Okay, so it is rule-based, that narrows down the troubleshooting significantly... When I ditch the "must use HTTPS" option in the listener (I cannot do it in the rule), I get this these three log entries when trying to access the website: HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. 0x0 0x0 Web Proxy Filter 1/30/2007 10:18:58 PM 24.213.58.250 80 http Failed Connection Attempt Web Server 75.128.225.6 anonymous External GET http://www.mapsnet.org/ 0x0 0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP Closed Connection 75.128.225.6 External Local Host - - 0x0 0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP Initiated Connection 75.128.225.6 External Local Host - - And when I say I cannot disable the option in the rule, this is why: I've recreated this rule many times, and the web publishing wizard always grays out the options that seem to be relevant... ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Thursday, February 01, 2007 12:32 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 The rule, not the website is returning that result. 12211 is an ISA; not an IIS response code. You get this in your ISA logs because your rule is configured this way. Your rule reacts this way because you told it to. Users get a 403 because their request doesn't match ISA policy requirements. Ditch the "must use HTTPS" option in the rule and troubleshoot the rule-based denial. All mail to and from this domain is GFI-scanned.