So, you can't publish IIS7 FTPS through ISA because the FTP Access filter gives an Access Denied as soon as one tries an AUTH SSL (obviously). Since the FTP Access filter is responsible for dynamically configuring/allowing secondary port access, you can't turn it off either. So, if once makes their own protocol to specify FTPS (TCP 21 inbound, not 991 btw) with a large secondary outbound connection range, ISA fails with a "unknown protocol" on the outbound secondary connection. Is there some magic to making ISA recognize secondary outbound connections for PASV FTP connection within the publishing rule? t