Firewall and IM Not Playing Well Together?

This week's Q&A explores the problematic issue of configuring a firewall to allow instant messaging. We'll also look at why it's inadvisable to run Microsoft's Internet Connection Sharing (ICS) on computers networked through a router.

By Ron Pacchiano

Q. For the last few months I've been using a DSL modem for Internet access at home. Since signing up for broadband, I have enjoyed the high speed tremendously; music and software updates download incredibly quickly. Not long ago, a good friend of mine moved to another state, so we started using Windows Messenger to stay in touch with each other, and it has been working pretty well.

I recently mentioned to another friend of mine that I had got the DSL line, and he suggested that I purchase a firewall to protect my system from hackers or other deviants. So I went to my local CompUSA and purchased a Netgear Firewall router. After installing the router I noticed I could no longer connect to the Windows Messenger service. So I disconnected the router and connected my computer directly to the DSL modem, and everything works fine. Why is this happening? Did I configure something wrong, or is my router simply defective? Thank you.

A. The good news is that I doubt your router is defective. The bad news is that it is a configuration issue between the IM client and the firewall. Worse yet, this particular problem isn't easily fixed. Before we talk about the problem specifically, let's first recap exactly what the role of the firewall is.

Basically, a firewall is a device that sits between your DSL modem and your computer – a sort of gateway that all of the data entering and exiting your network MUST pass through. Firewalls monitor network activity and filter out any unauthorized traffic. This traffic moves in and out of the router on ports. Different types of data travel over specific ports. For example, web traffic uses port 80; e-mail, ports 25 and 110; and FTP, port 21. This constant monitoring is what protects your PC from attacks.

Now, when your computer is connected directly to your DSL modem, data flows unrestricted between your computer and the Internet, allowing you to play online games, engage in voice chat, and in this case, use the Windows Messenger service. Adding the firewall to the equation can cause some applications to stop working, because the firewall hasn't been configured to allow certain types of data to pass through it. This is done by design; it is not a bug.

Typically, to correct these problems all you would need to do is determine which ports are required by the services you are using and configure your router's port mapping feature to forward those ports to your machine. (Your IM friend, incidentally, will probably need to do the very same thing on his or her end.) With some services like FTP or e-mail this is pretty simple, as these applications use static or non-changing ports.

Configuring a firewall to support the advanced features of Windows Messenger, on the other hand, can be difficult because it uses a number of dynamically-assigned ports. Depending on the equipment that you and your friend have, it might not even be possible to use IM with your firewall.

There is a lot of technically detailed information available at regarding how to configure firewalls and Network Address Translation (NAT) routers to work best with Windows Messenger.

Microsoft recommends Universal Plug and Play (UPnP)-compatible routers in order to use all of Windows Messenger's features. They're able to more efficiently manage the constantly changing port mappings that are needed. You should check to see if your current router can be upgraded to support UPnP or, if not, consider getting a router that does support it.

A quicker and easier way to accomplish what you want would be to put your computer into the router's DMZ (demilitarized zone), which would let the router pass any traffic it encountered to your PC. However, this is not advisable (nor is keeping your PC connected directly to your DSL modem, for that matter), as it leaves your computer vulnerable to attack. Only do this on a PC that doesn't carry important data. This would temporarily solve your problem, but is by no means a permanent solution.
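An added example (not part of the original column): a toy Python model of the router behaviour described in this answer. It shows why replies and a statically forwarded port get through, why an inbound connection to a dynamically chosen port is dropped, and why the DMZ setting hands the PC every unsolicited packet. The `NatFirewall` class is hypothetical, and all addresses and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

PC = "192.168.0.2"  # constructed LAN address of the home PC


@dataclass
class NatFirewall:
    """Toy model of a home NAT firewall router; a teaching sketch, not a real product."""
    port_forwards: dict = field(default_factory=dict)  # WAN port -> LAN host (static)
    dmz_host: Optional[str] = None                      # gets all otherwise-unmatched traffic
    sessions: dict = field(default_factory=dict)        # (remote ip, remote port, WAN port) -> LAN host
    next_wan_port: int = 40000

    def outbound(self, lan_host, remote_ip, remote_port):
        """A LAN host opens a connection: allowed, and recorded so replies can return."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[(remote_ip, remote_port, wan_port)] = lan_host
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN host that receives an inbound packet, or None if dropped."""
        host = self.sessions.get((remote_ip, remote_port, wan_port))
        if host:
            return host                               # reply on a LAN-initiated session
        if wan_port in self.port_forwards:
            return self.port_forwards[wan_port]       # static port mapping
        return self.dmz_host                          # DMZ host, or None (dropped)


def scenario(fw):
    """Run the same four inbound packets through a firewall and report who gets them."""
    wan = fw.outbound(PC, "203.0.113.10", 1863)       # PC signs in to an IM server (constructed)
    return {
        "server reply": fw.inbound("203.0.113.10", 1863, wan),
        "ftp to port 21": fw.inbound("198.51.100.7", 51000, 21),
        "friend to dynamic port": fw.inbound("198.51.100.7", 51001, 6891),
        "unsolicited probe": fw.inbound("192.0.2.99", 44444, 445),
    }


if __name__ == "__main__":
    for name, fw in [("default", NatFirewall()),
                     ("forward 21", NatFirewall(port_forwards={21: PC})),
                     ("DMZ", NatFirewall(dmz_host=PC))]:
        print(name, scenario(fw))
```

In the default and port-forward cases the unsolicited probe is dropped; only the DMZ configuration delivers it to the PC, which is the exposure the answer warns about.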

Q. My roommate and I are trying to configure our computers to share our Verizon DSL modem. So we went out and purchased a Linksys router and connected the network cable from the DSL modem to the router's WAN port, then connected both of our computers to LAN ports on the router. After we connected everything, we tried running Microsoft's Network Setup Wizard. When we did this, we got an error message that said, "Cannot complete the Network setup wizard: Other computers cannot connect to the Internet through this computer." We double-checked our cable connections and everything looks right. We are all using Windows XP Professional, and my roommate's computer is set up as the host. What do you think the problem could be?

A. Even though you didn't come right out and say it, your question implies that you're running Microsoft's Internet Connection Sharing (ICS) feature on the Windows XP host computer. When you're using a broadband router, you don't need to use Windows XP's ICS feature. ICS is necessary only when you lack a router, and instead connect the Internet connection directly to a PC. You then need a separate network card in that host PC to connect to your internal network and the machines on it. This is what allows you to share that broadband connection.

Having ICS installed and running is no doubt the cause of your problem. Disable it. To do this, just right-click on your network adapter and select "Properties," then click the "Advanced" tab, and uncheck the Internet Connection Sharing option.

Once that's been done, you need to make sure that both computers are set to "Obtain an IP address automatically." This will allow them to obtain an address from the router when you connect them to it. You might need to reboot the machines to ensure an address is issued.

At this point, if you didn't do it already, you need to configure the router to work with your Internet connection. This is typically done by using a web browser to connect to the router's default IP address (it's probably or something similar). Logon information is provided in the documentation. Most routers come with a setup wizard to make this task easier for you. Once the configuration has been completed, a reboot of the router should be all you need to get your PCs surfing.

