Hi, This is a long e-mail but I hope that the answer for this problem, if there is one, will be useful for many people. First, some background information: Here at work we have been used MS solutions for a long time and since two years ago we have been migrating several services for Unix/Linux. For the last few months, I've been evaluating the feasibility of migrating workstations for Linux, but there's a problem about controlling Internet access that I've not been able to solve so far. We use MS ISA server to restrict Internet access, by user and by application. For example, I can set it up so that user A can access HTTP servers and use instant messengers, while users from group B are allowed to access FTP servers and users from group C are forbidden any access (users and groups are stored in Active Directory). In order to work this way, ISA Server provides a client that is installed at the Windows workstations. This client intercepts all TCP/IP requests and redirects them to the ISA server, along with the credentials of the current logged user. No additional configuration is needed in any application, they just "think" they are directly connected to the Internet. I need a way to do the same with Linux clients. It may be a software that acts like the ISA Firewall Client, interoperating with MS ISA Server (this would be very useful during migration), or it may be an entirely Linux based solution (preferred long term solution). I've tried the following so far: 1. Configure applications to use ISA Server as the proxy server. . Positive point: Firefox can do NTLM authentication and interoperates well with ISA Server. . Negative points: Many applications can't be configured to use proxies. Those which can are not able to authenticate against ISA Server. Even if they were, it would be necessary to configure each application for each user. In Firefox, the user have to retype his credentials every time he opens the browser and java applets do not work (JVM can't authenticate against ISA Server) 2. Use NTLMAPS / APServer on the client side . Positive point: Firefox can access Internet using APServer without requesting user credentials and java applets work fine. APServer can do NTLM authentication and interoperates well with ISA Server. . Negative points: It's usefull for HTTP access only. Other applications suffer from the same problems described in the previous solution. APServer is not user-friendly enough to be used by normal users and I can't configure it to start automatically (for that, I would have to set it up with a user account that would not match the current logged user). 3. Use squid on the server side . Positive point: HTTP access can be restricted by AD user accounts. squid is able to authenticate users against AD. . It's another HTTP-only solution. squid capabilities of restricting access by group are limited. Browser special configuration is required. 4. On the client side, use a script that creates iptables rules dinamically when a user logs on, according to his credentials. . Positive point: work for all applications. Works with ISA Server in NAT mode as well as with a Linux based NAT solution. . Negative points: administration is a nightmare. It's difficult to work with groups. The restrictions are enforced on the client side and not on the server side, what lowers down security. My network spans over a 800 km area, with many buildings. Each building has support personnel who must have local root access to the workstations in the building, but should not be able to set up their own restrictions for Internet access. It's not possible to prevent them from editing the local iptables rules, once they have root privileges at the workstations. Is there a way to get the results I need using Linux clients? Thanks, Marcelo