HTTP redirect to HTTPS
Is it possible to allow port 80 and "transform" it to HTTPS/443?
Like if someone tries to connect to our webmail server on port 80 they will be redirected to port 443 at the firewall.
I did try to set up HTTP that points in to mailserver on 443 but no luck.
You need to set up a redirect from HTTP to HTTPS on your web server.
But will that cause security issues as we open port 80 towards mailserver from internet? Just for a short while, that is, as it will be redirected to https.
You have 2 choices - implement a redirect or not.
If not, then your users will need to access the mail server by HTTPS on their access attempt.
I can try to access Gmail using HTTP and I get redirected to HTTPS for the connection session. Most web sites do have redirect set up.
OK thanks, so I guess it is somehow "safe" and I also have IPS enabled.
I am curious as to what mail server needs port 80 open in the first place. Microsoft Exchange only needs ports 25 and 443 open inbound.
For redirection to https (443).
That part was understood. However, port 80 is probably one of the most scanned ports on the Internet, so using it adds a layer of risk. On all Exchange servers I have managed (2003 through 2016), I only opened 25 and 443.
On Exchange Server, port 80 does not NEED to be open for it to function. One may have a PREFERENCE to have 80 open for lazy users, but it is not NEEDED for sending/receiving mail or for using OWA. That was my point of "what mail server needs port 80 open in the first place."
Understood. We have it open for our lazy users only and it's not possible to log on using http/80 as you will be redirected to https/443 login page.
If there are any newly-discovered port 80 vulnerabilities in IIS, then you still leave it vulnerable, in spite of the redirect to 443. It is my understanding that the redirect to 443 only takes place due to host headers or something else in the web browser page for an OWA connection. I am talking about directed packet attacks to port 80. I like to leave as little an attack surface open as possible.
As long as you are aware of it, that's my point.
Thanks, I fully understand your point... I will have another thought about it.
Contrary to popular belief, users CAN be trained...just don't give them a choice! TELL them to use https://whatever, then block port 80. If they want their email badly enough, they'll do it. They may do it kicking and screaming, but they still will do it!
Another alternative to somewhat protect Exchange itself from exposing port 80 directly to the internet is by using a different snat to forward requests on port 80 to a simple Apache/nginx web server that could then do the redirection.
*the additional security exposure would be a separate topic. I'm just offering an alternative method to achieve the goal
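
The redirect-only web server suggested in the last reply could look like the following nginx configuration. This is an added example, not part of the original thread; the hostname `mail.example.com` is a placeholder, and the firewall is assumed to forward inbound port 80 to this host instead of to the mail server.

```nginx
# Redirect-only listener on a separate host (added example).
# Port 80 traffic from the firewall lands here, never on the mail server.

# Catch-all: requests with an unknown or missing Host header get no response.
server {
    listen 80 default_server;
    server_name _;
    server_tokens off;          # do not advertise the nginx version
    return 444;                 # nginx-specific: close the connection without replying
}

# Only the webmail hostname is redirected, and only to a fixed HTTPS name.
server {
    listen 80;
    server_name mail.example.com;   # placeholder hostname
    server_tokens off;

    # A redirect needs nothing beyond GET and HEAD.
    if ($request_method !~ ^(GET|HEAD)$) {
        return 405;
    }

    # Hardcode the target host rather than echoing the client's Host header,
    # so the redirect can only ever point at the real webmail name.
    return 301 https://mail.example.com$request_uri;
}
```

No content is served and no request is proxied to the mail server, so the only thing reachable on port 80 is this small listener.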