Iridium, Windows 10 and Firewalls

Introduction
After I upgraded my laptop from Windows 7 to Windows 10, I had all sorts of problems with our Iridium Sat Phone.  These notes are for me to be able to remember what I did to get it working...

 

Summary
The Iridium driver that Windows 10 installs doesn't work and crashes; you have to download a new driver from Iridium.  Windows 10 has many background programs and applications that constantly try to access the internet.  This uses far too much of your satellite bandwidth, so you have to configure Windows Firewall.  Basically, you keep two sets of firewall rules saved as files and load one or the other into the firewall depending on whether you are using Wi-fi or the satellite phone.  This article has lots of background detail.

 

Configuration
We have an Iridium 9555 sat phone connected via a USB cable to a Dell laptop with Windows 10.  We use Outlook 2010 for our email client.

There is a separate article about Configuring Outlook and a Sat Phone.

 

Iridium Driver
The first problem was that the Iridium driver which Windows 10 installs automatically caused a fatal error in Windows, which needed a reboot.  I found a reference on the SailMail.com website which gave a link to a new driver (http://siriuscyber.net/sailmail/Iridium Handset USB Driver Installer 6.3.9600.9520.exe).  This seems to work and since installing it I have had no crashes.  Note that this is an executable fetched over plain http from a third-party site, so before running it check that it carries a valid digital signature (file Properties, Digital Signatures tab, or Get-AuthenticodeSignature in PowerShell) rather than trusting the download on its own.

 

Firewall Problems
I use the data compression service from MailaSail (£120/year). They provide a utility (called Teleport-It) which compresses the emails both ways and also used to provide a "firewall" function in Windows 7 that controlled the satellite data connection, so that only email and Internet access was allowed.

Unfortunately, Windows 10 operates in a different way: it is designed to expect a broadband connection and to be constantly connected to the internet.  This means that many of the programs (or Apps, to be trendy) are constantly looking for a network connection and then connect without you knowing.  Windows itself sends out requests to the internet for loads of things like the current time, updates and app data.  This is obviously bad news for a very small satellite network connection and can completely swamp the bandwidth, so that you are not able to receive emails.

Mailasail have not been able to control Windows 10 with their Teleport-It utility and have basically given up on a software solution.  They want you to buy a hardware firewall for £500.  I would rather stick pins in my eyes than pay £500, so I investigated software solutions.

 

Windows Firewall
I looked at various firewalls and discovered that the built-in Windows Firewall is rated as very powerful.  (Mailasail's Teleport-IT "firewall" actually just runs a script that amends the Windows Firewall rules.)  

The standard "Firewall with Advanced Security" is the main interface, but it's a little scary, so I invested $10US to buy the "advanced" version of "Windows Firewall Control" (WFC). This is just an interface over the top of Windows Firewall, but much easier to use and understand. (It's available from http://www.binisoft.org/wfc.php )

 

Understanding the emailing Process
The system basically works as follows:

1.  Outlook sends an email to localhost (127.0.0.1) on port 25.

2.  The Teleport-It application is a proxy email server running in the background.  It picks up the email and sends it to the Mailasail server at xpm1.nippynetworks.com (91.220.24.70) on port 9025.

3.  The Teleport-It proxy then checks for incoming mail on the Mailasail server at xpm1.nippynetworks.com (91.220.24.70) on port 9110.  (If you're using IMAP instead of POP3 then it also uses port 9143.)

4.  The incoming mail is passed on to Outlook.

 

Solutions
The basic requirement is to block every bit of network traffic going out, but allow the Mailasail Teleport-it application... 

There are four ways of achieving this:

1.  App Blocking.  Keep the hundreds of Windows Firewall rules and then systematically block unwanted network requests.  This is the approach I took at first.  It's very laborious, but it helps you understand what's going on and nearly achieves the objective, although some traffic will still get through your connection, such as DNS requests (port 53), which are small but can be many.  I was able to send and receive emails with acceptable download times (30-45 seconds to send the request email and about 60 seconds to receive an 18K GRIB file).  I could also easily switch to Wi-fi network mode.

2.  Block Everything.  This involves deleting all of the Windows Firewall rules and then adding two rules to allow Teleport-It through the firewall.  You then set Windows Firewall Control to "Medium Filtering" mode (outbound connections that don't match a rule are blocked) and it will block everything apart from Teleport-It.   This approach works very well, but lots of your internet-dependent apps, and Windows itself, will not be able to connect to the internet when you get back to having a proper Wi-fi signal, until you restore the normal rules.

3.  Install another firewall and configure that to block everything apart from Teleport-It.  You can then enable the other firewall when using the sat phone and disable it when using Wi-fi.  (I haven't tried this approach and there may be problems with conflicts.)

4.  Pay £500 for a hardware dongle that will do it all for you.

 

My Preferred Solution

Block Everything.

To use this method, I back up my "Normal" Windows rules to a file and then restore a new set of Windows rules containing only the two rules.  I then put Windows Firewall Control into "Medium Filtering" mode.  When I want to go back to Wi-fi mode, I restore the original rules.  It sounds like a chore, but normally I use either Wi-fi or the satellite for days (or weeks) at a time, so it's not that much of a hassle.

The following notes cover the utilities to be able to manage the Windows Firewall and create the Sat Phone Rules. 

If you can't be bothered, you could download my SatPhone Rules file and follow the procedure in Sending and Receiving Emails in Windows 10.  (If your Teleport-It is in a different folder to mine then you will have to amend the program path in both rules.)

 

Windows Firewall Control (WFC)
This is just an interface over the top of Windows Firewall, but much easier to use and understand, than the standard Windows "Firewall with Advanced Security".

There is a help file containing a reasonable manual obtained by clicking on the User Manual button at the top right hand corner of WFC.  The following are my notes.


Normally you want it set to Medium Filtering (outbound connections that don't match an allow rule are blocked), but if something stops working you can drop to Low Filtering to get it working again.


This allows you to switch on notifications which will pop up whenever Windows Firewall blocks something trying to gain access to the Network, but hasn't been Allowed yet.


Not much in here.  Set to Start Automatically at User Login.  The Shell Integration might be handy as well.


Set the Rules options so that outbound rules are created for all locations (profiles).  There is a way of restricting a rule to dial-up connections only, but that is buried in the Properties dialog for each rule and is too cumbersome to use.

This is where you BACKUP and RESTORE the firewall rules.

If you get into a mess, then you have two choices (do one or both):

1.  Restoring the Windows Firewall default set of rules will overwrite all of the existing firewall rules. The default set includes the firewall rules that are created when the operating system is installed.

2.  Windows Firewall Control recommended rules is a minimal set of firewall rules which can be used with Windows Firewall while the following functionalities are still available: 

  • Web browsing. An allow rule for the web browser is still required. 
  • Network discovery (discover other computers) 
  • Network printing 
  • Windows time synchronization 
  • Windows updates 

Note that this minimal set of rules contain only a few outbound rules and when only these rules are used, some of the features of the operating system may not work unless other required rules are added. This is a minimal set of firewall rules that can be used as a starting point.

 


The Secure Rules process either disables or deletes rules that are not part of the Authorised Groups.  It then prevents applications from adding new rules in the background.

BACK UP YOUR RULES BEFORE USING THIS FUNCTION


Various useful tools


Turn off "Automatic Check for Updates" - you also need a rule to block the app using the network connection... 

The free version doesn't let you use the Notifications function which is very useful. It's only $10US for a life time license.

 

Windows Firewall Control - Rules Manager
This is accessed by the button at the far left bottom corner and displays a separate window.  It displays a list of the Firewall rules, allowing you to edit, Add or delete rules.


This screen shows a list of the Firewall rules colour coded - Red for Block, Green for Allow and Grey for disabled.


 

If you double click on a Rule the Properties dialogue box is displayed.  There are lots of properties. The first third are pretty self explanatory.  It's best to take the time to give the rule a good name because there are hundreds.  When adding a Rule, I always type in my own name for the Group so that I can easily find the rules that I've created.  (The default group for a new Rule is "Windows Firewall Control".)


 

This is where you set up the IP address and Port number(s)


This final section is where you define whether the Rule is outbound or Inbound and whether you want to Allow or Block the Program 

 

Monitoring Tools
Armed with the ability to block and allow programs to access the network connection, I now needed tools to monitor what applications were trying to access the Internet, so that I could block them...

1.  "WireShark" is, no doubt, among the best network monitoring tools available. It's free and allows you to analyse your network's communications in as much detail as you want. Unfortunately, it's for tech-heads and is terrifying to use.

2.  The "Windows Resource Monitor" shows which applications have "Network Activity" or a "TCP connection", which basically gives an indication of the apps that you may want to block.

3.  The easiest tool to use is Windows Firewall Control itself because it has a logging facility that shows all incoming and out-going network requests, it's cunningly called "Connections Log".
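Two native alternatives to the tools above, as an added example (this is not code from the original article, from Mailasail or from Binisoft): Get-ChattyProcess lists the live TCP connections that leave the machine together with the program that owns them, which is what Resource Monitor shows but in a form you can sort and save; Enable-FirewallDropLog switches on the built-in firewall's drop log and Get-DroppedEndpoint summarises it, which is the nearest thing Windows has to the WFC Connections Log. Assumptions: the log path is the Windows default, and the sample log lines at the bottom are constructed for an offline run (203.0.113.10 is a documentation address, not a real server).

```powershell
# Added example, not from the original article. Run in an elevated PowerShell prompt.

function Get-ChattyProcess {
    # Live TCP connections that leave the machine, grouped by owning process.
    # Loopback connections (Outlook <-> Teleport-It on 127.0.0.1:25) are left out.
    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
                Path    = if ($p) { $p.Path } else { $null }
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
            }
        } | Sort-Object Process, Remote
}

function Enable-FirewallDropLog {
    # Make the built-in firewall write every dropped packet to its log, on all profiles.
    # Assumption: default log location; change $LogFile if yours is elsewhere.
    param([string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Set-NetFirewallProfile -All -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 4096
}

function Get-DroppedEndpoint {
    # Parse pfirewall.log (W3C text; lines starting with '#' are headers) and count
    # outbound DROPs per destination. The log carries no process name, so use
    # Get-ChattyProcess or the WFC Connections Log to map an endpoint to a program.
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # Columns: date time action protocol src-ip dst-ip src-port dst-port ... path
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Proto = $f[3]; Destination = "$($f[5]):$($f[7])" }
            }
        } |
        Group-Object Proto, Destination |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample lines in the real log's column order (not a captured log).
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-01-15 10:01:02 DROP UDP 10.0.0.5 10.0.0.1 52011 53 0 - - - - - - - SEND
2017-01-15 10:01:03 DROP TCP 10.0.0.5 203.0.113.10 52012 80 0 - 0 0 0 - - - SEND
2017-01-15 10:01:04 DROP UDP 10.0.0.5 10.0.0.1 52013 53 0 - - - - - - - SEND
2017-01-15 10:01:05 DROP TCP 10.0.0.7 10.0.0.5 52014 445 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

# Usage:
#   Get-ChattyProcess | Format-Table -AutoSize
#   Enable-FirewallDropLog
#   Get-DroppedEndpoint (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
#   Get-DroppedEndpoint $SampleLog    # offline run: 2 x UDP 10.0.0.1:53, 1 x TCP 203.0.113.10:80
```

The drop log only starts filling once something is actually being blocked, so it is most useful after you have loaded the minimal rules; on the Wi-fi rules it tells you little. Keep the log size small, as above, because on the satellite link a few blocked apps can retry for hours.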

 

Windows Firewall Control - Connections Log
This is accessed by the button at the left bottom corner and displays a separate window.  It displays a list of the Outgoing and Incoming connections and allows you to add new Firewall Rules.


The main panel displays the connections, showing the program, the IP address and port.  

The connections are filtered by Incoming/Outgoing and Allowed/Blocked.

You can also search by IP address, Name, etc

You can see all the extra connections made around the sending and receiving of emails.

If you double click on a Connection then the Add Firewall Rule dialog pops up.

 

Creating a SatPhone Firewall Rules File
This procedure tells you how to create a minimised set of rules which will only allow the Teleport-It email through the Firewall. 

1.  In WFC, go to the Rules tab and click on  "Export Firewall Rule to a File". Save your current Firewall Rules to a safe place. Label it as something meaningful like "2017-01-15 - WiFiRules" 

2.  Open the WFC Rules Manager.

3.  Take a deep breath, select and DELETE all of the Firewall Rules.

4.  Create two New ALLOW Rules - Teleport-IT Outgoing and Teleport-IT Incoming.  Allow the program to access all Ports and All IP connections.

5.  That's It.  If you have WFC Notification set On then you will now be getting loads of popups.

6.  In WFC, go to the Rules tab and click on  "Export Firewall Rule to a File". Save your SatPhone Firewall Rules to a safe place. Label it as something meaningful like "SatPhoneFirewallRules"

7.  You can now reload your backed up Wifi Rules whenever you want to.
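The same procedure done with the built-in firewall cmdlets instead of the WFC GUI, as an added example (this is not the article's own method, nor code from Binisoft or Mailasail, although WFC drives the same Windows Firewall underneath). Assumptions: the Teleport-It path is a placeholder that the script tries to discover from whatever is listening on 127.0.0.1:25, so Teleport-It should be running when you create the rules; the profile file locations are arbitrary; "Medium Filtering" is taken to mean a default outbound action of Block, which is what the two-rule setup relies on. One caveat the GUI steps don't mention: if Teleport-It is configured with the host name xpm1.nippynetworks.com rather than the IP address, the name lookup is made by the Windows DNS Client service (svchost.exe), not by Teleport-It, so with everything else blocked you either need the extra DNS rule below or the IP address in the Teleport-It settings.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell prompt.
# Placeholder path - replace with the real location of your Teleport-It executable.
$TeleportExe   = 'C:\Program Files (x86)\MailASail\TeleportIt.exe'
$ProfileFolder = 'C:\FirewallProfiles'                  # arbitrary location for the two rule files
$WiFiFile      = Join-Path $ProfileFolder 'WiFiRules.wfw'
$SatFile       = Join-Path $ProfileFolder 'SatPhoneRules.wfw'
$Group         = 'SatPhone'                             # rule group, so the rules are easy to find

function Get-TeleportPath {
    # Find the program behind the proxy on localhost:25 (step 1 of the emailing process)
    # rather than guessing its folder. Falls back to the placeholder if nothing is listening.
    $listener = Get-NetTCPConnection -LocalPort 25 -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in '127.0.0.1', '0.0.0.0' } | Select-Object -First 1
    if ($listener) {
        $p = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.Path) { return $p.Path }
    }
    return $TeleportExe
}

function Export-FirewallProfile {
    # Steps 1 and 6: netsh writes the whole policy (rules and per-profile settings) to a .wfw file.
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    netsh advfirewall export "$Path" | Out-Null
}

function New-SatPhoneRules {
    # Steps 3 and 4: delete every rule, then allow only Teleport-It on any port to any address.
    param([string]$Program = (Get-TeleportPath), [switch]$AllowDns)
    if (-not (Test-Path $Program)) { throw "Teleport-It not found at $Program" }

    Get-NetFirewallRule | Remove-NetFirewallRule

    foreach ($dir in 'Outbound', 'Inbound') {
        New-NetFirewallRule -DisplayName "Teleport-It $dir" -Group $Group -Direction $dir `
            -Program $Program -Action Allow -Profile Any -Enabled True | Out-Null
    }

    if ($AllowDns) {
        # Only needed if Teleport-It is configured with a host name: lookups come from
        # the DNS Client service inside svchost.exe, not from Teleport-It itself.
        New-NetFirewallRule -DisplayName 'DNS Client UDP 53' -Group $Group -Direction Outbound `
            -Protocol UDP -RemotePort 53 -Program "$env:SystemRoot\System32\svchost.exe" `
            -Service Dnscache -Action Allow -Profile Any | Out-Null
    }

    # The equivalent of WFC "Medium Filtering": anything without an allow rule is dropped.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Test-SatPhoneRules {
    # Step 5 sanity check before you dial: only the SatPhone rules exist and every profile blocks by default.
    $rules    = @(Get-NetFirewallRule)
    $foreign  = @($rules | Where-Object { $_.Group -ne $Group })
    $notBlock = @(Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' })
    [pscustomobject]@{
        RuleCount          = $rules.Count
        ForeignRules       = $foreign.Count
        AllOutboundBlocked = ($notBlock.Count -eq 0)
        Ready              = ($foreign.Count -eq 0 -and $notBlock.Count -eq 0)
    }
}

# Usage:
#   Export-FirewallProfile $WiFiFile        # step 1: back up the normal rules first
#   New-SatPhoneRules                       # steps 3-4 (add -AllowDns if the proxy uses a host name)
#   Test-SatPhoneRules                      # step 5: expect ForeignRules 0 and Ready True
#   Export-FirewallProfile $SatFile         # step 6: keep the minimal set
#   netsh advfirewall import "$WiFiFile"    # step 7: back to Wi-fi mode
#   netsh advfirewall import "$SatFile"     # and back to sat phone mode
```

Because the .wfw file holds the profile settings as well as the rules, importing the Wi-fi file also puts the default outbound action back to Allow, so you don't have to remember to change the filtering level separately. Keep the two files somewhere outside any folder that gets synchronised over the link.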

 

To Test the SatPhone Rules

This assumes that you have followed the instructions in Configuring Outlook and a Sat Phone.

1.  Make sure that Windows Firewall Control is set to Medium Filtering and that you have loaded the SatPhone Firewall Rules file.

2.  While still connected to your Wi-fi, make sure that in Outlook the Work Off-line button is OFF, i.e. you are in normal Wi-fi mode, which will get both your personal email and your SailMail email.

3.  Click Send and Receive in Outlook.  You should only see connections from Outlook to localhost (IP:127.0.0.1) and a few connections from Teleport-it.  There may be some other connections to local host, but