While trying to configure MOSS in a secure environment that will be used for a DOTCOM site where the WFEs are in a different subnet than that of the SQL Server, CA, and Indexer we ran into some trouble administering services running on the WFEs. It turns out there are some ports that need to opened to allow communication through the firewall that sits between the subnet where the WFEs sit and the subnet where the CA box resides.
I found a great document and Visio diagram on TechNET that will help to configure firewall traffic.
Plan security hardening for extranet environments – TechNET article
Extranet hardening planning tool: back-to-back perimeter – Awesome Visio diagram that has it all!