We want only certain users to access OWA from the Internet, but we don't want this restriction to prevent other users from accessing the internal LAN. Is this possible?
- If you have an available (i.e., unused) public IP address, add a private IP address to the current TCP/IP settings of your server's network card. This address will be mapped to the public address.
- Create a new DNS host entry for your system. For example, you might already have mail.yourdomain.com, but now you will add something like: mail2.yourdomain.com. Point this entry to the new public IP address (if you have one) or to the current public IP address.
- Drill down in ESM through your server object -> Protocols -> HTTP to the Exchange Virtual Server. Right-click on the HTTP node and select "New HTTP Virtual Server."
- In the properties of the new virtual server, provide a name such as "Internet Virtual Server," and click on the Advanced button to specify the new, private IP address and/or the host header (mail2.yourdomain.com) to distinguish it from the original virtual server. You'll want to edit the existing "All Unassigned" entry in there, instead of creating a new entry.
- In the Settings tab, enable forms-based authentication so that users will receive the OWA logon screen.
- If you're using the additional public IP address method rather than the existing IP address, configure your Internet firewall to direct inbound HTTP and/or HTTPS traffic for that IP address to your server's corresponding private IP address.
- Go into IIS Manager to view the new website that corresponds to your new virtual server. Note the directory on the hard drive, and then browse to that location. It should be the same path as the original virtual server, which typically is C:\Program Files\ExchSrvr\ExchWeb.
- Copy the ExchWeb directory and paste it into the ExchSrvr directory at the same level. You can call it ExchWebInternet.
- Set permissions on the new ExchWebInternet directory to give users the desired level of access. For example, set Deny permissions for those users (or security groups) that should NOT be able to access OWA through the Internet.
- If you are using SSL on your website, then you also should create a certificate for the new site. Be sure to specify a unique port number if you're using the same DNS name as the original site.
Once you've completed these steps, test the solution thoroughly using different user accounts.
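The directory copy and Deny-permission steps above, scripted in PowerShell as an added example (not part of the original answer). The group name `YOURDOMAIN\OWA-Internet-Deny` is a hypothetical placeholder, and the path assumes the typical install location given above.

```powershell
# Assumptions (not from the original answer): the typical Exchange install path,
# and a hypothetical security group holding the users who must NOT reach OWA
# from the Internet.
$exchSrvr  = 'C:\Program Files\ExchSrvr'
$source    = Join-Path $exchSrvr 'ExchWeb'
$target    = Join-Path $exchSrvr 'ExchWebInternet'
$denyGroup = 'YOURDOMAIN\OWA-Internet-Deny'   # hypothetical group name

# Copy the directory once; never overwrite an existing copy.
if (-not (Test-Path $target)) {
    Copy-Item -Path $source -Destination $target -Recurse
}

# Build a Deny ACE that applies to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $denyGroup, 'ReadAndExecute', $inherit, $propagate, 'Deny')

# Add the ACE to the copy only; the original ExchWeb ACL is left untouched.
$acl = Get-Acl -Path $target
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# Verify: the copy should carry the Deny entry, the original should not.
foreach ($dir in $source, $target) {
    $denies = (Get-Acl -Path $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $denyGroup
    }
    '{0}: {1} Deny entries for {2}' -f $dir, @($denies).Count, $denyGroup
}
```

An explicit Deny entry takes precedence over Allow entries, so any account placed in the group is blocked even if another group grants it access; keep the group's membership limited to the users you intend to restrict.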