A custom app running (classic SBS config) on the server that requires TCP 57017 access through the firewall to an Internet-based IP cannot connect; the following shows up in the ISA monitoring: Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 0.0.0.0 SRV - TCP - - 59628 0 0 0 0x800733f5 0x0 0x0 Firewall 5/14/2007 4:41:29 PM 142.123.123.123 57017 VE Update Denied Connection SBS Internet Access Rule 172.16.100.2 Local Host External - - 0.0.0.0 SRV - TCP - - 59628 0 0 0 0x800733f5 0x0 0x0 Firewall 5/14/2007 4:41:32 PM 142.123.123.213 57017 VE Update Denied Connection SBS Internet Access Rule 172.16.100.2 Local Host External - - I have this custom protocol-base policy with free reign to the Internet anonymously to isolate the problem, but I still get denied by the last policy in the list. I have searched ISA help, support.microsoft.com, microsoft.com, and http://msdn2.microsoft.com/en-us/library/ms812624.aspx. Am I asking too much from Microsoft? And is this TCP 57017 dependent app $hitware or what! Did I mention that I am having lots of fun dealing with the svchost/Automatic updates issue which Microsoft royally f***** up on for millions of customers! Thanks! ...D