You need to disable HTTP access to the website:
In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites, then expand Default Web Site.
In the console tree, right-click the EXCHANGE virtual directory, and then click Properties.
In the Default Web Site Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.
In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.