A few months ago, Microsoft published a Whitepaper detailing the steps required to securely publish Exchange to the Internet using TMG and UAG. (That document has recently been updated by the way, and the newest version is available: White Paper – Publishing Exchange Server 2010 with Forefront).
Also, here’re two related Whitepapers. The first is about using IPsec to restrict access to OWA and Outlook Anywhere to machines you control or manage, and it is available here: Using IPsec to Secure Access to Exchange.
“By allowing remote access to Exchange to users who’re based outside the safety of the corporate network, an organization enables its employees to take full advantage of the tech their company provides. When considering remote access, an organization must also consider how to secure their corporate info. There’re several different ways to secure access to corporate info, including VPNs, Direct Access, and IPsec. When enabling and requiring IPsec on endpoint that’s used to publish Exchange to Internet, only machines with the right credentials can establish a connection.” Download.
The second paper is about using certificates to authenticate to Exchange, from a user perspective though, not machine, and specifically when using Exchange ActiveSync or OWA. The paper: Using TMG and UAG to Securely Publish Outlook Web App and Exchange Activesync with Certificate Based Authentication, is available here.