If you have setup your ISA reverse proxy correctly, you should be able to use a web browser from an external Internet connection to your OCS Front End root path without an "Error 500 - Service Principal Name Incorrect" error.
If you receive that error, it most likely means that your OCS pool/front end internal certificate is incorrect in some way. Make sure the "This rule applies to this published site" field under the "To" tab in the ISA rule matches the Subject Name and the first Subject Alternative Name (SAN) of the OCS pool internal certificate. ISA 2006 RTM "ignores" any SAN entry below the first one.
Keep in mind that the 'Web Components' of OCS 2007 are just a published IIS web site on the front end server(s). If you recreate the internal certificate, you will have to use the IIS manager for the 'Default Web Site' to assign the new certificate to the front end web site. Using the Certificate Wizard inside the OCS snap-in will not do it for you.
When ISA 2006 SP1 is released, it is supposed to support SAN SSL certificates closer to the way Exchange 2007 and OCS 2007 them.
Once you are past that stage, you should be able to browse with your web browser to https://myisa.contoso.com/Etc/Place/Null/SlideFiles/Blank.png and receive a 704x528 blank PNG image. Of course, replace myisa.contoso.com with the actual external FQDN of your setup.
