Redirection in Exchange 2013 CU6+ and Exchange 2016

Monday, May 2, 2016

Beginning with Exchange 2013 Cumulative Update 6, the Exchange 2013/2016 application itself performs redirection from the default website to the /OWA virtual directory. That means that if a user goes to https://server.contoso.com Exchange will redirect the user's browser to https://server.contoso.com/owa.

This 301 redirect behavior may affect load balancer health checks if your load balancer does not support direct URL health checking. Application-level health checks should normally be made directly to the https://server.contoso.com/<protocol>/healthcheck.htm URL. Citrix NetScaler load balancers, for example, perform healthchecks by connecting first to the default website and then performing a GET /OWA command. Since Exchange 2013 CU6 and later redirect the client (the load balancer) to the /OWA virtual directory this breaks that functionality.

The only reference to this new behavior is in the support article, Load balancer marks Exchange server as down in an Exchange Server 2013 Cumulative Update 6 environment. At the time of this writing, the article says this behavior applies to Microsoft Exchange Server 2013 Standard and Enterprise and that, "Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the 'Applies to' section." I have confirmed with the product team that this is by design, not a problem. It also applies to all versions of Exchange 2016 Standard and Enterprise, as well. Microsoft will be updating the support article soon to reflect this.

Note that this behavior does not redirect HTTP requests to HTTPS. You still need to perform these redirects from the server or the load balancer. My preference is to do this from the server(s).

Here's how I recommend implementing HTTP -> HTTPS redirection on Exchange Servers:

  • Open Internet Information Services (IIS) Manager on the Exchange Server and select the server name.
  • Double-click Error Pages.
  • Click the Add action on the right and create a new error page for status code 403.4 that responds with a 302 redirect to https://server.contoso.com/owa as shown below.


Since the default website on Exchange servers is configured to require SSL, a user who tries to connect via HTTP will then get redirected to https://mail.contoso.com/owa, rather than getting an error page saying, "HTTP 403 Forbidden" and that SSL is required or you are required to log in.

With Exchange 2013 CU6 or later that's all you need to do. With older versions of Exchange you should create a default.htm file in the C:\inetpub\wwwroot folder with the following:
<html>
<meta http-equiv="REFRESH" content="0;url=/owa">
</html>
This will cause anyone who connects to https://mail.contoso.com to be redirected to https://mail.contoso.com/owa, which is now the default behavior with Exchange 2013 CU6 or later.