>ISA runs DNS too, and the internal clients point to this DNS. This MS DNS >server is setup to refer to the ISPs DNS upstream if it can't resolve. Do you mean forward the request? Is the DNS setup as Cache only, or is there a zone configured? >When a user attempts to access a service (POP3/WWW) or site by domain name, >there is a noticeable pause of many seconds (upto 20 seconds) before the name >is resolved, and access begins. These clients are operating as SecureNAT, >and the browsers point to the 8080 web proxy. IP filtering is on. If the client is SecureNAT, then don't you leave the web proxy blank? John Tolmachoff IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com