Gateway placement is quite straightforward (depending on your environment).
Basically ALL email will be going through the Universal Server, and then the policy applied on the server determines if it gets encrypted or not. This means that the MX records have to point to the WAN IP of the Universal Server.
Once the MX records are pointing to it (for incoming), you will be receiving email through it. Keep learn mode on initially and look through the logs to make sure everything is working OK.
For outgoing, you need to add the mail route and the mail proxy to receive from the Exchange server and to send email straight out using DNS. (You can use a 2-way proxy rather than x1 1-way.)
That's it!