{"id":560,"date":"2019-10-07T10:16:53","date_gmt":"2019-10-07T15:16:53","guid":{"rendered":"http:\/\/itblog.ldlnet.net\/?p=560"},"modified":"2019-10-07T10:16:53","modified_gmt":"2019-10-07T15:16:53","slug":"outlook-web-app-owa-http-to-https-redirection","status":"publish","type":"post","link":"https:\/\/itblog.ldlnet.net\/index.php\/2019\/10\/07\/outlook-web-app-owa-http-to-https-redirection\/","title":{"rendered":"Outlook Web App (OWA) HTTP to HTTPS Redirection"},"content":{"rendered":"\n

For most companies today, we want to make access to OWA easy for the users. Most folks will just type in mail.domain.com\/owa or something of the like to get to the OWA page. If you don’t use HTTPS by default though, you will not be able to access OWA and will get an error on the page. We need to be able to redirect the HTTP query to go to SSL or HTTPS so that you get the proper logon page and have the access secured by SSL PKI as per the security standard.
Now, most bigger companies will install a load balancer that will program the redirection to HTTPS when the request is made before it hits the Exchange Server. But, for small companies, like mine, that cannot afford a load balancer, we need a native way in Windows and Exchange to be able to perform the same task and have it redirect to HTTPS so that your users are not confused when typing in the address.<\/p>\n\n\n\n

The following shows how to configure IIS so that it natively redirects all HTTP requests for OWA to HTTPS.<\/p>\n\n\n\n

By default in Exchange Server, the URL https:\/\/<ServerName><\/em> redirects users to https:\/\/<ServerName><\/em>\/owa. But, if anyone tries to access Outlook on the web (formerly known as Outlook Web App) by using http:\/\/<ServerName><\/em> or http:\/\/<ServerName><\/em>\/owa, they’ll get an error.<\/p>\n\n\n\n

You can configure http redirection for Outlook on the web so that requests for http:\/\/<ServerName><\/em> or http:\/\/<ServerName><\/em>\/owa are automatically redirected to https:\/\/<ServerName><\/em>\/owa. This requires the following configuration steps in Internet Information Services (IIS):<\/p>\n\n\n\n

  1. Remove the Require SSL<\/strong> setting from the default website. <\/li>
  2. Restore the Require SSL<\/strong> setting on other virtual directories in the default website that had it enabled by default (except for \/owa)<\/font><\/strong>. <\/li>
  3. Configure the default website to redirect http requests to the \/owa virtual directory. <\/li>
  4. Remove http redirection from all virtual directories in the default website (including \/owa). <\/li>
  5. Reset IIS for the changes to take effect.<\/li><\/ol>\n\n\n\n

    Step 1: Use IIS Manager to remove the Require SSL setting from the default website<\/h3>\n\n\n\n
    1. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager<\/strong> in the results. <\/li>
    2. Expand the server, and expand Sites<\/strong>. <\/li>
    3. Select Default Web Site<\/strong>. and verify Features View<\/strong> is selected at the bottom of the page. <\/li>
    4. In the IIS<\/strong> section, double-click SSL Settings<\/strong>.
      \"SSL1\"
      <\/li>
    5. On the SSL Settings<\/strong> page, clear the Require SSL<\/strong> check box, and in the Actions<\/strong> pane, click Apply<\/strong>.
      \"SSL2\"<\/li><\/ol>\n\n\n\n

      Note<\/strong>: To perform this procedure on the command line, open an elevated command prompt on the Exchange server (a Command Prompt window you open by selecting Run as administrator<\/strong>) and run the following command:<\/p>\n\n\n

      %windir%\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" -section:access -sslFlags:None -commit:APPHOST<\/pre>\n\n\n\n
      Step 2: Use IIS Manager to restore the Require SSL setting on other virtual directories in the default website<\/h3>\n\n\n\n
      When you change the Require SSL<\/strong> setting on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we’re only interested in configuring Outlook on the web, you need to restore the Require SSL<\/strong> setting for other virtual directories that had it enabled by default.<\/p>\n\n\n\n
      Based on the information in the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server<\/a> section, use the following procedure to restore the setting on the other virtual directories where Require SSL<\/strong> was enabled by default:<\/p>\n\n\n\n
      1. In IIS Manager, expand the server, expand\u00a0Sites<\/strong>, and expand\u00a0Default Web Site<\/strong>.<\/li>
      2. Select the virtual directory, and verify\u00a0Features View<\/strong>\u00a0is selected at the bottom of the page.<\/li>
      3. In the\u00a0IIS<\/strong>\u00a0section, double-click\u00a0SSL Settings<\/strong>.
        \"SSL3\"
        <\/li>
      4. On the\u00a0SSL Settings<\/strong>\u00a0page, select the\u00a0Require SSL<\/strong>\u00a0check box, and in the\u00a0Actions<\/strong>\u00a0pane, click\u00a0Apply<\/strong>.
        \"SSL4\"
        <\/li>
      5. Repeat the previous steps on each virtual directory in the default website that had\u00a0Require SSL<\/strong>\u00a0enabled by default ***(except for \/owa)***<\/font><\/strong>. The only virtual directories that don’t have\u00a0Require SSL<\/strong>\u00a0enabled by default are \/PowerShell and \/Rpc.<\/li><\/ol>\n\n\n\n
        NOTE: PLEASE REMEMBER TO NOT CHECK THE “Require SSL” FOR THE \/OWA DIRECTORY. THIS WILL CAUSE A 403 Access Denied ERROR WHEN TRYING TO REDIRECT.<\/strong><\/p>\n\n\n\n
        Note<\/strong>: To perform these procedures on the command line, replace <VirtualDirectory><\/em> with the name of the virtual directory, and run the following command in an elevated command prompt:<\/p>\n\n\n
        %windir%\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\/\" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST<\/pre>\n\n\n\n
        Step 3: Use IIS Manager to configure the default website to redirect to the \/owa virtual directory.<\/h3>\n\n\n\n
        1. In IIS Manager, expand the server, and expand\u00a0Sites<\/strong>.<\/li>
        2. Select\u00a0Default Web Site<\/strong>. and verify\u00a0Features View<\/strong>\u00a0is selected at the bottom of the page.<\/li>
        3. In the\u00a0IIS<\/strong>\u00a0section, double-click\u00a0HTTP Redirect<\/strong>.
          \"\"
          <\/li>
        4. On the\u00a0HTTP Redirect<\/strong>\u00a0page, configure the following settings:<\/li>
        5. Select the\u00a0Redirect requests to this destination<\/strong>\u00a0check box, and enter the value \/owa.<\/li>
        6. In the\u00a0Redirect Behavior<\/strong>\u00a0section, select the\u00a0Only redirect requests to content in this directory (not subdirectories)<\/strong>\u00a0check box.<\/li>
        7. In the\u00a0Status code<\/strong>\u00a0list, verify\u00a0Found (302)<\/strong>\u00a0is selected.When you’re finished, click\u00a0Apply<\/strong>\u00a0in the\u00a0Actions<\/strong>\u00a0pane.
          \"\"<\/li><\/ol>\n\n\n\n
          Note<\/strong>: To perform this procedure on the command line, open an elevated command prompt and run the following command:<\/p>\n\n\n
          %windir%\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\" -section:httpredirect -enabled:true -destination:\"\/owa\" -childOnly:true<\/pre>\n\n\n\n
          Step 4: Use IIS Manager to remove http redirection from all virtual directories in the default website<\/h3>\n\n\n\n
          When you enable redirection on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we’re only interested in configuring redirection for the default website, you need to remove the redirect setting from all virtual directories. By default, no directories or virtual directories in the default website are enabled for redirection. For more information, see the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server<\/a> section.<\/p>\n\n\n\n
          Use the following procedure to remove the redirect setting from all virtual directories in the default website (including \/owa):<\/p>\n\n\n\n
          1. In IIS Manager, expand the server, expand\u00a0Sites<\/strong>, and expand\u00a0Default Web Site<\/strong>.<\/li>
          2. Select the virtual directory, and verify\u00a0Features View<\/strong>\u00a0is selected at the bottom of the page.<\/li>
          3. In the\u00a0IIS<\/strong>\u00a0section, double-click\u00a0HTTP Redirect<\/strong>.
            \"\"
            <\/li>
          4. On the\u00a0HTTP Redirect<\/strong>\u00a0page, change the following settings:<\/li>
          5. Clear the\u00a0Only redirect requests to content in this directory (not subdirectories)<\/strong>\u00a0check box.<\/li>
          6. Clear the\u00a0Redirect requests to this destination<\/strong>\u00a0check box.<\/li>
          7. In the\u00a0Actions<\/strong>\u00a0pane, click\u00a0Apply<\/strong>.
            \"\"
            <\/li>
          8. Repeat the previous steps on each virtual directory in the default website.<\/li><\/ol>\n\n\n\n
            Note<\/strong>: To perform these procedures on the command line, replace <VirtualDirectory><\/em> with the name of the virtual directory, and run the following command in an elevated command prompt:<\/p>\n\n\n
            %windir%\\system32\\inetsrv\\appcmd.exe set config \"Default Web Site\/\" -section:httpredirect -enabled:false -destination:\"\" -childOnly:false<\/pre>\n\n\n\n
            Step 5: Use IIS Manager to restart IIS<\/h3>\n\n\n\n
            1. In IIS Manager, select the server.<\/li>
            2. In the\u00a0Actions<\/strong>\u00a0pane, click\u00a0Restart<\/strong>.
              \"\"<\/li><\/ol>\n\n\n\n
              Note<\/strong>: You can also perform an IISRESET from and Elevated PowerShell Prompt.<\/p>\n\n\n\n
              My biggest take away from this was NOT setting the SSL Requirement Properly in the \/owa directory when configuring this. By default, the setting is to Require SSL, but to redirect properly, you have to have that Virtual Directory in IIS set to NOT Require SSL.<\/em> Having the 403 error was driving me crazy. I had to get someone else to look at it, but they didn’t catch it either! That is why I made a point to write this article with the \/owa catch in mind. I hope this helps!<\/p>\n\n\n\n
              HAPPY CONFIGURATION!
              POSITIVE LIFE WILL BRING SUCCESS!<\/h2>\n\n\n\n
              REFERENCES:<\/strong>
              Configure http to https redirection for Outlook on the web in Exchange Server<\/a><\/em>
              Default Require SSL and HTTP Redirect settings in the default website on an Exchange server<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
              For most companies today, we want to make access to OWA easy for the users. Most folks will just type in mail.domain.com\/owa<\/p>\n
              Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,2,16],"tags":[9,149,151,173,174,170,167,217,127],"class_list":["post-560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange","category-general","category-windows","tag-exchange","tag-exchange-2016","tag-exchange-2019","tag-http","tag-https","tag-iis","tag-owa","tag-redirect","tag-ssl","odd"],"_links":{"self":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/comments?post=560"}],"version-history":[{"count":2,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/560\/revisions"}],"predecessor-version":[{"id":571,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/posts\/560\/revisions\/571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media\/161"}],"wp:attachment":[{"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/media?parent=560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/categories?post=560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.ldlnet.net\/index.php\/wp-json\/wp\/v2\/tags?post=560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}