The communication rules determine whether the participants in the icom Connectivity Suite - VPN, i.e. PCs, INSYS routers and the devices locally connected to them, are allowed to connect to each other.
The communication rules are configured in the classic user interface on the Groups tab.
Communication within a group
The icom Connectivity Suite – VPN allows all devices in one group to be permitted or prohibited from communicating with each other. Prohibiting internal connections is reasonable, for example, if devices of different customers are in the same group.
The rules for internal communication are determined when the group is added and can be changed at any time on the Groups tab in the Internal connections column. To do this, click the button in the Internal connections column to specify whether connections between the devices in this group are allowed or denied.
Communication between groups
The icom Connectivity Suite – VPN allows rules to be defined for communication between devices in one group and devices in another group. The rules for communication between groups are determined on the Groups tab in the Connections from (incoming) or Connections to (outgoing) columns of the respective group. The two columns always agree: if, for example, incoming connections from another group (B) are permitted for a group (A), outgoing connections to group (A) are automatically permitted for group (B) as well.
To configure the communication rules for a group, click the corresponding buttons and specify the other groups with which this group is allowed to communicate.
Restrictions for the communication between groups
If connections between the devices of individual groups are permitted, a connection to a router grants access to the complete network behind that router. Therefore, these connections can be restricted to certain protocols, target stations and target ports. This is done when specifying the permitted connections by selecting the checkbox Additional restrictions for allowed connection targets.
To configure the restrictions, select the checkbox for the respective group and restrict communication accordingly. The individual parameters are explained with notes and examples below.
Protocol
The protocol used for the connection can be restricted to TCP+UDP, TCP, UDP or ICMP. If a specific protocol is selected, only connections using this protocol can be established between the respective groups. Payload connections usually use TCP or UDP, while the ping command for checking availability uses ICMP.
Target station
Connections can be restricted to certain devices in the network behind the router by specifying a target station. For the target station, only that part of the address is specified that designates the device within its own network (the host part). This part is added to the network address to obtain the IP address of the target device. A target station can also define a whole IP address range by means of a netmask in CIDR notation. The following example illustrates the effect of specifying a target station:
In this example, the target station 0.0.0.7 is configured for connections to the devices in the lower group. This means that, for example, in the network with the address 192.168.13.0, a connection can be established via the router with the IP address 192.168.13.1 to the device (camera) with the IP address 192.168.13.7. The same applies accordingly to the other devices in this group.
The target station 0.0.0.12/30 is configured for connections to the devices in the upper group. This means that, for example, in the network with the address 192.168.18.0, connections can be established via the router with the IP address 192.168.18.1 to the devices with the IP addresses 192.168.18.12 through 192.168.18.15. The same applies accordingly to the other devices in this group.
Destination port
TCP and UDP connections can be restricted to certain ports by specifying a target port. Several ports can be specified separated by commas, as can whole port ranges. The target port specification 80, 443, 1194-1199 permits connections via ports 80, 443, 1194, 1195, 1196, 1197, 1198 and 1199, for example.
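The following Python model, added here as an illustration and not the product's own code, shows how the three restrictions above (protocol, target station, target port) combine to decide whether a single connection into a router's network is permitted. It assumes the router subnets are /24, that the host part of a target station is OR-ed into the network address, and that an empty restriction means "no restriction"; the rule CAMERA_RULE is constructed from the page's examples.

```python
import ipaddress

# Assumed mapping of the Protocol choice to the protocols it permits.
PROTOCOL_CHOICES = {
    "TCP+UDP": {"TCP", "UDP"}, "TCP": {"TCP"}, "UDP": {"UDP"}, "ICMP": {"ICMP"},
}

def effective_targets(network: str, target_station: str) -> ipaddress.IPv4Network:
    """Combine a router's network (e.g. "192.168.13.0/24") with a target-station
    spec such as "0.0.0.7" or "0.0.0.12/30" (host part only, optional CIDR)."""
    net = ipaddress.IPv4Network(network, strict=False)
    host_part, _, prefix = target_station.partition("/")
    host_bits = int(ipaddress.IPv4Address(host_part))
    if host_bits & int(net.netmask):
        raise ValueError("target station must contain only the host part")
    base = int(net.network_address) | host_bits  # assumed: host part is OR-ed in
    return ipaddress.IPv4Network((base, int(prefix) if prefix else 32), strict=False)

def parse_ports(spec: str) -> set:
    """Expand a target port spec like "80, 443, 1194-1199" into a set of ports."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port item: {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports

def connection_allowed(rule: dict, proto: str, dst_ip: str, dst_port, network: str) -> bool:
    """Evaluate one connection into `network` against a restriction rule."""
    proto = proto.upper()
    if proto not in PROTOCOL_CHOICES[rule.get("protocol", "TCP+UDP")]:
        return False
    if rule.get("target_station") and \
            ipaddress.IPv4Address(dst_ip) not in effective_targets(network, rule["target_station"]):
        return False
    # Port restrictions apply to TCP/UDP only; ICMP has no ports.
    if proto in ("TCP", "UDP") and rule.get("ports") and dst_port not in parse_ports(rule["ports"]):
        return False
    return True

# Constructed rule: the camera target station and the port spec from the page.
CAMERA_RULE = {"protocol": "TCP", "target_station": "0.0.0.7", "ports": "80, 443, 1194-1199"}
```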