Is the https://:4100 intended to be used from the Internet (ANY)?
I would like to additionally secure an HTTPS proxy to an internal Exchange OWA.
I don't believe so. That is traditionally used to manually authenticate so that you can do things like group-based Internet policies/group-based firewall rules.
I have seen some instances where administrators used this to externally "authenticate" and then RDP straight into machines, but this is ill-advised when compared to solutions like VPN (either IKEv2 or SSLVPN) since the traffic is not being encrypted; rather, you are simply authenticating on the firewall before it allows you to do what you want to do.
This article should help you on your OWA stuff, it is based on the Web UI but it should still work:
I already have this proxy setting + lockdown URL paths,
but Microsoft so often has zero-day problems with Exchange that I do not feel happy with this.
My advice would be to get a decent endpoint product loaded on the server, like EPDR or something, to have a better chance of detecting zero-days. That and having a decent third-party spam filter that can help monitor email in transit for you.
Customers do use it to do this, and we support it as such:
(Use Authentication to Restrict Incoming Connections) https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/authenticate_to_restrict_traffic_c.html
If you have a firewall that supports the access portal feature, you can also use that to secure connections to an OWA server:
(Firebox Access Portal Integration with AuthPoint and On-Premise Outlook Web Access) https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/AccessPortal-reverse proxy-saml_authpoint-OWA.html
WatchGuard Customer Support