Troubleshooting Q&A - January 8, 2004
Controlling Internet Access for Specific Apps with Windows XP's ICF
This week's Q&A reveals how to enable specific applications to connect to the Internet through Windows XP's Internet Connection Firewall. We'll also explore how Uplink ports on network hubs differ from regular ports.
By Ron Pacchiano
Q. I have two PCs on my home network. I have just installed Windows XP on the Host PC. My other PC is running Windows 98 Second Edition. The problem I have is that when I enable Internet Connection Firewall (ICF) on the host computer, the client computer can no longer connect to certain programs. Can the firewall be configured so that the client works as it did before I enabled ICF? Please help me!
A. In your question you fail to mention which applications are giving you problems, so we’ll have to make some generalizations here. The role of the Microsoft Internet Connection Firewall (or any firewall for that matter) is to monitor the traffic that travels in and out of your network.
This traffic enters and exits the computer through ports. The firewall can tell what type of traffic is traveling through the network by tracking which port the data is destined for. Some examples of service types and their related port numbers are HTTP, which uses port 80; FTP, port 21; and TELNET, port 23. Any traffic not specifically defined within the firewall is typically blocked to prevent unauthorized access to your network.
In order for an application to pass data outside of your local network, you need to tell the firewall which ports that service is going to be using in order to allow that data to pass. The Microsoft Internet Connection Firewall can be easily configured to do this by adding a Service to its Services List. The Services List contains information on the service type, the related TCP or UDP ports, and the IP address of the host system.
ICF and ICS (Internet Connection Sharing) have some services already pre-defined, so web traffic and e-mail can be used from the moment ICF is enabled. If the application you want to use hasn’t already been pre-defined, then you’ll need to add its parameters to the Services List. The port usage of the application you want to use can be found either in the documentation or by contacting the vendor.
To add a service to the Services List, simply open the Control Panel and click on Network Connections. Right-click on the Connection being protected by ICF and select Properties. Next select the Advanced tab and press the Settings button. On the Services tab, click Add and you’ll see the Service Settings dialog box. Here you’ll put the service name, the IP address of the computer hosting the service, and the TCP or UDP port numbers the service will use. When finished, click OK to update your Services List. Your application should now work without any problems.
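The Services List behaviour described above, as a simplified Python model (an added example, not ICF's own code and not part of the original column). The service name, port 6112 and all IP addresses are constructed; the model also reflects that ICF is stateful, so replies to connections started from the LAN pass without an entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str   # label shown in the Services List
    proto: str  # "tcp" or "udp"
    port: int   # port opened on the ICF-protected connection
    host: str   # IP address of the LAN computer hosting the service

class IcfModel:
    """Simplified model: default-deny for unsolicited inbound traffic."""

    def __init__(self, services):
        self.services = {}
        for s in services:
            # An entry with the wrong protocol or port never matches anything.
            if s.proto not in ("tcp", "udp") or not 1 <= s.port <= 65535:
                raise ValueError(f"bad Services List entry: {s}")
            self.services[(s.proto, s.port)] = s
        self.flows = set()  # connections initiated from inside the LAN

    def outbound(self, proto, remote_ip, remote_port, local_port):
        self.flows.add((proto, remote_ip, remote_port, local_port))

    def inbound(self, proto, remote_ip, remote_port, local_port):
        if (proto, remote_ip, remote_port, local_port) in self.flows:
            return "allow: reply to outbound connection"
        svc = self.services.get((proto, local_port))
        if svc:
            return f"allow: {svc.name} -> {svc.host}"
        return "drop: no Services List entry"

def demo():
    # Constructed entry: a UDP game service hosted on the Windows 98 client.
    fw = IcfModel([Service("Game host (constructed)", "udp", 6112, "192.168.0.2")])
    fw.outbound("tcp", "203.0.113.10", 80, 1050)         # LAN client browses the web
    return [
        fw.inbound("tcp", "203.0.113.10", 80, 1050),     # the web server's reply
        fw.inbound("udp", "203.0.113.20", 40000, 6112),  # matches the entry
        fw.inbound("tcp", "203.0.113.20", 40000, 6112),  # right port, wrong protocol
        fw.inbound("tcp", "203.0.113.30", 40000, 23),    # unsolicited Telnet
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The third result is the common misconfiguration: an entry created for UDP does not open the same port number for TCP, so an application that uses both needs one entry per protocol.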
Some applications, like Microsoft NetMeeting for example, use a wide range of ports for moving traffic and can be very difficult to get working behind a firewall. In this type of situation it might be necessary to place the application in a Demilitarized Zone (DMZ), which resides outside of your firewall. A system in the DMZ is vulnerable to attack and should not contain any sensitive data. You should remember that ICF is a very basic firewall and does not allow for extensive configuration changes. Depending on the applications you’re trying to use, you might need to consider investing in a good hardware router with a built-in firewall.
Q. I have an older 3COM Office Connect 8-port hub and noticed that one of the ports on it is labeled Uplink. I was curious as to what the difference is between the Uplink Port and the other ports on the hub. What is the Uplink port used for? Thank you!
A. The differences between the uplink port and a regular port are pretty straightforward. Basically, an uplink port on a hub or switch allows you to use a regular, or straight-through, Ethernet cable to join one hub or switch to another one. Without the presence of the uplink port the only way for you to connect these two devices would be to use a crossover cable.
The reason for this is that each Ethernet port on the hub has two transmit pins and two receive pins, one Positive (+) and one Negative (-) of each. The transmit pins at one end of a cable have to be connected to the receive pins at the other end of the cable.
To accomplish this, the transmit and receive pins in a regular port cross each other, thereby allowing the transmit pins on the hub to communicate with the receive pins on the PC’s network adapter and vice versa. In order for two hubs to communicate with each other when using a straight-through cable, one end must cross over (regular port) and one end must not (uplink port).
Putting it simply, if a crossover cable is used to connect the hubs, then the ports at both ends must be the same kind of port (both regular ports). If a straight-through cable is used to connect them, then the ports must be different (a regular and an uplink). You can usually find a button on the side of the hub or switch that will change the status of the port from an uplink port to a regular one.
Newer hubs and switches are equipped with auto-sensing ports that allow the port itself to identify whether a straight-through or crossover cable has been connected to it and then configure itself accordingly, eliminating the need to choose — and the potential confusion that can result. I hope this clears things up.
Best of luck!