Tech Notes
ZoneAlarm Products and Windows Internet Connection Sharing (ICS)
Summary
ZoneAlarm Plus and ZoneAlarm Pro fully support Internet Connection Sharing (ICS). ZoneAlarm does not fully support ICS.
Background
ZoneAlarm Plus and ZoneAlarm Pro support ICS fully. When New Network Detected appears, simply include that network in the Trusted Zone. Both ZoneAlarm Plus and ZoneAlarm Pro provide outbound anti-Trojan protection (application control) on each client PC they are installed on, as well as inbound control on the ICS/NAT gateway PC. (ICS client machines have inbound protection via ICS/NAT.) Follow the instructions below to configure ZoneAlarm Plus or ZoneAlarm Pro for use in an ICS environment.
Before installing a ZoneAlarm product, please make sure you have ICS set up correctly with the ability to connect to the Internet. Confirm that your environment works the way you want from all PCs on your network. Be sure to update your ICS program to the latest version available from the manufacturer.
Here are some useful links to help you set up ICS correctly (simply look for a link to Internet Sharing, or to your Operating System):
Note: Links to sites other than zonelabs.com are provided for your convenience. ZoneAlarm does not provide, and is not responsible for, the content users may find on such sites.
There are several possible configurations when using ZoneAlarm Plus or ZoneAlarm Pro with ICS at High security:
- Install ZoneAlarm Plus or ZoneAlarm Pro on all PCs on your network. Adjust the settings to strongest security. For personal use, you may use ZoneAlarm, ZoneAlarm Plus or ZoneAlarm Pro on the client machines, but to use the High Internet setting, you must use ZoneAlarm Plus or ZoneAlarm Pro on the gateway machine.
- Install ZoneAlarm Plus or ZoneAlarm Pro on only the ICS gateway machine. If you do this, you will be protected against inbound threats, but your client PCs will not have outbound Trojan protection (application control).
Note: As there are numerous Internet Sharing systems now available, you may need to adapt the text below to your unique software and setup; see your manual or Help files (click Start, then Help) for IP address information, as well as how to find such information for your system. (Search your Help files for WINIPCFG or IPCONFIG.)
To configure for ICS:
- Verify that the DHCP and DNS boxes are checked in ZoneAlarm Plus or ZoneAlarm Pro. To find out how to do this:
  - Open ZoneAlarm Plus or ZoneAlarm Pro and press F1.
  - From the search tab, type "blocking ports" (no quotes).
  - Double-click on "Blocking and Unblocking Ports."
- Make sure that your local subnet has been added to the Trusted zone. To find out how to do this:
  - Open ZoneAlarm Plus or ZoneAlarm Pro and press F1.
  - From the search tab, type "subnet" (no quotes).
  - Double-click on "Adding to the Trusted Zone."
- Configuration steps can be found in the help files as well. To find out how to do this:
  - Open ZoneAlarm Plus or ZoneAlarm Pro and press F1.
  - From the search tab, type "ICS" (no quotes).
  - Double-click on "Internet connection sharing."
As long as you leave the Trusted Zone security level at Medium, your computer will have access.
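For the step "Make sure that your local subnet has been added to the Trusted zone," the address and mask reported by IPCONFIG can be turned into the subnet to enter, as in the following added example (not ZoneAlarm code). The adapter names and addresses are constructed sample output, and treating only RFC 1918 private ranges as the local ICS network is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample of IPCONFIG output from an ICS gateway PC (not from the page).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Internet:

        IP Address. . . . . . . . . . . . : 203.0.113.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1

Ethernet adapter Home LAN:

        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(IP Address|IPv4 Address|Subnet Mask)[ .]*:\s*(\S+)")
# Assumption: the shared (local) network uses RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def adapter_subnets(text):
    """Return {adapter name: IPv4Network} for adapters that have an IP and a mask."""
    fields, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current:
            key = "mask" if m.group(1) == "Subnet Mask" else "ip"
            fields[current][key] = m.group(2).split("(")[0]  # drop "(Preferred)"
    return {name: ipaddress.ip_network(f"{f['ip']}/{f['mask']}", strict=False)
            for name, f in fields.items() if "ip" in f and "mask" in f}

def trusted_zone_candidates(text):
    """Keep only private subnets; the Internet-facing adapter is left out."""
    return {name: net for name, net in adapter_subnets(text).items()
            if any(net.subnet_of(r) for r in RFC1918)}

if __name__ == "__main__":
    for name, net in trusted_zone_candidates(SAMPLE_IPCONFIG).items():
        print(f"{name}: {net.network_address} / {net.netmask}")
```

On the gateway PC both adapters appear in the output; only the private subnet is reported as the one to enter in the Trusted Zone.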
The free product ZoneAlarm does not support Windows Internet Connection Sharing (ICS), and is not recommended on the ICS gateway PC. If you do decide anyway to use free ZoneAlarm on the ICS gateway machine, Internet Zone must be set to the Medium setting (ZoneAlarm on the ICS client machines can have Internet Zone set to High). Note that if the Internet Zone is set to Medium, the PC will not be stealthed, so this is not recommended. On some systems, Generic Host Process (GHP) or SERVICES.EXE may ask for server rights to connect to DNS; if so, add your DNS servers to your Trusted zone only; then give server rights to GHP and SERVICES.EXE for the Trusted zone only. In addition, ZoneAlarm does not have automatic network configuration, so the ICS network must be added to the Trusted Zone manually.
Note that ZoneAlarm products do not support the use of multiple software firewalls, as there is the potential for conflict. This includes third-party software firewalls, as well as the firewall built into Windows XP.
Date Published
September 30, 2003