Hi, We have this network at the moment : LAN1 ------ISA-----Cisco Pix----internet-----Cisco Pix ------ LAN2 We have a VPN tunnel between the 2 pixes Employees can reach servers on LAN2 by using terminal services I can restrict the use of Terminal Services by adding a protocol definition of TerminalServers (tcp 3389) and adding a protocol rule for a group to allow Terminal Services. However, i can not restrict the sites they are allowed to use the Terminal Services on. I only want them to be using Terminal Services for LAN2, not for any other destination. How can i solve this problem ? Thanks in advance Met vriendelijke groet, Sebastian van Dijk