>>Okay, so why do you think it worked with ISA2000, but not with ISA2004? >It didn't. This is the most probable reason why it might work for ISA2000 and not for ISA2004: One of the differences: Example request with URL: http://xxx.com/test.txt from SNAT client ISA proxy function for plugins: GetServerVariable(pfc,"URL",&url[0],&dwSize)) Returns for SNAT&FW client On ISA2004: "/test.txt" On ISA2000 same function for same clients returns: "http://xxx.com/test.txt"; This change has to be considered by any ISA ISAPI Proxy plug-in working with URLs. Regards David Farinic. P.S.: IMHO user credentials are not in question here as problem is that they don't see URL which breaks everything. User's credentials don't as u can still deploy "filter [SEX sites] for all clients" scenario. -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Saturday, April 02, 2005 8:30 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: SurfControl & SNAT http://www.ISAserver.org It didn't. Neither SurfControl nor WebSense work with clients that are *strictly* FW or SNAT on ISA 2000. They *can* work with ISA 2004 because a fundamental design change that allows the web proxy to obtain credentials for these users. -----Original Message----- From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] Sent: Saturday, April 02, 2005 8:43 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: SurfControl & SNAT http://www.ISAserver.org Okay, so why do you think it worked with ISA2000, but not with ISA2004? There must be some fundamental design difference where it doesn't do a mass redirection of all web traffic through the proxy, like it did This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com