As you can tell I am a newbie with this - my thinking was have the user's connection from the Internet to our VPN servers be authernicated by an ISA server. I thought doing so would enable us to place domain wide remote access policies in one place and to audit our VPN connections. Am I way off base? thanks very much for the note.