HTTPS redirect is working now.

Now, users can just remember webmail.yourorg.com, and you can do the heavy lifting behind the scenes to both protect them (SSL) and make their lives easier (automatic redirection).
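The settings from both sets of steps and the table above can also be scripted with the IIS WebAdministration module. This is an added example, not part of the original article: it assumes an elevated PowerShell session on the Client Access server, the article's placeholder host name, and that no web.config in these directories overrides the values written to applicationHost.config. The helper names Set-Prop and Get-Prop are hypothetical.

```powershell
# Added example, not from the original article.
# Assumes the site is named "Default Web Site" and uses the article's placeholder host.
Import-Module WebAdministration

$apphost     = 'MACHINE/WEBROOT/APPHOST'
$site        = 'Default Web Site'
$destination = 'https://webmail.yourorg.com/owa'
$redirect    = 'system.webServer/httpRedirect'
$access      = 'system.webServer/security/access'

function Set-Prop($location, $filter, $name, $value) {
    Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $filter -Name $name -Value $value
}
function Get-Prop($location, $filter, $name) {
    # Some attributes come back as plain values, others wrapped in an object with .Value
    $v = Get-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $filter -Name $name
    if ($null -ne $v.Value) { $v.Value } else { $v }
}

# Top-level site: redirect on, limited to this directory (childOnly), SSL not required
Set-Prop $site $redirect 'destination' $destination
Set-Prop $site $redirect 'childOnly'   $true
Set-Prop $site $redirect 'enabled'     $true
Set-Prop $site $access   'sslFlags'    'None'

# Subdirectories from the article's table: directory name -> sslFlags value
$subdirs = @{
    'aspnet_client' = 'Ssl'; 'Autodiscover' = 'Ssl'; 'ecp' = 'Ssl'; 'EWS' = 'Ssl'
    'Microsoft-Server-ActiveSync' = 'Ssl'; 'OAB' = 'Ssl'; 'Rpc' = 'Ssl'
    'PowerShell' = 'None'   # the table says to disable SSL on this directory
}
foreach ($dir in $subdirs.Keys) {
    $loc = "$site/$dir"
    Set-Prop $loc $redirect 'enabled'  $false       # "Uncheck redirect"
    Set-Prop $loc $access   'sslFlags' $subdirs[$dir]
}

# Read the values back as resolved at the applicationHost.config level, so a
# directory that still inherits the root's settings stands out in the listing
@($site) + ($subdirs.Keys | ForEach-Object { "$site/$_" }) |
    ForEach-Object {
        New-Object PSObject -Property @{
            Location = $_
            SslFlags = Get-Prop $_ $access 'sslFlags'
            Redirect = Get-Prop $_ $redirect 'enabled'
        }
    } | Format-Table Location, SslFlags, Redirect -AutoSize
```

In the listing, every subdirectory except PowerShell should show Ssl with Redirect False; a row showing None or True there means a setting from the top-level directory propagated down.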


About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

9 comments
EricR82

Wow! Great article. I had found Microsoft's steps but they left out the first part about changing the SSL settings on the root directory.


Thanks also to @AstroCreep for saving me any headaches tomorrow morning.

dphilips1425

I must have missed something on this. On my test network when I make these changes I can't get EMC or EMS to connect to the CAS server, and Outlook over https seems to stop working. All that is connecting is OWA and ECP. Does anyone have ideas on where to get my setup on track? Thanks.

etamayo

Followed these steps perfectly, but my Outlooks can't download the address book again. Any idea, please? The status is "Offline address book Connecting to Microsoft Exchange".

Hogsbreath

Good article. We just deployed Exchange 2010 and are in the testing phase with a small pilot group. It is nice to see the settings in one place to have as a reference as we just recently went through this.

The 'G-Man.'

to rid a page that just says - this site only accepts https...please... Well in 2007 anyway

Scott Lowe

dphilips - Thank you for the correction. I have updated the post to indicate that SSL for the PowerShell directory should not be enabled. Scott Lowe

dphilips1425

Thanks for sharing this config. I knew what we needed but now I have a way to do it.
