Hi, > Do I then remove ldap from the authorize section so that it doesn't call > it every packet? I did a bunch of testing and it seems that I have to > do that to reduce the number of calls to our eDirectory servers. yes - only call it from the INNER check. otherwise you are in exactly the same situation alan