Sorry man. For the roaming profiles not to be downloaded to the client on a VPN connection, enable slow link detection in Group Policy as described in the following link: http://support.microsoft.com/?id=227260

That will make sure that roaming profiles do not get downloaded.

For my response, the DC will not have to be the VPN server for this scenario. The firewall will just have to pass the credentials the user specifies and have them authenticated by the DC using IAS. The firewall will still manage the connections, but the domain controllers will authenticate users.

Jim