What are the significant considerations when designing and setting up a DMZ for a relatively small office (15-20 users) with a limited budget? The network traffic across the DMZ will be inbound SMTP (MS Exchange), inbound HTTP/S (OWA), and outbound internet traffic.
Based on the requirements you've given, you don't have a need for a true DMZ. A front-end Exchange Server (to run OWA) must technically be on the domain, which means it actually has to be on the private network. And the number of ports you have to open makes it prohibitive to consider anything else. Microsoft's solution is to use ISA as a software/application firewall and bastion host in front of the OWA server, and also to use it to funnel SMTP traffic through.
I'm admittedly not a big fan of ISA Server. I prefer a hardware solution which would include an SSL termination capability, like an F5 BigIP or the like. However, it may be the right solution for you. Otherwise, you still want to make sure you have a decent, industry-recognized hardware firewall solution, such as one from Cisco or SonicWall. Understand the capabilities of the various models. Your reseller should be able to best help you determine the right fit for what you need.
The first thing to consider is whether you need a DMZ at all. For a small office with only a few services required, would it be simpler and more secure to forward the ports you require to the internal network?