Groups

On this page, all groups that exist on the UTM are displayed in a table, and the following information is shown for each of them.

  • Name. The name of the group.

  • Provider. The provider where this group is located (e.g. Local, LDAP).

  • Number of Members. The number of users in this group.

  • Additional Comment. Any remarks or descriptions provided for this group.

  • Actions. The available operations that can be carried out on the account.

Click on New group above the table to add a new local group. In the form that shows up, the following options can be specified for the group.

New Group

Basic

Name

The name of the group.

Enabled

Checkbox to enable/disable this group account.

Additional Comment

An additional comment.

Group Members

Edit members

In this part of the panel it is possible to assign one or more users to this group. After clicking on Edit members, existing users can be selected and/or filtered to find matching users. Group membership is added by clicking on the + on the right of the user name. Users assigned to this group then show Delete as their action. Once users have been added, the Edit members button shows the number of selected users in parentheses in its label.

VPN Options

Override the global OpenVPN configuration for this group

Tick this checkbox to allow the OpenVPN protocol to be used. This option reveals a box in which to specify custom options for the group account (see below).

Override OpenVPN Options

Custom Client Routing

Direct all client traffic through the VPN (full tunnel)

If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the UTM. The default is to route through the VPN only the client traffic to the internal networks (see next options).

Hint

If this option is selected, the related options below are hidden, since they cannot be used at the same time.

Or push the following routes

When full tunnel mode is not used, the GREEN, BLUE, or ORANGE zones can optionally be selected to be pushed to the client. These options have no effect if the corresponding zones are not enabled.

Push only these networks

If any networks are entered here (one per line and in CIDR notation), only routes to these networks will be sent to the client.

Push Other Client Settings

Static IP addresses

Dynamic IP addresses are assigned by default to clients, but a static IP address provided here will be assigned to the client whenever it connects.

Note

If the client connects to a multicore VPN server running on the UTM, this assignment will not be taken into account.

Push these nameservers

Assign custom nameservers on a per-client basis here.

Push these search domains

Assign custom search domains on a per-client basis here.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. This avoids several possible sources of errors and conflicts. Indeed, there are several advantages, including: the automatic assignment of correct routes without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.
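
An added example, not part of the original documentation or of the UTM's own code: a pre-deployment check that parses the contents of a "Push only these networks" box (one CIDR network per line) and reports subnets that overlap between branches, the conflict the note above advises avoiding. The branch names and sample networks are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the networks pushed for two hypothetical branch offices.
BRANCH_A = "192.168.1.0/24\n10.10.0.0/16\n"
BRANCH_B = "192.168.2.0/24\n10.10.20.0/24\n192.168.3.7/24\n"


def parse_networks(text):
    """Parse a one-network-per-line CIDR field into (networks, errors)."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines are ignored
        if "/" not in entry:
            # ip_network() would silently treat a bare address as a /32 host route
            errors.append((lineno, entry, "missing /prefix"))
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 192.168.3.7/24
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors


def find_conflicts(sites):
    """Return (site_a, net_a, site_b, net_b) for networks that overlap across sites."""
    conflicts = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in sites[a]:
                for net_b in sites[b]:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        conflicts.append((a, str(net_a), b, str(net_b)))
    return conflicts


if __name__ == "__main__":
    nets_a, errs_a = parse_networks(BRANCH_A)
    nets_b, errs_b = parse_networks(BRANCH_B)
    for lineno, entry, reason in errs_a + errs_b:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
    for a, net_a, b, net_b in find_conflicts({"branch-a": nets_a, "branch-b": nets_b}):
        print(f"{a} {net_a} overlaps {b} {net_b}")
```

Rejected lines are reported rather than normalised, so a mistyped entry is corrected by the administrator instead of being pushed as a different route than intended.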