Allo, I've had a bit of a hunt around for this answer but its eluded me yet. We've got a really simple flat network with no 'gateway' defined in the dhcp gateway options. All the clients have the firewall client installed. The isa server has 2 nic, on internal and one external. The isa internal nic has the isp dns addresses but no gateway, the external has no dns and the router gateway. I've changed all the access rules that pertain to the users to be for authenticated users or a specific group so there are no 'all users' rules other than denies. We use a few programs that I've setup specific protocols for and looking at the sessions monitoring tab I see them connecting as firewall clients. However when I filter sessions for securenat clients I still see between 10-20 clients showing up. It seems to be fairly active with sessions appearing and disconnecting but some connections stay connected all the time. Is this client applications trying to connect via the securenat unauthenticated route, failing and then connecting as a firewall client? I'd like to be able to trace what these securenat clients apps are, but the client username and application name always remain empty. Is there a way of tracking these using the logging features? I've tried picking one of the ips that are long time securenat connected and logging that client ip but it doenst show up anything beyond anonymous denied wspad entrys to the isa server. Apologies for the long winded nature of this question.