I'm going to need to chain a couple of ISA servers, I think, and need to check if my thinking it correct before I do so. I could use a bit of advice from those of your typically supporting larger environments. The network is setup with 2 main hubs with a bunch of branch offices hanging off each one. The Main Office has a T1 to the Internet. The other hub has no Internet access except through the Main Office. However, the hubs all have DSL or cable Internet connections. The only firewall in the network sits between the Main Office and it's T1 to the Internet. They completely trust the Internal network regardless of whether the branch has its own Internet access or not. My goals are: Stop trusting the branch offices Separate the web facing servers from the LAN servers Eliminate general purpose web traffic over the T1 lines Eventually setup VPN instead of T1 between branch offices and hubs Current setup: Main office (vintage checkpoint) T1 to Internet Main office T1 to Other Hub Main office T1 lines to branch offices Other Hub T1 lines to branch offices Some branch offices have Cable Internet routers and all are getting them soon along with the Other Hub location Proposed placement of ISA servers: Main Office Internal Network (ISA here) - (T1 line) -- Other Main Hub of Network with Internal facing servers only - (ISA here) -- Cable Connection to Internet and branch offices Main Office web servers -(T1 line) - (ISA here) - Internet and Branch Offices Another way of looking at it: ISA Web servers ISA Internal servers - T1 Other Hub - Internal servers - ISA - Internet and Branches Have I missed any ISA servers? Amy