VM:Secure intercepts the COUPLE ACIEVENT when CP sends it through the ACI system. So, like LINKs, even if they are in your directory entry, the ESM is asked about them when they occur. So, we would assume that CP would pass the COUPLE through to the ESM to check on, regardless of how the COUPLE is done. However, these new rules will adhere to the NORULE setting so if you have NORULE ACCEPT, that would get you around this. If you are set up with NORULE REJECT, then yes, you would need to put a rule in for the TCPIP COUPLE to be covered. You could also put an ACCEPT in the VMXRPI CONFIG for TCPIP so that it could do COUPLE, whether VM:Secure is available or not.