

OWA for external users

Posted on 2014-12-23
Medium Priority
Last Modified: 2015-01-14
Hello folks,
I have been tasked to provide OWA access for external users. Currently there is no external email access besides mobile phone through Goodlink tech. Outlook / OWA is accessible only internally and now there is a requirement to make this available to sales people who are on the road and need to check their mail. I am trying to get the most practical solution which does not require a lot of work. Someone has suggested we need to install a Edge transport server but I was wondering if there is some other way. Right now our email are sent / received through a smtp-relay server. Thanks in advance for you time and suggestions.

Kind regards,
Question by: Antonio02
LVL 34

Expert Comment

ID: 40515911
How many Exchange servers do you have?


Expert Comment

by:Veerappan Sundaram
ID: 40515961
What version of Exchange server(s) you have?

There is no easy way to set up OWA securely (very much needed and important).

Basic needs are:
1. Public DNS entry with public IP address to publish your OWA URL (
2. You should have one of the below servers in your DMZ
      a. MS Exchange 2010/2013 Edge server.
      b. MS Forefront UAG/TMG server
3. Firewall rules have to be set up for TCP 443/80, 53, 3268/389
4. You need an SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)

Since you wanted to have a simple way (highly not recommended):
In case of Exchange 2010/2013, you should have a CAS array.
  1. You need a public DNS entry with a public IP address to publish your OWA URL
  2. SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)
  3. Create a NAT on your firewall between the public IP and the CAS array IP, allow TCP ports 443/80
  4. Install the public certificate on your CAS servers.
  5. You need to configure the External OWA URL on all CAS servers.


Expert Comment

by:Arjun Vyavahare
ID: 40515985

Simply configure an Internet public IP address for your CAS role (server) and open ports 443, 80, 53, 3268, 389 in the firewall.

Then simply access either the public IP address from the WAN like or, if you have DNS published, access OWA using DNS, i.e.

I hope this will help you.


LVL 19

Expert Comment

by:Adam Farage
ID: 40516313
I'm a little confused by some of the responses here, esp. for opening stuff like LDAP (TCP 389) and security.

Here are the steps at a high level overview, I can dive deep into any of them if you have questions...

1. Add the proper ExternalURL and InternalURL to the OWA and ECP virtual directory (this will be something like and
2. Make sure a valid public SSL certificate is applied to the IIS service on the CAS (you can view the SSL certificates by doing Get-ExchangeCertificate | FL). This certificate *must* have the OWA ExternalURL in there or users will get hit with an invalid SSL certificate error when going to OWA.
3. Open TCP 443 on your firewall to allow connections from outside users to be NAT / port forwarded to the CAS or CAS Array (if you have one).
4. Put a DNS A record in public DNS for your OWA namespace (as I stated above, it's usually
5. Test - it should work.

As for security, Microsoft has even said themselves that you do not need a third party reverse proxy (or IIS AAR) unless its a compliance requirement. This is from Greg Taylor, Principle Program Manager Lead in the Exchange group.

As for the ports that the person above me posted, he isn't talking about TMG / UAG or ISA... so can you explain to me why those ports are required? Exchange will encapsulate the authentication packet over HTTPS, so TCP 389 does not need to be open unless there is a reverse proxy, and the same goes for TCP 3265 (LDAP-S). TCP 80 should NOT be open unless he is doing a URL redirection from HTTP to HTTPS, as the server would need to be open.
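As an added example (not code from the thread or from Microsoft), here are the Exchange Management Shell commands behind the steps above: setting the virtual directory URLs, confirming the IIS certificate covers the OWA namespace, and checking from outside that only TCP 443 answers. The server name CAS01 and the namespace mail.example.com are assumptions.

```powershell
# Added example, not from the thread. Assumptions: a Client Access server named
# CAS01 and an external OWA namespace of mail.example.com.
$Namespace = "mail.example.com"   # assumed external OWA hostname (A record in public DNS)
$Server    = "CAS01"              # assumed CAS server name

# Step 1: same ExternalUrl/InternalUrl on the OWA and ECP virtual directories
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$Namespace/owa" -InternalUrl "https://$Namespace/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -ExternalUrl "https://$Namespace/ecp" -InternalUrl "https://$Namespace/ecp"

# Step 2: find the certificate enabled for the IIS service and check it covers
# the OWA namespace, is not expired, and is not self-signed
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match "IIS" } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on $Server" }

# CertificateDomains holds the subject/SAN names; a wildcard (*.example.com)
# would not be matched by this exact comparison and is reported as a mismatch
$names      = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
$coversName = $names -contains $Namespace
$expired    = $iisCert.NotAfter -lt (Get-Date)

[pscustomobject]@{
    Thumbprint    = $iisCert.Thumbprint
    CoversOwaName = $coversName
    Expired       = $expired
    SelfSigned    = $iisCert.IsSelfSigned
    NotAfter      = $iisCert.NotAfter
}
if (-not $coversName) {
    Write-Warning "Users will get a certificate name error at https://$Namespace/owa"
}
if ($expired) {
    Write-Warning "IIS certificate $($iisCert.Thumbprint) has expired"
}

# Step 5: run from a machine outside the firewall (Windows 8.1 / 2012 R2 or later
# for Test-NetConnection). 443 should succeed; 389 should fail, since LDAP is
# never needed for OWA publishing.
Test-NetConnection -ComputerName $Namespace -Port 443 | Select-Object TcpTestSucceeded
Test-NetConnection -ComputerName $Namespace -Port 389 | Select-Object TcpTestSucceeded
```

Run the Set-* and Get-ExchangeCertificate parts in the Exchange Management Shell on the CAS, and the Test-NetConnection lines from an external client.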
LVL 34

Expert Comment

ID: 40516447
Of all of the responses, I agree mostly with Adam.

First, you don't need TMG or an Edge Server.  In a single-server environment, you most likely wouldn't have TMG and definitely would not have an Edge Server.  It is what Microsoft has been doing for years with Small Business Server and now Essentials.

Second, the only port you need to open is 443.  OWA does not need 80, although, for ease of use, having users type in and then IIS redirects the request to HTTPS is sometimes very sought after.

The other ports, 53 - Domain Name System (DNS), 389 - Lightweight Directory Access Protocol (LDAP) and 3268 - msft-gc, Microsoft Global Catalog (LDAP service which contains data from Active Directory forests), are definitely not needed.  As a matter of fact, not a single Exchange service requires these ports open.

Third, while it is recommended it is not necessary to use a commercial public certificate, you can use a self-signed certificate if you are only doing OWA.  If, however, you start using ActiveSync, then you will want to get a commercial public certificate (you can still use ActiveSync with self-signed certificates, but I don't want to be the one to install the self-signed certificate on supported devices).


Author Comment

ID: 40518886
Thank you so much for your responses. I will give these suggestions a try and let you know how it goes. Unfortunately we are currently under a change freeze so it will have to be done after the holidays.

Thanks again.
LVL 19

Expert Comment

by:Adam Farage
ID: 40519301
No problem. It should be really simple; it gets more complex if you are honestly worried about "attack surface area" (over TCP 443.. *sigh*) and implement a reverse proxy.

Also, completely ignore the "Edge" server comment from the other expert. He was most likely referring to a reverse proxy, which is *not* required, as the EDGE role in Exchange 2007+ is an SMTP role (Exchange's built-in smarthost, which normally goes into the DMZ).

Author Comment

ID: 40534775
Thanks Adam,

I presented this solution to management and they seem to be reluctant about opening the Exchange server to the outside world. They feel we should deploy an Edge server in the DMZ and have the Edge server communicate with the HT servers. Any thoughts on pros/cons of using the Edge transport?

I also want to know if there will be any effect on the existing configuration (outgoing / incoming emails from the internet) if we install an Edge server. I understand new connectors are created when an Edge server is installed.

Thanks so much for your time.
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 1200 total points
ID: 40534864
Hey Antonio,

I think you are getting this a tad bit mixed up. I will explain both solutions, and provide a bit of reference.

So as for the EDGE transport role, that can be deployed internally or externally (e.g: DMZ). This is solely for TCP 25 (SMTP) traffic and does a few different things:

1) if placed into the DMZ (which is what occurs 9/10ths of the time) it will reduce the exposed surface of Exchange to the internet
2) if configured, you can also do simple virus scanning / anti-malware and spam scanning on the device (although it's a little finicky from what I have seen in the past)

Here is a good article on setting this up:

As for your other inquiry which was opening OWA, there was an excellent blog about this in the past from Principle Program Manager Lead Greg Taylor at Microsoft:

Companies (including Microsoft) expose OWA (over TCP 443) all the time without a reverse proxy. If management though is still concerned even after reading this article from the Microsoft Exchange Product Group, you have third party options to act as a "reverse proxy" (TMG / ISA / UAG are EOL sooner than later, and I am not 100% sure if you can still buy UAG), or you can use IIS AAR through Server 2012 R2. This would also be deployed in the DMZ.

The concept in setting it up would be the same for Exchange 2007 / 2013 as it would be for Exchange 2013.
LVL 34

Accepted Solution

it_saige earned 300 total points
ID: 40535833
What Adam has stated is spot on.  You have to realize that you are not opening the Exchange server up to the outside world.  All you are doing is providing the outside world access to services provided by the Exchange server.  And, when configured correctly, this access is audited, secured and restricted.

The successes (and failures) of configuring Exchange for public employee access are well documented and tested.


Author Closing Comment

ID: 40550154
Thanks Guys for all your help. Much Appreciated!
