Dan, Its generally a bad idea to put the firewall client on the server itself due to the way that the firewall client will dynamically create packets filters to allow any outbound packet from the server (unless that packet type has been explicitly denied). This could potentially create 'holes' in your firewall (such as if the IIS server were infected with a trojan). I'm not quite sure what you mean by your second question. It appears you want to know why external firewall clients cannot reach an internal server? If this is correct then the question doesnt make sence. Only internal clients can make use of firewall/secureNAT, external clients will either come in via server or web publishing rules Hope this helps -----Original Message----- From: Daniel L. Miller [mailto:dmiller@xxxxxxxxx] Sent: 12 October 2002 18:20 To: [ISAserver.org Discussion List] Subject: Server clients I know I've seen this before, but why is it a bad thing for the IIS server to be a firewall client? And why can I only get to my internal servers (through the external interface) via the firewall client and not securenat?