I hear what your saying Jim but my reading strongly suggests that even if you config a default GW the FW client s\ware will intercept all calls (inc DNS) and redirect to ISA anyway. Muqeem suggested that its best to give clients only one way out - again I understand the logic Muqeem but again the FW client will intercept anyway and infact configuring your clients with a default GW may be a good idea since they could fallback to a secureNAT client if something goes wrong with the FW s\ware. Any other suggestions? Nigel -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, 27 November 2001 23:07 Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients A host with a default route to the ISA via its default gateway becomes a secureNAT client. If you don't want them to become secureNAT, don't point their default gateways to the ISA server.