Limiting the client logon to a specific class of devices

You can limit the SafeLinx Clients that are permitted to log on to the SafeLinx Server by device class. This capability is a security feature of the connection profile that is assigned to the mobile network connection (MNC) to which the client logs in. How devices are identified depends on the operating system of the SafeLinx Client.

About this task

During an initial logon attempt, the SafeLinx Client determines the class and operating system of the device and sends that information to the SafeLinx Server. The SafeLinx Server performs a case-insensitive search to see whether the device information matches any of the platform keywords and phrases that are defined on the Security tab of the connection profile.

If a match is found, the SafeLinx Client is permitted to connect. If a match is not found, the SafeLinx Client login fails, the user is denied access, and a message is issued. Examples of the error messages include:
Linux and Symbian OS
Your connection has been terminated because the operating system you are using for the SafeLinx Client is not allowed by the SafeLinx Server.
Windows and Windows CE
Your connection has been terminated because the operating system you are using for the SafeLinx Client is not allowed by the SafeLinx Server, or the version of the SafeLinx Client is not compatible with the SafeLinx Server.

The SafeLinx Server administrator is responsible for determining which keywords are used for the match. What to include in the list depends on the operating systems of the SafeLinx Clients that connect to this MNC. Follow the procedure to find out which platform keywords and phrases to include in the list.

Procedure

  1. Set the SafeLinx Server logging level to Log.
    1. Edit the properties of the SafeLinx Server, then click the Logging tab.
    2. Click Log in the Log level field, then click OK or Apply.
  2. Use the devices that you want in the restricted access list to connect to the SafeLinx Server.
  3. After successfully connecting each of the devices, view the SafeLinx Server message log file. The name of the file is wg.log by default. This file is located in /var/adm/ on Linux. This file is in the installation directory under logs\ on Windows.
  4. Search for ARTVERSION and identify the extended information that is listed for each of the devices with which you connected. As an example for each operating system, you might see:
    Linux
    Linux i686 SuSE Linux 9.0 - This example is a system running SuSE 9.0
    Symbian OS
    Symbian 7.0 UIQ 0x101FB2AE - The Symbian OS extended version information is a 32-bit identifier for each of the phone types. This example of UIQ 0x101FB2AE is for the Sony Ericsson P900. Another example includes S80 0x101f8ddb for the Nokia 9500 Communicator.
    Windows
    Microsoft Windows XP Professional version 5.1 Service Pack 1 (Build 2600)
    Windows CE
    Microsoft Windows CE PocketPC version 3.0 Hitachi SH-G1000
    Note: Extended version information is available for SafeLinx Client versions 5.1.0.1 and greater only.
  5. Add the keywords to the list in the connection profile. To add keywords to the access list:
    1. Edit the connection profile properties and click the Security tab.
    2. Select Restrict access by device platform name.
    3. The Allowed platform keywords or phrases section displays a list of the keywords that are to be used when searching for a matching client operating system. To add a keyword, type a word or phrase in the Text field, then click Add.
    4. Click OK or Apply.
    Note:

    Determine how restrictive you need to be when you add keywords or phrases to the list. If you want to restrict access to only devices using the Windows operating system, simply use the keyword windows. But if you must restrict access to a certain service pack level, then you need to be more specific.

    As another example, if you wanted to restrict access to only Tungsten C devices, use the keyword MT64. If you wanted to restrict access to only Tungsten W devices, use the keyword atc1. To restrict access to both devices, add each keyword as a separate entry in the list.

    As another example, if you wanted to restrict access to only the Nokia 9500 Communicator device, use the keyword 0x101f8ddb.
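
To preview how broad a keyword is before adding it to the connection profile, the following added Python example (not SafeLinx code) tests candidate keywords against the ARTVERSION strings collected from the log. It assumes that the server's case-insensitive search is a substring match and that the device string follows the ARTVERSION marker on the log line; the sample log lines are constructed from the device strings shown above.

```python
# Added example: preview which logged devices each keyword would admit.
# Assumptions: the server's case-insensitive search is a substring match, and
# the device string is the text that follows ARTVERSION on the log line.

# Constructed sample lines. Only the ARTVERSION marker and the device strings
# come from the page; the rest of the line layout is made up.
SAMPLE_LOG = """\
LOG user1 ARTVERSION: Linux i686 SuSE Linux 9.0
LOG user2 ARTVERSION: Symbian 7.0 UIQ 0x101FB2AE
LOG user3 ARTVERSION: Symbian 7.0 S80 0x101f8ddb
LOG user4 ARTVERSION: Microsoft Windows XP Professional version 5.1 Service Pack 1 (Build 2600)
LOG user5 ARTVERSION: Microsoft Windows CE PocketPC version 3.0 Hitachi SH-G1000
LOG user6 session started
"""


def device_strings(log_text):
    """Return the text that follows ARTVERSION on each line that contains it."""
    found = []
    for line in log_text.splitlines():
        _, marker, rest = line.partition("ARTVERSION")
        if marker:
            found.append(rest.lstrip(" :=\t").strip())
    return found


def is_allowed(device, keywords):
    """True if any non-empty keyword or phrase occurs in the device string."""
    haystack = device.casefold()
    # Skip blank entries: an empty string is a substring of everything.
    return any(k.casefold() in haystack for k in keywords if k.strip())


def coverage(devices, keywords):
    """Map each keyword to the devices it admits, to expose over-broad entries."""
    return {k: [d for d in devices if is_allowed(d, [k])] for k in keywords}


if __name__ == "__main__":
    devices = device_strings(SAMPLE_LOG)
    candidates = ["windows", "Service Pack 1", "0x101f8ddb"]
    for keyword, admitted in coverage(devices, candidates).items():
        print(f"{keyword!r} admits {len(admitted)} device(s):")
        for device in admitted:
            print("   ", device)
```

With these sample strings, the keyword windows admits both the Windows XP and the Windows CE device, while Service Pack 1 admits only the Windows XP device.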