The innards of Microsoft's Internet Connection Sharing and network address translation

Connecting to the Internet cheaply is a necessity for most small businesses and home offices. Ivan Mayes examines Microsoft's Internet Connection Sharing (ICS), which gives networked PCs the ability to share a single connection to the Internet.


Internet Connection Sharing fundamentals
At least one of the PCs on the Small Office/Home Office (SOHO) local area network (LAN) must be running either Windows 98 Second Edition or Windows 2000 Professional, and it must have Internet Connection Sharing (ICS) installed. This machine will become the designated "gateway" that will provide the Transmission Control Protocol/Internet Protocol (TCP/IP) connection. The other PCs on the SOHO LAN will use the Win98 SE or Win2K machine to access the Internet (as long as they are capable of handling TCP/IP). These computers can be Windows 95 clients or even old 486 machines.
This article appears courtesy of TechRepublic's TechProGuild, the subscription Web resource for IT administration and support professionals.
If you have to upgrade, you may have to shell out a lot of money for a new OS. (You can't download it from Microsoft for free, folks.) Paying Microsoft's fee, however, gets you the benefit of sharing a single Internet connection for all Microsoft clients (Win 3.x, 95, 98, and NT) plus the opportunity to add any non-Microsoft clients that support TCP/IP and have Internet browsers (unless you want a dedicated, hardcore HyperTerminal box for some reason). ICS uses domain name service (DNS) and Dynamic Host Configuration Protocol (DHCP) to resolve Internet names, and it frees you from having to administer those specific areas of the SOHO network.

Installation
To install ICS, you'll need to follow these steps on your host computer (the clients on your private LAN won't have to go through this process):
  1. Click Start | Settings | Control Panel.
  2. Click the Add/Remove Programs applet.
  3. Choose the Windows Setup tab; scroll down and highlight (or check, if required) Internet Tools; click the Details button.
  4. Wait for the Internet Tools window to appear; select the check box for the first entry (which is Internet Connection Sharing); click OK to add it.

You may need to provide a CD or a directory location so that Windows can complete the installation. As with any installation, Windows will reboot.

After you install ICS, you'll notice the addition of an ICS adapter and an ICS protocol; these items are essential to the proper operation of ICS. Also, an ICS Wizard simplifies the configuration whenever you're ready to start.

Installed files
The following is a comprehensive list of the types of files that will find a home on your hard drive when you install ICS. In all, nine files will be added to the Windows\System directory:
  • Dynamic-link libraries: Icsapi32.dll, Icsconfg.dll, Issetup.dll
  • Executables: Icssetup.exe, Icsclset.exe, Icsmgr.exe
  • Virtual device drivers: Icshare.vxd, Icsharep.vxd
  • Text: Icsrm.txt

Three configuration information files will show up in the Windows\Inf directory: Ics.inf, Icshare.inf, and Icsharep.inf. Changes in the registry are pretty much confined to this created key and its subsets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ICSharing.

ICS bells, whistles, and knobs
So, what's behind the ICS curtain? In exchange for the 30.1 MB of space on your host gateway, you get an automatic dialer for any of the clients on the network. As long as your ICS host is up, any of the clients on the network can use the dial-up networking connection to your ISP.

Windows 98 SE gives you a stripped down version of DHCP and the DHCP Allocator, which automatically provides and configures gateway, name server, and IP address information for your private network. By default, ICS will set the IP address of the host or gateway computer to 192.168.0.1. The client PCs on your private network can be positioned statically to any IP address that falls in the range 192.168.0.2 to 192.168.0.253. ICS will assist in the creation of a diskette that you can use to auto-configure the clients on your mini-LAN.

As a bonus, you also get a Domain Name System (DNS) proxy. Essentially, it resolves names on the Internet for your private network clients, and throws the load off of your clients and onto your ICS host. If you haven't already figured it out, the ICS host will accomplish the lion's share of the work. However, these additional tasks are performed virtually unnoticed by the host, so you don't have to run out and buy an 850 MHz Athlon that's loaded with 128 MB of RAM. A 66/486DX with 32 MB is the minimum that you'll need to be able to load and run Windows 98 SE. Keep this in mind if you're considering setting up a box that will act only as an ICS gateway/server. Otherwise, the main box that you'll be using should exceed these requirements.

That's still not all! You'll also get Microsoft's network address translation (NAT), which allows your private network to participate on the public network (the Internet). I'll explain NAT in greater detail below.

ICS and NAT
If you've gotten this far, you know that every PC on the Internet is identified and found through the use of a unique, 32-bit IP address and that every PC participates in the exchange of data packets that are routed back and forth via this IP address. The ICS model takes an additional step by using NAT to sort your public IP traffic (from the Internet) from your private IP traffic (from your LAN). ICS exploits NAT by setting up your ICS host as a router. Basically, the nodes on your LAN become "clients" to your ICS-enabled "host"; for all intents and purposes, your ICS host acts as a server.

By default, your NAT router/server/ICS host uses a range of IP addresses that are reserved specifically for private network usage. As a rule, it's a Class B network that begins with 192.168.xxx.xxx. However, a Class A network starting at 10.xxx.xxx.xxx is also a possibility, depending on the number of subnets and nodes that you want to create. Since the Internet Engineering Task Force has set aside these IP address ranges, you won't find them hooked directly on the Internet. Hence, PCs that use these addresses can exchange packets directly only with one another on the private LAN.

The NAT process
Let me illustrate the process. Let's say that you have built a home LAN and have configured a Windows 98 SE box with ICS. Your spouse, a marine biologist, is doing some research on the Internet in the spare room with a Windows 95 PC. Your spouse opens Internet Explorer and types in http://www.coreresearch.org.

The request for this address goes to the ICS host/NAT router (your Win98 SE box). The NAT router takes the request, rewrites the source address in the IP datagram header so that the packet appears to come from the Win98 SE box, and creates a table entry that associates a TCP/UDP port number with the requesting IP address (the Win 95 box). This mapping is kept alive until the transaction is complete.

Then, the ICS-enabled box fires off the request into the public network of cyberspace for retrieval of the HTTP information. Subsequently, the response comes back to your ICS host/NAT router. When your ICS host receives these records from the Internet, it performs the reverse of the action that I described earlier: the NAT router reconfigures the source address of the IP datagram by referring back to the table that it created when it mapped the requestor's IP to a TCP/UDP port, and finally sends it back to the corresponding requestor (the Win 95 box) on your private network.

To put it simply, the only machine that actually comes into view on the Internet is your NAT router; it participates not only as a client on the very public network of the Internet, but also as a server on your private network at home. Each PC on your private LAN, though still able to access the Internet, will appear as if it were your ICS host. In the Linux world, it's the same basic principle as masquerading.

Obviously, it's advantageous to exploit one (usually high-speed) Internet connection. After all, it's not called Internet Connection Sharing for nothing! A latent effect of NAT is network security. As I mentioned above, the only visible machine on the Internet will be the NAT router—your Windows 98 SE box. The other boxes on your private network will be securely hidden away behind the wall of your ICS host/NAT router. Take into account the fact that a Web browser, such as Microsoft's Internet Explorer or Netscape's Navigator, usually gives out the originating IP address to any Web server that requests it. Since only the ICS host/NAT router has any information regarding your public IP, the clients on your LAN won't be able to give out their addresses. Thus, you can have multiple PCs on your home LAN that access the Internet to surf, download, and e-mail, but the only PC that will be recognized as having a live connection to the Internet will be your ICS host.
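
The translation table described under "The NAT process," and the reason inbound traffic without a table entry never reaches the LAN, can be modeled in a few lines. This is an added example, not ICS code: the Packet and NatRouter names, the public address 203.0.113.10, the starting port 61000, and the Web server address are all constructed for illustration, and a real NAT also tracks protocol and timeouts.

```python
# Toy model of a NAT port-mapping table (illustrative, not ICS internals).
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"   # constructed: ISP-assigned address of the ICS host

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_port = {}      # public port -> (private ip, private port)
        self.by_client = {}    # (private ip, private port) -> public port

    def outbound(self, pkt):
        """Rewrite a LAN packet so it appears to come from the router."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.by_client:
            self.by_client[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.by_client[key])

    def inbound(self, pkt):
        """Deliver a reply to the mapped client, or drop it (None)."""
        key = self.by_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None        # no mapping: the packet never reaches the LAN
        return replace(pkt, dst_ip=key[0], dst_port=key[1])

    def close(self, private_ip, private_port):
        """Remove the mapping once the transaction is complete."""
        port = self.by_client.pop((private_ip, private_port), None)
        self.by_port.pop(port, None)

def demo():
    nat = NatRouter(PUBLIC_IP)
    web = ("198.51.100.80", 80)                       # constructed Web server
    out = nat.outbound(Packet("192.168.0.2", 1025, *web))
    reply = nat.inbound(Packet(*web, out.src_ip, out.src_port))
    probe = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 61001))
    nat.close("192.168.0.2", 1025)
    late = nat.inbound(Packet(*web, out.src_ip, out.src_port))
    return out, reply, probe, late
```

In demo(), the Web server only ever sees the router's address and port, the reply is mapped back to 192.168.0.2, and both the unsolicited probe and the packet that arrives after the mapping is closed are dropped.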

A word or two about security
Of course, it's important to make your Windows 98 SE box as secure as possible. An inexpensive software solution, such as Norton Internet Security 2000 or Black Ice Defender from Network ICE, provides extra security from hacking attempts and viruses, including the infamous distributed denial of service (DDoS) attacks.

Since we're on the topic of security, you need to know that File Sharing and Print Sharing may have a different reaction depending upon what type of connection you're using. If you're using a modem to provide a physical connection to the Internet, you're relying on dial-up networking. Dial-up networking will unbind File and Print Sharing from the dial-up adapter; you can check it in the Network Properties | Dial-Up Adapter Properties | Bindings tab. On the other end of the spectrum, Ethernet network interface cards (NICs) do not unbind File Sharing and Print Sharing by default. If you have an xDSL or cable Internet connection, double-check your Bindings:
  • In the Network applet in Control Panel, highlight the Internet Connection Sharing adapter and click Properties
  • Click the Bindings tab and enable or disable your chosen bindings by checking the appropriate box

Your ICS host computer's Network Configuration tab should list the Client for Microsoft Networks; a network adapter (a dial-up adapter would be the physical connection to the Internet); a second network adapter (the connection to your private network); the ICS adapter; the ICS Protocol | Network Adapter (again, the dial-up adapter for Internet connection); the ICS Protocol | Network Adapter (private network connection); and the ICS Protocol | Internet Connection Sharing Adapter.

By default, your listed Protocols will be TCP/IP (Home) | Network Adapter; TCP/IP (Shared) | Network Adapter (or Dial-Up Adapter); and TCP/IP | ICS Adapter. Make sure that you don't have the TCP/IP (Home) bound to the Dial-Up Adapter. If you do, you have probably switched the roles of your adapters. Either your project won't work at all, or in an extreme case, you'll attempt to connect your entire LAN out on the Internet—hence "putting it all out there."

The easiest way to fix this problem, or at least to check it, is:
  • Go to Start | Settings | Control Panel | Internet Options (or right-click the Internet Explorer on your desktop and choose Properties)
  • Choose the Connections tab; click on the Sharing button at the bottom of the dialog box
  • At the Connect to The Internet Using dialog box, choose the correct adapter that provides the physical connection to the Internet
  • At the Connect To My Home Network Using dialog box, choose the network adapter that corresponds with your private home network
  • Click OK, and you'll be prompted to restart Windows

Testing the connections
After you've established a connection with your ISP, crank up your ICS host and start your browser. Next, make sure that the clients on your private network can get out on the Internet. In the rare case that they can't, there are a few simple things that you can do to determine the source of the problem. In a Windows 9x client, open the WINIPCFG (Windows IP Configuration) utility by going to Start | Run, typing WINIPCFG, and clicking OK.

Under Ethernet Adapter Information, check your IP address; it should start with 192.168.0.xxx. Remember that the address 192.168.0.1 will be your ICS host's private network IP address. Your client should have any other number up to 254. If it doesn't, click Release, Renew, and then OK. The DHCP Allocator on the ICS host will assign it a private network IP address automatically. If all else fails, you can assign the client an IP address manually in the Network Configuration under Control Panel by highlighting TCP/IP and clicking Properties. Go to the IP address tab and click the "Specify an IP address" radio button. Under IP Address, type 192.168.xxx.xxx. Make sure that this address isn't being used elsewhere on your private LAN. Under Subnet Mask, use 255.255.255.0.

To test out your client, go to the DOS prompt and type the following: Ping 192.168.0.1

If you get a response, you know that you've successfully established TCP/IP communication on your private network. Your next task is to test the Internet connection. So, from your client PC, ping the IP address of an Internet Web site. Ping the name from your ICS host to verify an active IP address that you can utilize. Again, at the DOS prompt, follow the syntax below (where yourfavoritewebsite is any URL that you want to specify).

Ping www.yourfavoritewebsite.com

You should receive four responses that start with "Reply from xxx.xxx.xxx.xxx." Note that some Web sites may have protection and may not return a response. Try pinging a couple of different sites before you give up. Also, try pinging those Web sites from the client PC. Obviously, a response means success. If you don't receive any responses, you may want to reconsider the configuration of your ICS host.

Conclusion
On a final note, you'll want to make sure that you review your ISP usage agreement and ensure that everything is legal when you hook up your private LAN on ICS. Although nobody can really identify any machines behind an ICS host/NAT router, you risk getting booted from your ISP if you aren't compliant. And we wouldn't want that to happen, would we?

Ivan Mayes has been hacking around on typewriters and computers since he was 15, and he learned the ways of war on a Commodore 64. Ivan holds degrees in English and Spanish, and he's an MCSE. An equal computing opportunist, he is prone to use any computer, regardless of make, model, or operating system.
