We want to put a firewall between our Exchange Server 2003 front-end and back-end servers. What's the maximum length of an HTTP header that might pass between the two servers?

The HTTP authentication header will likely be the longest of the headers passed between the front-end and back-end servers, although requests for items that are nested extremely deep in a public folder hierarchy might exceed your firewall's limit as well. Kerberos headers will generally be longer than basic or NT LAN Manager (NTLM) authentication headers. As a result, if you're using Kerberos, you might need to bump up the maximum header length to 5KB, depending on the complexity of your Kerberos implementation; otherwise, bumping up the maximum length to 2.5KB will cover you in most cases.