25
Enforce HTTP to HTTPS Redirect in SmarterTools Products
Idea shared by Bruce Barnes - October 2, 2014 at 7:03 AM
Completed
While we have seen lots of discussion regarding solutions to enforce HTTP to HTTPS redirects with SmarterTools products, I don't believe this has ever been presented as a suggestion.
 
This is an official suggestion that SmarterTools include an Admin switch which can be enabled to enforce SSL / HTTPS encryption on SmarterTools products.
 
Additionally, if anyone has a temporary solution for the WEB.CONFIG file, which will do a valid HTTP/HTTPS url rewrite/redirect, and can share it, that would be an invaluable tool for those of us who would like to enforce this directly, and not use IIS to do so.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

19 Replies

1
Employee Replied
October 2, 2014 at 9:42 AM
Employee Post
Hey Bruce,
 
This is a suggestion that is made quite often for all of the SmarterTools products.  As for SmarterStats, this is a feature that is planned to be included in the next major release of SmarterStats.  In the interim though there is not a web.config change or modification that I could think of to do this.  Someone else in the community might have a bit more insight, but as for now there just isn't a way to go about this.
 
Again though this is something that you can expect to see in a future release of SmarterStats.
 
Thanks
3
Steve Reid Replied
October 2, 2014 at 10:03 AM
I have used IIS with URL rewrite to set this up before. It does add the rules into the web.config.
 
However the problem was on every upgrade this file gets overwritten.
 
Someone prior had recommended you add the url rewrite directly to the server level and not the actual website.
 
Once I did that, the setting sticks and survives an upgrade.
 
The global file is located: C:\Windows\system32\inetsrv\config\applicationHost.config
 
It adds the following:
 
        <rewrite>
            <globalRules>
                <rule name="Redirect to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
                </rule>
            </globalRules>
        </rewrite>
 
 
And I have "IIS URL Rewrite Module 2" installed via web platform installer 4.5
 
0
Bruce Barnes Replied
October 2, 2014 at 10:22 AM
Steve, thanks for the suggested solution.
 
Does the GLOBAL REWRITE affect all of the hosted websites, or just those with SSL certificates?
1
Hany Sobhy Replied
October 2, 2014 at 1:22 PM
Since I don't have too many domains, I use manual rules for each domain that has a certificate.
 
One to redirect the "webmail." (if used) and another for "mail."
 
And also use one to redirect another third domain to second domain
 
IIS 7 on Windows 2008 Standard and .Net 4
<rewrite>
    <rules>
        <!-- Redirect webmail to https site -->
        <rule name="Domain-1 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-1\.ext/*" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-1.ext/{R:0}" />
        </rule>
        <!-- Redirect mail to https site -->
        <rule name="Domain-1 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-1\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-1.ext/Login.aspx" redirectType="Permanent" />
        </rule>
        <!-- Redirect webmail to https site -->
        <rule name="Domain-2 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-2\.ext$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/{R:0}" />
        </rule>
        <!-- Redirect mail to https site -->
        <rule name="Domain-2 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-2\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/Login.aspx" redirectType="Permanent" />
        </rule>
        <!-- Redirect domain-3 to domain-2 https site -->
        <rule name="Domain-3 Rule" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(webmail)\.domain-3\.ext$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/{R:0}" />
        </rule>
        <rule name="Domain-3 Rule HTTPS" stopProcessing="true">
            <match url=".*" />
            <conditions>
                <add input="{HTTP_HOST}" pattern="^(mail)\.domain-3\.ext/*$" />
                <add input="{HTTPS}" pattern="^OFF$" />
            </conditions>
            <action type="Redirect" url="https://mail.domain-2.ext/Login.aspx" redirectType="Permanent" />
        </rule>

    </rules>
</rewrite>
 
0
Bruce Barnes Replied
October 2, 2014 at 2:06 PM
Thanks, Hany!
 
Got a similar solution for IIS 6 on Server 2003.  I know it's sunset in November, but I have a lot of customers who don't have the budget to upgrade until sometime in 2015 or 2016.
1
Henry Timmes Replied
October 2, 2014 at 5:55 PM
Also I notice issues with the HTTPS redirect on heavy usage sites. The module will bug out and say "Too Many Redirects" and only a reboot will fix the issue.
 
I had to enforce it in code on my website.. Something SmarterTools can do.. 
 
I'll give them a head start.. 
 
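 ' Redirect plain-HTTP requests to the same host and path over HTTPS with a 301.
 ' Note: Request.Url.AbsolutePath does not include the query string.
 If Request.ServerVariables("HTTPS") = "off" Then
     Response.Redirect("https://" & Request.Url.Host & Request.Url.AbsolutePath, False)
     Response.StatusCode = 301
     Response.End()
 End If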
 
 
www.unlocktheinbox.com
2
Ant Replied
October 6, 2014 at 5:13 AM
Another solution is to run two different websites:
 
One whatever.domain.com that just listens on 443 that is the SmarterTools product.
 
One whatever.domain.com that listens on port 80. All this site contains is a web.config containing a urlrewrite 301 redirect to https://whatever.domain.com/. 
 
This solved the problem of minor version updates overwriting urlrewrites on the main site - http://forums.smartertools.com/threads/minor-version-updates-keep-url-rewrites.39091/ 
 
The global urlrewrite also works but each rewrite will be tested for each request across all sites running on the server. Seems like wasted effort for a lot of requests to me. 
1
Arthur Grandovskis Replied
January 14, 2015 at 7:28 AM
I found this solution to be the best for my own setup.
 
"Default Web Site" is set to use :80 with IP binding set to "All unassigned"
and no hostname specified. The wwwroot folder only contains a web.config file with the following inside it:
 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpRedirect enabled="true" destination="https://your.domain.com" />
    </system.webServer>
</configuration>
 
The second site would then be set up as per normal SmarterMail guidelines with the :443 with IP binding set to a local server IP address, hostname pointing to a domain name of your choice (i.e. your.domain.com). The appropriate SSL certificate is then selected.
 
Optionally you can enable "Require Server Name indication" but this will mean that older browsers will not be able to display the interface since they don't support this option. I have it enabled simply because I want to make sure that my customers' browser is up-to-date. 
 
Something to keep in mind: Any other domains that you may have pointing toward this web server but not explicitly set up in IIS will automatically be forwarded to SmarterMail login page (due to the above redirect rule)
 
Hope this makes sense :)
3
Douglas White Replied
March 25, 2015 at 11:26 AM
There is a good discussion on this on StackOverflow:
 
stackoverflow.com/questions/46347/iis7-http-https-cleanly
 
Once you're using SSL, you should run a Qualys SSL scan on your site to make sure you're happy with the implementation. The default Windows settings leave you with an F grade on the test in most situations.
 
I did a blog post with screenshots of the steps I took to get the F grade remedied to an A rating:
 
www.oceanbytes.org/2015/03/23/making-the-grade-with-ssl/
 
 
4
Lakshan Salgado Replied
April 28, 2015 at 8:07 AM
Are we going to see a https redirect in place in version 14.x ? This has been a long time coming and is a significant one SM needs to focus on if not. We lost a possible new medical client the other day because we could not offer them web based internal https email. Bluntly, I don't want to be messing around with configs and workarounds when at this maturity level of SM we should have it.
0
Richard Frank Replied
April 11, 2016 at 5:36 AM
I'm sorry for kicking this old thread.
I installed SM15 on my backup mail server and had to deal with the http > https redirect again.
When you're using IIS then you can set the SSL Settings to Require SSL with a checkmark.
If someone uses http he'll get a 403 error form.
In IIS management you can edit the behaviour of the Error pages.
Edit the settings of the 403 status code, select Respond with a 302 redirect and type your Absolute URL.
 
0
Michael Breines Replied
April 11, 2016 at 7:16 AM
We've heard a lot that security is going to be a big part of future versions. Hope that this enhancement isn't forgotten.
0
Paul Blank Replied
April 11, 2016 at 9:24 AM
Too bad we need to use a workaround; here is the easiest way I've found to do it:
 
I use enom.com as registrar for my domains. In my case, I just set up a "URL Redirect" for webmail.yourdomain.com that points at https://mail.yourdomain.com where mail.yourdomain.com is, of course, the public hostname/IP address of the SM server.
 
Inside the LAN, I use Windows DNS services to point users back at the LAN address of the SM server for mail.yourdomain.com (the enom DNS URL Redirect still works as expected).  Browser requests for hostnames that are not specifically defined on the Windows DNS server are, of course, forwarded to external Internet name servers.
 
The redirect works about 99.9% of the time.  Usually it's a browser problem where it doesn't work, and clearing the cache usually fixes it.
 
 
 
1
Michael Breines Replied
April 11, 2016 at 10:06 AM
Crazy we still have to work around this.
1
Hemen Shah Replied
April 12, 2016 at 1:29 AM
As this old thread has been reopened, I would like to ask: a couple of options are seen in earlier posts, but which would be the better option to achieve the following?
Redirect customer webmail URLs to a single secure webmail URL
e.g.:  http://cust1.domain.com  > https://secure.webmail.com
 
Thanks
2
Davina Morgan-Witts Replied
August 4, 2016 at 8:57 AM
Old thread this may be, but the need is there and continues to grow stronger.  I would dearly like to redirect any access to the smartermail to use HTTPS. Of course I can enforce HTTPS using IIS, but I want the redirect, not the enforcement.
 
It took me around 10 minutes to code something for one of our websites.  How hard can this be?
2
Michael Breines Replied
August 8, 2016 at 8:15 AM
Seems that security is a huge focus now for Smarter Tools, so it only makes sense to force HTTPS connections to the web interface. Right? Otherwise we've gone about all this effort to protect passwords etc only to let users send those same passwords to the interface via HTTP. Wild.
1
Stephen Roesch Replied
August 26, 2016 at 9:01 AM
Here is my automated script that does this. I run it after every upgrade (because an upgrade wipes the web.config file). It is written in PowerShell.
 
# updateWebConfigforSmarterMail.ps1

# This powershell file adds the http->https forwarding xml nodes to a web.config file

Stop-Service "SmarterMail Service"

# This is the path to web.config
$webConfigPath = "C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\Web.config"

[xml] $webConfig = Get-Content($webConfigPath)

# This is the new node that we are adding, I'm basically dimming a new var and parsing as an xml node
[xml] $newNode=@"
<rewrite>
  <rules>
  <rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
  </rules>
</rewrite>
"@

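# Now we just need to append the new node to the document in the correct place.
# Skip the change if a <rewrite> section is already present, since a duplicate section makes the config invalid.
$webServer = $webConfig.configuration.'system.webServer'
if (-not $webServer.SelectSingleNode('rewrite')) {
    $webServer.AppendChild($webConfig.ImportNode(($newNode.DocumentElement),$true)) | Out-Null

    # Web.config now contains the rewrite rule, save it
    $webConfig.Save($webConfigPath)
}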

Start-Service "SmarterMail Service"
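
A static check for the kinds of redirect rules posted in this thread, as an added example that is not part of any poster's reply and not SmarterTools code: it reads a config fragment and reports, for each HTTPS redirect rule, the status type, whether an {HTTPS} condition guards it, and whether the requested path is carried over. The sample XML, the host mail.example.test and the function name Test-HttpsRedirectRule are constructed for illustration.

```powershell
# Constructed sample: a system.webServer fragment with three redirect rules.
[xml]$sample = @'
<configuration><system.webServer><rewrite><rules>
  <rule name="Good" stopProcessing="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
  </rule>
  <rule name="NoHttpsCondition" stopProcessing="true">
    <match url="(.*)" />
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
  </rule>
  <rule name="DropsPath" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{HTTPS}" pattern="^OFF$" /></conditions>
    <action type="Redirect" url="https://mail.example.test/Login.aspx" redirectType="SeeOther" />
  </rule>
</rules></rewrite></system.webServer></configuration>
'@

function Test-HttpsRedirectRule {
    param([xml]$Config)
    # Covers both site-level <rules> (web.config) and server-level <globalRules> (applicationHost.config)
    $rules = $Config.SelectNodes('//rewrite/rules/rule | //rewrite/globalRules/rule')
    foreach ($rule in $rules) {
        $action = $rule.SelectSingleNode('action[@type="Redirect"]')
        if (-not $action) { continue }
        $url = $action.GetAttribute('url')
        if ($url -notmatch '^https://') { continue }      # only rules that send clients to HTTPS
        $type = $action.GetAttribute('redirectType')
        if (-not $type) { $type = 'Permanent' }           # URL Rewrite default when the attribute is omitted
        $hasHttpsCondition = [bool]$rule.SelectSingleNode('conditions/add[@input="{HTTPS}"]')
        $findings = @()
        if (-not $hasHttpsCondition -and $url -match '\{HTTP_HOST\}') { $findings += 'no {HTTPS} condition: also matches HTTPS requests and redirects them to themselves' }
        if ($url -notmatch '\{R:\d+\}') { $findings += 'requested path is not carried over' }
        [pscustomobject]@{ Rule = $rule.GetAttribute('name'); RedirectType = $type; Findings = $findings -join '; ' }
    }
}

Test-HttpsRedirectRule -Config $sample | Format-Table -AutoSize -Wrap
```

To check a real server after an upgrade, pass the parsed Web.config or applicationHost.config in place of `$sample`.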
 
1
Andrea Rogers Replied
January 20 at 1:25 PM
Employee Post
Thank you all for your feedback! In the past, we've encouraged a URL rewrite in IIS in order to configure this functionality; however, I'm happy to report that rewrite is no longer necessary! The ability to force HTTPS will soon be included in all products: 
 
SmarterMail
The ability to force HTTPS has been added in SmarterMail 16.x and will be available upon that release within this first quarter of 2017. It will be found in the Miscellaneous Settings > Server Info section. The Administrator will see the following settings: Require SSL and Allow domains to override SSL Requirement
 
SmarterTrack
The ability to force HTTPS was added in SmarterTrack 11.0. In our current version, 12.x, this setting can be found at Settings > Configuration > Security > Options tab. The Administrator will see the following setting: Force all traffic over HTTPS.
 
SmarterStats
The ability to force HTTPS was added in SmarterStats 10.0. In our current version, 11.x, this setting can be found at Settings > General Settings > Options tab. The Administrator will see the following setting: Force all traffic over HTTPS.
 
 
Prior to enabling this setting in SmarterMail, SmarterTrack or SmarterStats, you must ensure the product is set up as a site in IIS and have a valid SSL certificate in place on the server. (Note: This option will not be seen to those using the Hosted SmarterTrack helpdesk, as a secure connection is already in place on the SmarterTools servers.)
 
Thank you all again for your participation on this thread! 
Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
