Time to make your IIS website SSL only


You may have noticed that more and more websites are now coming up as SSL secured. We recently secured https://blog.millennia.cloud on a permanent basis, and going forward will not provide any content unencrypted over standard HTTP.

Because of open encryption offerings like Let’s Encrypt there is less and less reason to delay the upgrade of your site to SSL only. However note that you should still support an initial call via HTTP so users are not just blocked from your site if they don’t initially use the HTTPS prefix.

This is easy enough to do in website systems such as WordPress, but for IIS installations there are a few methods to achieve this. We detail our recommended one below.

We are assuming IIS8 for the basis of this set of instructions:

Converting your IIS8 site permanently to SSL secured


First of all if you haven’t done so then you need to make sure your site is listening on port 443 and bind it to an SSL certificate!


Adding SSL to a website

1) Download and install the URL Rewrite 2.0 module to your IIS server (download links as follows):

64bit URL Rewrite Module Download

32bit URL Rewrite Module Download

2) Once installed, open IIS Manager, expand the Sites container and select the website you wish to configure the HTTP redirection.

3) Once highlighted, double click the URL Rewrite option in the right hand pane. Select Add Rule and configure the following:

NAME section

  • Select: Blank Rule
  • Name: http to https
  • Match URL – Requested URL: Matches the Pattern
  • Match URL – Using: Regular Expression
  • Pattern: (.*)


  • Conditions: Add
  • Condition Input: {HTTPS}
  • Check if input string: Matches the Pattern
  • Pattern: ^OFF$
  • Click OK

ACTION section

  • Action type: Redirect
  • Redirect URL: https://{HTTP_HOST}/{R:1}
  • Redirect type: Permanent (301)
  • Click Apply

It is important that you do NOT check the “Require SSL” option for the site because this will likely present the user issuing a standard HTTP request with an error page, which doesn’t look good.

Do not enforce SSL!

Once these changes have been made your site will then automatically redirect to HTTPS when called and present the end user with a secure website page.

This proves that the site is genuine and not a spoof site set up to trap people into thinking they are on your site. It also gives users of your site more confidence that you take security and privacy of information seriously.

In addition you will find that the change attracts the attention of bots from Google and other search engines, which will reindex your site and give you a better ranking for being SSL secured.