Hi KK, Your DMZ interface needs to be a subnet of your public block. Use private addresses on the internal network, since all LAT to non-LAT communcations are translated, so why waste good public addresses? Create packet filters to control access between the external network and the DMZ. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: kurzundknapp@xxxxxx [mailto:kurzundknapp@xxxxxx] Sent: Monday, March 31, 2003 7:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] Howto setup a LAT DMZ http://www.ISAserver.org Hi all... Our security concept is implemented with a PIX firewall. The device has three interfaces named "external", "DMZ" and "internal". Since we have a whole B-class, all adresses within our registered range are in my LAT. Works pretty well for my web proxy clients to use the web proxy service. Well, I want to use some more features of our ISA server than just the web proxy service. I already installed integrated mode and physically have two NICs on the machine. As I have been testing and clicking around I noticed that some features (e.g. server publishing) requires "internal" and "external" addresses. Since our DMZ is implemented via routing (its a whole subnet of our B-class) ISA server does not let me publish any servers because all NICs are on the same subnet (the DMZ subnet). Is it possible to configure ISA server to recognize our DMZ subnet as external? Yours, KK