Solved

Bypass Stateful Packet Inspection - ISA 2006

Posted on 2011-03-16
Last Modified: 2012-05-11
Good Afternoon,

I need to disable SPI between a couple of IP Addresses from an external network to a device on my internal network through ISA 2006.

We are running a clinical trial and the application/device that needs to upload the data is being blocked by ISA due to its inbuilt SPI.

Has anyone done this before?

Thanks,

Gerald
Question by:gezzam
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35154326
Not a chance. Stateful packet inspection is a fundamental process that is responsible - in part - for the integrity of sessions and connections. No way you'd turn that off.
0
 

Author Comment

by:gezzam
ID: 35154338
Can I create a rule between the two IP addresses that disable SPI for that rule only?

The documentation from the trial company states that

Stateful Packet Inspection (SPI): If your network uses SPI, consider setting rules in the Firewall to not perform SPI on traffic originating from or terminating to the IP addresses listed in this document.

or

Could I turn it off temporarily just to see if this is the cause so I can investigate further?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35154455
Not as far as I am aware, it is an inherent feature. The only devices that allow this sort of thing are routers - and ISA Server is not a router.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 35167097
The "Trial company" is wrong. They are misusing and abusing the term "Stateful Inspection". Stateful Inspection means to inspect the "State" of the Connection to be sure that it is valid and intact. This is done at the connection itself and is primarily to determine that the Source and Destination have remained consistent as opposed to being hijacked and one of them being impersonated.

What they probably really mean is Application Layer Inspection (ALI), sometimes also called Deep Inspection. This can be turned off but is a real hassle to configure. What really needs to be done here is to inform us enough about how this product works and the nature of how it communicates, like the traffic profile and the actual Protocol it uses.
0
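The distinction drawn in the accepted answer, as an added conceptual example that is not part of the original thread and is not how ISA Server 2006 is implemented: a connection-state check looks only at endpoints and TCP flags, while an application-layer check parses the payload. The class and function names, the addresses, the port and the toy HTTP method allowlist are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:                          # constructed model of a TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    flags: set
    payload: bytes = b""

class StatefulFilter:
    """Connection-state check: looks at endpoints and TCP flags, never the payload."""
    def __init__(self, allowed_openers):
        self.allowed = allowed_openers  # {(src, dst, dport)} permitted to open a connection
        self.state = {}                 # flow key -> "SYN_SEEN" | "ESTABLISHED"

    def check(self, p):
        # Same key for both directions of one connection.
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        st = self.state.get(key)
        if st is None:
            if p.flags == {"SYN"} and (p.src, p.dst, p.dport) in self.allowed:
                self.state[key] = "SYN_SEEN"  # only a rule-permitted bare SYN creates state
                return True
            return False                # belongs to no known connection: drop
        if st == "SYN_SEEN":
            if p.flags != {"SYN", "ACK"}:
                return False            # handshake out of order
            self.state[key] = "ESTABLISHED"
        elif p.flags & {"FIN", "RST"}:
            del self.state[key]         # simplified teardown
        return True

def app_layer_filter(p, allowed_methods=(b"GET", b"POST")):
    """Application-layer check: parses the payload (toy HTTP method allowlist)."""
    return not p.payload or p.payload.split(b" ", 1)[0] in allowed_methods

def demo():
    ext, dev = "203.0.113.10", "10.0.0.5"   # constructed addresses
    fw = StatefulFilter({(ext, dev, 80)})
    handshake = [Packet(ext, 40000, dev, 80, {"SYN"}),
                 Packet(dev, 80, ext, 40000, {"SYN", "ACK"}),
                 Packet(ext, 40000, dev, 80, {"ACK"})]
    upload = Packet(ext, 40000, dev, 80, {"ACK", "PSH"}, b"PUT /data HTTP/1.1\r\n")
    stranger = Packet("198.51.100.7", 40000, dev, 80, {"ACK"})
    return {"handshake": [fw.check(p) for p in handshake],
            "upload_state_ok": fw.check(upload), "upload_app_ok": app_layer_filter(upload),
            "stranger_state_ok": fw.check(stranger)}
```

In `demo()`, the upload segment passes the state check because it belongs to an established connection, and is rejected only by the payload check; the segment from an address with no tracked connection fails the state check.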
 

Author Comment

by:gezzam
ID: 35177181
Thanks for the update, the trial company is supplying the client with a Wireless 3G Modem to upload, so it's not going on our network now so it has ceased to be an issue.

Thanks for the responses though.
0

Question has a verified solution.