I've come to the conclusion that the protocol rules in ISA only work if the machine is running the firewall client, and probably many of you knew that already if it is true. My testing revealed if i create a destination set for my internal network. Then make a protocol rule to allow all ports and have the firewall client enabled, then i can connect out over the internet to a sql server i'm needing to contact. If i disable the firewall client then I cannot connect to it anymore. Here lies my problem, I do alot of VPN'ing to client networks, and upon doing so, I am not able to pcAnywhere or Remote Desktop into any of their machines including the server i just VPN'ed into. Any ideas? How can i unlock everything from the inside for an internal client without having to install the firewall client? Thanks, Koie Smith Nex-Tek, Inc. Technical Support Team