I have found that my OWA has the clickjacking vulnerability. My Exchange is 2010 and I have TMG 2010 configured so OWA is available to my users from the web.
I applied the solution http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/
but it did not work. It would help if Microsoft would acknowledge this issue and design a fix that can be applied easily.