Here are the ISA Server/Forefront TMG HTTP Policy settings I use for ECP, OAB and Autodiscover. These settings were tested with Outlook 2007/2010 and Exchange 2007.

Setting and rule

*Exchange ActiveSync

*RPC over http
(Outlook 2003/2007)

General tab

Maximum headers length

32768

32768

Maximum payload length

10485760 (10 MB)

Any

Maximum URL length

1024

16384

Maximum query length

512

4096

Verify normalization

Yes

Yes

Block high bit characters

Yes

Yes

Block responses containing Windows executable content

Yes

Yes

Methods tab

Allow only specified methods

(see WEBDAV Methods http://msdn.microsoft.com/en-us/library/aa142917(EXCHG.65).aspx)

OPTIONS

POST

RPC_IN_DATA

RPC_OUT_DATA

GET

POST

Extensions tab

Action taken for file extensions

Allow only specified extensions

Allow only specified extensions

Extension list

. (dot)

.dll (rpcproxy.dll)

.asmx (Exchange Web Service)

.xml (for Auto discovery)

.lzx (for OAB)

.wsdl (Exchange Web Service)

Block requests containing ambiguous extensions

Yes

Yes

Headers Tab

Blocked headers

None

None

Signatures Tab

Blocked signatures:Request URL

./

\

..

%

:

./

\

..

%

&

http://blogs.technet.com/b/isablog/archive/2010/11/01/outlook-anywhere-and-activesync-http-filter-configuration.aspx