Considering that this server is a member of the domain, yes, you would have to allow Kerberos communications as well from the FE to the GC/DCs. DNS, etc. is also required. However, the Kerberos authentication for the client, IIRC, is done from BE to FE server and then proxied to the domain controllers, so you would have that allowed from FE to BE as well. It's been a while since I last looked at this in depth, but you could probably get absolute clarification faster if you look at the logs on the firewall for what's being attempted.

Best bet is not to put Exchange or domain members in the DMZ in the first place. Better to just leave them internal and use ISA or something similar to project them into the DMZ. Any layer-7 firewall device that understands the communications and can terminate SSL should be fine. Much simpler, more reliable because of the simplicity, and works well in many environments.

Al

-----Original Message-----
From: ravi [mailto:rrb@xxxxxxxxxxx]
Sent: Thursday, November 18, 2004 3:39 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Kerberos authentication from FE to BE

http://www.MSExchange.org/

I have opened all the necessary ports like 389, 3268 to DC/GC and 25, 80 to BE. Everything is working well but I see this warning on my FE. My concern: is opening port 88 to DC enough? Or do we have to open 88 to BE also for Kerberos authentication to work?

Thanks for your help.