Yes OWA is installed by default in Exchange Server 2003. To test it, type the following into the address bar of Internet Explorer or the installed Web browser on a computer on the local area network http://exchange_server_name/exchange. Either a logon page or dialog box will appear depending on whether or not you are using forms based authentication.
Now when it comes to publishing OWA to the Internet, there are some security implications that need to be addressed first. You should know that OWA relies on the HTTP protocol which transmits data unencrypted or “in the clear” by default — including user names and passwords. Therefore, it is not recommended that OWA be published to the Internet or other untrusted networks in this manner.
There are ways to securely publish OWA to the Internet using what is known as a reverse proxy or intelligent firewall solution such as Microsoft Internet Security & Acceleration (ISA) Server, which in addition to encryption, also provides URL filtering to ensure that only legitimate requests are forwarded to Exchange.
The bare minimum secure configuration, if you will, consists of deploying OWA behind a firewall using SSL on port 443. To do this, you need to use a home grown certificate generated from an enterprise or standalone certificate authority (CA), or a commercial/public CA. The difference is that if you use a home grown CA, clients will not trust the publisher by default which will result in certificate warnings; however, using Web browsers, this can be overcome simply by choosing to continue to browse to the Web site. On the other hand, if you also plan on deploying mobile devices, which is a feature that is also installed and enabled by default in Exchange Server 2003, you will need a commercial/public CA because they do not handle certificate warnings and errors as gracefully. Otherwise, you will have to install the home grown CA root certificate on each and every mobile device. The same is true for other clients — desktop and laptops, if you want to prevent the untrusted certificate warning from appearing.
Here is a good reference for configuring SSL for Exchange Server 2003.
OK — back to the script.
If you have only one Exchange Server 2003 mailbox server, deploying OWA is relatively simple. On the other hand, if you have more than on mailbox server, then you will be better off deploying a front-end and back-end topology and publishing the front-end server to the Internet instead. The reason is because the client will contact the front-end server which will in turn authenticate the user and contact the appropriate mailbox server. Without a front-end server, users would have to contact a specific mailbox server, multiple URLs would have to be published and so on. Since you only mention one Exchange Server 2003 server, I’ll tie off further front-end and back-end topology discussion here.
Something else that you will be interested in doing, however, is enabling forms based authentication (FBA). This is performed in Exchange System Manager.
Here is a good reference for configuring forms based authentication.
If you need help with generating a home grown SSL certificate, then refer here.