Groups - icom Connectivity Suite - VPN

The groups to which the devices are assigned can be added and managed on the Groups tab (group management). Groups are used to group devices with similar functions in order to assign them common communication rules.

Note regarding the user interface!

The groups can currently only be configured on the classic user interface. See this note.

Adding a group

It is recommended to think about a reasonable arrangement of the devices into groups before adding the groups.

Groups can be added in the classic user interface by clicking on the Add group button on the Groups tab.
The Group name is a name that describes the group clearly enough that it can be distinguished from other groups.
The checkbox Allow group members to connect determines whether devices within this group may connect to each other.

Managing the groups

The Groups tab shows a list of the added groups. The groups can be managed here. Moreover, the communication within a group and between different groups is determined here.

The Copy button can be used to add another group whose parameters in the window are already preset with those of the copied group. Adjusting these parameters allows similar groups to be added quickly.

The Delete button can be used to delete this group.

The name of this group is indicated in the Group name column.

The button in the Internal connections column can be used to determine whether connections between the members of this group are allowed or denied.

The Connections from button can be used to determine from which groups incoming connections are accepted, i.e. devices in the checked groups can establish connections to devices in this group. Furthermore, these connections can be restricted to certain protocols, target stations and target ports (advanced group management). The names of the groups permitted for these connections are indicated on the button. The addition [LIMITED] indicates that additional restrictions have been specified for these connections.

The Connections to button can be used to determine to which groups outgoing connections can be established, i.e. devices in this group can establish connections to devices in the checked groups. Furthermore, these connections can be restricted to certain protocols, target stations and target ports (advanced group management). The names of the groups permitted for these connections are indicated on the button. The addition [LIMITED] indicates that additional restrictions have been specified for these connections.

Please note!

If a connection with one of the buttons Connections from or Connections to is specified, this will automatically be specified for the other direction as well.

Communication Rules

The communication rules determine whether PCs, INSYS routers and devices locally connected to them are allowed to connect to each other.

Communication within a group

The icom Connectivity Suite – VPN makes it possible to permit or prohibit communication between all devices that are in one group. Prohibiting internal connections is reasonable, for example, if devices of different customers are within one group. The rules for internal communication are defined when the group is added and can be changed at any time on the Groups tab in the Internal connections column.

Communication between groups

The icom Connectivity Suite – VPN makes it possible to define rules for the communication between devices that are in one group and devices that are in another group. The rules for the communication between the groups are defined on the Groups tab in the Connections from (incoming) or Connections to (outgoing) columns of the respective group. If, for example, incoming connections from another group (B) are permitted for a group (A), outgoing connections to group (A) will automatically be permitted for group (B), too.

Restrictions for the communication between groups

If connections between the devices of individual groups are permitted, a connection to a router grants access to the complete network behind that router. Therefore, it is possible to restrict these connections to certain protocols, target stations and target ports. This is done when specifying the permitted connections by checking the checkbox Additional restrictions for allowed connection targets.

Protocol

It is possible to restrict the protocol used for the connection to TCP+UDP, TCP, UDP or ICMP. If a certain protocol is selected, only connections using this protocol can be established between the respective groups. Payload connections usually use TCP or UDP, while the ping command used to check availability uses ICMP.

Target station

It is possible to restrict the connections to certain devices in the network behind the router by specifying a target station. Only the part of the address that identifies the device within its network (the host part) is specified for the target station. This host part is added to the network address to obtain the IP address of the target device. It is also possible to specify a target station that defines a whole IP address range using a netmask in CIDR notation. The following example illustrates the effect of specifying a target station:

In this example, the target station 0.0.0.7 is configured for connections to the devices in the lower group. This means that, for example, connections to the device (camera) with the IP address 192.168.13.7 can be established in the network with the address 192.168.13.0 via the router with the IP address 192.168.13.1. This applies accordingly to the other devices in this group.

The target station 0.0.0.12/30 is configured for connections to the devices in the upper group. This means that, for example, connections to the devices with the IP addresses 192.168.18.12 through 192.168.18.15 can be established in the network with the address 192.168.18.0 via the router with the IP address 192.168.18.1. This applies accordingly to the other devices in this group.

Destination port

It is possible to restrict TCP and UDP connections to certain ports by specifying a target port. Several ports separated by commas or whole port ranges can be specified. For example, the target port specification 80, 443, 1194-1199 permits connections via the ports 80, 443, 1194, 1195, 1196, 1197, 1198 and 1199.
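The following added example (not part of the product or its documentation) works through the target station and target port semantics described above: it combines a host-part specification such as 0.0.0.7 or 0.0.0.12/30 with a router's network address, expands a port list such as 80, 443, 1194-1199, and checks a connection attempt against one restricted rule. The rule dictionary layout and the function names are assumptions of this example, not the suite's own format.

```python
import ipaddress

def expand_target_station(network, target_station):
    """Join a router's network address (e.g. 192.168.13.0/24) with a
    target-station spec (host part, optionally with a CIDR netmask,
    e.g. 0.0.0.7 or 0.0.0.12/30) and return the effective target IPs."""
    net = ipaddress.ip_network(network, strict=False)
    host_part, _, prefix = target_station.partition("/")
    host_bits = int(ipaddress.ip_address(host_part))
    if host_bits & ~int(net.hostmask):
        raise ValueError(f"{host_part} sets bits outside the host part of {net}")
    base = ipaddress.ip_address(int(net.network_address) | host_bits)
    if not prefix:
        return [str(base)]
    if int(prefix) < net.prefixlen:
        raise ValueError("target-station netmask must not be wider than the network")
    # strict=False: the host bits select the block, the netmask gives its size
    return [str(a) for a in ipaddress.ip_network(f"{base}/{prefix}", strict=False)]

def expand_ports(spec):
    """Expand a target-port spec such as '80, 443, 1194-1199' into the
    sorted list of individual TCP/UDP ports it permits."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

# Hypothetical rule layout for this example only: protocol is one of
# "TCP+UDP", "TCP", "UDP", "ICMP"; targets and ports are expanded lists.
PROTOCOLS = {"TCP+UDP": {"TCP", "UDP"}, "TCP": {"TCP"},
             "UDP": {"UDP"}, "ICMP": {"ICMP"}}

def connection_allowed(rule, proto, dst_ip, dst_port=None):
    """Check one connection attempt against a restricted group rule."""
    if proto not in PROTOCOLS[rule["protocol"]]:
        return False
    if dst_ip not in rule["targets"]:
        return False
    # Port restrictions only apply to TCP and UDP; ICMP has no ports.
    if proto in ("TCP", "UDP") and rule["ports"] and dst_port not in rule["ports"]:
        return False
    return True
```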