Thursday, 3 December 2015

HTTP to HTTPS OWA redirect | Exchange 2013 and 2016

Introduction


In this post, I’ll demonstrate how to redirect HTTP OWA requests to HTTPS for both Exchange 2013 and 2016. This simplifies the OWA URL and is easier for end users to remember as they don’t have to type https://.

OWA over HTTP


When we try to browse to OWA using the HTTP address, in our case http://mail.litwareinc.com/owa, we get the error below:

"The website declined to show this webpage (HTTP 403 Forbidden)"


Background information


OWA is set up as a virtual directory in IIS on Exchange 2013 CAS and MBX servers and on Exchange 2016 servers. The virtual directory sits under an IIS website, and two websites exist once Exchange is installed: “Default Web Site” and “Exchange Back End”.

On each of these websites, bindings specify the server IP, port number and host header that the site responds to. The bindings for the “Default Web Site” include ports 80 and 443.

The bindings for the “Exchange Back End” site include ports 81 and 444.

So our Exchange server is listening for connections on port 80, as it is a listed port on the “Default Web Site”. Why, then, does OWA not work on port 80?

The problem is that the Default Web Site is configured to require SSL.

Unticking “Require SSL” is a good start, but it’s only part of the solution. Keep reading for the recommended way to do this.

How to configure HTTP to HTTPS redirect for OWA


To configure this redirect and also require SSL, go through the steps below:

1) Click on “Default Web Site” in IIS on your Exchange 2013 CAS or multirole server or on your Exchange 2016 server. Then double click on “HTTP Redirect”.

2) Tick “Redirect requests to this destination” and type in the full OWA URL e.g. https://mail.litwareinc.com/owa. Also tick “Only redirect requests to content in this directory (not subdirectories)” then click Apply.

3) Double click on “Default Web Site” to return to the home menu, then double click on SSL settings.

4) Untick “Require SSL” then click on Apply.

5) Click on the Autodiscover virtual directory then double click on HTTP Redirect.

6) Untick “Redirect requests to this destination” then click Apply.

7) Repeat steps 5 and 6 for the other virtual directories under the “Default Web Site” which are listed below:

  • ECP
  • EWS
  • MAPI
  • Microsoft-Server-ActiveSync
  • OAB
  • OWA
  • PowerShell
  • RPC


8) Reset IIS so that the settings take effect:

iisreset /noforce


9) Confirm the settings are correct and that you can now open up OWA by browsing to http://mail.litwareinc.com/owa:

If you refresh the page using CTRL-F5 or open up a new browser instance and browse to http://mail.litwareinc.com, you will see it now redirects to https://mail.litwareinc.com/owa and we can log in without a problem:
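The same steps can be applied from an elevated PowerShell prompt using the WebAdministration module. The script below is an added example, not part of the original post; it assumes the post's example URL and the virtual directory names from steps 5 to 7, and it finishes by reading back each directory's redirect and SSL settings so that any directory still inheriting the redirect, or not requiring SSL, is flagged.

```powershell
# Added example (not from the original post). Run elevated on the Exchange server.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$OwaUrl   = 'https://mail.litwareinc.com/owa'   # the post's example URL; substitute your own
$VDirs    = 'Autodiscover','ECP','EWS','MAPI','Microsoft-Server-ActiveSync',
            'OAB','OWA','PowerShell','RPC'       # directories named in steps 5-7
$Redirect = 'system.webServer/httpRedirect'
$Access   = 'system.webServer/security/access'
$Root     = "IIS:\Sites\$Site"

# Steps 1-2: redirect the site root only. childOnly is the
# "Only redirect requests to content in this directory" tick box.
Set-WebConfigurationProperty -PSPath $Root -Filter $Redirect -Name enabled     -Value $true
Set-WebConfigurationProperty -PSPath $Root -Filter $Redirect -Name destination -Value $OwaUrl
Set-WebConfigurationProperty -PSPath $Root -Filter $Redirect -Name childOnly   -Value $true

# Steps 3-4: clear "Require SSL" on the site root. The access section is locked at
# server level by default, so it is written as a location entry in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $Access -Name sslFlags -Value 'None'

# Steps 5-7: switch the inherited redirect off on every virtual directory.
foreach ($dir in $VDirs) {
    Set-WebConfigurationProperty -PSPath "$Root\$dir" -Filter $Redirect -Name enabled -Value $false
}

# Step 8
iisreset /noforce

# Read-back of the effective settings for the root and each virtual directory.
function Get-EffectiveValue([string]$Path, [string]$Filter, [string]$Name) {
    $raw = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($null -ne $raw.Value) { $raw.Value } else { $raw }   # some attributes come back wrapped
}

$report = foreach ($dir in @('') + $VDirs) {
    $path  = if ($dir) { "$Root\$dir" } else { $Root }
    $flags = [string](Get-EffectiveValue $path $Access 'sslFlags')
    [pscustomobject]@{
        Path            = if ($dir) { "/$dir" } else { '/' }
        RedirectEnabled = [bool](Get-EffectiveValue $path $Redirect 'enabled')
        SslFlags        = $flags
        RequiresSsl     = ($flags -split ',\s*') -contains 'Ssl'
    }
}
$report | Format-Table -AutoSize

# Warn on any virtual directory that still inherits the redirect or does not require SSL.
$report | Where-Object { $_.Path -ne '/' -and ($_.RedirectEnabled -or -not $_.RequiresSsl) } |
    ForEach-Object { Write-Warning "$($_.Path): redirect=$($_.RedirectEnabled), sslFlags='$($_.SslFlags)'" }
```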


Conclusion


In this post, we’ve gone through the steps to configure an HTTP to HTTPS redirect for OWA on Exchange 2013 and Exchange 2016. Stay tuned for more Exchange tips and tricks!

6 comments:

  1. Shouldn't we then go in and re-check "require SSL" on these virtual directories?

  2. Microsoft recommends not doing it this way now, apparently. The way to set up the redirect is to go into iisstart.htm and set the redirect and SSL. This way the settings do not inherit down through all the other virtual directories. Either way works, but this way is less manual work and there is less chance for issues later on.

  3. Microsoft recommends not doing it this way now, apparently. The way to set up the redirect is to go into iisstart.htm and set the redirect and SSL. This way the settings do not inherit down through all the other virtual directories. Either way works, but this way is less manual work and there is less chance for issues later on.

  4. Yes you should require SSL on the other virtual directories. Opiate, Microsoft has published the article above here https://support.microsoft.com/en-us/kb/975341 so they must support it.

  5. I think that making a rule with URL Rewrite 2.0 is simpler.

  6. Hi, I need some help. I'm trying to move OWA to port 1188 from 443. How can I change it? I am able to access it with port 1188, but the server can't return me from 1188, even though I changed IIS from 443 to port 1188.
