HTTP redirect to HTTPS

Hi,

Is it possible to allow port 80 and "transform" it to HTTPS/443?
Like if someone tries to connect to our webmail server on port 80 they will be redirected to port 443 at the firewall.
I did try to set up HTTP that points in to the mailserver on 443, but no luck.

/Martin

Comments

  • You need to set up a redirect from HTTP to HTTPS on your web server.

  • Thanks.
    But will that cause security issues, as we open port 80 towards the mailserver from the internet? Just for a short while, that is, as it will be redirected to HTTPS.

  • Not really.
    You have 2 choices - implement a redirect or not.
    If not, then your users will need to access the mail server by HTTPS on their access attempt.

    I can try to access Gmail using HTTP and I get redirected to HTTPS for the connection session. Most web sites do have redirect set up.

  • OK, thanks, so I guess it is somehow "safe", and I also have IPS enabled.

  • I am curious as to what mail server needs port 80 open in the first place. Microsoft Exchange only needs ports 25 and 443 open inbound.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • for redirection to https (443)

  • @Mada said:
    for redirection to https (443)

    That part was understood. However, port 80 is probably one of the most scanned ports on the Internet, so using it adds a layer of risk. On all Exchange servers I have managed (2003 through 2016), I only opened 25 and 443.

    On Exchange Server, port 80 does not NEED to be open for it to function. One may have a PREFERENCE to have 80 open for lazy users, but it is not NEEDED for sending/receiving mail or for using OWA. That was my point of "what mail server needs port 80 open in the first place."

    Gregg Hill

  • Understood. We have it open for our lazy users only, and it's not possible to log on using http/80, as you will be redirected to the https/443 login page.

  • If there are any newly-discovered port 80 vulnerabilities in IIS, then you still leave it vulnerable, in spite of the redirect to 443. It is my understanding that the redirect to 443 only takes place due to host headers or something else in the web browser page for an OWA connection. I am talking about directed packet attacks to port 80. I like to leave as little an attack surface open as possible.

    As long as you are aware of it, that's my point.

    Gregg Hill

  • Thanks, I fully understand your point... I will have another thought about it.

  • Contrary to popular belief, users CAN be trained...just don't give them a choice! TELL them to use https://whatever, then block port 80. If they want their email badly enough, they'll do it. They may do it kicking and screaming, but they still will do it!

    Gregg Hill

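An added example, not part of the thread: one way to check that a port 80 listener does nothing except redirect to HTTPS on the same host, run here over raw HTTP responses. The host name mail.example.com, the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def audit_port80_response(raw: bytes, host: str) -> list:
    """Return findings; an empty list means the listener only redirects."""
    status, headers, _body = parse_response(raw)
    findings = []
    if "set-cookie" in headers:
        findings.append("cookie set over cleartext HTTP")
    if status not in REDIRECT_CODES:
        findings.append(f"status {status}: content served over HTTP, no redirect")
        return findings
    locations = headers.get("location", [])
    if len(locations) != 1:
        findings.append("redirect without exactly one Location header")
        return findings
    target = urlsplit(locations[0])
    if target.scheme != "https":
        # A relative or http:// Location keeps the browser on port 80.
        findings.append(f"Location {locations[0]!r} does not switch to https")
    elif (target.hostname or "").lower() != host.lower():
        findings.append(f"redirect leaves requested host: {target.hostname}")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = (b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://mail.example.com/owa/\r\nContent-Length: 0\r\n\r\n")
LOGIN_ON_80 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Set-Cookie: sid=constructed\r\n\r\n<form action='/logon'>")
RELATIVE = b"HTTP/1.1 302 Found\r\nLocation: /owa/\r\n\r\n"
OFF_HOST = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://other.example.net/\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("LOGIN_ON_80", LOGIN_ON_80),
                      ("RELATIVE", RELATIVE), ("OFF_HOST", OFF_HOST)]:
        print(name, audit_port80_response(raw, "mail.example.com") or "redirect only")
```

This only inspects what the listener answers; it says nothing about flaws in the web server's own handling of port 80 traffic, which is the attack-surface concern raised in the thread.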