Network Grouping

Owned by Martin Moghadam
Last updated: Dec 03, 2019
7 min read

PerformanceGuard automatically places computers that belong to the same IP subnet in the same group. This type of group is called a network group because only computers that belong to a certain IP network can be a member of this group.

Only PerformanceGuard can place computers in these groups, based on the IP addresses and subnet masks of computers that have PerformanceGuard agents installed. If a computer is moved to another subnet (that is the computer's IP address changes), PerformanceGuard will automatically move the computer to the corresponding network group.

This section describes what PerformanceGuard does to place computers that have PerformanceGuard agents installed in the correct network groups.

  1. The PerformanceGuard agent reports the configured IP address and subnet mask length of a computer.
  2. PerformanceGuard calculates the network address of the computer by applying the subnet mask to the IP address.
  3. For each row in the table NETWORK_GROUPING it's checked whether the IP address of the computer is contained in the network identified by the columns network_address and mask_length.
  4. There may be more than one row/network that matches the IP address. If more than one row is found, PerformanceGuard selects the one with the highest mask_length, that is the most explicit network.
  5. If a match is found, PerformanceGuard changes the network address and subnet mask of the computer to comply with the specified maximum value of the subnet mask length in the column max_length.
  6. The group_location table is checked for an exact match with this network address and netmask length. If an exact match isn't found, a new network group is created with the specified network address and subnet mask.
  7. The computer becomes a member of the network group matching the network address and subnet mask length.

Example:

  1. A computer has the IP address 10.1.2.193 (193 in base 10 equals 1100 0001 in base 2) with subnet mask length 26.
  2. Then the network address of the computer must be 10.1.2.192 to 10.1.2.255.
  3. The table NETWORK_GROUPING contains a row with the values 10.0.0.0, 8, 24 for network_address, mask_length and max_length respectively.
  4. The IP address 10.1.2.193 fits into the network 10.0.0.0/8, so PerformanceGuard must apply the max_length of 24 to the network address of the computer. This yields 10.1.2.0/24.
  5. PerformanceGuard must now check the table GROUP_LOCATION for an exact match with the network 10.1.2.0/24. If an exact match isn't found, a new network group 10.1.2.0/24 is created
  6. The agent becomes a member of the network group 10.1.2.0/24.

Computers Behind NAT-Enabled Routers

Computers behind a NAT (Network Address Translation)-enabled router usually have IP addresses in private address ranges, such as 192.168.0.0/16 and 10.0.0.0/8. Because of this you may experience that agents on different physical locations have the same private IP addresses configured. To avoid conflicts, PerformanceGuard will group the agents based on the public IP address of the router instead.

The public IP address of the router is defined as the client endpoint of the TCP communication between the server that runs PerformanceGuard and the PerformanceGuard agent. If you have several NAT-enabled routers behind each other, PerformanceGuard will only recognize the first public router.

Whether a router is NAT-enabled or not is decided by comparing the client endpoint IP address and the reported agent IP address. If they don't match, PerformanceGuard assumes that Network Address Translation has taken place.

In PerformanceGuard, the network groups are called something like Net 123.76.76.42/192.168.101.0/24, which means computers located on private subnet 192.168.101.0/24 behind a router with a public IP address of 123.76.76.42.

The following describes the complete process of putting computers behind NAT-enabled routers into the correct network groups:

  1. The PerformanceGuard agent reports the configured IP address and subnet mask length of the computer when started.
  2. The network address of the computer is calculated by applying the subnet mask to the IP address.
  3. For each row in the table NETWORK_GROUPING it's checked whether the IP address of the computer is contained in the network identified by the columns network_address and mask_length.
  4. There may be more than one row/network that matches the IP address. If more than row is found, PerformanceGuard selects the one with the highest mask_length, that is the most explicit network.
  5. If a match is found, PerformanceGuard changes the network address and subnet mask of the computer to comply with the specified maximum value of the subnet mask length in the column max_length.
  6. The PerformanceGuard frontend server knows the socket address of the TCP connection with the PerformanceGuard agent. If the reported computer IP address isn't identical to the socket IP address that the frontend server knows from the communication with the computer, it's assumed that the computer is behind a NAT-enabled router. The IP address of the NAT router is assumed to be the socket IP address.
  7. If the computer is behind a NAT-enabled router, a new check is performed against the NETWORK_GROUPING table. This time, PerformanceGuard will check for a rule that matches the NAT router IP address with a subnet mask length of 32.
  8. If a match is found:
    1. PerformanceGuard sets a network address by changing the public router address and subnet mask to comply with the specified maximum value of the subnet mask length in the column max_length.
    2. The group_location table is checked for an exact match with this network address and subnet mask length. If an exact match isn't found, a new network group is created with the specified network address and subnet mask.
    3. The computer becomes a member of the network group matching the network address and subnet mask length.
  9. If a match isn't found, a special type of network group is created where the socket/router IP address is part of the network address.
    1. The group_location table is checked for an exact match with the router address, network address and subnet mask length.
    2. If an exact match is nor found, a new network group is created with the specified router address, network address and subnet mask.
    3. The computer becomes a member of the network group matching the network address and subnet mask length.


Examples: A computer behind a NAT router with the IP address 34.45.123.94 is configured with the internal IP address 192.168.1.57 and subnet mask length 24. No network grouping rules exists. The computer will be placed in a group called Net 34.45.123.94/192.168.1.0/24.

A computer behind a NAT router with the IP address 34.45.123.94 is configured with the internal IP address 192.168.1.57 and subnet mask length 24. A network grouping rule exists for the network 34.45.0.0/16 with a maximum network mask length of 24. The computer will be placed in a group called Net 34.45.123.0/24.

A computer behind a NAT router with the IP address 34.45.123.94 is configured with the internal IP address 192.168.1.57 and subnet mask length 24. A network grouping rule exists for the network 192.0.0.0/8 with a maximum network mask length of 16. The computer will be placed in a group called Net 34.45.123.94/192.168.0.0/16.

A computer behind a NAT router with the IP address 34.45.123.94 is configured with the internal IP address 192.168.1.57 and subnet mask length 24. A network grouping rule exists for the network 192.0.0.0/8 with a maximum network mask length of 16. A network grouping rule exists for the network 34.45.0.0/16 with a maximum network mask length of 24. The computer will be placed in a group called Net 34.45.123.0/24.


Citrix ICA Clients

  1. The Citrix server reports the IP address of the ICA Client, but unfortunately not the subnet mask.
  2. The network address is set to the IP address with a subnet mask length of 32.
  3. For each row in the table NETWORK_GROUPING it's checked whether the IP address of the ICA Client is contained in the network identified by the columns network_address and mask_length.
  4. There may be more than one row/network that matches the IP address. If more than row is found, select the one with the highest mask_length, that is the most explicit network.
  5. If a match is found, change the network address and subnet mask of the ICA Client to comply with the specified maximum value of the subnet mask length in the column max_length.
  6. The group_location table is checked for any match with network address and subnet mask. That is any network group that's large enough to contain the network address and subnet mask
  7. If any match is found, the network group with the highest subnet mask length (that is the smallest and most specific network) is chosen, and data from the ICA Client will belong to this group.
  8. If no match is found, a new network group should be created from the ICA Client IP address. If no match was found in the NETWORK_GROUPING table, the subnet mask length is still 32, and it must be changed to a default value of 24 before the group is created.

Let's look at an example:

  1. The ICA Client has the IP address 10.1.2.193.
  2. The network address of the ICA Client is set to be 10.1.2.193/32.
  3. The table NETWORK_GROUPING contains a row with the values 10.0.0.0, 8, 16 for network_address, mask_length and max_length respectively.
  4. The IP address 10.1.2.193 fits into the network 10.0.0.0/8, so we must apply the max_length of 16 to the network address of the ICA Client. This yields 10.1.0.0/16.
  5. We must now check the table GROUP_LOCATION for any match with the network 10.1.0.0/16.
  6. If a match is found, the ICA Client belongs to that network group, for example 10.1.0.0/16.
  7. If a match isn't found, a new network group 10.1.0.0/16 is created, and the ICA Client will belong to the new group.

Here's another example:

  1. The ICA- client has the IP address 10.1.2.193.
  2. The network address of the ICA Client is set to be 10.1.2.193/32.
  3. The table NETWORK_GROUPING contains a row with the values 10.2.0.0, 16, 16 for network_address, mask_length and max_length respectively.
  4. The IP address 10.1.2.193 doesn't fit any rows in the NETWORK_GROUPING table.
  5. We must now check the table GROUP_LOCATION for any match with the network 10.1.2.193/32.
  6. If a match is found, the ICA Client belongs to that the network group, for example 10.1.0.0/16.
  7. If a match isn't found, a new network group 10.1.2.0/24 is created, and the ICA Client will belong to the new group.

Search this documentation

On this page

In this section