Use ISA to reverse-proxy web-based mail products, such as Outlook Web Access, whenever possible.
Use a second external IP Address, DNS host, and certificate if forms-based authentication for OWA is required to co-exist with OMA, ActiveSync, and RPC-HTTP.
Use Secure Sockets Layer (SSL) encryption whenever possible to secure Outlook Web Access.
Use forms-based authentication where possible to secure access and prevent unauthenticated traffic from touching the Exchange server.
Secure an OWA virtual server with the settings described in Table 12.1.