They only check in once despite the policy application of every 10 minutes, and the configuration choice is applied policy on the /all in the configuration console setting. I would think that if it were a fire wall issue it wouldn't allow the traffic by default, not just a single instance of the traffic. At first glance you would think it would be a domain issue, but i truly shouldn't matter as they are routed straight to the eset server. And it isn't every computer in the workgroup doing it, just most. Once I have the logs and don't see an immediate solution I'll revert with more. If I find a solution I will also report. I just wanted to make sure it wasn't a known issue or if someone had a similar problem what their experience was.