I’ve done a number of intradomain communcations articles where I describe how to configure the ISA firewall to allow domain members to be placed in a secure, authenticated access DMZ segments. This is crucial information for properly securing front-end Exchange Servers.
As you probably already know, in order to secure front-end Exchange Servers, you need to place them in a security zone different from the back-end Exchange Server security zone. That’s because the front-end Exchange Server is an Internet facing device and the back-end Exchange Server is not Internet facing.
For comprehensive coverage on why the front-end Exchange Server needs to be in an authenticated access DMZ, check out Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 1: DMZ Design Concepts and Why the Front-end Exchange is Placed in the DMZ at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part1.html
As good as I think my intradomain communcations are, I always knew that someone smarter and stronger than me would come up with something that could make them better. That smarter and stronger guy is Stanislas Quastana. He has a Blog post Segmenting Networks with ISA 2004 -- Filtering access to Domain Controllers at http://blogs.msdn.com/squasta/archive/2006/03/17/553805.aspx that nicely summarizes the protocols required and also the custom domain UUIDs you can use for RPC communications. Those UUIDs are golden!
Many thanks to Stanislas and his team for doing the hard work to discover those UUIDs.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls