I have two PCs on my home network. I've just installed Windows XP on the host system; the other is running Win 98 Second Edition. Unfortunately, when I enable Internet Connection Firewall (ICF) on the host PC, the client can no longer connect to certain programs. Can the firewall be configured so the client works as it did before I enabled ICF?
You don't mention exactly which applications are giving you problems, so we'll have to make some generalizations here. To begin with, the role of the Microsoft Internet Connection Firewall (or any firewall, for that matter) is to monitor the traffic traveling in and out of your network.
This traffic enters and exits the computer via various ports; the firewall can tell what type of traffic is using the network by tracking which port the data is destined for -- HTTP, for instance, uses port 80, and e-mail uses ports 25 and 110. Any traffic not specifically defined or known to the firewall is typically blocked to prevent unauthorized access.
In order for an application to pass data outside of your local network, you need to tell the firewall which ports the program or service is going to be using. Microsoft's ICF can be easily configured in this way by adding a Service to its Services List. The list contains information on the service type, the related TCP or UDP ports, and the IP address of the host system.
ICF and Internet Connection Sharing (ICS) have some services already predefined, so Web access and e-mail are available from the moment ICF is enabled. If the application you want to use hasn't already been defined, you'll need to add its parameters to the Services List. A program's port usage can be found either in its documentation or by contacting the vendor.
To add a service to the Services List, open the Control Panel and click on Network Connections. Right-click on the connection being protected by ICF and select Properties, then select the Advanced tab and press the Settings button. On the Services tab, click Add and you'll see the Service Settings dialog box. Here you'll enter the service name, the IP address of the computer hosting the service, and the TCP or UDP port numbers the service will use. When finished, click OK to update the Services List. Your application should now work without any problems.
We say "should" because some applications -- such as Microsoft NetMeeting or Windows Messenger and other instant messaging services -- use a wide range of ports or dynamically assigned ports for moving traffic and can be tricky to get working behind a firewall. In this type of situation, you might consider placing the application in a Demilitarized Zone (DMZ), which resides outside of the firewall. Keep in mind, though, that a system in the DMZ is vulnerable to attack and should not contain any sensitive data. (An October 2001 Microsoft TechNet page offers a lot of geeky details regarding how to configure firewalls and Network Address Translation (NAT) routers to work with Windows Messenger.)
Remember, too, that ICF is a very basic firewall and does not allow for extensive configuration changes. An upgraded version, along with a big push for automatic updates via a facelifted Windows Update, will appear in the security-conscious Windows XP Service Pack 2 scheduled to arrive in mid-2004, but you might not want to wait to invest in a third-party software firewall or a good hardware router with a built-in firewall.
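The Services List logic described above, and the reason dynamically assigned ports defeat it, can be sketched as a small model. This is an added example, not Microsoft's code or ICF's actual internals; the class names, the one-port-per-entry assumption, and all addresses and port numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    proto: str     # "TCP" or "UDP"
    port: int      # port the firewall listens for on the protected connection
    host_ip: str   # computer on the home network that hosts the service

class ServicesList:
    """Toy model of a default-deny Services List (not ICF's real internals)."""

    def __init__(self, services):
        self._entries = {(s.proto.upper(), s.port): s for s in services}

    def route_inbound(self, proto, dst_port):
        """Return the LAN host an unsolicited packet is passed to, or None if dropped."""
        entry = self._entries.get((proto.upper(), dst_port))
        return entry.host_ip if entry else None

    def audit(self, host_ip, needs):
        """Compare an application's documented ports with the list.

        needs: (proto, low, high) tuples; low == high means one fixed port.
        Returns (covered, missing, dynamic). A range goes to 'dynamic' because
        this model assumes one port per entry, so it cannot be listed whole.
        """
        covered, missing, dynamic = [], [], []
        for proto, low, high in needs:
            if low != high:
                dynamic.append((proto, low, high))
            elif self.route_inbound(proto, low) == host_ip:
                covered.append((proto, low))
            else:
                missing.append((proto, low))
        return covered, missing, dynamic

# Constructed sample data: addresses, names and port numbers are illustrative only.
CLIENT = "192.168.0.2"
SERVICES = ServicesList([
    Service("Web Server (HTTP)", "TCP", 80, CLIENT),
    Service("Example game host", "TCP", 27015, CLIENT),
])
EXAMPLE_CHAT_NEEDS = [("TCP", 27015, 27015), ("TCP", 5000, 5000), ("UDP", 5004, 65535)]

if __name__ == "__main__":
    covered, missing, dynamic = SERVICES.audit(CLIENT, EXAMPLE_CHAT_NEEDS)
    print("covered:", covered)    # already in the Services List
    print("missing:", missing)    # fixed ports still to add
    print("dynamic:", dynamic)    # ranges a per-port list cannot express
```

Feeding the audit the port list from an application's documentation shows which fixed ports still need a Services List entry and which requirements no static entry can satisfy.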