Let TMG (ISA) redirect the user from https to http

This is an issue I’ve had twice in my life so I thought I should write about it.

The Problem

This applies to Microsoft ISA Server 2006 and TMG.

On our website we have logic that detects whether a page is HTTPS worthy. If the page is deemed worthy (like a form), then the user is redirected to the same page but on HTTPS.
E.g. http://www.mysite.com/someform.aspx redirects to https://www.mysite.com/someform.aspx
However, if the page is not HTTPS worthy, like a plain content page, the opposite happens: an HTTPS request is redirected to HTTP.
E.g. https://www.mysite.com/somecontent.aspx redirects to http://www.mysite.com/somecontent.aspx

So, this all works great with no ISA or TMG involved. However, ISA/TMG does not like to fall back to HTTP if it is already serving the user on HTTPS.
In fact, ISA/TMG will actually rewrite the URL in the 301/302 redirect message to be HTTPS if the client is already viewing the website in HTTPS, even if the web server is saying “please redirect to HTTP”.

To be clear, I’ll break it down.

  1. Request comes in for https://www.mysite.com/somecontent.aspx.
  2. We have decided that it doesn’t need to be HTTPS, so we will send a redirect command (aka response.redirect, 301 or 302) to the client: go to http://www.mysite.com/somecontent.aspx
  3. ISA/TMG, being the proxy, decides that all content coming back to the client should still be HTTPS and therefore rewrites the 301/302 message as https://www.mysite.com. Doh! Stupid ISA.
  4. Client receives the redirect message back to the exact same page that they were already on.
  5. Possible infinite redirect loop. YAY!

The Solution

In your web publishing rule in ISA/TMG, create a content rewrite rule for translating http://www.mysite.com to http://www.mysite.com.
That’s not a typo. It’s the same URL twice in the URL translation. If you add this to your rule, ISA/TMG will leave your web server references alone and NOT try to rewrite them.
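The five steps and the fix can be reproduced offline with a small model. This is an added example, not ISA/TMG code or code from the original post: `origin_server`, `proxy` and `trace` are hypothetical names, the "ends with form.aspx" test is a constructed stand-in for the site's HTTPS-worthy logic, and the proxy behaviour is modelled only from the description above.

```python
from urllib.parse import urlsplit, urlunsplit

def with_scheme(url, scheme):
    """Return url with its scheme swapped, everything else unchanged."""
    return urlunsplit((scheme,) + tuple(urlsplit(url)[1:]))

def origin_server(url):
    """Site logic from the post: forms belong on HTTPS, content on HTTP."""
    parts = urlsplit(url)
    wanted = "https" if parts.path.endswith("form.aspx") else "http"
    if parts.scheme == wanted:
        return 200, None
    return 302, with_scheme(url, wanted)

def proxy(url, translations=None):
    """Model of the publishing proxy (assumption: origin sees the client scheme).
    On an HTTPS client connection it rewrites http:// Location values to
    https://, unless an explicit translation entry matches first."""
    status, location = origin_server(url)
    if location is None:
        return status, None
    for src, dst in (translations or {}).items():
        if location.startswith(src):
            # An explicit entry is applied as written, even an identity one.
            return status, dst + location[len(src):]
    if urlsplit(url).scheme == "https" and location.startswith("http://"):
        location = with_scheme(location, "https")
    return status, location

def trace(start, fetch, max_hops=5):
    """Follow redirects hop by hop; report 'loop' as soon as a URL repeats."""
    seen, url = [], start
    while len(seen) < max_hops:
        if url in seen:
            return "loop", seen + [url]
        seen.append(url)
        status, location = fetch(url)
        if status not in (301, 302):
            return "ok", seen
        url = location
    return "too many hops", seen

CONTENT = "https://www.mysite.com/somecontent.aspx"
IDENTITY = {"http://www.mysite.com": "http://www.mysite.com"}

if __name__ == "__main__":
    print(trace(CONTENT, proxy))                          # default rewriting
    print(trace(CONTENT, lambda u: proxy(u, IDENTITY)))   # with the identity entry
```

Against a real deployment the same check is to request the HTTPS URL without following redirects and compare the returned `Location` header with the URL that was requested.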

I hope this also saves you some pain one day.

 

 


Comments

  • Bob Eastman  On May 7, 2012 at 7:48 pm

    You have saved me also!
