Sometimes you have to configure things a specific way, understood. Keep in mind that a public certificate, from a company such as verisign, can be distributed to users dynamically (when they first use the portal), because many of these CAs are trusted by IE. Secondly, you are exposing the IP address of every citrix server, because these addresses will be contained within the ica file distributed by WI. Lastly, setting 128 bit encryption (I'm assuming) on all your published apps will create overhead when it isn't needed (internally). So my question is, what is your rule for NAT. I'm assuming here that you have configured WI for NAT by default, except when the requestor's IP range is x (internal). If this is already the case, confirm this: External | DMZ | Internal DMZ -> Internal : Ports 1494, XML Port. WI has DNS or Hosts to resolve all server IPs External -> DMZ : 80/443 to WI or Proxy Applicance External -> DMZ -> Internal : Port 1494 to all servers If that's all good, check time-out settings. I can't think of anything else at the moment. ******************************************************** This Weeks Sponsor RTO Software Do you know which applications are abusing your CPU and memory? Would you like to learn? -- Free for a limited time! Get the RTO Performance Analyzer to quickly learn the applications, users, and time of day possible problems exist. http://www.rtosoft.com/enter.asp?id=320 ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm