Hi anyone Please bear with me on what is probably quite a common and maybe a simple question. I have spent quite a lot of time looking for what I think is a simple answer and I still can't get a simple answer. I have gone through Technet, ISA homepage and isaserver.org and so far I have either not found the answer or I have found it, and I haven't understood. Quite simply, ISA help says a packet filter can be created to allow traffic flow between the internal network and the external network. To me, an example of this would be to ceate an TCP filter to allow the following: outbound traffic from source_TCP:dynamic to destination_TCP:1100 and from Internal IP 192.168.168.168 to External IP 196.44.44.44 My difficulty in answering this question is that I have not seen anything on Microsoft Technet or ISA homepage or isaserver.org which says that this is impossible. But, I have seen many references which say it is not advisable. Also, in tests on my systems, I have not been able to get even the simplest packet filter working from the externel network to the internal network or vice versa. I know that it is recommended to use server publishing for external - internal traffic, and I do use it in our environment, but I still would like a definite answer - just for arguments sake, can I create such a packet filter and if so, what addresses are applied for the local and remote computers? ISA Help says the following: IP packet filters are defined by the following parameters: Protocol, port, and direction. The filter allows or blocks traffic at the specified port, using the specified protocol. Local computer. The IP address of the computer in the INTERNAL network for which communication is open or blocked. You can specify a range or a single IP address on the ISA Server computer. Remote computer. The IP address of the computer on the Internet for which communication is allowed or blocked. Practical experience and isaserver.org tutorials says the following: ISA Server uses packet filtering to control inbound and outbound access to and from the EXTERNAL interface of the ISA Server. Packet filtering is the ISA Server's first line of defense against INBOUND attack. You should always use Protocol Rules to allow outbound access to external network resource for internal network clients. You should Web Publishing and Server Publishing Rules to allow inbound access from external network clients to internal network servers. Basically, to me, this means that packet filters apply to the EXTERNAL NIC and the PERIMETER (DMZ) NIC ONLY, NOT the internal NIC. Looking at the layout of the packet filter creation tool, it specifically mentions external network and perimeter network, NOT internal network at all. Please assist me with this, the answer may well be all too obvious to others, but it's driving me nuts. Thanks Francois