Internet Connection Sharing (ICS)
Windows XP offers a simple way to share an
Internet connection with multiple computers in a SOHO. The
feature that makes this possible is Internet Connection
Sharing (ICS). For ICS to work, you need a computer with
two network connections: an internal (private) connection,
which is usually a LAN interface card, and an external (public)
connection, which is usually a high-speed or dial-up Internet
connection. When ICS is configured on the external connection,
it will be shared with the computers that connect to the internal
The task of configuring ICS is very simple,
but the implications of enabling ICS require some consideration.
When you enable ICS, Windows XP changes the IP configuration
of the internal interface by assigning it a static IP address
(192.168.0.1), and is configured to act as a DHCP and NAT
server for the internal clients. Clients that connect to the
internal interface to access the shared Internet connection
must be configured to obtain an IP address and DNS configuration
automatically. If you already have DHCP server installed on
the internal network, you will need to disable it to prevent
conflict with addresses assigned by ICS.
This IP configuration is mandatory and automatically
implies the limitation of ICS: the DHCP component of ICS can
assign IP address from the class C network 192.168.0.0 /24
only (range 192.168.0.2 -192.168.0.254). If you want to share
an Internet connection amongst more than 253 computers, or
for other, or multiple subnets, you will need to implement
NAT included in RRAS on a Windows 2000/2003 Server. However,
it is possible to have two internal network cards, which allows
you to share the Internet connection with computers attached
to a different network medium, e.g. an internal interface
connected to a wired Ethernet network and an internal interface
for wireless clients. To make this configuration work, you
will need to create a network bridge between the two internal
interfaces. The available private IP addresses will be assigned
to computers on both internal segments.
As I mentioned before, configuring ICS is
a simple task. All you need to do is enable a checkbox on
the public interface (the modem or the NIC to cable router
for example). The checkbox is located on the Advanced
tab of the public interface’s Properties and is labelled
Allow other network users to connect through this computer's
When you enable ICS, the following additional
options become available:
- Establish a dialup connection whenever a computer on
my network attempts to access the Internet. This option
is available on dial-up connections and allows internal client
to setup the connection, even while the client on which ICS
is enabled is not actively using the connection.
- Home network connection: When multiple internal
interfaces are installed, the Home network connection
drop down box allows you to select which interface is the
‘private network connection’.
- Allow other network users to control or disable the
shared Internet connection. When this option is enabled,
internal clients can disconnect or connect the internet connection
for the entire internal network.
Instead of configuring ICS manually, you
can also use the Network Setup Wizard. The Network
Setup Wizard allows you to choose the Internet (public) connection,
the private connection, and create floppy disks to configure
the internal clients.
Internet Connection Firewall (ICF)
Back to top
Another useful feature in Windows XP for
small office and home office networks with an internet connection
is the Internet Connection Firewall (ICF). ICF restricts
access to services on the local computer by blocking the corresponding
TCP and UDP ports. Although it does not offer the best available
security, it should be enabled on Windows XP computers connected
directly to the internet.
To enable ICF, enable the Protect my
computer and network by limiting or preventing access to this
computer from the Internet option on the Advanced
tab of the Properties of the interface connected
to the Internet.
When Internet Connection Sharing (ICS)
is enabled, you can enable ICF for the shared interface to
protect the entire internal network. ICF should not be used
on VPN connections as it interferes with file sharing and
you want to allow users on the Internet to access services
on your local computer, or on a internal computer using your
shared Internet connection, you can configure ICF to allow
incoming traffic for certain services. To allow traffic from
specific services, you need to specify the corresponding TCP
and/or UDP port on the Services tab of the Advanced
Settings. (click Settings button below the ICS options
on the Advanced tab).
For example, if you run IIS on the local
network and you want users on the Internet to be able to access
your HTTP web server, you must enable the Web Server (HTTP)
option to allow incoming traffic on port 80. When ICS is enabled
on the computer and a web server running on an internal computer
must be available to Internet users, you can edit the listed
service to specify the name or IP address of that computer.
In addition to the services listed by default,
you can also add your own allowed services:
The Security Logging tab of the
Advanced Settings allows you to configure the log
settings for the ICF.
Logging is not enabled by default. You can
enable it for dropped packets and or successful connections.
The default log file is pfirewall.log and is stored in the
%systemroot% (i.e. C:\Windows\) folder. The default size limit
is 4096 KB.
On the ICMP
tab of the Advanced Settings you can allow different
types of ICMP messages. For example, if you want to enable
a remote computer on the Internet to be able to ping your
computer running ICF, you should enable the option Allow
incoming echo request.
and ICS are featured designed primarily for SOHOs and not
for large domain environments. ICF can cause undesirable issues
if clients in a network enable ICF on their LAN interfaces.
Instead, large network should use better alternatives such
as dedicated firewalls. Active Directory provides a group
policy setting called Prohibit the use of ICF on your
DNS domain network that can be used to prevent ICF from
being enabled in a certain domain.