Thanks Thomas Indirectly, yes, I have seen this newsletter - you probably could see that some of the info I pasted into my email was directly from the article: Howto use ISA server Packet Filters. It still doesn't really answer my question of whether or not it is possible. I agree that it is inadvisable. My angle here is that my company recently moved a client from an old Gauntlet NT Firewall to ISA. Some problems immediately became apparent: 1) ISA cannot, according to MS, create a packet filter (to a proper DMZ) for IP protocol 57 - an arbitrary protocol, but we use it for the group VPN links. 2) ISA cannot, according to everything I have researched, create a simple packet filter for inbound TCP connections from a DMZ to an internal SQL server for example. eg: webmail. However, web publishing and server publishing cover that angle even though there is a fairly heavy overhead of rulesets. Later, another problem reared its head - one of my client's suppliers hosts a server they need to connect to, on a custom TCP port. When the protocol rule is in place on ISA, speed is incredibly slow - perhaps 20 to 50 times slower than web access to a web server which is on their same subnet, behind the same firewall. As a test, we fired up the old Gauntlet, which used packet filters not proxy plug-ins, and the speed immediately came up to par with http access speeds ??? This is the reason for my queries regarding a packet filter. Francois -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 19 June 2003 08:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Packet filters ??? http://www.ISAserver.org Hi Francois, Did you see this one at www.isaserver.org? http://www.isaserver.org/pages/newsletters/July.asp HTH, Tom Thomas W Shinder