OWA HTTP to HTTPS autoredirect best method - Exchange 2013 CU23 on Windows Server 2012 R2 (IIS8.5)
I am willing too to automatically redirect http owa requests to https, to make life easier for my end users.
My environment consists of Exchange 2013 CU23 on WIndows Server 2012 R2 (IIS 8.5).
I have read around of many "ways" to accomplish the task, other than the official one(s) from technet:
1) One is well explained here: https://blog.expta.com/2016/05/redirection-in-exchange-2013-cu6-and.html
It refers specifically to Exchange 2013 CU6+ and 2016. Basically he suggests to create an error page in IIS mmc for the error code 403.4 to answer with a 302 redirect to the correct URL (ie https://mail.contoso.com/owa). The reason is that with this method you don't need to mess with the Exchange virtual directories security settings, inheritance, etc.
2) Than there is this one, written by Ace Fekay: https://blogs.msmvps.com/acefekay/2013/04/16/redirect-owa-exchange-2010-exchange-2013-the-cool-and-easy-method/.
He claims to have had a talk with MS Support for other reasons, and while troubleshooting his issue they debated about the best way to accomplish the http->https autoredirect task. Briefly, they ended up saying that instead of applying settings to the "Default Website" root with the inheritance implications (the need to unset inherited settings on the subfolders where not needed and the risk of messing up things), it's way better to apply the redirect method only to the "iisstart.htm" file.
3) Technet provides two methods, quite similar but not identical.
3a)If you look for Exchange 2013, there is this one: https://learn.microsoft.com/en-us/exchange/simplify-the-outlook-web-app-url-exchange-2013-help
3b)If you look for Exchange 2016 and later, there is this one instead: https://learn.microsoft.com/it-it/exchange/clients/outlook-on-the-web/http-to-https-redirection?view=exchserver-2016
Basically, they differ on the "require ssl" unsetting part, where for 2013 you have been told to just unset the redirect for all the virtual directories that inherited the redirect setting from the root "Default Website"; for Exchange 2016-2019 you should remove both the inherited "redirect" setting on all vdirs and the "Require SSL" setting on all vdirs except for the /owa vdir.
Honeslty, I am quite confused on how to proceed. In the logic of "the simpler the better" I should opt for option 1) or 2). In the logic "follow the Technet bible" I should follow the 3rd option (but which one? 3a or 3b?).
I hope you can kindly give me some hint in order to make the best decision.
There's even other option, that is what I always used.
I believe this is the option that requires less administrative effort.
The one to use would come down to preference and how much you're comfortable applying the changes asked by some of the methods.
That's not a matter of "comfort" but about which one is less likely to break Exchange. ;) The less administrative effort is obtained with 1) or 2) i think. But I was expecting some "best practice". I feel never "comfortable" when doing unsupported stuff or when there is confusion on ways to do a thing. Exchange heavily relies on IIS, you know... Moreover Technet itself is quite confusing, since it provides two different howtos, and I doubt it is due to the Exchange version.
Hi @BK IT Staff
Microsoft recommends that follow the steps in the official documentation, and since you are using Exchange2013, follow the documentation for Exchange2013 (3a).
Use IIS Manager to simplify the Outlook Web App URL and force redirection to SSL
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Jame Xu-MSFT , thanks for answering. The documentation for Exchange 2013 consists of two steps. You mentioned just one. Intentional or not?
Sorry for that, not intentionally. You need to remove the redirect from the unwanted virtual directories after the configuration is complete, as shown in step two. Hope you are not misled. After the setup is complete, you could refer to this test to see if it is successful.
Thanks for your prompt answer @Jame Xu-MSFT . I will go ahead and follow your advice.
Hi @Jame Xu-MSFT , sorry to bother you again on this, but I was thinking on the steps described in the documentation, and on the way I know IIS is implemented. I am quite concerned about a thing.
The procedure basicacally says to set a redirect on the "Default website" level, and later remove the redirect from child folders, since every setting you make at the top level will be inherited by child elements.
The procedure also says to uncheck "require SSL", again at the top level "Default website" item. This setting I am pretty sure that will be inherited by all other child virtual directories. Currently all of them are set to "requre SSL", all but "Powershell" vdir.
Now, are you sure I do not have also to recheck "require SSL" on each child virtual directory, except for Powershell vdir? However, the official procedure for Exchange 2013 does not mention to do this step. Why?
Hi @BK IT Staff ,
The steps of the Exchange2013 document are indeed not as detailed as the steps of the Exchange2016 document, after searching, the http redirection steps of Exchange2013 and 2016 are almost universal, and you could also follow the steps in the Exchange2016 document. For your needs, redirect the http of owa to https, uncheck the default website needs SSL, the following subdirectories are not checked, and will not affect the redirection, if you are worried about the impact on other virtual directories, you could follow the exchange2016 document for http redirection operations.
Here is also a method of operation in the article, which you could also refer to：
Hello, is the reply helpful to you?
Hi, actually this part is not clear:
Do the subdirs not inherit the parent settings then as stated instead in Technet articles? Now, without making any change yet, the "Require SSL" check is checked on default website and all vdirs but Powershell one.
Hi @BK IT Staff ,
The subdirs will inherit the parent settings. Following the Exchange2013 document will not affect normal use (other subdirectories do not select "need SSL"). If you are worried about the problem, you can try to follow the steps in the Exchange2016 document, and if something goes wrong, just restore it.
Sign in to comment