Question: Lockout Guard On ISA, Using LDAP through Firewall

Good day. I have an ISA server in the DMZ running Lockout Guard. Lockout Guard needs to check AD for user account status (I know this is bad!!!). Can anyone confirm the ports I need to open to the internal network? (I believe it is 2711-2712 and 135 for LDAP.)

Answer: Lockout Guard On ISA, Using LDAP through Firewall

No. The network relationship between the Internal Network and the DMZ Network is a specific thing: it is either NAT'ed or it is routed. Since this is probably a Single NIC ISA "in the DMZ", this "relationship" is totally affected and controlled by whatever firewall you have between the LAN and the Internet.

Since your ISA is "in the DMZ", it is probably a Single NIC ISA; this means that you have another firewall between the LAN and the Internet. This is the firewall that has to allow the LDAP to pass to the Internal LAN. I cannot help with that; my familiarity is only with ISA.

Then, after this firewall "allows" it, the ISA itself has to allow it on top of that. For a Single NIC ISA the rule would be:

From: LocalHost
To: Internal  (yes, internal)
Protocol: LDAP
Users: "All Users"

If the network relationship between the DMZ and the Internal LAN is "routed", then the ISA's Internal Network definition will need to include the LAN's IP range, in spite of the fact that the ISA is in the DMZ.

If the network relationship between the DMZ and the Internal LAN is "NAT'ed", then the ISA's Internal Network definition would not need to be altered. The firewall would do the "publishing" and the ISA would treat the firewall as if it were the "LDAP Service".

That probably sounds really confusing, but that is the best I know how to lay it out.
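Once both firewalls have the rule in place, the thing a defender wants to confirm from the DMZ host is that exactly the LDAP path is open towards the domain controller and nothing wider. The script below is an added example, not code from the original thread or from ISA/Lockout Guard: it probes the standard LDAP port (TCP 389) and treats the ports the question mentions (135, 2711, 2712) as controls that should stay closed, reporting anything missing or over-exposed. The DC hostname is a placeholder, and the probe is injectable so the logic can be exercised without a live network.

```python
import socket
from typing import Callable, Dict, Iterable

# Placeholder domain controller name (not from the original post); replace it
# with the real DC the ISA host must reach for account-status lookups.
DC_HOST = "dc01.corp.example"

# TCP 389 is the standard LDAP port. The question's 135 / 2711 / 2712 are kept
# here only as "expected closed" controls so over-broad rules are noticed.
REQUIRED_PORTS = {389}
SHOULD_BE_CLOSED = {135, 2711, 2712}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_dmz_to_lan_path(host: str,
                           probe: Probe = tcp_probe,
                           required: Iterable[int] = REQUIRED_PORTS,
                           closed: Iterable[int] = SHOULD_BE_CLOSED) -> Dict[str, object]:
    """Probe every port of interest once and classify the outcome.

    'missing' lists required ports that did not answer (the rule chain is
    incomplete); 'exposed' lists control ports that did answer (the rule chain
    is wider than LDAP). 'ok' is True only when both lists are empty.
    """
    required = set(required)
    closed = set(closed)
    results = {p: probe(host, p) for p in sorted(required | closed)}
    missing = sorted(p for p in required if not results[p])
    exposed = sorted(p for p in closed if results[p])
    return {
        "results": results,
        "missing": missing,
        "exposed": exposed,
        "ok": not missing and not exposed,
    }


if __name__ == "__main__":
    verdict = assess_dmz_to_lan_path(DC_HOST)
    for port, reachable in verdict["results"].items():
        print(f"tcp/{port}: {'open' if reachable else 'closed'}")
    print("missing required ports:", verdict["missing"])
    print("unexpectedly open ports:", verdict["exposed"])
    print("least-exposure check:", "PASS" if verdict["ok"] else "FAIL")
```

Run it from the ISA host itself, since that is where the "From: LocalHost" rule applies; if 389 shows closed, the outer firewall rule is the first place to look, and if 135 shows open, the rule on one of the two firewalls is broader than it needs to be.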
