You want to establish an external trust between two domains where there is an ISA 2004 or ISA 2006 in between.  Establishing trust requires Kerberos, LDAP, DNS, CIFS & the big problem is the RPCs… one idea is to strict the RPC port on the DCs using registry and open this specified range on the ISA which will be not less than 100 port per the recommendations, other idea was to create an IPSEC tunnel between both DCs and open the IPSC ports only on the firewall however the cons of this solution is the complexity & the exposure of both DCs communication between each other. With ISA 2004 & 2006 the RPC filter will help you establish this, the filter listens for the RPC port maper 135 request and depending on the UUID the ISA sees which port is required to be opened for such service and dynamically open the port for the communication till the session ends. So based on this great cool feature only the below ports are only required to be opened on the ISA.


DNS Query

Kerberos-Sec (UDP)              88  UDP SEND/RECEIVE

LDAP                                     389 UDP SEND/RECEIVE

LDAP (UDP)                          389 TCP OUTBOUND

Microsoft CIFS (TCP)            445 TCP OUTBOUND

RPC (All interfaces)             135 TCP OUTBOUND

Note: PING is required and don’t forget to establish a name resolution mechanism, I would recommend DNS conditional forwarding for both domains