Solved

Bypass Stateful Packet Inspection - ISA 2006

Posted on 2011-03-16
5
1,401 Views
Last Modified: 2012-05-11
Good Afternoon,

I need to disable SPI between a couple of IP Addresses from an external network to a device on my internal network through ISA 2006.

We are running a clinical trial and the application/device that needs to upload the data is being blocked by ISA due to it's inbuilt SPI

Has anyone done this before?

Thanks,

Gerald
0
Comment
Question by:gezzam
  • 2
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35154326
Not a chance. Stateful packet inspection is a fundamental process that is responsible - in part - for  the integrity of sessions and connections. No way you'd turn that off.
0
 

Author Comment

by:gezzam
ID: 35154338
Can I create a rule between the two IP addresses that disable SPI for that rule only?

The documentation from the trial company states that

Stateful Packet Inspection (SPI): If your network uses SPI, consider setting rules in the Firewall to not perform SPI on traffic originating from or terminating to the IP addresses listed in this document.

or

Could I turn it off temporarily just to see if this is the cause so I can investigate further
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 35154455
Not as far as I am aware, it is an inherent feature. The only devices that allow this sort of thing are routers - and ISA Server is not a router.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 35167097
The "Trial company" is wrong.  They are misuing and abusing the term "Stateful Inspection".   Stateful Inspection means to inspect the "State" of the Connection to be sure that it is valid and intact.  This is done at the connection itself and is primarily to determine that the Source and Destiantion have remained consistant as opposed to being hyjacked and one of them being impersonated.

What they probably really mean is Application Layer Inspection (ALI),...some times also called Deep Inspection.  This can be turned off but is a real hassle to configure.  What really needs to be done here is inform us enough about how this product works and the nature of how it communicates, like the traffic profile and the actual Protocol it uses.
0
 

Author Comment

by:gezzam
ID: 35177181
Thanks for the update, the trail company is supplying the client with a Wireless 3G Modem to upload, so it's not going on our network now so it has ceased to be an issue.

Thanks for the responses though.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its defa…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question