I just did an upgrade for Exchange 2010 from SP1, to SP3. Things seem to have gone well.
Hwoever I just noticed that http redirection to OWA is not working, giving back a 403 Forbidden error. If I go directly to https for the owa site, that works fine.
I'm not an IIS guru so I only did some basic checks. It appears http redirects at the Default Web Site level are fine, and the owa virtual directory shows the right info.
So in searching articles on this, I found the technet article about simplying the OWA Url. Here's the article:
In there is a section titled:
Use IIS Manager to simplify the Outlook Web App URL and force redirection to SSL
I reviewed this and noted at the bottom it said that you need to clear the checkbox in SSL Settings for Require SSL.
Now before the SP3 upgrade, I assume this was cleared since http redirect worked, and after going to SP3, there is a check in this box. I cleared it (did not do iisreset though) and this worked, http redirect is now functional.
So my only question is, is that it? Or should I do something else to ensure things are doing what they should now that SP3 is on? I admit I did not read the entire readme for the update so perhaps this was noted.
It seems I spoke too soon. While clearing the checkbox for Require SSL under SSL Settings for teh Default Web Site did suddenly make OWA do it's http redirect to https and it worked, as a safe measure I decided to to iisreset /noforce on the Exchange server anyway. 10 minutes later, neither site was accessible, no 403's or anything, just not accessible.
Services on the system showed IIS Admin not started though it is set to Automatic. Not wanting to mess with things further, I decided to reboot the server. Coming back up, my SSL ettings in IIS remain as I put them, yet, going to OWA via http now gives the 403.4 error, and going to https works fine. So redirection is again broken, but this time, I already have Require SSL cleared at the Default Web Site level. At the OWA level, is is still checked, however unchecking it is not good as it allows non-secure access to OWA.
One last note to add:
I am remoted into this server. From the server,a nd other servers that I'm logged into (VMs on the same host), all are getting the 403 Forbidden error trying to go to OWA via http, the error stating that "this website is secured with SSL, use SSL". But if I try it from my own location here outside of the network where the server is, it's fine and http redirects to https.
Maybe I just need to give it time - from what I've heard, IIS is a nuisance for doing anything real-time. I am fairly confident that this is not an issue related to the fact that I am inside or outside the network where the server is.
Any thoughts? I'll stop posting now and let somebody reply.
7.5 hours after my last post, nothing changed. Current condition:
I have verified that all steps are done as per this article, so SSL Settings and HTTP Redirect settings are done correctly for all mentioned vdirs and the default web site:
I'm not sure how to check but it seems the directories are not inheriting from above - if I toggle on/off the checkmark to use http redirect, the vdirs below do not change.
iisreset was done successfully after making sure of the settings above.
right now, if I visit http://domain.local from IE on the Exchange server, I get the big fancy 403.4 error page.
If I do it from IE on another server I get a basic 403.
If I go in IE on the Exchange server, and type the IP address such as http://192.168.50.50 I get redirected to the proper https URL for OWA (huh???).
And finally if I go to http://domain.com from outside the network, it successfully redirects to the https URL.
What am I missing? Thanks.
Just as an update, not too much has changed but some things may have. the Default Web Site has Require SSL checkbox cleared and it seems to have properly for any system EXCEPT the Exchange server. From IE on any othe server or PC, if I go to http://domain.local I get redirected to https://domain.local/owa no problem. But only on the Exchange server, I still get a 403.4 detailed error page. I'd love to know why this hpapens but in either case it doesn't affect anybody much. If I type https://domainlocal/owa manually, it works fine so the page itself is accessible from this machine, but for some odd reason in IE on this Exchange server http redirect I guess fails.
I'm not exactly sure what you mean by changingthe OWA address though. To be more accurate, the current external URL to get to OWAis sub.domain.com. The internal address is the same, and all redirection in IIS sends the user to https://sub.domain.com/owa . My apologies for not being more accurate - so we do already have 3 levels in the FQDN here. It's using a 5-domain SSL certificate which covers this extenral name, and also the internal name. The internal name is basically servername.domain.local .
This may or may not be related, but another issue I am having which may be invovled is that itseems http redirection is sending the user outside of the firewall and then back in again, so I am seeing some connection refused messages as a result (using Fiddler, it logs it that the external IP of this location actively refused the connection). So what it seems like is that if someone goes to http://mail.domain.com, IIS is sending them out of the firewall (because it is using a public Internet domain name) and back into the firewall again, by going to https://mail.domain.com/owa . So the firewall blocks it it seems, but only occasionally so that is puzzling to me.
Is it a bad idea if I were to set http redirect to send people going to http://mail.company.com to https://servername.domain.local/owa ? Any time somebody goes directly to the FQDN of the internal server name, it's fine, even for computers that can't access webmail at times. It's only via this http redirection to https://mail.company.com external domain nam does it have problems.