The default URL for Outlook Web Access i Exchange Server 2007 is https://<server FQDN>/owa. This URL is always an issue for end users who find it too long or complex. They either forget to use HTTPS in front of the URL, or to append /owa to the server name, or both. The first mistake results in an error saying SSL is required. The second loads the root of the site. I agree that this could be made more user-friendly so I always implement some form of rewrite or redirection. Typically I make OWA available at just <server FQDN>. No HTTPS or subfolder, e.g. owa.company.com. This requires two things; redirecting HTTP traffic to HTTPS and redirecting the root folder to the /owa subfolder.
Note: The final URL for OWA is always (almost) https://<server FQDN>/owa. We cannot disable HTTPS or publish OWA at the root of the site. But the URL users type can be simplified. This simplification is what I mean when I say redirect in this article.
Until recently the redirection to HTTPS and the subfolder OWA could be accomplished by first redirecting the root folder with IIS 7's HTTP redirect functionality and then editing the HTTP error page , typically 403, so that it would redirect to HTTPS instead of throwing an error. I have never liked this approach, especially the latter part. You could also use ISA Server 2006 in front of your Exchange server and do the same there. But recently a much better solution has arrived. The IIS team has released the URL Rewrite Module extension to IIS 7 which lets you perform advanced URL rewrites and redirects using, among other things, regular expressions.
How to simplify the OWA URL with URL Rewrite:
- Download and install the URL Rewrite extension on your CAS server.
http://www.iis.net/extensions/URLRewrite
Remember to get the version for your architecture. This will almost always be x64 unless you are in a lab and running the x86 version of Exchange 2007.
To avoid having to restart your server follow the steps in this post:
http://forums.iis.net/t/1153276.aspx
- Disable the Require SSL setting on the Default Web Site.
This is necessary for the redirection in URL Rewrite to work. This is not a security issue since URL Rewrite will force SSL for the entire site (except for OAB).
- Open the web.config file under your wwwroot folder.
This is usually under %systemdrive%\inetpub\wwwroot.
The web.config file does not exist by default, so change a setting on your site and change it back again to have IIS generate the file.
- Paste the following text in web.config in the <system.webserver> section:
<rewrite>
<rules>
<clear />
<rule name="Redirect root" enabled="true" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^$" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/owa/" appendQueryString="false" redirectType="Permanent" />
</rule>
<rule name="Exempt OAB from SSL" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="oab/*" />
<conditions logicalGrouping="MatchAll" />
</rule>
<rule name="Force HTTPS" enabled="true" stopProcessing="true">
<match url="(.*)" ignoreCase="false" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
This will create three new rewrite rules.
- Open the URL Rewrite item under Default Web Site.
- Your three new rules will look like this:
The rules will be processed from top to bottom.
|
Rule name |
Function |
|
Redirect root |
Redirects the root folder to /owa, and enforces HTTPS |
|
Exempt OAB from SSL |
Turns of the requirement for SSL for the /OAB subfolder.
This is the default Exchange 2007 setting. If you want to have SSL for the OAB folder as well, delete this rule and update the OAB URL setting in Exchange. |
|
Force HTTPS |
Enforces HTTPS for all requests to the site. |
Note that each rule has the Stop Processing flag set to True,
- Perform a test
All requests for the root folder or for the /owa folder missing SSL will now be redirected to the OWA logon page. All other subfolders are not redirected, except to enforce SSL, and can be accessed directly.
Note: The Exchange 2007 web folders usually inherit their SSL settings from the Default Web Site, so when you turn off the SSL requirement for the site you also turn it off for the web folders. If, for some reason, any of the subfolders manage the SSL setting in their own context (ie. they do not inherit the SSL setting from the site level) you have to disable Require SSL for those folders as well. If not, the URL Rewrite will not kick in and you will get an error instead of a redirect. The folders associated with Exchange 2007 are:
- Autodiscover
- EWS
- Exchange
- Exchweb
- Microsoft-Server-ActiveSync
- OAB
- Owa
- Public
- Rpc
- RpcWithCert
- UnifiedMessaging
All these should have their Require SSL Setting turned off. For any other folders you may have on the server you will have to decide for yourself if you want them to be included in the URL Rewrite SSL Enforce or manage their SSL settings individually. Also make sure to check any other folders that should have SSL active still has that setting set when you deactivate the requirement for the site.
I find this solution to simplifying the URL for OWA to be much more streamlined and elegant than any previous solution. The URL Rewrite filer is a module developed by Microsoft meaning it has been through the Secure Development Lifecycle (SDL). You have only one place to make all changes. You do not have to make changes to the default IIS configuration (ie. editing or changing the error pages).
Morgan
Update: When you disable the Require SSL setting in IIS you rely on URL Rewrite to perform the enforcement for SSL on your sites and directories. I have been in contact with the authorof URL Rewrite, asking him if this configuration is a security risk and if the enforcement of SSL through URL Rewrite is as strong as the one in IIS. His reply was that it was not but that this was a cause for concern in very few situations. You have been warned.