So, unless I misunderstood your problem, it sounds to me that there's a problem with your approach. The HTML iframe tag takes a URL in its src attribute, much like an img tag. Your web browser then downloads the src of the iframe just as it would an image. In other words, with iframes, images, external scripts and css - your web browser sends HTTP get requests on your behalf to download those resources. So, if the "public cannot see web apps" on your intranet, then they won't be able to see them with an iframe - because the user will be the one requesting the iframe's src, not the portal server. To your question, there are various ways to tackle your problem, though there will be effort involved: - move the desired secured intranet applications to the DMZ (probably security risks) - write new portlets that access the same data/services as your internal apps (large development effort) Good luck, Andy View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4205423#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...