It is best practice to require users to use a secure connection for OWA. It is impractical to ‘train’ them to type a specific URL such as https://owa.myorg.com/exchange.
But, if you configure your OWA site to require SSL, when they type http://owa.myorg.com or just owa.myorg.com (which will default to http) they will not connect successfully.
So, how do you allow them to use the lowest common denominator of owa.myorg.com but still connect them over SSL?
Microsoft has a couple of KB articles describing method(s) that accomplish this by using a custom Active Server Page and in one case modified security: KB555053 and KB839357. They will both work but seem like overkill to solve a simple problem.
I have been accomplishing this for a number of clients over a number of years using the simple technique described here. It does not change the OWA site. It works for all versions of Exchange. It works for IIS 5 and 6, and should work for IIS 4 and 7. It works in an NLB/WLB environment. It is compatible with applications other than Exchange installed in the Default Web Site.
Here is how it would work for Exchange 2003 and IIS 6…
Log on as an administrator and open the IIS management snap-in on the OWA server.
Create a new site:
Right click on the Web Sites node and select New>Web Site… When the Wizard opens select Next and give the new site a name such as ‘OWA Redirect’. Select Next and enter a host header that reflects your OWA URL such as owa.myorg.com. Select Next again and enter a path. Any path will do; we are going to change this in a moment. I just enter ‘c:’, leave the ‘Allow anonymous access to this site’ box checked and select Next twice and select Finish.
Modify the site:
Right click on the newly created site and select ‘Properties’. Select the ‘Home Directory’ tab. Change ‘The content for this resource should come from:’ to ‘A redirection to a URL’. In the ‘Redirect to:’ box enter the same host header you used above preceded by ‘https://’ and followed by ‘/exchange’. For example: https://owa.myorg.com/exchange. Check the boxes ‘The exact URL entered above’ and ‘A permanent redirection for this resource’. Select Apply and OK to exit. Restart IIS.
If you now open a browser and connect with just owa.myorg.com, the host header will take you to the redirect site you just created, which will in turn send you to https://owa.myorg.com/exchange. Since that request is SSL (port 443), the host header is not applicable, so you will connect to the Default Web Site and be prompted to log in.
If you have more than one OWA server you will obviously need to repeat this process on each of them.
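One way to confirm that each server's redirect site answers as described, shown as an added example that is not part of the original post: the Python below audits the plain-HTTP answer for a permanent (301) redirect to https on the same host and /exchange. The function names and the sample answers are constructed for illustration, and probe() assumes network access to the server being checked.

```python
import http.client
from urllib.parse import urlsplit

def audit_redirect(status, location, host, path="/exchange"):
    """Return a list of problems with the redirect site's answer (empty = OK)."""
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301 (permanent redirection)")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme or 'missing'}, not https")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"target host {target.hostname!r} differs from {host!r}")
    if target.path.rstrip("/").lower() != path:
        problems.append(f"target path {target.path!r} is not {path!r}")
    return problems

def probe(host, request_path="/", timeout=5):
    """Fetch one plain-HTTP answer from port 80 without following the redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", request_path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample answers (not captured from a real server).
SAMPLES = {
    "configured as described": (301, "https://owa.myorg.com/exchange"),
    "temporary instead of permanent": (302, "https://owa.myorg.com/exchange"),
    "extra path carried into the target": (301, "https://owa.myorg.com/exchange/foo"),
    "https:// left off the target": (301, "http://owa.myorg.com/exchange"),
}

if __name__ == "__main__":
    for label, (status, location) in SAMPLES.items():
        print(label, "->", audit_redirect(status, location, "owa.myorg.com") or "OK")
    # Against a live server: audit_redirect(*probe("owa.myorg.com"), "owa.myorg.com")
```

In an NLB/WLB setup, run probe() against each node directly, since a check through the shared name only exercises whichever node answers.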
Don’t forget to lock down the Default Web Site containing OWA per Microsoft’s recommendations and always use Forms Authentication where it is an option. This technique only makes it easier on the user (and hopefully you); it does not secure OWA.
I have yet to use this technique with an IIS 7 CAS server (installed on Server 2008) but it works for Exchange 2007 installed on 2003 and IIS 6. I have also never used it for IIS 4.
Whenever I think something simple will work and Microsoft recommends something more complex, I think I must be missing something.
Maybe I am.
If anyone can find an issue with this technique, please leave a comment.