Thanks for the pdq response. The config is an interesting one. I have a watchguard x1000 firewall on a test internet connection, so no registered domain name for this. The ISA Server is connected to the DMZ segment of the x1000. I also have another machine on the dmz segment. Whether I come at it through the x1000, or from the machine in the dmz, I get the same response. The firewall takes all http requests and pushes them at the isa using static nat. The rule settings for the publishing rule are below, and since posing that, I tried putting in the external ip address of the ISA (ip of the dmz link), but that did not work, then I tried that in conjunction with changing where the request comes from etc, and none of those seemed to make much of a difference. I should not think this is the directory browsing issue as the error is: Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) So the link I posted in my last mail I am hoping to use to try and put the correct settings in place together. Whether I use the IP Address of the ISA, or the internal dns name of the tsfarm in the publics address page it seems to make no difference, and I even began with having it set to listen for all, so am a but confused on this one, especially as I have had simple http listeners work on different ISA 2K4 SP1 boxes in the past. To save scrolling: The rule I have set on the ISA Server has the following properties: Action Tab: Set to allow From Tab: set to External To Tab: netbios name of the network loadbalancer, with 'Request appear to come from ISA' selected Traffic Tab: HTTP only Listener Tab: Listener I created listens on port 80 only and uses integrated authentication Public Name Tab: currently set to all requests Paths Tab: set to /tsweb (as per the documentation for TSWEB) Bridging Tab: Web server is selected with redirect http to port 80 Users Tab: is currently all users Schedule Tab: always Link Translation Tab: nothing configured Thanks Clayton All mail to and from this domain is GFI-scanned.