ISAServer.org has an excellent four part tutorial on using LDAP to pre-authenticate Outlook Web Access. You can find them here:

This is an excellent feature of ISA Server 2006 because it allows scenarios whereby ISA Server cannot be the edge firewall for whatever reason and is placed in the DMZ instead. LDAP allows for ISA Server to authentcate against Active Directory without the server being a member of the domain. However, once you configure LDAP authentication you cannot then use additional authentication methods such as RADIUS OTP and RSA SecurID. You can see this on the web listener Authentication tab, once you select the option to ‘Collect additional delegation credentials in the form’, LDAP is no longer selectable.

WebListener

I think that this is a bit of an oversight by the ISA Server team so it would be great to get this feature into an ISA Server 2006 Service Pack or the next version of ISA Server (2008, codename Nitrogen). If this is a feature that you might find compelling you can get feature requests into Micrsoft through their partners (if your aren’t one yourself) or look out for the next ISA Server beta when it pops up on Microsoft Connect.