One thing that is often forgotten after configuring an OWA Web Publishing Rule on the ISA firewall is configuration of the HTTP Security Filter. This is unfortunate, as the HTTP Security Filter is one of the core security technologies that makes the ISA firewall superior to the typical "hardware" firewall you may have in use today.
If you have configured the HTTP Security Filter for your OWA rule, here are three tips that can help you out with configuration and troubleshooting of the OWA Web Publishing Rule:
Blocking .exe file extensions and enabling Block responses containing Windows executable content for Outlook Web Access will block access to the S/MIME control. If the S/MIME control is required for Outlook Web Access on Exchange Server 2003, do not include .exe in the blocked extensions list or enable Block responses containing Windows executable content.
Blocking .dll file extensions for Outlook Web Access will block access to the online spelling checker that is built into Outlook Web Access.
Including the strings ".." (two dots), "%" (percent sign), and "&" (ampersand)can prevent certain types of potential attacks but it will also reduce access to certain e-mail messages. An e-mail message subject line forms part of the URL to access the message and thus any e-mail message containing one of these characters will be blocked. A balance must be found between extra security and functionality. Do not include the ":" (colon) character in this list because this will block access to the majority of e-mail messages. Many message subject lines contains RE: and FW: if they are replies or forwards.
For detailed information on configuring the HTTP Security Filter, check out HTTP Filtering for ISA 2004 Firewalls at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx
Thomas W Shinder, M.D.
MVP -- ISA Firewalls