See attached Word document for some good information on ISA server, Kerberos and ProClarity.
Sean Flanagan [MSFT]
One of the most common case subjects at Microsoft support is with regard to permissions being passed from one server to another in a distributed environment. Security best practices recommend that company web servers be separated from database servers, domain controllers and other core service servers. The separation of roles to different servers presents the challenge of authenticating to a chain of those servers. By far, Kerberos is the method of choice for delegating credentials in a distributed environment. It is also the only protocol in a Microsoft Windows Active Directory environment capable of passing credentials over a second hop (that is, over a connection from a middle tier server to one or more back end servers when the connection to the middle tier is initiated by a third client machine). By design, Kerberos has a number of security restrictions which make it difficult to use outside of a trusted domain or forest. Microsoft Internet Security and Acceleration Server (ISA Server) can effectively extend the boundaries of Kerberos Delegation outside the domain so users accessing the company website over the Internet (without a VPN) can take advantage of Kerberos Delegation and not be prompted for credentials at each ‘hop’ in the environment. ISA Server can do this by taking advantage of Kerberos features which do not require a Ticket Granting Ticket (TGT) from the client workstation to access resources."