Good point. The reason I mentioned ROUTE ADD is because my current configuration involves multiple sub-nets, using multiple internal Networks in ISA. So, I can't even get to the other subnet without passing through the ISA server, and reconfiguring the network at this point would be a nightmare.

However, this looks like it will be changing in a few months with the installation of new fiber allowing us to have almost all of our subnets combined into one large subnet. At that point, a concept like this might actually be practical, with all of the DHCP clients having no default gateway.

I was curious if anyone had any other ideas similar to this...

-----Original Message-----
From: David Haam [mailto:DavidH@xxxxxxxxxxxx]
Sent: Wednesday, March 30, 2005 10:13
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: possible fix

ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004
http://www.ISAserver.org

It would be more "manageable" to design your IP routing infrastructure to have clients route on your internal network through what's put in as the default gateway, but not allow that final route outbound. Trying to manage manual routes and ROUTE ADD commands is a real pain.

i.e. If you have only one internal subnet, it would be just eliminating the default gateway. If you have multiple internal subnets, just make sure that the "last hop" outbound is only for the server subnet (or using ACLs to allow only the SecureNAT devices to route out).

Since your internal networking will be a solid IP routing infrastructure, all clients should be able to get to the ISA server to be proxy clients.