Rsync outside the office on Nterprise Branch Office

Rsync server in main office behind BM3.7

Dynamic NAT on public card, Generic proxy for port 873 for Rsync,
access rule configured

unload ipflt and Rsync works

have set up simple TCP filter exceptions same as Craig's Beginner book
example for WebManager - Rsync can ping between servers, but won't
transfer files
tried simple exceptions similar to those used for GW - same problem

anybody got this working? or can offer clues?