Raj, Jim, John: Guys, guys, guys, calm down........ we're all professionals here - yes? (This is the first time I've used discussion pages for resolving an issue - didn't know I would start something!) ISA 2004 is being used as an application layer 'firewall' for OWA and possibly other web apps. In this way it should be working in a perfectly allowable configuration - reverse proxy mode. There is after all a network template for this. I'm pretty sure Tom's document that Raj mentions is one I've used, but could you send me it anyway? What I failed to mention is that the ISA server is out of the AD domain as is my common practice with software based systems. This would not be an issue surely? As I have said, I cannot see any packets attempting to talk to the front end. Also, I'm slightly concerned that I cannot select the certificate under 'bridging' but can in the 'listener' - is this an issue? (I have still selected 'switch to ssl') cool, laid back, regards, Walter.