If you're going to secure your Exchange server, the best place for the front-end server is...

If you're going to secure your Exchange server, the best place for the front-end server is...

• At a hosted location
• Outside the firewall
• The internal network
• The internal network with ISA in the perimeter 

EXPLANATION

The generally accepted way of implementing a front end / backend configuration involves placing an ISA Server in front of the front end server.
The idea behind this configuration is that remote clients never interact directly with the front end server. Instead, the ISA Server is provided with a copy of the front end server's certificate, which allows it to impersonate the front end Exchange Server. Remote clients never actually communicate with the front end Exchange Server. Instead, remote clients communicate with the ISA server. The ISA server acts as a proxy server and forwards HTTP requests to the front end Exchange Server.
Part of the ISA server's job is to act as an application firewall for Exchange Server. What this means is that ISA server knows what types of communications are considered normal for an Exchange Server environment. It is therefore able to filter out abnormal and potentially malicious packets.
The merits of using an ISA server are sometimes debated though. The reason why this is a debated topic is that ISA Server is a software based firewall sitting on top of a Windows operating system. Some people feel that it is therefore vulnerable to the same types of attacks that any other Windows server would be.
My take on this issue is that ISA Server should be considered an essential part of a front end / back end configuration. ISA Server is not a generic firewall. It was developed by Microsoft with Exchange in mind. It contains lots of Exchange specific filtering rules that will help to keep your Exchange Server secure. At the same time though, I believe that the fact that ISA Server rides on top of a Windows operating system does pose a security threat. In my opinion, the best way to counter this threat is to place a hardware-based firewall at your network's perimeter and then have your hardware firewall forward the inbound HTTP requests to an ISA Server located behind it.