Barracuda Networks Inc.
3175 S. Winchester Blvd.
Campbell, CA  95008
http://www.barracuda.com

Barracuda SSL VPN Administrator's Guide

Version 1.5.x

Summary of Contents for SSL VPN

Page 1: ...Barracuda Networks Inc 3175 S Winchester Blvd Campbell CA 95008 http www barracuda com B a r r a c u d a S S L V P N A d m i n i s t r a t o r s G u i d e V e r s i o n 1 5 x...

Page 2: ...3 All rights reserved Use of this product and this manual is subject to license Information in this document is subject to change without notice Trademarks Barracuda SSL VPN is a trademark of Barracud...

Page 3: ...Deployments 16 SSL VPN Concepts 17 Security Policy and Resource Management 17 Organizational Control 18 Chapter 3 Getting Started 19 Initial Setup 20 Prepare for the Installation 20 Connect Barracuda...

Page 4: ...Network Connector 35 About The Barracuda Network Connector 36 System Requirements 37 Network Connector Interface 37 Connecting a Client to the Barracuda SSL VPN 38 Client Configurations 38 Up and Dow...

Page 5: ...rwards 65 Types of Attributes 65 How to use Attributes 65 Session Variable 67 Microsoft Exchange 2003 RPC HTTPS 68 RPC HTTPS 68 Configuration 68 Prerequisites 69 Configuring the Barracuda SSL VPN as a...

Page 6: ...hentication Manager 92 VASCO Digipass Token Configuration 93 Secure Computing SafeWord 93 Chapter 11 Monitoring the Barracuda SSL VPN 95 Monitoring Tasks 96 Viewing Performance Statistics 96 Setting u...

Page 7: ...107 Using Special Characters in Expressions 108 Examples 108 Appendix C Limited Warranty and License 111 Limited Warranty 111 Exclusive Remedy 111 Exclusions and Restrictions 112 Software License 112...

Page 8: ...viii Barracuda SSL VPN Administrator s Guide...

Page 9: ...Introduction 9 Chapter 1 Introduction This chapter provides an overview of the Barracuda SSL VPN and includes the following topics Overview 10 Features of the Barracuda SSL VPN 11...

Page 10: ...a SSL VPN integrates with third party authentication mechanisms to control user access levels and provide single sign on Enables access to corporate intranets file systems or other Web based applicati...

Page 11: ...network drives and are safely removed after the session ends The Barracuda SSL VPN Agent transparently encrypts all files copied to and from mapped drives Single Sign On The Barracuda SSL VPN integrat...

Page 12: ...Auditing and Reporting All resource access via the Barracuda SSL VPN is audited Reports are available in real time showing a comprehensive look at privilege usage failed logins file and intranet use...

Page 13: ...Concepts 13 Chapter 2 VPN Concepts This chapter provides an overview of the Barracuda SSL VPN and includes the following topics Basic Terminology 14 Barracuda SSL VPN Configurations 15 SSL VPN Concept...

Page 14: ...on your internal network Web Forwards A type of Resource for defining HTTP HTTPS based access Network Places A type of Resource for defining access to file systems Applications A type of Resource for...

Page 15: ...iguration Advantages BEHIND your corporate firewall Typical Deployment Allows all authentication to be handled by the Barracuda SSL VPN Only ONE firewall rule is needed to allow only secured traffic i...

Page 16: ...for Typical Deployments Clustered Deployment If you have a pair of Barracuda SSL VPNs that you would like to load balance then the load balancer would be placed between your firewall and the Barracuda...

Page 17: ...ome working for all of these employees and as a result each department requires secure access to relevant shared areas and resources on the company network In addition the managers have a level of res...

Page 18: ...tration type privileges The Managers Policy has Resource Access Rights attached which would allow managers to perform create edit and delete actions for example This enables managers to perform admini...

Page 19: ...to your corporate network This is followed by the configuration of the Barracuda SSL VPN itself which is performed over two separate Web interfaces the Administrative interface for system related item...

Page 20: ...ch type of deployment is most suitable to your network For more information on the deployment options see Barracuda SSL VPN Configurations on page 15 2 Verify you have the necessary equipment Barracud...

Page 21: ...but if not entered at this step then they must be entered in step 3b of Configure Administrative Settings on page 22 Select Exit The new IP address and network settings are applied to your Barracuda...

Page 22: ...N from the Web administration interface Make sure the system being used to access the Web interface is connected to the same network as the Barracuda SSL VPN and that the appropriate routing is in pla...

Page 23: ...l as transmitting all secured traffic These will also be the ports over which the ssladmin account will log in for configuring SSL VPN user access and usage policies on the SSL VPN Management Interfac...

Page 24: ...re Update page Verify that the installed version matches the Latest General Release The Download Now button next to the Latest General Release is disabled if the Barracuda SSL VPN is already up to dat...

Page 25: ...The SSL VPN Management configurations however will need to be done in order for any users to access your protected resources To complete the SSL VPN Management configurations 1 Log in as the ssladmin...

Page 26: ...other troubleshooting Access to this interface can be restricted to specific IP addresses by changing the Administrator IP Range as described on Step 4c of Configure Administrative Settings on page 2...

Page 27: ...Configuration Settings This chapter outlines the various options available for configuration from both the Administrative and SSL VPN Management interfaces Administrative Settings 28 SSL VPN Settings...

Page 28: ...he port used by your users and the ssladmin account to access the Barracuda SSL VPN default ports are 80 and 443 Change the length of time after which idle Web interface connections will be terminated...

Page 29: ...owing types of certificates Default Barracuda Networks certificates are signed by Barracuda Networks On some browsers these may generate some benign warnings which can be safely ignored No additional...

Page 30: ...ts In order for an individual user to use the Barracuda SSL VPN they must either have an account in a user directory that has been imported onto the Barracuda SSL VPN or have access to a resident acco...

Page 31: ...d have at least one Policy attached to it to determine who is allowed access to the Resource and to what extent Complete details of each Resource type is available in Chapter 6 Resources beginning on...

Page 32: ...ROL NAC page allows you to limit access to network resources based not just by users but also on a variety of other factors such as the time of day the connecting system s OS operating system and brow...

Page 33: ...stall an SSL certificate on the Barracuda SSL VPN for this hostname to ensure your users are able to determine that they are connecting to a genuine Barracuda SSL VPN that is registered to your organi...

Page 34: ...34 Barracuda SSL VPN Administrator s Guide...

Page 35: ...The Barracuda Network Connector Resources are the key entities that a user of the system will interact with The following topics are covered in this chapter About The Barracuda Network Connector 36 Co...

Page 36: ...consists of two components the server side component which opens up server interfaces and the client side component which connects to these interfaces It is through these connections that data is tran...

Page 37: ...Connector can be installed on the following systems Microsoft Windows 2000 XP Vista Linux 2 4 or higher with integrated TUN TAP driver Macintosh 9 x 10 x Intel based Network Connector Interface The B...

Page 38: ...nd the closing commands when the client disconnects These are called the Up Commands and the Down Commands and must be added into the configuration The exact commands may differ based on the operating...

Page 39: ...hat user will see a Network Connector page on their RESOURCES page From there the client for the desired operating system can be downloaded Microsoft Windows 1 Go to the RESOURCES Network Connector pa...

Page 40: ...ce it is installed return to the RESOURCES Network Connector page of the SSL VPN Management interface Click the More link under Actions and select Launch Network Connect Client 6 This will start the c...

Page 41: ...ntly requires that the user is running the GNOME Desktop and has the gksudo command installed Support for other desktops may be added 6 After the client has been downloaded the user will be presented...

Page 42: ...de VPN server For the Client Configuration field enter the exact name of the Network Connector client that was created above 3 To connect simply click the icon and select connect The icon should turn...

Page 43: ...ter 6 Resources Resources are the key entities that a user of the system will interact with The following topics are covered in this chapter Web Forwards 45 Network Places 48 Applications 50 SSL Tunne...

Page 44: ...administrator s responsibility to create these Resources and provide a secure working environment for the remote user population Without the right configuration of Resources accessing areas of the co...

Page 45: ...policy settings can restrict those users that can even access the Web Forward Because different Web applications have different behavior it is necessary to have different types of Web Forward to acce...

Page 46: ...plication are known If the Web site runs on the root of the Web server i e http example com then there are no defined paths to proxy so another method will have to be used NOTE If the target site has...

Page 47: ...to the number of ways it is possible to create links in many different languages this proxy type is not always successful However it is possible to create custom replacement values to get a Web site w...

Page 48: ...lders a remote user can access the organization s network through the standard Windows Explorer interface without actually needing to log into the Barracuda SSL VPN When using Windows XP or later alon...

Page 49: ...aved as long as it supports random access can be accessed and is fully modifiable Another difference is that WebDAV supports only local buffering For any file needing to be edited WebDAV will download...

Page 50: ...i e Application Type Hostname of the remote machine For example an Application Shortcut can be created to allow users access to their office pc desktop from home To use Microsoft s Remote Desktop an...

Page 51: ...is to secure the SMTP POP protocols used for email access In short anything that uses TCP IP client server architecture will usually be able to be secured in this manner There are two types of tunnel...

Page 52: ...SSL VPN Agent is mainly used by Resources such as SSL tunnels and Web Forwards The session parameters affect how the active session behaves and includes such things as session inactivity timeout which...

Page 53: ...scribes how the Barracuda SSL VPN is able to achieve control of users and resources and the relationships between them The following topics are covered in this chapter Overview 54 Access Control Archi...

Page 54: ...a significant part of remote access the Barracuda SSL VPN solution has been designed to allow for either coarsely grained or finely grained access control This approach allows the product to mirror m...

Page 55: ...esources can have a range of permissions to limit how they may be assigned When a resource is assigned to a user the user must be restricted to the access rights given For example a super user may cre...

Page 56: ...uctured and organized system This is often imperative as the user base grows The administrator however is not categorized as a standard user in fact the administrator is classified as the administrato...

Page 57: ...r objective that a user wishes to achieve This could be something as simple as a user accessing their email client to read their mail In this case the Resource would be the email Similarly an intranet...

Page 58: ...assigned Policies that grant them fewer privileges A user of the system who has the need to manage a particular user database for instance must have a higher degree of trust and consequently is grant...

Page 59: ...into their respective areas Resource Rights Items that can be managed in this area are all Resources such as Web Forwards Profiles and Network Places can all have their create edit and delete actions...

Page 60: ...gainst your Windows domain Once you have entered the relevant properties in the configuration page a connection is made to the domain controller and when the service account has been authenticated the...

Page 61: ...d If an OU called Marketing was stored under the Employees OU to add Marketing the correct syntax would be OU Marketing OU Employees with the separating comma being used to separate each element in th...

Page 62: ...each filter Every Organizational Unit must begin with OU If a hierarchy structure is being included be sure to separate each element with a comma Also avoid using unnecessary spacing Clear the organi...

Page 63: ...Advanced Configuration This chapter details advanced configuration options and attributes The following topics are covered in this chapter Attributes 64 Session Variable 67 Microsoft Exchange 2003 RP...

Page 64: ...butes can be used with application shortcuts For example an attribute can be created which defines a hostname to use with a VNC Server application shortcut The attribute is created within the Manage S...

Page 65: ...pportPassword attributes are submitted during authentication into the Web site The FORM object takes the supportId and identifies the username then takes the supportPassword as the associated password...

Page 66: ...iving e g smb examplepath com users attr myNetHome 3 When this is executed the system replaces the attr myNetHome with the user attribute value 4 Each user is now able to define this attribute specify...

Page 67: ...ace this with the username being used in this current session This means that if the user s home share on the network is named the same as the username used to log into the appliance as might be the c...

Page 68: ...and access to this service is provided by way of authorized policies RPC HTTPS RPC over HTTP allows Microsoft Outlook clients to access Microsoft Exchange server over the internet The MAPI protocol us...

Page 69: ...onfiguring the Barracuda SSL VPN as a RPC Proxy Browse to the Outlook configuration settings under Manage System Advanced Configuration From here the Exchange server can be specified along with the as...

Page 70: ...70 Barracuda SSL VPN Administrator s Guide 2 From mail setup access Email Accounts 3 Select Add a new email account from the wizard options...

Page 71: ...Advanced Configuration 71 4 Under server type select Microsoft Exchange Server 5 Under the Exchange server settings select the newly configured Exchange server and the name of your new mailbox...

Page 72: ...that you check the Connect to my Exchange mailbox using HTTP checkbox 7 Selecting the Exchange proxy settings button opens a final window in which the FQDN of the Barracuda SSL VPN should be keyed int...

Page 73: ...ed to use the same Windows account as the one the user is currently logged on with the system will prompt for the Barracuda SSL VPN authentication credentials After which if the user is recognized as...

Page 74: ...relies on a Web forward The following provides basic steps on how to configure the mail check feature 1 Create a Web forward that connects to the mail server and check that it works correctly No user...

Page 75: ...it takes the individual user s authentication details to connect to their account and retrieve mail details 4 Once all the user details have been provided the user should log back into the system The...

Page 76: ...76 Barracuda SSL VPN Administrator s Guide...

Page 77: ...the Barracuda SSL VPN 77 Chapter 9 Agents of the Barracuda SSL VPN This chapter explains the roles of various agents of the Barracuda SSL VPN Agent The Barracuda SSL VPN Agent 78 The Barracuda Server...

Page 78: ...user session to provide SSL tunneling and application launching facilities provided by the appliance The Barracuda SSL VPN Agent is launched by a small Java applet placed on all pages that require acc...

Page 79: ...rce assigned to you directly from the taskbar icon Clicking the right mouse button over the Agent icon will present a list of resources that can be executed directly from the Agent By opening the Tunn...

Page 80: ...e port on the firewall protecting the remote network This same process can be used to access resources inside the LAN from a Barracuda SSL VPN residing in a DMZ In the diagram below the appliance sits...

Page 81: ...ources Installing the Server Agent Client Before any routing can begin the Server Agent client needs to be installed on a machine This machine should be sufficiently placed so that the destined routes...

Page 82: ...a higher level of security a certificate can be used instead of a simple password Confirm Password Confirmation of above password 5 Once installed the client needs to be started This is run as a proce...

Page 83: ...means of verifying a user s identity this can be in the form of a password or a key code To allow for greater security the Barracuda SSL VPN uses authentication schemes to provide a multiple staged a...

Page 84: ...selves that is they cannot be combined with other Authentication Modules When a user starts the authentication process they first have to enter a Username Once the Username is submitted checks are mad...

Page 85: ...ses this certificate as a means of authenticating itself to the server The server aware of the provided certificate is able to verify the client and automatically grant authentication Since a unique c...

Page 86: ...sed Authentication Scheme and it is the simplest and easiest to configure The length format and expiration of passwords are all configurable however initially these parameters are defaulted and whenev...

Page 87: ...ed to authenticate the user The client side private key is used to sign the ticket This ticket is then sent to the server On receipt the server uses the corresponding public key to validate the signat...

Page 88: ...t Authentication Key can force users to create their own identities 1 Select the Update Authentication Key action 2 This takes us to the Update Identity window From here the user s identity can be upd...

Page 89: ...privileges When the appliance scans a device such as a USB key it tries to find the Authentication Key This key should be in the root directory of the device in a sub folder called sslvpn ids So in or...

Page 90: ...P Authentication the password can only be used once and once only not only that the expiration of the password is measured in minutes and not days so even the OTP s existence is short lived Any email...

Page 91: ...sents this to the user A comparison is made between the current answer and the preset answer if a match is made the user is authenticated This authentication method is a secondary option only and must...

Page 92: ...tificate authentication to present a certificate to the appliance making textbook use of the something you know something you have security methodology by combining a secret passphrase with the certif...

Page 93: ...ver with their product therefore you will need to use an external RADIUS server i e FreeRADIUS to provide the RADIUS component of this solution Secure Computing SafeWord The Barracuda SSL VPN applianc...

Page 94: ...94 Barracuda SSL VPN Administrator s Guide...

Page 95: ...VPN This chapter describes the monitoring tasks you can perform from the Web interface Monitoring Tasks 96 Note For more detailed information about a specific page in the Web interface view the online...

Page 96: ...the value exceeds the normal threshold These values will fluctuate based on the amount of traffic that is being handled but if any setting remains consistently in the red for a long period of time ple...

Page 97: ...busy The Task Errors section will list an error until you manually remove it from the list The errors are not phased out over time Understanding the Indicator Lights The Barracuda SSL VPN has five ind...

Page 98: ...98 Barracuda SSL VPN Administrator s Guide...

Page 99: ...Maintenance 99 Chapter 12 Maintenance This chapter provides general instructions for general maintenance of the Barracuda SSL VPN Maintenance Functions 100...

Page 100: ...lowing about the backup file Do not edit backup files Any configuration changes you want to make need to be done through the Web interface The configuration backup file contains a checksum that preven...

Page 101: ...s 3175 S Winchester Blvd Campbell CA 95008 attn RMA your RMA number Reloading Restarting and Shutting Down the System The System Reload Shutdown section on the BASIC Administration page allows you to...

Page 102: ...tact Barracuda Networks Technical Support for additional troubleshooting tips As a last resort you can reboot your Barracuda SSL VPN and run a memory test or perform a complete system recovery as desc...

Page 103: ...d clears out all configuration information Enable remote administration Initiates a connection to Barracuda Central that allows Barracuda Networks Technical Support to access the system Another method...

Page 104: ...104 Barracuda SSL VPN Administrator s Guide...

Page 105: ...About the Hardware 105 Appendix A About the Hardware This appendix provides hardware information for the Barracuda SSL VPN The following topics are covered Hardware Compliance 106...

Page 106: ...ause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user in encouraged to try one or more of the following measures Reorient or r...

Page 107: ...ported by the Barracuda SSL VPN Table B 1 Common Regular Expressions Expression Matches Operators Zero or more occurrences of the character immediately preceding One or more occurrences of the charact...

Page 108: ...used s Space character shortcut for n r t s Non space character Miscellaneous Beginning of line End of line b Word boundary t Tab character Table B 2 Special Characters Table B 3 Regular Expressions E...

Page 109: ...Regular Expressions 109 FREE FREE FREE V GRA FREE VIAGRA FREE VEHICLEGRA etc Table B 3 Regular Expressions Example Matches...

Page 110: ...110 Barracuda SSL VPN Administrator s Guide...

Page 111: ...d warranty extends only to you the original buyer of the Barracuda Networks product and is non transferable Exclusive Remedy Your sole and exclusive remedy and the entire liability of Barracuda Networ...

Page 112: ...NG THE BARRACUDA SOFTWARE BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE DO NOT USE THE SOFTWARE IF YOU DO N...

Page 113: ...ECESSARY SERVICING REPAIR OR CORRECTION 6 License YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY R...

Page 114: ...omer may have paid Barracuda Networks the required license fee and Customer s use of the Energize Update Software shall also be limited as applicable and set forth in Customer s purchase order or in B...

Page 115: ...reasonable security measures to protect and maintain the confidentiality of such trade secrets and copyrighted material Title to Energize Update Software and documentation shall remain solely with Bar...

Page 116: ...G FROM A COURSE OF DEALING LAW USAGE OR TRADE PRACTICE ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED SUCH WARRANTY IS LIMITED IN DURA...

Page 117: ...to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors reputations Finally any free program is threatened constantly by soft...

Page 118: ...e anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that component i...

Page 119: ...R INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY O...

Page 120: ...ovided with the distribution The name Carnegie Mellon University must not be used to endorse or promote products derived from this software without prior written permission For permission or any other...

Page 121: ...Your own attribution notices within Derivative Works that You distribute alongside or as an addendum to the NOTICE text from the Work provided that such additional attribution notices cannot be constr...

Page 122: ...r express or implied See the License for the specific language governing permissions and limitations under the License Source Code Availability Per the GPL and other open source license agreements the...

Page 123: ...e Type 29 certificates 29 character tags 105 111 Concepts 17 configuration reloading 101 D Default Barracuda Networks certificates 29 definitions updating 24 101 diagnostic memory test 103 E Energize...

Page 124: ...SNMP alerts 96 SSL Certificate Configuration 29 SSL certificates 29 ssladmin user 26 SSL only access 29 statistics 96 subscription status 24 system reboot 101 shutdown 101 system alerts 96 T tasks 97...