Put it this way, the firewall client will handle all TCP/UDP transactions and that's about it. If you wish to do other things like ping (ICMP) or VPN (GRE) then you need to be a SNAT client. So think of it as: know what it needs to be when using certain actions.

Brian Tirch
Entre Information Services
MCT, MCSE 4.0/2000, CCNA, CCA, A+, N+

-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 7:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients

http://www.ISAserver.org

I hear what you're saying Jim, but my reading strongly suggests that even if you config a default GW the FW client s\ware will intercept all calls (inc. DNS) and redirect to ISA anyway.

Muqeem suggested that it's best to give clients only one way out - again I understand the logic Muqeem, but again the FW client will intercept anyway, and in fact configuring your clients with a default GW may be a good idea since they could fall back to a secureNAT client if something goes wrong with the FW s\ware.

Any other suggestions?

Nigel

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 27 November 2001 23:07
Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients

A host with a default route to the ISA via its default gateway becomes a secureNAT client. If you don't want them to become secureNAT, don't point their default gateways to the ISA server.