Configuring Windows Firewall for the IsatPhone


One of the issues with most low-speed and/or expensive internet connections (e.g. sat-phones) is that many computer programs these days like to "phone home" and update themselves whenever they see an open internet connection. You don't want the bill for doing a Windows Update via satellite, and you also don't want a bunch of update programs hijacking your connection every time you try to check mail-- this can slow down a Sailmail connection to the point that it becomes impossible to complete a connection before it times out, at your expense.

This is particularly important for the Inmarsat IsatPhone Pro: its data link is slow, and its internet gateway passes any traffic, so every program that decides to phone home gets through and competes with your Sailmail session. (Iridium does not have this problem to the same degree because their internet gateway blocks most ports.)

The traditional method of dealing with unwanted internet traffic is to turn off all of the automatic update services, and do program updates manually. Besides Windows updates there are also anti-virus updates, Adobe reader, Skype, etc. The problem is that the list can be long, and it is very difficult to find all of them. And for Win-7 there are some core networking services that also like to jump on open connections.

Windows Firewall was reworked for Windows-7 (and Vista) under the catchy name "Windows Firewall with Advanced Security". It still limits incoming connections as before, but it can now also control outgoing connections. Outbound filtering is rarely used because the default action for outbound connections is "Allow", which means the outbound rules normally have no effect at all; but switching that default to "Block" is exactly the right tool for dealing with those pesky auto-updaters.

Win-7 asks you to classify each network connection as Home, Work, or Public (a fourth type, Domain, is assigned automatically when the computer is joined to a business network with a domain controller). The firewall keeps a separate "profile" of what is allowed for each kind of network: Home and Work both use the Private profile, and Public networks use the Public profile. What we want to do is get into the firewall settings for the Public profile (the one meant for untrusted networks) and block all outgoing connections, except for Sailmail connections.

Here are the details. The following guide is written for Win-7 but should also work with Vista.

1. Open Windows Control Panel (Start button, "Control Panel").
2. Select large or small icon view, then open "Windows Firewall".
3. On the left, click on "Advanced Settings". This opens the "Windows Firewall with Advanced Security" window.

Have a look at the overview, in the center. There are three "profiles": Domain profile, used only in corporate networks with domain-controllers; "Private", used for trusted home or work networks; and "Public", which is used for public networks i.e. sat-phones, public wifi, etc. The active profile is shown as "Active".

There are three settings under each profile. By default, for each profile, the firewall is on (green icon), inbound connections that don't match a rule are blocked (red icon), and outbound connections are allowed (green icon). In that default state the outbound rules are never consulted, because everything outbound is allowed anyway. We're going to put those unused outbound rules to work on the Public profile: block outbound by default, and allow only the programs that need to reach Sailmail.

(This page is also where you can reset the firewall to its default policy: "Restore Default Policy" under the "Action" menu.)

4. The next step is to click on "Outbound rules" on the left. These are the outbound rules that Windows ships with (Core Networking, HomeGroup, Remote Assistance and so on), mostly disabled, and none of them matter while outbound connections are allowed by default. So delete them all-- ctrl-A to select all, then click "Delete" on the right (or the Delete key on the keyboard). This will take a few seconds. Two caveats: once outbound is switched to "Block" in step 11, anything without an allow rule is dropped, including the Windows services those rules covered, so if something you need stops working later, "Restore Default Policy" under the "Action" menu brings the rules back. And if you would rather keep them, select them all and choose "Disable Rule" instead of "Delete"; a disabled rule is ignored just like a deleted one, but can be re-enabled one at a time.

5. Now, on the right side, click on "New Rule" and step through the setup wizard:
a. For "Rule Type" select "Program", click Next.
b. Make sure "This program path" is selected, and click "Browse".
c. Select "Computer", "Local Disk (C:)", and "Program Files (x86)"
(or just "Program Files" for 32-bit versions of Win-7),
then select "Airmail3.exe" (or just "Airmail3"),
then click the "Open" button, and then click "Next".
d. On the next page select "Allow the connection", and click "Next".
e. Leave all three boxes checked, to apply to all profiles, and click "Next".
f. Then give your new rule a descriptive name like "Airmail connections to Sailmail",
and click "Finish".
6. Now go back to the "Advanced security" window (if not already there).

If you also want to connect from Viewfax in order to download weather directly from Saildocs, then repeat the steps above under #5 except select "Viewfax" instead of Airmail, and give that rule a different name such as "Viewfax connections to Saildocs".

7. Before leaving the "Outbound Rules" page, check the new entries: The only entry (or two) should be Airmail (and Viewfax), Profile "All", Enabled "Yes", and Action "Allow".
8. Now click the back-arrow button in the upper-left, or "Windows Firewall with Advanced Security" on the left. This gets you back to the overview page.
9. Now click "Windows Firewall Properties" in the center panel, below the profile summaries. This opens a new window, with four tabs.
10. Click on the "Public Profile" tab. "Firewall state" should be "On" and "Inbound connections" should be "Block (default)".
11. Change the "Outbound Connections" setting to "Block", then click OK.

Now check the overview page: Under "Public Profile" Windows Firewall should be on (green), followed by two red icons-- inbound connections blocked and outbound connections blocked.

You are done, close that window. If you are currently connected to a network that you designated as "public" (wifi, etc) you will find that almost nothing works-- web browsers, email, etc. But Airmail will connect to Sailmail, and you can download weather with Viewfax-- just what you want if you are using a satellite connection.

The simplest way to allow unrestricted outbound connections for normal internet or WiFi connections is to designate them as "Home" or "Work" networks-- both use the Private profile, and the outbound block only applies to the Public profile. To change this, go back to "Network and sharing center" and click on "Public network" in the center of the window, under the network name. Since the Private profile lets more inbound traffic through than Public, also click on "Change advanced sharing options" and turn off network discovery, and file and printer sharing.

Alternatively, leave the network type set to "Public" and change the settings for the Public profile: Go back to Windows Firewall, Advanced Settings (steps 1-3 above). Then click "Windows Firewall Properties", select the "Public Profile" tab, and change "Outbound connections" back to "Allow (default)" rather than "Block", per steps 9-11 above.
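The same lockdown (steps 4 through 11), the check from step 7, and the two ways of undoing it from the last two paragraphs can also be done from the command line with "netsh advfirewall", which is the command-line face of Windows Firewall with Advanced Security on Win-7 and Vista. This is an added example, not part of the original Sailmail instructions. The install paths for Airmail3.exe and Viewfax.exe are assumptions (the page only says they are under Program Files), as is the location of the backup file; check the paths against the Browse dialog in step 5c. Run it in a PowerShell window opened with "Run as administrator".

```powershell
# Added example: Public-profile outbound lockdown for Sailmail via netsh advfirewall.
# Not from the Sailmail page; run from an elevated (Run as administrator) PowerShell.

# ASSUMED paths -- adjust to where the Browse dialog in step 5c finds the programs.
$AirmailPath = "C:\Program Files (x86)\Airmail\Airmail3.exe"
$ViewfaxPath = "C:\Program Files (x86)\Airmail\Viewfax.exe"
# ASSUMED backup location; "netsh advfirewall import" restores it later.
$Backup      = "$env:USERPROFILE\Desktop\firewall-before-sailmail.wfw"

# Refuse to continue with a wrong path: a program rule for a file that does
# not exist would silently allow nothing, and Airmail would be blocked.
foreach ($p in $AirmailPath, $ViewfaxPath) {
    if (-not (Test-Path $p)) { throw "Not found: $p  (fix the path at the top of the script)" }
}

# 0. Save the complete current policy before changing anything.
netsh advfirewall export "$Backup"

# 4. Remove every existing outbound rule (the GUI's ctrl-A, Delete).
#    They are never consulted while outbound is allowed by default anyway.
netsh advfirewall firewall delete rule name=all dir=out

# 5. Allow outbound connections from the two programs, on all profiles
#    (the wizard's "all three boxes checked").
netsh advfirewall firewall add rule name="Airmail connections to Sailmail" dir=out action=allow program="$AirmailPath" enable=yes profile=any
netsh advfirewall firewall add rule name="Viewfax connections to Saildocs" dir=out action=allow program="$ViewfaxPath" enable=yes profile=any

# 9-11. Public profile: firewall on, inbound blocked, outbound blocked.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

# Extra: record dropped packets for the Public profile, so a program that
# unexpectedly stops working can be identified from the log instead of guessed.
netsh advfirewall set publicprofile logging droppedconnections enable

# 7 and the overview check: only the two Allow rules should be listed, and the
# Public profile should show BlockInbound,BlockOutbound.
netsh advfirewall firewall show rule name=all dir=out
netsh advfirewall show publicprofile

# To undo only the outbound block (leave the two rules in place):
#   netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
# To put everything back exactly as it was before this script ran:
#   netsh advfirewall import "$Backup"
```

With dropped-packet logging on, anything the Public profile refuses shows up as DROP lines, with destination address and port, in %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default log location); that is the quickest way to find out which updater or Windows service was trying to use the satellite link, or why a program you expected to work is not connecting.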

Happy connecting, Jim
sysop@sailmail.com
2011-11-03