Released: November 2021 Exchange Server Security Updates

For those of you who can't really wait for a workaround for the OWA redirect issue, it's possible to workaround by using the URL rewrite module in IIS.

Adding the following rewrite rule seems to do the trick for us:

        <rewrite>
            <rules>
                <rule name="Fix OWA redirect" stopProcessing="true">
                    <match url="^(owa/auth.*)$" ignoreCase="false" />
                    <conditions trackAllCaptures="false">
                        <add input="{QUERY_STRING}" pattern="(.*?)\\u0026(.*?)\\u0026(.*?)\\u0026(.*)" ignoreCase="false" />
                    </conditions>
                    <action type="Redirect" url="{R:0}?{C:1}&amp;{C:2}&amp;{C:3}&amp;{C:4}" appendQueryString="false" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>

NB:

- not sure if there's always exactly 3 matches (so if this isn't the case, multiple rules might be needed to account for the different possible cases

- for simplicity, this rule matches all uri's that start with owa/auth , although it might be better (performancewise) to use the full uri