I have a somewhat strange problem with one of my ISA2004 installations. It is a pretty simple setup. Only the default rule and one Access Rule called "My Rule" : Allow outbound FTP and HTTP for all Authenticated users. Client setup as secure NAT, but with proxy settings enabled. Now HTTP traffic flows through the ISA with no problems, and the ISA correctly logs the username of the user. FTP traffic is blocked, and according to the logs, by the My Rule, and not by the default rule, which it should be if the Internet Explorer did not authenticate to the ISA. Using a packet sniffer I can see that for HTTP the traffic is sent to the ISA on TCP 8080, but for FTP the traffic is sent on TCP 21 as SYNs only (no Syn Ack) When installing the Firewall Client and trying FTP using the commandline FTP util, the connection is successfull and allowed by My Rule. Using the packet sniffer I can see the client connect on TCP 1745 (Which I believe to be the FW Client communication on the ISA server). When trying FTP from Internet Explorer (both with and without proxy settings), the connection is denied by My Rule, and with the packet sniffer I see traffic on TCP 21. I have tried several clients, and all with the same problem. Has anybody seen this kind of behavior from an ISA 2004 server before ? /Michael