Greetings list, I have an issue in the following scenario, my insight into ISA is still somewaht limited so right now I'm failing to understand this. I have a default internal network, I have a default external network, I have an added perimiter network I have only one nic enabled right now, I'm still testing web proxy features I want to enable web proxies for internal and perimiter networks which I think I did correctly, at least everything is working when traffic originates from my internal network However: my scenario includes various remote webservers only reachable via vpn tunnles. The remote web servers will only accept traffic originating in our internal network. Whilst playing around with this scenario I noticed the following: I have set up an access rule allowing everything from perimiter to ISA server, later on this will again be reduced to whatever is actually needed. On a host in the perimiter I entered the internal IP of ISA as the proxy, the perimiter actually gets 'routed' across a PIX sitting in between as well. I then try to access a remote web server, however, access is denied. ISA's monitor denies access to port 8080. The originating IP is taht of the actual host, target is ISA. The access rule permits everything from perimiter to ISA. I created the perimiter network as a network enabling the proxy on it as well as a network range containing the IPs of the perimiter network. I tried combinations of various objects in the access rule, finally opening up everything, but still I get an access denied which I don't get. Where is the error? (I'll gladly accept references to Tom's book or some website, this has probably been discussed somewhere before and I'm sorry if I'm bringing this up again) Thank you for your time Mit freundlichen Grüßen, kind regards, Milan Göllner Computer Services & Informationssysteme CAE Elektronik GmbH Military Simulation & Training 52220 Stolberg, Germany -- Tel: +49 (2402) 106 691 eMail: milan.goellner@xxxxxxxxxxx