A while back we published an article explaining the support constraints that surrounded deploying Exchange 2007 with multiple Outlook Web App (OWA) Virtual Directories (see here http://msexchangeteam.com/archive/2008/01/07/447828.aspx) and as this idea seems to come up more and more frequently, we wanted to do the same for Exchange 2010.

Microsoft supports using multiple OWA and Exchange Control Panel (ECP) virtual directories on a single Exchange 2010 Client Access Server, each in its own website. Each virtual directory must be listening on the standard port (TCP 443) for the site.

NOTE: You must ensure that the Default Web Site is set to All Unassigned for IP, or problems will occur with PowerShell.

There are usually three reasons for choosing this type of configuration. Each of these has slightly different considerations.

  1. Scenario 1: You have one Active Directory site facing the Internet, and are using a reverse proxy (such as Microsoft Forefront Threat Management Gateway or Unified Access Gateway) in front of Exchange. You are delegating credentials from that firewall to Exchange, meaning you have to use Basic or Integrated Windows Authentication (IWA) on the CAS and not Forms-based Authentication (FBA). Your requirement is to provide FBA for all users, internal and external.
  2. Scenario 2: You have a non-Internet facing Active Directory site and your requirement is to provide FBA for all users, internal and external.
    In this configuration, in order to provide external users access to OWA or ECP, a CAS in the Internet-facing site must proxy requests to the CAS in the non-Internet-facing site. This requires the CAS in the non-internet-facing site have IWA enabled, thereby disabling FBA.
  3. Scenario 3: You have different users within one organization who require a different OWA experience, such as a different customization of the Form Based login page, or different Public/Private File Access or Segmentation features.

If the objective of creating multiple sites is to allow a CAS to offer FBA to internal users, as well as accept proxy or delegated connections from an Internet-facing site or a reverse proxy, each virtual directory will have a different authentication method. The site accessed directly by the user population will be FBA-enabled, the site accepting proxy requests from the Internet facing site — or delegated authentication requests from the firewall, will have IWA enabled (or potentially Basic for the firewall scenario).

Microsoft strongly recommends OWA and ECP virtual directories in the Default Web Site be configured for IWA, leaving the InternalURL as with the default (Server FQDN), making that site and virtual directory the target of proxy requests from other Active Directory sites or delegated connections from the firewall.

Microsoft recommends creating the second OWA/ECP virtual directories in a new IIS web site with a different IP address, and using it for internal client access. By default the new virtual directories will be FBA-enabled, and have no internal or external URL values.