Thanks for the update, gibson_hg. It was useful info, but we didn't get it to work with that setup. I think it was a bad idea, as you say, with it being in the DMZ and ISA.
We have rebuilt BES on Windows 2003 Server and this is in the same VLAN as Exchange. The build went smoothly and there are no errors in the logs now. All looks good, but we still cannot activate a user!
Any ideas on what to look for?