Hi Bob, ATLAS production is halted due to DQ2's inability to move data to sites. Panda team and BNL are now proposing to move data around using a new component of Panda, the PandaMover, as a complimentary (or replacement, depend on your view). PandaMover runs at BNL and needs write access to Tier 2 site's Local Replica Catalog (LRC) database via web services. John Bartelt had successfully tested a technique that uses a well maintained Apache server as a front end proxy. The proxy: 1) only forwards a pre-defined set up URLs to the actual ATLAS LRC web server (GET and POST) 2) only provides service to a pre-defined set of outside IP addresses. Does this satisfy to security concern of opening ATLAS Tier 2 production web services to (pre-defined) outside IP addresses? regards, -- Wei Yang | [log in to unmask] | 650-926-3338(O)