Here's one tip I discovered while building a Windows Communication Foundation output channel: The client channel can rewrite the URI sent in the wsa:To WS-Addressing header on the request message to the server.
Normally, the URI sent in wsa:To matches the destination URI passed in by the user when the client channel is created. However, the channel itself can override this value, by simply making sure that the RemoteAddress property returns an EndpointAddress instance intialized with the modified URL. WCF will then use the RemoteAddress property and use that value in the wsa:To header.
I found this pretty useful to clean sensitive URLs before they get used by the WS-Addressing infrastructure. Pretty useful if you don't want your messages to go around carrying usernames and passwords as part of the destination URL in the headers :-).