ISA 2004: Hosting a game of Locomotion

The usual disclaimers about third-party software apply here; we make no warranty, expressed or implied, about anything to do with anything, ever.

Cautionary Admonition: ISA is a serious network security product. Never use it for fun things like this. Or at least, don't do this at work.

Right. Now on to the fun bit.

I was able to get Chris Sawyer's Locomotion up and running for some hot two player action the other night - and by "hot two player action", I mean the most disgusting kind you can imagine: building competing rail networks (Oh, the filth! Sorry mum) - hosting the game while lurking behind my ISA Server 2004 box.

It worked pretty well, for at least a few hours. It wasn't exactly flawless, as it got a bit slow and jerky in places (and there was one rather odd total-resync moment) - but I think that's more to do with the bandwidth requirements of the game vs my 16K upload speed, rather than being an ISA Server thing per se.

The Manual Says
Open these ports: 6073, 2032** to 2400 (see Notes).

According to my firewall logs, all the connections were UDP, no TCP was used that I spotted.

You Will Need

A Protocol Definition
(in Firewall Policy, click the Toolbox tab in the task pane, New->Protocol)
Name: Locomotion
Primary Connections: 6073 UDP Receive then Send, and 2302-2400 UDP Receive then Send.
Secondary Connections: None, as we're doing this SecureNAT style, and ISA doesn't do secondary connections for SecureNAT clients.

You can split them into separate protocol definitions if it takes your fancy (which is what I did, but I don't think it's actually necessary; I'll confirm that next time I play...). The ports used are the regular DirectPlay8 set.

ISA 2000 might be able to do the same thing, but you'd need multiple protocol definitions, as port ranges aren't supported for primary connections there (you'd need one for 6073 UDP, one for 2302 UDP, one for 2303 UDP and so on...). If you're lucky, you might be able to host reliably with just two protocol definitions published (6073 and 2302), but I wouldn't guarantee anything.

A Server Publishing Rule
Create a new Server Publishing rule that points the above definition from the External network, to your favourite gaming workstation's IP. On the workstation, don't forget to allow an exclusion for Locomotion.exe, or to punch the same holes through whatever client-side firewall you're using.

Notes:
**There may have been a typo in the manual: from testing, port 2302 appeared to be the lowest-numbered port used, which makes sense because that's in the DirectPlay range. If in doubt, ask Atari. If security's important to you and you're happy to experiment, I suspect it can usually be nailed down to 2302 only (assuming nothing else is using that port), but that's just guessing, YMMV. Incremental ports can be added easily enough if you start small (just be prepared to annoy the person at the other end with testing requests).

SecureNAT/SecureNET clients must be configured - as usual - with their default gateway routing back out through the ISA Server.

After playing, it's a good idea to disable the server publishing rule.
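As an added check for the "start small and widen as needed" approach above (example code written for this page, not the author's own setup), the following Python script parses a few constructed firewall log lines in an assumed, simplified W3C-style layout and reports which destination ports and transports actually hit the Locomotion rule, so a published range like 2302-2400 can be narrowed to what a session really used. It also lists ports that external hosts were denied on, which is worth a look before widening anything. The field names, addresses and rule names are assumptions, not real ISA output.

```python
"""Summarise which destination ports a published game server really received.

Added example, not code from the original post. The log layout below is an
assumed, simplified W3C-style format with a #Fields header; real ISA 2004
logs carry more columns, but the same header-driven parsing applies.
"""
from collections import Counter

# Constructed sample log lines (not real ISA output). Addresses, times and the
# rule names "Locomotion" and "WebAccess" are made up for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip r-ip r-port cs-transport action rule
2004-11-20 21:03:11 203.0.113.7 192.168.1.20 6073 UDP Initiated Locomotion
2004-11-20 21:03:12 203.0.113.7 192.168.1.20 2302 UDP Initiated Locomotion
2004-11-20 21:03:12 203.0.113.7 192.168.1.20 2302 UDP Initiated Locomotion
2004-11-20 21:05:40 203.0.113.7 192.168.1.20 2303 UDP Initiated Locomotion
2004-11-20 21:06:02 198.51.100.9 192.168.1.20 2350 UDP Denied -
2004-11-20 21:07:15 203.0.113.7 192.168.1.20 80 TCP Initiated WebAccess
"""


def parse_log(text):
    """Parse W3C-style lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rec = dict(zip(fields, values))
        try:
            rec["r-port"] = int(rec["r-port"])
        except ValueError:
            continue  # port column not numeric: skip the line
        records.append(rec)
    return records


def ports_for_rule(records, rule):
    """Count (port, transport) pairs for connections matched by a given rule."""
    return Counter(
        (r["r-port"], r["cs-transport"]) for r in records if r["rule"] == rule
    )


def contiguous_ranges(ports):
    """Collapse distinct ports into (low, high) ranges for a protocol definition."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def suggested_definition(records, rule):
    """Return {transport: [(low, high), ...]}: the narrowest port ranges that
    would still have matched every logged connection for the rule."""
    by_transport = {}
    for (port, transport) in ports_for_rule(records, rule):
        by_transport.setdefault(transport, []).append(port)
    return {t: contiguous_ranges(ps) for t, ps in by_transport.items()}


def denied_ports(records):
    """Ports external hosts knocked on but the firewall denied."""
    return sorted({r["r-port"] for r in records if r["action"] == "Denied"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (port, transport), hits in sorted(ports_for_rule(recs, "Locomotion").items()):
        print(f"{transport} {port}: {hits} connection(s)")
    print("Narrowest definition:", suggested_definition(recs, "Locomotion"))
    print("Denied ports:", denied_ports(recs))
```

Run against a real session's log export (after adjusting the field names to match your own header line), the "narrowest definition" output is the set of ranges to put in the protocol definition; if a later session shows a port outside it, widen by that port rather than reopening the whole 2302-2400 block.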

And that's all there is to it (I think!). If you're using XP SP2, the "Do you want to allow this program to hax0r the firewall?" exclusion dialog tends to be hidden by the Locomotion interface, so you might need to Alt-Tab after clicking into Host mode to click Unblock, or just add a manual Windows Firewall exclusion ahead of time. If you're using another firewall, You Know What Needs To Be Done (same ports, just on the workstation).

I didn't try using the ISA Firewall Client for this, though it's probably possible - I think that using the FWC, a Server Publishing rule wouldn't be required, and the port mapping would exist for only as long as the EXE in question was running. Might try it another time (I generally try to use SecureNAT at home), I haven't messed about with ISA 2004's Firewall Client nearly enough...