***INFORMATIVE email...my actual question is near the bottom***** Okay, I have written before about FTP publishing to non-standard ports: The application filter in ISA takes care of all the backend NAPT when FTPing to standard port 21, whether passive or active. However, it offers no such help when attempting to connect to a non-standard port. NOTE: in this instance, I am FTP'ing data to a machine in the DMZ (back to back) from an internal (LAT) client. Active mode is not possible at all because ISA does not translate the port to the FTP server, so as soon as IIS reads the PORT request, it realizes the IP address does not match where the request came from so you get the dreaded '500 Port Command Invalid' response. HOWEVER, in PASV mode, you can make the connection and ISA will translate the port and ip address ONLY IF YOU ALLOW THE OUTBOUND PORT OF THE SECOND REQUEST IT MAKES (that is, the ephermal port has to be open for outbound access on ISA). SO, this means I need to open all ports between 1025 - 5000 for outbound access on the internal ISA. I don't think that is a high security risk, so I am comfortable with doing it, but my question to this ISALIST, is what is the easiest way to do this? I really do not want to manually key in 3975 protocol entries and definitions! I was thinking a packet filter, but that was not working either. I created an ALLOW DYNAMIC local port to ALL remote and it didn't work. Anyhow, I know there were several other who are experiencing this problem of FTP to non-standard ports and so I hope this helps change that. I would love to talk with anyone who is having this problem...I understand it pretty well now. you know...for a seemingly robust product, there sure are alot of people who have problems with it... Logan