Hi Jerry,

I have a similar issue and I don't believe it's a "problem", it's more of a result of the way VPN works/is configured. I have users who VPN to our network to access SQL Server and other resources. When they connect, the IP of the VPN connection is now the gateway and it seems that all traffic on their machine now gets routed through the VPN. In order for VPN clients to surf with a web browser, I had to open up those ports for VPN users going out of our network.

What does this mean? All traffic from your VPN client machine is now routed through the VPN. Whether it is destined for your internet network or not, the VPN is now the gateway and all traffic flows through it. As in your situation, all traffic would have to go back out through corporate. Seems like a wasted round trip as well as a drain on bandwidth.

Thor's reply was:

Yes, there is a way, but it involves "routing tricks" which may or may not be easy for you to configure -- but I would encourage you to first think about the dangers of allowing your users to do whatever they want on an alternate pipe while connected up to your SQL server at the same time. Any malware, virus, or other nastiness that they may execute would have access to your SQL data in the context of the logged on user. It may be far more beneficial for you to control what the user can and can't do while connected up to your server. Barring that, you would need to configure the VPN client not to use the remote gateway, and then ensure that the SQL host was reachable via a route down the VPN.

Thomas Shinder was kind enough to send me this:
http://www.isaserver.org/tutorials/VPN_Client_Security_Issues.html

Good Luck and let us know what you do. as I would prefer NOT to have clients surfing through our network. I would prefer only the traffic destined for our network to come through the VPN.

Thanks!
-Paul

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Thursday, August 21, 2008 1:26 PM
To: isalist@xxxxxxxxxxxxx; isapros@xxxxxxxxxxxxx
Subject: [isalist] Fwd: ISA Server 2006 VPN Question

All,

I'm not sure this got through the first time so I thought I'd send it again and also submit to isapros.

---------- Forwarded message ----------
From: Jerry Young <jerrygyoungii@xxxxxxxxx>
Date: Aug 20, 2008 9:30 AM
Subject: ISA Server 2006 VPN Question
To: isalist@xxxxxxxxxxxxx

All,

I've set up a virtual environment on a workstation at my client's location and installed an ISA Server 2006 instance in this virtual environment (Hyper-V for those who are interested).

The basic topology of the environment looks like the following:

    Corporate Network (treating as ISA external)
          |
     .---------.
     |   ISA   | --- Perimeter Network (treating as ISA perimeter)
     '---------'
          |
    Internal Network (treating as ISA internal)

The Corporate Network is the corporate internal network; I'm simply using it as the "Internet" in this case.

The setup is working fine and I can VPN into the ISA server from the Corporate Network and access resources on the other two legs.

The "problem" is that doing so locks me out of the Corporate Network and I can no longer access those resources (Email, LCS, etc.) while connected.

I was wondering if there were a way (aside from allowing traffic from VPN clients to pass through the ISA server to the Corporate Network again) to be able to maintain access to the Corporate Network resources.

My client uses an SSL VPN Extender (Cisco) and that seems to work (access to local, home networking resources remains intact even while connected to the Corporate SSL VPN).

Thoughts?

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
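
The routing behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of how a VPN client picks a route (longest prefix, then lowest metric), used to check whether a route table is a full tunnel or a split tunnel. All addresses, interface names and metrics are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    metric: int


def route(net: str, interface: str, metric: int) -> Route:
    return Route(ipaddress.ip_network(net), interface, metric)


def select_route(table, dst: str) -> Optional[Route]:
    """Pick the route a client IP stack would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def exposure(table, protected_host: str, vpn_if: str = "vpn") -> dict:
    """Report where default traffic leaves and whether the protected host is reached over the VPN."""
    defaults = [r for r in table if r.network.prefixlen == 0]
    default_if = min(defaults, key=lambda r: r.metric).interface if defaults else None
    reach = select_route(table, protected_host)
    via_vpn = reach is not None and reach.interface == vpn_if
    return {
        "protected_via_vpn": via_vpn,
        "internet_via": default_if,
        # Split tunnel: protected host over the VPN, everything else on the local pipe.
        "split_tunnel": via_vpn and default_if != vpn_if,
    }


# Constructed sample tables (assumed addressing: 10.20.0.0/16 sits behind the VPN server).
LAN = [route("0.0.0.0/0", "lan", 20), route("192.168.1.0/24", "lan", 20)]
# "Use the remote gateway": the VPN installs a default route with a better metric.
FULL_TUNNEL = LAN + [route("0.0.0.0/0", "vpn", 1), route("10.20.0.0/16", "vpn", 1)]
# Remote gateway disabled, with one explicit route to the protected network.
SPLIT_TUNNEL = LAN + [route("10.20.0.0/16", "vpn", 1)]

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, exposure(table, "10.20.5.10"))
```

A table that reports `split_tunnel: True` is the configuration Thor's reply cautions about: the client reaches the protected host while its other traffic bypasses the VPN server's rules.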