From Jason Jones at http://forums.isaserver.org/m_2002027876/mpage_1/k…
==============================================================
Assuming FE in DMZ (domain member), BE on LAN (domain member).
Route relationship between DMZ and LAN (to allow intradomain)
Rules needed:
Front-End Exchange servers => Domain Controllers
DNS
Kerberos-Adm (UDP)
Kerberos-Sec (TCP)
Kerberos-Sec (UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
Microsoft CIFS (TCP)
Microsoft CIFS (UDP)
NTP
Ping
RPC (all interfaces)
Front-End Exchange servers => Back-End Exchange servers
HTTP
IMAP4
POP3
SMTP
Exchange Link State Routing (TCP691)
RPC over HTTP Information Store (TCP6001)
RPC over HTTP DSReferral (TCP6002)
RPC over HTTP DSProxy (TCP6004)
Back-End Exchange servers => Front-End Exchange servers
Exchange ActiveSync Direct Push (UDP2883)
==============================================================
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — Microsoft Firewalls (ISA)