I am still running the RC of ISA 2006. I'm trying to publish Exchange 2003 for RPC-over-HTTP. I'm not really fussed how it's done, but it's key that Outlook authentication is seamless.
I have tried with the forms-based authentication on the listener combined with NTLM, but Outlook won't authenticate unless I use basic auth (can't do that - lots of unhappy users when this goes live). OWA is a happy bunny however.
I have tried using HTTP auth for the listener but I can't get the Kerberos bit of it working properly. I've put in the SPN for the internal site and verified that ISA can delegate for this site in the AD properties. But it won't let me...
I have tried something similar, which makes OWA work but not OMA. I have found that the easiest thing to do is to add a SPN for the machine with the setspn utility. You then allow delegation in AD for the machine running ISA to the machine running exchange. As Tom described, with the diferrence, that you choose the SPN, that you previously added. This was a pain to get working, I also suggest that you watch the event log on both machines, the one housing exchange and the one running ISA.