Since our webserver resides on IIS here at our company (SBS 2003), I had to secure one of the websites and make sure that whoever tried to access it via HTTP was automatically and transparently transferred over to HTTPS. There’s no “1-click” way to do it in IIS; it must be done in one of 2 ways:
1) Edit the HTML files to do a redirect
2) Use a redirection website
Since there were a bunch of PHP/HTML/other files in that particular website, it seemed much simpler to just go with the second option. Here’s a rundown of the steps to do it:
- Open IIS Manager and select properties for the website for which you want to require SSL. For HTTP port, use anything other than 80, like 8989. For SSL port, use the default 443.
- Now go to the “Directory Security” tab, click Secure Communications, click Edit, check the “Require secure channel (SSL)” box and check the “Require 128-bit encryption” box too. Restart IIS. If you try to browse http://yourserver.com:8989 (the HTTP port chosen in the previous step) you should receive a “The page must be viewed over a secure channel” message. If not, something is not working properly.
- Now, create a new website in IIS, then name it something like “SSL redir for yourserver.com”. Choose port 80 as the HTTP port. For path, point it to anywhere in your server, like C:\inetpub\wwwroot (this doesn’t matter, we’re gonna change it). Give it read permissions. Now go to the properties of the newly created website, and select the “Home Directory” tab. Change “The content for this resource should come from:” to “A redirection to a URL”. In the “Redirect to:” textbox, enter https://yourserver.com. You can also optionally select “A permanent redirection for this resource”, which will cause bookmarks to update to the new URL. DO NOT select “The exact URL entered above” or “A directory below URL entered”. Restart IIS. Now try to browse to http://yourserver.com and it should redirect to https://yourserver.com automatically.
Little note: the redirect URL is sent back to the client, so if you type https://localhost as the redirect, the client browser will try to redirect to localhost on the client machine, which won’t exist. The same goes for NetBIOS names.
(Original source by James Kovacs, www.jameskovacs.com)
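To verify the redirect site set up above, and to catch the localhost/NetBIOS mistake from the note, the following Python check can be run from a client machine. It is an added example, not part of the original post or its source; the function names, the sample responses and the host name SBSSERVER are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def fetch_redirect(host, port=80, path="/", timeout=5):
    """Request path over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(status, location, expected_host):
    """Return a list of problems with the redirect site's response."""
    if status not in (301, 302, 307, 308):
        return [f"status {status} is not a redirect"]
    if not location:
        return ["redirect has no Location header"]
    target = urlsplit(location)
    host = (target.hostname or "").lower()
    problems = []
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme or 'missing'}, not https")
    if not host:
        problems.append("Location has no host name")
    elif host in LOOPBACK:
        problems.append(f"{host} is a loopback name; it resolves to the client itself")
    elif "." not in host:
        problems.append(f"{host} is a single-label (NetBIOS-style) name")
    elif host != expected_host.lower():
        problems.append(f"target host {host} is not {expected_host}")
    return problems

# Constructed sample responses (status, Location); not captured from a real server.
SAMPLES = [
    (301, "https://yourserver.com/"),
    (302, "https://localhost/"),
    (302, "https://SBSSERVER/"),
    (301, "http://yourserver.com/"),
    (403, None),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        issues = check_redirect(status, location, "yourserver.com")
        print(status, location, "->", issues or "OK")
    # Live check, run from a client machine rather than the server:
    # print(check_redirect(*fetch_redirect("yourserver.com"), "yourserver.com"))
```

Running the live check from a client rather than on the server matters because a loopback or NetBIOS target can appear to work when tested locally.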