Script: Set-Exchange2010RedirectSSL.ps1 – Redirecting the Root Web Site to /owa and Forcing SSL in Exchange 2010
A common practice is to redirect the default website to the OWA site in IIS. This allows for a shorter URL for users to remember, and catches those who don’t append “/owa “. It’s a simple enough task for an administrator to do, but I wanted to script it so that I could include it in other Exchange 2010 build scripts to help streamline the process.
Another common practice is to force SSL on specific virtual directories to help enhance security of client access to Exchange. This can take a few extra minutes, but can easily be scripted as well, so I combined both into a simple script. Some of the initial code came from colleague and Exchange Ranger Mark Smith, but I converted it to PowerShell, and added some checks and balances.
Run the script after installing Exchange, and pass it the destination to forward to. An example would be
.\Set-Exchange2010RedirectSSL.ps1 -url "https://mail.ucunleashed.com/owa"
This will redirect the root site to the URL listed. If you don’t specify the ForceSSL option, it will automatically secure the recommended virtual directories. To override that, set it to $false, such as
.\Set-Exchange2010RedirectSSL.ps1 -url "https://mail.ucunleashed.com/owa" -ForceSSL $false
The script starts by verifying the web-http-redirect feature is installed. If not, it will install it. Then, the script will backup the current IIS config, apply the changes, then do an IISRESET for them to take effect.
If you’re not sure of how to run it, there is built in help. Just run
Get-Help .\Set-Exchange2010RedirectSSL.ps1
UPDATE:Â I forgot to mention that the script also assigns permissions to the web.config file for the Offline Address Book to resolve a problem where downloading of the OAB would stop in the middle after configuring HTTP redirection. Microsoft Exchange PFE Bhargav Shukla has pointed out that this was mentioned in fellow MVP Henrik Walther’s post OAB issues after simplifying the OWA 2010 URL? As mentioned earlier, I got initial code from someone else, and didn’t realize that Henrik had already posted about it. So rather than go into details on the issue, please visit Henrik’s excellent post if you’d like more info. Thanks to both Henrik and Bhargav.
Installation
Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.
Donations
I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.
Download
v1.5 – 04-29-2014 – Set-Exchange2010RedirectSSL.v1.5.zip
v1.4 – 01-27-2014 – Set-Exchange2010RedirectSSLv1.4.zip
v1.3 – 01-30-2012 – Set-Exchange2010RedirectSSL.v1.3.zip
v1.2 – 10-19-2011 – Set-Exchange2010RedirectSSL.v1.2.zip
v1.0 – 04-26-2010 – Set-Exchange2010RedirectSSL.zip
Changelog
See the changelog for this script which details all versions and their features
Does this script work on Exchange 2010 SP1??
This script sets a redirect on autodiscover and powershell. Wont that break things?
I’ll do some more testing this weekend. If needed, I’ll update the script. Thanks for the info!
I’m not seeing it set redirect on PowerShell. Autodiscover still works, but I’m gonna tweak the script.
Check this article that explains what directories should be excluded from redirection http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/
New version posted which resolves that issue, and another issue I discovered if you used -forcessl $false.
Many thanks for this script. I looked at many of the other guides on the Internet and even the Microsoft redirect directions broke OWA. Spent many hours trying to figure it out.
Your script worked flawlessly.
Great work!
Does this script not break the RPC over HTTP, somehow its not working, after i did the script ???
It didn’t break it on my environment. What do your logs say?
Excellent work!
Migrating Exchange 2003 to 2010, old users are pointing to http://mail.domain.com/exchange but new OWA is https://mail.domain.com/owa
I cannot figure out how to redirect /exchange to /OWA I am currently getting an apparent ASP Server Error in ‘/’ Application. web.config error. Does this script enable this or is something just broke in my case? For the Vdir redirect is check and sent to /owa.
Ok I had to run it twice (to fix all the mistakes I previously made 🙂 and everything is getting redirected perfectly now, thanks for this.
Glad to see it’s working for you.
I ran the script as instructed, saw it apply everything, however now it’s not working. I’m still getting an HTTP500 error when going to the shortened URL, which in my case is http://mail.company.org
However, when I go directly to the long URL: https://mail.company.org/owa which I put in as the destination to forward to in the script, it works.
I have the same symptom but when i created redirection manually, with the mentioned script. did you solve the problem?
I have the same symptom but when i created redirection manually, without the mentioned PS script. Did you solve the problem?
I used this script on one server and it seemed to work, then on the next reboot it did not. I tested on a second server and it would not work at all. The initial redirect in left blank when checking IIS?
Any ideas people this script would be such a blessing if it worked.
FYI – If you are using Backup Exec 2012 to backup Exchange 2010 and try to do a restore, the restore will fail until you remove the redirect on the EWS virtual directory. BE 2012 uses EWS rather than MAPI for communication with Exchange.
Don’t use this script on SBS 2011 if you for instance have:
remote.domain.tld (Remote Web Access: Remote Workspace)
owa.domain.tld
running the script on owa.domain.tld/owa will also break remote.domain.tld, so that it redirects to owa.domain.tld and makes the Remote Web Access site unaccessible…
Awesome! This script worked great on 2k8-R2 exch2010-sp2
I had been having issues with either the owa redirect working and breaking the EMC, or vice versa. It was maddening pouring over all kinds of articles on the net only to come up with a half working solution.
This script fixed all the issues I was seeing. Thanks again Pat!
Does this work if you are running multiple authoritative domains? Example: I need to be able to get to owa for authoritative domains abc and xyz so I want the users for those domains to be able to get there by going to mail.abc.com or mail.xyz.com and be in the right place for OWA for those authoritative domains.
This does not cover scenarios like that. Sorry!
I always thought the OAB permission issue was just with new OAB virtual directories. I don’t at all understand how setting redirection would only cause issues with one virtual directory and not the others. Regardless, excellent script. May I ask permission to wrap your script in another gui based powershell script (with full attributes to you of course)? I’m looking to create an Exchange 2010 (and possibly 2013) quick configuration script generation tool and your script is far better format than my own powershell notes (and it addresses that stupid oab issue).
Thanks!
Zach
I believe that the RpcWithCert virtual directory should be RequireSSL and Require client cert. currently require cert doesn’t get applied.
The command for the RPCWithCert VD should be:
.\appcmd set config “Default Web Site/RpcWithCert” /section:access /sslFlags:”Ssl, SslNegotiateCert, SslRequireCert, Ssl128″ /commit:apphost
How can I undo all the changes by the script? I keep getting “An unexpected error occurred and your request couldn’t be handled” messages. Users are pissed, so I think I’ll just deal with the non-redirect issue instead.
SP2 for Exchange 2010 broke my redirect. This script worked for me!
Does this work for Exchange 2013?
No. Some redirection is built into 2013.
Not sure if this is due to the new version out today, but just ran this on a new server build and had two errors at the beginning of the script. I saved a screenshot here for you –
https://dl.dropboxusercontent.com/u/17520956/DTS/ehloworld/Capture.JPG
Sorry, hit OK too fast.
Everything else in the script seemed to run fine, but the redirection didn’t work. I didn’t back anything out yet since the machine isn’t in production if you need more details.
I have the same issue as Pat , My OS is Windows 2012 and on Rollup 5 for SP3.
This script is generating this error now, it never did this before:
Property ‘SupportsPaging’ cannot be found for type ‘System.Management.Automation.CmdletBindingAttribute’.
At C:\Users\safariland\Desktop\Set-Exchange2010RedirectSSLv1.4\Set-Exchange2010RedirectSSL.ps1:57 char:16
+ [CmdletBinding <<<< (SupportsShouldProcess = $True, SupportsPaging = $True)]
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
The term 'Get-WindowsFeature' is not recognized as the name of a cmdlet, function, script file, or operable program. Ch
eck the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\safariland\Desktop\Set-Exchange2010RedirectSSLv1.4\Set-Exchange2010RedirectSSL.ps1:95 char:24
+ if ((Get-WindowsFeature <<<< web-http-redirect).installed -eq $false){
+ CategoryInfo : ObjectNotFound: (Get-WindowsFeature:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Forgot to mention; this is on Exchange 2010 SP3 rollup 5, on Windows 2008 R2.
What version of the script are you using?
I found I had to run this script in plain old Powershell without having the Exchange powershell modules loaded. So just run a straight powershell (As admin) and see if that works. For whatever reason, when the Exchange modules were loaded, it was having issues with the get-windowsfeature. No idea.
Get-WindowsFeature is not really directly related to Exchange. So it shouldn’t be an issue. I’ve run it both ways, and it ran fine.
Understood re: get-windowsfeature. What was odd is on the machines I had issues on, if I opened Powershell by using the Exchange powershell console and simply tried to use get-windowsfeature, it couldn’t be found (Outside of the script.) Really weird. But if I just open powershell without Exchange, get-windowsfeature works fine.
Well, that’s correct. Get-WindowsFeature is not available until you import the ServerManager module.
You’re right, I’m sorry – it’s coming back to me now. I couldn’t import servermanager, THAT was the problem. Once I did it under a regular old PS shell, it was fine.
I figured that out and imported that feature. However, I still get the other error.
Cody – open the script in notepad. Search for the line that reads:
[CmdletBinding(SupportsShouldProcess = $True, SupportsPaging = $True)]
and change it to
[CmdletBinding(SupportsShouldProcess = $True)]
Version 1.5 works. I’ve noticed that this script doesn’t work as it used to. It used to set the SSL options correctly on the default web site and on the sub-directories. Now even after this script runs I have to go through each sub-directory (virtual directory) and set SSL to enforce. I had to un-check SSL enforce on the default web site. I also had to enable kernel mode authentication on the EWS virtual directory too (auto-discover would fail until this was done). I was sure this script did all of that SSL work at one point.
Thank you… D/L’d and ran it on my CAS boxes. Exchange 2010SP3 now redirects happily.
The newest version doesn’t run at all for me.. I used 1.31 and that works great.
Does anyone have a script like this that works on Exchange 2016 ?