HTTP to HTTPS redirects on IIS 7.x and higher

This is the most common requirement on most of the Exchange servers hosted on IIS. The server admins configure an http to https redirect.

Today I will be discussing few ways of doing this. I will keep updating this document as I find more ways to do so. I am considering OWA as a sub application under IIS for all the below examples. Here is the structuring of the Web Site:

In this case, we want all the requests (both HTTP & HTTPS) to be redirected on HTTPS to the application called "OWA" under the Default Web Site.

Method 1: Using IIS URL Rewrite Module

For this you will have to install the URL Rewrite module. (FYI, this is available for IIS 7 and higher only.)

Download from here:

Once installed, the URL Rewrite module would be listed under IIS section. There are few articles out there on this. Here are few to list:


These articles are definitely a great repository, however I observed that they have not addressed an important factor.

As specified in the above links add the below section in the web.config at the root of the site:

<?xml version="1.0" encoding="UTF-8"?>
        <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAny">
          <add input="{SERVER_PORT_SECURE}" pattern="^1$" />
          <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
        <action type="Redirect" url="https://{HTTP_HOST}/OWA/" redirectType="Permanent" />

  In the above rule I’m checking whether the server variable "SERVER_PORT_SECURE" is set to 1 or 0. (I’m doing a permanent redirect in the above URL, it can be changed accordingly as per the requirement)  

You can find the complete list of IIS Server variables here:

SERVER_PORT_SECURE  A string that contains either 0 or 1. If the request is being handled on the secure port, then this is 1. Otherwise, it is 0.        

Alternatively, instead of the above server variable the following server variable "HTTPS" and "SERVER_PORT" can also be used correspondingly.

NOTE: Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly.        

Method 2: Using IIS Default Document (a default.asp page)

In this method we will introduce a sample asp page at the root of the website and then add the following piece of code:

        If Request.ServerVariables("HTTPS")  = "off" Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/OWA"
        ElseIf Request.ServerVariables("HTTPS")  = "on" Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/OWA" 
        End If

Alternatively you could use the following piece of code as well (ensure to change the port numbers as per the website configuration).

        If Request.ServerVariables("SERVER_PORT")=80 Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/OWA"
        ElseIf Request.ServerVariables("SERVER_PORT")=443 Then
                Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & "/OWA" 
        End If


The logic is pretty simple, we are checking if the requesting is on HTTP (Port 80) or HTTPS (Port 443) and redirecting them to https://<HostName>/OWA.

There are obviously several ways to write the same code by checking other server variables.

Method 3: Using IIS HTTP Redirect Module

This is one of the simplest methods, but has a lot of limitations and ideally not used. Here is how we do it:

PRE-REQUISITES: HTTP Redirect module is installed and the website has a valid HTTPS binding in place.

  • Launch the IIS Manager.
  • Go to the HTTP Redirect module.
  • Fill the details as per the requirement as shown below:

This may not be ideal for all the scenarios as the user is redirected to a specified URL.

NOTE: Ensure the enforced redirection is removed from each of the virtual directories/applications under the Default Web Site. Due to inheritance, the requests will end up in an endless loop, redirecting to itself repeatedly.

Also ensure Require SSL is not checked at the Root of the website under SSL Settings, this may cause to throw an error page to the users when the browse the site over HTTP. It can be enforced at the application level.        

There is another way using custom error pages which has been documented here:

The author in the 2nd link claims that it doesn’t work on IIS 7.5 and higher versions due to updates in the configuration security.

I haven’t found the time to test and write it up and neither am I sure if the above actually works. Once I have tested I will add it up here.

Comments (27)

  1. itworkedinthelab says:

    hi there

    just wanted to point out that ex 2013 from cu1 does this for you

    build in

    also does the /owa redirection

  2. That's good to know. 🙂

  3. Alan says:

    I did as you advised and giving this infinite loop ..

    what should I do to resolve?

  4. Alan,

    Which method did you use? Also did you go through the  NOTE section at the end. There is a possibility of the request going in a infinite loop if not setup correctly.

  5. Shuaib says:

    I have multiple local web applications hosted at IIS server with custom ports, only one web application is SSL enabled with port 82, how can I redirect http://<servername / IP Address>:82 request to https://<servername / IP Address>:82, because I have recently installed SSL certificate and it is working fine, now the users who have bookmark the site with http are facing issue. please guide.  

  6. Hakan says:

    Note that if you use URL rewrite and ONLY want to redirect from http to https (e.g. to

    Then remove

    <add input="{SERVER_PORT_SECURE}" pattern="^1$" />

  7. Thanks for the suggestion Hakan.

  8. Jace says:

    Hi Guys,

    Just need some advise/clarification. Just wanted to ask if there is a way to take out the port number on the URL ( I have added a redirection rule from http to https – non-standard port(444).



  9. John says:

    Using Method 2 above I get redirected to HTTPS but not to my sub-directories specified after the trailing backslashes. Any idea why not?


            If Request.ServerVariables("HTTPS")  = "off" Then

                    Response.Redirect "https://&quot; & Request.ServerVariables("HTTP_HOST") & "/RDWeb"

            ElseIf Request.ServerVariables("HTTPS")  = "on" Then

                    Response.Redirect "https://&quot; & Request.ServerVariables("HTTP_HOST") & "/RDWeb"

            End If


  10. Troy says:

    Same issue as John, except I'm using Method 1. I can't get it to redirect to a subdirectory. It keeps defaulting back to the root directory. i.e. https://localhost/  

    I've set the rewrite up on a subdirectory as I'm not interested in securing the whole site, only a particular subdirectory.

    so.. below is where the server takes me when I enter in an address.

    http://localhost/test = https://localhost/

    http://localhost = http://localhost

    https://localhost/test = https://localhost/test

    code below


                   <remove name="HTTP/S to HTTPS Redirect" />

                   <rule name="HTTP/S to HTTPS Redirect" enabled="true" patternSyntax="Wildcard" stopProcessing="true">

                       <match url="(.*)/test/" />

                       <conditions logicalGrouping="MatchAny">

                           <add input="{SERVER_PORT_SECURE}" pattern="^1$" />

                           <add input="{SERVER_PORT_SECURE}" pattern="^0$" />

                           <add input="{HTTPS}" pattern="^OFF$" />


                       <serverVariables />

                       <action type="Redirect" url="https://{HTTP_HOST}/test" appendQueryString="true" redirectType="SeeOther" />


    i've tried

    <action type="Redirect" url="https://{HTTP_HOST}/test" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:0}" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}" …..

    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test" …..

    <action type="Redirect" url="https://{HTTP_HOST}{R:1}/test/" …..




    Any idea's on what I'm doing wrong?



  11. Simon says:

    i found that having Require SSL ticked on for the web site prevented any rules from working

  12. Werner says:

    I've struggled with the infinite loop issue for a while now and this post was the only one I found that mentions something about it.

    "Ensure the rewrite rule is disabled at each of the virtual directories/applications under the Default Web Site. Due to inheritance, the rule will cause the requests to end up in infinite loop calling itself repeatedly."

    How would you go about fixing this if you didn't have access to IIS, say for example hosting a site in a shared hosting environment or a cloud service such as Azure?

  13. @Werner

    you do have access to IIS on Cloud Services. Launch a run prompt and type "inetsrv". This will take you to the default installation folder of IIS. Under this browse to the config folder. Here you will find the ApplicationHost.config. this is the config file used by IIS.

    You could also type "inetmgr" which would launch the IIS Manager console. HTH

  14. byrollo says:

    senza attivare ASP si può usare un redirect sull'html aggiungento al file di default questo meta-tag

    <meta http-equiv="refresh" content="2;">

  15. Rob says:

    The ASP redirect works perfectly for some basic OWA port redirection… just remember to install the ASP feature on the web server though as it took me far longer than it should of to realise that's why it wasn't working at first haha!

  16. jgezau says:

    This works perfectly, the only issue I have now is that is also trying to redirect to https when I'm running in local host. I have to comment out that section in web.config in order to continue working. How to redirect ONLY when the application is deployed in server and not when is running in local host?


  17. jgezau says:

    Hi, regarding my previous comment. I found a way to accomplish this. Instead of adding this rule in Web.config, I add it to Web.Release.config under <system.webServer> and is only active when I deploy the application to the server. Oh, and I'm using Method 1 by the way


       <rewrite xdt:Transform="Insert">





  18. Thanks, method 1 works well for me. A slight variation on that is to create the rule via URL Rewrite within the IIS Manager (if you don't have easy access to the Web.config code itself). The steps I found to work are here though the end result is still the same, eg the module adds the required text to the site's Web.config, as such you may need to ensure you've downloaded an updated copy of the web.config (otherwise if you make changes and re-upload it from dev you may overwrite the new rule and lose the redirect).

  19. Dave says:

    Hitting the Redirect Loop issue which you took the time to advise watching out for. Trying to use Url Rewrite method.

    But I don't comprehend your suggested fix. I can find the ApplicationHost.config file, but what good is the knowledge of the location of that file? How do I fix it?

  20. Sean says:

    For what it's worth, only way I got this to work was to not require SSL, and to redirect to this instead:  https://{HTTP_HOST}{HTTP_URL}

  21. Luisz says:

    The IIS URL Rewrite module seems perfect except that it breaks client side caching.  I know this is an old post, but does anyone know if there is a way to fix this?  

  22. Mayur Pawar says:

    Hello Kaushal,

    I have tried third option above but am getting Uncaught ReferenceError: WebForm_DoPostBackWithOptions is not defined error. I need to redirect http to https its working if i use your method but when i click any link button or anything i am getting error above.Please let me know if you have any solution on this.

  23. Haseet says:

    What is the solution if we want to keep port 80 blocked.

  24. Greg Gum says:

    I finally got the Redirect to work correctly!  

    The problem: The redirect works for ALL bindings on a site.  So if you add a redirect to a https://… and both http and https are both bound to the same site, then after the redirect from http to https occurs, then https also redirects to https!  Thus the endless loop.

    The fix: Create two sites, one for the redirect which has bindings ONLY for http, and then a second site which has bindings ONLY for https.

    Magic, it now works because the secure site has no redirect.  Everything which comes in on http goes to the insecure site which redirect to the secure site.  Everything which goes to the secure site, stays at the secure site.

    This IS the correct way to redirect from http to https.

  25. Matthew C. James says:

    Way to start the New Year @Greg Gum! He is correct. This is definitely the easiest way to redirect without the need to create and place new redirect files.

  26. @Greg. that is the correct way. Ensure the redirection is a permanent redirect i.e., 301.

    belated new year wishes 🙂

  27. Teemu Landi says:

    Method 2 works fine with brackets