OWA IIS Folder Setting

  • Question

  • Hi All,

    I am looking for virtual directory and application folder setting recommendations pertaining to the following folders and settings on an Exchange 2010 install.  I installed Exchange Service Pack 1 and it changed settings in OWA and left it non-functional.  I then applied roll-up 3 to the SP1 and it seemed to resolve the issue.  However, I just want to make sure I have all my folders locked down and encrypted so my setup will be as secure as possible (I had it all set before).  My users are using OWA to access email and I also have users using their mobile phones w/ ActiveSync.

    Here are the folders I am concerned with:

    • aspnet_client
    • Autodiscover
    • ecp
    • EWS
    • Exchange
    • Exchweb
    • Microsoft-Server-ActiveSync
    • OAB
    • owa
    • PowerShell
    • Public
    • Rpc
    • RpcWithCert

    The settings I am concerned with and want a recommendation for, for each folder, are the following:

    • HTTP Redirect
    • SSL settings

    I know that the Default Web Site where these folders reside needs to have the SSL settings unchecked (disabled) and needs to have HTTP redirection set, which I currently have set up.

    Thanks for any advice!  Much appreciated in advance.

    Friday, May 13, 2011 6:06 PM


All replies

  • The Default Web Site does not have to have HTTP redirection set.  That is optional.

    As to providing you all the settings on all the virtual directories, you're sure asking for a lot.

    Let me make a suggestion to you.  Exchange 2010 installs "secure by default".  If you've mucked with the settings to the point that you're concerned about it not being secure, then build a lab and install Exchange there, and then compare its settings with your production settings.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Gen Lin Wednesday, May 25, 2011 2:17 AM
    Friday, May 13, 2011 10:14 PM
    Moderator
  • Thanks for the reply.  The settings I am concerned about are just 2 settings for the specified folders, not all settings.  I agree, all settings for all folders would be too much.  The 2 settings: 1) HTTP Redirect and 2) SSL settings.  I had to tweak the settings after Exchange 2010 SP1 broke OWA to see if I could get it to work, with no luck.  Basically, SP1 changed settings on me from what I had worked hard to set up with a MS support tech.  So, my changes were basically to bring OWA back to where it was pre-SP1, but I don't know what those 2 settings were for each of those folders.  Then, I downloaded and installed Exchange 2010 SP1 roll-up 3, which fixed the issue and everything can connect, but I still want to verify those 2 settings for security purposes, as maybe something I changed has left OWA/ActiveSync non-secure, which I worked hard on w/ a previous tech.  If anyone has these 2 settings for the listed folders from a similar setup and could save me having to build an Exchange server in a lab environment, that would save me a lot of time.  Thanks!
    Friday, May 13, 2011 11:22 PM
  • HTTP Redirect will cause problems with most of the virtual directories.  The rule is that if you use HTTP Redirect, you have to configure it very specifically, and it propagates down to the virtual directories so you have to go through each one and turn it off because it'll break some of them.  I believe the sensitive ones are ActiveSync and OAB, but just turn them all off because there's no need for HTTP redirection on them since nobody types them in a URL on purpose.

    If everything is working, then don't worry about SSL.  If you're worried, then enable SSL on all virtual directories except OAB and PowerShell.

    Hope this helps.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Saturday, May 14, 2011 6:31 AM
    Moderator
  • Thanks Ed!  Just the info I was looking for.  I set up my folders accordingly, except for the HTTP redirect setting for PowerShell and OAB which I left turned on.  2 Questions:

    • Why would OAB and Powershell not need SSL? 
    • I left HTTP redirection "turned on" on OAB and Powershell, as this was the way it was set after roll-up 3 fixed sp1 issues (I don't believe I set these folders while tinkering to fix post sp1 issues).  It seems that w/ SSL turned off on these folders then at least if someone attempts to access those folders via the web, it will go to a secure location.  Having said this, will the HTTP redirection setting turned on for those 2 folders mess anything up in any way I am not seeing?

    Thanks again for input you may have!

    Sunday, May 15, 2011 4:02 AM
  • 1.  I'm not sure, actually, I just know that's the way it's set up by default.  It probably has to do with the way clients call them.

    2.  I am just giving you the same advice that I've seen numerous times and has always worked for me.  If you change it and it works for you, then congratulations!

     


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Sunday, May 15, 2011 5:12 AM
    Moderator
  • Thanks Ed for the reply and all the help!
    Tuesday, May 17, 2011 12:01 AM
  • Hi,

    By default, the HTTP redirection is not enabled for Default Web Site and SSL settings/Require SSL is enabled for all folders.


    Gen Lin-MSFT
    • Marked as answer by Gen Lin Wednesday, May 25, 2011 2:16 AM
    Tuesday, May 17, 2011 6:19 AM
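
The lab-versus-production comparison suggested in this thread can be scripted. The following is an added example, not code posted by anyone in the thread: it reads the effective Require SSL and HTTP Redirect values for each folder named in the question and diffs them against an export taken on a lab server. It assumes the IIS WebAdministration module is available and the script runs elevated on the Client Access server; the `-Baseline` path and the output file name are hypothetical, and the SSL exemption list reflects the advice given above, not a verified default.

```powershell
# Added example: audit the two IIS settings discussed in this thread.
param(
    [string]$Site     = 'Default Web Site',
    [string]$Baseline = ''   # hypothetical: CSV written by this script on a lab install
)
Import-Module WebAdministration

$folders = 'aspnet_client','Autodiscover','ecp','EWS','Exchange','Exchweb',
           'Microsoft-Server-ActiveSync','OAB','owa','PowerShell','Public',
           'Rpc','RpcWithCert'
# Folders the thread's advice leaves without Require SSL (assumption from the replies).
$sslExempt = 'OAB','PowerShell'

function Get-Effective($psPath, $filter, $name) {
    # Returns the merged (inherited + local) value. A missing section, for
    # example when HTTP Redirection is not installed, yields $null.
    $v = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $name `
            -ErrorAction SilentlyContinue
    if ($v -ne $null -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

$report = foreach ($f in @('') + $folders) {
    $psPath = ("IIS:\Sites\$Site\$f").TrimEnd('\')
    if (-not (Test-Path $psPath)) { continue }        # folder absent on this server
    # sslFlags is expected as a flag list such as "Ssl, Ssl128" or "None".
    $ssl   = [string](Get-Effective $psPath 'system.webServer/security/access' 'sslFlags')
    $redir = [bool](Get-Effective $psPath 'system.webServer/httpRedirect' 'enabled')
    $dest  = [string](Get-Effective $psPath 'system.webServer/httpRedirect' 'destination')
    $notes = @()
    if ($f -and $redir) { $notes += 'HTTP Redirect on (set here or inherited)' }
    if ($f -and $sslExempt -notcontains $f -and $ssl -notmatch '\bSsl\b') {
        $notes += 'Require SSL off'
    }
    New-Object PSObject -Property @{
        Path = $(if ($f) { $f } else { '(site root)' }); SslFlags = $ssl
        RedirectEnabled = $redir; RedirectTo = $dest; Notes = ($notes -join '; ')
    }
}

$out = ".\vdir-settings-$env:COMPUTERNAME.csv"
$report | Select-Object Path, SslFlags, RedirectEnabled, RedirectTo, Notes |
    Export-Csv $out -NoTypeInformation
Import-Csv $out | Format-Table -AutoSize

if ($Baseline) {
    # '<=' rows come from the lab baseline, '=>' rows from this server.
    Compare-Object (Import-Csv $Baseline) (Import-Csv $out) `
        -Property Path, SslFlags, RedirectEnabled, RedirectTo
}
```

Run it once on the lab install to produce the baseline CSV, then on production with `-Baseline` pointing at that file; any row in the comparison output is a setting that differs between the two.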