hi, I'd like to add into this that if you upgrade to 2.0 then the EAP is simpler and quicker - and your LDAP wont get hit with each request. it'll only get the bare required outside and then the essential inner tunnel stuff. alan