This article describes how to automatically redirect an HTTP connection to an HTTPS connection in the Internet Information Services (IIS) console for Microsoft Office Outlook Web Access users. This article also describes how to modify the IIS Default Web Site so that clients can access the Outlook Web Access logon page by typing only http://<server name> instead of typing http://<server name>/exchange.
We recommend that you require a Secure Sockets Layer (SSL) connection for your Outlook Web Access users. An SSL connection encrypts the information that is sent to or received from the Microsoft Exchange Server. However, when you configure IIS to require SSL for all incoming Outlook Web Access requests, Outlook Web Access users who try to connect by using HTTP receive the following error message:
HTTP 403.4 - Forbidden: SSL required Internet Information Services
After the Outlook Web Access user receives the error message, the user must manually type https:// at the start of the URL to connect to the computer that is running Microsoft Exchange Server. You may want to configure IIS to automatically redirect the Outlook Web Access user's HTTP request to HTTPS to minimize user interaction and to make sure that all incoming requests are enabled for SSL.
To configure IIS to automatically redirect HTTP requests as HTTPS requests, follow these steps.
Important If the following conditions are true, you must mount and start the mailbox store before you can successfully complete these steps:
Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 is installed on a front-end server.
The mailbox store was dismounted.
Note Follow these steps on an Exchange front-end server that communicates with a clustered Exchange back-end server.
Create an Active Server Pages (ASP) webpage that contains the following code.
<%If Request.ServerVariables("HTTPS") = "off" Then Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/Exchange"End If %>
Name the webpage as follows:
In Windows Explorer, create the Inetpub\Wwwroot\CustomErrors folder, and then save the Owahttps.asp webpage file to that folder.
Start the IIS console.
In Windows NT Server 4.0 (IIS 4.0)
Note Follow these steps if you are running Microsoft Exchange Server 5.5 Outlook Web Access on Windows NT 4.0 Server together with the Windows NT 4.0 Option Pack. If you have an Exchange Server 5.5 mailbox server, and if the Outlook Web Access component is installed separately on a dedicated web server, follow these steps on the web server only.
Click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Services, and then click Internet Services Manager.
Expand Internet Information Server, expand Computer Name, and then expand the website that the Outlook Web Access users use to access their Exchange server. By default, this website will be the Default Web Site.
Go to step 5.
In Windows 2000 Server (IIS 5.0)
Note Follow these steps if you are running Exchange Server 5.5, Exchange 2000, or Exchange 2003 Outlook Web Access on Windows 2000 Server.
Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
Double-click Computer Name to expand the computer object.
Expand the website that the Outlook Web Access users use to access their Exchange server. By default, this website will be the Default Web Site.
Go to step 5.
In Windows Server 2003 (IIS 6.0)
Note Follow these steps if you are running Exchange 2003 Outlook Web Access on Windows Server 2003.
Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Expand Computer Name, and then expand Web Sites.
Expand the website that your Outlook Web Access users use to access their Exchange server. By default, this website will be the Default Web Site.
Go to step 5.
Right-click the CustomErrors folder, and then click Properties.
Under the Application settings section, click Create.
Make sure that CustomErrors is displayed in the Application name box.
Note For Exchange Server 2003 that runs on IIS 6.0, click ExchangeApplicationPool in the Application Pool list.
Click the Documents tab, and then add the Owahttps.asp file to the Enable default content page. Move the Owahttps.asp file to the top of the list.
Click the Directory Security tab, and then click Edit under Authentication and access control.
Click to select Enable anonymous access, and then click OK.
Under Secure communications, click Edit.
Click to clear the Require secure channel (SSL) check box, and then click OK two times.
Right-click the Exchange virtual directory, and then click Properties.
Click the Custom Errors tab, and then double-click 403.4.
In the Message Type list, click URL.
In the URL box, type /CustomErrors/Owahttps.asp, and then click OK.
Click the Directory Security tab.
Under Secure Communications, click Edit.
Click to select the Require secure channel (SSL) check box.
Note If you want to require 128-bit encryption, click to select the Require 128-bit encryption check box.
Click OK two times.
Note The Exchange virtual directory and the Public virtual directory are the only virtual directories that you have to configure to require SSL. If you have other virtual directories for which you want to require SSL, enable SSL on each virtual directory individually.
After you follow these steps, visit the http://<server_name>/exchange website. In this address, server_name is the name of the Microsoft Internet Information Service (IIS) server.
You should be automatically redirected to https://<server_name>/exchange and to the Logon.asp page.
Additionally, if you want to modify the IIS Default Web Site so that clients can access the Outlook Web Access logon page by typing only http://<server name> instead of typing http://<server name>/exchange, follow these steps.
Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
Start the Microsoft Management Console (MMC) IIS snap-in.
Right-click Default Web Site, click Properties, and then click the Home Directory tab.
Under When connecting to this resource, the content should come from, click A redirection to a URL.
In the Redirect to box, type /exchange.
Under The client will be sent to, click A directory below this one.
Stop and then start the Default Web Site.
For more information about how to simplify the Outlook Web Access URL, visit the following Microsoft TechNet website: