OK, here's an odd one for you. I've almost completed my transition from ISA 2006 to TMG. Yesterday I reconfigured DHCP so that all my clients started using TMG as their default gateway. We then discovered a problem. One of the users needed to FTP a file to someplace offsite. Something he does regularly to this site. (I hadn't discovered this problem because those of us testing the firewall don't use FTP much.) His FTP failed when using Windows Explorer to do the FTPing. I tried replicating the problem from the command line, while monitoring the activity from TMG. My FTP also failed. The command line returned this error: 502 Active FTP not allowed. 550 Access is denied. However, TMG returned no errors at all. After a while, I hit upon the FTP filter. It has a checkbox that is checked by default that is labeled "Read Only" and says "When Read Only is selected, FTP uploads will be blocked." I unchecked that box and tried again. The upload from the command line failed again, with a slightly different error: 502 Active FTP not allowed. 550 No port specified. Again, no errors reported by TMG. However, the FTP now works from Windows Explorer. So, a couple of oddities come to mind. 1. Why is it that the default in an "allow" rule is to have the filter block the traffic you just allowed? Seems weird to me. 2. Why does FTP work from Windows Explorer but not from the command line? Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Rob Moore Network Manager 215-241-7870 Helpdesk: 800-500-AFSC