Hi William, OK, I now understand your problem. However, I do not understand the solution :-) The conventional wisdom is that all outbound communcations leave with a source address that is the primary address on the external interface of the ISA Server. However, as you've discovered, that is not true. That fact is, there is no documentation as to what changes the source address to change from the primary address to one of the secondary addresses. I suspect its related to VPN, but since I really have no idea as to what's going on, it could be anything. Since there is no way to bind a particular service to a particular port for outbound access, you can't depend on a particular address of the external interface to be used as an identifier by a remote host. You can provide the range, but forget out used a single address on the external interface as an authenticator. HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: Wednesday, July 02, 2003 1:24 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Change IP Address of VPN http://www.ISAserver.org Hi Tom Don't know if I understand. Are you asking whether a new resource record for my ISA's external IPis created in my DNS once a VPN client has connected? If so, I will check shortly... As for the clients unable to connect, I mentioned earlier that the problem is that RRAS seems to secure the external IP Address upon which the VPN has been established (well, that's my naïve understanding so far) and this then prohibits any other non-VPN connection to then leave ISA on that same IP Address. So ISA then decides to route all other traffic (such as my SAP/R3 traffic) through one of the other 2 IP Addresses, and the reason then why my connection fails is because the "receiving" firewall for my SAP/R3 connection doesn't permit that specific IP Address. It is configured to only allow the first address, and none others. Now I know that I can fix this by telling my parent company to accept my full range of addresses, but I am concerned for future problems arising from a similar scenario. That is why I wish to change the IP Address that VPN clients use to connect to my ISA Server (I wish to use the last of the 3 addresses and "dedicate" it to VPN connections only) so that all the other (normal) traffic goes through the first IP Address, as it currently does, and then all inbound VPN's are established on the last IP Address. Your comments?