Table of Contents

1. Barracuda SSL VPN - Overview (page 3)
1.1 Barracuda SSL VPN Release Notes 2.4 (page 3)
1.2 Deployment (page 5)
1.2.1 Hardware Specifications (page 7)
1.2.2 Virtual Systems (page 8)
1.2.2.1 Sizing CPU, RAM, and Disk for Your Barracuda SSL VPN Vx (page 9)
1.2.2.4 Barracuda SSL VPN Vx Quick Start Guide (page 13)
1.2.3 High Availability Deployment (page 16)
1.2.3.1 How to Configure a High Availability Cluster (page 16)
1.2.4 Licensing (page 18)
1.3 Getting Started (page 18)
1.4 Administrative Interfaces (page 20)
1.5 Access Control (page 21)
1.5.1 How to Create and Modify User Databases (page 22)
1.5.1.1 Example - Create a User Database with Active Directory (page 23)
1.5.2 Authentication Schemes (page 24)
1.5.2.2 How to Configure One-Time Password (OTP) Authentication (page 26)
1.5.2.3 How to Configure Public Key Authentication (page 27)
1.5.2.4 How to Configure SSL Client Certificate Authentication (page 28)
1.5.2.6 Example - Authentication with SMS Passcode RADIUS server (page 40)
1.5.3 How to Configure Policies (page 42)
1.5.4 Access Rights (page 43)
1.6 Resources (page 44)
1.6.1 Web Forwards (page 44)
1.6.1.1 Custom Web Forwards (page 44)
1.6.1.1.1 How to Create Custom Web Forwards (page 47)
1.6.1.2 How to Configure a Microsoft SharePoint Web Forward (page 48)
1.6.1.3 How to Configure a Microsoft Exchange OWA Web Forward (page 49)
1.6.2 Network Places (page 49)
1.6.2.1 How to Create a Network Place Resource (page 50)
1.6.2.2 How to Configure AV Scanning (page 51)
1.6.3 Applications (page 51)
1.6.3.1 How to Create an Application Resource (page 52)
1.6.3.3 How to Configure ActiveSync for Microsoft Exchange Servers (page 55)
1.6.3.4 How to Configure Microsoft RDP RemoteApp (page 56)
1.6.4 SSL Tunnels (page 57)
1.6.4.1 How to Create an SSL Tunnel (page 58)
1.6.5 Remote Assistance (page 59)
1.6.5.1 Requesting Remote Assistance (page 59)
1.6.5.2 Providing Remote Assistance (page 60)
1.6.6 Network Connector (page 61)
1.6.6.1 How to Configure the Network Connector (page 61)
1.6.6.2 How to Create a Static Route (page 62)
1.6.6.4 Using the Network Connector with Microsoft Windows (page 65)
1.6.6.5 Using the Network Connector with Mac OS X (page 66)
1.6.6.6 Using the Network Connector with Linux (page 67)
1.6.7 How to Configure IPsec (page 68)
1.6.7.1 How to Configure Mobile Devices (page 69)
1.6.7.2 How to Configure Remote Devices (page 71)
1.6.9 How to Configure Profiles (page 74)
1.6.10 Provisioning Client Devices (page 74)
1.7 Advanced Configuration (page 77)
1.7.1 Attributes (page 77)
1.7.2 Messaging (page 77)

Summary of Contents for Barracuda SSL VPN V Series

  • Page 1: Table Of Contents

    1.2.2.3 How to Enable Promiscuous Mode on VMware for the Barracuda Network Connector (page 11), 1.2.2.4 Barracuda SSL VPN Vx Quick Start Guide...
  • Page 2 1.7.3 Agents (page 78), 1.7.3.1 How to Configure a Server Agent...
  • Page 3: Barracuda SSL VPN - Overview

    Barracuda SSL VPN - Overview The Barracuda SSL VPN is an ideal appliance for giving remote users secure access to network resources. The Barracuda SSL VPN only requires a browser to give remote users access from any computer. Built-in and third-party multi-factor authentication and network access control (NAC) connect only clients that meet chosen security standards.
  • Page 4 What's new with the Barracuda SSL VPN Version 2.4.0.9 New Features The Device Configuration feature allows resources and other settings configured on the Barracuda SSL VPN to be provisioned directly to a user's device. Improved SharePoint functionality, including support for SharePoint 2013.
  • Page 5: Deployment

    Multilayer Firewall DMZ Deployment – In a DMZ between the external and internal firewall. Additional ports have to be opened on the internal firewall to access internal resources. Isolated Deployment – The Barracuda SSL VPN is reachable from the Internet. All resources connect via Server Agents which initiate the connection from inside the networks. No ports have to be opened.
  • Page 6 Direct Access DMZ Deployment The Barracuda SSL VPN is deployed behind the firewall. Only one port (443) has to be opened up by the firewall and forwarded to the SSL VPN. You have direct access to all services (authentication, file, web, etc.) in the intranet without further configuration.
  • Page 7: Hardware Specifications

    Hardware Specifications Warranty and Safety Instructions Unless you are instructed to do so by Barracuda Networks Technical Support, you will void your warranty and hardware support if you open your Barracuda Networks appliance or remove its warranty label. Barracuda Networks Appliance Safety Instructions Hardware Compliance.
  • Page 8: Virtual Systems

    Remote Desktop Single Sign-On Antivirus L2TP/IPsec, PPTP Mobile Device Support Client Access Controls Active Directory/LDAP Integration Layered Authentication Schemes Remote Assistance Multiple User Realms Barracuda SSL VPN Server Agent Hardware Token Support RADIUS Authentication Syslog Logging SNMP/API Clustering/High Availability Virtual Systems...
  • Page 9: Sizing CPU, RAM, and Disk for Your Barracuda SSL VPN Vx

    You can pair a Barracuda SSL VPN Vx with a hardware Barracuda SSL VPN appliance to create a high availability cluster. With a load balancer, you can create a configuration that uses the resources of...
  • Page 10: How to Deploy Barracuda SSL VPN Vx Virtual Images

    How to Deploy Barracuda SSL VPN Vx Virtual Images Barracuda offers three types of packages for virtual deployment. Follow the instructions for your hypervisor to deploy the Barracuda SSL VPN Vx appliance. Package Type Hypervisors VMware ESX and ESXi 3.5...
  • Page 11: How to Enable Promiscuous Mode on VMware for the Barracuda Network Connector

    About Promiscuous Mode Place the virtual network adapter for the Barracuda SSL VPN Vx in promiscuous mode so that it can detect all frames that are passed on the virtual switch. If you have already set up a Barracuda SSL VPN Vx...
  • Page 12 Barracuda Networks recommends that you configure a port group to allow promiscuous mode. Enable Promiscuous Mode on a vSwitch Add a new port group, and set it to promiscuous mode. Then set your VM client to the port group. Log into the vSphere client, and select the ESX host.
  • Page 13: Barracuda SSL VPN Vx Quick Start Guide

    Accept Click , and then click Close Set your VM client to the new port group. Right-click the Barracuda SSL VPN virtual machine, and select Edit Settings In the left pane, click Network Adapter 1 In the Network Connection...
  • Page 14 The virtual machine reboots after you finish the configuration. Step 2. Open Firewall Ports If your Barracuda SSL VPN Vx is located behind a corporate firewall, open the following ports on your firewall to ensure proper operation: Port Protocol...
  • Page 15 8000/8443 need similar port forward configurations. Barracuda Networks recommends that you use the appliance web interface on port 8443 (HTTPS). Step 7. Verify Incoming SSL Connections to the Barracuda SSL VPN Vx After you configure your corporate firewall to route SSL connections to the Barracuda SSL VPN Vx, verify that you can accept incoming SSL connections.
  • Page 16: High Availability Deployment

    High Availability with a Load Balancer If you want all clustered Barracuda SSL VPNs to process traffic, use a load balancer (such as the Barracuda Load Balancer) to direct traffic to the HA units while maintaining session persistence. You must have a load balancer to spread the load over all Barracuda SSL VPN cluster members.
  • Page 17 It is limited to only ASCII characters. Adding an Appliance to the Cluster Any Barracuda SSL VPN appliance that is added to the cluster will have most of its local data (except user data and that specified in Non-Clustered Data) overwritten with settings extracted from the cluster.
  • Page 18: Licensing

    With Instant Replacement, a replacement for your Barracuda SSL VPN hardware ships within 1 day if your appliance fails. Every 4 years, your Barracuda SSL VPN is replaced by a new appliance with the latest hardware for your SSL VPN model. Standard technical support (24x7) is also included.
  • Page 19 To prevent certificate errors whenever your users connect to the Barracuda SSL VPN, it is recommended that you install an SSL certificate signed by a trusted CA. You can generate the signing request directly on the Barracuda SSL VPN. Your SSL certificate must use the full DNS name (e.g.,...
  • Page 20: Administrative Interfaces

    How to Configure PPTP Administrative Interfaces The Barracuda SSL VPN uses two administrative interfaces: the appliance web interface and the SSL VPN web interface. Appliance Web Interface You can access the appliance web interface at either of the following IP addresses or http://<configured...
  • Page 21: Access Control

    Access Control To access and use the resources provided by the Barracuda SSL VPN, a user must be able to authenticate. Additionally, the user's device must adhere to any configured network access control (NAC) policies. You can configure user authentication as either a single- or multi-factor process, using a combination of information stored in the authentication services and additional authentication procedures defined in the Barracuda SSL VPN.
  • Page 22: How To Create And Modify User Databases

    How to Create and Modify User Databases A user database specifies where user authentication information is stored. The Barracuda SSL VPN 380 and above support multiple user databases, letting you define different access policies for resources that are shared by users. The Barracuda SSL VPN supports authentication...
  • Page 23: Example - Create A User Database With Active Directory

    Before You Begin Before you begin, verify that your Barracuda SSL VPN can reach your Microsoft Active Directory server. If you deployed your Barracuda SSL VPN in a DMZ, open the necessary ports for read or read/write access to your Active Directory server.
  • Page 24: Authentication Schemes

    SSL client certificate installed in the browser's certificate store against the root certificate that is uploaded to the Barracuda SSL VPN. The SSL client certificate can be installed manually, per Active Directory policy, or with a hardware token using the vendor's utility.
  • Page 25: Hardware Token Authentication

    Because the RADIUS server is an external authentication service, it is not managed by the appliance. You must verify that the user information hosted on the RADIUS server corresponds to the information stored in the user database on the Barracuda SSL VPN.
  • Page 26: How to Configure One-Time Password (OTP) Authentication

    SafeNet iKey This product uses a small USB device typically carried on your key chain. It uses SSL client certificates to present a certificate to the Barracuda SSL VPN. The user also has to enter a secret pass phrase, further improving security. The client computer must have a special utility (CIP) installed, which uploads the certificate on the USB token to the Windows certificate store.
  • Page 27: How To Configure Public Key Authentication

    Click Save Changes If you configured the Barracuda SSL VPN to send OTPs by email, no additional configurations are required. When the appliance sends an OTP, it obtains the email address of the user from the user database. Step 3. (If Sending OTPs via SMS) Configure the SMTP to SMS Service...
  • Page 28: How to Configure SSL Client Certificate Authentication

    Reset Authentication Key On the next log in the user will be asked to enter his password and a new passphrase. The Barracuda SSL VPN will then generate a zip file containing the authentication key, which the user can download.
  • Page 29: Example - How to Install and Configure YubiRADIUS

    Barracuda SSL VPN. The Barracuda SSL VPN validates the offered client certificate according to parameters that are defined by you. If you do not check for certificate attributes that are unique to each user, any user can log in with a browser that has a valid SSL client certificate.
  • Page 30 A YubiKey A VM host server to load the Virtual Appliance An external user database, such as Active Directory or LDAP, that both Barracuda SSL VPN and YubiRADIUS servers can query Reference The YubiRADIUS configuration guide can be found here: http://static.yubico.com/var/uploads/pdfs/YubiRADIUS_Virtual_Appliance_3_5_1.pdf...
  • Page 31 Apply the settings and enter the user password to confirm. Disconnect from the network and reconnect using the network icon in the top right area of the screen. With a web browser, navigate to the IP address of the appliance, which should present a Webmin logon screen. Log in with user yubikey and password...
  • Page 32 Enter a valid domain name and click Add Domain Click on the Global Configuration tab, then click General . You may opt to set Auto-provisioning , although it may be simpler to keep it set to initially. Ensure that Append OTP to is set to Password...
  • Page 33 Go back to Global Configuration and click Validation Server . This configuration will use the YubiCloud validation servers. For this to work, your network's firewall needs to allow outbound access on TCP ports 80 and 443 to api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com, and api5.yubico.com. To get a client ID and API key, go to https://upgrade.yubico.com/getapikey/...
  • Page 34 Insert the resulting client ID and secret key in the Client ID and API key fields and click Save Navigate to the Domain tab, then select your domain that was added earlier. Click the Users Import tab. Enter the hostname for your user database and set the Directory Type to either Active Directory...
  • Page 35 The users should now be imported successfully: Now go back to the Domain tab and click on your domain; you should now see which accounts may authenticate. If you click on a group, the users should become visible (note that there are currently no YubiKeys assigned).
  • Page 36 - Click the field and press the YubiKey button. This should authenticate successfully. The final appliance configuration step is to inform the system that the Barracuda SSL VPN will be a RADIUS client: - Access the Domain tab, then select your domain.
  • Page 37 - In the Add Client section, enter the IP address of the Barracuda SSL VPN, and set and confirm a shared secret (this will be needed for the Barracuda SSL VPN configuration). - Click The RADIUS client should now appear in the list:...
  • Page 38 Navigate to ACCESS CONTROL > Configuration and scroll to the RADIUS section. Enter the hostname or IP address for the YubiRADIUS appliance in the RADIUS Server field. Keep the ports the same. Enter the same shared secret as used in the YubiRADIUS RADIUS client configuration earlier. Set the Authentication Method to PAP.
  • Page 39 Now you can connect to the Barracuda SSL VPN via this user account. Enter the username and click Login Insert the user's database password (don't confirm with enter at this stage) and immediately press the YubiKey button (so that the...
  • Page 40: Example - Authentication with SMS Passcode RADIUS Server

    The user should now be logged on successfully: Example - Authentication with SMS Passcode RADIUS server You can use SMS Passcode servers to authenticate users with one-time passwords (OTP) that are sent via SMS. The user logs in with a username and password and then receives an SMS containing the OTP (e.g., ).
  • Page 41 Step 2. Create an Authentication Scheme Step 3. Test the SMS Passcode Authentication Step 1. Configure the RADIUS Server On the Barracuda SSL VPN, enter the configuration for the SMS Passcode RADIUS server. Go to the Manage System > ACCESS CONTROL > Configuration page.
  • Page 42: How To Configure Policies

    Every resource must have at least one policy attached. When users log into the Barracuda SSL VPN, they can only view resources for which they meet the following policy criteria: They are listed in one or more of the policies that are attached to the resource.
  • Page 43: Access Rights

    Go to the Manage System > ACCESS CONTROL > Policies page. In the Create Policy section, configure your policies. For each policy: Enter a name for the policy. Add the Accounts and Groups that must be members of the policy. The Accounts that you add appear in the Selected Accounts...
  • Page 44: Resources

    For more information on the types of resources that you can configure on your Barracuda SSL VPN, see the articles that are linked in the following table:...
  • Page 45 Web Forward configuration when the Resource is launched. For example, when you create a Web Forward for http://sslvpn.myco.cc/blog and this blog page also contains images from a path called /images from the root of the server, the Barracuda SSL VPN adds /blog and /images to the Web Forward configuration.
  • Page 46 You must configure your DNS server to resolve all generated subdomains to the IP address of the Barracuda SSL VPN. Tunneled Proxy A tunneled proxy uses the Barracuda SSL VPN Agent on the client to open up an SSL tunnel to the Barracuda SSL VPN. The client's browser connects to a localhost address (e.g., .
  • Page 47: How To Create Custom Web Forwards

    Forward. Direct URL The Direct URL type is a direct link to an external website. Traffic does not pass through the Barracuda SSL VPN. This should be used for linking to external resources, such as search engines, Wikipedia, etc...
  • Page 48: How to Configure a Microsoft SharePoint Web Forward

    Resource Categories section, and add the available categories that you want to apply to the Web Forward. If you want the Web Forward to automatically launch whenever users log into the Barracuda SSL VPN, scroll to the Details section and...
  • Page 49: How to Configure a Microsoft Exchange OWA Web Forward

    Adding a resource category to a Web Forward makes it available to the user on the My Resources page. You can also configure this Web Forward to be launched automatically every time a user logs into the Barracuda SSL VPN by setting Auto-Launch Network Places...
  • Page 50: How To Create A Network Place Resource

    Windows credentials. Configured Web Folders must go through the Barracuda SSL VPN server so that the share can be seen by the client operating system. For security reasons, the Barracuda SSL VPN only allows Web Folders that are mapped to existing Network Places This enforces policy restrictions;...
  • Page 51: How to Configure AV Scanning

    Licensing When virus scanning is enabled, the Barracuda SSL VPN scans files that are uploaded through the Barracuda SSL VPN for viruses and other malware. You can determine the types of files to scan by specifying a pattern or a specific filename. Any file matching one of the current pattern...
  • Page 52: How To Create An Application Resource

    Some tasks require the use of client-server applications. The Barracuda SSL VPN Agent on the client establishes a secure tunnel to the Barracuda SSL VPN and then launches the application specified by the application resource. Application definitions are regularly updated with Energize Updates.
  • Page 53: How To Configure Outlook Anywhere

    Outlook. If required, open port 443 on your internal firewall so that the Barracuda SSL VPN can communicate with the Exchange Server.
  • Page 54 Connection settings section, complete the following steps: In the Use this URL to connect to my proxy server for Exchange field, enter the Barracuda SSL VPN hostname. Check the option for On fast networks, connect using HTTP first, then connect using TCP/IP...
  • Page 55: How to Configure ActiveSync for Microsoft Exchange Servers

    Outlook. If required, open port 443 on your internal firewall so that the Barracuda SSL VPN can communicate with the Exchange Server.
  • Page 56: How to Configure Microsoft RDP RemoteApp

    Barracuda SSL VPN hostname. Add an entry for this hostname in your external DNS servers so that it resolves to the public IP address of the Barracuda SSL VPN. When connecting mobile devices to the Barracuda SSL VPN, use this new user database hostname as the server address.
  • Page 57: SSL Tunnels

    SSL Tunnels are used to encrypt data for client/server applications which normally do not use encryption. The tunnel is created by the SSL VPN Agent and terminated at the Barracuda SSL VPN (local tunnel). The remote user does not connect directly to the remote resource as in a VPN,...
  • Page 58: How to Create an SSL Tunnel

    An outgoing SSL tunnel protects TCP connections that your local computer forwards from a local port to a preconfigured destination IP address and port, reachable by the Barracuda SSL VPN that the user is connected to. To use the tunnel, the application or browser connects to a random listener port on the 127.0.0.1 or 127.0.0.2 localhost address.
  • Page 59: Remote Assistance

    Requirements for Remote Assistance The Barracuda SSL VPN Agent requires the Oracle Java Virtual Machine (JVM) to be installed on both the remote and the help desk systems in order for the two-way communication tunnel to be initiated. Specialized VNC client/server software is used to access and control the remote system.
  • Page 60: Providing Remote Assistance

    The request is added to the My Remote Assistance Requests section. Step 2. Launch the Remote Assistance Request As soon as the helpdesk administrator has contacted you and requests access to your system, click on your remote assistance request to launch the session. Once the assistance session has started, you can communicate with the assistant.
  • Page 61: Network Connector

    When a client connects to the Barracuda SSL VPN with the Network Connector, it is assigned a secondary IP address from the IP range defined in the network connector resource configuration. The network connector uses the assigned secondary IP and the configured published routes to determine which traffic to forward to the internal network.
  • Page 62: How To Create A Static Route

    Name and Primary DNS Server The default values are derived from the values already assigned to the Barracuda SSL VPN. The domain name configured here will be used whenever a requested system is identified only by its system name without the domain portion (i.e., not as an FQDN), and the primary DNS server will be used to resolve all supplied hostnames.
  • Page 63: Advanced Network Connector Client Configuration

    To configure an Up Command to create a static route on the client system when the configuration file is launched, proceed as follows: From the Barracuda SSL VPN web interface, log in as ssladmin and verify that you are in the Manage System mode.
  • Page 64 Up commands are executed from a temporary script file created by the Barracuda SSL VPN when a remote client connects with the Network Connector. This script can be used to create the needed static routes when the Barracuda SSL VPN is installed in a DMZ. For more information, see How to Create a Static Route.
  • Page 65: Using The Network Connector With Microsoft Windows

    You can launch the client portion of the Network Connector remotely in one of two ways: By signing into the Web interface of the Barracuda SSL VPN and launching the Network Connector. By running the Network Connector in stand-alone mode.
  • Page 66: Using the Network Connector with Mac OS X

    Once installed, the Network Connector is ready for use by any user on the remote system who is logged in through the web interface of the Barracuda SSL VPN. Related Articles Network Connector...
  • Page 67: Using The Network Connector With Linux

    No separate client software is needed to connect from Linux systems to the Network Connector service, since most modern Linux distros already contain the required support in the OpenVPN NetworkManager-openvpn packages. However, a configuration file must be installed in order for the system to connect to the Barracuda SSL VPN. In this article: Step 1.
  • Page 68: How To Configure IPsec

    Step 3. Apply the Installation to the Client Device Before you Begin On your organization's firewall, allow authentication traffic to and from the Barracuda SSL VPN. UDP over ports 500 and 4500 must be enabled to reach the Barracuda SSL VPN for L2TP/IPsec connections to function.
  • Page 69: How To Configure Mobile Devices

    Provision on the bottom of the page How to Configure Mobile Devices To configure your mobile device to connect to the Barracuda SSL VPN, follow the instructions given in the relevant article section: Configure an iOS Device Configure an Android Device...
  • Page 70 Edit Windows 8 RT Registry Entry If both your remote computer and the Barracuda SSL VPN are behind a router that uses NAT (which is the most common scenario), you will have to edit the Windows 8 RT registry to allow access to an L2TP/IPsec server behind NAT-T devices.
  • Page 71: How To Configure Remote Devices

    This opens the Create a VPN Connection window in Desktop mode. Enter the Barracuda SSL VPN IP address or host name, and enter a name for the connection. Click Create. The Networks widget will appear and give you the option to connect. This is not going to work yet, though, as you have not yet entered the preshared key.
  • Page 72 This launches the Barracuda SSL VPN Agent and configures the VPN connection on your Windows 8 system. If these instructions do not work, your Barracuda SSL VPN is probably running an older version. Continue with the rest of this article. Windows 8 for IPsec Launch the browser on your remote system and log into the Barracuda SSL VPN.
  • Page 73: How To Configure PPTP

    Step 3. Download the Configuration to the Client Device Before you Begin On your organization's firewall, allow authentication traffic to and from the Barracuda SSL VPN. TCP over port 1723 and GRE (IP Protocol 47) must be forwarded to the Barracuda SSL VPN for PPTP connections to function.
  • Page 74: How To Configure Profiles

    On the Barracuda SSL VPN, configure PPTP to allow your remote users to authenticate and connect to the protected network. Log into the SSL VPN Web interface Navigate to the RESOURCES > PPTP Server page. Verify that you have selected the correct user database on the top right of the page.
  • Page 75 This functionality is supported on client devices running Microsoft Windows, iOS and Mac OS X 10.7 and above and requires Barracuda SSL VPN firmware version 2.4.0.9 or newer. The Device Configuration feature allows you to provision resources and other settings configured on the Barracuda SSL VPN directly on a user's device.
  • Page 76 When shortcuts are created, they point at URLs on the Barracuda SSL VPN. For example, the shortcut looks like https://sslvpn.example.com/web forward/jira. By default, the Barracuda SSL VPN will attempt to generate an alias from the resource name when it is created. This will strip out any...
  • Page 77: Advanced Configuration

    Advanced Configuration In addition to the general setup and configuration utilities, the Barracuda SSL VPN provides an advanced configuration area that lets you specify extended settings such as advanced system wide User and Policy attributes, Messaging and the Barracuda SSL VPN Agent that secures unencrypted connections from the client device to the SSL VPN.
  • Page 78: Agents

    How to Configure a Server Agent The Barracuda Server Agent is used to proxy traffic for resources located in a network which can not be reached directly by the Barracuda SSL VPN. For this example the client will request a web resource hosted on the a.example.com...
  • Page 79 Step 1. Install the Server Agent Client For every network you want to connect to the Barracuda SSL VPN with a Server Agent, install the client on a system in the network that can reach all the resources you want to access via the SSL VPN.
  • Page 80: How To Configure The SSL VPN Agent

    The SSL VPN Agent is launched by a small applet placed on all pages that require access to the SSL VPN client. When the Agent has been started the Barracuda SSL VPN Agent taskbar icon is visible. While the SSL Agent is running, you can start all your resources from the icon in the taskbar.
  • Page 81 Web Interface Syslog SNMP Support Related Article SNMP Status and Performance The Status page displays information about the current status of the Barracuda SSL VPN server for the last 24 hours. Log into the SSL VPN Web interface Go to the BASIC >...
  • Page 82: Notifications

    Monitor Web Syslog SNMP Support The Barracuda SSL VPN offers the ability to configure the monitoring of various settings through SNMP, including traffic and policy statistics. For instructions on how to configure SNMP settings on the Barracuda SSL VPN, see...
  • Page 83: SNMP

    Version – Select SNMP Community String – Enter a password to authenticate the SNMP server. Allowed SNMP IP/Range – Enter the IP addresses or range from which the Barracuda SSL VPN should accept SNMP queries. Click Save Changes Configure SNMP v3...
  • Page 84: Maintenance

    IP address of the network management system. Click Save Changes Maintenance The following article section describes in detailed steps how to configure and restore backups of the Barracuda SSL VPN configuration and explains the procedure of firmware updates. In this Section How to Configure Automated Backups...
  • Page 85: Update Firmware

    Early Release EA firmware is available for early adopters who wish to test the latest firmware from Barracuda Networks, or who have a specific need for early access, such as a new feature or bug fix that would be beneficial to your environment...
  • Page 86: How To Update The Firmware In A High Availability Cluster

    Delete all entries from the list of clustered systems, except the unit you are logged in to. Step 2. Update the Firmware Update one unit first to verify that the upgrade applies successfully and the Barracuda SSL VPN is operating as expected. Then update the rest of the systems.
  • Page 87: Limited Warranty And License

    Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate the software without problems or interruptions.
  • Page 88 The rights granted are limited to Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent or intellectual property rights. You own the media on which the Barracuda Software is recorded but Barracuda retains ownership of the Barracuda Software itself.
  • Page 89 (including, without limitation, reasonable attorneys fees and other dispute resolution expenses) incurred by Barracuda Networks arising out of or relating to Customers (a) violation or breach of any term of this Agreement or any policy or guidelines referenced herein, or (b) use or misuse of the Barracuda Networks Energize Update Software.
  • Page 90 In no event does Barracuda Networks warrant that the Energize Update Software is error free or that Customer will be able to operate the Energize Update Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the Energize Update Software or any equipment, system or network on which the Energize Update Software is used will be free of vulnerability to intrusion or attack.
  • Page 91 License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
  • Page 92 In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3.
  • Page 93 will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation.
  • Page 94 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE." Barracuda Products may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved. It is covered by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 95 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity"...
  • Page 96 “open source” license agreements is available from Barracuda Networks at no charge. If you would like a copy of the source code or the changes to a particular program we will gladly provide them, on a CD, for a fee of $100.00. This fee is to pay for the time for a Barracuda Networks engineer to assemble the changes and source code, create the media, package the media, and mail the media.
