One Bad Pixel
When a good pixel go bad.

Redirecting OWA HTTP to HTTPS in Exchange 2013

After going through countless different methods of trying to get HTTP to HTTPS redirection working properly in Exchange 2013, I found the following method to work properly every time, without breaking all the other parts of the default website. The best part is, it’s a cookie-cutter operation, and requires no customization from one Exchange server to the next.

Part of the issue is that the OwaUrlModule does not play nice with Custom Error Pages or HTTP Redirection. This module is responsible only for rewriting / to /owa. Since the Rewrite module lets us do this with much more control, let’s do that instead.

First, go get the IIS 7 Redirect Module 2.0 from http://www.microsoft.com/en-us/download/details.aspx?id=7435

Next, open IIS, click on the Default Web Site. Double-click the “HTTP Redirection” icon and make sure it is not enabled.

Then, click on “OWA” inside the Default Web Site. Double-click the “SSL Settings” icon and make sure “Require SSL” is enabled. (This forces users to use HTTPS only.)

Last, we need to edit the web.config file for the default website. There may be a way to manage these settings in IIS, but I’m not really sure. This file is a text file and can be edited with notepad. It should be located at c:\inetpub\wwwroot\web.config, unless you set your wwwroot folder somewhere else.

Start by finding the line that starts with “<add name="OwaUrlModule" …” and add “<!--” to the beginning and “-->” to the end to disable the OwaUrlModule.

Then, find the section named “<system.webServer>” directly in the “<configuration>” section. This is not the one inside a “<location …” section. We need to add the following rewrite rules.


  <rewrite>
    <rewriteMaps>
      <rewriteMap name="Exchange Server" />
    </rewriteMaps>
    <rules>
      <clear />
      <rule name="Redirect root (Exchange Server)" enabled="true" stopProcessing="true">
        <match url="^$" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false" />
        <action type="Redirect" url="/owa" appendQueryString="false" />
      </rule>
      <rule name="Exempt OAB vdir from SSL (Exchange Server)" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
        <match url="oab/*" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
        <action type="None" />
      </rule>
      <rule name="Exempt PowerShell vdir from SSL (Exchange Server)" patternSyntax="Wildcard" stopProcessing="true">
        <match url="powershell" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
        <action type="None" />
      </rule>
      <rule name="Force HTTPS (Exchange Server)" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
          <add input="{HTTPS}" pattern="Off" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
      </rule>     
    </rules>
  </rewrite>

The whole web.config file should look something like:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location inheritInChildApplications="false">
    <system.webServer>
      <modules>
        <!--<add name="OwaUrlModule" type="Microsoft.Exchange.HttpProxy.OwaUrlModule,Microsoft.Exchange.OwaUrlModule,Version=15.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" preCondition="" />-->
      </modules>
    </system.webServer>
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps" />
      <compilation defaultLanguage="c#" debug="false">
        <assemblies>
          <add assembly="Microsoft.Exchange.OwaUrlModule, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        </assemblies>
      </compilation>
    </system.web>
  </location>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <rewriteMap name="Exchange Server" />
      </rewriteMaps>
      <rules>
        <clear />
        <rule name="Redirect root (Exchange Server)" enabled="true" stopProcessing="true">
          <match url="^$" />
          <conditions logicalGrouping="MatchAny" trackAllCaptures="false" />
          <action type="Redirect" url="/owa" appendQueryString="false" />
        </rule>
        <rule name="Exempt OAB vdir from SSL (Exchange Server)" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
          <match url="oab/*" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="None" />
        </rule>
        <rule name="Exempt PowerShell vdir from SSL (Exchange Server)" patternSyntax="Wildcard" stopProcessing="true">
          <match url="powershell" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="None" />
        </rule>
        <rule name="Force HTTPS (Exchange Server)" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="Off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
    <httpErrors errorMode="DetailedLocalOnly">
    </httpErrors>
  </system.webServer>
</configuration>

Restart IIS (“iisreset” from a command prompt) and test. It should redirect any requests for http://localhost (or whatever the URL is) to https://localhost/owa. So far, this is good. This is the same function that the OwaUrlModule was performing.

Now, browse to http://localhost/owa, and it should redirect automatically to https://localhost/owa. This is what we were after. Notice in our rules that we also prevented this fix from breaking the PowerShell and OAB virtual directories, since they should not have SSL redirects.
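
The test steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it requests each path over plain HTTP without following redirects, so the first response produced by each rule is visible. The host name in $BaseHost and the helper name Get-FirstHop are assumptions chosen for this example.

```powershell
# Added example (not from the original post): check each rule's effect over plain HTTP.
# $BaseHost is an assumption; set it to the host name your clients use.
$BaseHost = 'localhost'

function Get-FirstHop {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # report the redirect instead of following it
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx arrive as a WebException that still carries the response.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $resp = $ex.Response
    }
    $hop = New-Object psobject -Property @{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
    }
    $resp.Close()
    return $hop
}

# Each path, and what the rules on this page should do with it.
$checks = @(
    @{ Path = '/';           Expect = 'redirect'; Target = '/owa$' },
    @{ Path = '/owa';        Expect = 'redirect'; Target = '^https://' },
    @{ Path = '/oab/';       Expect = 'none' },
    @{ Path = '/powershell'; Expect = 'none' }
)

foreach ($c in $checks) {
    $hop = Get-FirstHop "http://$BaseHost$($c.Path)"
    $isRedirect = $hop.Status -ge 300 -and $hop.Status -lt 400
    if ($c.Expect -eq 'redirect') {
        $ok = $isRedirect -and ($hop.Location -match $c.Target)
    } else {
        # Exempt vdirs may answer 401/403 etc.; they must not be pushed to HTTPS.
        $ok = -not ($isRedirect -and ($hop.Location -match '^https://'))
    }
    '{0,-12} {1} {2,-28} {3}' -f $c.Path, $hop.Status, $hop.Location, $(if ($ok) {'OK'} else {'UNEXPECTED'})
}
```

A line marked UNEXPECTED for /oab/ or /powershell means the exemption rules are not being hit before the “Force HTTPS” rule, which usually points to rule order or a pattern typo in web.config.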

I hope this helps someone else in the future!

 
