We have an OWA site that we want to remove. We dont want our users being able to see the OWA web site, and we don't want external threats to see our OWA site.
Other services like Autodiscovery are still needed to function.
In researching this, I only find items to recreate OWA, and it doesnt drill into enough detail as to what will happen if I only delete OWA. Additionally Microsofts Documentation on removing OWA just causes more confusion stating:
When you use this cmdlet, make sure that you don't accidentally delete the default Outlook on the web virtual directory.2
Questions
- Will deleting the OWA Directory from the Exchange Admin Center be enough?
- Will deleting the OWA Virtual Directory cause any issues with ECP, ActiveSync, Autodiscover, etc?
- Is there a better process that I should be following?
I tried to remove OWA virtual directory in my test environment with the command “ Remove-OwaVirtualDirectory -Identity “OWA (Default Web Site)” ”, after that, I found I can’t login on the OWA and the web page showed an HTTP 404 error, but other services “ECP”, ”Autodiscover” etc. still works. Therefore, if you remove the OWA VD, the internal/external access of OWA will be unavailable:
As the above result, if you delete the OWA VD, other services will still work.
To my knowledge, you could remove the external URL of the OWA VD in the EAC to block external access:
Or you could also perform another method(IP Addresses and Domain Restrictions Settings in the IIS) to limit external IP to access the OWA. Before that, you need add the server role “IP and Domain Restrictions” in the Server Manager:
After that, you could allow your internal server IP address to access the OWA in the IIS by clicking Add Allow Entry, and then deny unspecified clients to access by clicking Edit Feature Settings:
