This post covers how to set this up when your Client Access server is running on Windows Server 2008 without being published through ISA Server.
Note: These steps are only for Exchange 2007 mailboxes, and will not work for the /Exchange virtual directory. Your PKI infrastructure should already be in place as well. This can be a Windows 2003 or Windows 2008 certificate server, or your favorite third-party vendor.
First up is to see if the Client Certificate Mapping Authentication [Web-Client-Auth] component of IIS is installed. This component is not required to install Exchange 2007, so it will most likely need to be installed. You can add it via Server Manager or with ServerManagerCmd, like below. A reboot of the server is required after the install.
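A check-then-install sketch for this step, added here as an example and not taken from the original post. It assumes an elevated PowerShell prompt on the Client Access server with ServerManagerCmd.exe on the PATH, and that installed entries in the `-query` listing carry an `[X]` marker.

```powershell
# Added example: check for the IIS Client Certificate Mapping Authentication
# component and install it only if it is missing.
$feature = 'Web-Client-Auth'

# -query lists every role, role service and feature; pick the line whose
# bracketed identifier matches the component named in this post.
$line = ServerManagerCmd.exe -query | Where-Object { $_ -match "\[$feature\]" }

if (-not $line) {
    Write-Host "$feature was not found in the query output; check the name and that the command ran elevated."
}
elseif ($line -match '\[X\]') {
    # Assumption: an [X] at the start of the entry means it is installed.
    Write-Host "$feature is already installed; nothing to do."
}
else {
    Write-Host "$feature is not installed; installing..."
    ServerManagerCmd.exe -install $feature
    Write-Host "Reboot the server before continuing with the remaining steps."
}
```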