Any help is MOST appreciated. Setup prior to issue ocurring: NT 4 domain Multiple routed subnets on same frame backbone Serveral gateway to gateway segments using ISA 2004 SAP systems on separate domain operating on NT 4 Clients behind a gateway connection could utilize the SAP GUI (uses pure IP / TCP routing) and connect just fine. Setup changes: NT 4 domain upgraded to AD on 2003 SAP servers upgraded to 2000 servers except PDC/BDC (still NT4 domain separate from corporate domain) Issue: Currently ANY sap gui user can connect from a corporate network/frame connection. Currently clients behind a gateway connection can not connect to sap via the gui with error "WSAEConnRefused" which points to firewall, or such, blocking access. HOWEVER, if same client creates a client side vpn connection to the main office Gateway ISA server the gui works fine. Note that the SAP domain and the Main office gateway set on the same subnet, so the vpn client connection is obtaining an IP that is local to the SAP systems. Further notes: With a normal gateway connection, clients behind the gateway, can ping and tracert route the SAP server IP addresses. Routing is in place and functioning. All ISA gateway servers are on windows 2k, sp4, ISA sp2, FeaturePk 1 with all updates. They are also all in the RAS and IAS group in AD. Firewall logs show NO blocks of any connections to SAP IP's or their utilized ports. Folks, what am I missing here. Why are only gateway clients failing and why do they work on client vpn connection just fine. I really need some insight on this one and I have tried everything I know to try. Thanks -John