One of the many issues that had to be shaken out after I upgraded our enterprise domains from 2003 to 2008 was the issue of trusts through a firewall. I know, I know lets get the elephant in the room out of the way:
"Don't put a firewall in the middle of a trust".
Feel better now? Well sometimes you have to. The interesting discovery for me, is that Microsoft changed the range of port numbers required. To make matters worse since the range of ports changed, an existing trust relationship may work sometimes. Since the endpoints may choose a port that was already in range. The following Microsoft article tells you everything you need to know for every level of domain controller OS.