ISA 2006 in DMZ for Activesync/OWA only Exchange 2003

Asked By GA
03-Aug-07 09:54 AM
Hi ISA experts!  I am an ISA newbie building my first ISA server for Smart
Phone access to email for our sales reps.

Exchange OWA works internally.  I am the Exchange Admin and am fairly
confident that Exchange is set up correctly, although the FE/BE topology is
new to me as well.

My network guy wants ISA to live in the DMZ like this:

Public IP >> Edge switch (translates to private ip)>> ISA 2006 >> DMZ Switch
(translates another private ip to internal ip for FE server) >> internal
network (AD, Exchange FE/BE servers).  I'm not sure if this is even
feasible.

I have done the certificate on FE and exported it then imported it on ISA,
published the rule using the wizard, single network config on ISA.  The only
port we have open between DMZ and internal network is 443.

When I try to connect using a smart phone, I can get a username/password
prompt, but it fails to authenticate to ISA.  What am I missing?   I have
read on some websites that the smart phone needs the certificate installed
manually, but I don't buy that.  It defeats the purpose of being able to
deploy a remote solution.  Besides, I tried that and it still doesn't work.

Asked By GA
13-Sep-07 03:15 PM
Figured it out myself.  Had to create another rule to allow LDAPS port 636
Inbound.  For some reason the default protocol rule is for Outbound so that
would not work in my DMZ scenario.

When I enabled a rule for inbound to each of my DCs, pre-authentication
worked like a charm.  Now I just need to add users to an AD group to allow
access.
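As an added example (not part of the original thread or of ISA itself), here is a small Python check that a DMZ host can reach each domain controller on LDAPS 636 and that the DC certificate chains to the internal CA, which is exactly the path the inbound rule above has to open. The DC hostnames and the CA bundle path are constructed placeholders; a filtered port shows up as a timeout before any TLS handshake, while an untrusted DC certificate shows up as a TLS error after the TCP connect succeeds.

```python
"""Verify the LDAPS (TCP 636) path from a DMZ host to each domain controller."""
import socket
import ssl
import time

# Constructed placeholders: replace with the real DC names and the PEM file
# holding the internal CA that issued the DCs' LDAPS certificates.
DOMAIN_CONTROLLERS = ["dc1.corp.example", "dc2.corp.example"]
CA_BUNDLE = "internal-ca.pem"
LDAPS_PORT = 636


def check_ldaps(host, port=LDAPS_PORT, ca_bundle=CA_BUNDLE, timeout=5.0):
    """Return a dict recording how far a TLS session to host:port gets.

    tcp=False with a timeout means the firewall is still dropping 636;
    tcp=True, tls=False means the port is open but the DC certificate is
    not trusted by this host (wrong CA, wrong name, or expired).
    """
    result = {"host": host, "tcp": False, "tls": False,
              "subject": None, "days_left": None, "error": None}
    try:
        # cafile=None falls back to the system trust store.
        ctx = ssl.create_default_context(cafile=ca_bundle)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                cert = tls.getpeercert()
                # Each RDN is a tuple of (name, value) pairs; take the first pair.
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                result["days_left"] = int((expires - time.time()) // 86400)
    except socket.timeout:
        result["error"] = "timed out (port 636 is probably filtered)"
    except ConnectionRefusedError:
        result["error"] = "connection refused (nothing listening on 636)"
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


def check_all(hosts=DOMAIN_CONTROLLERS):
    """Check every DC and return the results; the path is healthy only if all pass."""
    return [check_ldaps(h) for h in hosts]


if __name__ == "__main__":
    for r in check_all():
        status = "OK" if r["tls"] else "FAIL"
        print("%s %-22s tcp=%s tls=%s %s" % (status, r["host"], r["tcp"],
              r["tls"], r["error"] or "%s days left" % r["days_left"]))
```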