External source: MS Exchange team blog.
A few months ago the MS Exchange team published a whitepaper detailing the steps required to securely publish Exchange to the Internet using TMG and UAG.
This document has recently been updated, and the newest version is available here: White Paper - Publishing Exchange Server 2010 with Forefront.
Additionally, a new whitepaper about using IPsec to restrict access to OWA and Outlook Anywhere to machines has been released, and it is available here: Using IPsec to Secure Access to Exchange.
Exchange has for a long time now offered many different ways to access a mailbox from any location - but some of our customers still do not allow Outlook Anywhere (and OWA, though less so, as OWA has many multi-factor authentication solutions in the market) connections from the Internet. These customers' security teams tend to think of these connection mechanisms as 'insecure' because any machine can connect, there is potential for Denial of Service (DoS) and brute-force password attacks, their security policy states 'two factor authentication' is required, and so on.
If you want a solution that works with all versions of Exchange and can be deployed today without significant additional investment, IPsec is an attractive solution. And coincidentally, that's what the whitepaper explains how to set up!
How IPSec Works - The Science Bit