I'm in the process of setting up Sonicwall Hosted Email Security (HES) and my Domain Controllers are currently Windows 2003 servers (in the process of upgrading them now). I have a SonicWall NSA 3500 firewall.
In order for HES to integrate easily with our users, they need port 389 open for LDAP queries. I found a single IP address that HES uses to query LDAP and I opened and NAT'd port 389 ONLY for this single IP address.
Does this pose a security risk? I'm thinking that it does not, because port 389 is only open to one IP address. But I'm not sure with today's sophisticated hacking methods if I'm okay to leave it set up this way long term.
One last thing, I did consider LDAPS (SSL), but because I'm a month or so away from upgrading my Domain Controllers, I didn't want to go down this road until my migration is complete.
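An added example, not part of the original post, to make the LDAP-versus-LDAPS point concrete: it builds and then decodes the BER bytes of an LDAP v3 simple BindRequest (RFC 4511), the message a client sends on port 389 when it authenticates. The DN and password are constructed, hypothetical values; the point is that without TLS they sit in the clear on the wire, which is what LDAPS (or StartTLS) protects.

```python
"""Minimal BER encode/decode of an LDAP v3 simple BindRequest (RFC 4511)."""

def _ber(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER TLV; supports the short and 2-byte long length forms."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Construct an LDAPMessage carrying a simple bind (msg_id < 128 for brevity)."""
    bind = _ber(0x60,                                 # [APPLICATION 0] BindRequest
                _ber(0x02, b"\x03")                   # version 3
                + _ber(0x04, dn.encode())             # name (LDAPDN)
                + _ber(0x80, password.encode()))      # authentication: simple [0]
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def parse_simple_bind(data: bytes) -> dict:
    """Recover messageID, DN and the plaintext password from a simple BindRequest."""
    tag, body, _ = _read_tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    tag, msg_id, pos = _read_tlv(body, 0)
    tag, bind, _ = _read_tlv(body, pos)
    assert tag == 0x60, "not a BindRequest"
    _, version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    auth_tag, cred, _ = _read_tlv(bind, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": version[0],
        "dn": dn.decode(),
        # tag 0x80 is simple authentication: the secret travels exactly as typed
        "password": cred.decode() if auth_tag == 0x80 else None,
    }

if __name__ == "__main__":
    # Constructed sample: hypothetical service account, not a real credential.
    wire = build_simple_bind(1, "cn=hes-svc,dc=example,dc=local", "Example-Pass-123")
    print(wire.hex())
    print(parse_simple_bind(wire))
```

Anyone who can observe the port-389 traffic between the HES address and the Domain Controller recovers the bind credential this way, so the single-IP firewall rule limits who can reach the DC but does not protect the credential in transit.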