Hi Al,

I agree with what you've mentioned below. The only reason we added the additional OWA zone was in order to allow our IDS people to monitor all traffic between the appliance and OWA, and between OWA and the Domain controllers inside. We actually left all ports open between the OWA zone and the trusted network at first, and then locked it tight so only the authentication and communication ports were open.

                                    Application Server to KDC   Return traffic
Initial ticket request              88/udp                      xxxx/udp
Kerberos 5-to-4 ticket conversion   4444/udp                    xxxx/udp
LDAP                                389/tcp                     xxxx/tcp

Used a host file entry on OWA for DCs. I think I got all of them.

Cheers,
Alex.
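As an added illustration (not part of Alex's mail or any firewall product), here is a small policy model that puts the initial "all ports open" rule set beside the locked-down one from the table above, so the two can be audited against the same set of flows. Zone names "owa"/"trusted", the `established` flag (standing in for the firewall's state table) and the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass

# The only flows the mail leaves open from the OWA zone towards the DCs/KDC.
ALLOWED_OWA_TO_TRUSTED = {
    ("udp", 88),    # Kerberos initial ticket request
    ("udp", 4444),  # Kerberos 5-to-4 ticket conversion
    ("tcp", 389),   # LDAP
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    established: bool = False  # assumption: reply to a connection already in the state table

def permit_all(flow: Flow) -> bool:
    """The first cut: every port open between the OWA zone and the trusted network."""
    return flow.src_zone in ("owa", "trusted") and flow.dst_zone in ("owa", "trusted")

def permit_locked_down(flow: Flow) -> bool:
    """The final rule set: listed ports outbound only, ephemeral return traffic inbound only."""
    if flow.src_zone == "owa" and flow.dst_zone == "trusted":
        return (flow.proto, flow.dst_port) in ALLOWED_OWA_TO_TRUSTED
    if flow.src_zone == "trusted" and flow.dst_zone == "owa":
        return flow.established  # xxxx/udp or xxxx/tcp reply to an OWA-initiated request
    return False  # default deny for anything else

def audit(policy, flows):
    """Return the destination ports a policy lets through, in order, for side-by-side comparison."""
    return [f.dst_port for f in flows if policy(f)]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("owa", "trusted", "udp", 88),
    Flow("owa", "trusted", "tcp", 389),
    Flow("owa", "trusted", "tcp", 445),                       # SMB: not in the table, must be dropped
    Flow("trusted", "owa", "udp", 51000, established=True),   # Kerberos reply to an ephemeral port
    Flow("trusted", "owa", "tcp", 443),                       # unsolicited DC -> OWA connection
]

if __name__ == "__main__":
    print("all open   :", audit(permit_all, SAMPLE_FLOWS))
    print("locked down:", audit(permit_locked_down, SAMPLE_FLOWS))
```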