OWA for external users

Posted on 2014-12-23
Last Modified: 2015-01-14
Hello folks,
I have been tasked to provide OWA access for external users. Currently there is no external email access besides mobile phone through Goodlink tech. Outlook / OWA is accessible only internally and now there is a requirement to make this available to sales people who are on the road and need to check their mail. I am trying to get the most practical solution which does not require a lot of work. Someone has suggested we need to install a Edge transport server but I was wondering if there is some other way. Right now our email are sent / received through a smtp-relay server. Thanks in advance for you time and suggestions.

Kind regards,
Question by:Antonio02
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +2
LVL 34

Expert Comment

ID: 40515911
How many Exchange servers do you have?


Expert Comment

by:Veerappan Sundaram
ID: 40515961
What version of Exchange server(s) you have?

There is no easy way to setup setup OWA securely (very much needed and important)

Basic Needs are:
1. Public DNS entry with public IP address to publish your OWA URL (
2. You should have one of the below servers in your DMZ
      a. MS Exchange 2010/2013 Edge server.
      b. MS Forefront UAG/TMG server
3. Firewall rules has to be setup for TCP 443/80, 53, 3268/389
4. You need a SSL certificate from a publicly trusted CA (VeriSign, GoDady, etc)

Since you wanted to have simple way - (Highly not recommended)
In case of Exchange 2010/2013, you should have a CAS array.
  1. You need Public DNS entry with public IP address to publish your OWA URL
  2. SSL certificated from a publicly trusted CA (VeriSign, GoDady, etc)
  3. Create a NAT on your firewall between Public IP and CAS array IP, allow TCP port 443/80
  4. Install the public certificate on you CAS servers.
  5. You need configure the External OWA URL on all CAS servers.


Expert Comment

by:Arjun Vyavahare
ID: 40515985

Simply configure Internet Public IP address with your CAS role (Server) and open port 443,80, 53, 3268,389 in firewall.

And simply access either Public IP address from WAN like or if you have DNS published then access owa using DNS i.e.

I hope this will help you.

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 19

Expert Comment

by:Adam Farage
ID: 40516313
Im a little confused by some of the responses here, esp for opening stuff like LDAP (TCP 389) and security.

Here are the steps at a high level overview, I can dive deep into any of them if you have questions...

Add the proper ExternalURL and InternalURL to the OWA and ECP virtual directory (this will be something like and
Make sure a valid public SSL certificate is applied to the IIS service on the CAS (you can view the SSL certificates by doing Get-ExchangeCertificate | FL). This certificate *must* have the OWA ExternalURL in there or users will get hit with an invalid SSL certificate error when going to OWA.
Open TCP 443 on your firewall to allow connections from outside users to be NAT / Port Forwarded to the CAS or CAS Array (if you have one)
Put a DNS A record in Public DNS for your OWA namespace (as I stated above its usually
Test - it should work

As for security, Microsoft has even said themselves that you do not need a third party reverse proxy (or IIS AAR) unless its a compliance requirement. This is from Greg Taylor, Principle Program Manager Lead in the Exchange group.

As for the ports that the person above me posted, he isnt talking about TMG / UAG or ISA... so can you explain to me why those ports are required? Exchange will encapsulate over HTTPS the authentication packet so TCP 389 does not need to be open unless there is a reverse proxy, and the same goes with TCP 3265 (LDAP-S). TCP 80 should NOT be open unless he is doing a URL redirection from HTTP to HTTPS, as the server would need to be open.
LVL 34

Expert Comment

ID: 40516447
Of all of the responses, I agree mostly with Adam.

First, you don't need TMG or an Edge Server.  In a single-server environment, you most likely wouldn't have TMG and definately would not have an Edge Server.  It is what Microsoft has been doing for years with Small Business Server and now Essentials.

Second, the only port you need to open is 443.  OWA does not need 80, although, for ease of use, having users type in and then IIS redirects the request to HTTPS is sometimes very sought after.

The other ports, 53 - Domain Name System (DNS), 389 - Lightweight Directory Access Protocol (LDAP) and 3268 - msft-gc, Microsoft Global Catalog (LDAP service which contains data from Active Directory forests); are definately not needed.  As a matter of fact, not a single Exchange service requires these ports open.

Third, while it is recommended it is not necessary to use a commercial public certificate, you can use a self-signed certificate if you are only doing OWA.  If, however, you start using ActiveSync, then you will want to get a commercial public certificate (you can still use ActiveSync with self-signed certificates, but I don't want to be the one to install the self-signed certificate on supported devices).


Author Comment

ID: 40518886
Thank you so much for your responses. I will give these suggestions a try and let you know how it goes. Unfortunately we are currently under a change freeze so it will have to be done after the holidays.

Thanks again.
LVL 19

Expert Comment

by:Adam Farage
ID: 40519301
Noo problem. It should be really simple, it gets more complex if you are honestly worried about "attack surface area" (over TCP 443.. *sigh*) and implement a reverse proxy.

Also completely ignore the "Edge" server comment from the other expert. He was most likely referring to a reverse proxy which is *not* required, as the EDGE role in Exchange 2007+ is a SMTP role (Exchange's built in smarthost, which normally goes into the DMZ)

Author Comment

ID: 40534775
Thanks Adam,

I presented this solution to management and they seem to be reluctant with opening the Exchange server to the outside world. They feel we should deploy a edge server in the DMZ and have the Edge server communicate with the HT servers. Any thoughts on pros/cons with using the Edge transport.

I also want to know if there will be any affect on the existing configuration (outgoing /incoming emails from the internet) if we install a edge server. I understand new connectors are created when a edge server is installed.

Thanks so much for your time.
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 400 total points
ID: 40534864
Hey Antonio,

I think you are getting this a tad bit mixed up. I will explain both solutions, and provide a bit of reference.

So as for the EDGE transport role, that can be deployed internally or externally (e.g: DMZ). This is solely for TCP 25 (SMTP) traffic and does a few different things:

1) if placed into the DMZ (which is what occurs 9/10th of the times) it will reduce the exposed space of Exchange to the internet
2) if configured you can also do simple virus scanning / anti-malware and spam scanning on the device (although its a little finicky from what I have seen in the past)

Here is a good article on setting this up:

As for your other inquiry which was opening OWA, there was an excellent blog about this in the past from Principle Program Manager Lead Greg Taylor at Microsoft:

Companies (including Microsoft) expose OWA (over TCP 443) all the time without a reverse proxy. If management though is still concerned even after reading this article from the Microsoft Exchange Product Group, you have third party options to act as a "reverse proxy" (TMG / ISA / UAG are EOL sooner than later, and I am not 100% sure if you can still buy UAG), or you can use IIS AAR through Server 2012 R2. This would also be deployed in the DMZ.

The concept in setting it up would be the same for Exchange 2007 / 2013 as it would be for Exchange 2013.
LVL 34

Accepted Solution

it_saige earned 100 total points
ID: 40535833
What Adam has stated is spot on.  You have to realize that you are not opening the Exchange server up to the outside world.  All you are doing is providing the outside world access to services provided by the Exchange server.  And, when configured correctly, this access is audited, secured and restricted.

The success' (and failure's) of configuring Exchange for public employee access are well documented and tested.


Author Closing Comment

ID: 40550154
Thanks Guys for all your help. Much Appreciated!

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question