manualshive.com logo in svg

Barracuda SSL VPN V Series, Manual, Page: 25 / 96

Share
Download
Barracuda SSL VPN V Series Manual Download Page 25

Public Key

Public key authentication is one of the most secure methods of authentication, because the authentication information can be stored on a

removable medium such as a USB key device. You can generate the key files for every user, or you can reset the public keys for everyone, letting

users generate the keys during initial logins. After the key is generated, the login applet searches external media and the user's home directory for

available keys. The user selects the correct key and enters the matching 

to complete the login.

 

passphrase

For more information, see 

How to Configure Public Key Authentication

RADIUS

External RADIUS servers can be queried by the appliance to authenticate users. RADIUS servers are often used for external authentication

methods that require users to enter a secondary challenge password.

RADIUS servers are also integrated with some hardware token solutions. The hardware token generates a login 

and the RADIUS

 

passphrase

server interfaces with the external security appliance from the hardware token vendor, validating the string from the hardware key

generator. Challenge images can be used in combination with RADIUS authentication.

Because the RADIUS server is an external authentication service, it is not managed by the appliance. You must verify that the user information

hosted on the RADIUS server corresponds to the information stored in the user database on the Barracuda SSL VPN.

For more information, see 

 and 

Example - How to Install and Configure YubiRADIUS

Example - Authentication with SMS Passcode RADIUS

server

OTP (One-Time Password)

You can use one-time password (OTP) authentication as only a secondary authentication module. The OTP is generated by the appliance at login

and is only valid for a short period of time. The OTP can be delivered by email or SMS (if an external SMTP to SMS service is available). If you do

not want users to wait for OTPs during login, you can configure the appliance to deliver OTPs before login and set a longer expiration time (hours

or days). If a user's OTP expires before it can be used, a new OTP is sent during the user's next login. External OTP systems (e.g., 

SMS

) interface with the Barracuda SSL VPN via the RADIUS server and not with the OTP authentication module.

Passcode

For more information, see 

How to Configure One-Time Password (OTP) Authentication

Personal Questions

You can use the Personal Questions module as only a secondary authentication module. It does not require any external servers or configuration.

When users initially log in, they are asked five questions and their answers are stored by the module.

To authenticate a user, the module randomly selects one of the 

questions and compares the user input to the stored answer. If the

 

preconfigured

user input matches the answer, the user is logged in.

Hardware Token Authentication

Two factor or multi factor authentication is considered to be strong authentication, using

a combination of the "something you know" and "something you have" principles. For

the Barracuda SSL VPN these hardware solutions are based on two different

authentication mechanisms, the RADIUS and the SSL Client Certificate authentication

modules.

In this article:

Hardware Token Authentication using SSL Client Certificates

Hardware Token Authentication using RADIUS Integration

SafeNet iKey

Aladdin eToken PRO

RSA SecurID

VASCO Digipass

Secure Computing Safeword

Summary of Contents for SSL VPN V Series

Page 1: ...1 Web Forwards 44 1 6 1 1 Custom Web Forwards 44 1 6 1 1 1 How to Create Custom Web Forwards 47 1 6 1 2 How to Configure a Microsoft SharePoint Web Forward 48 1 6 1 3 How to Configure a Microsoft Exc...

Page 2: ...1 8 Monitoring 80 1 8 1 Basic Monitoring 80 1 8 2 Notifications 82 1 8 3 SNMP 83 1 9 Maintenance 84 1 9 1 How to Configure Automated Backups 84 1 9 2 Restore from Backups 84 1 9 3 Update Firmware 85...

Page 3: ...cess L2TP IPsec Configure secure remote access through smartphones and other mobile devices PPTP Barracuda SSL VPN Release Notes 2 4 Upgrading to Version 2 x When upgrading from version 2 3 or earlier...

Page 4: ...to a user s device Improved Sharepoint functionality including supporting Sharepoint 2013 Policy time restrictions are more comprehensive Improved browser NAC checking Download functionality for all...

Page 5: ...rompt window BNVS 4101 Sharepoint 2010 documents can be edited BNVS 4132 IPsec PPTP Timeout option added for IPsec PPTP sessions BNVS 4155 When launching PPTP if the connection already exists then a c...

Page 6: ...SSL VPN between the two firewalls another security layer is added It is also possible to install the Server Agent on a computer the internal network which initiates an SSL tunnel on port in 443 from t...

Page 7: ...urrent Amps 1 0 1 0 1 2 1 4 1 8 4 1 Redundant Disk Array RAID No No No Yes Yes Yes ECC Memory No No No No Yes Yes Redundant Power Supply No No No No No Hot Swap Warranty and Safety Instructions Unless...

Page 8: ...ec PPTP Mobile Device Support Yes Yes Yes Yes Yes Yes Client Access Controls Yes Yes Yes Yes Yes Yes Active Directory LDAP Integration Yes Yes Yes Yes Yes Yes Layered Authentication Schemes Yes Yes Ye...

Page 9: ...ores Recommended RAM Recommended Hard Disk Space V180 1 1 GB 50 GB V380 2 1 GB 50 GB V480 3 2 GB 50 200 GB V680 4 4 GB 200 500 GB V680 additional cores license Limited only by license 1 GB per core 50...

Page 10: ...greement and give the virtual appliance a name that is Next useful to your environment Click Finish After your appliance finishes importing right click it select and then click the green arrow to powe...

Page 11: ...gate to the file BarracudaSSLVPN vmx Use the default settings and click Finish Start the appliance Follow the instructions to provision your Barracuda SSL VPN Vx appliance Quick Start Guide Deploying...

Page 12: ...properties window that opens you can modify the configuration by port group Under the tab virtual port groups are vSwitch Ports listed Under the tab physical network interface cards in the server are...

Page 13: ...lick OK Close Set your VM client to the new port group Right click the Barracuda SSL VPN virtual machine and select Edit Settings In the left pane click Network Adapter 1 In the section select the por...

Page 14: ...arracuda SSL VPN Vx Virtual Images Step 1 Enter the License Code Enter the license token to start automatically downloading your license Start your virtual appliance Open the console for the Barracuda...

Page 15: ...e download finishes click to install the firmware The firmware installation takes a few minutes to complete Apply Now After the firmware has been applied the Barracuda SSL VPN Vx automatically reboots...

Page 16: ...Load Balancer If you want all clustered Barracuda SSL VPNs to process traffic use a load balancer such as the Barracuda Load Balancer to direct traffic to the HA units while maintaining session persi...

Page 17: ...tem is in Mode standby mode changes to its configuration are not propagated to other systems in the cluster Optional Distribute the incoming SSL traffic to each Barracuda SSL VPN using a load balancer...

Page 18: ...e performance of the appliance declines but no users are blocked When your user base grows you can upgrade the license and add additional cores to the virtual machine for increased performance Subscri...

Page 19: ...CA In the section click Trusted Signed by a trusted CA Edit Data In the window enter the full DNS name e g enter the requested information about your CSR Generation sslvpn example com organization an...

Page 20: ...e Access Rights Access Rights Configure Resources Resources Optional Configure L2TP IPsec or PPTP access How to Configure IPsec How to Configure PPTP Administrative Interfaces The Barracuda SSL VPN us...

Page 21: ...e stored locally on the Barracuda SSL VPN s built in user database or retrieved from external authentication servers User databases define where user information is stored The Barracuda SSL VPN 380 an...

Page 22: ...ntrol limits access to network resources according to a variety of factors that are not connected to the user Users who fail the NAC check are not allowed to log in until they have a conforming system...

Page 23: ...are using multiple user databases on the Barracuda SSL VPN 380 or above each user database manages its own authentication server configuration so you can configure multiple Active Directory servers o...

Page 24: ...ken using the vendor s utility It is recommended that you use the Client as a secondary module because it authenticates the Certificate module browser and not the user directly This is not the case wh...

Page 25: ...an use one time password OTP authentication as only a secondary authentication module The OTP is generated by the appliance at login and is only valid for a short period of time The OTP can be deliver...

Page 26: ...t certificate to authenticate It also uses a special software which has to be manually installed on every client computer RSA SecurID RSA SecurID uses its built in RADIUS server to enable communicatio...

Page 27: ...to send the OTP during user logins At Login Method of password delivery You can select either to send the OTP via email or to send the OTP to Email SMS over Email users cell phones Generation Type Sel...

Page 28: ...the following settings Key Authentication Allow user to create initial authentication key Enforce Password Security Policy Step 3 Generate Keys There are two ways the keys can be generated Creation a...

Page 29: ...se you can create or upload a unique root certificate Open the page Manage System ADVANCED SSL Certificates In the section select from the Import Key Type A root Certificate Authority certificate you...

Page 30: ...a link to the image Click the link to download the image Extract the files and import the virtual machine into your VM host server The images show XenServer The default settings should be correct in m...

Page 31: ...onfirm Disconnect from the network and reconnect using the network icon in the top right area of the screen With a web browser navigate to the IP address of the appliance which should present a Webmin...

Page 32: ...ame and click Add Domain Click on the tab then click You may opt to set to although it may be simpler to Global Configuration General Auto provisioning Yes keep it set to initially Ensure that is set...

Page 33: ...ewall needs to allow outbound access on TCP ports 80 and 443 to api yubico com api2 yubico com and api3 yubico com api4 yubico com api5 yubico com To get a client ID and API key go to Enter the email...

Page 34: ...ame that should be used to connect and cache the users in DN format Enter the service password Set the schedule for how often YubiRADIUS should re cache the list of users hourly is recommended If you...

Page 35: ...ported successfully Now go back to the tab and click on your domain you should now see which accounts may authenticate If you click on a group Domain the users should become visible note that there ar...

Page 36: ...an be performed Go back to the main module under in the left menu YubiRADIUS Virtual Appliance Servers and click the tab Troubleshoot Keep the as Client Secret test Enter the username that has the Yub...

Page 37: ...TROL Authentication Schemes a new authentication scheme which contains the RADIUS module Select click Select a policy which will be able to use RADIUS Add this authentication such as for example and c...

Page 38: ...hostname or IP address for the YubiRADIUS appliance in the RADIUS Server field Keep the ports the same Enter the same shared secret as used in the YubiRADIUS RADIUS client configuration earlier Set t...

Page 39: ...this user account Enter the username and click Login Insert the user s database password don t confirm with enter at this stage and immediately press the button so that the YubiKey password is a comb...

Page 40: ...MS The user logs in with a username and password and then receives an SMS containing the OTP e g After entering the OTP the user is logged in For nc43sa multi factor authentication you can combine SMS...

Page 41: ...the SMS Passcode RADIUS server Go to the page Manage System ACCESS CONTROL Configuration In the section enter the following information RADIUS RADIUS Server Enter the hostname or IP address of the SM...

Page 42: ...ode authentication scheme is not the default scheme select it Enter your username When prompted enter your SMS Passcode password and then click Login After you receive the OTP via SMS enter the OTP in...

Page 43: ...ersonal resources in the Manage Account mode of the SSL VPN web interface You can create an access right for a single user database or you can create an access right that is available to all user data...

Page 44: ...ntials configure Web Forwards With Web Forwards sensitive information does not need to be placed outside of your corporate firewall Because all communication is secured with SSL additional encryption...

Page 45: ...pn myco cc blog which the user can access https sslvpn example com blog images picture jpg The subdirectory of below is added to this Web Forward images blog https sslvpn example com blog page2 htm pa...

Page 46: ...ystem s host file to enable direct routing to the destination site Upon launch of a Web Forward of this type the Barracuda SSL VPN automatically uploads the additional configuration information to the...

Page 47: ...Proxy Tunneled Proxy Replacement Proxy Direct URL If you do not know what type of Web Forward to use Barracuda Networks recommends that you first try using the path based reverse proxy Note also that...

Page 48: ...ccess Mappings Step 1b Restart the IIS Server Step 2 Create a Web Forward Related Articles Web Forwards Custom Web Forwards Step 1 Configure SharePoint Server To configure the settings for SharePoint...

Page 49: ...Forward Related Articles Web Forwards Custom Web Forwards Step 1 Create a Web Forward To create and configure the Web Forward Log into the SSL VPN web interface Go to the page RESOURCES Web Forwards...

Page 50: ...system the drive becomes available in the Windows Explorer just like any local drive This feature uses a WebDAV connection to a locally created SSL tunnel that gets routed through to the server In th...

Page 51: ...s scanning Licensing When v is enabled the Barracuda SSL VPN scans files that are uploaded through the Barracuda SSL VPN for viruses and other malware You can determine the types of files to scan by s...

Page 52: ...uration settings When the user clicks the application resource the application is started with the settings provided by the administrator Follow these steps to create an application resource In this a...

Page 53: ...ficate If you are using a self signed certificate you must import it to the local certificate store on all the client machines on which you want to use Outlook If required open port 443 on your intern...

Page 54: ...s authentication when connecting to drop down menu my proxy server for Exchange Click and then click OK Next The Exchange Server prompts you to connect and requests your credentials In the User Name f...

Page 55: ...s In this article Before you Begin Step 1 Configure the Barracuda SSL VPN Step 2 Configure Exchange Server 2013 Step 3 Configure the Client Mobile Device for ActiveSync Connecting an Android Mobile De...

Page 56: ...use one user database However If you are using multiple user databases then you need a different hostname for each user database that you want to use with ActiveSync except for the default user databa...

Page 57: ...ted on the remoteapplicationnam Windows Server E g if the string in the rdp file is Navision remoteappliationname s Navision Remote Application Program Enter the value after the last colon of in the r...

Page 58: ...address instead of the 127 0 0 1 localhost address as the source address In this article Step 1 Create a SSL Tunnel Step 2 Optional Configure Advanced Tunnel Settings Step 3 Test the SSL Tunnel Step 1...

Page 59: ...requiring no separate installation Because the VNC application is downloaded on demand the user of the remote system must have administrator root rights The user must have the appropriate Access Righ...

Page 60: ...following steps Step 1 Access the Remote Assistance Request Step 2 Connect to the Remote System Step 3 Close the Remote Assistance Request Create a Request for other Users Step 1 Access the Remote As...

Page 61: ...de A component that when installed onto the remote system connects to the server interfaces client side When a client connects to the Barracuda SSL VPN with the Network Connector it is assigned a seco...

Page 62: ...soon Server Interfaces Client Configurations as a server interface is created you can customize the configuration according to your requirements You can create or copy and configure your client setti...

Page 63: ...address of 192 168 1 0 24 Barracuda SSL VPN on IP address and default gateway of 192 168 1 100 192 168 1 1 Main LAN network address of 192 168 50 0 24 The to publish for such a route would be Up Comm...

Page 64: ...client configuration then select the desired method here Up and Down Commands Up commands are executed from a temporary script file created by the Barracuda SSL VPN when a remote client connects with...

Page 65: ...ndows client installed on your remote system In this article Step 1 Install the Windows Client Step 2 optional Install the Client Configuration File Step 3 Launch the Network Connector Client Related...

Page 66: ...he network connector on your Mac In this article Step 1 Install the Mac Client Step 2 Install the Client Configuration File Step 3 Launch the Network Connector Client Step 1 Install the Mac Client Ope...

Page 67: ...twork Connector with Linux No separate client software is needed to connect from Linux systems to the Network Connector service since most modern Linux distros already contain the required support in...

Page 68: ...icon will change to show a padlock How to Configure IPsec You can configure the Barracuda SSL VPN to allow L2TP IPsec connections from remote devices using an L2TP IPsec client that supports using a...

Page 69: ...to exit the connection properties Connect to the IPsec server Step 3 Apply the Installation to the Client Device Once you are successfully connected Be aware that for this procedure the user must prov...

Page 70: ...xample sslvpn example com Set IPsec pre shared key Select to enter the pre shared key Enable L2TP secret Clear this setting DNS search domains Enter the default domain for the protected network for ex...

Page 71: ...dge of the screen tap the gear charm and then tap the currently Settings connected network icon The list will display and you will see the IPsec connection near the top Networks Select that connection...

Page 72: ...see a resource an administrator can change the name of this RESOURCES My Resources Barracuda IPsec resource Click on the icon This launches the Barracuda SSL VPN Agent and configures the VPN connecti...

Page 73: ...from the list VPN VPN type Select L2TP over IPSec Service name Name of your selection Select the service you created The status will show as Not Configured Enter the following Server Address The exter...

Page 74: ...the default view for resources icons or lists or also affect agent timeouts and proxy settings If multiple profiles are configures users can select different profiles when logging in or the administra...

Page 75: ...uration View Add In the list select the policies for which provisioning should be enabled and click Available Policies Add Click Add On the RESOURCES Configuration page in the Device Configuration sec...

Page 76: ...e the agent These items can be provisioned in the form of a profile installed on the device The remote user can specify the name of the profile on the RESOURCES Device Configuration page Client Certif...

Page 77: ...Exchange resource the Barracuda SSL VPN uses the server name stored in the policy attribute to connect to the correct server Messaging Messaging allows the user to send messages either to an individu...

Page 78: ...uda SSL VPN The Server Agents initiates a HTTPS connection from inside of the network using port 443 It then waits for requests from the SSL VPN and forwards traffic for the local resources For exampl...

Page 79: ...tep 2 Authorize Server Agents You need to authorize the Server Agents after the initial connection Log into the SSL VPN web interface Open the page Manage System ADVANCED Server Agents In the section...

Page 80: ...ed from the taskbar The SSL VPN Agent is terminated when the users session ends by logging out or closing the browser For more information see How to Configure Profiles Monitoring The Barracuda SSL VP...

Page 81: ...ing The screen displays all active sessions of users that are currently logged in Sessions Log into the SSL VPN Web interface Go to the page ACCESS CONTROL Sessions Expand a session by clicking where...

Page 82: ...o monitor containing information regarding various events such as user login activities and configuration changes made the Web syslog output from the administrative interface of the Barracuda SSL VPN...

Page 83: ...Configure SNMP v3 Enable SNMP Traps SNMP v2 Related Article Basic Monitoring IP address range from which the Network Management System will contact the Barracuda SSL VPN SNMP service SNMP community s...

Page 84: ...d to always have working backups of your appliance In case of a hardware failure or system misconfiguration the backup files can be used to quickly restore the appliance to working order The administr...

Page 85: ...Early Release EA The newest version of firmware available for early access from Barracuda Central Related Article How to Update the Firmware in a High Availability Cluster General Release GA firmware...

Page 86: ...e You will have to log in again ADVANCED Linked Management Cluster Shared Secret If you are using a Simple High Availability Cluster Navigate to ADVANCED Linked Management In the section clear the val...

Page 87: ...be furnished on an exchange basis All parts removed for replacement will become the property of the Barracuda Networks In connection with warranty services hereunder Barracuda Networks may at its dis...

Page 88: ...MEET YOUR REQUIREMENTS THAT THE OPERATION WILL BE ERROR FREE OR CONTINUOUS OR THAT DEFECTS WILL BE CORRECTED NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA REPRESENTATIVE SH...

Page 89: ...ME OF ACQUIRING SUCH COPY OR UPGRADE ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL ENERGIZE UPDATE SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE 2 USE OF UPGRADES IS LIMITED TO BARRACUDA NE...

Page 90: ...OR TRADE PRACTICE ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD BECAUSE...

Page 91: ...on is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outsid...

Page 92: ...s are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and...

Page 93: ...BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program and you want it to be of the greatest possible u...

Page 94: ...ion THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED I...

Page 95: ...or and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work 2 Grant of Copyright License Subject to the terms and...

Page 96: ...mages or losses even if such Contributor has been advised of the possibility of such damages 9 Accepting Warranty or Additional Liability While redistributing the Work or Derivative Works thereof You...

Reviews:

No comments