Thursday 4 November 2010

Exchange 2010: How to redirect non-SSL Outlook Web App traffic to SSL

With Outlook Web App being an outward-facing service that relies on your organization’s internal credentials, it’s important to make sure that miscreants don’t get access to your security jewels — individual usernames and passwords. Using SSL for this traffic protects your organization and your users.


In this Exchange 2010 tutorial, I focus on how to make sure that users who visit http://webmail.yourorg.com are automatically redirected to https://webmail.yourorg.com/owa. I will not be covering the SSL certificate provisioning and installation process.



Step-by-step instructions


1. Log into your Exchange 2010 server with a user account that has administrative rights on the server.


2. Go to Start | Administrative Tools | Internet Information Services (IIS) Manager. This opens the IIS7 manager, which is used by Exchange’s Client Access Server role.


3. Once you’re in the IIS Manager tool, expand your computer link, choose Sites, and then select the Default Web Site option.


4. From the Features View, choose the HTTP Redirect option (Figure A).

Figure A: Choose the HTTP Redirect option

5. When you get to the HTTP Redirect page, do the following:

  • Select the checkbox next to the Redirect Requests To This Destination heading.
  • In the box below, type in the full address, including https://, of the site to which you’d like to redirect traffic, in this format: https://webmail.yourorg.com/owa.
  • Make sure you also select the checkbox next to Only Redirect Requests To Content In This Directory (Not Subdirectories). If you don’t, the redirect is inherited by the virtual directories beneath the site and breaks the services they host.
  • In the Actions pane, click the Apply link to save your changes.


Your HTTP Redirect window should look like the screen in Figure B.

Figure B: The HTTP Redirect options page

This step alone, however, isn’t enough. In fact, let’s try it. Browse to http://webmail.yourorg.com. You’ll get a message indicating that access is denied. The reason: SSL is currently required for the top level directory (Figure C).

Figure C: The SSL redirect isn’t working.

In order for the redirect to work, the top level directory needs to be accessible without using SSL. In other words, it needs to be accessible via HTTP. To make that happen, you need to disable the SSL requirement on that directory. Once you do, the top-level directory is fully accessible via HTTP and then IIS can properly intercept your HTTP request and redirect you to the page that you specified earlier.


Now, follow these steps:


1. Select the top level directory - probably called Default Web Site - and browse to SSL Settings (Figure D).

Figure D: Choose the SSL Settings option

2. Double-click SSL Settings.


3. Deselect the checkbox next to Require SSL (Figure E).


4. In the Actions pane, click the Apply link to save your changes.


Figure E: Disable SSL on the top level directory

For the remaining important subdirectories, make sure that the settings are as follows.

  Directory                    SSL          Redirect
  aspnet_client                Enable SSL   Uncheck redirect
  Autodiscover                 Enable SSL   Uncheck redirect
  ecp                          Enable SSL   Uncheck redirect
  EWS                          Enable SSL   Uncheck redirect
  Microsoft-Server-ActiveSync  Enable SSL   Uncheck redirect
  OAB                          Enable SSL   Uncheck redirect
  PowerShell                   Enable SSL   Uncheck redirect
  Rpc                          Enable SSL   Uncheck redirect



You need to make sure that you run through each of the directory settings since some of the changes you made earlier will have propagated down through the folder structure. Figure F gives you a look at one of the settings you’ll need to change.

Figure F: Set SSL and Redirect settings on each of the folders listed above
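As an added example that is not part of the original post, the same three changes (site-root redirect, Require SSL cleared on the root, Require SSL kept and redirect unchecked on each listed directory) can be applied and then checked from PowerShell with the WebAdministration module. The site name, the placeholder hostname and the IIS property names used (childOnly for the "not subdirectories" checkbox, sslFlags for Require SSL) are assumptions about an IIS 7 install, not taken from the post.

```powershell
# Added example, not from the original post: apply the post's settings with the
# WebAdministration module instead of the IIS Manager GUI, then verify them.
# Assumes IIS 7.x on the Client Access Server, a site named 'Default Web Site',
# and the post's placeholder hostname. httpRedirect/childOnly is the GUI's
# "Only redirect requests to content in this directory (not subdirectories)";
# access/sslFlags 'Ssl' is the GUI's "Require SSL".
Import-Module WebAdministration

$site        = 'Default Web Site'
$destination = 'https://webmail.yourorg.com/owa'
$appHost     = 'MACHINE/WEBROOT/APPHOST'
# Directories the post says must keep Require SSL and must not inherit the redirect.
$sslOnlyDirs = 'aspnet_client', 'Autodiscover', 'ecp', 'EWS',
               'Microsoft-Server-ActiveSync', 'OAB', 'PowerShell', 'Rpc'

function Set-HttpRedirect([string]$Location, [bool]$Enabled, [string]$Destination = '') {
    $filter = 'system.webServer/httpRedirect'
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $filter -Name 'enabled' -Value $Enabled
    if ($Enabled) {
        Set-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $filter -Name 'destination' -Value $Destination
        Set-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $filter -Name 'childOnly' -Value $true
    }
}

function Set-RequireSsl([string]$Location, [bool]$Require) {
    $flags = if ($Require) { 'Ssl' } else { 'None' }
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $flags
}

# Site root: redirect to /owa and clear Require SSL so plain HTTP reaches the redirect.
Set-HttpRedirect -Location $site -Enabled $true -Destination $destination
Set-RequireSsl   -Location $site -Require $false

# Each listed directory: undo the inherited redirect, keep SSL mandatory.
foreach ($dir in $sslOnlyDirs) {
    Set-HttpRedirect -Location "$site/$dir" -Enabled $false
    Set-RequireSsl   -Location "$site/$dir" -Require $true
}

# Check from a client without following redirects: plain HTTP to the root should
# answer 302 with an https:// Location, never the logon form itself.
$req = [System.Net.WebRequest]::Create('http://webmail.yourorg.com/')
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

Run the last block from a workstation outside the server as well, since a redirect that works locally but is blocked by a firewall or load balancer on port 80 leaves users typing the https:// URL themselves.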

Once you’re finished, test your new settings. As you can see in Figure G, success!

Figure G: The HTTPS redirect is working now.

Now, users can just remember webmail.yourorg.com, and you can do the heavy lifting behind the scenes to both protect them (SSL) and make their lives easier (automatic redirection).

1 comment:

  1. Yeahhh, this is working!!! But how could you get another page with the user logged into the website... for example, the account page of the user. cheap wildcard ssl
