I've come across an odd situation I'm hoping someone has seen before. Lots of background on this one, so please excuse the length.

W2K Server, SP4, all patches, ISA w/Feature Pack 1. All clients are SecureNAT. I have a client address set to limit the access of certain groups of internal users by IP (they get a limited set of protocols and only get 4-5 websites due to a restrictive destination set). I also have another group of machines in a client address set that have no protocol restrictions and no destination set restrictions. All of this setup works flawlessly and has for well over a year.

Now here is where it gets fun: all users need to access a webserver using non-standard port 8080. Sounds pretty simple, right? Create a protocol rule for outbound 8080 and we're done, right? Not exactly. I created an outbound 8080 rule and permitted it for both client address sets; the non-restricted group can reach the site, the restricted group cannot.

Thinking that this was odd, I added the new site to the destination set as an allowed host for the restricted group. I entered both www.server.com and www.server.com:8080, just in case ISA was doing something funny with the traffic - still no luck. My next thought was that maybe it was the Listener for Outgoing Web Requests creating the conflict, so I changed the port for that and restarted the related services; still no luck.

Running out of ideas on this one. Anyone seen (and solved) this before? Thanks!