Barracuda Networks SSL VPN Specifications

B a r r a c u d a S S L V P N A d m i n i s t r a t o r ’ s G u i d e Version 1.0 Barracuda Networks Inc. 3

10 Initial Setup Checklist for Unpacking Thank you for purchasing the Barracuda SSL VPN. Match the items on this list with the items in the box. I

100 Configuring Windows Explorer Drive Mapping A number of configuration properties can be accessed from Management Console > System Configuration

101 Applications This feature of the Barracuda SSL VPN allows for the publishing of applications that are to be either downloaded or launched by

102 Delete Application shortcut Edit Application shortcut details Execute resource (user console) Publish a new Application In order to demonstra

103 • Port: The port on which the remote is listening. If the VNC server uses display numbers instead of ports (i.e. if the VNC server is hosted on

104 Step 5 This page allows for the configuration of policies to be applied against the new application record. Policies can be added, removed or ev

105 SSL Tunnels SSL Tunnels allow for ad-hoc connections to be made between networked computers. What is an SSL Tunnel? An SSL Tunnel is simply

106 Step 1 To create a new SSL tunnel, first click the “Create Tunnel” action from the SSL tunnel main page. This will then start the wizard, the

107 • Destination Port: The port number of the host that forms the other end of the tunnel. The port on which the Barracuda SSL VPN creates a server

108 Step 6 Finally click on the Exit Wizard button to close and exit the wizard. The newly created SSL tunnel will now be displayed on the main pa

109 Step 3 Selecting No will cancel the action and return to the SSL tunnels screen. Selecting Yes will remove the SSL Tunnel and return to the mai

11 Password: admin 2. Configure the IP Address, Subnet Mask, Default Gateway, Primary DNS Server and Secondary DNS Server as appropriate for your

110 Profiles Profiles configure the general working environment for a user. The system provides two areas of control and they are the session and

111 If a user has been given the permission to maintain profiles only those profiles associated with a user’s policy are visible from the user conso

112 Step 4 In the final step the wizard presents a summary of the profile. Pressing the Finish button will end the wizard and create the prof

113 Editing Session Details Replacement!Variables!The!${}!indicates!that!re placement!variables!can!be!inclu ded!in!the!resource!definition.!Cli ck

114 SSL VPN Agent Proxy Configuration • Type: Type of proxy server, this can also be configured to use whatever proxy the browser is using. • Hostn

115 Selecting Yes will result in the removal of the resource from the system. If this profile is associated with any policies this link will also be

116 System Functions This chapter encapsulates features that affect the Barracuda SSL VPN as a whole from functions such as shutting down the se

117 Creating a New Report Step 1 In!the!main!page!select!the !Create!Audit!R eport!action!fro m!action!menu! Step 2 This!presents!the!report!c reat

118 Step 3 Once!saved!this!report!sh ould!be!visible!fr om!the!main!page! These reports can be executed over and over again by pressing the execut

119 Running One-Off Reports Not all reports need to be created beforehand before they can be executed. The auditing feature allows reports to create

12 Set the Administrative Options To set the Administrative Options: 1. Select Basic  Administration. 2. Assign a new administration password to t

120 This will generate the report and allow it to be downloaded. When the file download dialog appears simply save or open the file. The report

121

122 Appendix A Regular Expressions The Barracuda SSL VPN allows you to use regular expressions in many of its features. Regular Expressions allow

123 Using Special Characters in Expressions The following characters have a special meaning in regular expressions and should be escaped (prepended b

124 Appendix B Limited Warranty and License Limited Warranty Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Dis

125 EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRO

126 BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES

127 extent of a conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the written agreement, (2) the click

128 capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Energize Upd

129 Renewal. At the end of the Energize Update Service Period, Customer may have the option to renew the Energize Update Service at the current list

13 To take advantage of the features of the Barracuda SSL VPN, you must route HTTPS incoming connections on port 443 to the Barracuda. This is typica

130 Appendix C Compliance Notice for the USA Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device

14 ALWAYS read the release notes prior to downloading a new firmware version. Release notes provide you with information on the latest features and f

15 Deployment Scenarios The following diagrams have been provided to show some basic deployments. A brief description of some of the more major chara

16 Configuring your Firewall to Route Incoming SSL Connections to the Barracuda SSL VPN There are many implementations of firewalls using software or

17 Seeing the above dialog means that the appliance has successfully been contacted and has sent a reply to the client’s browser.

18 Appliance Administrator Web Interface The Appliance Administrator Web interface is accessed using a different port to the standard interface and

19 Monitoring the Barracuda SSL VPN Checking Status Check the Basic > Status page for an overview of the health and performance of your Barracuda

2 Copyright Notice Copyright 2008, Barracuda Networks www.barracudanetworks.com v1x-081201-01-1201 All rights reserved. Use of this product and this

20 Configuring an SSL Certificate In order to only allow secured connections when accessing the Web administration interface, you need to supply a di

21 Updating the Firmware of Your Barracuda SSL VPN The Advanced > Firmware Update page allows you to manually update the firmware version of the s

22 Using the Reset Button to Reset the LAN IP address The Barracuda SSL VPN is assigned a default IP address of 192.168.200.200. You can change this

23 SSL VPN Administrator Web Interface The SSL VPN Administrator interface is the main point of interaction between the administrators of the system

24 Accessibility Initially only the administrator of the system will be able to access the management console. The administrator has access to every

25 Configuring User Databases All user data used and managed by the appliance must be stored somewhere. The Barracuda SSL VPN allows the configur

26 Controller. Hostnames can also be specified with a port number if different from the Domain Controller Port parameter. Service!Account!Authenti

27 • Page Size: The number of objects returned in each paged request, the default should be acceptable in most cases. • User/ Group Cache TTL: This

28 Organizational Units (OUs) In Active Directory, ‘Organizational Units’ (OUs) are the key structure for organizing users, computers, and other obje

29 • The time settings between the Active Directory server and the Barracuda SSL VPN appliance are synchronized. Kerberos authentication, used by Wi

3 INTRODUCTION ...6 GETTI

30 Configuring LDAP LDAP configuration is divided into five distinct areas. The first of these is the Configuration tab. • Hostname: Hostname of th

31 The next tab, ‘Role Schema’ requires role information so the appliance can successfully link to the correct role classes at run time. • Role cla

32 Advanced System Configuration The Advanced System Configuration (Management Console  Advanced  Configuration) page allows the configuration

33 • Active DNS Host Format: The format of the unique Active DNS hostname used to access reverse proxy web forwards. Password Options This page co

34 • Maximum Logon Cookie Age: Maximum age of the cookie that is used persist the logon if the browser is closed. A value of -1 will mean that the u

35 Appearance Logon Page This page defines the logon preferences. All users are affected by the changes made to this page. • Site Name: Define a

36 SSL Certificates An SSL certificate can be configured for the purpose of encrypted communication between server and client. This page enables th

37 Creating a CA A Certificate Authority is required to be able to issue certificates to the clients. This process defines the appliance as the autho

38 Step 1 Select the ‘Download CSR’ option available in the Action pane. Step 2 The ‘Download CSR’ action takes the content from the unsigned cer

39 Step 4 The system provides a summary of the action about to be performed. Selecting Back will allow the details to be modified. Once complet

4 OVERVIEW ...

40 Exporting Keys and Certificates If you need to retrieve the certificate or key for one that has been previously created then these can be exported

41 Attributes As with any large user management system, functionality that allows for simpler administration is always welcome. User attributes are

42 Applications Attributes can be used with application shortcuts, an attribute can be created as below which defines a hostname and a port number.

43 When the Web forward is configured the attributes are added to the authentication parameters. When the Web forward is finally executed the su

44 Delete User Attribute Edit User Attribute Creating Attributes Step 1 Select Create User Attribute from the action box at the top right of the

45 o Checkbox: you can specify a replacement name for the default true, false values. o Text area: this parameter allows the dimensions of the text

46 Fixed!System!Attributes!User!attributes ! created!by!the!system!such!as!th ose!categorized! under!Security!Questions!are!required!by!the ! syste

47 The session variable refers to the values available during the course of the session. So as above the system would replace this with the username

48 Access Control This section details how the system can be accessed, from creating user account to giving users access rights to the system. De

49 With trust playing such a significant part of remote access, the Barracuda SSL VPN solution has been designed to allow for either ‘coarsely grain

5 CREATING A NEW WEB FORWARD...

50 Utilizing this methodology, the Barracuda SSL VPN is able to maintain robust, secure, and flexible access control architecture. What is a Resou

51 A ‘permission’ is a special part of a policy. It adds the final level of control to the access control framework. As we have seen, not only can we

52 Creating Accounts Principals in their basic form refer to the users of the system upon which the services are delivered. Accounts are the means

53 The action icons against each account performs functions on the associated account, their respective objective is detailed below: Delete accoun

54 Step 5 Once the account has been saved the system will ask for a password for the new account. A new password must be entered. In addition the

55 Creating Groups Groups represent the alternative type of principal. Groups offer a more convenient type for larger enterprises with a greater u

56 Groups Interface Action Icon The action icons perform a particular function on the associated group. Available actions for a group are: Edit gro

57 Creating Policies Polices are the main building blocks in the access control architecture of the Barracuda SSL VPN. They form the bond between

58 Policy Interface The policy screen displays a summary of available policies in the system. It is from this screen that we can create, edit and de

59 To add an account simply use the selection buttons; ‘Add’ to add an Account to the ‘Selected Accounts’ list box or ‘Remove’ to remove an Accoun

6 Chapter 1 Introduction This chapter provides an overview of the Barracuda SSL VPN and includes the following topics: • Overview • Barracuda SSL V

60 Editing a Policy By selecting the ‘Edit’ action icon besides the policy of concern (from the policy page) the ‘Edit Policy’ page will be shown. Fr

61 Creating Access Rights The final piece in the policy chain is the resource. Once a policy has been created and principals attached then these

62 Edit resource permission Creating an Access Right Step 1 Select the type of access right from the action box. The wizard guides the user throug

63 Editing Access Rights By selecting the ‘Edit’ action icon against a resource permission, the ‘Edit Resource Permission’ page will be shown. From t

64 Authentication Schemes Authentication is the means of verifying a user’s identity; this can be in the form of a password or a code\key. To allo

65 Action Icons Delete policy Edit policy details Enable scheme Disable scheme Decrease priority of scheme Increase priority of scheme Creatin

66 Topmost!Modu l e!Must!be!a!Primary!Module!At!the!top!of!the ! Selected!Modules!window!there!must!be!a!module!which!can!be!a ! primary!module.!Th

67 Authentication Modules As mentioned previously, there are differences in the level of control available for the configuration of a module. This se

68 Modifying a Password Once a password has been assigned to the account it can be altered at any time by both the administrator from the Management

69 User Console This method is used by the user allowing them to securely modify their own password without any intervention by the administrator. S

7 Overview The Barracuda SSL VPN is an integrated hardware and software solution enabling secure, clientless remote access to internal network resour

70 The security function password structure is built around ‘regular expression’ syntax. Any valid expression will be accepted to parse passwords an

71 Step 1 Open the ‘Edit Personal Details’ page from User Console > My Account > Personal Details Step 2 Select the Security Questions tab

72 Resource Management Resources are the key entities that a user of the system will interact with. Without such things, a user has no means of u

73 • Network Place: Provide network file system access • Application: Deployment and execution of applications • SSL Tunnel: Configure SSL tunnels

74 The Barracuda SSL VPN Agent Many commonly used applications typically operate using unsecured protocols to facilitate the exchange of data. T

75 Executing Resources from the Barracuda SSL VPN Agent Once the Barracuda SSL VPN Agent is started you can execute any resource assigned to you from

76 Web Forwarding! Web forwards provide a secure way of remotely accessing a company’s intranet resources and as such are an essential tool in helpi

77 Technical Overview The Barracuda SSL VPN provides four ways in which a Web forward can be created, and these are as follows: • Tunneled: Suitabl

78 Reverse Proxy Reverse proxy like replacements does not rely on the Barracuda SSL VPN Agent and again despite this the communication link remains e

79 Creating a new Web Forward Step 1 Select the Create Web Forward action. Step 2 Select the type of Web forward you wish to create. Step 3 Onc

8 Barracuda SSL VPN Models The Barracuda SSL VPN comes in a variety of models. Refer to the following table for the capacity and features available

80 Configuring a Replacement Proxy Web Forward Replacement details require two sets of information; the first is the basic information of the Web sit

81 • Form Type: The type of form authentication to use, in most circumstances POST will be used to post the parameters listed in the Form Parame

82 Configuring a Reverse Proxy Web Forward As with replacement proxy this also requires two types of information, the basic URL information and the a

83 and suffixed by example.com is generated (e.g. active32432432424.example.com) and used by the client browser to access the reverse proxy. The Barr

84 ixPerson, sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided value

85 Editing a Web Forward From the Web forwards page select the Edit action against the required Web forward and the Edit Web Forward page will be sho

86 Outlook Web Access and Mail Check This mail check feature presents to the user an instant view of his or her email account status directly throug

87 mail server these are usually identical. If these are different, then each user needs to provide their mail authentication details on this screen

88 Network Places Network places are another vital tool against defending unwarranted access to the corporate network. By configuring a network p

89 Network Places Interface The main network place page lists the available shares. This page is located under Management Console > Resources >

9 Chapter 2 Getting Started This chapter provides an overview of The Barracuda SSL VPN detailing the initial installation and the basics of interacti

90 Creating a new Network Place Step 1 From the main network places page the action menu in the top right presents the only available action which i

91 • Host: Hostname of source filesystem • Port: Port of source filesystem • Path: Specific path that needs to be accessed on the host Replac

92 The final step is defining a drive letter for the network place. This feature allows a share to be mapped to a drive letter. Once mapped the user

93 File Management When a network place is executed the file system is opened in a new window. The window displays the content of the file. All the c

94 Editing a Network Place From the network place page select the Edit action against the required resource and the Edit Web Forward page will be sho

95 Step 3 Under the Network Tasks pane select Add a network place.

96 Step 4 This starts the Add network place wizard. Step 5 The wizard will briefly search for information about service providers and will then

97 In the screenshot above the Barracuda SSL VPN is https://remoteServer.co.uk and my network place as named in network places on the system is Pub

98 In ‘My Network Places’ a new shortcut is created. This shortcut can be moved to the desktop so that all a user needs to do to access the shar

99 Windows Explorer Drive Mapping This feature adds the ability for a user to create a network place and assign it a drive letter when using Microsof