:) OK, that's better. Yes, you can configure the VPN clients to use both the Firewall client and the Web Proxy client configuration and configure those clients to use an ISA Firewall that's not the one that they're connected to. You can even have the VPN clients take advantage of your internal WPAD entries when they connect to the VPN server and contact the internal DNS server. However, its not quite that easy. The reason for that is that autoconfig will configure the LAN connection's Web proxy config, and you need to configure the VPN client connection to use the Web proxy configuration. Like Jim mentioned, the easiest way to do this is using the CMAK, unless you want your users to configure this manually. The CMAK won't configure the Firewall client, but WPAD will do that when the VPN client connects to the network. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- Microsoft Firewalls (ISA) ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Thursday, November 15, 2007 4:58 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: VPN users and proxy Did I say ISA client again? I need to add some kind of rule on my outlook. Of course I was talking about the firewall client, what else? ;-) -------------------------- Sent from my BlackBerry Wireless Device ----- Original Message ----- From: isalist-bounce@xxxxxxxxxxxxx <isalist-bounce@xxxxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx> Sent: Wed Nov 14 20:14:13 2007 Subject: [isalist] Re: VPN users and proxy I have an answer, but you have to call the FIREWALL client by it's correct name ;) Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- Microsoft Firewalls (ISA) ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA ASST MGR Sent: Wednesday, November 14, 2007 2:59 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] VPN users and proxy I have 1 ISA 2004 EE configured as a proxy/firewall for internal users and is also acting as a VPN server (1 IP there is configured to accept VPN connections). Since for the VPN users the ISA itself is the gateway (when they are connected), they are going to internet trough that same ISA server. There is any way to force those VPN clients to use another internal ISA server (ISA 2006 EE) as a proxy? For sure doesn't work simply specifying the name of that other ISA server on the IE or proxy client, because I already tried. Both ISA servers are on the same subnet (the VPN server and the one I want them to use as proxy). Thanks Regards Diego R. Pietruszka MSC (USA) - Interlink Transport Technologies