The boundary of an organization does not always coincide with its firewall. A member of an organization that is outside the firewall may wish to access internal Web services with the same ease and security that are common within the firewall. At the same time, the firewall should still be able to perform adequate access control, logging, and auditing. In this paper, we describe a new technique for secure Web tunneling, which permits the desired outside access to internal Web services. We argue that this technique is preferable to alternatives such as special firewall configurations, IP tunneling, and reverse proxies. We describe an implementation of Web tunneling that relies mostly on common, off-the-shelf components.