The FW client only intercepts Winsock calls. Any app using functionality below that will effectively circumvent the FW client. If the host is secureNAT, then they have a better (not guaranteed) chance of using ISA. If the host isn't secureNAT, they get nada outside the immediate subnet. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG ----- Original Message ----- From: "Nigel Carroll" <nigel@xxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, November 28, 2001 04:16 Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients http://www.ISAserver.org I hear what your saying Jim but my reading strongly suggests that even if you config a default GW the FW client s\ware will intercept all calls (inc DNS) and redirect to ISA anyway. Muqeem suggested that its best to give clients only one way out - again I understand the logic Muqeem but again the FW client will intercept anyway and infact configuring your clients with a default GW may be a good idea since they could fallback to a secureNAT client if something goes wrong with the FW s\ware. Any other suggestions? Nigel -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, 27 November 2001 23:07 Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients A host with a default route to the ISA via its default gateway becomes a secureNAT client. If you don't want them to become secureNAT, don't point their default gateways to the ISA server. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')