I have OWA 2000 in a perimeter network/firewall and Exchange 2000 in our internal LAN. I have disabled the public and private store on OWA as a security measure. However, I noticed that OWA is using port 691/TCP (Exchange routing) to try to connect to Exchange. Is this normal or is someone trying to hack?
Most likely that is normal traffic. Specifically, it is Link State Algorithm (LSA) traffic that is being exchanged by your Exchange servers via SMTP. This algorithm is based on the Open Shortest Path First (OSPF) protocol from networking technology, and transfers link state information between routing groups by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol (TCP) connection to port 691 in a routing group.
Exchange 2000 uses routing link state information to route messages and the routing table is regularly updated. The Microsoft Exchange Routing Engine listens for routing link state information on TCP port 691. The LSA propagates outing status information between Exchange 2000 servers.