Configure http to https redirection for Outlook on the web in Exchange Server

Article
02/22/2023

By default in Exchange Server, the URL https://<ServerName> redirects users to https://<ServerName>/owa. But, if anyone tries to access Outlook on the web (formerly known as Outlook Web App) by using http://<ServerName> or http://<ServerName>/owa, they'll get an error.

You can configure http redirection for Outlook on the web so that requests for http://<ServerName> or http://<ServerName>/owa are automatically redirected to https://*<ServerName>*/owa. This requires the following configuration steps in Internet Information Services (IIS):

Remove the Require SSL setting from the default website.
Restore the Require SSL setting on other virtual directories in the default website that had it enabled by default (except for /owa).
Configure the default website to redirect http requests to the /owa virtual directory.
Remove http redirection from all virtual directories in the default website (including /owa).
Reset IIS for the changes to take effect.

For the default SSL and http redirect settings on all virtual directories in the default website, see the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server section at the end of this topic.

What do you need to know before you begin?

Estimated time to complete this procedure: 15 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "IIS Manager" entry in the Outlook on the web permissions section of the Clients and mobile devices permissions topic.
The procedures in this topic might cause a web.config file to be created in the folder %ExchangeInstallPath%ClientAccess\OAB. If you later remove http redirection for Outlook on the web, Outlook might freeze when users click Send and Receive. To prevent Outlook from freezing after you remove http redirection, delete the web.config file in %ExchangeInstallPath%ClientAccess\OAB.
Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). To find out why you should disable the SSL protocol and switch to TLS, check out Protecting you against the SSL 3.0 vulnerability.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Step 1: Use IIS Manager to remove the Require SSL setting from the default website

Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.
Expand the server, and expand Sites.
Select Default Web Site. and verify Features View is selected at the bottom of the page.
In the IIS section, double-click SSL Settings.
On the SSL Settings page, clear the Require SSL check box, and in the Actions pane, click Apply.

Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange server (a Command Prompt window you open by selecting Run as administrator) and run the following command:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:access -sslFlags:None -commit:APPHOST

Step 2: Use IIS Manager to restore the Require SSL setting on other virtual directories in the default website

When you change the Require SSL setting on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we're only interested in configuring Outlook on the web, you need to restore the Require SSL setting for other virtual directories that had it enabled by default.

Based on the information in the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server section, use the following procedure to restore the setting on the other virtual directories where Require SSL was enabled by default:

In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
Select the virtual directory, and verify Features View is selected at the bottom of the page.
In the IIS section, double-click SSL Settings.
On the SSL Settings page, select the Require SSL check box, and in the Actions pane, click Apply.
Repeat the previous steps on each virtual directory in the default website that had Require SSL enabled by default (except for /owa). The only virtual directories that don't have Require SSL enabled by default are /PowerShell and /Rpc.

Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual directory, and run the following command in an elevated command prompt:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/<VirtualDirectory>" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST

Step 3: Use IIS Manager to configure the default website to redirect to the /owa virtual directory.

In IIS Manager, expand the server, and expand Sites.
Select Default Web Site. and verify Features View is selected at the bottom of the page.
In the IIS section, double-click HTTP Redirect.
On the HTTP Redirect page, configure the following settings:
Select the Redirect requests to this destination check box, and enter the value https://*<OWAUrl>*/owa (For example, https://webmail.contoso.com/owa).
In the Redirect Behavior section, select the Only redirect requests to content in this directory (not subdirectories) check box.
In the Status code list, verify Found (302) is selected.

When you're finished, click Apply in the Actions pane.

Note: To perform this procedure on the command line, replace <OWAUrl> with the URL of the OWA virtual directory, open an elevated command prompt and run the following command:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:httpredirect -enabled:true -destination:"https://<OWAUrl>/owa" -childOnly:true

Step 4: Use IIS Manager to remove http redirection from all virtual directories in the default website

When you enable redirection on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we're only interested in configuring redirection for the default website, you need to remove the redirect setting from all virtual directories. By default, no directories or virtual directories in the default website are enabled for redirection. For more information, see the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server section.

Use the following procedure to remove the redirect setting from all virtual directories in the default website (including /owa):

In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
Select the virtual directory, and verify Features View is selected at the bottom of the page.
In the IIS section, double-click HTTP Redirect.
On the HTTP Redirect page, change the following settings:
Clear the Only redirect requests to content in this directory (not subdirectories) check box.
Clear the Redirect requests to this destination check box.
In the Actions pane, click Apply.
Repeat the previous steps on each virtual directory in the default website.

Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual directory, and run the following command in an elevated command prompt:

%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/<VirtualDirectory>" -section:httpredirect -enabled:false -destination:"" -childOnly:false

Step 5: Use IIS Manager to restart IIS

In IIS Manager, select the server.
In the Actions pane, click Restart.

Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange server and run the following commands:

net stop w3svc /y

net start w3svc

How do you know this worked?

To verify that you have successfully configured http to https redirection for Outlook on the web, perform the following steps:

On a client computer, open a web browser and enter the URL http://<ServerName>. On the local server, you can use the value http://127.0.0.1 or http://localhost.
Verify that you're redirected to Outlook on the web in https, and verify that you can log in successfully.
Open the URL http://<ServerName>/owa (or http://127.0.0.1/owa or http://localhost/owa).
Verify that you're redirected to Outlook on the web in https, and verify that you can log in successfully.

Default Require SSL and HTTP Redirect settings in the default website on an Exchange server

The default Require SSL and HTTP Redirect settings for the default website and all virtual directories in the default website on an Exchange server are described in the following table.

Website	Virtual directory	Require SSL	HTTP Redirect
Default Web Site	n/a	yes	none
Default Web Site	API	yes	none
Default Web Site	aspnet_client (directory)	yes	none
Default Web Site	Autodiscover	yes	none
Default Web Site	ecp	yes	none
Default Web Site	EWS	yes	none
Default Web Site	mapi	yes	none
Default Web Site	Microsoft-Server-ActiveSync	yes	none
Default Web Site	OAB	yes	none
Default Web Site	owa	yes Subdirectories: auth: yes Calendar: no Integrated: yes oma: yes	none
Default Web Site	PowerShell	no	none
Default Web Site	Rpc	no	none

Additional resources

Documentation

View or configure Outlook on the web virtual directories in Exchange Server

Summary: Learn how to view and configure the properties of Outlook on the web virtual directories in Exchange Server 2016 or Exchange Server 2019
Exchange Server certificate signing of PowerShell serialization payloads

Learn more about the certificate signing of PowerShell serialization payloads feature in Exchange Server on-premises.
Default settings for Exchange virtual directories

Summary: Learn about the default virtual directory settings on Mailbox servers in Exchange 2016 and Exchange 2019.
Configure certificate based authentication in Exchange Server

Summary: Learn how to configure Exchange 2016 CU1 or later to use certificate based authentication for Outlook on the web and ActiveSync.
Configuring SSL offloading in Exchange 2013: Exchange 2013 Help

How to configure SSL offloading in Exchange Server
Exchange Server TLS configuration best practices

Learn about Exchange Server TLS configuration best practices.
Simplify the Outlook Web App URL: Exchange 2013 Help

How to simplify the Outlook Web App URL in Microsoft Exchange Server
OWA, ECP, or EMS can't connect after removing a self-signed certificate from Exchange Back End website - Exchange

Fixes an issue that several client protocols such as ECP, OWA, Exchange ActiveSync, and Exchange Management Shell can't connect. Because you removed the Microsoft Exchange Self-Signed certificate from the Exchange Back End website, and cleared the IIS cache.

Training

Module

Configure client connectivity to Microsoft 365 - Training

This module examines how clients connect to Microsoft 365. It also provides instruction on how to configure name resolution and Outlook clients, and how to troubleshoot client connectivity.

Certification

Microsoft Certified: Windows Server Hybrid Administrator Associate - Certifications

As a Windows Server hybrid administrator, you integrate Windows Server environments with Azure services and manage Windows Server in on-premises networks.

The future is yours

Share via