Internet Connection Sharing (ICS)
Windows XP offers a simple way to share one Internet connection with several computers in a small office or home office (SOHO). The feature that makes this possible is Internet Connection Sharing (ICS). For ICS to work, the sharing computer needs two network connections: an internal (private) connection, usually a LAN adapter, and an external (public) connection, usually a broadband or dial-up Internet connection. When ICS is enabled on the external connection, that connection is shared with the computers attached to the internal interface, and the ICS host becomes the gateway for all of their Internet traffic.
Configuring ICS is very simple, but enabling it has implications that need some thought. When you enable ICS, Windows XP changes the IP configuration of the internal interface: it assigns the static address 192.168.0.1 (mask 255.255.255.0) and configures the computer to act as a DHCP server and NAT gateway for the internal clients; the clients' DNS queries are answered through the ICS host as well. Clients that connect to the internal interface to use the shared connection must be configured to obtain an IP address and DNS settings automatically. If a DHCP server is already running on the internal network, you need to disable it, otherwise it will hand out addresses and gateway settings that conflict with those assigned by ICS.
This IP configuration is fixed, and it defines the main limitation of ICS: the DHCP component of ICS can assign addresses only from the single class C network 192.168.0.0/24 (range 192.168.0.2 to 192.168.0.254, i.e. 253 usable addresses). If you want to share an Internet connection among more than 253 computers, or across other or multiple subnets, you need the NAT component of Routing and Remote Access (RRAS) on a Windows 2000 or 2003 Server instead. It is, however, possible to have two internal network cards, which lets you share the connection with computers on a different network medium, e.g. one internal interface connected to a wired Ethernet segment and another for wireless clients. ICS supports only one private connection, so to make this configuration work you must create a network bridge between the two internal interfaces; the bridge then acts as the single internal interface, and the available private addresses are handed out to computers on both segments.
As mentioned before, configuring ICS is a simple task. All you need to do is select a checkbox on the public interface (the modem, or the NIC connected to the cable or DSL modem, for example). The checkbox is located on the Advanced tab of the public interface's Properties and is labelled Allow other network users to connect through this computer's Internet connection. Be sure to select the public interface and not the LAN adapter: enabling ICS on the wrong interface reassigns that interface to 192.168.0.1 and starts a DHCP server on a network that already has its own addressing.
When you enable ICS, the following additional options become available:
- Establish a dial-up connection whenever a computer on my network attempts to access the Internet. This option is available on dial-up connections and allows an internal client to bring up the connection on demand, even while the computer on which ICS is enabled is not actively using it.
- Home networking connection: when multiple internal interfaces are installed, this drop-down box lets you select which interface is the private network connection.
- Allow other network users to control or disable the shared Internet connection. When this option is enabled, any internal client can connect or disconnect the Internet connection for the entire internal network, so only enable it where every client on the private segment is trusted.
Instead of configuring ICS manually, you can also use the Network Setup Wizard. The wizard lets you choose the Internet (public) connection and the private connection, and can create a Network Setup Disk (floppy) to configure the internal clients.
Internet Connection Firewall (ICF)
Another useful feature in Windows XP for small office and home office networks with an Internet connection is the Internet Connection Firewall (ICF). ICF is a stateful filter for inbound traffic: it drops unsolicited incoming packets on the interface it is enabled on, so services listening on the local computer are unreachable from the Internet unless you explicitly open the corresponding TCP or UDP ports, while replies to connections initiated from the inside are allowed through. It does not filter outbound traffic and is not a substitute for a dedicated firewall, but it should be enabled on every Windows XP computer connected directly to the Internet.
To enable ICF, select the Protect my computer and network by limiting or preventing access to this computer from the Internet option on the Advanced tab of the Properties of the interface connected to the Internet.
When Internet Connection Sharing (ICS) is enabled, enable ICF on the shared (public) interface to protect the entire internal network. Do not enable it on the internal interface, as that would block the clients' traffic to the ICS host, and do not use it on VPN connections, as it interferes with file and print sharing over the VPN.
If you want users on the Internet to access services on your local computer, or on an internal computer behind your shared Internet connection, you can configure ICF to allow incoming traffic for specific services. To allow traffic for a service, specify the corresponding TCP and/or UDP port on the Services tab of the Advanced Settings dialog (click the Settings button below the ICS options on the Advanced tab). Every port you open here is reachable from the whole Internet, so open only the services you actually need to expose.

For example, if you run IIS on the local computer and you want users on the Internet to reach your HTTP web server, you must enable the Web Server (HTTP) entry to allow incoming traffic on TCP port 80. When ICS is enabled on the computer and a web server running on an internal computer must be available to Internet users, edit the listed service and specify the name or IP address of that computer; ICF then forwards the incoming connections through the NAT to that host, which from then on is exposed to the Internet on that port.
In addition to the services listed by default, you can also add your own allowed services. For each service you give a description, the name or IP address of the computer hosting the service on your network, the external port that Internet users connect to, the internal port the service listens on, and whether the service uses TCP or UDP.
The Security Logging tab of the Advanced Settings dialog allows you to configure the log settings for ICF.

Logging is not enabled by default. You can enable it for dropped packets and/or successful connections; enable at least logging of dropped packets, since that is the only record ICF keeps of the connection attempts it blocked. The default log file is pfirewall.log, stored in the %systemroot% folder (i.e. C:\Windows\), and the default size limit is 4096 KB. The file is written in W3C extended log format: a few # header lines, including a #Fields line naming the columns, followed by one space-separated record per packet or connection, with unused columns filled with a dash.
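The log is plain text, so the dropped-packet records can be parsed and summarised without any special tooling. The following Python 3 script is an added example, not code from the original article or from Microsoft: it reads the #Fields header, parses each record by the column names given there, and reports which ports are being probed and which sources hit several ports (a simple scan indicator). The log lines embedded in SAMPLE_LOG are constructed for the example, using documentation addresses, in the format ICF writes; the column names are taken from the #Fields header, and the threshold of three ports in flag_scanners is an arbitrary choice for illustration.

```python
"""Summarise dropped traffic from an ICF pfirewall.log (added example, not from the article)."""
from collections import Counter, defaultdict

# Constructed sample log in ICF's W3C extended format. Addresses are
# documentation ranges; 198.51.100.20 plays the ICF host's public address.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 21:04:11 DROP TCP 203.0.113.9 198.51.100.20 3122 135 48 S 2145611203 0 16384 - - -
2003-05-12 21:04:12 DROP TCP 203.0.113.9 198.51.100.20 3123 139 48 S 2145611304 0 16384 - - -
2003-05-12 21:04:12 DROP TCP 203.0.113.9 198.51.100.20 3124 445 48 S 2145611405 0 16384 - - -
2003-05-12 21:04:30 OPEN TCP 198.51.100.20 192.0.2.80 1045 80 - - - - - - - -
2003-05-12 21:04:31 DROP UDP 203.0.113.77 198.51.100.20 1434 1434 404 - - - - - - -
2003-05-12 21:04:40 DROP ICMP 203.0.113.9 198.51.100.20 - - 60 - - - - 8 0 -
2003-05-12 21:05:02 CLOSE TCP 198.51.100.20 192.0.2.80 1045 80 - - - - - - - -
"""

NUMERIC_FIELDS = ("src-port", "dst-port", "size", "icmptype", "icmpcode")


def parse_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; #Version etc. are skipped.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record found before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line (e.g. cut off at the size limit)
        rec = dict(zip(fields, values))
        for key in NUMERIC_FIELDS:
            # ICF writes '-' for columns that do not apply to the protocol.
            if key in rec:
                rec[key] = None if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def summarize_drops(records):
    """Count DROP records by (protocol, target): dst-port for TCP/UDP, type/code for ICMP."""
    counts = Counter()
    for rec in records:
        if rec["action"] != "DROP":
            continue
        if rec["protocol"] == "ICMP":
            target = "type %s code %s" % (rec["icmptype"], rec["icmpcode"])
        else:
            target = rec["dst-port"]
        counts[(rec["protocol"], target)] += 1
    return counts


def flag_scanners(records, min_ports=3):
    """Sources whose dropped TCP/UDP probes hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "DROP" and rec["dst-port"] is not None:
            ports[rec["src-ip"]].add((rec["protocol"], rec["dst-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("%d records parsed" % len(recs))
    for (proto, target), n in summarize_drops(recs).most_common():
        print("DROP %-4s %-16s %d" % (proto, target, n))
    for src, hit in flag_scanners(recs).items():
        print("possible scan from %s: %s" % (src, hit))
```

Run against a real log, replace SAMPLE_LOG with the contents of %systemroot%\pfirewall.log. In the constructed sample, the three TCP drops on 135, 139 and 445 from one source are the classic Windows file-sharing probe, and the dropped ICMP type 8 is an echo request, which ICF blocks unless Allow incoming echo request is enabled on the ICMP tab.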
On the ICMP tab of the Advanced Settings dialog you can allow different types of ICMP messages, all of which ICF blocks by default. For example, if you want a remote computer on the Internet to be able to ping your computer running ICF, you must enable the option Allow incoming echo request. Leave it disabled unless you need it: answering echo requests tells anyone sweeping the address range that the host is up and worth probing further.

ICF and ICS are features designed primarily for SOHOs, not for large domain environments. ICF causes problems if clients in a domain network enable it on their LAN interfaces, because it then blocks file and print sharing, remote administration and other inbound traffic the domain relies on. Large networks should instead rely on dedicated firewalls at the perimeter. Active Directory provides a Group Policy setting, Prohibit use of Internet Connection Firewall on your DNS domain network (under Computer Configuration, Administrative Templates, Network, Network Connections), that prevents ICF from being enabled while a computer is connected to its domain network; a companion setting does the same for ICS.