Hello!

I am confused about the following environment that I need to configure with ISA:

1) allow all my intranet users to access only my DMZ external FTP server
2) allow only some intranet machines to access FTP servers on the internet.

I have SNAT clients only. I didn't set up the ISA as an auxiliary DC (AD integrated), because I think that it's not a trusted environment. In case of some weakness, the intruder would have direct access to a DC.

For case 2 I had these rules:

* Protocol Rules
  RuleName = InternetFTP
  Action = Allow
  Protocol = FTP
  Schedule = Always
  Applies To = List of Intranet Ips allowed to ftp in the internet

* Site and content Rules:
  RuleName = ContensOpenAccess
  Destinations = All
  Schedule = Always
  Action = Allow
  AppliesTo = My Intranet IP Range
  HTTP Content = All content Groups

Note: My basic policy is to allow protocols, like HTTP, in the protocol rules, and in "sites and content rules" I use a ContentOpenAccess rule. To restrict access to the internet I work with DENY rules based on external destinations, such as unwanted web sites, and based on unwanted content types.

My problem is for the case 2? If I create a protocol rule that allows all intranet IPs for the FTP protocol, I can't restrict them to my external FTP server in "site and content rules", because they can use the ContentOpenAccess rule to go to the internet. If I deny "all external destinations" except my external-ftp-server, the group of intranet users that can access internet FTP sites are denied too, because they are part of my intranet users, and they need to have access to the two places (my external-ftp-server and the internet-ftp-sites).

Could someone help me?

Morvan.