Internet Connection Sharing (ICS)
XP offers a simple way to share an Internet connection with multiple
computers in a SOHO. The feature that makes this possible is Internet
Connection Sharing (ICS). For ICS to work, you need a computer with
two network connections: an internal (private) connection, which
is usually a LAN interface card, and an external (public) connection,
which is usually a high-speed or dial-up Internet connection. When
ICS is configured on the external connection, it will be shared
with the computers that connect to the internal interface.
The task of configuring ICS is very simple, but
the implications of enabling ICS require some consideration. When
you enable ICS, Windows XP changes the IP configuration of the internal
interface by assigning it a static IP address (192.168.0.1), and
the computer is configured to act as a DHCP and NAT server for the internal clients.
Clients that connect to the internal interface to access the shared
Internet connection must be configured to obtain an IP address and
DNS configuration automatically. If you already have a DHCP server
installed on the internal network, you will need to disable it to
prevent conflicts with the addresses assigned by ICS.
This IP configuration is mandatory, and it implies the main limitation
of ICS: the DHCP component of ICS can assign IP addresses from the
class C network 192.168.0.0/24 only (range 192.168.0.2 - 192.168.0.254).
If you want to share an Internet connection amongst more than 253
computers, or across other or multiple subnets, you will need to implement
the NAT included in RRAS on a Windows 2000/2003 Server. However, it
is possible to have two internal network cards, which allows you
to share the Internet connection with computers attached to a different
network medium, e.g. an internal interface connected to a wired
Ethernet network and an internal interface for wireless clients.
To make this configuration work, you will need to create a network
bridge between the two internal interfaces. The available private
IP addresses will be assigned to computers on both internal segments.
As I mentioned before, configuring ICS is a simple task. All you need
to do is enable a checkbox on the public interface (the modem or
the NIC connected to a cable router, for example). The checkbox is located on
the Advanced tab of the public interface’s Properties
and is labelled Allow other network users to connect through
this computer's Internet connection.
When you enable ICS, the following additional options become available:
- Establish a dialup connection whenever a computer on my network
attempts to access the Internet. This option is available on
dial-up connections and allows internal clients to set up the connection,
even while the client on which ICS is enabled is not actively using
- Home network connection: When multiple internal interfaces
are installed, the Home network connection drop down box
allows you to select which interface is the ‘private network’
- Allow other network users to control or disable the shared
Internet connection. When this option is enabled, internal
clients can disconnect or connect the Internet connection for the
entire internal network.
Instead of configuring ICS manually, you can also use the Network Setup
Wizard. The Network Setup Wizard allows you to choose the Internet
(public) connection and the private connection, and to create floppy disks
to configure the internal clients.
Internet Connection Firewall (ICF)
Another useful feature in Windows XP for small office and home office networks
with an Internet connection is the Internet Connection Firewall
(ICF). ICF restricts access to services on the local computer
by blocking the corresponding TCP and UDP ports. Although it does
not offer the best available security, it should be enabled on Windows
XP computers connected directly to the Internet.
To enable ICF, enable the Protect my computer and network by limiting
or preventing access to this computer from the Internet option
on the Advanced tab of the Properties of the interface
connected to the Internet.
When Internet Connection Sharing (ICS) is enabled, you can enable
ICF for the shared interface to protect the entire internal network.
ICF should not be used on VPN connections, as it interferes with
file sharing and print services.
If you want to allow users on the Internet to access services on your
local computer, or on an internal computer using your shared Internet
connection, you can configure ICF to allow incoming traffic for
certain services. To allow traffic for specific services, you need
to specify the corresponding TCP and/or UDP port on the Services
tab of the Advanced Settings (click the Settings
button below the ICS options on the Advanced tab).
For example, if you run IIS on the local network and you want users
on the Internet to be able to access your HTTP web server, you must
enable the Web Server (HTTP) option to allow incoming traffic
on port 80. When ICS is enabled on the computer and a web server
running on an internal computer must be available to Internet users,
you can edit the listed service to specify the name or IP address
of that computer.
In addition to the services listed by default, you can also add your
own allowed services.
The Security Logging tab of the Advanced Settings
allows you to configure the log settings for ICF.
Logging is not enabled by default. You can enable it for dropped packets
and/or successful connections. The default log file is pfirewall.log
and is stored in the %systemroot% (i.e. C:\Windows\) folder. The
default size limit is 4096 KB.
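A practical use of the log described above is to find out which ports are being probed and from where. The following parser is an added example and not part of the original article or of Windows; the sample pfirewall.log content is constructed, and the parser takes its column names from the "#Fields:" header line rather than assuming fixed positions, so it tolerates layout differences between firewall versions.

```python
from collections import Counter

# Constructed sample of a pfirewall.log (added example; these lines are made up,
# not a real capture). The header follows the W3C extended log layout the file uses.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-03-01 10:15:01 DROP TCP 198.51.100.7 203.0.113.10 3321 445 48 S 1234567 0 65535 - - -
2004-03-01 10:15:02 DROP TCP 198.51.100.7 203.0.113.10 3322 139 48 S 1234568 0 65535 - - -
2004-03-01 10:15:05 OPEN TCP 192.168.0.5 198.51.100.20 1042 80 - - - - - - - -
2004-03-01 10:15:09 DROP UDP 198.51.100.31 203.0.113.10 1026 1434 404 - - - - - - -
2004-03-01 10:15:12 DROP TCP 198.51.100.7 203.0.113.10 3323 445 48 S 1234569 0 65535 - - -
2004-03-01 10:15:20 DROP ICMP 198.51.100.44 203.0.113.10 - - 60 - - - - 8 0 -
"""


def parse_pfirewall(text):
    """Yield one dict per log record; the keys come from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record (the file is written while live); skip it
        yield dict(zip(fields, values))


def summarize_drops(text):
    """Count dropped packets per (protocol, destination) and per source IP.

    For ICMP the 'destination' is the ICMP type, since ICMP has no port.
    """
    by_target = Counter()
    by_source = Counter()
    for rec in parse_pfirewall(text):
        if rec["action"] != "DROP":
            continue
        if rec["protocol"] == "ICMP":
            target = "type " + rec["icmptype"]
        else:
            target = rec["dst-port"]
        by_target[(rec["protocol"], target)] += 1
        by_source[rec["src-ip"]] += 1
    return by_target, by_source


if __name__ == "__main__":
    by_target, by_source = summarize_drops(SAMPLE_LOG)
    for (proto, target), count in by_target.most_common():
        print(f"{proto:5} {target:>8}  dropped {count}")
    print("top sources:", by_source.most_common(3))
```

Run it against a real file with `summarize_drops(open(r"C:\Windows\pfirewall.log").read())`; repeated drops for one port from one source are the usual sign of a scan, while drops for a port you expect to serve indicate a missing entry on the Services tab.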
On the ICMP tab of the Advanced Settings you can
allow different types of ICMP messages. For example, if you want
to enable a remote computer on the Internet to be able to ping your
computer running ICF, you should enable the option Allow incoming
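To make the filtering behaviour described in the Services section and the ICMP section concrete, here is a small model of ICF's inbound decision. It is an added example written for this page, not Microsoft's code: the class names, the public address 203.0.113.10 and the internal web server at 192.168.0.5 are assumptions. It shows the three cases the text covers: replies to connections opened from inside pass, a listed service passes (and, with ICS, is delivered to the internal host named for it), and ICMP passes only for the message types enabled on the ICMP tab; everything else from the Internet is dropped.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    """One entry on the Services tab (hypothetical model)."""
    name: str      # label shown in the list, e.g. "Web Server (HTTP)"
    proto: str     # "TCP" or "UDP"
    port: int      # external port the service is reached on
    target: str    # host that runs it: the ICS computer itself or an internal client


@dataclass
class IcfModel:
    """Hypothetical model of ICF's inbound decision for one public interface."""
    public_ip: str
    services: list = field(default_factory=list)
    icmp_allowed: set = field(default_factory=set)   # ICMP type numbers ticked on the ICMP tab
    # (proto, remote_ip, remote_port, local_port) of connections opened from inside
    outbound: set = field(default_factory=set)

    def note_outbound(self, proto, remote_ip, remote_port, local_port):
        """Record a connection the protected side initiated so its replies pass."""
        self.outbound.add((proto.upper(), remote_ip, remote_port, local_port))

    def inbound(self, proto, src_ip, src_port, dst_port, icmp_type=None):
        """Return (verdict, delivered_to, port) for one packet arriving from the Internet."""
        proto = proto.upper()
        if proto == "ICMP":
            if icmp_type in self.icmp_allowed:
                return ("allow", self.public_ip, None)
            return ("drop", None, None)
        # Reply to a connection we started: the state table lets it through.
        if (proto, src_ip, src_port, dst_port) in self.outbound:
            return ("allow", self.public_ip, dst_port)
        # Explicitly opened service; with ICS it may be redirected to an internal client.
        for svc in self.services:
            if svc.proto == proto and svc.port == dst_port:
                return ("allow", svc.target, svc.port)
        # Default: unsolicited inbound traffic is dropped.
        return ("drop", None, None)


def build_example():
    """ICS host with an internal web server published and ping allowed (constructed values)."""
    fw = IcfModel("203.0.113.10")                         # placeholder public address
    fw.services.append(Service("Web Server (HTTP)", "TCP", 80, "192.168.0.5"))  # internal client
    fw.icmp_allowed.add(8)                                # echo request (ping) is ICMP type 8
    fw.note_outbound("TCP", "198.51.100.20", 443, 3050)   # a browser session from the ICS host
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.inbound("TCP", "198.51.100.9", 4444, 80))     # ('allow', '192.168.0.5', 80)
    print(fw.inbound("TCP", "198.51.100.9", 4444, 445))    # ('drop', None, None)
    print(fw.inbound("TCP", "198.51.100.20", 443, 3050))   # ('allow', '203.0.113.10', 3050)
    print(fw.inbound("ICMP", "198.51.100.44", None, None, icmp_type=8))  # ('allow', '203.0.113.10', None)
```

The model deliberately has no rule for inbound traffic on the internal interface: ICF is meant for the interface facing the Internet, which is why the text warns against enabling it on LAN or VPN connections.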
ICF and ICS are features designed primarily for SOHOs and not for
large domain environments. ICF can cause undesirable issues if clients
in a network enable ICF on their LAN interfaces. Instead, large
networks should use better alternatives such as dedicated firewalls.
Active Directory provides a group policy setting called Prohibit
the use of ICF on your DNS domain network that can be used
to prevent ICF from being enabled in a certain domain.