When you define an Auth server you have to enter its IP address and select a source interface, so you can set up the connection to the Auth server in any zone (also inside a VPN tunnel).
For a Domain Controller you may use LDAP, or install Internet Authentication Service (IAS) on any domain member server and use RADIUS between the NetScreen and that server.
For authentication, you may use transparent authentication (Server Auth) inside the HTTP protocol (or FTP or Telnet), or, if the connection to the WebMail is encrypted (SSL), you may use WebAuth for user authentication. When you set WebAuth as the authentication method, the user has to connect to the WebAuth IP address first and authenticate, then connect to the WebMail.
The credentials used for authentication to the firewall will not be passed to the WebMail server.
If you want to authenticate users transparently on the gateway using SSL and pass the credentials to WebMail, you should use Secure Access instead of the firewall for authentication.
You may then disable SSL on WebMail and free its CPU resources for emails instead of securing...