OWA Security and Redirection
After SSL is enabled and enforced, users must manually type the https:// portion of the website address; otherwise they get a 403;4 error page stating that SSL is required. Additionally, users must manually add /exchange to the end of the website address in order to connect to OWA.
How do I enable SSL and forms-based authentication? How can I automatically redirect requests from the http:// site to the https:// site? How can I automatically redirect the default website to the /exchange virtual directory?
The first step in configuring the server is to obtain a certificate (create your own, or purchase one from a third party such as Verisign or Thawte) and assign that certificate to the server. This is done in the Default Web Site properties, on the Directory Security tab. Once the certificate has been added, no additional configuration is needed on the Default Web Site. SSL does not need to be enabled. The following steps detail how to enable SSL and forms-based authentication and how to redirect the websites.
1. On the properties of the Exchange Virtual Directory, go to the same Directory Security tab and, under the Secure Communications area, click Edit. Choose Require Secure Channel (SSL) and check the box next to Require 128-bit encryption. Follow the same steps for the Public Virtual Directory.
2. Now that you have enabled SSL, you can enable forms-based authentication. Go into Exchange System Manager, and go to the properties of the Default HTTP Virtual Server. Under the Settings tab, check the box Enable Forms-based authentication. Optionally, modify the compression settings. Setting this to High gives users the greatest performance improvement. Forms-based authentication allows Exchange to display the OWA logon screen instead of the popup window asking for a username and password.
3. Assuming that the only thing IIS does on your Exchange server is OWA, make the following change to redirect requests to the /exchange virtual directory. Open Notepad and type the word redirect. Save the file with the name redirect.htm into the default web site directory. Now go to the properties of this file from within IIS Manager, and under the option The content for this resource should come from: choose A redirection to a URL. In the Redirect to: box that can now be filled in, type /exchange.
*Note: If you have additional content on the default web site of your Exchange server and/or host other websites, be aware that after completing this step, requests to the default website will result in automatic redirection to the /exchange virtual directory. Make sure that you understand the impact of this change.
4. On the properties of your Default Web Site, go to the Documents tab. Add redirect.htm to the list of documents, and move it to the top of the list. This ensures that the server checks for the redirect.htm file first and, if it finds it, executes it.
5. Open Notepad again and paste the following code. Do not modify it. Save the file as owahttps.asp.

<%
If Request.ServerVariables("SERVER_PORT")=80 Then
    Dim strSecureURL
    strSecureURL = "https://"
    strSecureURL = strSecureURL & Request.ServerVariables("SERVER_NAME")
    strSecureURL = strSecureURL & "/exchange"
    Response.Redirect strSecureURL
End If
%>

6. In Windows Explorer, navigate to the wwwroot folder (x:\inetpub\wwwroot, where x is the drive IIS is installed on) and create a new folder called owaasp. Place the owahttps.asp file into this directory. Once the directory is created, it should show up in IIS admin.
7. The next step is to modify the custom error for 403;4 (SSL required). Go into the properties of the Exchange Virtual Directory, and go to the Custom Errors tab. Scroll down, find 403;4 and choose Edit Properties. Change the message type to URL and, in the URL box, type /owaasp/owahttps.asp.
8. Next, in IIS Admin, go to the properties of the owaasp folder and, at the bottom, under Application Pool, choose ExchangeApplicationPool. If the Application Pool is not available, click the Create button next to Application Name and then you will be able to select the Application Pool.
Once this is configured, requests to http://servername.domain.com will be redirected to https://servername.domain.com/exchange.
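To confirm the result of the steps above, the redirect chain can be walked hop by hop, checking that it ends on https:// under /exchange, never drops back to plaintext, and stays on the host that was requested. This Python script is an added example, not part of the original article; the host name mail.example.test and the sample responses are constructed, and check_owa_redirect and live_fetch are names chosen here.

```python
# Added example: checks the redirect chain produced by steps 1-8.
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def live_fetch(url):
    """One GET, redirects not followed; returns (status, Location header)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)   # HTTPS uses default certificate validation
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_owa_redirect(start_url, fetch=live_fetch, max_hops=5):
    """Follow the chain from start_url; return a list of findings (empty = OK)."""
    findings, url, seen_https = [], start_url, False
    host = urlsplit(start_url).hostname
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)          # Location may be relative, e.g. /exchange
        parts = urlsplit(url)
        if parts.hostname != host:
            findings.append(f"redirect leaves host: {url}")
        if seen_https and parts.scheme != "https":
            findings.append(f"downgrade to plaintext: {url}")
        seen_https = seen_https or parts.scheme == "https"
    else:
        findings.append("too many redirects")
    final = urlsplit(url)
    if final.scheme != "https":
        findings.append(f"chain ends on plaintext: {url}")
    if not final.path.lower().startswith("/exchange"):
        findings.append(f"chain does not end in /exchange: {url}")
    return findings

# Constructed sample responses (host name is a placeholder), keyed by URL.
BASE = "mail.example.test"
CONFIGURED = {f"http://{BASE}/": (302, "/exchange"),
              f"http://{BASE}/exchange": (302, f"https://{BASE}/exchange"),
              f"https://{BASE}/exchange": (200, None)}
# Same server with step 7 skipped: the SSL-required error is returned as-is.
NO_CUSTOM_ERROR = {**CONFIGURED, f"http://{BASE}/exchange": (403, None)}

if __name__ == "__main__":
    print(check_owa_redirect(f"http://{BASE}/", CONFIGURED.get))
    print(check_owa_redirect(f"http://{BASE}/", NO_CUSTOM_ERROR.get))
```

Against a real server, call check_owa_redirect with only the start URL so that live_fetch issues the requests; an empty list means the chain behaves as the article describes.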