HTTP to HTTPS redirects on IIS 7.x and higher

***Updated post on 8th May 2017***

This is the most common requirement on most of the Exchange servers hosted on IIS. The server admins configure an http to https redirect.

Today I will be discussing few ways of doing this. I will keep updating this document as I find more ways to do so. I am considering OWA as a sub application under IIS for all the below examples. Here is the structuring of the Web Site:

In this case, we want all the requests (both HTTP & HTTPS) to be redirected on HTTPS to the application called "OWA" under the Default Web Site.

Method 1: Using IIS URL Rewrite Module

For this you will have to install the URL Rewrite module. (FYI, this is available for IIS 7 and higher only.)

Download from here:

Once installed, the URL Rewrite module would be listed under IIS section. There are few articles out there on this. Here are few to list:


These articles are definitely a great repository, however I observed that they have not addressed an important factor.

As specified in the above links add the below section in the web.config at the root of the site:

In the above rule I'm checking whether the server variable "SERVER_PORT_SECURE" is set to 1 or 0. (I'm doing a permanent redirect in the above URL, it can be changed accordingly as per the requirement)

If you want to include the query string in the re-written url, then you can add appendQueryString="true" under the action section.

You can find the complete list of IIS Server variables here:

SERVER_PORT_SECURE A string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0.

Alternatively, instead of the above server variable the following server variable "HTTPS" and "SERVER_PORT" can also be used correspondingly.

NOTE: Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly.

Method 2: Using IIS Default Document (a default.asp page)

In this method we will introduce a sample asp page at the root of the website and then add the following piece of code:


Alternatively you could use the port numbers in the above code to achieve the same (ensure to change the port numbers as per the website configuration).

Method 3: Using IIS HTTP Redirect Module

This is one of the simplest methods, but has a lot of limitations and ideally not used. Here is how we do it:

PRE-REQUISITES: HTTP Redirect module is installed and the website has a valid HTTPS binding in place.

  • Launch the IIS Manager.
  • Go to the HTTP Redirect module.
  • Fill the details as per the requirement as shown below:

This may not be ideal for all the scenarios as the user is redirected to a specified URL.

NOTE: Ensure the enforced redirection is removed from each of the virtual directories/applications under the Default Web Site. Due to inheritance, the requests will end up in an endless loop, redirecting to itself repeatedly.

Also ensure Require SSL is not checked at the Root of the website under SSL Settings, this may cause to throw an error page to the users when the browse the site over HTTP. It can be enforced at the application level.

There is another way using custom error pages which has been documented here:

The author in the 2nd link claims that it doesn't work on IIS 7.5 and higher versions due to updates in the configuration security.

I haven't found the time to test and write it up and neither am I sure if the above actually works. Once I have tested I will add it up here.

Comments (52)

  1. itworkedinthelab says:

    hi there

    just wanted to point out that ex 2013 from cu1 does this for you

    build in

    also does the /owa redirection

  2. That's good to know. 🙂

  3. Alan says:

    I did as you advised and giving this infinite loop ..

    what should I do to resolve?

  4. Alan,

    Which method did you use? Also did you go through the  NOTE section at the end. There is a possibility of the request going in a infinite loop if not setup correctly.

  5. Shuaib says:

    I have multiple local web applications hosted at IIS server with custom ports, only one web application is SSL enabled with port 82, how can I redirect http://<servername / IP Address>:82 request to https://<servername / IP Address>:82, because I have recently installed SSL certificate and it is working fine, now the users who have bookmark the site with http are facing issue. please guide.  

  6. Hakan says:

    Note that if you use URL rewrite and ONLY want to redirect from http to https (e.g. to

    Then remove

    <add input="{SERVER_PORT_SECURE}" pattern="^1$" />

  7. Thanks for the suggestion Hakan.

  8. Jace says:

    Hi Guys,

    Just need some advise/clarification. Just wanted to ask if there is a way to take out the port number on the URL ( I have added a redirection rule from http to https – non-standard port(444).



    1. Santosh P says:

      You have to specify port if you are not using standard protocol like http (80port) / https (443port) / ftp (21port)

  9. John says:

    Using Method 2 above I get redirected to HTTPS but not to my sub-directories specified after the trailing backslashes. Any idea why not?


            If Request.ServerVariables("HTTPS")  = "off" Then

                    Response.Redirect "https://&quot; & Request.ServerVariables("HTTP_HOST") & "/RDWeb"

            ElseIf Request.ServerVariables("HTTPS")  = "on" Then

                    Response.Redirect "https://&quot; & Request.ServerVariables("HTTP_HOST") & "/RDWeb"

            End If


  10. Troy says:

    Same issue as John, except I'm using Method 1. I can't get it to redirect to a subdirectory. It keeps defaulting back to the root directory. i.e. https://localhost/  

    I've set the rewrite up on a subdirectory as I'm not interested in securing the whole site, only a particular subdirectory.

    so.. below is where the server takes me when I enter in an address.

    http://localhost/test = https://localhost/

    http://localhost = http://localhost

    https://localhost/test = https://localhost/test

    code below


                   <remove name="HTTP/S to HTTPS Redirect" />

                   <rule name="HTTP/S to HTTPS Redirect" enabled="true" patternSyntax="Wildcard" stopProcessing="true">

                       <match url="(.*)/test/" />

                       <conditions logicalGrouping="MatchAny">

                           <add input="{SERVER_PORT_SECURE}" pattern="^1$" />

                           <add input="{SERVER_PORT_SECURE}" pattern="^0$" />

                           <add input="{HTTPS}" pattern="^OFF$" />


                       <serverVariables />

                       <action type="Redirect" url="https://{HTTP_HOST}/test" appendQueryString="true" redirectType="SeeOther" />


    i've tried

    <action type="Redirect" url="https://{HTTP_HOST}/test" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:0}" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}" …..

    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test/" …..




    Any idea's on what I'm doing wrong?



  11. Simon says:

    i found that having Require SSL ticked on for the web site prevented any rules from working

  12. Werner says:

    I've struggled with the infinite loop issue for a while now and this post was the only one I found that mentions something about it.

    "Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly."

    How would you go about fixing this if you didn't have access to IIS, say for example hosting a site in a shared hosting environment or a cloud service such as Azure?

  13. @Werner

    you do have access to IIS on Cloud Services. Launch a run prompt and type "inetsrv". This will take you to the default installation folder of IIS. Under this browse to the config folder. Here you will find the ApplicationHost.config. this is the config file used by IIS.

    You could also type "inetmgr" which would launch the IIS Manager console. HTH

  14. byrollo says:

    senza attivare ASP si può usare un redirect sull'html aggiungento al file di default questo meta-tag

    <meta http-equiv="refresh" content="2;">

  15. Rob says:

    The ASP redirect works perfectly for some basic OWA port redirection… just remember to install the ASP feature on the web server though as it took me far longer than it should of to realise that's why it wasn't working at first haha!

  16. jgezau says:

    This works perfectly, the only issue I have now is that is also trying to redirect to https when I'm running in local host. I have to comment out that section in web.config in order to continue working. How to redirect ONLY when the application is deployed in server and not when is running in local host?


  17. jgezau says:

    Hi, regarding my previous comment. I found a way to accomplish this. Instead of adding this rule in Web.config, I add it to Web.Release.config under <system.webServer> and is only active when I deploy the application to the server. Oh, and I'm using Method 1 by the way


       <rewrite xdt:Transform="Insert">





  18. Thanks, method 1 works well for me. A slight variation on that is to create the rule via URL Rewrite within the IIS Manager (if you don't have easy access to the Web.config code itself). The steps I found to work are here though the end result is still the same, eg the module adds the required text to the site's Web.config, as such you may need to ensure you've downloaded an updated copy of the web.config (otherwise if you make changes and re-upload it from dev you may overwrite the new rule and lose the redirect).

  19. Dave says:

    Hitting the Redirect Loop issue which you took the time to advise watching out for. Trying to use Url Rewrite method.

    But I don't comprehend your suggested fix. I can find the ApplicationHost.config file, but what good is the knowledge of the location of that file? How do I fix it?

  20. Sean says:

    For what it's worth, only way I got this to work was to not require SSL, and to redirect to this instead:  https://{HTTP_HOST}{HTTP_URL}

  21. Luisz says:

    The IIS URL Rewrite module seems perfect except that it breaks client side caching.  I know this is an old post, but does anyone know if there is a way to fix this?  

  22. Mayur Pawar says:

    Hello Kaushal,

    I have tried third option above but am getting Uncaught ReferenceError: WebForm_DoPostBackWithOptions is not defined error. I need to redirect http to https its working if i use your method but when i click any link button or anything i am getting error above.Please let me know if you have any solution on this.

  23. Haseet says:

    What is the solution if we want to keep port 80 blocked.

  24. Greg Gum says:

    I finally got the Redirect to work correctly!  

    The problem: The redirect works for ALL bindings on a site.  So if you add a redirect to a https://… and both http and https are both bound to the same site, then after the redirect from http to https occurs, then https also redirects to https!  Thus the endless loop.

    The fix: Create two sites, one for the redirect which has bindings ONLY for http, and then a second site which has bindings ONLY for https.

    Magic, it now works because the secure site has no redirect.  Everything which comes in on http goes to the insecure site which redirect to the secure site.  Everything which goes to the secure site, stays at the secure site.

    This IS the correct way to redirect from http to https.

  25. Matthew C. James says:

    Way to start the New Year @Greg Gum! He is correct. This is definitely the easiest way to redirect without the need to create and place new redirect files.

  26. @Greg. that is the correct way. Ensure the redirection is a permanent redirect i.e., 301.

    belated new year wishes 🙂

  27. Bruce Patin says:

    I tried to print this page and got blank on every page, using both IE and Chrome. I had to copy and paste it into Word.

  28. Teemu Landi says:

    Method 2 works fine with brackets

  29. This is perfectly working for me.

    Thanks for suggestion.

  30. Chris says:

    Using IIS 8.5 and the URL Rewrite you provide it redirects to the root of the site and removes the subfolder portion of the URL.
    redirects to

    I have the rewrite in the subfolder “folder2” above so how can we have it redirect to the same subfolder? I also have Windows Authentication enabled for this folder.

  31. Igor Rodionov says:

    We have a website that needs to be redirected from http to htts, but port 80 is disabled (recent company policy). My understanding that none of the above solutions will work, is that the right assessment?

  32. La Rambox says:

    Excellent article merci pour le partage

  33. iGanja says:

    Your example, although helpful, is WAY too specific to a single application, yet the title of your post implies this is a generic solution. Had you considered that some of us (nay, maybe most of us) simply want to redirect from http to https, you could have written this with that in mind, OR titled your post appropriately! So, if I have this correct, in Method 1, you are redirecting BOTH http AND https to a single https path. YES! this will cause an infinite redirect all by itself, especially if you have other virtual directories. Hakan, makes this suggestion in comments, and you even acknowledged it, yet did NOT rewrite your post to make this clear? WOW! Perhaps you should delete this post and redirect this thread to

    1. Thanks for pointing out. I am not working on IIS much these days. I have edited the rule to work correctly now. Thanks for the feedback.

      1. Reuben says:

        Please help me. I have the exact code in method 2 but my code keeps returning “500 Internal Server Error”. I have been struggling for days without success. My site is hosted with godaddy.

  34. of course like your web-site however you have to test the spelling
    on quite a few of your posts. A number of them are rife with spelling problems and I in finding it very bothersome to tell the truth on the other hand I will surely come back again.

    1. Thanks for the feedback. I will have to accept that I have been lazy enough to not correct the spelling mistakes.

  35. yump3 says:

    This piece of writing is genuinely a good one it helps new net people,
    who are wishing in favor of blogging.

  36. I’m really loving the theme/design of your blog.
    Do you ever run into any internet browser compatibility
    problems? A handful of my blog visitors have complained about my site not working
    correctly in Explorer but looks great in Firefox.
    Do you have any solutions to help fix this problem?

  37. Excellent article merci pour le partage

  38. John Tan says:

    Is Method #1 the most suitable way to make sure user is browsing securely on website,
    say when user type in to the browser address bar like or ?

  39. maritim says:

    Have you ever thought about including a little bit more than just your articles?
    I mean, what you say is fundamental and all. Nevertheless think of if you added some great photos or videos to
    give your posts more, “pop”! Your content is excellent but with pics and clips, this website could definitely be one of the best in its field.
    Wonderful blog!

    1. Thanks for the feedback. I will include pics and try to come up with videos as time permits.

  40. Minh says:

    Or you just you a simple javascript code to redirect:
    var url = window.location.href;
    url = url.replace(‘http’, ‘https’);

    1. Not a clean solution, as it may not work as this has a client side dependency.

  41. yalda says:

    Thanks, using URL Rewrite solved my problem. but It was not clear for me because I’m not professional and found this step by step guide maybe is helpful for other guys here:

  42. Rushabh Shah says:

    We have added SSL Certification at the domain level. Therefore, all application under Default Website is https enable only. However, we want to redirect all HTTP traffic thru https. Is option to configuring HTTP Redirect with redirect URL is appropriate based on our scenario. Instead of configuring each application/website? How secure is HTTP Redirect method? Should we use URL Re-write?

  43. Hey very cool site!! Man .. Excellent .. Superb .. I’ll bookmark
    your website and take the feeds also? I am satisfied to seek out numerous useful
    info here in the post, we want work out extra techniques on this
    regard, thanks for sharing. . . . . .

  44. Bruce says:

    Hi, I am using your URL rewrite and works fine for some cases.

    This works fine: redirects to

    But the following doesn’t work as expected: redirects to

    Note how the query string got duplicated. I have played around with the appendQueryString attribute but get the same result whether true or false.

    Am I doing something wrong?

    Also, thanks for your blog post.


    1. Can you try to change the URL under actions to this “https://{HTTP_HOST}/{R:0}”

Skip to main content