Standalone VGA Grid User Guide
You are here: Stream > Stream to viewers > Restricting Viewers by IP Address

Restrict viewers by IP address

The Standalone VGA Grid permits you to restrict which computers can access broadcasts by building a list of allowed and/or denied IP addresses. You can do this at a global level for the system and can also override these settings on a per-channel basis. Both global and per-channel configuration procedures are described below.

IP address restriction is valid for the viewer only and does not affect the Admin panel or the mobile configuration interface.

If your viewer account has a password, your viewers must connect to the system from a computer (or gateway) with a permitted IP address and must also supply the username (viewer) and password before they can view the broadcast.

To restrict access by IP address, you need to know the IP addresses or range of addresses for your viewers. By default, all IP addresses are allowed to connect to the broadcast.

If you’re not familiar with creating allow/deny lists, refer to the examples below this procedure for assistance with crafting your lists.

To restrict viewers by IP address:

  1. Login to the Admin panel as admin. See Connect to the Admin panel.
  1. Select the Access passwords link in the Configuration menu; the password configuration page opens.
  2. Type allowed IP addresses or address ranges in the Allow IP’s field. Separate addresses with a comma.
  3. Type denied IP addresses or address ranges in the Deny IP’s field. Separate addresses with a comma.
  4. Click Apply.

To restrict viewers of a specific channel by IP address:

  1. Login to the Admin panel as admin. See Connect to the Admin panel.
  1. Select the Streaming link for the desired channel; the streaming configuration page opens.
  2. From the Access Control drop-down, select Use these Settings; local password and Allow/Deny IP lists are enabled.
  3. If desired, type a password for the viewer in the Viewer Password field.
  4. Type allowed IP addresses or address ranges in the Allow IP’s field. Separate addresses with a comma.
  5. Type denied IP addresses or address ranges in the Deny IP’s field. Separate addresses with a comma.
  6. Click Apply.

If a user attempts to connect to the stream from a disallowed IP address, access is denied. If connecting by internet browser, the message "IP address rejected." is displayed.

The following table describes the applicable fields.

IP Based Restriction Fields

LabelDescription/Options
Allow IP's

Enter individual IP addresses or IP address ranges, separated by commas. To specify a range, use a hyphen (-). Optional spaces improve readability.

Users connecting from addresses in this list are permitted to view broadcasts from the system, provided their IP address is not in the Deny IP’s list.

To allow all except IP addresses in the deny list, if any, leave the field blank.

You can use the Allow list by itself, or in conjunction with the Deny IP’s list as an exception to a rule in the allow list.

Deny IP's

Enter individual IP addresses or IP address ranges, separated by commas. To specify a range, use a hyphen (-). Optional spaces improve readability.

Users connecting from addresses in this list are not allowed to view broadcasts from the system, unless their IP address is in the Allow IP’s list. If a specific IP address is in both lists, access to the stream is denied.

You can use the Deny list by itself, or in conjunction with the Allow IP’s list as an exception to a rule in the allow list.

IP restriction examples

Allow list with distinct IP addresses

The simplest allow/deny list is to use the list of known IP addresses to craft a list of allowed IP addresses. All other addresses are denied access to the broadcast.

For example if your system is accessible on your local area network (LAN) and you want to make sure only the CEO’s specific desktop, laptop and tablet computers (with IP Addresses 192.168.1.50, 192.168.1.51, and 192.165.1.75, respectively) can connect to the broadcast, construct the following allow list:

Allow: 192.168.1.50, 192.168.1.51, 192.168.1.75

Allow list with a range of IP addresses

Sometimes you’ll want a range of computer IP addresses to connect to your system. This may happen when you have one range of IP addresses assigned to desktop computers (i.e. in the range 192.168.1.1 to 192.168.1.100) and another range assigned to boardroom computers (i.e. the range 192.168.1.200 to 192.168.1.250). If you only want the boardroom computers to connect to broadcasts from the system you can specify the range of boardroom IP addresses rather than needing to type in each individual address. The allow list looks as follows:

Allow: 192.168.1.200-192.168.1.250

Note that we could have specified two of the IP addresses in the previous example as a range.

Allow list with a range of IP addresses and one or more specific IP addresses

Putting the first two examples together, we want to permit access to IP addresses in the range of boardroom computers (192.168.1.200-192.168.1.250) and also want to add the desktop, laptop and tablet computers of the CEO (IP addresses 192.168.1.50, 192.168.1.51, and 192.168.1.75, respectively). Note the first two IP addresses are consecutive, so they can be added as a second range. Add these IP addresses to the list as follows:

Allow: 192.168.1.200-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75

Your list can have multiple ranges and multiple distinct IP addresses, provided they are separated by commas.

Deny list with distinct IP addresses

Another simple allow/deny list is to use the list of known IP addresses to list specific denied IP addresses. All other addresses are allowed access to the broadcast.

For example imagine your system is accessible on your local area network (LAN) and you want to allow any computer on the LAN can access the stream except your publicly-accessible boardroom (with IP address 192.168.1.211). You can use the following deny list (leave the allow list empty) to permit all computers except the boardroom computer:

Deny: 192.168.1.211

As with allow lists, your deny list can specify a range of IP addresses, and can specify multiple ranges or distinct IP addresses in a comma-separated list.

Allow list with a range of IP addresses, distinct IP addresses and an exception

Building on the previous examples, consider the situation where you want the CEO’s computers (192.168.1.50, 192.168.1.51, 192.168.75) and all boardroom computers (192.168.1.200-192.168.1.250) to access the broadcast, with the exception of the public boardroom computer (192.168.1.211). Use both allow and deny lists to create the rule as follows:

Allow: 192.168.1.200-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75

Deny: 192.168.1.211

Both lists can have multiple ranges and multiple distinct IP addresses, provided they are separated by commas.

Deny list with a range of IP addresses

Converse to the previous examples, consider the situation where you want every computer on the network to access the broadcast, with the exception of the CEO’s desktop, laptop and tablet computers. Additionally, boardroom computers should not be permitted with the exception of the cafeteria computer (IP address 192.168.1.222).

The deny list is an "exception" list for the allow list. So to craft the rule described above we need to allow all the computers in the local subnet, then deny specific sub-ranges including two groups of boardroom computers ensuring the cafeteria computer's IP address is not in the deny list:

Allow: 192.168.1.1-192.168.1.250

Deny: 192.168.1.200-192.168.1.221, 192.168.1.223-192.168.1.250, 192.168.1.50-192.168.1.51, 192.168.1.75

Copyright © 2017 Epiphan Systems Inc.