HOWTO: Common URL Redirection Techniques for IIS, Summary

For the next several entries, I am focusing on this frequently asked topic:

How do I rewrite / redirect / forward / mask requests from one URL to another with IIS?

Common questions that fall into this topic include:

  • Redirect requests from http://server to https://server (i.e. SSL-only site, Exchange/OWA login)
  • Redirect requests from http://external to http://internal and back (i.e. expose internal server to outside)
  • Redirect requests from /app/username/bob to /app.asp?username=bob (i.e. courtesy/pretty URLs)
  • Do any of the above either transparently (client URL/location bar does not change) or explicitly

I see these and similar questions asked over, and... over, and... over, and then some, and I rewrite my explanation again and again... and the MS newsgroup reader periodically sweeps my replies away, over and over. Hmm... sense any frustrating pattern here? ๐Ÿ˜‰

Hey, it may be the first time you asked the question, but it is not the first time I have answered it... so pardon me for being a little terse; I get that way when I am tired. This is my attempt at giving you the full, cogent details, hopefully once and for all. ๐Ÿ™‚

My main goals are to:

  1. Establish a "redirection taxonomy" to help you recognize and classify the type of redirection you want to perform.
  2. Show how to implement (or give reasons why it is not possible) each type of redirection using either built-in IIS "core" feature, custom ISAPI Filter DLLs, custom ISAPI Extension DLLs, or custom ASP script pages (I consider ASP as an arbitrary ISAPI Extension DLL which allows script code to make underlying IIS function calls).
  3. Along the way, explain any random, related tidbits that have been asked before.

As expected, the more sophisticated types of redirection require custom code installed as add-ons to IIS, but we are all grown-ups here who can either purchase binaries or copy/paste/compile code, right? Good! Now, I plan to show you how to do all these things without purchasing any add-on modules, but through explanation you should also rapidly see WHY you would want to purchase an existing solution - anyone mention SUPPORTABILITY!?!

Basic Types of Redirection

In my taxonomy, the web server can perform three types of redirection to handle any given request from the client:

  1. Client-Side Redirection - The server sends a "302 Redirect" response with a Location: header containing the new URL, and the client makes another request to the new URL.
  2. Server-Side Redirection  - The server transparently rewrites the request URL to another URL which remains on the same website as the original.
  3. Server-Side Forwarding - The server transparently rewrites the request URL to another URL which does NOT remain on the same website as the original. Note the new website can be on another machine, but not necessarily.

Before reading any further, I advise you to take a good look at the above classification and determine which type your question falls under. In particular, Server-Side Redirection/Forward have been described by people using colorful phrases such as:

  • Courtesy/Pretty URL
  • URL shadowing
  • URL masking
  • Publishing/Exporting internal website to be accessible externally
  • Redirecting URL on one web server to be handled by another web server
  • One web server reverse-proxying another server
  • Force HTTP requests to HTTPS/SSL
  • Etc...

In any case, I believe they all fall into exactly one of the three buckets in my taxonomy. If your desired redirection does NOT fall under exactly one of the three buckets or does not fall under ANY of my three buckets... feel free to add a Comment or post a private Contact email to me. I am open to suggestions/change. Really. ๐Ÿ˜›

Some Subtle Points

Some people distinguish redirections by whether the URL location/address bar changes in the client. This classification is problematic because:

  • HTML Frames can give the illusion of a non-changing URL location/address bar because web browsers usually only display the parent frame's URL, but anyone can browse the HTML to determine where the content is really coming from. After all, the user must have download the HTML in plain text in order for the browser to display it. Thus, the non-changing URL location/address bar hides absolutely nothing and achieves no security.
  • Server-Side Redirection/Forwarding also change the response without changing the client's URL location/address bar, and both are very different things from HTML Frames.

Some people are surprised that POST requests do not have transparent Client-Side Redirection. Well, let us pretend we are the browser and look at things from its perspective, and you tell me whether Client-Side Redirection should be transparent or not:

  • I just sent this large 4GB entity body to the server and got this 302 Redirect back. Should I go ahead and automatically POST the the 4GB entity body to the new URL? What if I am on a dial-up?
  • I just sent my username/password with a form over SSL and got this 302 Redirect back. Should I send it again over UNENCRYPTED HTTP to the new URL?

Other Subtle Point

Now, another common user statement which frequently follows the question about how to rewrite URLs on IIS is that: "Apache has had these three types of redirection built in forever, so why is IIS so far behind?" Well, let us look at the situation objectively, apples-to-apples.

Actually, Apache "core" does NOT perform ANY sort of redirection. You need to install and configure add-on modules like mod_redirect to get Client-Side Redirection, mod_rewrite to get Server-Side Redirection, and mod_proxy to get Server-Side Forwarding. So, the ability to redirect is NOT built-in; the modules happen to be in common distros and configuration is baked into httpd.config and .htaccess, so it appears built-in when you are really talking about availability of add-on modules bundled with Apache core.

Now, IIS "core" performs Client-Side redirection, configurable via the HttpRedirect property... so IIS "core" is not really behind feature-wise. Also, you need to install add-on modules to get Server-Side Redirection and Server-Side Forwarding behavior, so IIS is not really behind Apache in extensibility, either.

Where things differ is availability. No one seems to provide modules to do Server-Side Redirection or Server-Side Forwarding on IIS for free. At least, I am not aware of any free/open-source add-on IIS modules which implement those Server-Side behaviors; I only know of for-fee modules like ISAPIRewrite.

So, before you come barging into IIS forums/newsgroups asking for free code and complaining about the lack of free modules - consider contributing to the common cause if you can - because only then can you help improve the availability of public modules for IIS. I know that many people have written their own versions to perferm Server-Side Redirection/Forwarding, but none have donated their code for public use. It is all locked up on internal servers owned by private companies.

HOWTO Implement Redirections, Index

Ok, that is enough preface for now. Here are all the redirection possibilities that I can think of right now, categorized by the type of redirection performed, technology used to perform the redirection, and amount of coding involved. Get ready for this index to be updated with links...

  • Client-Side Redirection using:

    • IIS "Core" (no code) - HttpRedirect
    • IIS "Core" (script code) - HttpErrors and ASP
    • ASP (script code) - Response.Redirect
    • ISAPI Filter (compiled code) - SF_REQ_SEND_RESPONSE_HEADER

  • Server-Side Redirection using:

    • IIS "Core" (no code involved) - IIsWebFile and ScriptMaps
    • ASP (some code involved) - Server.Transfer and Server.Execute (ASP only)
    • ISAPI Filter (compiled code) - SetHeader( "url" ) in SF_NOTIFY_PREPROC_HEADERS or SF_NOTIFY_AUTH_COMPLETE
    • ISAPI Extension (compiled code) - HSE_REQ_EXEC_URL and HSE_REQ_EXEC_UNICODE_URL and Wildcard Application Mapping

  • Server-Side Forwarding using:

    • ISAPI Filter (compilied code) - Using WinHttp
    • ISAPI Extension (compiled code) - Using WinHttp and Wildcard Application Mapping


Comments (150)

  1. Can you update this article with a HOWTO on exposing http://internal via http://external by ISAPI proxy?

  2. David.Wang says:

    http://internal via http://external is already included by Server-Side Forwarding, which I will eventually get to (see that entire list…).

  3. Rahul says:

    Hi David,

    I am waiting to read this article and am particularly interested in Core IIS Serverside redirects.

    When do you plan to update this?

    Could you please point me to some other resources in the meantime as I need to configure an installation just now.

    Rahul (

  4. David Wang says:

    ISAPI Rewrite would be an example of a commercial implementation of an ISAPI Filter that does Server-Side Redirection and Server-Side Forwarding.

    Now, I do not plan on disturbing anyone’s business model with my blog entry samples. I am only going to show the basics of how things work and help those that are curious.


  5. You know,

    Usually "how to’s" are articles that show "how to" actually do something. Yours is sort of a let’s define the terminology around the "how to" in question.

    I’ve already spent about an hour bumming around the web looking for a redirect in the following simple situation.

    I have lots of domain names. My business model calls for just a few (3) websites (the "Big Three") which cover everything I’m interested in. I would like to have it set up so that the cheapo businesscard domains (not the "Big Three") have a "click to enter" spot. That "click to enter" causes their browser to go to one of my "Big Three." When their browser arrives there, I want the local client side html code to note which cheapo businesscard site they came from, and to automatuically redirect them to the appropriate subdirectory. Is that really so difficult ?

    I enjoyed your somewhat pompous but thorough layout of the problems of redirection, although it did not seem to cover this possibility. I was told that this was do-able. Is it not do-able on a IIS, even if I wish to buy a solution ? If it is buyable, where or how should I look for this snippet of code ??


    Doug Keachie

  6. David Wang says:

    Doug – I am not certain your scenario even involves redirection, since the user must "click to enter" and that action essentially counts as navigation, not redirection.


  7. OK,

    As it turns out, and cannot make a "Click to Enter" button on the business card site. I’ll literally have to instruct them there on how to cut and paste the addy into their browser bar.

    "Please highlite the following address, then copy it (CTRL-C), and then find the address bar in your browser, and paste it there (CTRL-v) to see complete details."


    I could of course add on all the subdirectory information at this point, for each instance, but it would look "complicated" or "tricky" (dangerous) and so I’m hoping to send them immediately to the appropriate subdir when they hit the main site,, based on the business card site of origin.

    Is this possible to do this redirection with client side html or other code that is pretty much universally recognized ? I’ll settle for just Windows compatible, if necessary.



  8. Paul Noeldner says:

    How to redirect 401.1 using IIS? It used to work but have recently heard it doesn’t in some new release configurations, apparently some kind of security lockdown default? Others eg 401.3 redirect fine.

  9. David Wang says:

    Paul – please define the type of redirection you wanted to accomplish for 401.1, noting that the only ways for you to know a 401.1 happened are:

    1. FILE type CustomError of 401.1 is sent


    And neither allow any sort of server-side redirection.

    Plus, 401.1 means that IIS does not have a valid user token to use for request proceossing, so Server-side redirection/forwarding cannot reasonably expect to work.

    So, please clarify what you are asking.


  10. David Wang says:

    Doug – I still do not understand why you insist on doing things your way because it doesn’t seem easy nor does it seem to work. You do not want people to copy/paste anything (in general, you cannot expect users to do the right thing much less follow instructions).

    I see no reason why you cannot implement something platform agnostic and that works for all browsers given what I had described earlier, and you have not given a reason why it does not work.

    I certainly cannot do it for you; I will only tell you it is very possible and very easy. Whether you do it that way, that is up to you.


  11. Aaron says:

    Do you happen to know how to setup a redirect (IIS 6) for the 503 service unavailable message? I figured it would be in the IIS settings but i don’t see anything. What i want to do is redirect users to a page saying ‘connection limit’ reached. Something a little more informative than the default message. I’ve been looking all day and can’t find any details on this. Any help would be appreciated.

  12. David Wang says:

    Aaron – What you are asking for is not exactly a redirect.

    The 503 Service Unavailable message is actually sent by HTTP.SYS when the Application Pool is disabled and cannot be customized.

    HTTP.SYS sends the pre-canned 503 message because the associated Application Pool configured to handled that request is disabled, so it cannot send requests to IIS6 w3wp.exe and hence HTTP.SYS sends the 503 response instead.


  13. Erick Perez says:

    I have the situation to use the Server Side Forwarding or Proxy.

    I want my main IIS with and SSL certificate to handle and redirect to another IIS, but that all communications gets done with my main IIS in the middle.

    Comments and or code are welcomed.

  14. Melissa says:

    I appreciate that you keep your site going and allow comments. To me feedback is an interesting part of a website… Your site is a very great website and I make your site for my homepage!.

  15. Max says:

    David, can you please clarify is this issue is a policy or a bug in IIS6?

    Since IIS6 does not preserve POST verb it kills ASP.NET postback via 40x redirect URL.

  16. Dac says:

    see The URL Redirection service

  17. Trevor says:

    Thanks a bunch David.  My URL IIS rewrite filter stopped working when I moved to Server 2003 due to the worker process isolation mode not supporting the SF_NOTIFY_READ_RAW_DATA event.  Your suggestion to use the SetHeader("url") function in the SF_NOTIFY_PREPROC_HEADERS event worked perfectly.  In fact it is a better approach than my original design.

    Thanks again.


  18. Chen says:

    Hi, David,

    I am wondering how to rewrite the to

    Could I wirte the script with asp only to impletment it? And how to?

    Thank you


  19. David.Wang says:

    Chen – what sort of URL redirection do you want to perform? Client-side redirection? Server-side redirection? Please classify it according to the taxonomy I provided to describe your problem and locate possible solution routes.


  20. Bryant says:

    Hi, David,

    Could you tell me how to force HTTP requests to HTTPS/SSL, and Force HTTPS/SSL requests to HTTP?

    Thank you

  21. Eyal says:

    Hi David.

    When using the option of:

    ‘Client-Side Redirection – The server sends a "302 Redirect" response with a Location: header containing the new URL, and the client makes another request to the new URL’

    How do you make sure that the client will request the new URL Automatically?

    Where can I find a sample code for this option?



  22. David.Wang says:

    Eyal – it is not possible to make sure that the client will request the new URL automatically.

    This is HTTP. The server cannot control what the client does outside of sending it a response. The HTTP specification does not say that the client has to redirect automatically.

    Thus, the server can only give the client hints such as "this is a 302 redirection; here is the address at the Location: header". The client can choose to ignore the Location: header and/or pop up a dialog if it wants to – such as when a POST is redirected.

    Client-Side redirection can be performed without writing code. It all depends on what you want to do.


  23. Dean says:

    I donโ€™t believe I see an answer to this scenario #3 Server-Side Forwarding – The server transparently rewrites the request URL to another URL which does NOT remain on the same website as the original. Note the new website can be on another machine, but not necessarily.

    Iโ€™m splitting my site and need to forward links that come to me formatted like this:

    They need to be redirected to:  

    how might this be done using IIS, asp or any combination of either?

  24. David.Wang says:

    Dean – Server-Side Forwarding is when is NEVER visible to the user even though it does the work on behalf of

    If is supposed to be visible to the user, then this is best done as a Client-Side Redirection using simple 302.


  25. chen says:

    hi, David,

    Thank you for your reply.

    I don’t understand what do you mean the client-side or server-side. I rent a space but I have no operate right to the server. I can only write some asp script to the server. And I know for Aparch server there is a rewrite url modul to do that, and there are IIS rewrite program to do that on the server. But these both don’t fit for me.

    Do I clear state the question?

  26. David.Wang says:

    Chen – By client-side or server-side, I mean:

    When the client makes a request to:

    Do you want the URL bar in the browser to say:




    If you want the browser to say #1 then you use server-side redirection. If you want the browser to say #2 then you use client-side redirection.

    After you determined what sort of redirection you want to do, you can look through the above index I laid out on how to accomplish the task using the technology and server control you have.


  27. Erlend says:

    Hi David,

    I wondered if you have ever experienced a problem that is driving me completely nuts ๐Ÿ˜‰ I’m performing server-side rewrite through the SF_NOTIFY_PREPROC_HEADERS event and modifying the ‘url’ with SetHeader. This should be quite straight forward, but unfortunately it hasn’t been for me. On the first request to a given url that needs rewriting IIS decides to translate my rewrite into a client side redirect :/ When hiting the back button and retrying the request the rewrite is performed correctly. Closing the browser and retrying it behaves exactly the same way. The only other thing I’m doing in the code is adding a custom header value to be interpreted by the ISAPI extension that eventually processes the request.

    Do you know of any situations that could lead IIS to send the client side redirect instead of performing the server side rewrite?


  28. David.Wang says:

    Erlend – Can you give the exact request you sent? As well as IIS version.

    Try using WFetch from to make test requests and see what actually gets returned. I do not trust using the browser to debug issues when an ISAPI is involved because ISAPI can have arbitrary behavior that confuse browsers. You need a dumb client like WFetch so that you know what is really going on.

    I presume you are talking about the URLs that require courtesy redirects – i.e. http://server/vdir where /vdir exists as a folder. In those cases IIS will automatically send back a 302 redirection to http://server/vdir/ , which the browser transparently follows. However, ISAPI Filter sees both requests to http://server/vdir and http://server/vdir/ , so it should be able to rewrite.

    I do not know of any situations where IIS will send a response without first calling SF_NOTIFY_PREPROC_HEADERS (which is what you are claiming)… unless you send a response from SF_NOTIFY_READ_RAW_DATA, but that is ultra-gross.


  29. Lei says:

    Hi David,

    Thanks for your great article!

    Currently I need to redirect http://server_name/virtual_directory_name/subfolder1/*.* to http://server_name/virtual_directory_name/subfolder2/handler.aspx?filename=*.*

    How to achieve that in IIS? Thank you.

  30. David.Wang says:

    Lei – Please read my earlier comment to Chen. It is not clear what sort of redirection you want.


  31. Erlend says:

    Hi David,

    I think I was being alittle unclear. I’m running IIS6 btw.

    I’m changing the url through SF_NOTIFY_PREPROC_HEADERS and it always gets called. The problem is that on the first call from a browser (I’ll try with WFetch but haven’t had time yet) IIS sends a 302 back to the browser as a result of my changing the url, but on all subsequent calls the request gets processed like I want it to. I do suspect now though that this could be a single server issue (and might have to do with something being incorrectly installed) because I have tried it on two different servers today and I do not see the same problem.

    Thanks for you input.


  32. Lei says:

    Hi David,

    Thank you for your reply!

    I think I need server-side redirection. Actually, I want all user request from http://server_name/virtual_directory_name/map/*.* to be redirected to http://server_name/virtual_directory_name/main/handler.aspx?filename=*.*. Thus, I could use a single file handler.aspx.cs to handle all request from subfolder "map" of the virtual directory.

    How to implement this in IIS? My IIS version is 5.1. Thanks!


  33. David.Wang says:

    Erlend – I do not see anything wrong with IIS sending back a 302 as a result of your changing the URL.

    Expected behavior depends on the exact URL that was actually processed, IIS configuration for the URL that got processed, Filesystem configuration, and any behavior-modifying ISAPIs configured on the server.


  34. David.Wang says:

    Lei – Please read my earlier comment to Chen.

    Do you want the user to see:


    in their browser’s Address/URL/Location bar.


  35. Lei says:

    Hi David,

    I want the user to see: http://server_name/virtual_directory_name/map/*.* Thus, I think I need server-side redirection. So How to implement?



  36. David.Wang says:

    Lei – ISAPI Filter.

    I have not filled in that index with links, so you can either:

    1. Figure it out (not terribly hard)

    2. Piece it together from my various ISAPI Filter code samples

    3. Obtain an ISAPI Filter from another vendor for fee ( or free (

    4. Wait for sample code


  37. Lei says:

    Hi David,

    Thank you for your reply!

    When I locate the subfolder of the virtual directory in IIS, I also can use "redirect to a URL" option to achieve the goal. So I wonder what’s the difference between configure this in IIS and using ISAPI filter?

    By the way, I miss one point in my previous post. I want to redirect all requests to a subfolder to a single .aspx file except a file like a.aspx in that subfolder. Is this possible using ISAPI filter? Could you direct me some reference links about coding ISAPI filter?

    Really thanks for your solution!


  38. David.Wang says:

    Lei – The difference, as I mentioned earlier, is that:

    1. the UI configuration of "IIS Core (no code) – HttpRedirect ", is only Client-Side Redirection

    2. while ISAPI filter can be anything you want (notice that ISAPI Filter is under all three categories) – you just need to write the code

    MSDN contains documentation about ISAPI Filter API, how it works conceptually, and how to use it. This blog also contains lots of information and sample code to do various useful things. You also need to know how to code custom logic like "redirect all requests to a single .aspx file except a file like a.aspx in that subfolder".


  39. Jason says:

    I’m trying to force IIS to display a custom HTTP 403 page instead of the canned one.  I went into IIS and there is no custom errors listing for 403.* so I used Metabase Explorer and added a line to the 6008 HttpErrors under the "root" of my site id.  I do get the error when trying to view the custom errors in iis admin, so I know it’s there, but I am not able to see this new page…only the canned one.

    Is there a trick to get that active?  I executed a cmd line iisreset and still nothing.  My file is in the iishelp/common folder along with the rest of the error .htm files and the entry in the 6008 HttpErrors metabase list matches the other ones, but still no luck.

    Any help would be appreciated.


  40. Stian says:

    Thanks for a good article!

    I want the users to see ""

    in their browser’s Address/URL/Location bar.

    The real system will be like this:

    The reason I want this is to make it look more pretty.

    Thanks for any reply.

  41. David.Wang says:

    Stian – you want Server-Side redirection on IIS, where * is configured in DNS to give the IP/Host to come to your ONE website which has this redirection active.

    Then, have either an ISAPI Filter or ISAPI Extension rewrite the URL based on the Host header.

    Microsoft has already written such an ISAPI Filter to do this for hosters – contact those folks, get in the program, and get the help and support for free:

    Note: Since you want mass shared hosting, you don’t need the rich website bindings of IIS – and you will see IIS scales just as well if not better than Apache, given comparable extensibility modules and mechanisms.


  42. David.Wang says:

    Hooray, another 10K entry. Been waiting for this for a while now.


  43. Mark says:

    Hi David,

    I want users to be redirected to and see the following in their browers:

    The old file resides at:

    If I understand correctly, this would be a client-side redirect.  Is there a way to accomplish said redirect on IIS in a manner analogous to Apache’s .htaccess redirect?  That is, can I create a single file in which multiple redirects are defined, without actually maintaining the old files (i.e., about.html) in the root directory?

    Thanks in advance for your help,


  44. David.Wang says:

    Mark – sure. In the blog entry, I listed FIVE ways that you can do this on IIS, from declarative configuration analogous to Apache’s custom module configuration in .htaccess all the way through customization through code.

    To what degree of flexibility do you want?

    For example, the built-in HttpRedirect functionality in IIS can handle this. Or you can use HttpErrors to catch the file-not-found. Or write your own configurable ISAPI Filter or ISAPI Extension.


  45. Mark says:


    Thanks for the reply.  Sorry if I seem a little dense; I’m not a server administrator, but rather an (amateur) web designer.

    I have about 10 HTML pages that have been relocated, and I’d like to create a single, .htaccess-like file to handle these redirects.  Because I don’t have the ability to change any of the IIS settings, the file has to be something I can FTP to the server.

    Any suggestions?

    Thanks again,


  46. David.Wang says:

    Mark – Redirection settings are IIS configuration changes which can only be done as server administrator, so you cannot do what you want in the way you want.

    What you are asking for is "delegated administration of server configuration", something that Apache loosely offers with .htaccess files. Existing IIS versions do not work like that. IIS7 will support the sort of delegated administration you want in the way you ask (xcopy deploy application+server configuration as files).

    Thus, for the time being, you will need to maintain old stub files to serve as meta-redirect to the new files.


  47. Ty says:


          Very nice article. After a couple of hours of hunting, yours was the clearest explanation of the options. I’m curious about why there seems to be such a dearth of info on server-side forwarding. It seems to me that it should be a common deployment strategy to have a web tier in front of an ‘application’ tier, for performance and security, on large sites. For example, I believe it’s common to run Apache (alone) in front of, say, WebLogic, and serve static data from the Apache web tier, and dynamic data from the Weblogic app tier. Now, in the Microsoft world, this same architecture would be IIS locked down and acting only as a web server in the web tier for static content, and IIS running as a .NET app server on the app tier. This gives you some  load benifits, some security benifits (only app tier can touch databases, for example, with web tier on DMZ).  But this does require server-side forwarding. So why isn’t this a well-known technique with tools (ISAPI filters) supplied by Microsoft? I must be wrong – it must not be common at all. What do you think? Thanks again!


  48. David.Wang says:

    Ty – What you want to do is best done with Microsoft ISA Server (firewall + reverse proxy + forward proxy). It is designed to properly resolve and securely re-route network traffic between multiple network segments at the right networking layer. While you CAN do those tasks with a web server, you should not – and that is why Microsoft does not supply it. Just because many people like to do something does not make it “right”; it only means it is popular.

    The lone Apache running mod_proxy and mod_forwarder is basically poor-man’s implementation of ISA. It “works”, sorta, but it has major problems such as:
    1. It is level 6/7 routing – inefficient networking
    2. It is level 6/7 routing – effectively considered a middle-man attack against most every security protocol such as SSL, SSL Client Certificate, or Kerberos

    In other words, the model you describe primarily works for the anonymous, insecure web – like mass web hosting, company web presence, toy authentication schemes like Basic, Digest, or custom cookie auth supported by Apache, etc.

    If you want to build secure applications to make financial transactions, that entire infrastructure really does not work. What you end up doing is either settling for a weaker authentication solution that “works” but you pray you never get attacked, or you re-invent Kerberos and re-implement it.

    I will put it this way – everytime you use or build a custom authentication / authorization scheme, it is probably less secure than what is offered for free in Microsoft Windows. Most of the time, custom authentication protocol gets “invented” because the author did not understand existing open standards and brazenly thinks he is good enough. This is why I trust the open standards like Kerberos and SSL. I do not trust random custom authentication scheme…


  49. Ty says:

    Thanks David. I’m now looking into ISA. Is this a widely used architecture in the industry? In other words, do folks commonly implement and deploy 2- and 3-tier architectures using ISA/IIS/DB? Is it done primarily for security or performance, or both?

  50. David.Wang says:

    Ty – I cannot really comment because I am not involved with the deployment/design/architecture of IIS solutions. Other blog readers probably have better experience/comments/recommendations than I.

    From my perspective, those are all arbitrary design-decisions specific to a given deployment and are mostly requirements solvable by existing ISA/IIS/DB features.

    For example, security is always relative. Some people are ok with web servers directly on the Internet; others want web servers behind a firewall; some want a DMZ; others do not. Similarly for performance. Some people are ok with a central proxy server caching; other’s don’t care; and others want individual IIS servers to cache; etc. It all depends on requirements, and everyone differs. You should do whatever makes sense, not merely what "everyone else is doing". Though I would not be surprised to see everyone independently coming to the same conclusions since we are logical. ๐Ÿ™‚

    I am on the IIS product team, so I look at the problem space a little more technically than practically.

    i.e. I care about level 6/7 routing being inefficient and a man-in-the-middle security attack… while most Consultants/Implementers just want to "make it work" and usually do not care about such details or just wants them "solved".

    From my viewpoint, ISA/IIS/DB is the most logical arrangement because that is how we designed it. ISA provides "Edge" services like Firewall, Forward Proxy for internal Clients and Reverse-Proxy for internal servers. So, ISA supports sophisticated network routing as well as easily "publish" internal IIS web servers to be visible to the outside world. Of course, ISA also supports Caching of IIS, just as IIS supports kernel-mode caching as well as user-mode caching of its responses. Meanwhile, IIS does not assume that there is security protection around it, so it comes pre-secured and locked down so that it can run directly on the Internet, but for added functionality some people may open more ports or run more sensitive apps on IIS… and then you’d need to arrange for better protection.


  51. frank says:

    David, it’s great that are love Microsoft so much, but when you say "While you CAN do those tasks with a web server, you should not – and that is why Microsoft does not supply it." – it seems laughable that Microsoft is finally doing just that in their IIS 7.0 Beta.

    Considering how easy it is, it is pretty pathetic that it took them 7 major versions to get in there…

  52. David.Wang says:

    frank – You’re not the only person that does not understand, so you need to read this blog entry:

    Basically, IIS has never been treated like a competitive product. It has been treated as a platform that just needed to be "good enough" to provide for the needs of other Microsoft servers/applications.

    Hence, because ISA, Exchange, Sharepoint, FrontPage, etc exist to do various tasks, IIS does not do them and our architecture gets skewed as well.

    For example:

    1. We hacked major features in IIS for Exchange because they needed it, and eventually no one ends up using it.

    2. ISA is the product to do reverse-proxy and IIS is inefficient layer to do reverse-proxy, there is no motive for the IIS team to do it. Never mind that mod_proxy exists because IIS is not a "product" to compete in the webserver space. And since IIS is not competing in the webserver space, it affects decisions in the overall extensibility API.

    3. IIS3/4 existed to push ASP; IIS5/6 existed to fix problem of bad user apps. IIS7 exists to lay the foundation to compete in the web server space.

    From my perspective, it is pretty pathetic that:

    1. Apache loses market share to a non-competitor like IIS

    2. IIS took so long to get a product-like identity

    So, I suggest that you simply be happy that Microsoft is taking interest in the web server space and get ready to see *real* competition and improvements in this space. In other words, see IIS7 like our first version as a product in the web server space. That’s how we see it.

    And, if you think mod_proxy or RequestForwarder is "easy", then think again. The maintainer of mod_proxy will tell you about its difficulties, and we also know what is not done.


  53. frank says:

    David, people use IIS because they are locked into using a Microsoft solution for everything. If IIS was a stand alone product from a stand alone company it would have died a quiet death years ago.

  54. David.Wang says:

    frank – thanks for finally agreeing with my point. If IIS was stand alone and treated as a product by Microsoft it probably would have changed long ago, too.


  55. frank says:

    Yes, we agree. It is a piece of shit, and has been for years. Good luck with version 7.0. I hope it is a re-write.

  56. David.Wang says:

    frank – … thanks.

    However, it sounds like you are just talking rhetoric because if you’ve even seen/used IIS5 and IIS6, you should immediately know that IIS6 is already the engineering rewrite you talk about. IIS7 is merely the refactoring of that rewrite into a completely open, modular, and componentized architecture (itself a huge undertaking).

    IIS6 is already very well received and very easy to adopt. Marketing/Evangelism have very little problems with IIS6, so you will start seeing big market share movements (check out the last six months of Netcraft for world-wide "market share"). It is mostly irrational customer resistance that make it interesting.

    And if it is not obvious already, IIS7 will be a classic "embrace and extend" aimed right at the big design flaws inherent in Apache due to its quest to be cross-platform.

    Yup, it will be fun to have competition, and the best part is that the customer will win. Hard for you to argue against that. ๐Ÿ˜‰


  57. Aaron says:

    David, I have a situation where I have one main website that serves content for multiple data-driven websites. These little websites each have their own domain name. I want to do the following:

    when a user types in, have their browser show:

    but the content will actually come from

    Can you tell me how to achieve this with IIS 6/WIN2k3 ?



  58. Aaron says:

    David, I have a situation where I have one main website that serves content for multiple data-driven websites. These little websites each have their own domain name. I want to do the following:

    when a user types in, have their browser show:

    but the content will actually come from

    Can you tell me how to achieve this with IIS 6/WIN2k3 ?



    (aaronmurray   @ can you email me when you post a reply? Thanks

  59. David.Wang says:

    Aaron – you want Server-Side Redirection.

    As I indicated earlier, it can be achieved with IIS6 and requires an extensibility module. You can either write the module, find a free one, or purchase one.

    This blog entry’s comments mention several choices that you should investigate and pursue.


  60. Khan says:

    Hi David, Although I have read the entire article and new to .net I have the following question.

    I am trying to achieve a rewrite or whatever I can do to not change the url in the follwoing scenario.

    site resites at

    Have shared ssl space on

    When the user is on

    I would like the site to bring in the page from the shared ssl and for the address to remain as is.  Can you shed some light


  61. Khan says:

    Just forgot to mention I have no control over the admin of the server, but can write code, so if the job can be done with .net it would be brilliant.

  62. DotNetInterop says:

    Another option for a free IIS mod_rewrite type thing – .

    It does regular expressions, works with IIS5 or IIS6, includes RewriteCond, and does redirects.

  63. Leah says:

    For a planned outage, I need to redirect 15 SSL sites to 1 non-SLL site.  How do I redirect SSL to Non-SSL?  


  64. David.Wang says:

    Leah – If the SSL sites themselves need to be down (i.e. you are doing something with the server itself), then you need to do the redirection at the DNS or Network router stage. If the SSL sites and the server itself is down, IIS obviously cannot perform any redirection so you need to do it at the network upstream.

    If the SSL sites themselves remain operational during the outage, then simply configure the IIS "HTTP Redirection" property of each SSL website to point to the non-SSL website. See IIS documentation on MSDN for more details.


  65. James says:

    David – Great article. I think I’m closer to understanding all the redirections.

    I’m assuming this is server side redirection. This is for sharepoint.

    The orginal address is:

    To make it easier for users I’d like to have: and be redirected to the original address.

    This is just for ease of use. Once redirected they can see the original address.

    I saw your reply to Stian for hosters. Is that what I would use or is there a easier way for me?


  66. djs says:

    Am I missing something or is there absolutly nothing on your site that actually describes how to do any of these redirection techniques?

  67. David.Wang says:

    djs – yeah, I have not gotten around to fleshing out this index entry with example configurations and code samples.

    I have just provided the taxonomy to categorize and cover this problem space so that people can commonly communicate solutions. On its own, it is already sufficient enough to help many people identify/resolve their issue.

    I may come back to flesh out some parts of this problem space, but I will not provide/support coded solutions. Only sample, illustrative code.


  68. Amit says:


    I want to redirect the http request from IIS6 to 10g server.(http request means jsp and oracle forms from IIS.client request for jsp and oracle but it needs to redirect to 10g AS.)

  69. David.Wang says:

    Amit – can you clarify the exact type of redirection that you want, based on the classification outlined in this blog entry?


  70. Suhas says:

    Hi David,

    I want to redirect to a local IP address in my LAN network connected to the machine running IIS so that externally I can access the internal IP address of LAN.


  71. Eamon says:

    Hey David,

    No questions from me, just wanted to say good work on the post. Was very informative, helped clarify a lot of things and pointed me in the right direction. Needless to say, thanks to your post I got my reverse proxy configuration sorted with everything up and running the way it should.

    Many thanks,


  72. Paul says:


    I have a subdomain in a website. I kinda got it for free. now I also have a free webhosting and I want to forward any requests made to my subdomain to my webhost. eg:

    this would display the

    but the url would not change.

    The problem is I dont have access to their IIS configuraion. Al I can do is upload a file to it. So could I do this using thje web.config mod?

  73. iiscool says:

    Paul – I am guessing that your old hoster supports, so in your global.asa, read the original url(/paul/about.html), modify it to  and do a response.redirect. This will let the client (say, IE) know that the url has now changed to and it automatically requests the new url seemlessly.

  74. Alexey says:

    Here is a question that has caused me a lot of sleepless hours already.

    First – some background:

    I have a "replicated" site – in effect, it’s a database-driven app that displays different contact information depending on the URL that was entered.  So for example, when I enter "" the page that will be brought up will have my contact info.  However, what makes this site "replicated" is the fact that virtual directory "alexey" does not in fact exist within the site.  The 404 error is configured in IIS to redirect to a custom handler that parses the URL, uses the dummy virtual directory to do a database lookup, places some info in session variables and then builds the real URL based on this information retrieved from the database (the real URL may look someting like "", where all the numeric portions are values that came back from DB, and those ARE real virtual directories)

    Now – the Question:

    I want to be able to maintain that pretty (but nonexistent!) "" URL throughout the users browsing of the site.  Whether or not actual page names appear at the end of it is immaterial – the main thing I care about is that the main portion of the URL does not change into that long and convoluted one.  This would be an example of Server Redirect, but I am having difficulty getting it to work with non-existent virtual directories.  Can you offer any advice?

  75. Alexey says:

    Oh, and something I forgot to mention – these database entries are created dynamically as users sign up on the site, so I never know at any given point what "dummy" virtual directory may exist in my database.  There could be hundreds, even thousands, and it is not feasible for me to maintain any kind of a config file (like most of the commercial URL rewrites seem to require).  I need for this functionality to work "on-the-fly", preferably something I can call from the code-behind .VB file of my app.

  76. David.Wang says:

    Alexey – I would not bother with non-existent virtual directories because that is an artifact of your implementation choice of using the 404 custom error to redirect, which really does not suffice for your needs.

    You have a custom URL mapping. The mapping has to be stored somewhere, either in a config file or dynamically calculated by code stored inside an ISAPI Filter that does the rewriting.

    Since you want to maintain the illusion of the vanity URL to the end-user, you must also change all outgoing response URLs to map back to the vanity URL, or else the end-user will see the convoluted URLs again.

    You will likely have to write an ISAPI Filter to route requests from vanity URL to convoluted URL, and since the ASP.Net application will only see its URL as the convoluted URL, you will either need to pass the vanity URL around, or write an ASP.Net httpModule to filter the response and munge any convoluted URL back to vanity URL.

    It is at this point that you wish the ASP.Net application itself directly supports vanity URL instead of you retro-fitting hacks to give 85% functionality and 50% performance.


  77. Naica says:


    I have an web app that shows in a frame ASP.NET 1.1 pages. The web app is used from outside our internal network so it goes through the firewall. In order to call an aspx page I have to redirect from app to something like: is mapped to our web site (IIS 6.0) using port 1004, and vd1 is a virtual directory under the web site and this is where the mypage.aspx sits.

    All worked fine up to now, and still work as long the new pages we create are in ASP.NET 1.1.

    I developed a page in ASP.NET 2.0 and put it in vd1 as mynewpage.aspx. It works but some things failed to work (session is lost, AJAX not working properly…) so I decided to create a new web site on same web server, let’s say myws and then deployed my page there. All fine it works perfect, but now I can’t access the page from main app because points to the old web site and obviously the page can’t be found there.

    Now comes the question. How can I keep my new aspx page on my new web site and do a redirect to this web site when page is called from client.

  78. says:


    I’m interested in the server-side redirection using the IIS "Core" (no code involved) – IIsWebFile and ScriptMaps technique.

    I believe you use the IIsWebFile to set up default file handling and then add the ScriptMap property to route all the traffic to some dll to do the redirection.

    I don’t understand what .dll to use for the script processor.  Is it aspnet_isapi.dll?  How do I tell it the target server and port?

    The larger goal is this:


    must transparently redirect incoming requests to:



  79. David.Wang says:

    Brad – I do not see how your goal is Server-Side Redirection.

    You want to rewrite URLs between two different websites, which is Server-Side Forwarding.


  80. says:


    Per your taxonomy:

    "Server-Side Redirection  – The server transparently rewrites the request URL to another URL which remains on the same website as the original."

    If I understand what you mean by "remains on the same website as the original" as the URL in the address bar does not change, then this is what I want.

    Let me rephrase the proposition this as:

    must transparently redirect incoming requests to:


    and the user and more importantly, his browser, must still believe he is on:


    I believe the laypersons lingo for what I’m trying to do is "reverse proxy" where the proxy device is the only device with a public ip address and direct access to the outside internet — and it also contains an private ip address on our internal network and can act as a sort of bridge.

    Granted, I’m not a taxonomist, and I’m new to isapi extensions and filters and web server and tcpip configuration on any platform.  If you can point me to learning resources, I will refrain from re-asking questions here which may be better suited to another forum.

    After rescanning the post history I see you’ve responded to "stian" in April 2006 which may contain some information that I have missed.  I will continue digging.


  81. rllaneis says:

    i’m thinking of doing server-side forwarding, basically: -> (on a different machine), where the client still sees ""

    these sites are behind ISA, do i need to publish or will the publishing rule will suffice?

    i have yet to start this, so i’m open for suggestions and changes, the goal is that the client access our portal site and click on a link inside it that will redirect them to our apps site without knowing so, meaning the url is still the portal site link (e.g.

  82. Dale Leonard says:

    I’ve been banging my head over this one for a few days.

    I have a customer that is trying to make sure 301 redirects to

    They have some ASP pages and some such.


  83. steven swink says:

    I’d like to accomplish something similar to Myspace’s vanity url. i.e. I’d like for users to use a vanity url to access thier dynamically generated web page without changing the url in the browser. When a user requests the page, I need to run some code that will parse the username (I guess using GET or similar), match the username to a database entry that holds specific information about that user’s page (myspace) and build the corresponding HTML. Is this possible with a ISAPI filter?

  84. Sean says:

    So how do you do it?  I want to map to

    That is easy to do in java but how do you do it in IIS 4?

  85. drupal says:

    Here is another way to Redirect www to non www version of site

    Options +FollowSymLinks

    RewriteEngine on

    RewriteCond %{HTTP_HOST} .

    RewriteCond %{HTTP_HOST} !^

    RewriteRule (.*)$1 [R=301,L]

  86. André says:

    I have a domain called

    The real stuff is located in

    On the server is masked forwarded to

    Everything was working just fine… BUT…

    When I started to use AJAX it only works nice when the URL is used. From the nice AJAX interface does not work. It rewrites the whole page!

    To understand me: go to the URL´s and click "Cinturones"

    Can somebody give me the solucion? I am really lost for 2 weeks now…

  87. Steve says:


    For server-side redirection, can you talk to the choice of ISAPI filter versus ISAPI extension? Am I right in thinking that they are very similar but that the filter is site-wide whereas the extension can be different on different virtua directories within the site>

    Thanks for a great site.

  88. Johan says:

    Hi David,

    Currently working with CMS which also implements isapi filters. My problem is this: cms has a little bug, if you put yout URL as http://server/cultures/en-us/site the request fails as there is no trailing / (should read http://server/cultures/en-us/site/ )

    What i was thinking is creating a filter that adds the / if it was omitted. Then, add my filter above cms filter.

    I used getHeader, do my check and add a "/" if required, then setheader my new url. That part works, the problem is the site loads but cms filters werent applied (its almost that after my filter finishes it skips over the rest of the filters in the isapi list in iis.)

    Any ideas? iis 6.

    Thanks, Johan

  89. Steve says:


    First my environment is IIS6.0 and ASP.NET 2.0.

    Let’s say that I have a request come in "appl.aspx?someparams" and I want to redirect that to "somepage.special" to be handled by whatever ISAPI extension is configured to handle ".special", then how can I do this? Maybe the "somepage.special" came from a database lookup.

    I looked at a HttpModule in the ASP.NET pipeline capturing the authorizeRequest event (I have forms authentication and url authorization in place) and doing it from there using the request.redirect method. That gets me client side redirection.

    But what if I don’t want to go back to the client, what if I want server-side redirection (but from within ASP.NET), that is, I want to go back to the top of the ISS processing sequence (or at least before where it is picking the ISAPI extension to process the request)?

    I thought that calling server.execute or server.transfer might do it, but from what I’ve read, it can only do this for another ASP.NET page (e.g. to "somepage.aspx" and not to "somepage.special").

    What are your thoughts on this?


  90. Steve says:


    First my environment is IIS6.0 and ASP.NET 2.0.

    Let’s say that I have a request come in "appl.aspx?someparams" and I want to redirect that to "somepage.special" to be handled by whatever ISAPI extension is configured to handle ".special", then how can I do this? Maybe the "somepage.special" came from a database lookup.

    I looked at a HttpModule in the ASP.NET pipeline capturing the authorizeRequest event (I have forms authentication and url authorization in place) and doing it from there using the request.redirect method. That gets me client side redirection.

    But what if I don’t want to go back to the client, what if I want server-side redirection (but from within ASP.NET), that is, I want to go back to the top of the ISS processing sequence (or at least before where it is picking the ISAPI extension to process the request)?

    I thought that calling server.execute or server.transfer might do it, but from what I’ve read, it can only do this for another ASP.NET page (e.g. to "somepage.aspx" and not to "somepage.special").

    What are your thoughts on this?


  91. Josh says:

    For all redirection and url rewriting stuff, I use IIS Mod-Rewrite

    It’s a must have tool on every IIS server. But since it’s compatible with Apache’s mod_rewrite, I guess Microsoft will never adopt such Apache style functionality.

  92. David.Wang says:

    Josh – I’m not certain why you think that Microsoft will never adopt Apache style functionality. Microsoft is not obtuse to ignore good ideas — remember "embrace and extend"?

    For example, IIS7 takes the best of Apache and improves on every aspect:

    – Completely customizable core request engine – similar to Apache. Complete modularity improves security, reliability, control.

    – Completely customizable, schematized, and performant distributed configuration system – better than Apache because it’s good enough to be on-by-default, while no one turns on .htaccess if they cannot accept its performance penality

    – Completely customizable, extensible UI which plugs with the core and distributed config – superior to Apache without add-ons.

    Does IIS7 currently lack the breadth of modules of Apache? Absolutely. But IIS7 has all the right ingredients and support to surpass Apache, and all the Netcraft (etc) numbers support it.


  93. IT programmer says:

    Alot of reading here with no real answers

  94. David.Wang says:

    IT programmer – unfortunately, that is by-design. You can read my BIO for the details.

    There are plenty of people and places to swap code snippets or answers and you should go there if that is your intent.

    If you want to know how something works such that you can help yourself, this is the right forum because it is my intent to help you.

    If you just want quick answers to questions on how to do something to resolve an issue, sorry, that is not my intent and my blog will not be useful in that manner.


  95. QED says:

    Good material, there is no school like old school.

  96. Paul B says:

    Hi David,

    I’m a bit new to this re-direction game so please forgive me if I am bing a bit thick. I have a bit of a problem that I am hoping you might be able to help me with. We need to set up a Web Site in IIS with its own server certificate. I then need this sites to forward to a single internal URL. When we set up a helloworld.htm in the web site, and browse to it we can see that the certificate is being "presented" to the client browser. I thought that all we needed to do was create a default.asp to do a response.redirect to the internal web site and the client browser will be re-directed but will be presented with the certificate first, but that does not seem to be the case. Is there a simple way to redirect to an internal http page from an Https external page with the certificate still being presented to the client?


    We have a site that a company wishes to use, however out site is developed for a number of customers. The site is the same, but the company wishing

    We are hosting an ebXML message handler for a number of companies which are all communicating with one single company.

  97. Paul B says:

    Hi David,

    Please ignore the ramblings at the bottom of the last post, bit of a cut and paste crisis


  98. Arijit Upadhyay says:

    Mass Shared Hosting on Windows with IIS6 – – Posted on Monday, September 26, 2005

    Is the solution still valid? Because I cannot seem to find the "ISAPI Filter or ISAPI Extension rewrite the URL based on the Host header" on their website –

    Has it been removed in Version 4.5?

  99. David.Wang says:

    Paul B – You should use ISA Server 2006 for this task. It will do SSL Endpoint termination and HTTP routing.

    You want to do "Server Side Forwarding" (SSL is irrelevant to the discussion since it happens before HTTP, which is where the redirection happens). That requires a reverse proxy add-on module.

    You tried "Client Side Redirection" with response.Redirect


  100. David.Wang says:

    Arijit – the ISAPI Filter is part of the hosting solution. You will not find a link to just download.


  101. Gary says:

    Hi David,

    Thanks for allowing me to ask a question. On my IIS webserver, sometimes the IP address is displayed in the URL, i.e. instead of Is it possible to have some re-write on this, or do the re-writes normally exclude the domain part of the URL.

    Many thanks in advance for any advice you can offer.


  102. Paul B says:

    Hi David,

    Thanks for the reply but I don’t think we can use ISA Server 2006. We have one IP address, which I need to share between a number of our customers, each of which have their own certificate. You can only set up an ISA Server Web listener to listen on one IP address (unless you know different), and we have a domain name, e.g. pointing to that IP address. I believe you can only have one certificate for each listener. Because of this limitation, we thought that for each customer they can put their company name at the end of the URL, e.g.,, …etc, and we have set up an SSL tunelling rule to pass requests stright to our IIS. IIS will have a seperate web site in IIS each with their own certificate so that the supplier is presented with the correct certificate for the customer (we have tested this and this seems to work). Each of these URLs then need to be forwarded on the server side to another single internal URL, e.g. http:\internalserverAnotherWebPage, but we want the customer not to see this URL, as far as they are concerned we need them to think they are POSTing to Its the forwarding the request to the internal site that we are stuck on

    Is it possible to do this?


  103. Yunus says:

    How to set url dummy @total application execution

  104. Yunus says:

    How to set dummy  url @ runtime  application execution in ASP.Net



  105. David.Wang says:

    Paul B – You want Server Side Forwarding, which is certainly possible on IIS but you will have to purchase or find an ISAPI Filter to do it.

    I do not believe your scheme to multiplex multiple SSL Certificates over one external IP/Port works. Certainly not for certificates that look like and It can work for certificates that look like and

    The "Magic" is in your tunnel rule that appears to magically know to route https://www.MyMainDomain/company1 traffic to an internal IIS website with its own SSL certificate for company1. Tell me how can the tunnel figure out the URL to tunnel SSL traffic to the correct IIS website when it is encrypted? And if it doesn’t figure out the URL, IIS certainly has no way to figure out which website (and server certificate) is supposed to be used.

    Anyways, you can use ISA Server in place of the internal IIS server to do the reverse proxying task that you wan.


  106. David.Wang says:

    Gary – fix your web pages to not give the IP. And don’t use IP address in as your hostname or redirection hostname.

    You never want to have code that is rewriting your outbound request looking for to rewrite to That would just kill performance and scalability.


  107. Dave says:

    David, I am your alter-ego looking for a point in the right direction.  I’ve done hardware for many years and plenty of admin, but coding is "magic." I’m tryin’ tho.  

    In short, I’ve got an IIS server and an edge server on one subnet and Exchange 2007 (hub, mailbox, CAS) on another.  As I understand your article, I need Server-Side Forwarding, but I’ve never done it before and don’t know where to begin.

    Any references you’d like to share?  

    I hope it will lead to a better understanding of your other articles. . .



  108. ken says:

    Thanks for your guide but… sorry I can’t resist:

    "Actually, Apache "core" does NOT perform ANY sort of redirection. You need to install and configure add-on modules like mod_redirect to get Client-Side Redirection, mod_rewrite to get Server-Side Redirection, and mod_proxy to get Server-Side Forwarding. So, the ability to redirect is NOT built-in"

    Apache on ubuntu linux:

    1) open terminal

    2) write: sudo a2enmod rewrite

    3) mod rewrite installed and working

    No more than 10 seconds.

    And as far as I know, software modularity is an advantage, instead of a disadvantage.

    Come on David, I believe you can find a better way to defend iis against apache.

  109. David.Wang says:

    ken – actually, I am not saying anything about modularity nor "defending"

    My point is simple — if you want to compare two web servers, compare apples to apples.

    People tend to treat mod_rewrite, mod_proxy, etc as indistinguishable and fundamental part of Apache when you and I know that they are simply add-on modules which are often bundled together in various combinations on various distros.

    These same individuals then complain that IIS does not have mod_rewrite, mod_proxy, etc — and thus Apache is superior.

    Uh, no… compare apples to apples. If you install add-on equivalent of mod_rewrite, mod_proxy, etc onto IIS, it is just as capable as Apache. Their argument holds no water, in my opinion.

    I compare IIS and Apache closer to how Apache core developers view the world — web server core to web server core. And here’s my fact — I know that comparing IIS6 core to Apache 1.x core and 2.x cores, the comparison is a wash — but IIS7 web server core just runs circles around apache 1.x and apache 2.x core.


  110. David.Wang says:

    Dave – think of another way to expose the CAS server to the other subnet. If they two subnets are truly supposed to be separated, use ISA Server 2006 to bridge them. If they are not supposed to be separated, then what’s wrong with your network topology?


  111. Gregg says:

    We have recently switched to a ‘canned’ web server, and now calls to the root ( get redirected via 302 to  Why is their server treating it as a 302 (and adding the ‘Check’ variable) and not just displaying the /dir/homepage.asp without rewriting the url?  Documents tab has dir/homepage.asp set as the ‘default content page’, and there are no ISAPI filters, no custom HTTP headers for the site.  There is a load balancer up front, but the results appear to be coming from IIS:

    Tested at 3/25/2008 6:11:35 PM / from


    Result code: 302 (Found / Moved Temporarily)

    Date: Tue, 25 Mar 2008 18:11:36 GMT

    Server: Microsoft-IIS/6.0


    Content-Length: 177

    Content-Type: text/html

    Set-Cookie: ASPSES…

    Cache-Control: private

    New location:


    Result code: 200 (OK / OK)

    Date: Tue, 25 Mar 2008 18:11:36 GMT

    Server: Microsoft-IIS/6.0

    Content-Type: text/html

    Set-Cookie: ShopperID=D67…

    Cache-Control: private


  112. David.Wang says:

    Gregg – No IIS feature ever adds the Check=1 querystring

    Thus, it looks like you are seeing 302 redirection made by custom code running on IIS. This is either from:

    1. Default Document at

    2. *-scriptmap applicable at

    3. ISAPI Filter, either Global or per-website

    4. User-configured HttpRedirect at

    5. Networking layer between IIS and browser

    You will have to find the custom code and change its behavior.


  113. Morris says: has a great discussion about forwarding requests and includes recent links for products that serve the purpose (perhaps biased – it is missing ISA and ISAPIrewrite…).

  114. Flank says:

    "Where things differ is availability" uhhhhh – should it read: If its not available then its no use for the user?

  115. David.Wang says:

    Flank – Not really. I am pointing out that IIS is no less capable than Apache, including add-on behavior.

    The difference is the availability of the add-on — Apache tends to be bundled with a bunch of different modules activated, whether you want it or not, while IIS comes locked down and requires choices that tend to require money in return for support.

    Both usage models have their suitable niche. The key difference is the availability of the add-on.


  116. Armando says:

    Hi David, cheers for your paper and posts. They have opened my eyes in the world of URL redirect.

    I have a location A ( that I want to redirect to a location B (100.200.300.400/virtual_directory), and I do not want the end-user to see the IP, I want the user to see the location A in the address bar.

    While I am looking for the solution, I am doing clint-side redirect directly with IIS through it’s core function "A redirection to an URL", but the problem is that the URL in the address bar shows the IP address that I redirected to from the location A.

    What I want to accomplish is a server-side redirect that when the end-user enters location A ( the user is redirected to the location B (100.200.300.400/virtual_folder) located in another server, and keep the location A ( in the address bar.

    Any help with this regard will be appreciated.

    Thanks in advance.


  117. sharlyne says:

    Hi David. I’m new to IIS and found your post interested. I have been reading several sites to try to redirect to and have come to a stump. I want the user to see in their address bar so I believe I need server-side redirection.

    I have been reading the MS support documents on setting redirection in the IIS to a website, but it doesn’t redirect the "?id=1" portion of the url. I’ve tried the different syntax in the redirect $q $v etc, but none of it works. for example, with the redirect url of$v$q if I submit I will get the page

    If I leave out the syntax $v$q, then I just get What am I missing?

    Could you point me in the right direction? I see my question is similar to Armando. I have also done what he had in IIS.



  118. David.Wang says:

    sharlyne – If you want and to go to the same website, then you do not want to setup redirections.

    Just setup and as Host headers in your IIS website.

    Then change the DNS record to make both and point to your IIS webserver.

    Your question actually is not similar to Armando, who wants to mask the redirection. You want to have both hostnames point to the same content.


  119. ROY says:

    Hi David ..

    I want to make a redirection like this

    the user request


    he will get the file in url


    Is this possible ? And How?


  120. wolf says:

    Microsoft should  make it easy to redirect HTTP to HTTPS in IIS

    Apache has done it many years ago.

  121. BK says:

    "Get ready for this index to be updated with links…"

    OK, it’s 3 years later and you haven’t updated the links.

    Too bad, it would have been a helpful article.

  122. David.Wang says:

    BK – Sorry. I just ran out of time since publishing the blog entry. I have a lot of other, often competing interests. You may want to spend a little more time and figure it out because the clues are everywhere.


  123. prasad yalamanchili says:

    Hi David,

    We have two urls and being hosted from the same website or one virtual directory. When the user enters either the first url or second url we need to prepend portal/ to the respective url and also change http mode to https mode when making the actual call. I guess this is a basic redirection using response.redirect but how to do this for two different url’s for the same website (Same IP Address and same virtual folder name and actual folder content).  Greatly appreciate your wonderful input in this regard. IIS 6.0, Windows 2003. Thanks a lot for your time.

  124. andri sofiyab says:

    Can you update this article with a HOWTO on exposing http://internal via http://external (IIS) by SQUID?

  125. tommy9un says:

    I hope my comments do not go against the spirit of this post.   But I do have a question and maybe someone can help me as well.  There are many reason for redirecting or forwarding requests.  Each has its own tools:

    ARR for IIS 7


    ISAPI Rewrite lite and full (includes proxy module)

    Site and Virtual folder redirect

    Wild card redirect

    HTML meta tags


    The above is not meant to be a comprehensive list but illustrate the some of the tools that I’ve looked at.  I can’t seem to find the right mix to solve my problem.  My issue is that I need

    1. ISA to filter the request  – web server publishing

    2. IIS_1 to server the static file – published site from ISA

    3. IIS_1 should forward dynamic content requests to IIS_2 – IIS_2 is invisible from ISA

    4. IIS_2 is the only server in the stack that has the .Net engine and can make DB connection

    There are several ways to classify N-tier application.  For my purpose, I say I need to have three tier app: ISA, IIS1, IIS2.  There is also a user and a DB cluster.  This is a generic .Net hosting env that we are building for all MS & .Net apps.  They way we plan to scale this env is by increasing the number of app servers (IIS_2 in this example) leaving the first to tier pretty constant.  

    Ok, if I had IIS7, I think I would be using ARR for this.  But I only have IIS 6 and I can’t find a way to do this correctly.  This should be pretty much textbook stuff. But it seems everything I read just talks about redirecting request.  In contrast, I am looking to build a hierarchy to separate static and dynamic content to servers on different tiers. Those from the java world will probably recognize this as Apache with Websphere plug-in or iPlanet-Weblogic combo.

    Not only do the requests have to be hierarchical, but they also need to be application aware.  Meaning that session cookies, authentication, and etc have to be preserved and passed on through to the last server in the chain.  Oh, and I want to be able to do some end of month reporting and audit of the http logs.

    Anyone? Help?!

  126. rtait says:


    I am writing an ISAPI Filter where I redirect all user requests to a login page.  I am using the SetHeader() method to set the "url" header.  I am also creating another custom header that I intend to use in the login page.  This is working, but I have one problem.  I would like the address that appears in the login page address bar to be the actual login page address.  Currently, it is showing up as the address of the originally requested page.

    I tried solving this by doing a ServerSupportFunction("302 redirect"), in the ISAPI Filter, but that doesn’t retain my custom header.

    Thanks, in advance, for any help you can provide.

  127. David.Wang says:

    rtait – You want the 302 redirect to transfer state (the value of the custom header) to the Login Page.

    Have the 302 Redirect send the value of the Custom Header as a querystring parameter to the Login Page.

    You cannot use Custom Headers to hide the value from the user because Browser is doing the redirect and browsers do not send custom headers.

    Depending on the redirect, you may be able to Set a Cookie with the value of the Custom Header and have the browser send the Cookie (since it belongs to the same Domain) to the Login Page.

    All other choices involve implementing custom protocol over XMLHTTP and is no longer HTTP itself.


  128. rtait says:


    Thanks for the info.  I understand your explanation.

    I really don’t want to use a querystring.

    Can you elaborate on your idea regarding setting a cookie?  I did try setting the "cookie:" header, but like you said the browser is doing the redirect – so that doesn’t work.

    Thanks gain.

  129. David.Wang says:

    rtait – From the server side, you should be using "Set-Cookie:" response header to set a cookie. Depending on the domain of the cookie being set, the browser may then choose to send the "Cookie:" header on its request to your redirected Login page.


  130. Andre Alexanian says:

    David, can you answer prasad yalamanchili’s question from September 18, 2008 2:58 AM, I have the same problem.



  131. Brent Cranmer says:

    Our organization has gone through a name change from domain A to domain B. We have an application (app1) that has always been accessed on https. I need to cut the application over to the domain B URL and want to know if there’s a way to do the following redirect: to

    Our users have the old https URL bookmarked as we never had a redirect for http:// setup. Obviously I want to minimize impact to the users and not have to depend upon them to update their bookmarks to be able to continue to access app1.



  132. David.Wang says:

    Brent – just set up HTTP Redirect on the website for to send redirection to

    HTTP Redirect supports other parameters on the redirection as well. Only thing that won’t work is a POST request to – browsers will not transparently re-POST to

    You want to use HTTP 301 Permanent Redirection to transparently push the transition. Then, you can stop paying money to keep the registered and a website running to redirect for it.


  133. Colleen says:

    Hi David,

    I am new to this environment and need a little help.

    Currently we have several websites within our company, an advertisement has gone out without the www in front of our website. The business would like to modify our IIS to allow for both entries. One using the and one using  I thought this would be easy enough… I’ve tried it two ways…


    I went into the IIS properties of the current website and added another host header name – website minus the www.  


    I tried adding another website called for example… once this was created I went into the properties and Home Directory – clicked "A redirection to a URL" and entered the full web address… including the http://www.. so I would have entered

    Neither one of these are working…  Do you have any ideas on what I am missing within these steps???

    Any help would be greatly appreciated.

    Thanks so much


  134. David.Wang says:

    Colleen – What you are missing is outside of IIS configuration. Make sure DNS is setup correctly to resolve both website with and without www. to your web server.

    Both of your actions should work. First option allows user to browse the website with and without www. and wouldn’t notice the difference. Second option would make all users would did not type www. redirect to see in their URL location bar the www. hostname.


  135. Steve B says:

    Hi David,

    I have a group that uses IIS 6 on Win 2003 EE with SP2.  The have a main DNS entry registered to an host and IP which works just fine and has only a single site being hosted. So there is a default page non-ssl. We have added another environment on another server with a new hostname and IP same server type and O/S. What they want is to have some sort of rewrite that will allow clients to get to either environment but disply the link back to the browser. Is this possible?

    Example: would keep the client on the existing box, no problem.  But if a client should choose the second environment from the default page it has to go to another server, but they want to the client to see in the URL display on the browser, yet I don’t think it is possible.

    Since they didn’t consider this when archieteching this years ago there is a lot of code and e-mail that they don’t want to change so now I have to find them the mythical unicorn.

    Can I do this with mod_rewrite?

    Any help would be aprreciate, my eyes are bleeding from all this reading and I am confused.

  136. John G says:

    This blog doesn’t say anything about anything.  It has been going for three years and there is nothing in here.  It needs to be deleted so it doesn’t show up on the search engines.

  137. Aldo M says:

    Hi David

    Our company web server is used to serve data through port 443 – SSL with a certificate installed and running fine – at (443). (80) on that same server is currently not serving pages.

    We would like to have a web site outside our company at (not .com). Is it possible to redirect only port 80 traffic to a different IP address/web site?

    Any help would be appreciated.

    Thanks so much for a great article.

  138. govind says:

    Great article …very help contents….thanks buddy….you simply rocks…!!!!!!!!!

  139. fkinuselessarticle says:

    u suck with ur article and ur fkin ego

  140. rob merritt says:

    Hi I am trying to redirect a url


    to avoid purchasing a 2nd cert

    the code I have will repoint to the new contect however the URL remains the same and I still get barked at by the cert. I am trying to get this to act like mod_rewrite in apache (you’d think MS would have a tool to do this)


    // REDIRECTOR.CPP – Implementation file for your Internet Server

    //    redirector Filter

    #include "stdafx.h"

    #include "redirector.h"


    // The one and only CRedirectorFilter object

    CRedirectorFilter theFilter;


    // CRedirectorFilter implementation







    BOOL CRedirectorFilter::GetFilterVersion(PHTTP_FILTER_VERSION pVer)


    // Call default implementation for initialization


    // Clear the flags set by base class

    pVer->dwFlags &= ~SF_NOTIFY_ORDER_MASK;

    // Set the flags we are interested in



    // Load description string




    _tcscpy(pVer->lpszFilterDesc, sz);

    return TRUE;


    DWORD CRedirectorFilter::OnPreprocHeaders(CHttpFilterContext* pCtxt,



    char buffer[256];

    DWORD buffSize = sizeof(buffer);

    BOOL bHeader = pHeaderInfo->GetHeader(pCtxt->m_pFC, "url", buffer, &buffSize);

    CString urlString(buffer);

    urlString.MakeLower(); // for this exercise

    if (urlString.Find("gscs.") != -1) //we want to redirect this file



    char * newUrlString= urlString.GetBuffer(urlString.GetLength());

    pHeaderInfo->SetHeader(pCtxt->m_pFC, "url", newUrlString);



    //we want to leave this alone and let IIS handle it



    DWORD CRedirectorFilter::OnEndOfNetSession(CHttpFilterContext* pCtxt)


    // TODO: React to this notification accordingly and

    // return the appropriate status code



    // Do not edit the following lines, which are needed by ClassWizard.

    #if 0

    BEGIN_MESSAGE_MAP(CRedirectorFilter, CHttpFilter)




    #endif // 0


    // If your extension will not use MFC, you’ll need this code to make

    // sure the extension objects can find the resource handle for the

    // module.  If you convert your extension to not be dependent on MFC,

    // remove the comments arounn the following AfxGetResourceHandle()

    // and DllMain() functions, as well as the g_hInstance global.


    static HINSTANCE g_hInstance;

    HINSTANCE AFXISAPI AfxGetResourceHandle()


    return g_hInstance;


    BOOL WINAPI DllMain(HINSTANCE hInst, ULONG ulReason,

    LPVOID lpReserved)


    if (ulReason == DLL_PROCESS_ATTACH)


    g_hInstance = hInst;


    return TRUE;



  141. Javier says:

    Hello, this is my case: I have a URL and I have another URL which is an easy url for the visitors to remember. Now when someone comes thru the short url and I do a redirect to my regular long url I know I’m losing session info and some other stuff. Is there a way to redirect/formard the short url to the long one? i.e. when I type and hut enter I would like to load … many thanks for the help!


  142. Kirrin says:

    Don’t want to seem silly here, but did I miss the actual HOW-TO? I do not see any instructions on how to get this done. What I would like to do (based on your taxonomy), is server-side redirection or http://external to http://internal, with the external never changing. I however do not see your instructions on getting this done.

    Could you please point me to where the instructions actually are?

    I would really like to have a look at your instructions as I’m required to implement this soon. Much appreciated.


  143. kyle says:


    in method OnUrlMap,

    pCtxt->ServerSupportFunction(SF_REQ_SEND_RESPONSE_HEADER, "403 Forbidden", NULL, NULL);


    it work well in IIS 6.0, but in IIS 7.0, i receive page like HTTP/1.1 403 Forbidden, [HTTP/1.1 403 Forbidden] this content show in the page, could you give me some advice? please send me email:

    thank you in advance!

  144. David Hazar says:

    Here is a tutorial I wrote with specific examples on how to set up server-side IIS redirection.  Examples include redirecting Exchange to SSL and redirecting with Parameters.

    <a href=’‘></a>

  145. Robert says:

    I would greatly appreciate assistance.

    We have only one server running windows 2008 server, and exchange 2010 server, and apache.

    When we type in the URL, IIS does not transer it to port 8080 (Where Apache is configured to listen to), and you get the following error "403 – Forbidden: Access is denied.".   if you type in the browser, everything works.  

    What needs to be configured to allow incoming HTTP to be forwarded to port 8080?

    Any guidance or links to solve this would help.

    Thanks in advance

Skip to main content