Internet Connection Sharing in Windows CE
Summary: This article discusses Internet Connection Sharing (ICS) in Windows CE, which allows multiple computers and other network-ready appliances to share a single Internet connection. ICS consists of the Dynamic Host Configuration Protocol (DHCP) allocator, the Domain Name System (DNS) proxy, Network Address Translation (NAT), and AutoDial. ICS components can be customized to precisely meet the specifications for a particular unit. (11 printed pages)
What Is ICS?
Network Address Translation
Port Address Translation
Naming Service Devices
Creating an Internal Exposed Host
Configuration Web Page
Internet Connection Sharing (ICS) in Windows CE allows multiple computers and other network ready appliances to share a single Internet connection. Service devices (such as printers, scanners, and Web servers) can be shared as well. ICS consists of the Dynamic Host Configuration Protocol (DHCP) allocator, the Domain Name System (DNS) proxy, Network Address Translation (NAT), and AutoDial. Consistent with the modular approach to building a device operating system, the ICS components can be customized to precisely meet the specifications for a particular unit.
Windows CE ICS technology provides homes and small businesses with multiple computers the ability to share a single Internet connection. In addition to computers, ICS provides consumer appliances such as web phones, smart TVs, and set-top boxes with access to the Internet through the internal network. Another benefit of connectivity is the ability to share computing devices like printers, scanners, and Web servers.
In a family with multiple computers and other Internet devices, ICS in Windows CE allows one person to surf the Web, another to play a game online, and a third to connect to a corporate network. The fast growing small office/home office market is ideal for the ICS because it allows multiple computers to share resources, such as printers and scanners, in addition to Internet access.
A device that runs on Microsoft Windows CE acts as a gateway between the Internet and the internal network. The device may be a dedicated gateway box whose main function is to provide ICS or a multi-purpose device, such as a digital set-top box connected to a telephone line, with additional features like ICS. The following illustration shows the relationship between the internal network, the gateway device, and the Internet.
ICS provides the following capabilities:
- Internet access for multiple users through a single connection, either through dial-up networking or a high-speed Ethernet.
- Dynamic Internet Protocol (IP) for connected devices using the DHCP allocator.
- Automatic name resolution using the DNS proxy.
- Seamless connectivity with any IP-attached device, including legacy Windows and non-Windows clients.
- Connected devices have comprehensive support for Internet protocols, such as Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Internet Control Message Protocol (ICMP), File Transfer Protocol (FTP), and Point-to-Point Tunneling Protocol (PPTP). For other protocols that do not work natively through NAT, editor plug-ins can also be added to provide additional support.
- Configuration options for supporting servers on the private network.
- On-demand dial-up Internet connections.
Windows CE ICS offers OEMs a rich set of services to build smart and innovative devices for today's Internet market. Customized platform development allows OEMs to build systems that are flexible and integrate seamlessly with Windows and the Internet, thereby providing comprehensive access to applications and Internet services. Developers can also use the familiar Win32 programming environment and development tools.
The core technologies of ICS are the DHCP allocator, the DNS proxy service, NAT, and AutoDial. A sample configuration Web page utility is also provided. Configurable registry keys within each module allow further customization. Manufacturers can choose the modules that precisely meet the requirements of their target device, avoiding the overhead of unnecessary functionality.
The DHCP allocator is a subset of a DHCP server that automatically assigns IP addresses to client devices on the internal network. For a device or computer to participate in TCP/IP activities, whether a computer is talking to another computer on the internal network or sending a file to a printer, the client device must have a unique IP address. This IP address is assigned to the device in Windows CE in three ways.
- The DHCP allocator can be used to assign an IP address dynamically during a session.
- The device can be configured manually using registry keys. A user interface or a configuration Web page may be used to accomplish this.
- Windows CE can automatically assign itself an address from a reserved pool of IP addresses, which is known as Automatic IP. This method is not recommended because some ICS features require a static IP address for the gateway device.
The most common method uses the DHCP allocator. When the gateway boots, it sends out a discover packet to determine if a DHCP server is present. If there is not one present, which is typically the case in a small office or home office, it starts its DHCP allocator service to the internal network. However, the gateway continues to monitor the internal network to detect the presence of a DHCP server and turns its allocator service off when a server becomes available.
The allocator monitors User Datagram Protocol (UDP) port 67 for address assignment requests from internal network clients. A request triggers the allocator to generate an IP address using its own statically assigned IP address and subnet as seeds. Each assignment carries the allocator's address as both the default gateway and the DNS server.
The allocator defends each address on the network before making an assignment to avoid conflicts. To avoid conflicts when devices are turned off, an address assignment expires if the device fails to renew it before the lease time, the period during which the assignment is valid, runs out.
The following settings are configurable using registry keys:
- Lease time—specifies the length of time that the allocator keeps the address assignment
- Address table expiration—allows permanent address assignment
- Address table—stores address assignments
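The allocator behaviour described above (seeding from the gateway's own address and subnet, defending each address before assignment, returning the allocator as gateway and DNS server, and expiring unrenewed leases), as an added example. This is not Windows CE code; the names lease_time, permanent and table stand in for the "Lease time", "Address table expiration" and "Address table" settings and are assumptions of this example, as is the probe callback used for address defense.

```python
import ipaddress
import time

# Added example, not Windows CE code: a minimal allocator in the style the
# article describes. It seeds its pool from the gateway's own static address
# and subnet, "defends" each candidate address with a probe before assigning
# it, hands out the allocator's address as both router and DNS server, and
# expires leases that are not renewed. lease_time, permanent and table are
# stand-ins for the article's registry settings, not real key names.


class DhcpAllocator:
    def __init__(self, gateway_ip, subnet, lease_time, probe,
                 permanent=(), now=time.time):
        self.gateway = ipaddress.IPv4Address(gateway_ip)
        self.network = ipaddress.IPv4Network(subnet, strict=False)
        self.lease_time = lease_time        # seconds a lease stays valid
        self.probe = probe                  # probe(ip) -> True if something already answers
        self.permanent = set(permanent)     # client MACs whose leases never expire
        self.now = now                      # injectable clock (for tests)
        self.table = {}                     # ip -> (mac, expiry or None)

    def _expire(self):
        """Drop leases whose holders failed to renew in time."""
        t = self.now()
        for ip, (_, expiry) in list(self.table.items()):
            if expiry is not None and expiry <= t:
                del self.table[ip]

    def _expiry_for(self, mac):
        return None if mac in self.permanent else self.now() + self.lease_time

    def request(self, mac):
        """Answer a request from client `mac` with an offer, or None if the pool is empty."""
        self._expire()
        # A client that already holds a lease is renewed rather than moved.
        for ip, (holder, _) in self.table.items():
            if holder == mac:
                self.table[ip] = (mac, self._expiry_for(mac))
                return self._offer(ip)
        for candidate in self.network.hosts():
            ip = str(candidate)
            if candidate == self.gateway or ip in self.table:
                continue
            if self.probe(ip):
                # Address defense: something already answers here, so skip it
                # rather than create a duplicate-address conflict.
                continue
            self.table[ip] = (mac, self._expiry_for(mac))
            return self._offer(ip)
        return None

    def _offer(self, ip):
        # Every assignment names the allocator as default gateway and DNS server.
        return {"yiaddr": ip, "router": str(self.gateway),
                "dns": str(self.gateway), "lease": self.lease_time}


if __name__ == "__main__":
    in_use = {"192.168.0.2"}                  # constructed: a statically addressed printer
    alloc = DhcpAllocator("192.168.0.1", "192.168.0.0/24", 3600,
                          probe=lambda ip: ip in in_use)
    print(alloc.request("aa:bb:cc:00:00:01"))  # skips .2 and offers .3
```

In a real allocator the probe is an ARP request (or ICMP echo) for the candidate address, and the lease and table would be read from and written back to the registry; here both are in-memory so the logic can be exercised offline.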
The DHCP allocator is only suitable when all the devices on the internal network have broadcast access to the gateway. When the network configuration has multiple routed segments, the DHCP allocator cannot access some machines; therefore a true DHCP server is required.
A DHCP server automates name resolution in Windows CE by supplying the address of a DNS server to network clients. Because a typical home network does not have a DHCP server, the gateway device acts as the DNS server while there is no Internet connection. In most cases, the address of the Internet or corporate DNS server is not known until there is a connection. In this case, AutoDial can be used to automatically establish a connection. Once the connection is established, the gateway forwards all name resolution requests to the appropriate DNS server. In case of DNS resolution failure, the proxy tries the next DNS server in the configuration.
When a DNS server exists on the internal network, the DNS proxy is still useful. Usually the existing DNS server is configured to forward Internet name resolution requests to a DNS server with a static Internet address. This fails when the DNS server changes address. The existing DNS server can be configured to forward all name resolution requests to the DNS proxy, which handles the task dynamically. If the proxy does not find the IP address of the specified DNS server requested by the client, it tries the next server in the configuration.
The following settings are configurable using registry keys:
- Enable—turns the DNS proxy on or off
- Private interface—provides a list of private interfaces and allows the DNS proxy to be turned on or off for each interface
- Public interface—provides a list of public interfaces for DNS requests and NAT outgoing packets
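The DNS proxy rules described above (serve only enabled private interfaces, answer internal names locally, use AutoDial to learn the upstream servers when none are known, and fall through to the next configured server on failure), as an added example that is not the Windows CE DNS proxy. The constructor arguments private_ifaces, names, query, upstream and autodial, and the outcome labels returned by handle(), are assumptions of this example.

```python
# Added example, not the Windows CE DNS proxy: a simulation of the forwarding
# rules the article describes. The proxy answers only on private interfaces
# where it is enabled, resolves internal device names from its own table,
# uses an AutoDial callback to learn the ISP's DNS servers when none are
# known yet, and walks the configured server list until one answers.
# private_ifaces, names, query, upstream and autodial are assumptions here.


class DnsProxy:
    def __init__(self, private_ifaces, names, query, upstream=(), autodial=None):
        self.private_ifaces = dict(private_ifaces)   # iface -> enabled? ("Private interface" setting)
        self.names = dict(names)                     # internal device name -> IP
        self.query = query                           # query(server_ip, name) -> IP; raises OSError on failure
        self.upstream = list(upstream)               # ordered upstream DNS servers
        self.autodial = autodial                     # callable returning the servers learned on connect

    def handle(self, iface, name):
        """Return (outcome, answer) for a query that arrived on interface `iface`."""
        # Only enabled private interfaces are served; queries from the public
        # side are refused so the gateway cannot be used as an open resolver.
        if not self.private_ifaces.get(iface, False):
            return ("refused", None)
        if name in self.names:
            return ("local", self.names[name])
        if not self.upstream and self.autodial is not None:
            # The ISP's DNS address is not known until a connection exists.
            self.upstream = list(self.autodial())
        for server in self.upstream:
            try:
                return ("forwarded", self.query(server, name))
            except OSError:
                continue                             # try the next configured server
        return ("servfail", None)


if __name__ == "__main__":
    # Constructed upstream: the first server never answers, the second does.
    def demo_query(server, name):
        if server == "198.51.100.1":
            raise OSError("timeout")
        return "203.0.113.10"

    proxy = DnsProxy({"lan0": True}, {"printer": "192.168.0.20"}, demo_query,
                     autodial=lambda: ["198.51.100.1", "198.51.100.2"])
    print(proxy.handle("lan0", "printer"), proxy.handle("lan0", "example.com"))
```

The query callback stands in for an actual UDP exchange with the upstream server; a timeout or unreachable network is modelled as OSError, which is what triggers the move to the next server.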
Windows CE ICS uses NAT technology to route TCP/IP packets between the internal network and the Internet. To the public network, only the IP address of the gateway device is known; therefore all incoming and outgoing packets must use this address. NAT allows the gateway device to provide all the internal network devices with access to the Internet while maintaining a single IP address by performing port address translation.
Additionally, the following NAT features enhance the ICS versatility:
- A NAT editor allows the gateway to monitor and potentially modify packets for protocols that do not work through the NAT natively.
- Static port mappings may be created to expose certain services (such as HTTP and FTP servers) on the internal network.
- A single exposed host on the internal network may be configured to bypass address translation and to accept all unrecognized traffic. This is useful for certain applications that do not work through the NAT and that do not have an editor.
- Packet filtering provides a layer of security by preventing unsolicited traffic from passing to local applications and servers running on the gateway.
All internal network devices and computers communicate with the public network (the Internet or the corporate network) through the gateway. The public network is only aware of the one public IP address; therefore, all outbound communications use the gateway's IP address. For each outbound session originating from a client computer, the ICS gateway associates a unique TCP/UDP port number with the source IP address. The source IP address and port number are stored in a mapping table that is used to keep track of all incoming and outgoing packets.
For example, when a computer on the internal network generates a request to a Web site on the Internet at port 80, the gateway stores the source IP address of the client computer and the port number in the mapping table. The gateway replaces the source address with its own, associates a new session port number, stores the information in the mapping table, and forwards the new packet to the Web site. After the Web site responds, the gateway receives a packet containing destination and source information. Then the gateway translates the packet information by using the mapping table and sends the packet to the appropriate client device, which originated the request.
NAT mappings expire after a certain period of time if not used. The default expiration time is 24 hours for TCP connections and 1 minute for UDP mappings. Both of these expiration times are configurable through the registry.
Certain applications embed network address or port information in the data stream. Examples of protocols that have these characteristics include FTP, PPTP, chat, and some multiplayer Internet games. ICS provides NAT editor application programming interfaces (APIs) that can monitor network traffic for certain types of configuration packets, thus allowing a transparent connection between a client computer and the public network.
For example, a multiplayer game sends a TCP configuration packet to a game server address and sends requests for permission to join the game. In the data portion of the packet, the client includes the ports that will be monitored for the return connection. The game server, in turn, receives the configuration and initiates new TCP sessions with the clients on the ports specified. Because the gateway is not aware of the configuration information specified in the data portion of the request, the additional ports are not included in the mapping table. Without a port mapping, the server on the Internet cannot find the waiting computer on the other side of the gateway. By providing a NAT editor, these new ports can be detected in the data stream and the gateway configured appropriately to support the game.
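What a NAT editor has to do for a protocol that announces addresses and ports in its data stream, as an added example that is not the Windows CE NAT editor API. Active-mode FTP is used because its PORT command is a well-documented case: the client announces its private address and a listening port, which the public server could never reach. The editor rewrites the announcement to the gateway's public address and a reserved gateway port and returns the inbound mapping the gateway must install so the server's data connection reaches the client. The class and method names, public_ip, first_port and the return format are assumptions of this example.

```python
import re

# Added example, not the Windows CE NAT editor API: the payload rewrite and
# mapping creation a NAT editor performs for active-mode FTP. The client's
# "PORT h1,h2,h3,h4,p1,p2" line carries its private IP and port; the editor
# substitutes the gateway's public IP and a reserved gateway port and hands
# back the mapping the NAT table needs for the server's return connection.

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpPortEditor:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port          # next reserved port on the gateway

    def edit_outbound(self, payload):
        """Inspect one outbound FTP control-channel line.

        Returns (payload_to_forward, mapping). mapping is None when the line is
        not a valid PORT command; otherwise it is
        ("tcp", gateway_port, client_ip, client_port) and must be installed in
        the mapping table before the rewritten line is forwarded.
        """
        m = PORT_RE.match(payload)
        if not m:
            return payload, None
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return payload, None             # malformed octet: leave the line alone
        client_ip = ".".join(str(f) for f in fields[:4])
        client_port = fields[4] * 256 + fields[5]
        gw_port = self.next_port
        self.next_port += 1
        h1, h2, h3, h4 = self.public_ip.split(".")
        rewritten = "PORT %s,%s,%s,%s,%d,%d\r\n" % (
            h1, h2, h3, h4, gw_port // 256, gw_port % 256)
        return rewritten.encode("ascii"), ("tcp", gw_port, client_ip, client_port)


if __name__ == "__main__":
    editor = FtpPortEditor("203.0.113.7")
    # Constructed client line: private host 192.168.0.3 listening on port 1025.
    print(editor.edit_outbound(b"PORT 192,168,0,3,4,1\r\n"))
```

Because the rewritten line is usually a different length from the original, a real editor on a TCP stream must also adjust sequence and acknowledgment numbers for the rest of the control connection; this example shows only the payload rewrite and the mapping it produces.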
Windows CE ICS provides the capability to name devices on the internal network (such as printers, scanners, and Web servers) that offer specific services. Computers on the internal network and the public network access these services through the gateway.
For the gateway to direct service requests to a specified device on the internal network, incoming session requests must contain configuration information to find the server. Server mappings contain such information, which is defined through the registry.
The following settings are configurable using registry keys:
- Internal name—names the server on the internal network
- Internal port—stores the port number of the server
- Enable—turns the service on or off
- Port—stores the reserved port number on the gateway device and is usually the same as the internal port number
- Protocol—identifies the service protocol for the device
ICS also uses registry keys to keep track of mappings between internal device names and IP addresses. With each IP address, the configurable elements are the following:
- Device name—names the device associated with a particular IP address
- Expiration—specifies the time period in which the IP address is valid
Occasionally, a computer on the internal network requires direct access to the public network. Granting this access is accomplished by designating an internally exposed host, effectively bypassing address translation. This capability is important for handling new and unknown scenarios, as well as for allowing some multiplayer games without a NAT editor.
Because the internal exposed host receives all unknown traffic and any unsolicited packets from the public network, use this setting with caution: it removes the layer of security that NAT provides for the exposed host.
Every incoming packet destined for devices on the internal network passes through the gateway for address translation, unless destined for an internal exposed host. The gateway consults the mapping table to determine the destination device. If a mapping does not exist, the packet is not delivered to the private network. This way, the NAT provides minimal filtering capability, which helps protect the network from hackers who try to scan systems or connect to system resources, while providing internal network clients with a rich browsing, collaboration, and game-playing experience.
The Packet Filtering feature of ICS extends the same protection to applications or servers running locally on the gateway. By enabling this feature, packets that do not match an existing NAT mapping are discarded immediately, even if local applications would otherwise process them. This prevents the gateway itself from being attacked.
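The port address translation, server mapping, exposed host and packet filtering behaviour described in the sections above, as one added example that is not Windows CE code. It models the mapping table: each outbound session gets a unique gateway port, an inbound packet is delivered only through a matching dynamic mapping or a configured server mapping, an internal exposed host (if configured) receives whatever is unrecognized, and packet filtering decides whether unmapped packets may reach services on the gateway itself. The 24-hour TCP and 1-minute UDP expirations are the article's defaults; the class and method names, the order in which rules are checked, and the requirement that an inbound packet come from the peer the client contacted are assumptions of this example.

```python
import time

# Added example, not Windows CE code: a NAT/PAT mapping table modelling the
# article's description. Outbound sessions get a unique gateway port; inbound
# packets are delivered only through a matching dynamic mapping or a server
# mapping; an optional internal exposed host receives the rest; packet
# filtering decides whether unmapped packets may reach gateway-local services.
# Rule order (dynamic, static, exposed host, local) is an assumption here.


class NatGateway:
    TCP_TTL = 24 * 3600     # default TCP mapping expiration from the article
    UDP_TTL = 60            # default UDP mapping expiration from the article

    def __init__(self, public_ip, first_port=1024, exposed_host=None,
                 packet_filtering=True, now=time.time):
        self.public_ip = public_ip
        self.next_port = first_port
        self.exposed_host = exposed_host          # internal IP, or None
        self.packet_filtering = packet_filtering  # protect gateway-local applications
        self.now = now                            # injectable clock (for tests)
        self.dynamic = {}    # (proto, gw_port) -> {"src": (ip, port), "dst": (ip, port), "expires": t}
        self.static = {}     # server mappings: (proto, gw_port) -> (internal_ip, internal_port)
        self.local_ports = set()  # ports of services running on the gateway itself

    def add_server_mapping(self, proto, port, internal_ip, internal_port, enable=True):
        """Expose an internal server (the Port / Internal port / Enable settings)."""
        if enable:
            self.static[(proto, port)] = (internal_ip, internal_port)
        else:
            self.static.pop((proto, port), None)

    def _ttl(self, proto):
        return self.TCP_TTL if proto == "tcp" else self.UDP_TTL

    def _expire(self):
        t = self.now()
        for key in [k for k, m in self.dynamic.items() if m["expires"] <= t]:
            del self.dynamic[key]

    def _alloc_port(self, proto):
        # Choose a gateway port not used by any mapping or local service.
        while ((proto, self.next_port) in self.dynamic
               or (proto, self.next_port) in self.static
               or self.next_port in self.local_ports):
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; return the rewritten header."""
        self._expire()
        key = None
        for k, m in self.dynamic.items():
            if k[0] == proto and m["src"] == (src_ip, src_port) and m["dst"] == (dst_ip, dst_port):
                key = k
                break
        if key is None:
            key = (proto, self._alloc_port(proto))
            self.dynamic[key] = {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "expires": 0}
        self.dynamic[key]["expires"] = self.now() + self._ttl(proto)
        # The client's source address and port are replaced by the gateway's own.
        return (self.public_ip, key[1], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Decide what happens to a packet arriving on the public interface."""
        self._expire()
        m = self.dynamic.get((proto, dst_port))
        if m is not None and m["dst"] == (src_ip, src_port):
            # Only the peer the client actually contacted may use the mapping.
            m["expires"] = self.now() + self._ttl(proto)
            return ("forward", m["src"])
        if (proto, dst_port) in self.static:
            return ("forward", self.static[(proto, dst_port)])
        if self.exposed_host is not None:
            # Unrecognized traffic bypasses translation and goes to the exposed host.
            return ("forward", (self.exposed_host, dst_port))
        if dst_port in self.local_ports and not self.packet_filtering:
            return ("local", (self.public_ip, dst_port))
        # No mapping: with packet filtering on, even gateway-local services never see it.
        return ("drop", None)
```

Matching an inbound packet on both the gateway port and the remote peer (rather than the port alone) is stricter than the article requires, but it is the choice a defender would make: an unrelated host that guesses a live gateway port still cannot reach the client behind it.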
Most Internet applications use the AutoDial feature to make a connection when a high-speed/broadband connection is not available. When an application on the internal network generates a network request, AutoDial attempts to connect to an Internet service provider (ISP) through a modem by dialing a preset list of telephone numbers without user input.
The following settings are configurable using registry keys:
- Enable—turns the feature on or off
- Wait time—specifies the amount of time before attempting to retry
- Idle timeout—specifies the amount of time before the device drops the connection when there is no activity
- Name1, Name2, Name3—identify the names of the Remote Access Service (RAS) connections to dial when attempting to establish an AutoDial connection
Note: Unlike Windows NT®, Windows CE supports only one AutoDial connection at a time.
ICS offers many features that are useful to different Internet ready devices and appliances. To take advantage of ICS versatility, these devices often need a user interface to allow customization. One approach for devices with a graphical user interface uses a control panel application to modify registry keys. Another approach uses a factory-set configuration, which does not allow user customization.
As a more adaptable solution, Windows CE includes a sample configuration Web page that shows original equipment manufacturers (OEMs) how to create a custom administration Web page. The setup requires a browser on a remote host and a factory-set IP address for the gateway device, but it does not require a display on the device itself. The administration Web page is useful for gateway and set-top boxes because these do not have display capability.
ICS is used in devices that connect to the Internet or a corporate network on one side and to one or more computers or appliances on the other side. As an intelligent gateway, the ICS device manages all network traffic, giving multiple devices access to the Internet through a single connection.
Digital set-top boxes with a cable connection. Adding ICS functionality to a set-top box with a fast Internet cable connection is a very useful scenario. In addition to providing the home with a rich digital and interactive Internet experience, the set-top box becomes a gateway sharing the Internet with everyone.
Set-top boxes with a dial-up connection. Many set-top boxes today include modems and phone line connections. The next logical step to having a dial-up connection and a hard drive is to connect to the Internet. As a software enhancement to the set-top box, ICS complements the television's entertainment features with the Internet's rich browsing and collaborative activities.
Standalone gateway boxes. As multiple computers in the home become commonplace, coupled with the proliferation of intelligent appliances that participate in the Internet (such as Web phones and Pocket PCs), the demand will continue to increase for gateway devices whose main function is to provide Internet sharing. Seamless interoperability with Windows clients and applications is a big plus for small office and home office users.
For more information about Windows CE and Windows CE–based devices, see http://www.microsoft.com/WindowsCE.
For more information about home networking, see http://www.microsoft.com/HOMENET.