Would like to move to ISA 2004 form ISA 2000. Busy testing / learning (Using Toms book) On ISA 2000 we allow L2TP and PPTP VPN client access. However we limit the PPTP access to a small number of users where we have NAT-T issues. To make them more secure we disable the default filters that allow PPTP access from all external addresses . Then we ceate filters that allow PPTP access only from the IP addresses of our PPTP users (we make the get a fixed IP address from the ISP). We can't seem to do the same in ISA 2004. When we allow PPTP VPN client access the system policy allows access from all external addresses. Doesn't seem to be any way of disabling this so we can ceate our own rule Any ideas how I can get this to work MW (Am looking at certificate based EAP-TLS for PPTP access as an alternative but have problem - will post another query)