Separate OWA sites?
What are my options for creating 2 different OWA sites for my organization?
I need two sites because I need to limit a sub-set of people from using OWA from outside the local network while maintaining their ability to use it inside the local network.
I have an Exchange 2007 server that some of the users I want to keep from outside access are on and a 2010 server that some of the users I want to keep from outside access are on. I have the CAS server role set up on each server along with all the other roles.
I would like to do this without changing too much about my setup, like adding another CAS, etc...
Any advice, suggestions?
March 20th, 2012 2:56pm
Are you using ISA or TMG? You can achieve that by creating a web listener, having authentication at the TMG/ISA server, and allowing it for specific users.
March 20th, 2012 5:17pm
Unfortunately not, I have third-party firewall and threat protection systems. Any way to just create two different OWA sites on Exchange Server 2007 and 2010?
March 21st, 2012 8:15am
Yes you can. Open IIS and create a website at the same level as "Default Web Site", give it a name like "OWAExt" and select the default settings. Then you need either to select different port numbers for HTTP and HTTPS, like 81 and 444, or add another network card to the server, in which case you will be able to use ports 80 and 443. After that you will need to run the New-OWAVirtualDirectory command from PowerShell.
http://technet.microsoft.com/en-us/library/bb123752%28v=exchg.80%29.aspx
http://technet.microsoft.com/en-us/library/bb123752.aspx
March 21st, 2012 8:31am
Thanks. Do you know if this is a supported configuration? From my initial research it seems you can only have one OWA site per CAS? Do I need to turn off forms based authentication on my main OWA site to get this to work?
March 21st, 2012 8:50am
Also, do I need to use different ports if I assign the new site its own IP address?
March 21st, 2012 9:07am
I don't know if it is supported or not, but I think it should be. For the ports, you don't need to assign different ports if each site will have its own IP.
Check this, I think it will help you set up the configuration:
Hi all,
I have this scenario that works for me:
The default Web Site provides OWA access to all internal users with Basic Authentication.
The second web site allows external OWA access for only some users with Form Basic Authentication.
Here is the procedure I used:
Create AD Group
ex: OWA_EXT_USR
- IN IIS
Create a new WEB SITE
- New IP
- Ports 80 / 443
- Name WebMAIL
- Default Path - C:\inetpub\wwwroot
Install Certificate (HTTPS) for External User
Copy the Folders:
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ecp
to
Ex:
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\ecp
ON IIS - ISAPI and CGI Restrictions
Give Permission ALLOW to this DLL
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa\auth\owaauth.dll
On Exchange Power Shell
New-OwaVirtualDirectory -WebSiteName "WebMAIL" -Path "C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa"
New-EcpVirtualDirectory -WebSiteName "WebMAIL" -Path "C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\ecp"
Fix Virtual Directory Path
Exchange
Exchweb
Public
In IIS - change - The Virtual Directory Path
....\V14\ClientAccess\Owa
to
....\V14_ext\ClientAccess\Owa
In Exchange Console
- Server Configuration > Client Access > <server> > Outlook Web APP > owa (Mail) > Properties
Authentication > Use one or more standard authentication methods > FBA
- Server Configuration > Client Access > <server> > Exchange Control Panel > ECP (Mail) > Properties
Authentication > Use one or more standard authentication methods > FBA
Now NTFS Permission
Folder
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa
SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa\auth
SYSTEM FULL
ADM FULL FULL
OWA_EXT_USERS READ
Authenticated user READ
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa\auth\*.*
SYSTEM FULL
ADM FULL FULL
OWA_EXT_USERS READ & Execute
Authenticated user READ & Execute
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\Owa\14.0.636.21
SYSTEM FULL
ADM FULL FULL
OWA_EXT_USERS READ
Authenticated user READ
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\ecp
SYSTEM FULL
ADM FULL
OWA_EXT_USERS READ
C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess\ecp\14.0.636.21
SYSTEM FULL
ADM FULL FULL
OWA_EXT_USERS READ
Authenticated user READ
Reset IIS
Now you can Control the access to this OWA using the group OWA_EXT_USERS
March 21st, 2012 9:29am
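An added example, not part of any post in this thread: a PowerShell check that lists Allow entries on the copied folders that fall outside the principals named in the procedure above. Folders copied under Program Files pick up inherited entries from the parent (typically including BUILTIN\Users), which would let accounts outside OWA_EXT_USERS read the external site's files. The paths, version folder and group name come from the post; reading "ADM" as Administrators and the regex patterns are assumptions of this example.

```powershell
# Added example: audit NTFS Allow entries on the copied OWA/ECP folders.
# Assumption: "ADM" in the post means the Administrators group.
$base = 'C:\Program Files\Microsoft\Exchange Server\V14_ext\ClientAccess'

# Folder -> regex of identities the procedure lists for that folder
$expected = @{
    "$base\Owa"              = 'SYSTEM|Administrators|OWA_EXT_USERS'
    "$base\Owa\auth"         = 'SYSTEM|Administrators|OWA_EXT_USERS|Authenticated Users'
    "$base\Owa\14.0.636.21"  = 'SYSTEM|Administrators|OWA_EXT_USERS|Authenticated Users'
    "$base\ecp"              = 'SYSTEM|Administrators|OWA_EXT_USERS'
    "$base\ecp\14.0.636.21"  = 'SYSTEM|Administrators|OWA_EXT_USERS|Authenticated Users'
}

function Get-UnexpectedAce {
    param(
        [string]$Path,
        [string]$AllowedPattern
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Missing folder: $Path"
        return
    }
    # Keep only Allow entries whose identity is not on the expected list
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notmatch $AllowedPattern
        } |
        Select-Object @{n='Path';     e={$Path}},
                      @{n='Identity'; e={$_.IdentityReference.Value}},
                      FileSystemRights,
                      IsInherited   # True = entry comes from the parent folder
}

$findings = foreach ($p in $expected.Keys) {
    Get-UnexpectedAce -Path $p -AllowedPattern $expected[$p]
}

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    'No unexpected Allow entries found.'
}
```

Rows with IsInherited set to True indicate that inheritance is still enabled on the copied folder, so the explicit permissions from the procedure are not the only ones in effect.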
Excellent, Thanks. I will let you know how it goes. I am hoping to not have to do this and that management will reconsider this request, but it is nice to have this ready to go if they don't.
March 21st, 2012 9:34am
Management has decided against blocking OWA for people, so I don't have to implement this. Thanks for your help.
March 22nd, 2012 12:14pm