Firewalls and Exchange Servers

The main reason this guidance was developed was that customers were requesting that CAS be placed in a perimeter network. See https://msexchangeteam.com/archive/2009/10/21/452929.aspx for more information on why that is not supported. As the article indicates, the same guidance holds for the other server roles, with the exception of Edge Transport, which was designed for a usage scenario in which it communicates from the perimeter network to the internal network only via SMTP and accepts connections (LDAP and SMTP) from the internal network.

As for what customers can do: if their plan is to open all the defined ports between the Exchange and AD servers in Site A and all the Exchange and AD servers in Site B, then this would be supported, since one could argue that there isn't really a "firewall" between the two sets of servers anymore. They will be able to get support after deploying like that. And if an issue comes up and, while helping them debug it, it is found that network traffic was being blocked in a way that breaks some aspect of Exchange communication with other server roles in the AD sites, then they would at least be helped to get into a supported state (without traffic limitations between the Exchange servers and DCs).

Yes, this adds complexity. Yes, it could break things. Yes, customers have reasons to do it.