Barracuda SSL VPN Administrator’s Guide Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd Campbell, CA 95008 http://www.barracuda.
Copyright Notice Copyright 2008, Barracuda Networks www.barracudanetworks.com v1x-081201-01-1201 All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice. Trademarks Barracuda SSL VPN is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.
Contents (partial)
INTRODUCTION
GETTING STARTED
DEPLOYMENT SCENARIOS
OVERVIEW
ACCESS CONTROL ARCHITECTURE
CREATING ACCOUNTS
PRINCIPAL TYPES
CREATING A NEW WEB FORWARD
EDITING A WEB FORWARD
DELETING A WEB FORWARD
OUTLOOK WEB ACCESS AND MAIL CHECK
Chapter 1 Introduction
This chapter provides an overview of the Barracuda SSL VPN and includes the following topics:
• Overview
• Barracuda SSL VPN Models
Overview The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resources from any Web browser. Designed for remote employees and road warriors, the Barracuda SSL VPN provides comprehensive control over file systems and Web-based applications requiring external access. The Barracuda SSL VPN integrates with third-party authentication mechanisms to control user access levels and provide single sign-on.
Barracuda SSL VPN Models
The Barracuda SSL VPN comes in a variety of models. Refer to the following table for the capacity and features available on each model:

Feature                     Model 280       Model 380       Model 480
CAPACITY
Recommended Max Users       25              50              100
HARDWARE
Rackmount Chassis           1U Mini         1U Mini         1U Mini
Dimensions (in.)            16.8x1.7x14     16.8x1.7x14     16.8x1.7x14
Dimensions (cm.)            42.7x4.3x35.6   42.7x4.3x35.6   42.7x4.3x35.6
Weight (lbs. / kg.)         12 / 5.4        12 / 5.4        12 / 5.
Ethernet
AC Input Current (Amps)
Chapter 2 Getting Started
This chapter provides an overview of the Barracuda SSL VPN, detailing the initial installation and the basics of interacting with the system through the Management Console.
Initial Setup
Checklist for Unpacking
Thank you for purchasing the Barracuda SSL VPN. Match the items on this list with the items in the box. If any item is missing or damaged, please contact your Barracuda Networks Sales representative.
• Barracuda SSL VPN
• AC Power Cord
• Ethernet Cables
Required Equipment for Installation
These are items that are needed for installing the Barracuda SSL VPN:
• VGA monitor
• PS2 keyboard
Install the Barracuda SSL VPN
To physically install the Barracuda SSL VPN:
1.
Password: admin
2. Configure the IP Address, Subnet Mask, Default Gateway, Primary DNS Server and Secondary DNS Server as appropriate for your network.
3. Save your changes.
If you do not have a monitor and keyboard and want to set the IP using the RESET button on the front panel, press and hold the RESET button per the following table:
IP address   192.168.200.200   192.168.1.200   10.1.1.
Set the Administrative Options
To set the Administrative Options:
1. Select Basic Administration.
2. Assign a new administration password to the Barracuda SSL VPN. You cannot change the password for the Administrative Console, but this is only accessible via the keyboard, which you can disconnect at any time.
3. Set the local time zone. The time on the Barracuda SSL VPN is automatically updated via NTP (Network Time Protocol), which requires port 123 to be opened for outbound UDP traffic on the firewall.
To take advantage of the features of the Barracuda SSL VPN, you must route incoming HTTPS connections on port 443 to the Barracuda SSL VPN. This is typically achieved by configuring your corporate firewall to port forward SSL connections directly to the Barracuda SSL VPN.
Note: The Appliance Administrator Web interface ports 8000/8443 will also need similar port forward configurations if you intend to manage the appliance from outside the corporate network.
ALWAYS read the release notes prior to downloading a new firmware version. Release notes provide you with information on the latest features and fixes provided in the updated firmware version. You can access the release notes from the Advanced > Firmware Update page.
Note: The apply process takes several minutes to complete. It is important not to power-cycle the unit during the download. Inbound and outbound traffic for mail continues when the update process is complete.
Deployment Scenarios The following diagrams have been provided to show some basic deployments. A brief description of some of the more major characteristics is also provided. Non-DMZ The first diagram depicts an installation of the Barracuda SSL VPN behind a firewall. Typically all port 443 (standard SSL port) traffic is routed through the firewall to the appliance. A proxy server could easily be included by placing it on the Internet facing side of the appliance should it be required.
Configuring your Firewall to Route Incoming SSL Connections to the Barracuda SSL VPN
There are many implementations of firewalls using software and/or hardware to enforce an access policy. The way in which these rules are created can vary greatly, so it may be necessary to consult the documentation accompanying the firewall being used. The appliance requires the firewall to forward all SSL encrypted traffic to it in order to function correctly.
Seeing the above dialog means that the appliance has successfully been contacted and has sent a reply to the client’s browser.
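As an added check (example code, not part of this guide), the following Python script probes the appliance's public address the way an external client would: port 443 must answer, while the Appliance Administrator ports 8000/8443 should not be reachable from outside unless that forward was deliberately configured. The hostname vpn.example.com is a placeholder.

```python
import socket
from typing import Dict, Iterable

# Port the guide requires to be forwarded to the appliance, and the
# Appliance Administrator Web interface ports that only need forwarding
# if the appliance is to be managed from outside the corporate network.
SSL_VPN_PORTS = (443,)
MANAGEMENT_PORTS = (8000, 8443)


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, expect_open: Iterable[int] = SSL_VPN_PORTS,
                   expect_closed: Iterable[int] = MANAGEMENT_PORTS,
                   timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port once and classify the result against expectations.

    Returns {port: 'ok' | 'NOT REACHABLE' | 'EXPOSED'}.  A management port
    that answers from the probing vantage point is reported as EXPOSED so the
    administrator can confirm that forward was intended.
    """
    results: Dict[int, str] = {}
    for port in expect_open:
        results[port] = "ok" if port_open(host, port, timeout) else "NOT REACHABLE"
    for port in expect_closed:
        results[port] = "EXPOSED" if port_open(host, port, timeout) else "ok"
    return results


if __name__ == "__main__":
    import sys
    # Placeholder hostname; run from outside the corporate network.
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    for port, verdict in sorted(check_exposure(target).items()):
        print(f"{target}:{port}  {verdict}")
```

Run it from a host outside the corporate network; a verdict of EXPOSED on 8000 or 8443 means the appliance management interface is answering on the Internet-facing address.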
Appliance Administrator Web Interface
The Appliance Administrator Web interface is accessed using a different port from the standard interface and allows management of the hardware and other low level functions of the appliance. This includes such tasks as checking the status of Energize Updates, updating the firmware and configuring networking settings.
Monitoring the Barracuda SSL VPN
Checking Status
Check the Basic > Status page for an overview of the health and performance of your Barracuda SSL VPN, including:
• Active Sessions
• The subscription status of Energize Updates.
• System and hardware statistics, including CPU temperature and system load. Performance statistics displayed in red signify that the value exceeds the normal threshold.
• Incoming and outgoing throughput on the network interface.
Configuring an SSL Certificate In order to only allow secured connections when accessing the Web administration interface, you need to supply a digital SSL certificate which will be stored on the Barracuda SSL VPN. This certificate is used as part of the connection process between client and server (in this case, a browser and the Web administration interface on the Barracuda SSL VPN). The certificate contains the server name, the trusted certificate authority, and the server’s public encryption key.
Updating the Firmware of Your Barracuda SSL VPN The Advanced > Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. The only time you should revert back to an old firmware version is if you recently downloaded a new version that is causing unexpected problems. In this case, call Barracuda Networks Technical Support before reverting back to a previous firmware version.
Using the Reset Button to Reset the LAN IP address
The Barracuda SSL VPN is assigned a default IP address of 192.168.200.200. You can change this IP address using the Appliance Administrator Interface (Basic > IP Configuration) or by pressing the RESET button on the front panel. Pressing RESET for five seconds sets the LAN IP address to 192.168.200.200. Pressing RESET for eight seconds changes the LAN IP address to 192.168.1.200. Pressing the button for 12 seconds changes the LAN IP address to 10.1.1.200.
SSL VPN Administrator Web Interface
The SSL VPN Administrator interface is the main point of interaction between the administrators of the system and the system itself. This chapter introduces the reader to the SSL VPN Administrator interface and details its various functions. The sections included in this chapter are:
• Purpose
• Switching Views
• Accessibility
At the end of this chapter the reader should have an understanding of the management console and its purpose.
Accessibility
Initially only the administrator of the system will be able to access the management console. The administrator has access to every task and action available in the console and with this right is assigned the task of creating accounts for his administrative team. In order to carry out administrative tasks such as creating policies and users, the administrative users must be assigned administrative control.
Configuring User Databases All user data used and managed by the appliance must be stored somewhere. The Barracuda SSL VPN allows the configuration of a number of databases to store this information. By the end of this chapter the reader should have an understanding of each type of database and be able to configure the appropriate one that suits their particular requirements.
Controller. Hostnames can also be specified with a port number if different from the Domain Controller Port parameter.
Service Account Authentication
The standard Active Directory database uses GSS-API authentication for the service account. It is unable to authenticate credentials containing non-English characters. The service account does not need to be fully qualified.
• Domain: The domain the controllers are on, for example example.barracuda.com.
• Page Size: The number of objects returned in each paged request; the default should be acceptable in most cases.
• User/Group Cache TTL: This is the minimum ‘Time to Live’ value, which must be greater than 10 seconds. The default value of 300 seconds stores Active Directory user information in the cache for 5 minutes before clearing it. The next required action fetches the user details again, caching them for another 300 seconds.
Organizational Units (OUs) In Active Directory, ‘Organizational Units’ (OUs) are the key structure for organizing users, computers, and other object information into a more easily understandable layout. As the diagram below shows the organization structure has a root OU with three nested OUs below. This nesting enables the organization to distribute users across multiple logical structures for easier administration of network resources.
• The time settings between the Active Directory server and the Barracuda SSL VPN appliance are synchronized. Kerberos authentication, used by Windows, allows only a few minutes of clock skew between Windows server and client. Ensure that both the domain controller and the appliance are synchronized to the same date and time to within one minute.
• Confirm that the Windows server is configured for Active Directory authentication. If using Windows NT4.
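To confirm the clock agreement asked for above, here is an added example (not from the guide) that measures the offset between the local clock and an NTP source using the SNTP calculation from RFC 4330 and flags anything beyond one minute. The build_reply helper exists only so the calculation can be exercised on a constructed packet; query_offset sends a real request to whatever server is named.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
MAX_KERBEROS_SKEW = 60.0       # the guide asks for agreement within one minute


def to_unix(ntp_seconds: int, ntp_fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (seconds, fraction) to Unix time."""
    return ntp_seconds - NTP_EPOCH_OFFSET + ntp_fraction / 2**32


def from_unix(unix_time: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (used to build test packets)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * 2**32)
    return struct.pack("!II", seconds, fraction)


def clock_offset(reply: bytes, t1: float, t4: float) -> float:
    """RFC 4330 offset ((t2 - t1) + (t3 - t4)) / 2, where t1 = client send,
    t2 = server receive (bytes 32-39), t3 = server transmit (bytes 40-47),
    t4 = client receive.  Positive means the server's clock is ahead of ours."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    t2 = to_unix(*struct.unpack("!II", reply[32:40]))
    t3 = to_unix(*struct.unpack("!II", reply[40:48]))
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_ok(offset: float, limit: float = MAX_KERBEROS_SKEW) -> bool:
    """True when the measured offset is inside the tolerance the guide requires."""
    return abs(offset) <= limit


def query_offset(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP client request (UDP 123) and return the measured offset."""
    request = bytearray(48)
    request[0] = 0x23  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(bytes(request), (server, 123))
        reply, _ = s.recvfrom(48)
        t4 = time.time()
    return clock_offset(reply, t1, t4)


def build_reply(t2: float, t3: float) -> bytes:
    """Construct a minimal 48-byte server reply carrying receive/transmit stamps
    (constructed data for exercising clock_offset offline)."""
    head = bytes([0x24]) + bytes(31)   # LI=0, VN=4, Mode=4 (server); other fields zeroed
    return head + from_unix(t2) + from_unix(t3)


if __name__ == "__main__":
    import sys
    # Point this at the domain controller or the NTP source both systems use.
    offset = query_offset(sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org")
    print(f"offset {offset:+.3f}s  {'ok' if skew_ok(offset) else 'EXCEEDS KERBEROS TOLERANCE'}")
```

Run it on the appliance's network segment against the domain controller (Windows domain controllers normally serve NTP) and against the appliance's own NTP source; if either offset is beyond the limit, Active Directory logons through GSS-API will fail even though the credentials are correct.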
Configuring LDAP
LDAP configuration is divided into five distinct areas. The first of these is the Configuration tab.
• Hostname: Hostname of the server hosting the LDAP service.
• Port: Listening port of the LDAP service.
• Protocol: LDAP protocol to be used. Options include secured ‘SSL’ communication or ‘plain’, unsecured communication.
• Base DN of LDAP server: The ‘base DN’ represents the location where you want to start LDAP queries within the namespace.
The next tab, ‘Role Schema’, requires role information so the appliance can successfully link to the correct role classes at run time.
• Role class: The LDAP class object used to represent a Role.
• Rolename attribute: The ‘rolename’ attribute from the Role class, if one exists.
• Role membership attribute: The ‘role membership’ attribute from the Role class, if one exists.
Advanced System Configuration
The Advanced System Configuration (Management Console > Advanced Configuration) page allows the configuration of various security related parameters. Security affects all areas of the system and so this page divides the configurable items into their respective areas.
User Interface
• Allow Open Webfolder in Firefox: When enabled, Firefox users will see the Open As Webfolder action for network places.
• Active DNS Host Format: The format of the unique Active DNS hostname used to access reverse proxy web forwards.
Password Options
This page contains all necessary information pertaining to the configuration of the password authentication module.
• Max Logon Attempts Before Lock: A value of zero disables this option. The default value is 3 logon attempts; after 3 failed attempts the account is temporarily locked.
• Maximum Logon Cookie Age: Maximum age of the cookie that is used to persist the logon if the browser is closed. A value of -1 means that the user will have to log on every time the browser is opened.
• Multiple Sessions: Defines whether the same user can log on multiple times, that is, whether the same user is able to log into the system more than once simultaneously. The final option, ‘Single Session per User / IP Address’, is the most restrictive.
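To make the lockout and cookie semantics concrete, this added example (not the appliance's code) models Max Logon Attempts Before Lock, including the zero-disables case and the administrator's Unlock action, and the Maximum Logon Cookie Age value of -1. The lock duration and the cookie attribute names are assumptions of the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

LOCK_DURATION = 300.0   # seconds a temporary lock lasts (assumed; the guide states no figure)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed logons
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class PasswordLockout:
    """Models 'Max Logon Attempts Before Lock': 0 disables locking entirely;
    otherwise the account is temporarily locked after max_attempts failures."""

    def __init__(self, max_attempts: int = 3, lock_duration: float = LOCK_DURATION):
        self.max_attempts = max_attempts
        self.lock_duration = lock_duration
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self.accounts.get(user)
        return state is not None and now < state.locked_until

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; returns 'ok', 'denied' or 'locked'.
        A correct password is still refused while the lock is in force."""
        state = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if self.max_attempts and state.failures >= self.max_attempts:
            state.locked_until = now + self.lock_duration
            state.failures = 0
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Counterpart of the Accounts page action 'Unlock account after authentication failure'."""
        self.accounts[user] = AccountState()


def logon_cookie_attributes(max_cookie_age: int) -> Dict[str, Optional[int]]:
    """Models 'Maximum Logon Cookie Age': -1 yields a session cookie, so the user
    logs on again whenever the browser is reopened; any other value becomes the
    cookie lifetime in seconds.  Attribute names follow Set-Cookie conventions."""
    attrs: Dict[str, Optional[int]] = {"Secure": None, "HttpOnly": None}
    if max_cookie_age >= 0:
        attrs["Max-Age"] = max_cookie_age
    return attrs
```

The lockout counter is per account, not per source address, which is why a low threshold also lets an outsider lock legitimate users out by guessing their names; the temporary expiry and the Unlock action are the controls that bound that effect.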
Appearance
Logon Page
This page defines the logon preferences. All users are affected by the changes made to this page.
• Site Name: Define a specific name for the site. When a user is presented with the logon page the title specified here is shown.
• Welcome Text: You can configure a custom title for the logon page. Leave this blank to use the default title.
• Message Type: The type of message icon to show. This icon, as well as the following message text, is shown below the logon parameters.
SSL Certificates
An SSL certificate can be configured for the purpose of encrypted communication between server and client. This page enables the management of this and other types of supported certificates. This chapter details the certificate related actions available to a user, from importing new certificates to purchasing certificates.
SSL Certificates Interface
The SSL (Secure Sockets Layer) protocol is the standard method used in securing e-commerce transactions.
Creating a CA A Certificate Authority is required to be able to issue certificates to the clients. This process defines the appliance as the authority to be able to issue and validate the client certificates that will be used to log into the server. An external authority can also be used; the only thing required is the importing of the private key part of the certificates issued by this authority for each client so that the appliance is able to identify each client certificate being used to login with.
Step 1 Select the ‘Download CSR’ option available in the Action pane.
Step 2 The ‘Download CSR’ action takes the content from the unsigned certificate currently in use and produces a CSR. When ready the system makes the CSR available for download. The file should be saved.
Importing a Certificate
Step 1 Select ‘Import Certificate or Key’ from the Action menu.
Step 2 Next, select the ‘Input Type’.
Step 4 The system provides a summary of the action about to be performed. Selecting Back will allow the details to be modified. Once completed successfully the newly imported certificate will be visible from the main SSL certificate page.
Exporting Keys and Certificates If you need to retrieve the certificate or key for one that has been previously created then these can be exported again from the system through the export actions available against each certificate. For example if a certificate for an account has been lost then using these actions the certificate can be retrieved. To export a certificate simply select the export certificate action associated with the certificate.
Attributes
As with any large user management system, functionality that allows for simpler administration is always welcome. User attributes are a simple concept that allow for drastically reduced administration overhead. This chapter aims to detail what user attributes are and how to make the best use of them.
What are Attributes?
User attributes are simply attributes that perform a similar function to ‘environment variables’, and can be created by a user and used throughout the system.
Applications
Attributes can be used with application shortcuts; an attribute can be created as below which defines a hostname and a port number. Here the attribute VNC Server is defined by each user, specifying which server they wish to connect to when using the VNC application shortcut.
When the Web forward is configured the attributes are added to the authentication parameters. When the Web forward is finally executed the supportId and supportPassword attributes are submitted during authentication into the Web Site. The FORM object takes the supportId and identifies the username then takes the supportPassword as the associated password. Instantly any user is able to access the support Web Site using their credentials and this single Web forward.
Delete User Attribute
Edit User Attribute
Creating Attributes
Step 1 Select Create User Attribute from the action box at the top right of the page.
Step 2 The basic details of the attribute need to be completed first.
• Name: The name by which the system can reference the attribute.
• Description: Information about the attribute.
• Class: Whether the attribute will be a user or policy based attribute.
  o User: User attributes become associated with users.
Step 3
  o Checkbox: you can specify a replacement name for the default true, false values.
  o Text area: this parameter allows the dimensions of the text area to be specified. Specifying a value such as 30x2 sets the area to 30 characters wide by 4 lines high.
Step 4 Once complete, hitting the ‘Finish’ button will store the attribute and it will be accessible from the user attributes page.
Fixed System Attributes
User attributes created by the system, such as those categorized under Security Questions, are required by the system and so cannot be removed or edited; no available actions are associated with these.
How to use Attributes
Once a user attribute has been created it can be used throughout the system; wherever dynamic information can be loaded, user attributes can be used. A user attribute is referenced via the attr command whilst a policy attribute is referenced by the policyAttr command.
The session variable refers to the values available during the course of the session. So as above the system would replace this with the username being used in the current session. This means that if the user's home share on the network is named the same as the username used to log into the appliance (as might be the case in an Active Directory environment) then this Network Place will work and the home share of RobertsP would still be loaded.
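The following added Python example (not the appliance's implementation) shows how one Network Place and one Web forward definition can be resolved against each user's attributes and session, covering both the support-site Web forward with its supportId and supportPassword attributes and the home share case above. The placeholder syntax ${attr:...}, ${policyAttr:...} and ${session:username}, and all user data, are assumptions of the illustration; the guide names the attr and policyAttr commands but not their exact form.

```python
import re
from typing import Dict, Mapping

# Assumed placeholder syntax for this illustration: ${attr:Name},
# ${policyAttr:Name} and ${session:username}.
PLACEHOLDER = re.compile(r"\$\{(attr|policyAttr|session):([^}]+)\}")


class UnresolvedAttribute(KeyError):
    """A placeholder named a value the user, policy or session does not carry."""


def resolve(template: str, user_attrs: Mapping[str, str],
            policy_attrs: Mapping[str, str], session: Mapping[str, str]) -> str:
    """Replace every placeholder with the value from the matching scope.
    A missing value raises instead of silently producing a half-built path or URL."""
    scopes = {"attr": user_attrs, "policyAttr": policy_attrs, "session": session}

    def _sub(match: re.Match) -> str:
        scope, name = match.group(1), match.group(2).strip()
        try:
            return scopes[scope][name]
        except KeyError:
            raise UnresolvedAttribute(f"{scope}:{name}") from None

    return PLACEHOLDER.sub(_sub, template)


def is_resolvable(template: str, user_attrs: Mapping[str, str],
                  policy_attrs: Mapping[str, str], session: Mapping[str, str]) -> bool:
    """Dry-run check an administrator can apply before assigning a resource."""
    try:
        resolve(template, user_attrs, policy_attrs, session)
        return True
    except UnresolvedAttribute:
        return False


# Constructed sample data (not from the guide).
USERS = {
    "RobertsP": {"VNC Server": "ws-robertsp.corp.example:5900",
                 "supportId": "probertsp", "supportPassword": "<secret-1>"},
    "jsmith":   {"VNC Server": "ws-jsmith.corp.example:5900",
                 "supportId": "jsmith", "supportPassword": "<secret-2>"},
}
POLICY_ATTRS = {"Support Site": "https://support.intranet.example/login"}

# One Network Place serves every user whose home share is named after the logon name.
HOME_SHARE = r"\\fileserver\users\${session:username}"
# One Web forward; its form parameters are filled from each user's own attributes.
SUPPORT_FORWARD = {"url": "${policyAttr:Support Site}",
                   "form": {"username": "${attr:supportId}",
                            "password": "${attr:supportPassword}"}}


def resolve_for_user(username: str) -> Dict[str, object]:
    """Everything the appliance would need for this user's session."""
    attrs = USERS[username]
    session = {"username": username}
    return {
        "home_share": resolve(HOME_SHARE, attrs, POLICY_ATTRS, session),
        "support_url": resolve(SUPPORT_FORWARD["url"], attrs, POLICY_ATTRS, session),
        "support_form": {k: resolve(v, attrs, POLICY_ATTRS, session)
                         for k, v in SUPPORT_FORWARD["form"].items()},
        "vnc": resolve("${attr:VNC Server}", attrs, POLICY_ATTRS, session),
    }


if __name__ == "__main__":
    for name in USERS:
        print(name, resolve_for_user(name))
```

Because the resolver refuses to emit a partially substituted value, a user who has not yet filled in supportId simply gets no working Web forward rather than a request carrying the literal placeholder text to the target site.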
Access Control
This section details how the system can be accessed, from creating user accounts to giving users access rights to the system. Depending on what type of user database is configured, some functions are not accessible. By the end of this chapter the reader should have a strong understanding of how the access control infrastructure of the product is built up and how it achieves such a strong level of access control flexibility.
With trust playing such a significant part of remote access, the Barracuda SSL VPN solution has been designed to allow for either ‘coarsely grained’ or ‘finely grained’ access control. This approach allows the product to mirror more closely the actual trust relationships present in the real world. In conjunction with multi-tiered authentication schemes, our security model is much more advanced than those offered by conventional VPN solutions.
Utilizing this methodology, the Barracuda SSL VPN is able to maintain robust, secure, and flexible access control architecture. What is a Resource? A ‘resource’ is defined as an application, utility, data source, or any other privileged ability that when assigned will allow the user to conduct certain tasks. Think of it as the endpoint, or objective that a user wishes to achieve. This could be something as simple as a user accessing their email client to read their mail.
A ‘permission’ is a special part of a policy. It adds the final level of control to the access control framework. As we have seen, not only can we control what resources a principal can access, but with this sub-element we can add a lower-level layer to control exactly the functionality a user can perform on any given resource.
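As an added illustration of the principal, policy, resource and permission chain (example code, not the appliance's own logic), the model below resolves a user to their principals, finds the policies that bind those principals to a resource, and narrows the result to the permissions those policies carry. Combining permissions from several policies as a union, and all the names used, are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Policy:
    name: str
    accounts: FrozenSet[str]      # account principals attached to the policy
    groups: FrozenSet[str]        # group principals attached to the policy
    resources: FrozenSet[str]     # resources the policy grants
    permissions: FrozenSet[str]   # the finer-grained layer, e.g. {"read"}


@dataclass
class AccessModel:
    group_members: Dict[str, Set[str]] = field(default_factory=dict)
    policies: Dict[str, Policy] = field(default_factory=dict)

    def add_policy(self, policy: Policy) -> None:
        self.policies[policy.name] = policy

    def principals_of(self, user: str) -> Set[str]:
        """The account itself plus every group the user database places it in."""
        return {user} | {g for g, members in self.group_members.items() if user in members}

    def matching_policies(self, user: str, resource: str) -> List[Policy]:
        """Policies that both grant the resource and include one of the user's principals."""
        principals = self.principals_of(user)
        return [p for p in self.policies.values()
                if resource in p.resources and principals & (p.accounts | p.groups)]

    def allowed_actions(self, user: str, resource: str) -> Set[str]:
        """Union of the permissions of every policy binding the user to the resource
        (union semantics are an assumption of this example)."""
        actions: Set[str] = set()
        for policy in self.matching_policies(user, resource):
            actions |= policy.permissions
        return actions

    def can(self, user: str, resource: str, action: str) -> bool:
        return action in self.allowed_actions(user, resource)


def build_sample_model() -> AccessModel:
    """Constructed data: one coarse policy for a whole group, finer ones per account."""
    m = AccessModel(group_members={"sales": {"alice", "bob"}})
    m.add_policy(Policy("Sales Portal", frozenset(), frozenset({"sales"}),
                        frozenset({"Intranet portal"}), frozenset({"browse"})))
    m.add_policy(Policy("Finance Share", frozenset({"carol"}), frozenset(),
                        frozenset({"Finance share"}), frozenset({"read", "write"})))
    m.add_policy(Policy("Finance Read-only", frozenset({"bob"}), frozenset(),
                        frozenset({"Finance share"}), frozenset({"read"})))
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for user in ("alice", "bob", "carol"):
        for resource in ("Intranet portal", "Finance share"):
            print(f"{user:6} {resource:16} {sorted(model.allowed_actions(user, resource))}")
```

The coarse grain is the group policy (everyone in sales reaches the portal); the fine grain is the per-account policy with a reduced permission set (bob can read the finance share but not write to it), which is the layering the section describes.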
Creating Accounts Principals in their basic form refer to the users of the system upon which the services are delivered. Accounts are the means by which a principal is created within the system. An essential process in building a robust and flexible system is defining what your principal base is. This chapter details further what principals are and how the appliance manages these entities.
The action icons against each account perform functions on the associated account; their respective objectives are detailed below:
• Delete account
• Edit account details
• Enable account – only visible if account is disabled (More…)
• Disable account – only visible if account is enabled (More…)
• Unlock account after authentication failure (More…)
Unsupported Database
Actions such as ‘Create’, ‘Edit’ and ‘Delete’ will not be accessible if the chosen user database does not support external modification by the Barracuda SSL
Step 5 Once the account has been saved the system will ask for a password for the new account. A new password must be entered. In addition the ‘Force user to change password at next logon’ setting ensures that the user makes his or her password secure by forcing them to change it the first time they log on to the system. Selecting Save will save the password against the new account. The newly created account should be visible from the main Accounts page.
Creating Groups Groups represent the alternative type of principal. Groups offer a more convenient type for larger enterprises with a greater user base. This chapter details what a group represents and how they are utilized. By the end of this chapter the reader should have a sound understanding of groups and how they can be used to provide structure to a user base.
Groups Interface
Action Icons
The action icons perform a particular function on the associated group. Available actions for a group are:
• Edit group
• Delete group
Create New Group
Step 1 If the user database allows for the inclusion of new groups then the ‘Create New Group’ action will be visible from the event pane on the right of the page.
Step 2 The ‘Create Group’ page will open. The only detail required is the name of the group.
Creating Policies
Policies are the main building blocks in the access control architecture of the Barracuda SSL VPN. They form the bond between a principal and a resource. This chapter covers policies, from their purpose and usage to their unique characteristics. By the end of this chapter the user should have a sound grasp of policy management and should be able to implement a structured policy framework.
What is a Policy?
On its own a policy is of little worth.
Policy Interface
The policy screen displays a summary of available policies in the system. It is from this screen that we can create, edit and delete resources.
Action Icons
The action icon performs a particular function on the associated policy. Available actions for a policy are:
• Delete policy
• Edit policy details
Create Policy
Step 1 Selecting the ‘Create New Policy’ action from the event pane on the right will start the ‘Create New Policy’ wizard.
To add an account simply use the selection buttons; ‘Add’ to add an Account to the ‘Selected Accounts’ list box or ‘Remove’ to remove an Account. More details on this selection process can be found in the section titled, ‘System Navigation.’ If the system’s user database supports groups then these too can be added in the same way as accounts. For more information on groups please refer to the chapter titled, ‘Creating Groups’.
Editing a Policy
By selecting the ‘Edit’ action icon beside the policy of concern (from the policy page) the ‘Edit Policy’ page will be shown. From this page the current details stored can be modified.
Step 1 The tabs at the top of the page group the particular type of information; selecting each tab will allow you to modify the appropriate content.
Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page. If you wish to discard changes simply select the ‘Cancel’ button.
Creating Access Rights The final piece in the policy chain is the resource. Once a policy has been created and principals attached then these principals will require something to access – in this case a resource. Resources are defined in the system as two types. This chapter explains both types, detailing what they are and how to create these resources.
Edit resource permission
Creating an Access Right
Step 1 Select the type of access right from the action box. The wizard guides the user through the steps required to create a resource entity in the system.
Step 2 The first step in the wizard is detailing basic information pertaining to the resource to be created.
Required Information
Mandatory fields are marked with a red dot. Information must be entered for these fields.
Editing Access Rights
By selecting the ‘Edit’ action icon against a resource permission, the ‘Edit Resource Permission’ page will be shown. From this page the current details stored can be modified.
Step 1 The tabs at the top of the page group the particular type of information that can be edited; selecting each tab will allow you to modify the appropriate content.
Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page.
Authentication Schemes
Authentication is the means of verifying a user’s identity; this can be in the form of a password or a code/key. To allow for greater security the Barracuda SSL VPN uses authentication schemes to provide a multiple staged authentication process. This chapter details authentication schemes, their purpose and how to implement a scheme.
Action Icons
• Delete policy
• Edit policy details
• Enable scheme
• Disable scheme
• Decrease priority of scheme
• Increase priority of scheme
Creating an Authentication Scheme
For this example we will create a three-tiered authentication process. It will be a scheme using the Password module as a primary method, then PIN and finally Personal Questions.
Step 1 From the Authentication Scheme page select the only available action, Create Scheme.
Step 2 This starts the authentication scheme wizard.
Topmost Module Must be a Primary Module
At the top of the Selected Modules window there must be a module which can be a primary module. The system will not allow a scheme to be defined which does not have a primary module at the top of the list.
Step 4 An authentication scheme needs to be attached to a policy. This restricts which users can actually access the scheme.
Step 5 The final step is the summary. The system presents the details provided.
Authentication Modules As mentioned previously, there are differences in the level of control available for the configuration of a module. This section describes each of the modules.
Modifying a Password
Once a password has been assigned to the account it can be altered at any time by both the administrator from the Management Console and by the user through the User Console.
Management Console
Step 1 Choose the account you wish to edit from the Accounts page (Management Console > Access Control > Accounts) by selecting the associated ‘More…’ button.
Step 2 A new set of actions becomes available. Selecting Set Password allows the administrator to change the password for the account.
User Console
This method is used by the user, allowing them to securely modify their own password without any intervention by the administrator.
Step 1 From the My Accounts section select Change Password.
Step 2 The user is now able to change their password from the Change Password page. The user is expected to key in the original password as well before the change can occur.
The security function password structure is built around ‘regular expression’ syntax. Any valid expression will be accepted to parse passwords; an example is given below:
Expression      Meaning
X{n}            X exactly n times
X{n,m}          X between n and m times
[^\s]{n,m}      Any character except white space, with a length between n and m
\w{n,m}         Word character [a-zA-Z_0-9], between n and m times
Personal Questions Authentication
This is another commonly used authentication module.
Step 1 Open the ‘Edit Personal Details’ page from User Console > My Account > Personal Details.
Step 2 Select the Security Questions tab. Once all the answers have been supplied, pressing the Save button will store these for use during authentication.
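Returning to the password structure table, the added example below (not the appliance's code) evaluates candidate passwords against expressions written with the quantifier syntax shown there, and rejects a malformed expression at configuration time rather than at logon. The policies are constructed for the illustration and are not appliance defaults.

```python
import re
from typing import Dict, Tuple

# Password structure expressions using the regex quantifier syntax from the
# table: X{n} exactly n, X{n,m} between n and m, [^\s] any non-whitespace
# character, \w a word character.  Constructed policies, not appliance defaults.
POLICIES: Dict[str, Tuple[str, str]] = {
    # name: (expression, meaning)
    "length-8-32":     (r"^[^\s]{8,32}$", "8 to 32 non-whitespace characters"),
    "word-chars-only": (r"^\w{8,32}$", "8 to 32 characters from [a-zA-Z_0-9]"),
    # lookaheads add character-class requirements on top of the length rule
    "mixed-8-64":      (r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s])\S{8,64}$",
                        "8 to 64 non-whitespace characters with lower, upper, digit and symbol"),
}


def compile_policy(expression: str) -> re.Pattern:
    """Reject the policy when it is configured if the expression itself is invalid."""
    try:
        return re.compile(expression)
    except re.error as exc:
        raise ValueError(f"invalid password expression {expression!r}: {exc}") from None


def is_valid_expression(expression: str) -> bool:
    try:
        compile_policy(expression)
        return True
    except ValueError:
        return False


def password_matches(expression: str, candidate: str) -> bool:
    """fullmatch, so the expression governs the whole password, not a substring."""
    return compile_policy(expression).fullmatch(candidate) is not None


def evaluate(candidate: str) -> Dict[str, bool]:
    """Result of every configured policy for one candidate password."""
    return {name: password_matches(expr, candidate) for name, (expr, _) in POLICIES.items()}


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "hunter2hunter2", "short"):   # constructed samples
        print(f"{sample!r:18} {evaluate(sample)}")
```

The bracket-versus-brace distinction matters here: \w{8,12} is a length rule, while \w[8,12 is a syntax error that compile_policy reports when the policy is saved rather than when the first user tries to log on.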
Resource Management Resources are the key entities that a user of the system will interact with. Without such things, a user has no means of using or gaining any benefit from the system – it is the resources that provide the ‘value’ in an SSL VPN. This section covers the basics of resources; what they are, how they are used and finally ends with what types are available.
• Network Place: Provide network file system access
• Application: Deployment and execution of applications
• SSL Tunnel: Configure SSL tunnels for special tasks such as remote support
• Profile: User environment configuration
• Barracuda Network Connector: A virtual network adaptor that provides full TCP/IP into the network
Each chapter is dedicated to one of these resources, covering everything from creating to managing the resource.
The Barracuda SSL VPN Agent Many commonly used applications typically operate using unsecured protocols to facilitate the exchange of data. To the casual home user this is usually not a worry, though to the corporate user this is a critical vulnerability and one that leaves a business open to all manner of threats from password sniffing to industrial espionage. With modern encryption protocols like SSL, data from these applications can be “tunneled” inside SSL packets.
Executing Resources from the Barracuda SSL VPN Agent
Once the Barracuda SSL VPN Agent is started you can execute any resource assigned to you directly from the taskbar icon. Right-clicking the Agent icon will present a list of resources that can be executed directly from the Agent. By opening the Tunnel Monitor one can view any tunnels that are created through the life of the Barracuda SSL VPN Agent. From here you can also kill any active tunnels.
Web Forwarding Web forwards provide a secure way of remotely accessing a company’s intranet resources and as such are an essential tool in helping reduce the risk of unauthorized access to the corporate network. This chapter covers all the essentials to allow a super user to manage these resources, from what a Web forward is, how they work to managing them. Web forwards come in three types - tunneled, path based reverse proxy and replacement proxy. This chapter details each and when best to use each type.
Technical Overview

The Barracuda SSL VPN provides four ways in which a Web forward can be created, and these are as follows:
• Tunneled: Suitable for static intranets; requires launch of the Barracuda SSL VPN Agent.
• Replacement Proxy: Suitable for Web applications which use absolute URLs with minimal JavaScript.
• Host Based Reverse Proxy: Suitable for Web applications which use relative URLs and tend to be more complex than those for replacement proxy.
Reverse Proxy

Like replacement proxy, reverse proxy does not rely on the Barracuda SSL VPN Agent, and again the communication link between the browser and the appliance remains encrypted. Unlike replacement Web forwards, the content is not altered between leaving the client and the response being received; the appliance acts as a reverse proxy server for the target site. Unfortunately, if the target site has links to other sites and these are selected, those pages will not be secured.
Creating a new Web Forward

Step 1 Select the Create Web Forward action.
Step 2 Select the type of Web forward you wish to create.
Step 3 Once selected, the Web forward wizard will open. All Web forwards follow the same wizard process as below. The first step in the wizard is to provide details of the resource itself: the name and description of the resource. The final Web forward can be set as a favorite resource, which will make it accessible from the Favorites page.
Configuring a Replacement Proxy Web Forward

Replacement details require two sets of information; the first is the basic information of the Web site.
• Destination URL: The URL of the site you wish to access
• Encoding: This overrides the encoding of the HTTP response; it should be left as default unless otherwise instructed by a Barracuda Central engineer.
• Restrict to hosts: This restricts which hostnames the user can access.
• Form Type: The type of form authentication to use. In most circumstances POST will be used to post the parameters listed in the Form Parameters box to the site. NONE disables form authentication and relies on HTML authentication only.
• Form Parameter: Specific form parameters for authentication should be provided here. These parameters map to the parameters on the form. In the example above, pre, ixPerson and sPassword are all form parameters for this application.
Configuring a Reverse Proxy Web Forward

As with replacement proxy, this also requires two types of information, the basic URL information and the authentication details; however, unlike other Web forwards this is broken into path-based proxy and host-based proxy.

The Path-Based Reverse Proxy Method
• Destination URL: The URL of the site you wish to access
• Paths: Each additional path that needs to be proxied is added here.
and suffixed by example.com is generated (e.g. active32432432424.example.com) and used by the client browser to access the reverse proxy. The Barracuda SSL VPN is able to see this hostname and use the number embedded in it to look up the associated Web forward.
• Host Header: This is another method used by the reverse proxy engine to determine whether a site should be proxied. A specific hostname can be set for a site; this requires that the defined hostname resolves to the Barracuda SSL VPN.
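As an added illustration (not Barracuda code), the Python below sketches how a reverse proxy engine like the one described above could map an incoming request back to a configured Web forward: by the generated host-based name, by the Host Header method, or by the path-based Paths list. The exact `active<digits>.<suffix>` layout, the record fields and the sample configuration are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WebForward:
    """Assumed shape of a Web forward record (not the appliance's real schema)."""
    forward_id: int
    destination: str                    # Destination URL of the proxied site
    host_header: Optional[str] = None   # Host Header method: name that resolves to the appliance
    paths: Tuple[str, ...] = ()         # Paths: extra path prefixes (path-based method)


class ReverseProxyRouter:
    def __init__(self, appliance_suffix: str, forwards: Dict[int, WebForward]):
        self.suffix = appliance_suffix.lower()
        self.forwards = forwards
        # Only a run of digits is accepted between 'active' and the suffix, anchored at
        # both ends, so 'active7.example.com.evil.net' is an unknown host, not forward 7.
        self._host_re = re.compile(r"^active(\d+)\." + re.escape(self.suffix) + r"$")
        # Host Header method: one dedicated hostname maps to one forward.
        self._by_header = {f.host_header.lower(): f
                           for f in forwards.values() if f.host_header}

    def generated_hostname(self, fwd: WebForward) -> str:
        """Hostname handed to the browser for the host-based method."""
        return f"active{fwd.forward_id}.{self.suffix}"

    @staticmethod
    def _normalize_host(host: str) -> str:
        # Drop an optional :port and compare case-insensitively, as DNS names are.
        return host.split(":", 1)[0].strip().lower()

    def resolve_by_host(self, host: str) -> Optional[WebForward]:
        """Return the Web forward for an incoming Host, or None if it is unknown."""
        name = self._normalize_host(host)
        m = self._host_re.match(name)
        if m:
            return self.forwards.get(int(m.group(1)))   # None when the id is not configured
        return self._by_header.get(name)

    @staticmethod
    def path_proxied(fwd: WebForward, request_path: str) -> bool:
        """Path-based method: proxy only the destination's own path or a listed Path."""
        dest_path = urlsplit(fwd.destination).path or "/"
        for prefix in (dest_path,) + fwd.paths:
            base = prefix.rstrip("/")
            if request_path == prefix or request_path.startswith(base + "/"):
                return True
        return False


# Constructed sample configuration (ids and internal names are made up).
FORWARDS = {
    32432432424: WebForward(32432432424, "http://intranet.internal/"),
    7: WebForward(7, "http://wiki.internal/wiki/", paths=("/static/", "/api/")),
    9: WebForward(9, "http://crm.internal/", host_header="crm.vpn.example.com"),
}
ROUTER = ReverseProxyRouter("example.com", FORWARDS)
```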
ixPerson, sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided values. As sPassword=${session:password} shows, replacement parameters can also be used; here we have used a session parameter for the form’s password field. The ixPerson parameter is the index into the form’s username dropdown list: 6 is the index of the given username, so when executed the form will look up username 6 from the dropdown list.
Editing a Web Forward

From the Web forwards page select the Edit action against the required Web forward and the Edit Web Forward page will be shown. From this page the current details stored about the Web forward can be modified.

Deleting a Web Forward

The Delete action removes a Web forward permanently from the system. Selecting the Delete action against a Web forward will result in a warning message informing that the Web forward is about to be deleted, as shown below.
Outlook Web Access and Mail Check

The mail check feature presents to the user an instant view of his or her email account status directly through the user console, without having to start an email client to check for new email. This feature can be used to check for email (and launch your Web mail client) on any mail server that supports the POP3/IMAP protocols, including Microsoft Exchange. The mailbox icon is visible from the user console and shows the status of new or unread messages.
mail server these are usually identical. If these are different, then each user needs to provide their mail authentication details on this screen. In addition the default mail folder (e.g. ‘inbox’) can be specified if needed.
Network Places

Network places are another vital tool in defending against unwarranted access to the corporate network. Configuring a network place in the Barracuda SSL VPN allows a user to securely access the company network without compromising the integrity of the network. This chapter covers the basics of network places and moves right through to managing these resources.
Network Places Interface

The main network place page lists the available shares. This page is located under Management Console > Resources > Network Places. The main page details which policy a network place is associated with and the available actions associated with each. Only those network places associated with a user’s policy are visible from the user console under User Console > Resources > Network Places.
Creating a new Network Place

Step 1 From the main network places page, the action menu in the top right presents the only available action, Create Network Place. Selecting this begins the creation wizard.
Step 2 The first step in the wizard, as with any resource, is the name and the description of the required resource. This will be displayed on the main network places page. This particular resource can be added to the Favorites page if so desired for ease of access.
• Host: Hostname of source filesystem
• Port: Port of source filesystem
• Path: Specific path that needs to be accessed on the host

Replacement Variables

The ${} indicates that replacement variables can be included in the resource definition. Clicking this icon loads the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user-defined attributes.
• Username: Username if the location is protected.
The final step is defining a drive letter for the network place. This feature allows a share to be mapped to a drive letter. Once mapped, the user is able to access the network share through Windows Explorer, no longer needing to connect to the Barracuda SSL VPN to see the content.
• Drive: Select a drive to map to this network place.
File Management

When a network place is executed the file system is opened in a new window. The window displays the content of the file system. All the content from here and below can be managed: files removed, uploaded and even deleted, as if you were connected directly to the file system. The permissions selected during the configuration of the resource determine which actions are available to the user. The full list of available actions against each file is listed below.
Editing a Network Place

From the network place page select the Edit action against the required resource and the Edit Network Place page will be shown. From this page the current details stored can be modified.

Deleting a Network Place

The Delete action removes a network place resource permanently from the system. Selecting the Delete action against a network place will result in a warning message informing that the resource is about to be deleted, as shown below.
Step 3 Under the Network Tasks pane select Add a network place.
Step 4 This starts the Add Network Place wizard.
Step 5 The wizard will briefly search for information about service providers and will then present you with the following screen. Select Choose another network location and click Next.
Step 6 Now you need to enter the fully qualified domain name of your Barracuda SSL VPN server.
In the screenshot above the Barracuda SSL VPN is https://remoteServer.co.uk and the network place, as named in Network Places on the system, is Public. When executed, Web Folders will communicate with the appliance at remoteServer.co.uk. It will then request the URI for a network place named Public. It is this URI that will then be mapped to the Web folder.
Step 7 The Web Folders client will attempt to connect to the resource and you will be prompted to enter your authentication details.
In ‘My Network Places’ a new shortcut is created. This shortcut can be moved to the desktop so that all a user needs to do to access the shared folder is double-click this icon and enter their Windows logon information.
Windows Explorer Drive Mapping

This feature adds the ability for a user to create a network place and assign it a drive letter when using Microsoft Windows 2000 or later. The effect of this is that once the Barracuda SSL VPN Agent is running the drive becomes available in the user's Windows Explorer and, like any other drive listed in Windows Explorer, this drive and its content can be accessed for the lifetime of the Agent.
Configuring Windows Explorer Drive Mapping

A number of configuration properties can be accessed from Management Console > System Configuration > Windows Integration > Drive Mapping and are detailed below.
• Debug: Enable debugging for drive mappings. This should only be set if asked by a Barracuda Central engineer.
• Debug Flags: Flags for the above debug option.
• Streaming Threshold: The size at which files are streamed. Streaming maintains an open file on the remote filesystem.
Applications

This feature of the Barracuda SSL VPN allows for the publishing of applications that are to be either downloaded or launched by your clients. The benefits of being able to distribute resources in this way are mainly linked with convenience and the reduced cost of distributing applications and dependent software.
Delete Application shortcut
Edit Application shortcut details
Execute resource (user console)

Publish a new Application

In order to demonstrate the publishing of a new application, this section details the steps required to use the UltraVNC Extension to create a VNC connection to a system. UltraVNC is easy to use, fast and free software that can display the screen of another computer (via the Internet or a network) on your own screen.
• Port: The port on which the remote is listening. If the VNC server uses display numbers instead of ports (i.e. if the VNC server is hosted on a Linux system), simply add 5900 to the display number to get the port number.
• Password: The password for the remote VNC server.

Display Tab

Each of the options is described briefly below:
• Full Screen: When enabled the remote desktop session will take up the entire screen.
• Display Scale: Magnify or reduce the display area of the remote desktop.
Step 5 This page allows for the configuration of policies to be applied against the new application record. Policies can be added, removed or even configured from this page. When all relevant policies have been applied, click the Next button, which displays the summary page.
Step 6 If all information on this page is correct, press the Finish button to advance to the final wizard page.
SSL Tunnels

SSL Tunnels allow for ad-hoc connections to be made between networked computers.

What is an SSL Tunnel?

An SSL Tunnel is simply a connection between two TCP enabled components. All of the data transmitted over a tunnel is encrypted using the SSL protocol. This is done the same way as in other tunneling technologies. For example, a user may wish to create a secure tunnel to a TCP/IP enabled database.
Step 1 To create a new SSL tunnel, first click the “Create Tunnel” action from the SSL tunnel main page. This will then start the wizard, the first page of which follows.
Step 2
• Name: The name to be used to identify the SSL tunnel.
• Description: A description of the SSL tunnel.
• Add to favorites: A checkbox that, if selected, will add the SSL tunnel to the favorites of the appropriate accounts.
Once all the relevant values have been completed simply click the Next button.
• Destination Port: The port number of the host that forms the other end of the tunnel. This is the port on which the Barracuda SSL VPN creates a server that is connected via the tunnel to the Agent, which in turn is connected to the client application (a server of some kind, a VNC server for example; in this case people on the appliance would be able to use a VNC viewer to display and control the remote desktop, e.g. this would run on port 5900).
• Auto. Start: A checkbox that is disabled by default.
Step 6 Finally, click on the Exit Wizard button to close and exit the wizard. The newly created SSL tunnel will now be displayed on the main page. In addition to this a new item will become available from the User Console as shown below (navigation is User Console > Resources > SSL Tunnels). SSL tunnels require the Barracuda SSL VPN Agent to be running in order to operate correctly.
Step 3 Selecting No will cancel the action and return to the SSL tunnels screen. Selecting Yes will remove the SSL Tunnel and return to the main SSL tunnels screen.
Profiles

Profiles configure the general working environment for a user. The system provides two areas of control: the session properties and the Barracuda SSL VPN Agent properties. This chapter covers all that is needed to use and manage profiles, from creating to configuring them.
If a user has been given the permission to maintain profiles only those profiles associated with a user’s policy are visible from the user console under User Console > Resources > My Profiles.
Step 4 In the final step the wizard presents a summary of the profile. Pressing the Finish button will end the wizard and create the profile. As you will have noticed, the configuration of the profile has not been done; the profile takes on the properties of the base profile. To configure this profile further the Edit Profile Parameters action must be selected. This is detailed next.
Editing Session Details

Replacement Variables

The ${} indicates that replacement variables can be included in the resource definition. Clicking this icon loads the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user-defined attributes.
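As an added example (not the appliance's own code) of the replacement variables described here, in the network place path fields, and in the Web forward Form Parameters (sPassword=${session:password}), the Python below resolves ${session:...} and ${args:...} references in a resource definition and refuses to substitute anything it cannot resolve. The two namespaces come from the guide; the variable names, the sample session and attribute values, and the log-redaction helper are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, Mapping

# ${namespace:name}: only the two namespaces the guide names, and only a plain
# identifier alphabet for the name, so a malformed reference is left alone rather
# than being substituted loosely.
_VAR_RE = re.compile(r"\$\{(session|args):([A-Za-z0-9_.-]+)\}")


class UnresolvedVariable(KeyError):
    """Raised when a referenced variable does not exist for this session."""


def resolve(template: str, session: Mapping[str, str], args: Mapping[str, str]) -> str:
    """Expand every ${session:x} / ${args:y} in template; fail closed on unknown names."""
    sources = {"session": session, "args": args}

    def _sub(m):
        ns, name = m.group(1), m.group(2)
        try:
            return sources[ns][name]
        except KeyError:
            # Never silently substitute an empty string for a missing value: a path or
            # form field that expands to "" could point at a different resource.
            raise UnresolvedVariable(f"${{{ns}:{name}}}") from None

    return _VAR_RE.sub(_sub, template)


def resolve_form_parameters(params: Mapping[str, str], session: Mapping[str, str],
                            args: Mapping[str, str]) -> Dict[str, str]:
    """Resolve every value in a Form Parameters box (e.g. sPassword=${session:password})."""
    return {k: resolve(v, session, args) for k, v in params.items()}


def redact(params: Mapping[str, str],
           secret_keys: Iterable[str] = ("sPassword", "password")) -> Dict[str, str]:
    """Copy of resolved parameters safe for an audit log: credentials are masked."""
    secrets = set(secret_keys)
    return {k: ("***" if k in secrets else v) for k, v in params.items()}


# Constructed sample session and user-defined attributes (not real data).
SESSION = {"username": "jsmith", "password": "s3cret!"}
ARGS = {"homeshare": "home", "ixPerson": "6"}
```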
SSL VPN Agent Proxy Configuration
• Type: Type of proxy server; this can also be configured to use whatever proxy the browser is using.
• Hostname: The hostname of the proxy server
• Port: Port number of the proxy server
• Username: If the proxy server requires authentication this will be the username provided. Leaving this blank will force authentication when the Agent connects to the proxy.
Selecting Yes will result in the removal of the resource from the system. If this profile is associated with any policies this link will also be removed along with all other associated links.
System Functions

This chapter encapsulates features that affect the Barracuda SSL VPN as a whole, from functions such as shutting down the server to viewing the status of the system.

Auditing

This powerful reporting tool allows for the real-time capture and analysis of user and system events. This ranges from items such as starting and stopping the system through to specific user events such as creating a favorite.
Creating a New Report

Step 1 In the main page select the Create Audit Report action from the action menu.
Step 2 This presents the report creation page. All tabs contain information specific to the report, and each can be configured. For example, dates can be defined in the Date tab. The report below has been configured to report on the week’s auditing results. Those who can run this report can also be defined through normal policies by selecting the Policy tab.
Step 3 Once saved this report should be visible from the main page. These reports can be executed over and over again by pressing the Execute icon against the appropriate report. Predefined dates such as 'Last Week' and 'Last Month' are run relative to the current date.
Running One-Off Reports

Not all reports need to be created beforehand; the auditing feature allows reports to be created on the fly and run immediately.
Step 1 Select the ‘Run Audit Report’ action from the action menu.
Step 2 From here items for the report can be configured, such as date ranges and the events you wish to record.
Step 3 Once configured simply press the Run Report button.
This will generate the report and allow it to be downloaded. When the file download dialog appears simply save or open the file. The report should be visible once opened, as below.
Appendix A Regular Expressions

The Barracuda SSL VPN allows you to use regular expressions in many of its features. Regular expressions allow you to flexibly describe text so that a wide range of possibilities can be matched. When using regular expressions:
• Be careful when using special characters such as |, *, '.' in your text. For more information, refer to Using Special Characters in Expressions on the next page.
• Matches are not case sensitive.
Table A.
Using Special Characters in Expressions

The following characters have a special meaning in regular expressions and should be escaped (prepended by the backslash character \ ) when you want them interpreted literally:

\s      Space character: shortcut for [ \n\r\t]
[^\s]   Non-space character
Miscellaneous
^       Beginning of line
$       End of line
\b      Word boundary
\t      Tab character
Table A.2: Special Characters

Examples

Table A.3 provides some examples to help you understand how regular expressions can be used.
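As an added example (not from the guide), the Python below demonstrates the two points this appendix makes: matches are not case sensitive, and a special character such as '.' must be escaped to be taken literally. The hostname allow-list scenario is constructed for the example to show how an unescaped '.' over-matches and why such patterns should also be anchored with ^ and $.

```python
import re
from typing import Iterable

# Characters with a special meaning in a regular expression (Table A.2's entries plus
# the remaining regex metacharacters), each of which needs a leading backslash to
# be matched literally.
SPECIAL = set(r"\.^$|?*+()[]{}")


def escape_literal(text: str) -> str:
    """Prepend a backslash to every special character so the text matches only itself."""
    return "".join("\\" + c if c in SPECIAL else c for c in text)


def compile_appliance_pattern(pattern: str):
    """Compile the way the appendix describes: matches are not case sensitive."""
    return re.compile(pattern, re.IGNORECASE)


def matches(pattern: str, text: str) -> bool:
    """True if the (case-insensitive) pattern is found anywhere in text."""
    return compile_appliance_pattern(pattern).search(text) is not None


def hostname_allowed(allowed: Iterable[str], host: str) -> bool:
    """Constructed allow-list check: each entry is escaped so '.' is literal, and
    anchored with ^ and $ so 'intranet.example.com.evil.net' cannot slip through."""
    return any(matches("^" + escape_literal(h) + "$", host) for h in allowed)
```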
Appendix B Limited Warranty and License Limited Warranty Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc., ("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks, Inc.
EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE.
BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS.
extent of a conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the written agreement, (2) the click-on agreement, and (3) this Energize Update Software License. License. Subject to the terms and conditions of and except as otherwise provided in this Agreement, Barracuda Networks, Inc., or a Barracuda Networks, Inc.
capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Energize Update Software. Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary notices on all copies, in any form, of the Energize Update Software in the same form and manner that such copyright and other proprietary notices are included on the Energize Update Software.
Renewal. At the end of the Energize Update Service Period, Customer may have the option to renew the Energize Update Service at the current list price, provided such Energize Update Service is available. All initial subscriptions commence at the time of sale of the unit and all renewals commence at the expiration of the previous valid subscription.
Appendix C Compliance Notice for the USA

Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules. Operation is subject to the following conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.