Opening Secure LDAP port 50636 for EdgeSync when Edge Transport is in DMZ - from LAN to DMZ private or LAN to DMZ public or both?
I have a new Exchange Server 2007 implementation and I'm trying to verify that I've configured the correct firewall access rules. I have a total of three servers:

1) Domain controller on the internal LAN. This server is a global catalog server and also has Exchange Server 2007 installed with the mailbox, client access, hub transport and unified messaging roles. This server is also the primary DNS server.
2) A second domain controller on the internal LAN. This server is also a global catalog server. It does NOT have Exchange. It is a second DNS server.
3) Edge Transport Server NOT a member of the domain. This server has two NICs. One is connected to the DMZ interface on the firewall. The second NIC is connected to the internal LAN (configured to use the two internal DNS servers).

My question has to do with opening the Secure LDAP port between the hub transport server (LAN) and the edge transport server. For the edge transport server I have, in my firewall (SonicWALL TZ 170), two "address objects". One "object" is a private IP address on the DMZ. The second "object" is a public IP address. Technically, this second "object" is in the WAN zone, while the private IP is in the DMZ zone. The public IP address of the second "object" is where my MX records will be pointing. In order to allow secure LDAP traffic on port 50636 from the hub transport server to the edge transport server, I need to create a rule that has the hub transport server's internal LAN IP address as the source and one of or both of the edge transport objects as the destination. There appear to be three possibilities:

1. Source: hub transport server (internal LAN IP address) - Destination: edge transport server (internal DMZ IP address) -or-
2. Source: hub transport server (internal LAN IP address) - Destination: edge transport server (public IP address) -or-
3. Source: hub transport server (internal LAN IP address) - Destination: edge transport server (BOTH internal DMZ and public IP addresses)

I guess the thing that confused me was a technet article on planning for Edge Transport Servers. It lists the network interface (where the Secure LDAP port needs to be open for EdgeSync synchronization) as "Inbound from the internal network". But it also lists the network interface where the LDAP port 50389 needs to be open to make a local connection to ADAM as "Local only". If I'm understanding the "Local only" part correctly, the firewall access rule for LDAP 50389 should be: Source: hub transport server - Destination: edge transport server internal DMZ IP address ONLY. Does this imply that the Secure LDAP port 50636 is NOT local only, and therefore needs to be open from the hub transport server to the edge transport server's public IP address as well?

Thanks,
Adam V.
September 16th, 2009 5:02am

Hi,

The port 50389 is used to make a local connection to ADAM which provides an LDAP interface for clients to authenticate and make directory requests. The process is performed by the Edge server itself. It does not have to be open on the perimeter network firewall.

For the Edge Synchronization, the 50636 must be open for successful EdgeSync synchronization which is used for directory synchronization from Hub Transport servers to ADAM. To set up the rule, the IP address must be the internal IP address between the Hub and Edge server.

Thanks
Allen
September 17th, 2009 1:35pm
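As an added example (not posted by either participant in this thread), the following PowerShell script verifies the rule Allen describes from the Hub Transport server's side: TCP 50636 should be reachable on the Edge server's internal DMZ address and should not answer on its public address from the LAN, since the EdgeSync rule is LAN to DMZ only. It assumes it is run in the Exchange Management Shell on the Hub Transport server (so that Test-EdgeSynchronization is available), and the three IP addresses are constructed placeholders to be replaced with your own address objects.

```powershell
# Added example, not from the original thread. Run from the Exchange Management
# Shell on the Hub Transport server. All addresses below are constructed
# placeholders; substitute the real address objects from the SonicWALL.
$EdgeDmzIp    = '172.16.1.10'   # assumed: Edge Transport NIC on the DMZ zone
$EdgePublicIp = '192.0.2.10'    # assumed: Edge Transport public (WAN zone) address
$EdgeSyncPort = 50636           # Secure LDAP port used by EdgeSync
$TimeoutMs    = 3000            # give up on a connection attempt after 3 seconds

# Attempt a TCP connection with a timeout; returns $true only if the three-way
# handshake completes, i.e. the firewall passes the traffic and the port listens.
function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false   # timed out: typically dropped by the firewall
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Rule 1 in the question (LAN -> internal DMZ address) is the one that must work.
$dmzOpen    = Test-TcpPort -Address $EdgeDmzIp    -Port $EdgeSyncPort -TimeoutMs $TimeoutMs
# No LAN -> public rule is created, so this is expected to fail.
$publicOpen = Test-TcpPort -Address $EdgePublicIp -Port $EdgeSyncPort -TimeoutMs $TimeoutMs

"Hub -> Edge DMZ IP    {0}:{1} reachable: {2}" -f $EdgeDmzIp,    $EdgeSyncPort, $dmzOpen
"Hub -> Edge public IP {0}:{1} reachable: {2}" -f $EdgePublicIp, $EdgeSyncPort, $publicOpen

if ($dmzOpen -and -not $publicOpen) {
    # Network path is as intended; confirm the synchronization itself succeeds.
    Test-EdgeSynchronization | Format-List
} elseif (-not $dmzOpen) {
    Write-Warning "Port $EdgeSyncPort is not reachable on the DMZ address; EdgeSync will fail until the LAN -> DMZ rule allows it."
} else {
    Write-Warning "Port $EdgeSyncPort answers on the public address; the EdgeSync rule only needs the internal DMZ address, so review the WAN-zone rules."
}
```

The script does not touch port 50389: as the answer notes, that port is used by the Edge server's own local connection to ADAM and needs no rule on the perimeter firewall. Test-EdgeSynchronization reports the status of the last synchronization, so a reachable port combined with a failed sync points at the Edge Subscription or credentials rather than at the firewall rule.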

