Hi David,

I actually have an article "in the can" on this subject. There are a lot of ways of doing this, but the technique mentioned by Shawn is best -- if you have public addresses available, just give them a public address and put the WAP in front of the ISA Server.

Another approach could be to create a LAT-based DMZ. This is especially good if hosts don't need to access the internal network. The LAT-based DMZ hosts can be exposed to the firewall policy while not being able to access resources on the internal network. If the WAP segment host does need access to the internal network for some reason, you can create a VPN connection and directly access resources on the internal network.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx]
Sent: Wednesday, May 28, 2003 7:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Design Question: Best Practice

http://www.ISAserver.org

You're right Shawn, I could use a segregated vlan (or a simple NAT?) and use one of the extra public IP's and then layout the CAT where it would be needed. The virus protection, I agree, would be their problem. The answer is adequate for a small business, but is it the same process for medium to large scale environments?

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Wednesday, May 28, 2003 8:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Design Question: Best Practice

If you have extra public IP's, create a segregated vlan that is part of the subnet the outside of your firewall. 'Course they'd have to provide their own virus protection, but that's not really your problem since they wouldn't be on your network. From your point of view it'd be no different than if they were at their office, unless you allow all kinds of incoming traffic for that subnet.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx