PerformanceGuard automatically places computers that belong to the same IP subnet in the same group. This type of group is called a network group because only computers that belong to a certain IP network can be a member of this group.

Only PerformanceGuard can place computers in these groups, based on the IP addresses and subnet masks of computers that have PerformanceGuard agents installed. If a computer is moved to another subnet (that is the computer's IP address changes), PerformanceGuard will automatically move the computer to the corresponding network group.

Automatic Network Groups

If a suitable network group doesn't exist when the PerformanceGuard agent on a computer reports to PerformanceGuard, PerformanceGuard automatically creates a new network group that fits the IP address and netmask of the computer.
The new group is by default called Net a.b.c.d/x where a.b.c.d is the network address and x is the netmask length of the network.

Set Up Network Grouping Rules

There may be situations where you want to control the creation of new network groups. You can do this by setting up network grouping rules: Select ADMINISTRATION > Computer Grouping > Network Grouping and then select the Create New tab.

A rule consists of a network, a minimum netmask length and a maximum netmask length.

The network identifies the IP addresses for which the rule applies. You specify the network as a network address and a netmask length.

The minimum netmask length field controls the maximum size for network groups within the specified network by setting a lower limit for the network group mask length. The maximum netmask length controls the minimum size by setting an upper limit for network group mask length.

The number of network groups resulting from a single network grouping rule can at most be 2^(maximum netmask length - network netmask length).

Join Small Networks into Larger One (Useful for VPN Connections)

Imagine that you specify a network grouping rule with the network 10.2.4.0/22 and a maximum netmask length of 24. That would mean that within the network 10.2.4.0/22 no network group can be created that has a netmask that's higher than 24.

Now, if the PerformanceGuard agent reports an IP address of 10.2.5.130 and a netmask length of 26, you would expect that the computer would be placed in a network group called 10.2.5.128/26.

However, because of your rule the network group will be 10.2.4.0/24. This is because the computer's IP address falls within the network 10.2.4.0/22, and there's an upper limit of 24 on the netmask length.

Split Large Networks into Smaller Ones (Useful for Networks Divided into Smaller VLANs)

Imagine that you specify a network grouping rule with the network 10.2.0.0/16 and a minimum netmask length of 24. That would mean that within the network 10.2.0.0/16 no network group can be created that has a netmask that's lower than 24.

Now, if the PerformanceGuard agent reports an IP address of 10.2.5.130 and a netmask length of 16, you would expect that the computer would be placed in a network group called 10.2.0.0/16.

However, because of your rule the network group will be 10.2.5.0/24. This is because the computer's IP address falls within the network 10.2.0.0/16, and there's a lower limit of 24 on the netmask length.

Explicitly Define Your Network Groups (Useful for Citrix ICA Clients)

If you specify a rule with the network 10.2.4.0/22 and a maximumnet mask length of 22, it means that within the network 10.2.4.0/22 one network group can be created.

So, if you specify a maximum netmask length that's equal to the netmask length of the network, you have explicitly defined a network group.

Computers Behind NAT-Enabled Routers

Computers behind NAT (Network Address Translation)-enabled routers usually have IP addresses in private address ranges, such as 192.168.0.0/16 and 10.0.0.0/8. Because of this you may experience that computers on different physical locations have the same private IP addresses configured. To avoid conflicts, PerformanceGuard will group the computers based on the public IP address of the router instead.

The public IP address of the router is defined as the client endpoint of the TCP communication between the server that runs PerformanceGuard and the PerformanceGuard agent. If you have several NAT-enabled routers behind each other, PerformanceGuard will only recognize the first public router.

Whether a router is NAT-enabled or not is decided by comparing the client endpoint IP address and the reported agent IP address. If they don't match, PerformanceGuard assumes that Network Address Translation has taken place.

In PerformanceGuard such network groups will be called something like Net 123.76.76.42/192.168.101.0/24, which means computers located on private subnet 192.168.101.0/24 behind a router with a public IP address of 123.76.76.42.

Unwanted Network Groups

Automatically generated network groups can't be deleted from within the PerformanceGuard web interface. This is because they would be recreated by PerformanceGuard if you don't set up appropriate network grouping rules to prevent the creation of the unwanted network groups. Thus, the solution is to set up network grouping rules that'll prevent the automatic creation of the network groups that you don't want.