
Forcing SSL In IIS

Eric Randle posted about how to force SSL on an IIS website while still allowing normal access to redirect to the secured version.

I faced a problem recently where I needed to secure a web site so it can only be accessed via HTTPS, and if someone accessed the page via HTTP it would flip it to HTTPS. Through some searching I did find a solution that worked quite well. Unfortunately IIS6 doesn't provide the option to "Flip to HTTPS", it would be nice, but I had to find some code to do the job for me. First thing first, set the site or virtual directory to Force SSL.

Next I created a virtual directory outside of my webroot and named it "forcessl"; make sure you do not Force SSL on the forcessl virtual directory. Then I installed .NET 2.0 framework since I am going to use a .NET solution. I ensured that the site and virtual directory were using .NET 2.

Now that I have .NET 2.0 installed, the virtual directory created, and forced SSL on my site, I can create a file called "forcessl.aspx". Here is the code:

You then just modify the 403.4 error message to use the newly created forcessl.aspx.
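An added example, not the code from Eric Randle's post: one way a `forcessl.aspx` handler for the 403.4 custom error can be written in C# on .NET 2.0. It assumes IIS 6 hands a URL-type custom error the failed request in the query string as `403;http://host:80/path`, and the host names in `AllowedHosts` are placeholders for the names the site really serves.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Placeholder allow-list (assumption): host names this site legitimately serves.
    static readonly string[] AllowedHosts = { "www.example.com", "example.com" };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Assumption: IIS 6 invokes a URL-type custom error with the failed
        // request appended to the query string, for example
        //   403;http://www.example.com:80/app/page.aspx?id=1
        string raw = Request.ServerVariables["QUERY_STRING"] ?? "";
        int sep = raw.IndexOf(';');

        Uri original;
        if (sep < 0 ||
            !Uri.TryCreate(raw.Substring(sep + 1), UriKind.Absolute, out original) ||
            original.Scheme != Uri.UriSchemeHttp ||
            Array.IndexOf(AllowedHosts, original.Host.ToLowerInvariant()) < 0)
        {
            // The forcessl directory is not SSL-forced, so this page can be
            // requested directly with an arbitrary query string. Anything that
            // is not an http:// URL for one of our own hosts gets a plain 403,
            // so the page cannot be used as an open redirector.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Same host, path and query; https scheme; default port (443).
        UriBuilder secure = new UriBuilder(original);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = -1;

        // 302 to the HTTPS version and stop processing this request.
        Response.Redirect(secure.Uri.AbsoluteUri, true);
    }
</script>
```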

Another method of forcing SSL in IIS can be found on Microsoft's Support site.

Force SSL on IIS 6 - [Eric Randle]

Originally posted on Sun Sep 23, 2007
