Many IT departments place systems exposed to the Internet in their firewall's demilitarized zone (DMZ). This practice helps protect the servers from internal and external attacks. Placing servers in a DMZ also protects the internal network if an attacker compromises the exposed server.
You can place an Outlook Web Access (OWA) server in a DMZ, but it requires a lot of configuration. First, you must map the information store and directory service ports on the Exchange server to static ports. Otherwise, the Exchange server answers clients (including OWA) on a wide range of ports that you'll have to open.
You must also open ports 135, 137, 138, and 139 (among others) between the DMZ and your internal network in order for OWA to function correctly. However, opening these ports limits the effectiveness of putting an OWA server in the DMZ. If attackers compromise the OWA server, they'll have many ports going into the private network to work with.
Because placing an OWA server in a DMZ offers limited payback in terms of security as opposed to the amount of configuration it requires, many organizations opt to place the OWA server on the private network instead, which greatly simplifies configuration. No static mapping of ports on the Exchange server is required. Since the OWA server is still behind a firewall, it's just as protected against external attacks as it would be in a DMZ.
For highly security-conscience organizations, where every bit of extra security is worth it, placing the OWA server in a DMZ is worth the hassle. The rest of us might consider the alternative to be an acceptable compromise.