Back in 2009 I wrote a blog about the possibility of Microsoft supporting two-factor or multi-factor authentication for some Exchange services. For organizations which require high security, such as the DoD, allowing external access to email requires additional protection. With Exchange 2007 and prior versions there was no easy way (or any way!) to natively support certificate based two-factor authentication for services like Exchange ActiveSync.
To my surprise and great delight, Microsoft just released a lengthy whitepaper on how to enable certificate based two-factor authentication with Exchange 2010 and Microsoft ForeFront TMG or Microsoft Forefront UAG. The table below is directly from their whitepaper and shows you the different authentication scenarios and which product(s) support that scenario.