
Microsoft Support WebCast

Microsoft Windows XP: Internet Connection Firewall

May 7, 2002


Note This document is based on the original spoken Support WebCast transcript. It has been edited for clarity.

Clifton Hughes: Welcome to the Windows XP Internet Connection Firewall presentation (slide 2). My name is Clifton Hughes and this presentation will explore the Internet Connection Firewall included with Microsoft® Windows® XP. First, we're going to give an overview (slide 3), just basically cover the topics that we'll be discussing in this presentation. To start with we're going to talk about what ICF is and we'll give a good description of the Internet Connection Firewall, ICF considerations, considerations you should make before enabling or disabling ICF, how to enable or disable ICF, some of the advanced settings and configurations for ICF, common issues you may encounter when using ICF, and then additional references, including some troubleshooting, how-tos, and descriptions of the Internet Connection Firewall.

What is ICF? First, let's define what ICF is (slide 4). We want to talk about just in general what is a firewall. Simply put, a firewall is a system designed to prevent unauthorized access to a private network or computer. Firewalls can either be software or hardware or in some cases a combination thereof. It's worth noting here that ICF is a software-only firewall.

How does ICF work? ICF monitors all network traffic on the connections for which it is enabled and any communications that originate from a source outside the ICF computer are dropped by the firewall.

We'll talk about services. ICF can be configured to allow access to network services running on the ICF-enabled computer and also ICF can be configured to create a security log to track the activity on the ICF-enabled connection. ICF can be configured to enable or disable Internet Control Message Protocol (ICMP) responses. Those last three bullet points basically are the advanced settings and we'll cover those in more detail later in this presentation.

ICF considerations (slide 5). First of all, on a stand-alone computer that is directly connected to the Internet, you definitely want to enable ICF in that scenario, whether it's a dial-up connection or a broadband connection, such as cable modem or digital subscriber line connection. These are scenarios where you definitely want a firewall in place for protection against hackers on the Internet. If you have a computer that is serving as an Internet Connection Sharing host, this computer should also have the Internet Connection Firewall enabled on the Internet connection that is being shared.

In this scenario generally you have two connections. One that is directly connected to the Internet and the other that is connected to your private network or your ICS clients, and you want it enabled on the Internet side and not enabled on the private side. You should not enable the Internet Connection Firewall on the ICS clients since they're not directly connected to the Internet and generally they would be protected by the ICS host. You should also not enable the Internet Connection Firewall on any computer that is behind an existing hardware firewall or a network address translation (NAT) router. In general, you should not enable ICS on any private network connection.

How do we enable or disable ICF (slide 6)? In most instances, ICF will be enabled by default when you run the Network Setup Wizard and/or the New Connection Wizard, which is part of the network connections in Windows XP. However, if you want to check and see if ICF is enabled or disabled for a particular connection, click Start, point to All Programs, point to Accessories, point to Communications, and then click Network Connections. At that point you can right-click the connection that you want to check and select Properties. Then on the Advanced tab of the Connections Properties page, you can then check or clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box, as shown in the screenshot on this slide. Make note that this is not a global setting. It has to be checked or cleared for each connection as needed. This makes it possible to have ICF enabled on the public Internet connection, for example on an ICS host, and then disabled on your private network connection connecting the ICS host to the private network.

Now we're going to talk about the advanced ICF settings (slide 7). The first setting that we see is services. Basically when ICF is enabled, it makes a button available down on the bottom of the Advanced tab of the Connection's Properties called Settings (as seen on slide 6), and when you click the Settings button, it brings up these three tabs that we see on this screen here. First we'll talk about the Services tab. For example, for services, this basically allows you to share or make services that are running on your computer available to users on the Internet. For example, if you're running a File Transfer Protocol server on your computer, also called FTP, you can check the FTP and FTP Server check boxes to allow Internet users to access the FTP server that is running on your computer.

You can also use the Services screen for specifying certain ports that might be needed by Web applications or games that are not firewall-aware and they may require these settings in order for them to function correctly. It's also possible that you could run into some applications, especially older applications, Web-based apps and games, that may not function well behind a firewall and you may have to temporarily disable the firewall in order to get normal functionality out of the application. We'll talk more about some of these things in the troubleshooting section at the end.

Another function of the services is the ability to redirect the incoming request to another computer behind the one running ICF (slide 8). By default, the services setting will allow the incoming request to be received by the computer that ICF is enabled on. If you're running an FTP server or other network service on a computer behind an Internet Connection Sharing host, then you can edit the service as shown on this slide and change the settings to redirect the incoming requests to the other computer on your private network.

It only works - this is a note to make here - if you're running Internet Connection Sharing. If you're only running Internet Connection Firewall and not doing Internet Connection Sharing, then the service has to be running on the same computer. It will not work to redirect it. There's also a KB article that discusses this issue and it's referenced at the end of the presentation.

One of the additional advanced settings that we're going to talk about now is security logging, and by default, as with most of these settings, it's not enabled (slide 9). Rather than sending you notifications about activity on the ICF-enabled connection, ICF silently discards unsolicited communications. This stops common hacking attempts such as port scanning. If you wish to see the activity on the ICF-enabled connection, the settings on this dialog allow you to enable the creation of a security log file. You'll see from this dialog box that there are a couple of options. We can choose to log dropped packets. This option specifies that all dropped packets that originate either from the private network or from the Internet on this connection will be logged.

You can also choose to log successful connections. This option specifies that all successful connections that originate either from the private network or from the Internet on this connection will be logged. In that case, for example, if you're running your FTP server like we talked about, you'd then be able to track who was connecting to your FTP server and making successful connections to it. You can also change the file name, the location, and the size of the log file in this dialog box. By default, the file name is Pfirewall.log and it's stored in your Windows directory. These options are configurable here. Also note that ICF uses the World Wide Web Consortium, or W3C, standard for firewall logging and logs such information as the date, the time, the action, the protocol, source and destination IP address, source and destination port, as well as the size of each packet that is logged.

Last, on the advanced settings, we'll talk about ICMP, or Internet Control Message Protocol (slide 10). Again, by default on this tab nothing is enabled. I do show Allow incoming echo request checked here. I did that for the screenshot. Basically these ICMP responses, by being disabled, prevent hackers from getting a response to a ping or from using a ping attack against your computer. If you need to be able to use ping for troubleshooting connectivity to your computer, you can enable the check box as I did on the screenshot to allow incoming echo requests, or you could temporarily disable ICF on the connection you're troubleshooting, if you need to do more than just ping. However, most commonly ping is what we'd be using this for so if you wanted to enable ping for troubleshooting that's how you would do it.

We'll talk now about some of the common issues (slide 11). This is not necessarily everything you might encounter when using a firewall, but these are some of the documented issues that we know about and some of the more common ones, we hope. Some things that you may run into. Web applications or games that may need direct access to the Internet may not function as expected if ICF or another software or hardware firewall is enabled. It's possible that you can configure the firewall for your application or game. The software vendor is the best place for information regarding their application's firewall support or also for finding out what port does that game or program require in order to function behind or through a firewall.

Another issue you may run into is enabling firewall software on your private network connection or on clients behind an Internet Connection Sharing host. This can cause problems with peer-to-peer connectivity, so file and printer sharing may stop functioning. You could also run into problems actually connecting to your Internet Connection Sharing host or connecting to the Internet depending on what you're doing. Enabling a firewall on a private network connection is generally not a good idea.

Remote assistance and/or Remote Desktop connections in Windows XP. You could have problems with these if both of the computers involved have ICF enabled or one or both are behind another third-party firewall software or hardware. Redirecting incoming Internet requests to a computer other than the one that is running the Internet Connection Firewall only works if the computer is also running Internet Connection Sharing, and we talked about that on the services redirection slide previously. Those are some of the common issues that you might run into.

Now what we're going to do is talk about some of the troubleshooting and article references that you might use in order to troubleshoot or work around some of these problems (slide 12). On this slide we have four KB articles and what I'm going to do basically is take each one and talk about it a little bit. I won't go into all the details, but just to give you an idea of what we're looking at here. The first article about troubleshooting common issues is Q240429 ("DirectX: Ports Required to Play on a Network") and this article is referencing the DirectX® ports that are needed to play on a network.

The basic gist of this article talks about the two main methods used by most DirectX games today, which is DirectX 8, the newer one, and DirectX 7. It outlines the port ranges that are needed for DirectX 7–based games and DirectX 8–based games. It's also worth noting that these are port ranges in a lot of cases, so there will be various ranges, for example, port 2300 through port 2400. In Internet Connection Firewall, there is no way to open a range of ports. You would actually have to open each one of those ports individually in order to get that game to function. In some cases it may not be advisable to try to do that, although it is possible. That's the bad news.

The nice thing is, or the good news is, if you're using DirectX 8, that method is automatically supported by Internet Connection Sharing and the Internet Connection Firewall built into Windows XP. It also works with the Windows Millennium Edition Internet Connection Sharing, as well as any UPnP, or Universal Plug and Play–compliant, routers or Network Address Translation routers. A lot of the newer hardware routers or personal firewall products that are out there, those are actually supporting UPnP now or making updates available in most cases so that they will support UPnP, thus allowing DirectX 8–type games to function automatically without having to manually configure a bunch of ports.

It's also possible to do this by using Dxdiag, and this article outlines this. You can click Start, click Run, type dxdiag in the Open dialog, and then click OK. In Dxdiag you can save all information to a text file, and in that text file you can determine whether or not your games support DirectX 8 or DirectX 7. So you'll know whether or not you have the hope of getting it to work through our Internet Connection Firewall or another Universal Plug and Play–compliant Network Address Translation router. That's the gist of this article. It goes through and talks a little bit about the UPnP functionality and that you may need to contact the manufacturer of your hardware router to find out if it is UPnP supported. That's pretty much all we're going to say about that one.

The next article is Q310608, "Remote Assistance May Not Work If Internet Connection Firewall Is Enabled." This is a scenario whereby you have an expert connecting to a novice. Those are the terms they use for the helper and the one being helped. The expert may receive a message when trying to make a Remote Assistance connection stating that the Remote Assistance connection could not be established. The scenario is one case where a novice user creates an invitation request, then enables Internet Connection Firewall, and then tries to establish the connection.

One of the workarounds here is to disable the Internet Connection Firewall or create a new Remote Assistance invitation while ICF is enabled, and then send the invitation to the expert. Another workaround or resolution in this article mentions restarting the novice's computer and then having the expert reestablish the Remote Assistance connection. These are just some of the known things that we have documented on Remote Assistance not functioning correctly if ICF is enabled.

On the next article, I'm not going to go into real great detail on it, but this is the "Supported Connection Scenarios for Remote Assistance," Q301529. {Editor's note: Clifton actually said Q310529, but the correct article ID number is Q301529.} This basically talks about the Windows XP Internet Connection Sharing, Windows Millennium Edition Internet Connection Sharing, and non-Universal Plug and Play NAT routers, as well as Universal Plug and Play–compliant NAT devices, and the various methods that you can use to establish a Remote Assistance connection depending on which one of these technologies you're running behind.

If you're running behind Internet Connection Sharing on Windows XP, then on the novice and the expert, you might want to use the Windows Messenger method to connect the Remote Assistance. There are also scenarios where you'll want to use the Save Invitation as a File and the Send Invitation as an E-mail methods. I'm not going to go into that one much more. Suffice it to say, this basically outlines the various methods you would use to connect and the various ICF implementations that you might be behind and which method to use with which implementation.

The next article is "Service Redirection Does Not Apply to Internet Connection Firewall," Q297942. We talked about this one on the second slide relating to services on the advanced settings portion of the presentation and it outlines pretty much what I've already said, but I'll restate it just to be sure. If you're running ICF only and not running the Internet Connection Sharing (ICS), then you'll have to have the service that you want to share running on the same computer with ICF. If you want to be able to redirect the service to another computer, then you have to be running Internet Connection Sharing on the computer that you're doing the redirection on. This article basically outlines that scenario and the steps to use to get it to work.

Those are our first four troubleshooting issues. Now we'll move on to the next four (slide 13). The first one on the next slide is Q298804, "The Internet Connection Firewall Can Prevent Browsing and File Sharing." We talked a little bit about this. This article just outlines that this is a known issue that, by design, is going to work that way, and it also mentions the ports that are used for sharing and SMB (server message block) communications in a Windows environment. It is possible that you could enable these ports on ICF or on another router or firewall in order for that to be passed. However, doing so would open you up to being accessed by the Internet and it's really not advisable or a good idea to do that.

So just bear in mind that, if you're putting ICF on a private connection, or in a scenario that we call an edgeless network, where, let's say you have multiple computers that are all directly connected to the Internet through a hub, Internet Connection Firewall can disrupt normal TCP/IP communications, file sharing communications over the TCP/IP protocol. So you need to either run another protocol or enable Internet Connection Sharing on one of the clients and make it the host, so that it can run the firewall and the other clients won't. This is an article that you can look at in more detail, but that's pretty much the gist of it.

The next article, Q316414 (" 'Ping: Transmit Failed, Error Code 65' Error Message When You Attempt to Ping Another Computer"). This is another symptom of having the Internet Connection Firewall, or in some cases and in this particular case, an actual third-party firewall software enabled under certain circumstances. In this case the "Ping: transmit failed, error code 65" is known to occur when you have the Internet Connection Sharing feature enabled and you're running firewall software from Zone Labs, such as ZoneAlarm or ZoneAlarm Pro. Basically it just means the ZoneAlarm program is not configured correctly for Internet Connection Sharing and there's information on their Web site (http://www.zonelabs.com/) to be able to configure it for ICS support, or Internet Connection Sharing support.

It's also worth noting though you can have problems pinging with any firewall software enabled on a client, because by default most firewall programs do block the ICMP messages or responses that are required for ping to function. That's simply a feature of most firewalls, so unless you configure it to allow ping to work by opening those ports, it's going to fail in some way or another, whether it's an error or a timeout or some other message indicating that it didn't go through or wasn't successful.

The next article is Q283673, "HOW TO: Enable or Disable Internet Connection Firewall in Windows XP." This article basically goes over what we've already talked about, opening up the Network Connections and right-clicking on your connection and choosing Properties, going into the Advanced tab and then checking or unchecking the check box for enabling or disabling the Internet Connection Firewall. It's pretty straightforward. I don't need to go into much more detail than that. It just walks you through it, if you need a reference on how to do it or you forget how to get to it. That article is a good one for you.

The next one is Q308127 ("How to Manually Open Ports in Internet Connection Firewall in Windows XP"). This article is how to manually open ports on Internet Connection Firewall. Let's say you have an application that you determine from the manufacturer needs certain ports open in order for it to function through a firewall; you can use this article to walk through the steps for opening up those TCP and/or UDP ports for your specific application needs. This article just takes you through those steps. It doesn't mention any particular program or port number, just the generic steps of how to do that. You will need that information specifically for your application from the manufacturer on what ports it actually needs to have open in order for it to function. That pretty much concludes the troubleshooting issues.

On the next slide I have a couple of more references. The first one is a description of Windows XP Internet Connection Firewall. It's pretty much there for your reference. Q320855 ("Description of the Windows XP Internet Connection Firewall") covers most of the stuff we've talked about in this presentation today. That article is a real good overview of the connection firewall in Windows XP.

There is also a more general firewall article, Q321050 ("Description of a Personal Firewall"). This is one that's just a description of a personal firewall, so it's not ICF specific. It's more general and covers personal firewalls, the different types, some problems that you might encounter, a reference there, and it just gives you a good overview of what a personal firewall is. It's more for consumer, home user, and small business scenarios. Then we also reference the Microsoft Help and Support Web site, as well as the World Wide Web Consortium Web site, http://www.w3.org/, where you can find some specs and such on firewalls and other World Wide Web standards.

That concludes it. That's going to be the end of our presentation. That's it. We're now going to have a question and answer session to try to answer the questions you may have regarding this presentation. I'll turn this over to Otto for that portion.

Otto Cate: Before we move on to the Q&A portion of the WebCast today, I'd like to share with everybody a couple of program notes. If you'd like to have a copy of the PowerPoint® slides, be sure that you download that file from the Web site. The content is available to you from the Past Support WebCast page.

To access this information, including some details on all upcoming Support WebCasts, the easy-to-remember URL is http://support.microsoft.com/webcasts/. You can see that on the last slide. The Q&A portion of the Support WebCast is really intended to encourage further discussion of today's Support WebCast topic. Now, one-on-one product support issues are really outside the scope of what we're able to address. If you need some technical assistance, feel free to submit an incident on the Web or contact Product Support Services to speak to a Support Professional. It looks like we do have a few questions in the queue here. Before we jump in, I'd like to also introduce Mitch Lavender. He'll be helping us out today with the Q&A. Mitch is a Partner Technical Lead for the Networking team in Enterprise Platform Support. Thanks for joining us, Mitch.

The first question: Does Internet Connection Firewall interoperate with other software firewalls such as Norton and McAfee? I know that you mentioned in that article some information about Zone Labs, but it looks like this user is wondering about some of the other types of third-party firewalls.

Clifton: That's a great question. Actually, in general, it would not be a good idea to use more than one firewall software or hardware solution at a time. You can run into problems because they don't all operate the same way and you could possibly get unexpected results having multiples. What I would recommend doing is using the one that they feel most comfortable with. The one that we included as a free feature is not the most fully featured firewall on the market. There are products that are dedicated to that functionality and may serve their purposes much better. Generally speaking, no; we wouldn't want to use more than one firewall product at a time.

Otto: What is recommended when connecting two PCs, XP Home and Pro, to a cable modem without using a router? Are there some settings that work well in that configuration?

Clifton: There are different scenarios where there might be different answers. In general, that would indicate that both of those computers would have a direct connection to the Internet. In that scenario you would want protection on both computers. However, as we stated in the presentation, it could end up causing connectivity problems between the two computers if you were trying to share a printer or share files between the two computers.

You could do Internet Connection Firewall on both computers and use the NWLink IPX/SPX protocol for sharing files or printers between the two machines, and achieve the desired results. Ideally what you would want to do is connect one of the computers to the Internet and put a second network adapter in it to connect it to the other computer so that really you only have one point of vulnerability to the Internet rather than two. You could do it a couple of different ways, but that last part is the recommended method.

Otto: Is Internet Connection Firewall Active Directory® configurable via Group Policy objects?

Clifton: Not that I am aware of. I would have to say no. If you're in a domain environment and using Active Directory, you would probably want to use our full-blown ISA Server product, Internet Security and Acceleration Server, which is fully Active Directory aware and integrated. It does much more and is much more configurable and fully featured, and actually does much more than just the firewall.

Otto: We have a question here concerning using ICF and VPN, Virtual Private Network. Some of our users with Nortel's 4.15 VPN client on their home PC are unable to map corporate network drives from their home PCs while they're running XP when Internet Connection Firewall is enabled. Disabling Internet Connection Firewall allows those users to map through those drives. Others with identical broadband connections are able to map corporate drives during a VPN session with ICF enabled. This almost seems like it might be better handled via one-on-one support, but are there any general suggestions you might be able to give here that may explain why some ICF users are blocked from mapping corporate network drives in this type of configuration?

Clifton: In general, I would have to say you're right. It would be a support question. However, it sounds like there may be an issue with their ISP not having ports opened on a particular router perhaps. If some clients are able to do it and some are not, then there has to be something in between the clients that don't work and the end connection. That's my guess on that, but it is just a guess. There are possibly some things you can do. The other thing is, if it's a third-party VPN solution, if you're not using the built-in VPN support of Windows XP connecting to a Windows 2000 VPN server, I don't know the full functionality that you're going to get there using ICF.

I know our VPN stuff works with Internet Connection Firewall as long as you have a direct full connection to the Internet, but some ISPs, especially ones that use Point-to-Point Protocol over Ethernet or non-standard means of connecting their users to the Internet, they could be blocking ports or not allowing certain responses to come back to the end user. It doesn't make sense that disabling ICF would then allow that to work. It's really hard to say what's going on in that scenario.

Otto: We have a question here concerning which programs are recommended to basically not block. The user is asking about Svchost, Ntoskrnl, Services.exe, and Snmp.exe. His full question is: Should I block these Microsoft programs or let them pass through?

Clifton: I'd have to know more information. It doesn't give me enough information to know what he's trying to say. If you're talking about connecting from a client to a server, then those might be needed. It would just depend on whether or not those services were needed for a particular scenario. If you're just a general user on the Internet, it's hard to say. Those are not things that generally people on the Internet are going to need to connect to your machine.

So if he's asking should he enable those services on the Services tab, no. In general, not unless you're acting as a server for those services, that's pretty much what the Services tab is for. If you're running a service that you want users on the Internet to be able to allow them to connect to you, then that's when you enable those. Otherwise there's no need to enable any of those services for you to connect to the Internet. But I'm reading a lot into what you said, because there wasn't enough information in the question for me to know completely what he was asking.

Otto: Let's move on to the next question here. It looks like we've covered some of the general how-to as far as the ports opening and closing is concerned there. The full question here is: How do you go about opening protocol 47 (GRE) that's needed for VPN tunneling to an Internet Connection Firewall machine via PPTP? Simply opening TCP port 1723 and 47 does not seem to work, even after deleting and re-adding the incoming VPN connection in the network settings on the ICF machine. It looks like they've also tried deleting and re-adding the VPN Point-to-Point Tunneling Protocol firewall port that's automatically created. The connecting XP clients end up failing with an error 721. Is that something that you're familiar with?

Clifton: Not particularly. There's some documentation in the KB regarding that error. I'd have to look that up. However, I have gotten this to work simply by enabling port 1723, because the GRE protocol does get passed automatically. So there may be something going on here not involving the firewall. My question would be, and this would probably be more of a support question, if they disable the Internet Connection Firewall, does it work then; because there could be something going on the client side, on the machine that's trying to connect, that's actually preventing it.

[Follow-up answer: Based on the information given, this is a support issue. The problem is not with ICF/ICS or our built-in VPN. This works and the information about how to configure it is documented in KB article Q309524, "How to Configure Windows XP ICS for an Internal PPTP Server." There is no mention of enabling GRE 47 in this article, because there is no need to do so. This happens whenever you enable port 1723, as mentioned in the article. I have tested this and it works. It appears that there is a router, or other firewall or software interfering with the customer's connection to the VPN server/host, either on his ISP's side, or running as software on his computer, or there may be some other variable, that is an unknown.

Note that you can use the New Connection Wizard to create an Advanced, Incoming Connection for PPTP/VPN, which should automatically create the inbound service definitions for ICF/ICS, which allows these to pass the Firewall/HOST. Refer to KB article Q309524, "How to Configure Windows XP ICS for an Internal PPTP Server" to configure this manually. Also keep in mind that the service definitions for ICF/ICS are the same settings, so this applies whether you are using one or the other, or both ICF/ICS.]

Otto: It looks like they're tunneling through a machine via PPTP. Based on the answer to the previous question, it looks like that might also have something to do with it. Is that accurate?

Clifton: It's possible. Every point that you're going through has to be able to pass the GRE protocol 47 as well as the port 1723. So it may be that at some point down the line, not just on the ICF-enabled connection, that protocol is not passed; there are some ISPs and routers out there that by default don't pass protocol 47. It has to be able to be passed through every point along the way.

Otto: Can XP ICF, Internet Connection Firewall, of course, work with hardware firewalls and routers, or is it really even necessary?

Clifton: No. Again, this goes back to the question that was asked earlier. Generally speaking you want to use one or the other. A firewall is a firewall. If you're using the Internet Connection Firewall, you really don't have any need to use a hardware firewall and by the same token if you have a hardware firewall, you don't have any need to use the Internet Connection Firewall. Basically what I would recommend is going with the one that gives you the functionality and features that you require, and if that's the hardware firewall then just leave the built-in one disabled.

If you get everything you need out of the software one, then use it and don't go buy a hardware one if you haven't already. You're basically going to get the same basic functionality from any firewall product, whether it's hardware or software, and in general I don't recommend using them in conjunction with one another, because they do different things and could cause unexpected results.

Otto: Do you know of any plans for Internet Connection Firewall to be scriptable via VBScript?

Clifton: Not that I know of.

Otto: That functionality does not exist at this point, is that correct?

Clifton: Not that I'm aware of, no.

Otto: The user here is creating exceptions for particular trusted IP addresses. He's saying that this seems to be unsupported unless it's via an undocumented registry setting. Do you know if there may be plans to support creating exceptions for particular trusted IPs?

Clifton: No. Not in the Internet Connection Firewall that I'm aware of. That is a functionality of our full-blown ISA Server product, where it has that and much more functionality. It is also a feature of some of the other full-blown software products on the market like ZoneAlarm and Norton Internet, and some of the others have features like that. But at this time, as far as I know, it is not an option. Not to say that it can't be done. I just have not heard of that feature or functionality, even in an undocumented means.

Otto: This is another VPN-related issue asking about troubleshooting a client access problem for a home network. It looks like they were using Cisco Client VPN version 3.51 at the time. Cisco had reported that it cannot run with ICS installed. The only way I could get it to recognize that ICS was turned off was to disable the ICF/ICS service in the Services control panel. I discovered that Internet Connection Firewall may be tied to the Internet Connection Sharing, same services tied to both functions.

Clifton: They are.

Otto: Do you know of a way to disable Internet Connection Sharing without having to disable the firewall?

Clifton: Yes. You uncheck it on the Advanced screen. There are two check boxes on the same screen on the Advanced Properties of the connection. You don't need to disable any services per se. You just uncheck that dialog. But keep in mind, even with ICS enabled, ICS and ICF both are based on Network Address Translation (NAT), and there are some third-party VPN products out there that may have a problem with a Network Address Translation (NAT) router or NAT-based firewall.

It's possible that we're looking at a limitation of their client software in conjunction with our NAT functionality built into ICS and ICF. But it is possible to enable and disable both of those, I don't know the right word to use, independently of each other. You can enable ICF and not enable ICS, and vice versa. Either one can be enabled or disabled on the same screen without having to manually disable any services.

Otto: The user wants to know if there is a way to avoid having to manually enable ICF at home and disable it at work. The configuration that he uses looks like he's wondering if there is some kind of automated or scripted way or some other method he can use to turn on and off, based on the location.

Clifton: No. Unfortunately, if it's the same connection or the same network adapter that's being used, there is no automated way that I know of. It's possible that there could be a registry setting involved that you could create a .reg file for. I don't know the registry setting offhand. It's possible that you could find that and create a registry file on the desktop to double-click, and then click OK to add it to the registry or whatever. But it's simply a matter of if you use a different network adapter; that would be one way. But in the case of a laptop where all you have is the one network adapter, unfortunately you have to check and uncheck that box each time.

Otto: Are you able to remote control the configuration of Internet Connection Firewall?

Clifton: It's possible to use the Remote Desktop feature, as long as you've allowed that feature to be passed through the firewall; there's a service that you can check for Remote Desktop. Not specifically for that service, but because you can choose to Remote Desktop into a machine. Then the short answer would be, yes, you can by means of Remote Desktop, assuming that you had that service allowed in the ICF Services tab.

Otto: The question here is concerning Windows 2000: Does Microsoft provide any firewall services for Windows 2000? I know you had mentioned ISA (Internet Security and Acceleration) firewall. Does that work in the Windows 2000 environment?

Clifton: That is a server-only product. If you're running Windows 2000 Server you can purchase and add the Internet Security and Acceleration Server to your server for your LAN, but as a Windows 2000 client, no. Only if you were a client behind an ISA-enabled Windows 2000 Server would you have that functionality. There is no Windows 2000 Professional firewall client software beyond the bits that are included with the ISA Server full-blown server product.

Otto: Is it possible to export and import the firewall settings to an XML file?

Clifton: Not that I'm aware of. It might be possible to export the setting from the registry, but that's a guess on my part. It's not something that I've seen documented or tried to do. I'd have to do some digging into that to see if there are any options for that, but I don't think it would be in XML. It would be in the registry, if anything. I'm not even sure that that's an option, because I think the stuff in the registry is not in plain text that you can actually see.

Follow-up answer: This is not currently a feature of Windows XP Internet Connection Firewall; there is no information available regarding plans for this in the future. You can make a feature request for this to be added to future products, through the Contact Us Web site at http://www.microsoft.com/isapi/goregwiz.asp?target=/regwiz/forms/contactus.asp.

Otto: If I connect to the Internet through a broadband gateway that has NAT (Network Address Translation) enabled, but had no built-in firewall, should I go ahead and enable Internet Connection Firewall within XP?

Clifton: No. In general not, because basically what you have with a NAT is you have a private network address inside of the router and translating that into public addresses so nothing on the private network is routable to or from the Internet. In effect, you do have a firewall by using the NAT router. It's not explicitly called a firewall, but it does function much as a firewall does. In fact, our Internet Connection Firewall is based on Network Address Translation technology taken from the NAT functionality that was built into Windows 2000 Remote Access features.

Otto: It looks like we still have a few questions in the queue. I wanted to quickly touch base with everybody and see if we could solicit some feedback from our audience. If you happen to have some suggestions or future Support WebCast topics or some general comments about today's show or even the WebCast program as a whole, we'd love to hear from you. You can send e-mail to us at subweb@microsoft.com and I'll be able to pull those out and send them on to the appropriate managers. The e-mail link is also on the last slide.

Moving on to the next question: Can Internet Connection Firewall be used in conjunction with a VPN client in a remote access scenario? I know that we've touched a little bit on VPN client software. Does the functionality work well with the built in VPN software?

Clifton: In general when you're using VPN, you're going to be connecting to a private network say at your corporate location or your company's location. That connection itself you would normally not enable, nor is it even an option that I know of to enable the firewall on a VPN connection per se. What you normally have is an Internet connection established first, whether it be broadband or dial up, and on that connection you have the Internet Connection Firewall enabled.

Then through that connection, you establish the VPN connection. In that scenario, yes, it does work. You can have ICF enabled on your Internet connection and then make a VPN connection through that Internet connection and be on your corporate network with full access just as you normally would. At least as far as the Microsoft VPN solutions are concerned, I know that works. I use it at home all the time.

Otto: It looks like the user is actually just trying to get some information about logging. It's about slide 9, where we're talking about some of the logging options. Does the XP firewall here provide logging on attacks, similar to ZoneAlarm and such, for potential attacks I suppose?

Clifton: It does log any connection attempt if you have the features enabled. By default, it's not logging anything, so you have to enable both the check boxes to get the full logging functionality. But yes, logging dropped packets would basically log any attempt to contact any port on that client. Now it's not going to be as descriptive. It's not going to give you a detailed explanation why, as for example I know ZoneAlarm does, but it does give you the information that a connection attempt was made on port so-and-so at this time from this IP address to this IP address. It does give you all that information.

Understanding it is another story: knowing what it actually means, or what attack type was actually used, or what program was used, whether it was a scan attack or some other exploit attempt. That's just going to be the technical "goo" that you'd have to understand, and know what the different attacks or exploits look like, to know that a port attack coming in on certain ports would mean certain types of attacks. It really doesn't give you the detailed description that you would get, but the short answer is yes. It does log any attack attempts, if you have the Log dropped packets option enabled.

Otto: Are there certain protocols that are not blocked by Internet Connection Firewall? I thought that UPP and IPSec packets were automatically passed through the firewall. Is there a way to block these from coming into or out of the machine?

Clifton: First of all, to understand the UPP functionality, the way that works is it allows a request that originates from the ICF client to get a response back from the network from the Internet, if the request originates outside of the ICF computer. In other words, if I am on the Internet and I initiate a connection attempt to a computer running the ICF, then I get no response. The UPP functionality is only for an inside request being made to go out and allowing that request to come back in dynamically. That's the functionality of the UPP. There was another part of the question that I'm not sure I understood. What was the other service he mentioned besides UPP?

Otto: IPSec packets. Let me go ahead and repeat the question: Are there certain protocols that are not blocked by ICF? I thought UPP and IPSec packets were automatically passed through the firewall. Is there a way to block these from coming into and out of the machine?

Clifton: As far as I know, UPP isn't really considered a protocol. But UDP and TCP are the protocols that are blocked by ICF. If it's something besides UDP or TCP, then we're not going to be able to block it, because that is basically how NAT functionality, or a NAT-enabled router or software, works: by taking those TCP and UDP ports and blocking them unless you explicitly allow a certain TCP or UDP port to be passed from the Services tab.

I'm not sure about the IPSec functionality there. I don't think that IPSec is necessarily considered a protocol either. But at the same time, it rides over the TCP/IP. It's going to be dependent on the ports to be opened for TCP/IP in order for it to pass. If something is coming in from the outside unsolicited, it's going to be blocked regardless of whether it's IPSec or not. At least that's my understanding of the functionality.

Otto: It looks like we have a deployment question here. Is there a way to configure Internet Connection Firewall in either the Unattend.txt or possibly Sysprep processes during setup?

Clifton: Good question. That's something that is well beyond what we're covering in this presentation. It is something we could look into and try to get back to him on. I would think that it would at least be configurable to be enabled or disabled. But as far as beyond that I don't know for sure that that's the correct answer or that there's more functionality that could be written into Unattend.

Follow-up answer: Yes, it is possible to enable ICF on network adapters through the Unattend.txt file. For a detailed explanation about answer files and a list of valid parameter values, please refer to the Deploy.chm file in the Support\Tools\Deploy.cab folder on the Windows XP CD-ROM.

For your convenience, here is an excerpt from the Deploy.chm file regarding the Internet Connection Firewall:

Put the following in the [Homenet] section:

InternetConnectionFirewall

Value: adapter_name[, adapter_name,...]

The adapters on which the Internet Connection Firewall (ICF) is located should be turned on. The adapters are those identified in the [NetAdapters] section of Unattend.txt.

Adapters with the firewall turned on cannot be specified in InternalAdapter or in Bridge.

Otto: Next question here. It looks like we have another management type question here: Can Internet Connection Firewall be managed or maintained using SMS?

Clifton: I'm not sure. That would really be a question for SMS. But in general, my answer would probably be no, but I'm guessing. The Internet Connection Firewall is geared towards the home user or small business peer-to-peer network. If you're in a corporate environment, or an environment where you're using SMS, you're most likely going to be using something besides our Internet Connection Firewall. You'll probably be using Proxy Server or Internet Security and Acceleration Server, and you'll be getting much more functionality than our little built-in free client.

Otto: Can multiple Remote Desktops be set up and accessible behind an Internet Connection Firewall, and how would we access a specific Remote Desktop PC from the outside?

Clifton: As far as I know it's not an option, at least not in the built-in functionality of the Remote Desktop client. However, it is possible that you could use different ports on the outside, but you would have to manually configure the services to redirect incoming requests on a given port to a different IP address of the other Remote Desktop client. While it may be possible, I don't think it's supported. It's not documented anywhere that I know of. That's not how it was designed to be used as far as I know. While it may be possible, I don't think it's something that we're getting a lot of calls for.

Otto: It looks like we have a follow-up to that VPN tunneling port 47 question, the GRE. The original question was: How do you go about opening protocol 47 GRE that's needed for VPN tunneling to an ICF machine via PPTP? He's mentioning that you had asked whether disabling ICF works, and it looks like it does. I'm wondering if that helps shed any further light on that scenario, or if it's possibly something that might be best to follow up via one-on-one support.

Clifton: One-on-one support would definitely be ideal for that question. However, it seems to me that it's probably not a GRE issue, and that it may be some other port issue between the client and the server that the Internet Connection Firewall is not allowing through. 1723 TCP would be my guess. Again, it's hard to say. I know from experience that the GRE 47 protocol is enabled if you do set up an advanced connection and allow an incoming VPN connection on a Windows XP Pro box, because I've done that.

It automatically creates the port 1723 settings and automatically passes protocol 47 through the firewall. I've set that up and tested it for a KB article that I was involved in getting tech reviewed. I know that that works. I'd have to say that there's something else in the picture that we're just not seeing on the surface of this issue, and one-on-one support would probably be the best way to go to get to the bottom of it.

Otto: It looks like we have one last follow-up here to one of the previous questions concerning the relationship with Cisco client VPN. It was actually the question that was talking about disabling Internet Connection Sharing versus Internet Connection Firewall. The user has come back stating that this is not listed on my Windows XP Pro setup. Is this something that you may have seen before, or is this another one we should probably point to one-on-one support on?

Clifton: It is probably best to get them to one-on-one support. I'm not sure what he means by it's not listed on his setup. Maybe he's talking about the Advanced tab doesn't show Internet Connection Sharing as an option on the dialog.

Otto: That's what it sounds like.

Clifton: If that's the case, that's because he only has one network connection. Internet Connection Sharing will only be available if you have more than one connection. So it's not enabled or running if it doesn't show up on the Advanced tab; so there's no need to disable it when it's not there. He may be trying to troubleshoot a known issue from Cisco, but that may not actually be his issue, if that makes sense. There could be something else going on that's unrelated to the workaround or resolution that they've given him.

Otto: If ICS is disabled, will the service still show up and possibly run?

Clifton: There are services, I don't remember the service name off the top of my head, but there are services that are shared between ICS and ICF. It is the same service running. So if you're using ICF, but you don't see or have the box checked for ICS, then yes, the service will still be there and be running. If disabling that service works around the problem that you're having, then the problem is the Internet Connection Firewall, because that's what's left running if ICS is not present or not checked. I hope that helps clear that up.

Otto: In slide 10, "Advanced ICF Settings – ICMP," I understand the "Allow incoming…" check boxes, but could you explain better than the description given in that same dialog, the "Allow outgoing…" and "Allow redirect…" check box options. Could you provide examples of when you would want to enable one or more of these, in terms of troubleshooting or situations where a program (initiated from behind the firewall) might require these to be allowed in order to function properly? Are there any Microsoft programs you know of that might require any of these options to be checked?

Clifton: Ping responses and messages are the only thing that I know of that utilizes these options. The outgoing responses are beyond the scope of the presentation; however, they would not be utilized or needed in most cases, or in any case that I can come up with. ICMP is only for ping messages regarding unreachable or non-responding hosts, etc. Router functions may utilize the outgoing requests, so if you were running Internet Connection Sharing, these could play more of a role. For example, if you're allowing a computer behind the ICS machine to host a service, like a Web site, and you wanted to be able to ping it from the Internet through the ICS host machine, then the outgoing responses may be needed to allow the outgoing response to be sent. Basically, other than ping troubleshooting, ICMP should not need to be enabled; any traffic that originates from the private or firewalled connection would be allowed out anyway by default, and any response directly tied to a request that originated from the private or firewalled connection would be allowed back in dynamically. Here are some additional links to more information on ICMP for you to explore if needed as well:

Internet Control Message Protocol (ICMP)

http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_tcpip_und_icmp.asp

Q195686 "Explanation of ICMP Redirect Behavior"

http://support.microsoft.com/support/kb/articles/q195/6/86.asp

RFC 792 "Internet Control Message Protocol"

ftp://ftp.isi.edu/in-notes/rfc792.txt

Otto: It appears that we've answered all the questions that were submitted today, so that's going to wrap up our session. I really wanted to thank Cliff and Mitch for coming out. You've given us a great presentation and helped out with the Q&A here. I definitely wanted to thank all of you for coming out as well. I hope that all of this content was useful to you. We hope that you have the opportunity to tune in again in the near future. Thanks and have a great day.


Last Reviewed: Thursday, May 23, 2002