Re: Outlook Web Access through ISA on internal LAN

  • From: "JD" <jgd@xxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Sun, 19 May 2002 15:12:25 -0600

Tom,

The Netmon trace on the Exchange box (server name TELSTAR) for an
external client which is authenticating through my ISA server (IP
10.0.1.8) for a user with no log on locally rights on the Exchange server
gives the following results.
1. GET request from external client via ISA server to Exchange server with
short authentication string:
000000D0                                   41 75 74 68 6F            Autho
000000E0  72 69 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 rization:.Negoti
000000F0  61 74 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 42 ate.TlRMTVNTUAAB
00000100  41 41 41 41 42 34 49 49 6F 41 41 41 41 41 41 41 AAAAB4IIoAAAAAAA
00000110  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 3D AAAAAAAAAAAAAAA=

2. Response 401 Access Denied from Exchange server.  At this point I think
the browser (IE6) was trying unauthenticated access - at least that's what
the IIS logs seem to show.

3. GET request from external client via ISA server to Exchange server with
longer authentication string (basic authentication?  I'm not sure it is
because I can't read any clear-text password.)
00000030                    47 45 54 20 2F 65 78 63 68 61       GET./excha
00000040  6E 67 65 2F 20 48 54 54 50 2F 31 2E 30 0D 0A 56 nge/.HTTP/1.0..V
00000050  69 61 3A 20 31 2E 31 20 49 4E 54 45 4C 53 41 54 ia:.1.1.INTELSAT
00000060  0D 0A 48 6F 73 74 3A 20 6D 61 69 6C 73 65 72 76 ..Host:.....
... Line removed for security reasons! ... 
00000090  0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent:.Mo
000000A0  7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 zilla/4.0.(compa
000000B0  74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B tible;.MSIE.6.0;
000000C0  20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31 3B .Windows.NT.5.1;
000000D0  20 51 33 31 32 34 36 31 29 0D 0A 41 75 74 68 6F .Q312461)..Autho
000000E0  72 69 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 rization:.Negoti
000000F0  61 74 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 ate.TlRMTVNTUAAD
00000100  41 41 41 41 47 41 41 59 41 4B 41 41 41 41 41 59 AAAAGAAYAKAAAAAY
00000110  41 42 67 41 75 41 41 41 41 46 41 41 55 41 42 41 ABgAuAAAAFAAUABA
00000120  41 41 41 41 42 67 41 47 41 4A 41 41 41 41 41 4B AAAABgAGAJAAAAAK
00000130  41 41 6F 41 6C 67 41 41 41 41 41 41 41 41 44 51 AAoAlgAAAAAAAADQ
00000140  41 41 41 41 42 59 4B 49 6F 47 30 41 59 51 42 70 AAAABYKIoG0AYQBp
00000150  41 47 77 41 63 77 42 6C 41 48 49 41 64 67 42 6C AGwAcwBlAHIAdgBl
00000160  41 48 49 41 4C 67 42 74 41 47 55 41 63 67 42 6A AHIALgBtAGUAcgBj
00000170  41 47 67 41 59 51 42 75 41 48 51 41 64 41 42 68 AGgAYQBuAHQAdABh
00000180  41 48 6B 41 62 41 42 76 41 48 49 41 63 77 41 75 AHkAbABvAHIAcwAu
00000190  41 48 4D 41 5A 51 42 6D 41 48 51 41 62 77 42 75 AHMAZQBmAHQAbwBu
000001A0  41 43 34 41 63 77 42 6A 41 47 67 41 4C 67 42 31 AC4AcwBjAGgALgB1
000001B0  41 47 73 41 61 67 42 6E 41 47 51 41 51 67 42 42 AGsAagBnAGQAQgBB
000001C0  41 44 59 41 4D 41 41 77 41 4C 4D 38 4F 36 57 50 ADYAMAAwALM8O6WP
000001D0  6A 38 62 44 41 41 41 41 41 41 41 41 41 41 41 41 j8bDAAAAAAAAAAAA
000001E0  41 41 41 41 41 41 41 41 41 48 49 45 66 50 65 49 AAAAAAAAAHIEfPeI
... Line removed for security reasons! ... (pretty similar to above)
00000200  78 6F 6D 38 4F 34 52 56 45 51 3D 3D 0D 0A 41 63 xom8O4RVEQ==..Ac
00000210  63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C cept:.image/gif,
00000220  20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 .image/x-xbitmap
00000230  2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D ,.image/jpeg,.im
00000240  61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 age/pjpeg,.appli
00000250  63 61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 70 6F cation/vnd.ms-po
00000260  77 65 72 70 6F 69 6E 74 2C 20 61 70 70 6C 69 63 werpoint,.applic
00000270  61 74 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 ation/vnd.ms-exc
00000280  65 6C 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F el,.application/
00000290  6D 73 77 6F 72 64 2C 20 2A 2F 2A 0D 0A 41 63 63 msword,.*/*..Acc
000002A0  65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E ept-Language:.en
000002B0  2D 67 62 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F -gb..Accept-Enco
000002C0  64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C ding:.gzip,.defl
000002D0  61 74 65 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A ate..Connection:
000002E0  20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A    .Keep-Alive....

4. Response is HTTP status code 200 so it's authenticating with no
problems.
I'm not that good at interpreting netmon traces - see if you can work
out what form of authentication is being used.

I'm running a fairly simple network - one subnet 10.0.1.x, all Win2k
native mode single domain with 3 DCs (one is the Exchange server) and an
ISA box all patched to the latest service packs and hotfixes.

Hope this helps.  Is this an example of ISA passing something more than
basic authentication to Exchange?  As I've said before, the Exchange
server is set to authenticate with basic or Integrated authentication;
digest authentication is not selected.  The ISA box is set for no
authentication for incoming web request listeners.
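
Added example, not part of the original post: a Python sketch that classifies an Authorization header value by base64-decoding its token and checking for the NTLMSSP signature and message type, which is how the two traced requests can be told apart from Basic. The two token strings are copied from the trace above (the second only as far as its first two dump lines); the Basic sample and all function and constant names are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Token from request 1 of the trace, joined across its three dump lines.
TRACE_REQ1 = "Negotiate " + "TlRMTVNTUAAB" + "AAAAB4IIoAAAAAAA" + "AAAAAAAAAAAAAAA="
# First two dump lines only of the token from request 3 (deliberately truncated).
TRACE_REQ3_PREFIX = "Negotiate " + "TlRMTVNTUAAD" + "AAAAGAAYAKAAAAAY"
# Constructed sample of what Basic would look like on the wire.
BASIC_SAMPLE = "Basic " + base64.b64encode(b"alice:example").decode()


def classify_authorization(value):
    """Identify the mechanism carried in an Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    token = token.strip()
    # Tolerate a truncated capture: keep only whole 4-character groups.
    token = token[: len(token) - len(token) % 4]
    raw = base64.b64decode(token)

    if scheme == "basic":
        # Basic is base64("user:password"), readable once decoded.
        user = raw.split(b":", 1)[0].decode("latin-1")
        return {"mechanism": "Basic", "user": user}
    if scheme not in ("negotiate", "ntlm"):
        return {"mechanism": "unknown"}

    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        # Raw NTLM: 8-byte signature, then a little-endian message type.
        (mtype,) = struct.unpack_from("<I", raw, 8)
        info = {"mechanism": "NTLM", "message": NTLM_MESSAGES.get(mtype, "?")}
        if mtype == 1 and len(raw) >= 16:
            # In a type 1 message the negotiate flags follow the type field.
            (info["flags"],) = struct.unpack_from("<I", raw, 12)
        return info
    if raw[:1] == b"\x60":
        # An initial GSS-API token (SPNEGO/Kerberos) starts with ASN.1 tag 0x60.
        return {"mechanism": "SPNEGO/Kerberos"}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    for sample in (TRACE_REQ1, TRACE_REQ3_PREFIX, BASIC_SAMPLE):
        print(classify_authorization(sample))
```
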
