Thanks all for your all. I'm using exchange 2003 with one owa front end and one back end mailbox server. I found that the "exchange" virtual directory is listed in IIS both on OWA front end and back end server. When using owa to access mail, I will type https://owa.mydomain.com/exchange. Does it mean the exchange directory is visible to public, does it store mailbox information, any security concern on it? if yes, how can I enhance its security? Thanks again Patrick

Hi Patrick, The only exchange directory that is available to the public, should should be the front end as that ius the job of the edge server. Check you firewall or NAT to ensure it is going to the right place; https://owa.mydomain.com/exchange = IP of front end server The back end can be used for internal web access :) Once you have checked your firewall and patch level you should be well secured. Lew

No. The exchange directory is visible and accessible only to those authenticated user. As you mentioned, you need to type https://owa.mydomain.com/exchange. It means the message between client and FE is encrypted. For enhance the security of BE , you can set DMZ zone. Then set FE inside DMZ, and BE behind DMZ. For more information about FE/BE topology , you can access http://technet.microsoft.com/en-au/library/aa996980(EXCHG.65).aspx

No. The exchange directory is visible and accessible only to those authenticated user. As you mentioned, you need to type https://owa.mydomain.com/exchange. It means the message between client and FE is encrypted. For enhance the security of BE , you can set DMZ zone. Then set FE inside DMZ, and BE behind DMZ. For more information about FE/BE topology , you can access http://technet.microsoft.com/en-au/library/aa996980(EXCHG.65).aspx