Use ISA to reverse-proxy web-based mail products, such as OMA and EAS whenever possible.
Use a second external IP address, DNS host, and certificate if forms-based authentication for OWA is required to co-exist with OMA, ActiveSync, and RPC-HTTP.
Use POP and IMAP sparingly and only when it can be secured through ISA server and when configured to use SSL encryption.
Configure the SMTP Screener component to filter both inbound and outbound SMTP traffic where possible.
Use a third-party SMTP anti-virus product to further extend the capabilities of ISA's SMTP Screener service.
Consider placing Exchange and other messaging servers in a dedicated screened subnet that is secured by an ISA Server.