OWA for external users

Hello folks,
I have been tasked to provide OWA access for external users. Currently there is no external email access besides mobile phones through Goodlink tech. Outlook / OWA is accessible only internally, and now there is a requirement to make this available to sales people who are on the road and need to check their mail. I am trying to get the most practical solution which does not require a lot of work. Someone has suggested we need to install an Edge transport server, but I was wondering if there is some other way. Right now our emails are sent / received through an SMTP relay server. Thanks in advance for your time and suggestions.

Kind regards,

How many Exchange servers do you have?

Veerappan Sundaram, Senior Technical Consultant, commented:
What version of Exchange server(s) do you have?

There is no easy way to set up OWA securely (very much needed and important).

Basic Needs are:
1. Public DNS entry with public IP address to publish your OWA URL (https://owa.companyname.com)
2. You should have one of the below servers in your DMZ
      a. MS Exchange 2010/2013 Edge server.
      b. MS Forefront UAG/TMG server
3. Firewall rules have to be set up for TCP 443/80, 53, 3268/389
4. You need an SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)

Since you wanted a simple way (highly not recommended):
In case of Exchange 2010/2013, you should have a CAS array.
  1. You need a public DNS entry with a public IP address to publish your OWA URL
  2. SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)
  3. Create a NAT on your firewall between the public IP and the CAS array IP, allow TCP port 443/80
  4. Install the public certificate on your CAS servers.
  5. You need to configure the External OWA URL on all CAS servers.

Arjun Vyavahare, Technical Consultant, commented:

Simply configure an Internet public IP address for your CAS role (server) and open ports 443, 80, 53, 3268, 389 in the firewall.

Then simply access it either by public IP address from the WAN, or, if you have DNS published, access OWA using DNS, i.e. https://owa.xyz.com/owa.

I hope this will help you.


Adam Farage, Enterprise Architect, commented:
I'm a little confused by some of the responses here, especially for opening stuff like LDAP (TCP 389) and security.

Here are the steps at a high level overview, I can dive deep into any of them if you have questions...

Add the proper ExternalURL and InternalURL to the OWA and ECP virtual directory (this will be something like mail.company.com/owa and mail.company.com/ecp)
Make sure a valid public SSL certificate is applied to the IIS service on the CAS (you can view the SSL certificates by doing Get-ExchangeCertificate | FL). This certificate *must* have the OWA ExternalURL in there or users will get hit with an invalid SSL certificate error when going to OWA.
Open TCP 443 on your firewall to allow connections from outside users to be NAT / Port Forwarded to the CAS or CAS Array (if you have one)
Put a DNS A record in public DNS for your OWA namespace (as I stated above, it's usually mail.company.com)
Test - it should work

As for security, Microsoft has even said themselves that you do not need a third-party reverse proxy (or IIS ARR) unless it's a compliance requirement. This is from Greg Taylor, Principal Program Manager Lead in the Exchange group.

As for the ports that the person above me posted, he isn't talking about TMG / UAG or ISA... so can you explain to me why those ports are required? Exchange will encapsulate the authentication packet over HTTPS, so TCP 389 does not need to be open unless there is a reverse proxy, and the same goes for TCP 3265 (LDAP-S). TCP 80 should NOT be open unless he is doing a URL redirection from HTTP to HTTPS, as the server would need to be open.
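The steps Adam lists (ExternalURL/InternalURL on the OWA and ECP virtual directories, then confirming the IIS certificate actually contains the OWA namespace) map directly onto Exchange Management Shell cmdlets. The script below is an added example written for this thread, not code from the original answer or from Microsoft; it assumes a namespace of mail.company.com (the placeholder used in the thread) and a single Client Access server named CAS01 (a hypothetical name), and it runs in the Exchange Management Shell on Exchange 2010/2013.

```powershell
# Added example for this thread (not from the original answer).
# Assumptions: namespace mail.company.com (thread placeholder), CAS named CAS01 (hypothetical).
# Run in the Exchange Management Shell as an Exchange Organization Management member.

$Namespace = 'mail.company.com'
$Server    = 'CAS01'

# Step 1: use the same name inside and outside, so one DNS record and one certificate cover both.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"

# Show what is now configured (equivalent of Adam's "view the virtual directories" check).
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# Step 2: find the certificate bound to the IIS service and verify it covers the OWA namespace.
# Get-ExchangeCertificate | FL (as in the answer) shows the same fields; here they are checked in code.
$iisCert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCert) {
    throw "No certificate is enabled for IIS on $Server. Bind one with: Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS"
}

# A SAN entry matches either exactly or via a wildcard such as *.company.com.
$coversName = $iisCert.CertificateDomains | Where-Object {
    ($_ -ieq $Namespace) -or ($_.StartsWith('*.') -and ($Namespace -like $_))
}

if (-not $coversName) {
    # This is the exact condition Adam describes: users get an invalid-certificate error on the OWA logon page.
    Write-Warning "Certificate $($iisCert.Thumbprint) does not contain $Namespace (SANs: $($iisCert.CertificateDomains -join ', '))."
} elseif ($iisCert.IsSelfSigned) {
    Write-Warning "Certificate for $Namespace is self-signed; external users will not trust it without manual installation."
} elseif ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate for $Namespace expires on $($iisCert.NotAfter); renew before publishing."
} else {
    Write-Output "OK: $Namespace is covered by certificate $($iisCert.Thumbprint), valid until $($iisCert.NotAfter)."
}
```

If the check warns about the name, request a new public certificate whose subject alternative names include the namespace, import it with Import-ExchangeCertificate, and bind it with Enable-ExchangeCertificate -Services IIS before opening TCP 443 on the firewall (step 3 in the answer); re-running the script afterwards should print the OK line.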
Of all of the responses, I agree mostly with Adam.

First, you don't need TMG or an Edge Server.  In a single-server environment, you most likely wouldn't have TMG and definitely would not have an Edge Server.  It is what Microsoft has been doing for years with Small Business Server and now Essentials.

Second, the only port you need to open is 443.  OWA does not need 80, although, for ease of use, having users type in mail.yourdomain.com and then IIS redirects the request to HTTPS is sometimes very sought after.

The other ports (53 - Domain Name System (DNS), 389 - Lightweight Directory Access Protocol (LDAP) and 3268 - msft-gc, Microsoft Global Catalog (LDAP service which contains data from Active Directory forests)) are definitely not needed.  As a matter of fact, not a single Exchange service requires these ports open.

Third, while it is recommended it is not necessary to use a commercial public certificate, you can use a self-signed certificate if you are only doing OWA.  If, however, you start using ActiveSync, then you will want to get a commercial public certificate (you can still use ActiveSync with self-signed certificates, but I don't want to be the one to install the self-signed certificate on supported devices).
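Both of the last two answers make the same point: the only port that must be reachable from the Internet is TCP 443 (80 only if you deliberately redirect HTTP to HTTPS), and 53, 389 and 3268 should stay closed. The script below is an added example, not part of either answer, for confirming that after the firewall change; it assumes the namespace mail.company.com from the thread and is meant to be run from a client outside the corporate network (Windows 8.1 / Server 2012 R2 or later, for Test-NetConnection).

```powershell
# Added example for this thread (not from the original answers).
# Assumption: OWA is published as mail.company.com (thread placeholder).
# Run from a machine OUTSIDE the network so the firewall and NAT are actually exercised.

$Namespace = 'mail.company.com'

# Expected exposure per the answers above: 443 open, everything else closed.
# If you chose the HTTP->HTTPS redirect convenience, change 80 to $true.
$Expected = [ordered]@{ 443 = $true; 80 = $false; 53 = $false; 389 = $false; 3268 = $false }

$Results = foreach ($port in $Expected.Keys) {
    $open = (Test-NetConnection -ComputerName $Namespace -Port $port `
                -WarningAction SilentlyContinue -InformationLevel Quiet)
    [pscustomobject]@{
        Port     = $port
        Open     = $open
        Expected = $Expected[$port]
        OK       = ($open -eq $Expected[$port])
    }
}
$Results | Format-Table -AutoSize

$Unexpected = $Results | Where-Object { -not $_.OK }
if ($Unexpected) {
    Write-Warning ("Exposure differs from plan on port(s): " + ($Unexpected.Port -join ', '))
}

# Functional check over HTTPS: a valid, trusted certificate whose name matches the namespace
# is required for this to succeed; a name mismatch or self-signed cert raises an exception here,
# which is the same error external users would see in their browser.
try {
    $resp = Invoke-WebRequest -Uri "https://$Namespace/owa" -UseBasicParsing -MaximumRedirection 5
    Write-Output "OWA reachable: HTTP $($resp.StatusCode), final URL $($resp.BaseResponse.ResponseUri)"
} catch {
    Write-Warning "HTTPS check for https://$Namespace/owa failed: $($_.Exception.Message)"
}
```

The port table gives management an auditable record of exactly what was published (just 443), which is the argument made later in the thread about exposing a service rather than "the server".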

Antonio02 (Author) commented:
Thank you so much for your responses. I will give these suggestions a try and let you know how it goes. Unfortunately we are currently under a change freeze so it will have to be done after the holidays.

Thanks again.
Adam Farage, Enterprise Architect, commented:
No problem. It should be really simple; it gets more complex if you are honestly worried about "attack surface area" (over TCP 443.. *sigh*) and implement a reverse proxy.

Also completely ignore the "Edge" server comment from the other expert. He was most likely referring to a reverse proxy, which is *not* required, as the EDGE role in Exchange 2007+ is an SMTP role (Exchange's built-in smarthost, which normally goes into the DMZ).
Antonio02 (Author) commented:
Thanks Adam,

I presented this solution to management and they seem to be reluctant to open the Exchange server to the outside world. They feel we should deploy an Edge server in the DMZ and have the Edge server communicate with the HT servers. Any thoughts on pros/cons of using the Edge transport?

I also want to know if there will be any effect on the existing configuration (outgoing / incoming emails from the Internet) if we install an Edge server. I understand new connectors are created when an Edge server is installed.

Thanks so much for your time.
Adam Farage, Enterprise Architect, commented:
Hey Antonio,

I think you are getting this a tad bit mixed up. I will explain both solutions, and provide a bit of reference.

So as for the EDGE transport role, that can be deployed internally or externally (e.g: DMZ). This is solely for TCP 25 (SMTP) traffic and does a few different things:

1) if placed into the DMZ (which is what occurs 9 out of 10 times) it will reduce the exposed space of Exchange to the Internet
2) if configured you can also do simple virus scanning / anti-malware and spam scanning on the device (although it's a little finicky from what I have seen in the past)

Here is a good article on setting this up: http://exchangeserverpro.com/exchange-2010-install-edge-transport-server/

As for your other inquiry, which was opening OWA, there was an excellent blog about this in the past from Principal Program Manager Lead Greg Taylor at Microsoft: http://blogs.technet.com/b/exchange/archive/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think.aspx

Companies (including Microsoft) expose OWA (over TCP 443) all the time without a reverse proxy. If management though is still concerned even after reading this article from the Microsoft Exchange Product Group, you have third party options to act as a "reverse proxy" (TMG / ISA / UAG are EOL sooner than later, and I am not 100% sure if you can still buy UAG), or you can use IIS AAR through Server 2012 R2. This would also be deployed in the DMZ.


The concept in setting it up would be the same for Exchange 2007 / 2013 as it would be for Exchange 2013.
What Adam has stated is spot on.  You have to realize that you are not opening the Exchange server up to the outside world.  All you are doing is providing the outside world access to services provided by the Exchange server.  And, when configured correctly, this access is audited, secured and restricted.

The successes (and failures) of configuring Exchange for public employee access are well documented and tested.


Antonio02 (Author) commented:
Thanks Guys for all your help. Much Appreciated!