I have ISA Server in cache mode; the clients are web proxy clients. I have configured content rules allowing access to defined destinations to specific groups of users. Are you saying this is not possible, that to authenticate outbound internal requests I need ISA in integrated mode with a firewall client?