Thursday, November 7, 2013

Exchange 2013 CU2 redirection of OWA from HTTP to HTTPS

There's a lot of misinformation on the net right now about how to properly redirect the Outlook Web Access URL from an HTTP request to an HTTPS request. Most of it is due to how Exchange and OWA have changed over the past few versions, but some of the confusion comes from Microsoft itself and its TechNet articles! The TechNet article "Simplify the Outlook Web App URL" at http://technet.microsoft.com/en-us/library/aa998359%28v=exchg.150%29.aspx guides you through modifying the SSL settings, changing the HTTP redirect option, and then going back and cleaning up the mess you made in IIS, because the subdirectories of the default website inherit those properties. What's worse, it doesn't even work!

As it turns out, this process is actually just a copy/paste from the Exchange 2010 process: http://social.technet.microsoft.com/wiki/contents/articles/921.simplify-the-outlook-web-app-url-in-exchange-server-2010.aspx

So... what's the right way to do this? A custom error page! It's so much simpler than all of the mess above, and the changes that are made to IIS7 to make it happen are much less intrusive, requiring no cleanup or anything.

1) First of all, log into your Exchange 2013 CU2 CAS server and open IIS7.

2) In the IIS7 Management Console, expand sites and select the Default Web Site (not the Exchange Back End site!)

3) In the center area, double click on the Error Pages icon, then on the right hand side under Actions click on "Add".

4) In the Add Custom Error Page window, under Status code, enter 403.4. For the response action, select the third option, "Respond with a 302 redirect", and in the Absolute URL field enter your full URL, such as https://email.domain.com/owa. Don't forget the /owa on the end! Click OK to close the window.

5) Open up a command prompt and type "iisreset" to apply the changes.

That's it! Now try browsing to http://email.domain.com and validate that you are indeed redirected to https://email.domain.com/owa. So much easier! The other real benefit is that you can leave the "require SSL" box checked on the default website and OWA subdirectory using this process, and you don't have to mess with the HTTP redirect option, which has the tendency to break all of your subdirectories by applying the redirection to them as well!
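To verify the result of the steps above, the following PowerShell is an added example, not part of the original post. It checks that the 403.4 entry redirects to the HTTPS OWA URL, that "Require SSL" is still set on the default website and the OWA subdirectory, and that a plain HTTP request actually receives the 302. The function names are hypothetical and the host name is the post's placeholder.

```powershell
# Added example, not from the original post. Function names are hypothetical;
# 'email.domain.com' is the post's placeholder host name.

# Run on the CAS server in an elevated session: reads the IIS configuration.
function Test-OwaRedirectConfig {
    param([string]$ExpectedUrl, [string]$Site = 'IIS:\Sites\Default Web Site')
    Import-Module WebAdministration

    # The custom error entry created in steps 3 and 4.
    $filter = "system.webServer/httpErrors/error[@statusCode='403' and @subStatusCode='4']"
    $entry  = Get-WebConfiguration -PSPath $Site -Filter $filter
    [pscustomobject]@{
        Check = '403.4 custom error'
        Value = "$($entry.responseMode) -> $($entry.path)"
        Pass  = ("$($entry.responseMode)" -eq 'Redirect') -and ($entry.path -eq $ExpectedUrl)
    }

    # "Require SSL" must still be set on the site and on the OWA subdirectory.
    foreach ($path in $Site, "$Site\owa") {
        $access = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/security/access'
        $flags  = "$($access.sslFlags)"
        [pscustomobject]@{ Check = "Require SSL on $path"; Value = $flags; Pass = $flags -match '\bSsl\b' }
    }
}

# Run from a separate client machine: with IIS's default errorMode
# (DetailedLocalOnly), requests made on the server itself may get the detailed
# 403.4 page instead of the custom error response.
function Test-OwaRedirectResponse {
    param([string]$HostName)
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false      # look at the 302 itself, do not follow it
    try { $resp = $req.GetResponse() }
    catch {
        # 4xx/5xx surface as a WebException that still carries the response.
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }
    }
    try {
        $status = [int]$resp.StatusCode; $location = $resp.Headers['Location']
        [pscustomobject]@{
            Status = $status; Location = $location
            Pass   = ($status -eq 302) -and ($location -like "https://$HostName/owa*")
        }
    } finally { $resp.Close() }
}

# Test-OwaRedirectConfig   -ExpectedUrl 'https://email.domain.com/owa'
# Test-OwaRedirectResponse -HostName 'email.domain.com'
```

A `Pass` of `False` on either "Require SSL" row means the site is accepting plain HTTP somewhere, which this method is meant to avoid.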

7 comments:

  1. Andrew, we seem to find the same issues and write documentation on it. I guess you can call that Great Minds think alike :-)

    http://blog.korteksolutions.com/redirection-for-http-to-https-on-exchange-2013-cu2-cas-server-does-not-work-technet-article-incorrect/

  2. It looks like Microsoft has updated the TechNet article to include the actual configuration for Exchange 2013 on Win 2012. http://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx

    I tested the newly published method and it worked. This seems to be closer to the way it was done in Exchange 2010.

  3. And what happens if I browse https://email.domain.com? I don't get redirected. That's why I have to do the redirection on the default website level.

  4. Listen UP !!!!
    10s of man-hours. The normal guides tell you to use the HTTP redirect for the default site.

    a) Didn't work for me
    b) http://sub.domain.com/sdfjöaskdqwe -> Redirects to OWA -> PERFECT
    b) 1) works without subdomains also

    c) You are my fucking HERO

    Thank You

  5. Hi, for some reason the redirect mail.server.com/owa displays "the website declined to show this webpage", "This website requires you to log in". It is working for mail.server.com without owa and all other variables after owa.

  6. ECP does not work when redirecting with error pages.

  7. Since I've been referring back to this site for many years, thought I'd share the PowerShell one-liner I've learnt to do this:

    Add-WebConfiguration -filter system.webserver/httperrors -location "IIS:\Sites\Default Web Site" -value @{statuscode=403; substatuscode=4; path="https://mail.contoso.com/owa"; responsemode='Redirect'}
