Hi Brian,

I believe that MS is changing these recommendations, because you should never extend the internal network security partition into the DMZ. There's no point to having a DMZ if you allow intradomain communications through the firewall.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

_____

From: Brian Parker [mailto:bparker@xxxxxxxxxxxxx]
Sent: Sunday, September 28, 2003 11:23 AM
To: [ExchangeList]
Subject: [exchangelist] RE: E2k -in the DMZ segment !

http://www.MSExchange.org/

Hi Andrey

You need to allow traffic for Port 139 RPC and (I think) LDAP 389 between DMZ and GC - see Microsoft article on Front End/Back End configuration.

HTH

Regards
Brian Parker
Senior Computing Officer