Windows XP Restriction

KJMurphy_
New Contributor

Windows XP Restriction

Is there any way to not allow Windows XP machines to connect to the VPN without using host checker?

Thanks!

3 REPLIES 3
spuluka
Super Contributor

Re: Windows XP Restriction

Not really, host checker is the mechanism to test the host and decide whether or not they are allowed to connect.

 

You could make the host check policy just that one test of the OS check and only fail those that match XP; everyone else would succeed. But host checker would run on everything.

Steve Puluka BSEET - IP Architect - DQE Communications Pittsburgh, PA (Metro-Ethernet & ISP) - http://puluka.com/home
braker_
Frequent Contributor

Re: Windows XP Restriction

In general, Steve is correct. Host Checker is the only way to do this with full assurance.

 

You can, however, use user-agent string matching in either a browser authentication policy or role mapping policy at the realm level for a non-invasive approximation. Just understand that the user-agent string can be modified by some browsers.

 

Use the browser authentication policy approach if you simply want to bar access with a generic 'you do not have permission login' message. Create a deny rule for *Windows XP* and a deny rule for *NT 5.1* (and one for *NT 5.2* if you want to include XP 64-bit), followed by an allow rule for *, then enable 'only allow user matching the following user-agent policy'.

 

Use the role mapping approach if you want to direct XP users to a special role (e.g. to provide limited access or a custom message). Create a rule with a custom expression like userAgent = '*NT 5.1*' OR userAgent = '*NT 5.2*' OR userAgent = '*Windows XP*' that maps to the special role and enable 'stop processing rules'. Move this rule to the top of your role mapping policy.

 

Note here that NT 5.2 includes XP 64-bit and Server 2003.

 

As always, test in a non-production realm before applying to a production realm.
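The ordered deny/allow list described in the post above can be dry-run against sample user-agent strings before touching a realm. This is an added example, not part of the original post and not the VPN appliance's own code; it assumes first-match-wins evaluation with `*` as a wildcard, and every user-agent string in it is constructed.

```python
from fnmatch import fnmatchcase

# Ordered rules from the post: three denies, then a catch-all allow.
RULES = [
    ("deny", "*Windows XP*"),
    ("deny", "*NT 5.1*"),
    ("deny", "*NT 5.2*"),   # also matches Server 2003, as the post notes
    ("allow", "*"),
]

# Constructed sample user-agent strings (not captured from real clients).
SAMPLES = {
    "xp_ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "nt52": "Mozilla/5.0 (Windows NT 5.2; rv:52.0) Gecko/20100101 Firefox/52.0",
    "win7": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
    # Any client whose browser reports a non-XP string looks like this one,
    # which is why the post calls the method an approximation.
    "reports_nt61": "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
}

def evaluate(user_agent, rules=RULES):
    """Return (action, pattern) of the first matching rule.
    Assumption: first match wins; no match at all means deny."""
    for action, pattern in rules:
        if fnmatchcase(user_agent, pattern):
            return action, pattern
    return "deny", None

def shadowed_rules(rules=RULES):
    """Rules listed after a catch-all '*' can never fire; report them."""
    for index, (_, pattern) in enumerate(rules):
        if pattern == "*":
            return rules[index + 1:]
    return []

def audit(samples=SAMPLES, rules=RULES):
    """Map each sample name to the decision the rule list produces."""
    return {name: evaluate(ua, rules) for name, ua in samples.items()}

if __name__ == "__main__":
    for name, (action, pattern) in audit().items():
        print(f"{name:14} {action:6} via {pattern}")
    # A misordered list (allow '*' first) silently disables every deny rule.
    print("shadowed if allow is first:", shadowed_rules([RULES[3]] + RULES[:3]))
```
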

KJMurphy_
New Contributor

Re: Windows XP Restriction

Thank you for the replies. We don't currently use host checker today, which is the reason for looking for another way. I think the agent string method will work for our needs.