Hi Daniel,

I don't know if ISA supports VPN client/server connections using IPSec tunnel mode, but I doubt it for the same reasons that ISA doesn't support gateway to gateway VPN connections.

If you want to establish a gateway to gateway configuration between two ISA Servers, or an ISA Server firewall/VPN server, and a Windows 2000 machine, I've got that scenario covered over at www.isaserver.org/shinder:

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA Server to Windows 2000 RRAS - Part 1
Date - Mar 20, 2003
Section - Tutorials :: Configuration - General
One scenario that frequently comes up on the Web boards and mailing list is how to configure a gateway to gateway VPN when one side is running ISA Server and the other side is running only the Windows 2000 RRAS NAT and VPN Server. This is a common scenario for companies who are willing to make the expenditure for a heavy duty firewall at the main office, but only want to provide basic NAT and VPN gateway services at a remote office.

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA Server to Windows 2000 RRAS - Part 2
Date - Mar 23, 2003
Section - Articles
We finish up our discussion on configuring an ISA Server to Win2k RRAS gateway to gateway VPN link in part 2 of this article.

If there is a CP firewall in front of the ISA firewall, or in front of the Windows 2000 RRAS VPN, then you need to pass through the VPN protocols to the ISA VPN gateway or Windows 2000 VPN gateway. For example:

Win2k VPN -- CP -- Internet -- ISA Firewall

The gateway to gateway link can be established between the ISA firewall and the Win2k VPN as long as you pass the PPTP through the CP box to the Windows 2000 VPN. And if you were using Windows Server 2003 for the VPN gateway behind the CP box on the ISA firewall, you could take advantage of NAT-T and just pass the UDP 500 and UDP 4500, plus IP Protocol 50 (ESP) through. In fact, you do not even need to pass UDP 1701 through the CP box because it's encapsulated in the UDP 4500 header, but that filter does need to be enabled on the ISA firewall.

Check out:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dnsbf_vpn_uzuu.asp
for help on the static packet filter config on an upstream firewall/router.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Accioly, Daniel [mailto:daniel.accioly@xxxxxxxxxxxxx]
Sent: Thursday, August 07, 2003 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN with checkpoint

http://www.ISAserver.org

Tom,

So ISA just supports client-to-gateway VPN connections? I need to establish a site-to-site VPN and I have an ISA on one side and a Checkpoint VPN-1 SmallOffice on the other. Would it be a good solution to install a W2K Server behind my checkpoint FW and establish the VPN connection between the ISA and the Server? Can you also tell me where I can find more information about it?

Thank you!
Daniel
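
The pass-through requirements from Tom's reply, as an added example that is not part of the original thread: a small audit of an upstream firewall's rules for a VPN gateway behind it. The rule format, names and the 192.0.2.10 address are hypothetical (not Check Point or ISA Server syntax), rule ordering is ignored, and the PPTP entries (TCP 1723 plus GRE, IP protocol 47) are the standard PPTP channels rather than something the reply spells out.

```python
# Flows the upstream firewall must pass to the VPN gateway, as (protocol, dst port).
# The NAT-T set is the one listed in the reply: UDP 500, UDP 4500, IP protocol 50 (ESP).
REQUIRED = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp-ipsec-natt": {("udp", 500), ("udp", 4500), ("esp", None)},
}
# Traffic that rides inside the tunnel and does not need its own upstream rule:
# per the reply, L2TP's UDP 1701 is encapsulated in the UDP 4500 header.
ENCAPSULATED = {"l2tp-ipsec-natt": {("udp", 1701)}}

GATEWAY = "192.0.2.10"  # constructed documentation address for the VPN gateway

# Constructed sample rule set for the upstream (pass-through) firewall.
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "dport": 500, "dst": GATEWAY},
    {"action": "allow", "proto": "udp", "dport": 4500, "dst": GATEWAY},
    {"action": "allow", "proto": "udp", "dport": 1701, "dst": GATEWAY},
    {"action": "allow", "proto": "tcp", "dport": 1723, "dst": "any"},
    {"action": "deny", "proto": "esp", "dport": None, "dst": GATEWAY},
]

def audit(rules, vpn_type, gateway_ip):
    """Compare allow rules that reach the gateway with what vpn_type needs."""
    allowed, too_broad = set(), set()
    for rule in rules:
        if rule["action"] != "allow" or rule["dst"] not in (gateway_ip, "any"):
            continue
        flow = (rule["proto"], rule["dport"])
        allowed.add(flow)
        if rule["dst"] == "any":
            too_broad.add(flow)  # should be scoped to the gateway address
    required = REQUIRED[vpn_type]
    return {
        "missing": required - allowed,        # tunnel will not come up
        "not_needed": allowed - required,     # candidates for removal
        "encapsulated_but_open": allowed & ENCAPSULATED.get(vpn_type, set()),
        "too_broad": too_broad,
    }

if __name__ == "__main__":
    for vpn in REQUIRED:
        print(vpn, audit(SAMPLE_RULES, vpn, GATEWAY))
```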