Restrict access to Outlook Web Access via Exchange System Manager

Learn how to configure Exchange System Manager (ESM) to restrict certain users from accessing Outlook Web Access (OWA), without limiting users' LAN access.

We have an Exchange server with both a private and a public IP address. We also have a group of users inside the internal network who must access their email through Outlook Web Access (OWA). Every OWA-enabled domain user can access the domain from the Internet using our public IP address or FQDN, but we would like a different configuration.

We want only certain users to access OWA from the Internet, but we don't want this restriction to prevent other users from accessing the internal LAN. Is this possible?

To restrict access to OWA from the Internet to a certain subset of users, you can create a second Exchange Virtual Server within the Exchange System Manager (ESM) for Exchange Server 2003. You then must apply permissions to that folder. Here are the basic steps:

  1. If you have an available (i.e., unused) public IP address, add a private IP address to the current TCP/IP settings of your server's network card. This address will be mapped to the public address.

  2. Create a new DNS host entry for your system. For example, you might already have, but now you will add something like: Point this entry to the new public IP address (if you have one) or to the current public IP address.

  3. Drill down in the ESM through your server object -> Protocols -> HTTP to the Exchange Virtual Server. Right-click on the HTTP node and select "New HTTP Virtual Server."

  4. In the properties of the new virtual server, provide a name such as "Internet Virtual Server," and click on the Advanced button to specify the new, private IP address and/or the host header ( to distinguish it from the original virtual server. You'll want to edit the existing "All Unassigned" entry in there, instead of creating a new entry.

  5. In the Settings tab, enable forms-based authentication so that users will receive the OWA logon screen.

  6. If you're using the additional public IP address method rather than the existing IP address, configure your Internet firewall to direct inbound HTTP and/or HTTPS traffic for that IP address to your server's corresponding private IP address.

  7. Go into IIS Manager to view the new website that corresponds to your new virtual server. Note the directory on the hard drive, and then browse to that location. It should be the same path as the original virtual server, which typically is C:\Program Files\ExchSrvr\ExchWeb.

  8. Copy the ExchWeb directory and paste it into the ExchSrvr directory at the same level. You can call it ExchWebInternet.

  9. Set permissions on the new ExchWebInternet directory to give users the desired level of access. For example, set Deny permissions for those users (or security groups) that should NOT be able to access OWA through the Internet.

  10. If you are using SSL on your website, then you also should create a certificate for the new site. Be sure to specify a unique port number if you're using the same DNS name as the original site.

Once you've completed these steps, test the solution thoroughly using different user accounts.
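The secondary-address, directory-copy and Deny-permission steps above, scripted as an added PowerShell example that is not part of the original answer. The interface name, the private address 192.0.2.10/24 and the security group CONTOSO\OWA-Internet-Denied are assumptions; the ExchSrvr paths are the ones the answer gives.

```powershell
# Added example, not from the original Q&A. Run elevated on the Exchange server.
# Assumed values: interface "Local Area Connection", constructed private address
# 192.0.2.10/24, and a hypothetical group holding the users who must NOT reach
# OWA from the Internet. The two directory paths come from the answer above.
$Src   = 'C:\Program Files\ExchSrvr\ExchWeb'           # original OWA content (LAN site)
$Dst   = 'C:\Program Files\ExchSrvr\ExchWebInternet'   # copy served by the new virtual server
$Group = 'CONTOSO\OWA-Internet-Denied'                 # hypothetical security group

# Second private address on the NIC; the firewall maps the public address to it.
netsh interface ip add address "Local Area Connection" 192.0.2.10 255.255.255.0

# Duplicate the OWA directory beside the original so the two sites have separate ACLs.
if (-not (Test-Path -Path $Dst)) {
    Copy-Item -Path $Src -Destination $Dst -Recurse
}

# Explicit Deny ACE on the copy only. A Deny on a group overrides every Allow,
# so keep administrative accounts out of this group or they lose Internet OWA too.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
$acl = Get-Acl -Path $Dst
$acl.AddAccessRule($rule)
Set-Acl -Path $Dst -AclObject $acl

# Check: the Deny must be present on the Internet copy and absent from the
# original directory, otherwise LAN users in the group lose OWA as well.
function Test-DenyPresent([string]$Path) {
    $hits = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Deny'
    }
    return [bool]$hits
}
if (-not (Test-DenyPresent $Dst)) { throw "Deny ACE missing on $Dst" }
if (Test-DenyPresent $Src)        { throw "Deny ACE unexpectedly present on $Src" }
Write-Host "Deny ACE applied to $Dst only; LAN site content in $Src is untouched."
```

After running it, log on to the new host header or address with an account in the group and with one outside it; the first should be refused after the forms-based logon, the second should reach the mailbox, and both should still work against the original LAN site.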
