Yup, the ICA (& RDP) protocol API's all report the actual IP address of the connecting client and not the IP address that is being routed through in this case ! It suck's but that's how the protocol works unfortunately. You can't even tracert them because it's not a valid IP address, unless anyone know's a way to ID the IP of the connecting router involved and if so I'd love to know how (obviously you can trawl though Winsock call's and inet stuff but is there a higher level way to achieve this) ? Mark -----Original Message----- From: Bill Beckett [mailto:Bill.beckett@xxxxxxxxxxxxxxxxx] Sent: 27 October 2004 14:10 To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] OT - IP address Just wanted to know if anyone has any thoughts on this. I check our security logs every day and noticed something that to me at least, is odd. A user logs in from home and said user has a broadband connection and a wireless router (Linksys, netgear, that variety). If I check the security log and look at when the user disconnected from their session it has the EXTERNAL address provided by the ISP. However, if I go into Citrix Metaframe Admin and look at their disconnected session which is still hanging out there, hit the Information tab, it gives me the internal address (192.x.x.x in this case) of the PC behind the router. So, eventvwr gives the ISP assigned IP while MFAdmin gives the interal IP. Anyone know why the difference?