Exchange 2010 – Multiple OWA/ECP Directories Part 1   16 comments

***Edited New-ECPVirtualDirectory cmdlet text – August 12th, 2011***

This document was written to provide step by step instructions for anyone wanting to configure multiple OWA and ECP directories in Exchange 2010. The document will go through a setup and configuration which can provide the baseline for any configuration variation required by an organization needing this type of solution. This document will NOT provide a one stop solution for all scenarios. The solution provided was based on the article by the Exchange Team which can be found here.

Note: The sample configurations shown were done primarily through Exchange Management Shell (EMS). Some of these tasks can be completed through Exchange Management Console (EMC); however, showing them through EMS allows an easily repeatable process through scripting or copy and paste.


The biggest reason (in my opinion) to have this configuration is in situations where the organization wants to prevent internal Outlook Web App (OWA)/Exchange Control Panel (ECP) traffic in remote sites from coming into the primary site and then back to the remote (via CAS proxy). However, there are 3 common reasons identified by the Exchange Team which calls for this solution, one of which is the reason identified above.

Scenario 1: There is one Active Directory site facing the Internet, and there is a reverse proxy (such as Microsoft Forefront Threat Management Gateway or Unified Access Gateway) in front of Exchange. The reverse proxy is configured to delegate credentials to Exchange, meaning the CAS servers are configured to use Basic or Integrated Windows Authentication (IWA) and not Forms-based Authentication (FBA). The requirement is to provide FBA for all users, internal and external.

Scenario 2: There is a non-Internet facing Active Directory site and your requirement is to provide FBA for all users, internal and external.

In this configuration, in order to provide external users access to OWA or ECP, a CAS in the Internet-facing site must proxy requests to the CAS in the non-Internet-facing site. This requires the CAS in the non-internet-facing site have IWA enabled, thereby disabling FBA.

Scenario 3: There are different users within one organization who require a different OWA experience, such as a different customization of the Form Based login page, or different Public/Private File Access or Segmentation features.

Part 1 of this document will provide the basic setup required for creating multiple sites with different configurations. In part 2 of this document I will show you how to take these basic steps and use them (with some tweaks) to configure a remote site that has two or more CAS servers configured with Windows Network Load Balancing (WNLB).

Prep Work:

In order to get the ground work ready for multiple OWA and ECP virtual directories there are a few things that need to be done.

Step 1: IP Address

Obtain a second IP address and add it to the NIC of your server.

NOTE: If the servers are configured in a Windows NLB cluster please refer to the second part of this document. As there are a few differences that will be required in order for it to work properly.

Above I have shown I have two IP addresses assigned to this NIC. (Primary IP) and .100 for the secondary IP.

Step 2: DNS

Add a DNS entry for that secondary IP address for the name we will want to use in the new FBA OWA web site. I have chosen “testwebmail”. Be sure there is a valid SSL certificate (recommended to have UC or SAN SSL certs) on the server which has the new name “testwebmail” that will be used in the certificate.

NOTE: In order to configure SSL communication during the creation of the new website, a certificate is required. Ensuring it has the correct name, is from a trusted Certificate Authority, and is in the valid date range will avoid certificate errors seen by clients. For more information see this TechNet article.

Step 3: New Web Site

Create a new web site in IIS on the Client Access Server and bind it to the new IP address used in step 1.

To do this open “Internet Information Services” from the Administrative Tools menu. Expand down to “Sites”. You should see the “Default Web Site” listed similar to what’s shown below.

Right click on “Sites” and select “Add Web Site”

Now a box will come up where information will be required to be filled in. I have provided some information for each field that requires input.


  1. Site Name – I like to keep mine simple for easy management when in EMS so I named it “FBA”.
  2. Select the physical path where the files will be – I put mine in the inetpub directory under a new folder called FBA.
  3. In the “Type” field, select “https” in the drop down menu.
  4. Enter the IP address that was added from Step 1. This is called the binding.
  5. Select the SSL certificate in the drop down menu.

Once finished you should see this:

Now the ground work is complete and we can move into Exchange and begin our configuration. But wait!…there is someone in my head telling me I should bind the primary IP address to the Default Web Site before moving to Exchange. DON’T LISTEN!!!!! Doing this will actually break powershell. The Exchange Team made a note in their article as well. Good thing I read that article AFTER I already broke it the first few times I tried this. 🙂

Configuring Exchange

Step 4: Adding Exchange Virtual Directories

The web site has been created and bound to the secondary IP address of our server. Also the DNS record that will be used to access the new FBA OWA page was added to DNS. The next step is to go into EMS and begin adding our virtual directories for OWA and ECP.

Login to the Exchange server and open the Exchange Management Shell. Then run Get-OWAVirtualDirectory and Get-ECPVirtualDirectory to see the default OWA and ECP directories.


NOTE: Notice the names. In previous steps I mentioned I used a short simple name for the web site I will be adding these new directories to. This is because in EMS the name will always appear as “owa (SiteName)” and “ecp (SiteName)”. With a shorter name it makes it easier to work with in EMS.

Now run the cmdlets to create a new OWA and ECP site.

New-OWAVirtualDirectory –Name FBA –WebSiteName FBA –InternalUrl



New-ECPVirtualDirectory  –WebSiteName FBA –InternalUrl


At this point the virtual directories are created with default settings using FBA. Now we have two OWA and two ECP sites both configured to use FBA.

Step 5: Configure the Virtual Directories

To configure the virtual directories we will disable FBA on the Default Web Site OWA and ECP virtual directories.


Set-OWAVirtualDirectory –Name “OWA (Default Web Site)” –WindowsAuthentication $true –BasicAuthentication $false –FormsBasedAuthentication $false


Set-ECPVirtualDirectory –Name “ECP (Default Web Site)” –WindowsAuthentication $true –BasicAuthentication $false –FormsBasedAuthentication $false


NOTE: This sample is configuring the default site with Windows Authentication. This is for scenarios where internal users are not to be prompted or for remote sites that require CAS Proxy functionality to work while allowing local users to access the FBA page locally without going across the WAN. Verify this is needed for the situation and make adjustments to the authentication mechanism as needed.


I like to setup the FBA to not require the domain name as a part of the logon. This prevents less calls to the help desk and end user confusion. Some situations will require the domain name as a part of the logon. For example, in an environment with multiple domains.

To do this simply type the following:

Set-OWAVirtualDirectory –Name “OWA (FBA)” –LogonFormat Username –DefaultDomain


Step 6: Verify the Virtual Directory Configuration

Once the virtual directories are configured, verification of the settings can be accomplished with the following cmdlets:


Get-OWAVirtualDirectory | FL Name,*Url,*Authentication,LogonFormat,Defaultdomain


Get-ECPVirtualDirectory | FL Name,*Url,*Authentication,LogonFormat,Defaultdomain


NOTE: “FL” stands for format-list. I don’t want all the output provided by a format-list so I have specified specific parameters I want to see the values of. For more information on how to manipulate the output see this link.

With the above output I can verify that OWA and ECP directories are configured as desired. The directories on the Default Web Site are configured for Windows Authentication and the directories on the FBA web site are configured for FBA with logon format I want.

The final step in the configuration is to run iisreset on the Exchange server to ensure the settings take effect. It is not necessary to open a command prompt. This can be run from EMS.



NOTE: Because this was a lab environment I did not run iisreset with the /noforce switch. However, if you have active connections to the systems that you do not want to interrupt you should use the /noforce switch.


Now there are two different web sites, each configured with a different authentication mechanism for the OWA and ECP virtual directories. This can allow more flexibility in how clients access OWA/ECP as well as reduce WAN traffic in a remote site scenario where CAS Proxying would normally be used.

The posts are provided “AS-IS” with no warranties, and confers no rights




Posted February 28, 2011 by Chris Morgan in Exchange/UC

Tagged with , ,

16 responses to “Exchange 2010 – Multiple OWA/ECP Directories Part 1

Subscribe to comments with RSS.

  1. Hello, I am not able to find Part 2 of this series.
    Can you please help me with this. I am stuck with NLB configuration.


  2. Pingback: IT Musings » Blog Archive » Exchange 2010 - Seperate OWA authentication

  3. Excellent articale. With this I was able to setup external authentication to windows based authentication (due to site to site cas to cas access) and internal authentication to form based!
    Thank You

  4. Hi Chris, Please correct the text under “New-ECPVirtualDirectory..” – in your picture you don’t have -Name but you do in text and it fails when you have
    -Name in the command 🙂 otherwise fantastic!

  5. Great article!
    Save my time.
    I used this for two OWA’s and two different certificates (from internal CA and existing external wildcard).

    One small error: the entry “New-ECPVirtualDirectory –Name FBA –WebSiteName FBA –InternalUrl” should be without “-Name FBA”, like on image: “New-ECPVirtualDirectory –WebSiteName FBA –InternalUrl“.


  6. I am still new to this whole process. Please advise: You say “where the files will be”. Problem I am having is with which files? I have made an exact copy of the ECP (that’s under the Client Access directory) and used it as the physical path for the second site, but then it gave me an error page when I try to load the site. Says “Object moved to here”.
    Is this something to do with the Application Pool only allowing one ECP site linked to the server or what can I look at?

  7. please post NLB part. i am also stuck in NLB . it’s really help to me.

  8. Very useful article, thanks!

    We altered the addition of the secondary IP slightly as we didn’t want it automatically registering with DNS (only want the Primary IP to do this) so we used the command (requires a hotfix or SP1 for 2008 R2) – netsh int ipv4 add address “network connection name” skipassource=true.


  9. Pingback: Exchange 2010 – Seperate OWA authentication « cobracommunications

  10. I was hoping this would give instructions on setting up two URLs for Scenario 3. Where the CAS servers are in a CAS array with WNLB. Part 2 never made it??

  11. When is part 2 going to be published?! I am in a scenario where I need to set this up with NLB in the picture. Well actually my scenario is that I have 2 companies that have merged and they want to keep their OWA URLs unique.

  12. I had an NLB. What I did was add a second interface to both CAS, follow all the steps above using the new interface instead of adding an additional IP. Then I created a second NLB cluster using the second interface and added the binding for the NLB address just as you would for the dedicated. Worked like a charm.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: