owa is part of exchange, it is a basic feature of it. It can be turned on or turned off, but by default it is enabled. https is enabled and you can use self signed certificates, by default a self signed certificate is added at time of exchange install with 2007 and 2010.
owa is webmail. owa can be accessed by any browser that I have come across. owa has been part of exchange as long as I have been setting it up...this goes back to 5.x at the very least. owa with forms based auth is part of 2003 and needs https to function. rpc over https (aka outlook anywhere also needed for active sync) has been a function since 2003.
on the same token that webmail address is the same used for outlook anywhere and active sync by default. As an admin you can change this, however. This is also enabled for the users by default. The admin has the choice to disable.
These are all out of the box features of exchange. The exchange client access server just needs ports 25, 443 and/or 80 opened to it. You need a client access server for exchange to function. The client access server can be standalone or have a database with it. In a more secure environment the CAS server would sit outside of the network in a DMZ area. This is where the outside would connect. You can have multiple CAS servers for different roles. One for smtp, one for web functionality, you can even seperate it out further if the admin wishes, but you only need one for smtp,web (this would include owa, outlook anywhere, and active sync for the apple iOS and droid devices), and database. My installs are rather simple, I have one server for all web services, all https certificates are for all services.
here is a random portal that I stubled across which is owa:https://exchange.concate.com
here are some owa screenshotshttp://kb.iu.edu/data/avsg.html