WinRoute supports UPnP protocol (Universal Plug-and-Play). This protocol enables client applications (i.e. Microsoft MSN Messenger) to detect the firewall and make a request for mapping of appropriate ports from the Internet for the particular host in the local network. Such mapping is always temporary — it is either applied until ports are released by the application (using UPnP messages) or until expiration of the certain timeout.
The required port must not collide with any existing mapped port or any traffic rule allowing access to the firewall from the Internet. Otherwise, the UPnP port mapping request will be denied.
To configure UPnP go to the Security Settings folder in Configuration → Advanced Options.
This option enables UPnP.
If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, check that the following system services are not running before you start the UPnP function:
SSDP Discovery Service
Universal Plug and Play Device Host
If any of these services is running, close it and deny its automatic startup. In WinRoute, these services work with the UPnP protocol in Windows, and therefore they cannot be used together with UPnP.
Note: The WinRoute installation program detects the services and offers their stopping and denial.
If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Filter log (see chapter 22.9 Filter Log)).
If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Connection log (see chapter 22.5 Connection Log).
Apart from the fact that UPnP is a useful feature, it may also endanger network security, especially in case of networks with many users where the firewall could be controlled by too many users. A WinRoute administrator should consider carefully whether to prefer security or functionality of applications that require UPnP.
Using traffic policy (see chapter 7.3 Definition of Custom Traffic Rules) you can limit usage of UPnP and enable it to certain IP addresses or certain users only.
Example:
The first rule allows UPnP only from UPnP Clients IP group. The second rule denies UPnP from other hosts (IP addresses).