Inline means that the responses are imbedded within the quoted text of the original message... I have again attached the original set of messages to the bottom of this mail, if you look closely in that mail, you will see lines that begin with *'s... These are Jim's comments and questions to you..... Regarding the VPN clients... If you have the clients go through their VPN DUN connectiods and uncheck the box labeled "Use Default gateway on remote network" then the users will pass all internet traffic out to the internet and not through the VPN... This keeps them from using double bandwidth on your Internet connection for their web surfing while connected to the VPN... Of course, you can't log and control their web surfing this way though... If you want to be able to log and control their surfing through the VPN and ISA, then you will need to fill in the Proxy server settings on Internet Explorer (or Netscape, whatever)... In any case, you will need to do this for your dial-in RAS clients if you want them to get out to the Internet through your ISA server's connection... Win98 works just fine when requiring authentication with the Proxy settings filled in... Remember that the authentication will be in the form of Domain\Username (for NT4 style domains) or Username@xxxxxxxxxx (for Win2K domains).... Not to be sarcastic, but sounds like a pretty poor setup if you can't contact the remote users via email, corporate web page, etc with a set of instructions that will help them and make their connection more usable / user friendly? HTH JoeP -----Original Message----- From: jeff hooper [mailto:jeff.hooper@xxxxxxxxxx] Sent: Wednesday, November 14, 2001 12:17 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Internet Access through RAS or VPN http://www.ISAserver.org I don't understand what you mean by Inline? I have clients that are going out as SecureNat on my other ISA servers, and it's not possible for me to contact my remote users to tell them to put in the web settings. (Which I require authenication so the 98 don't usually get out that way anyway.) So how can I make my dial-in users go out through securenat on the same box.. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: JoePochedley@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Wednesday, November 14, 2001 11:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Internet Access through RAS or VPN http://www.ISAserver.org Inline... Jim Harrison MCP(NT4, 2K), A+, Network+, PCG ----- Original Message ----- From: "jeff hooper" <jeff.hooper@xxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, November 14, 2001 08:05 Subject: [isalist] Internet Access through RAS or VPN http://www.ISAserver.org Routing and Remote access is setup on a box with ISA server in firewall mode. The VPN and Modem pool work great. I want the people that dial-in to be able to get back out and surf. Right now the only way I can get this to work is with the Firewall client. Here is the setup. Internal interface has static routes to everything. * if you're using RRAS, make your routes in there; not in the "route -p add" command External interface has default gateway on it. RAS Users get private IP when they dial-in ie. 172.20.20.2-254 * is this subnet in the LAT? I have tried both selecting the RRAS as router w/lan and demand-dial routing, with remote access server always selected. I have setup a client access group with the IP's of my dial-in users, to allow all protocols, and all sites. (This is what lets my Firewall client users out, but doesn't let my RAS users be SNAT clients for some reason.) *RRAS clients can't be SNAT because they use their own IP address as the default gateway another option is I have a different ISA server that is my default gateway that the SNAT is working on, but if I remove my default gateway from the external interface of course the external VPN can't get it because it won't talk to the outside.. but Dial-in came get out through the other ISA server.