Hello Ronny,

you may use ISA for this task, but I think it's better to place ISA behind your FW-1.

    Internet -> FW-1 -> ISA -> LAN

You are lowering the risk of your ISA getting compromised. In this scenario you can also use the authentication and personalized logging features of ISA.

More secure is this scenario with a DMZ:

    Internet -> FW-1 -> LAN
                 |
                ISA

Well, you lose the authentication information based on NT or W2K if you use these domains in your LAN, but if ISA gets compromised, it's not standing in your LAN.

An even better scenario is this:

    Internet -> FW-1 -> ISA -> FW-1 -> ISA -> LAN
                        DMZ

Now you can benefit from the authentication mechanism of ISA and have a real second layer of security.

As ever, it depends on the $ and the level of security your customer may need.

Best wishes
Holger Reichert
Business Manager
Holysword gbr
www.holysword.de

Ronny wrote:

I have a weird scenario.. A Checkpoint FW1 is in place and runs fine. The client wants to add a server that will do some antivirus scanning on HTTP. Checkpoint's CVP protocol does this, but is single threaded and basically will kill everything.

We are looking into placing an ISA server, with the AntiVirus stuff, before the Checkpoint FW. Since the users are already comfortable with using the FW1, here's my question: can I configure ISA to just allow all traffic through? All the FW rules will be handled by the Checkpoint FW. I also would like to have all the clients be SNAT, because I don't want to set up any software on the users' desktops.

Please let me know your thoughts.

Thanks
RS