Solved

Exchange redirect to HTTPS

Posted on 2006-05-15
Last Modified: 2008-02-01
I think I'm rapidly using up my quota of Exchange questions!

I currently have a front-end/back-end Exchange 2003 architecture running on Windows Server 2003 R2 and have attempted to configure HTTP to HTTPS redirection per Microsoft's KB article 839357.

I have configured and successfully installed the SSL cert named email.domain.com for the front-end server and can access the server internally by either using the URL http://email.domain.com/exchange or by using http://machine_name.domain.com/exchange. SSL works as well for https://email.domain.com/exchange.

After following the instructions carefully I cannot get a redirect to HTTPS from http://email.domain.com/exchange. I receive a login prompt where after 3 attempts I get an "Error: Access is denied" message. I've tried other clients with no success. I've restarted IIS services and it still doesn't work. I have verified that anonymous access is turned on for the default webpage and for the CustomErrors virtual directory.

Thank you very much in advance for your assistance!

Question by:jasgbair
8 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 16686538
The redirect methods are rapidly losing their value, as they break other features, such as Exchange Active Sync.
Instead, what I do is put a link on the public web site that redirects the user to the SSL version, then shut off the access to port 80. The users then either remember the public web site address (www.domain.com/mail - redirecting to https://mail.server.com/exchange) or the SSL connection.

Having port 80 open to the internet is a big risk anyway, and I like to limit the risk by having the least holes open to the Internet.

Otherwise your problem sounds like classic authentication settings.
Ensure that anonymous access is granted to /exchweb
Integrated and basic to /exchange and /public and integrated only to /exadmin

Simon.
0
 
LVL 7

Expert Comment

by:northcide
ID: 16687506
HTTPS redirects do NOT BREAK other functions. There are workarounds for everything, including Active Sync.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555053

I have many Exchange servers running OWA HTTPS redirects with ActiveSync, SharePoint, etc. running just fine.
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16687573
<meta HTTP-EQUIV="REFRESH" content="0; url=https://www.website.com/exchange">

All one line.

I use this, works just fine.
0

 
LVL 7

Expert Comment

by:northcide
ID: 16687583
In theory that works but there are simple ways around it and it will not force https in all situations.  You are better off doing it in such a manner that IIS truly forces SSL to be used.
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16688005
If you set Exchange to only accept SSL in the /exchange dir I don't see how there is a problem.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16688917
SSL redirects break other features because of their use of the require SSL option.

Enabling require SSL on the /exchange virtual directory breaks OMA and Exchange Active Sync.
http://support.microsoft.com/default.aspx?kbid=817379

Furthermore, having port 80 open to the internet is a big security risk - redirect or not. It is an anonymous access port and should a vulnerability be discovered in IIS that uses port 80, it will be rapidly exploited. People forget how quickly Code Red spread around the internet a few years ago.

The only 100% way to work is to not allow any http connections. I usually force the users to enter the https part - if they forget, they get an error message. They will quickly learn. For the stubborn ones, put an entry on to the public web site.

Simon.

0
 
LVL 7

Expert Comment

by:northcide
ID: 16689773
As with just about any other thing a sys admin is tasked with, sometimes additional configuration is required when making changes. The following article outlines how to "fix" OMA and Active Sync when forms based authentication is enabled in OWA - which is actually the root issue. Active Sync doesn't like forms based authentication and SSL is required for forms based authentication.

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

I have this workaround at about 20 different locations currently and everything works magically.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 16689824
That is basically the same fix as outlined in KB article 817379.
Thing is, you don't even have to go that far. The problems with FBA and EAS can be fixed by changing some authentication settings on the virtual directories.
http://www.amset.info/exchange/mobile-omafba.asp

Simon.
0
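
Added example (not code from any poster in this thread): a Python classifier for what a plain-HTTP request to the OWA host returns, separating the cases argued above: port 80 closed, a server-side redirect, a client-side meta refresh, and a login prompt served over HTTP. The sample responses, label names and function names are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: https://email.domain.com/exchange\r\n\r\n",
    "meta": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<meta HTTP-EQUIV="REFRESH" content="0; url=https://email.domain.com/exchange">'),
    "auth": b'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="email.domain.com"\r\n\r\n',
    "forbidden": b"HTTP/1.1 403 Forbidden\r\n\r\n",
    "closed": None,  # connection refused or filtered: nothing answers on port 80
}

META_RE = re.compile(
    rb'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*url=(https://[^"\'>\s]+)', re.I)

def classify_http_response(raw):
    """Classify the raw bytes returned for a plain-HTTP request (None = no listener)."""
    if raw is None:
        return "closed"
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400:
        loc = headers.get(b"location", b"")
        return "server-redirect" if loc.lower().startswith(b"https://") else "redirect-not-https"
    if status == 401:
        # A login prompt on port 80: Basic credentials would travel base64-encoded, not encrypted.
        scheme = headers.get(b"www-authenticate", b"").split(b" ")[0].lower()
        return "basic-auth-over-http" if scheme == b"basic" else "auth-over-http"
    if status == 403:
        return "http-refused"  # e.g. the server refuses non-SSL requests for this path
    if status == 200 and META_RE.search(body):
        # The page itself was served over HTTP; the browser is only asked to move to HTTPS.
        return "client-side-meta-refresh"
    return "served-over-http"

def classify_all():
    return {name: classify_http_response(raw) for name, raw in SAMPLES.items()}
```

Only "closed", "server-redirect" and "http-refused" mean the server itself declined to serve content over HTTP; the remaining labels mark responses worth reviewing.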
