RE: Why Tom recommended NOT to use a gateway for FW Clients

DNS queries made by or directly via the TCP/IP stack do indeed avoid the FW
client.

Application GHB* queries, on the other hand, can either be Winsock or not,
depending on how the app is written.
That's why there isn't a "this / that" answer to the question of FW client
functionality.  It's dependent on too many things, some of which you control
at the ISA server, others that are controlled by the application developers.

Witness the issues getting MSNIM voice to work; file transfers work just
fine using the FW client (given proper settings in ISA), but voice fails,
because it doesn't play nice with the FW client GHBN functionality.

Mark Strangways can verify this; we spent a weekend trying to figure out
what was happening.

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/

----- Original Message -----
From: "Nigel Carroll" <nigel@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 29, 2001 05:11
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW
Clients




Thanks guys for all your feedback but I think Armando has got the best
answer as to why NOT to put a default GW on your FW clients - that being
that if you have a routed network then ALL non local subnet traffic will
be sent to ISA whether or not it is ultimately destined for the internet
therefore putting unnecessary burden on your ISA server.

And yes and as Jim, Brian and others have pointed out you may want to do
this as a form of security since withOUT a GW non winsock and non
tcp\udp traffic could not be sent to the internet from the FW client.

BTW Jim did you suggest that client DNS lookups do NOT use winsock calls
since they occur at a lower level?
Nigel

-----Original Message-----
From: Armando Treviño López [mailto:armando.trevino@xxxxxxxxxxx]
Sent: Thursday, 29 November 2001 3:54
Subject: RE: Why Tom recommended NOT to use a gateway for FW Clients


Another issue is that if you configure all computers as SNAT clients,
all IP traffic is routed by the ISA server (Not only internet, but also
intranet traffic if you have different networks in your LAN or WAN).
So maybe this will use more server resources.
