I think that is all you can use through owa. If you use isa you should consider the possibilities of ISA FP1 and secure exchange RPC publishing that will provide your clients with fully functional MS Outlook. The question is security, but I made research and there was no negative reports even with pre-FP1 RPC publishing, and the new one is improved. MS claims it is more secure than RPC over HTTP in w2k3, as isa can not scan content that is tunneled inside of http, and in secure rpc publishing, rpc is the protocol that transports messaging content and can be scanned for content and verbs/commands in use.All damage could be made on isa by DoS attack, freezing your isa, but it can not reach your exchange, which will keep functioning (for internal users). In that case your users can switch back to IE and OWA, until you recover isa. If you have isa array, your traffic could switch to second isa and would be no interruption of traffic at all. I have to say I don't have experience with this but it seems to be nice thing, and probably widely accepted in the future. Zoran