“Best practices” is to place the OWA server behind your firewall and open 80 and 443 to the world. you’ll need to forward these ports through the public IP to the server. that’s all it should need to function. If you’re also using RWW, you’ll want to 3389 and 4125 open to the RWW server, but they do NOT have to be open to the OWA server.
if it’s all on the same machine, which is typical, open 25, 110 (is using POP3) 80, 443, 3389 and 4125.
hope that helps,