Windows XP's Internet Connection Sharing opens up client connectivity options with Server Publishing

Make Windows XP work Internet magic by employing ICS and its Server Publishing features. Tom Shinder explains the configuration of ICS and Server Publishing to give your internal network clients an opportunity to do more than just compute.

Windows XP includes a number of useful networking services that allow you to connect your internal network clients to the Internet. One of these is Internet Connection Sharing (ICS), which lets you connect multiple computers on your internal network to the Internet using a single Internet-connected interface on the ICS computer.

I’ll explain how to get ICS set up and configured, and then I’ll focus on one particularly useful feature included with the Windows XP ICS: Server Publishing, which allows inbound access to selected services for external, Internet clients. You’ll learn how to create Server Publishing Rules and Service Definitions so that you can allow external clients to access services running on your internal network. Once you understand how server publishing works with ICS, you can start doing some really fun things, like publishing an Exchange 2000 server.

How ICS and Server Publishing work
ICS provides traditional network address translation (NAT) services for privately addressed (RFC 1918) clients on your internal network. NAT lets the private-address clients reach publicly addressed resources on the Internet by replacing the private source address in each internal client’s request with the public address of the external (Internet-connected) interface on the ICS computer, and mapping the replies back to the client that sent the request. The Windows XP ICS includes a number of NAT editors that allow network applications which require secondary connections (such as FTP) to work behind the ICS computer. In addition, the Windows XP ICS NAT supports Universal Plug and Play (UPnP). The UPnP interface allows internal network clients behind the ICS NAT to use complex Internet application protocols, such as those required by the Windows XP version of MSN Messenger.

Server Publishing, sometimes referred to as reverse NAT or port forwarding, is actually the reverse of the NAT that ICS performs for internal network clients. When you publish an internal network server, you’re actually publishing a particular service on that server. You tell ICS to listen on a particular port on the external interface of the ICS machine and forward any messages that are sent to that port to a designated port on the internal network server.

For example, suppose you have a Web server on the internal network and you want people on the Internet to access the Web server. To do this, you would configure ICS to listen on TCP port 80 of the ICS machine’s external interface. When an Internet user sends a request to the IP address of the external interface of the ICS server, TCP port 80, that request is then forwarded to the internal Web server. The Web server will send its reply to the ICS machine, which in turn forwards the reply to the machine that made the initial request.

ICS also lets you perform port redirection, where the port ICS listens on externally differs from the port the internal server listens on. For example, your ISP might not want you to run a Web server on your network, so it blocks inbound packets directed to TCP 80. You can still run a Web server by having ICS listen for HTTP requests on a different external port and forward them to TCP 80 on the internal server.
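The reverse-NAT behaviour described above, reduced to a small user-space relay as an added example (illustrative code, not ICS itself and not from the original article): a listener on the “external” side accepts each connection and relays it to one internal IP:port, and port redirection is nothing more than the external and internal ports being different. The constructed internal Web server reports the peer address it sees, which is the relay’s own address rather than the Internet client’s, the same thing an internal server behind ICS records in its logs. All addresses and ports are loopback and ephemeral so the demo runs offline.

```python
"""User-space model of ICS Server Publishing (reverse NAT): a listener on
the 'external' side relays each TCP connection to one internal IP:port."""
import socket
import threading
from contextlib import suppress


def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


class PublishingRule:
    """Listen on (external_ip, external_port) and forward every accepted
    connection to (internal_ip, internal_port). Port redirection is just
    external_port != internal_port, e.g. external 878 -> internal 80."""

    def __init__(self, external_ip, external_port, internal_ip, internal_port):
        self.target = (internal_ip, internal_port)
        self.connections = 0          # how many Internet clients were relayed
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((external_ip, external_port))
        self.listener.listen(16)
        self.external_port = self.listener.getsockname()[1]   # 0 -> ephemeral
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:           # listener closed: rule removed
                return
            self.connections += 1
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            inner = socket.create_connection(self.target, timeout=5)
            inner.settimeout(None)
        except OSError:               # internal server down: drop the client
            client.close()
            return
        # Two one-way pumps keep the relay transparent to the application
        # protocol; note the internal server only ever sees the relay's own
        # address as the peer, never the Internet client's.
        threading.Thread(target=pump, args=(inner, client), daemon=True).start()
        pump(client, inner)

    def close(self):
        self.listener.close()


def start_internal_web_server():
    """Constructed stand-in for the internal Web server on 'TCP 80': answers
    any request with the peer address it saw, i.e. what it would log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)       # read (and ignore) the request
                body = f"request seen from {peer[0]}:{peer[1]}".encode()
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n"
                             % len(body) + body)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def http_get(host, port):
    """Plain HTTP/1.0 GET; returns the whole reply once the server closes."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: published\r\n\r\n")
        return b"".join(iter(lambda: s.recv(4096), b""))


def demo():
    """Publish the stand-in server on an ephemeral 'external' port, fetch
    through the rule, and return (reply bytes, connections relayed)."""
    web, web_port = start_internal_web_server()
    rule = PublishingRule("127.0.0.1", 0, "127.0.0.1", web_port)
    try:
        reply = http_get("127.0.0.1", rule.external_port)
    finally:
        rule.close()
        web.close()
    return reply, rule.connections
```

The point a practitioner should take from the reply body is that the internal server cannot tell Internet clients apart by source address once they arrive through the relay, so any IP-based access control or logging has to happen on the ICS machine, not on the published server.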

Limitations of port redirection
Many ISPs block incoming requests to ports 21 (FTP), 25 (SMTP), 80 (HTTP), 110 (POP3), 119 (NNTP), and 143 (IMAP4) to prevent you from running servers on your network. Port redirection allows you to get around this problem. The drawback is that users must know the alternate port number you’re using on the external interface of the ICS computer. Fortunately, third-party services allow users to connect to your domain name using traditional ports. The service automatically forwards the requests to the external interface of your ICS machine to the alternate port you’re using.

Setting up Internet Connection Sharing in XP
You can configure ICS in one of two ways, depending on your requirements and level of experience:
  • Manual configuration
  • ICS Home Networking wizard

Manual configuration gives you the most options and flexibility. The ICS Home Networking wizard lets you automate the process and is the preferred solution for people with a limited understanding of TCP/IP networking.

Manual configuration
Manual configuration lets you integrate ICS into an already functional network. The Windows XP Help files give you the strong impression that you cannot have a domain controller, DHCP, DNS, or WINS on your internal network and that you must allow the ICS networking configuration wizard to take care of everything for you. This is patently untrue. You can configure connection sharing without having to worry about artificial limitations suggested by the Help file and various Windows XP manuals.

Perform the following steps to carry out a manual configuration of ICS on your network. The following procedure assumes you have the default Windows XP interface configuration:
  1. Click Start, right-click on My Network Places, and click Properties.
  2. Right-click on your external interface and click Properties (see Figure A).

Figure A
Accessing the external interface properties

  3. In the external interface’s Properties dialog box, click on the Advanced tab. Place a checkmark in the Protect My Computer And Network By Limiting Or Preventing Access To This Computer From The Internet, Allow Other Network Users To Connect Through This Computer’s Internet Connection, and Allow Other Network Users To Control Or Disable The Shared Internet Connection check boxes (Figure B). Click OK.

Figure B

  4. You’ll see a warning dialog box (Figure C) informing you that the IP address on the internal interface of the ICS will be changed to 192.168.0.1. Let it make the change; you’ll undo the changes after the wizard is finished. Click Yes.

Figure C
ICS will change the IP address on the internal interface.

  5. The IP address on the internal interface is changed to 192.168.0.1, which is fine if you need to use the DHCP allocator and DNS proxy services provided by ICS. However, if you already have a well-defined internal networking services infrastructure, you’re probably not interested in ICS taking things over. Change the IP addressing information on the internal interface of the ICS computer back to what you had before.

The internal interface only requires an IP address and a subnet mask. You might want to include a WINS server address if you maintain a WINS server on your internal network. The external interface of the ICS computer should have an IP address, subnet mask, default gateway, and DNS server address(es) provided by your ISP. If you use a dial-up connection, these are provided via Internet Protocol Control Protocol (IPCP). If you use a router to connect to the Internet, point the default gateway of your external interface to the LAN interface IP address on your router.

All internal network clients that access the Internet through the ICS device must be configured to use the IP address of the internal interface of the ICS computer as their default gateway. This causes all internal network machines to send nonlocal network requests to the ICS computer.

Using the ICS Home Networking wizard
If you’re setting up a new network that doesn’t have an established networking services infrastructure, you can simplify the setup by using the Home Networking wizard. This wizard will walk you through the steps in configuring the ICS device and can also create a floppy disk that you can use to configure the internal network clients to use the ICS device.

Perform the following steps to run the wizard:
  1. Click Start, right-click on My Network Places, and click Properties.
  2. Right-click on your external interface and click Properties.
  3. Click the Set Up A Home Or Small Office Network link on the left of the Network Connections window (Figure D).

Figure D
Starting the Home Networking wizard

  4. Read the information on the Welcome page and click Next.
  5. Read the information on the Before You Continue page and click Next.
  6. On the Select A Connection Method page (Figure E), select the most appropriate configuration and click Next.

Figure E
Selecting how the ICS machine connects to the Internet

  7. On the Select Your Internet Connection page, select the interface that represents your external interface. Note in the figure (see Figure F) that I’ve renamed the interfaces in the computer to make it easier to recognize which interface is internal and which is external. Click Next.

Figure F
Selecting the external interface

  8. On the Give This Computer A Description And Name page, leave the Computer Name as it is, unless you have a compelling reason to change it. You can put in whatever Computer Description you like (Figure G). Click Next.

Figure G

  9. On the Name Your Network page, you can type in the name of a workgroup. Note that if you use the wizard, your internal network computers cannot be members of a Windows NT 4.0 or Windows 2000 domain; they must all be members of a workgroup. That’s why you’ll only want to use the wizard on a new or very simple network. Click Next.
  10. Review the configuration on the Ready To Apply Network Settings page and click Next.
  11. The wizard will take a few minutes to set up the ICS computer with the settings you’ve entered.
  12. On the You’re Almost Done page (Figure H), you have a number of choices. You can create a network setup disk and run a configuration file on each machine on the internal network. This automatically sets the machines up as DHCP clients and makes them members of the same workgroup as the ICS machine. This allows the clients to use the ICS DHCP allocator and DNS proxy features. In this example, I’ve selected Just Finish The Wizard. Click Next.

Figure H

  13. Click Finish on the Completing The Network Setup Wizard page.

After completing the wizard, you can run the setup disk or manually reconfigure the internal network clients to use the internal interface of the ICS computer as their default gateway and DNS server.

Configuring Server Publishing
After the ICS machine is all set up, you’re ready to configure Server Publishing. I’ll go over the following subjects related to ICS Server Publishing:
  • Configuring Server Publishing Rules
  • Creating New Server Service Definitions

Server Publishing Rules
A Server Publishing Rule is nothing more than configuring a port-forwarding rule so that packets received on a certain port on the external interface of the ICS computer are forwarded to a particular IP address and port on the internal network. Setting up Server Publishing Rules is very easy with ICS. You don’t have any complex configuration changes to make, and the interface is straightforward. If you’re familiar with the Windows 2000 RRAS NAT service, you’ll recognize some common elements.

Perform the following steps to configure the Server Publishing Rules:
  1. Click Start, right-click on My Network Places, and click Properties.
  2. Right-click on your external interface and click Properties.
  3. Click on the Advanced tab and then click on the Settings button.
  4. In the Advanced Settings dialog box (Figure I), place a checkmark in the check box for every service on the internal network you wish to publish. In this example, I’ve selected the Remote Desktop service. Click Edit.

Figure I
This will allow you to create a Terminal Services session with the Remote Desktop service or Terminal Server on your internal network.

  5. In the Service Settings dialog box (Figure J), type in the IP address of the internal computer you want to publish. In this example, the internal computer is a domain controller running Windows 2000 Terminal Services. I recommend entering an IP address rather than a computer name for better performance, since no name lookup is then needed. After entering the IP address, click OK.

Figure J
Pointing the Server Publishing Rule to the internal server

  6. Click OK in the Advanced Settings dialog box and then click OK in the Interface Properties dialog box.

You can test this publishing rule by going to a client machine on the Internet. On this machine, open the Remote Desktop Connection or Terminal Services client software and type in the IP address of the external interface of the ICS machine as the site you want to connect to. If you have everything configured correctly, the client software will open a Terminal Services or Remote Desktop connection.

Creating new Service Definitions
The built-in Service Definitions let you publish the most common Internet services. The Service Definitions include:
  • FTP Server
  • IMAP3 and IMAP4 Server
  • SMTP Server
  • POP3 Server
  • Remote Desktop (RDP) Server
  • Secure Web Site (HTTPS) Server
  • Telnet Server
  • Web (HTTP) Server

If you want to access services other than these, you’ll need to create your own Service Definition (Publishing Rule). For example, suppose your ISP is blocking inbound TCP 80 to prevent users from setting up Web servers. You can create your own Service Definition so that you can publish your Web server on a different port. Here’s how:
  1. On the Advanced Settings page, click the Add button.
  2. In the Service Settings dialog box (Figure K), type a Description Of Service so you can easily identify it. Type in the IP address of the internal network server, the external port that the ICS computer will be listening on, and the internal port that the internal network server will listen on. In this example, the ICS computer will listen on port TCP 878 for HTTP requests and forward requests received on TCP port 878 to the internal Web server on TCP 80. Click OK after entering the information.

Figure K
Configuring a new Service Definition

  3. The new Service Definition is saved and automatically selected. Click OK in the Advanced Settings dialog box and then click OK in the external network interface Properties dialog box. The settings will take effect immediately.
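For both the Remote Desktop rule tested earlier and the alternate-port Web rule just created, the check a practitioner wants is run from a host on the Internet side, and it should ask not just “is the port open” but “does whatever answers speak the protocol I published”. The following is an added example, not code from the article: it sends the first packet an RDP client sends (an X.224 Connection Request inside a TPKT header) or a bare HTTP HEAD, classifies the reply, and distinguishes a refused connection (nothing listening on the external port) from the wrong service answering. The responders it probes are constructed stand-ins on loopback so the demo runs offline; against a real ICS machine you would call check_published with the ICS machine’s external IP address and the external port of the rule.

```python
"""Probe a published service from the Internet side and check that whatever
answers really speaks the protocol you meant to publish."""
import socket
import threading

# First bytes an RDP client sends: TPKT header, X.224 Connection Request,
# RDP Negotiation Request asking for standard RDP security. A real RDP
# listener replies with an X.224 Connection Confirm (TPDU code 0xD0).
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013"          # TPKT: version 3, reserved, length 19
    "0ee00000000000"    # X.224: LI 14, CR TPDU, dst ref, src ref, class 0
    "0100080000000000"  # RDP_NEG_REQ: type 1, flags 0, length 8, protocols 0
)
HTTP_REQUEST = b"HEAD / HTTP/1.0\r\nHost: probe\r\n\r\n"


def tcp_exchange(host, port, payload, timeout=5.0):
    """Connect, send payload, return the first reply bytes; or a verdict
    string when no reply came back: 'refused', 'reset' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(4096)
    except ConnectionRefusedError:
        return "refused"      # SYN answered with RST: nothing listening there
    except ConnectionResetError:
        return "reset"        # accepted, then torn down without a reply
    except socket.timeout:
        return "timeout"      # no SYN/ACK or no reply: filtered on the path


def check_published(host, port, service):
    """Verdict for a Service Definition expected on host:port;
    service is 'rdp' or 'http'."""
    payload = X224_CONNECTION_REQUEST if service == "rdp" else HTTP_REQUEST
    reply = tcp_exchange(host, port, payload)
    if isinstance(reply, str):
        return reply
    if not reply:
        return "closed-by-peer"
    if service == "rdp":
        ok = len(reply) >= 6 and reply[0] == 0x03 and reply[5] == 0xD0
    else:
        ok = reply.startswith(b"HTTP/")
    return "ok" if ok else "wrong-service"


def start_fake_listener(reply):
    """Constructed stand-in for an internal server reached through ICS:
    reads one request and answers with `reply`. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """The checks to run after publishing: the Remote Desktop rule, the
    alternate-port Web rule, a mismatch, and a port nothing is published on."""
    rdp_srv, rdp_port = start_fake_listener(bytes.fromhex("0300000b06d00000123400"))
    web_srv, web_port = start_fake_listener(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unpublished_port = spare.getsockname()[1]
    spare.close()                     # now nothing listens there
    try:
        return {
            "rdp": check_published("127.0.0.1", rdp_port, "rdp"),
            "http-alt": check_published("127.0.0.1", web_port, "http"),
            "rdp-on-web": check_published("127.0.0.1", web_port, "rdp"),
            "unpublished": check_published("127.0.0.1", unpublished_port, "http"),
        }
    finally:
        rdp_srv.close()
        web_srv.close()
```

A refused verdict means the SYN was answered with a RST: the ICS machine is not listening on that external port at all, so the Service Definition is not enabled or is attached to the wrong interface. A timeout means something between the probing host and the ICS machine dropped the traffic, which is what an ISP block on the well-known ports looks like and is the case where port redirection applies.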

Security is always job one
Security is always job one when you expose servers to the Internet. A published port is, by definition, reachable by every host on the Internet, and the Internet Connection Firewall (ICF) on the ICS machine passes that traffic straight through to the internal server, so the published server itself is what protects you. Keep any server you make available to Internet hosts updated with the latest security patches, configure its services in a secure manner, and publish only the ports you actually need. Microsoft gives you plenty of advice on how to secure your Web and other servers.

Conclusion
Internet Connection Sharing allows internal network clients to access the Internet via a single connection to the Internet. ICS doesn’t just allow outbound access for internal network clients, though; it also allows inbound access to selected services for external, Internet clients. By using Server Publishing Rules and Service Definitions, you can allow Internet hosts access to a wide variety of internal network services.
5 comments
pat570

Hello. This is a GREAT guide. My question is: if I have a webserver running on a CLIENT, NOT the gateway PC where ICS is, and I enable a service (port forwarding) to my client, should I see a listener running on that port on my ICS machine? I can't get it working. I run a packet sniffer on the external side: it receives the TCP SYN and replies with a SYN/RST and doesn't forward anything to the internal side. Any thoughts? Pat in PA

Nils5906

Great! Thanks for the help.

techrepublic.funchords

This article has been out since 2002? I can't believe I'm the first to say thanks! Very complete and easy to follow. I have no problem referring someone with limited technical knowledge to this URL. Great job!

farfolomew

This is the best ICS article I've read. It explains all the little details that the Microsoft Help fails to do, such as whether the host in the service definition should be the ICS computer or the internal computer hosting the service. Windows Help says to set that value to the ICS computer, but obviously that doesn't make sense. So anyways, thanks for clearing that up :) Anyways, my question pertains to how ICS interacts with the Windows Firewall. For example, if I add a service definition to listen for port XXX on TCP, then won't I also have to go into the Windows Firewall exceptions and add port XXX to the list? Otherwise, the Windows Firewall will not even acknowledge that port, correct? Or does Windows realize that the ports ICS is set to listen on SHOULD also be given Firewall exemption rules? Thanks!

farfolomew

Well, after some digging on Google I stumbled across this excerpt from the Syngress book "Configuring and Troubleshooting Windows XP Professional" on pg 8: "...ICF works in concert with ICS to provide access for unsolicited traffic. For example, if you have configured the ICS service definition to allow Web server (HTTP) traffic, ICF will allow this traffic. Disabling the service definition for the Web Server will result in ICF dropping that traffic..." and "...If you enable a service definition for a particular application, you automatically configure ICF to allow traffic associated with that application. You should always consider the consequences of allowing any traffic through ICF. The less traffic you allow into your network, the more secure it will be..." So it would seem Windows is, indeed, smart and knows to allow ICS Service Definitions in through the Windows Firewall. Good info to know :).