We've been using Checkpoint until now, but are trying to implement an ISA server as a replacement. One thing we are having trouble with is Tunnelling.

We have an Internal VPN server that communicates with other servers around the world using port 3265. Traffic between these servers is encrypted, and previously, all we needed to do was add a Checkpoint rule saying:

Source: Any
Destination: IP of VPN Server
Port: 3265
Action: Accept

This would allow all such traffic to go to the VPN Server, and only that server. The two VPN servers would handle the entire communication process between them, authentication, encryption/decryption, etc. We did the same thing with cc:Mail Router over TCP/IP, which uses (IIRC) port 3264.

With ISA 2004 we keep getting Denied Connection. It doesn't seem to want to allow traffic through uninspected.

Has anybody else got non-standard application and port requirements, and if so, have you found a solution?

Cheers,
Kevin L.
Bahrain Petroleum Company