I hate to say it, but none of the experts comment on this because they don't run enterprise groupware and database software on their firewalls, and they certainly *never* run FTP servers with write access on their domain controllers! Arrrg!
Got to strongly disagree here. You can't install Exchange and SQL on a PIX, NetScreen or any other serious firewall. No security expert who wasn't a salesman or shill for some company hawking software would recommned putting these applications on a *firewall*. ISA Server firewalls are network firewalls, not "host based" firewalls. Host based firewalls, such as ZoneAlarm, etc. are more fitting for an SBS config. But you'll run into the same problem. Check out any firewall Web board or mailing list regarding running application on the firewall, and you'll hear much more strident replies to this issue. Making ISA Server firewall software part of the SBS package is a marketing gimmick, not a security decision, IMHO.