So I finally got around to publishing our Windows SharePoint Services 3.0 server through the ISA box. I set it up with Kerberos Delegation so as to avoid any authentication issues and, of course, Forms Based Authentication. First thing I found out was that you do not want anything on the initial landing page that takes time to load, such as a world clock/weather web part that has 4 countries in it. Let's just say ISA tacked on an extra 30 seconds to the load time of the page. Anyway, the next thing was getting all the link translation mappings right, like redirecting http to https for internally hardcoded links, NetBIOS to DNS, etc. (And all this on top of setting up Alternate Access Mappings (AAM) on the SharePoint server.)
Then I noticed that Extranet users were getting prompted for authentication when they tried to open Office docs (.doc/.xls/.ppt). After much digging, I found the resolution on a message board.
"turn on persistent cookies (Web Listener | Forms | Advanced Form
Entertainingly enough, when I went into the help for that setting it specifically lists that this setting is exactly for this SharePoint problem! ARGH.
So I enabled mine for the 'only on private computers' and voila, the darn thing works fine now.
*Caveat: They do warn you when you turn this on that it does create a cookie on the client machine that may contain sensitive data. Personally, if you fall into the following two scenarios I don't think that's a problem.
1.) You encrypt your laptop users' machines.
2.) You can't stand users whining about extra prompts.
Make sure that you pay attention to how long the Private and Public session timeouts are, since you're now using a persistent cookie.
Note: Some Vista boxes may need a patch: