InternetClient -> DMZ LTM (if port 80 redirect to 443) 443 -> ISA -> Internal LTM -> OWA pool over 443
InternalClient -> Internal LTM (if port 80 redirect to 443) -> OWA Pool over 443
Make sense? On the Internet flow, I left out the handshake between ISA and AD LDAP authentication which uses a internal VIP to our global catalog. By the way, one reason we front ended ISA with the LTMis due to our data center config. What you do not see is the GTM that can give the address of either data center based on the availability of the ISA servers. So the LTM's monitor the availablility of the ISA servers.