Anyone done much with Secure Gateway? I've got 2 of them (1 for failover). Pretty neat from what I've played with so far, fairly easy to setup. My question is on network placement. My network goes internet -> pix -> ISA -> trusted. There is nothing on my network that sits in the DMZ server wide, just a concentrator. All my servers and such are published through ISA. The exception being Citrix, which will go through the gateway only. Things are static nated from the PIX's external interface to it's internal. ISA's external interface matches with PIX's internal, and ISA"s internal matches the trusted network. For the purpose of the gateway, I can put it outside So I can stick the gateway out in the DMZ, or I can stick it on the trusted network behind ISA. Right now it's behind ISA so I ISA is publishing the gateway on port 80/443. Nothing else can get to the gateway on any other port. Should I leave it like this, or am I loosing some benefits of the gateway and/or opening myself up to risk. One of the points of ISA is to not have to put servers in a DMZ and use ISA to publish them, so it makes sense from that aspect.