manualshive.com logo in svg

Barracuda SSL VPN V Series, Руководство пользователя, Страница: 29 / 96

Поделиться
Скачать
Barracuda SSL VPN V Series Скачать руководство пользователя страница 29

1.  

2.  

3.  

4.  

5.  

1.  

2.  

3.  

4.  

1.  

2.  

3.  

4.  

5.  

browser or operating system. After the initial setup is complete, the authentication process requires minimal user interaction. Users must only

select the installed certificate when prompted, and the rest of the setup is completed automatically by the browser and the Barracuda SSL VPN.

The Barracuda SSL VPN validates the offered client certificate according to parameters that are defined by you. If you do not check for certificate

attributes that are unique to each user, any user can log in with a browser that has a valid SSL client certificate. To prevent this, you must always

combine SSL client certificate authentication with another authentication method like a password prompt.

In this article:

Before You Begin

Step 1. Upload the Root Certificate 

Step 2. Configure Client Certificate Authentication Settings

Step 3. Add the Client Certificate Authentication Module to an Authentication Scheme

Before You Begin

Create the following:

A root certificate. 

Client certificates.

An authentication scheme using client certificates as a primary or secondary authentication method.

For more information on creating your own self-signed root certificates, see 

.

How to Create Certificates with XCA

Step 1. Upload the Root Certificate 

For every user database, you can create or upload a unique root certificate. 

Open the 

 page.

Manage System > ADVANCED > SSL Certificates

In the 

 section, select 

 from the 

Import Key Type

A root Certificate Authority certificate you trust for client certificate authentication

 list

Certificate Type

In the 

 section, select the user database that you want to upload the root certificate to.

Import Details

Click 

, and select the root certificate file. The certificate file must have a cer or crt extension. 

Browse  

Click 

.

Save

The certificate then appears in the 

 section on the 

 page.

SSL Certificates

Manage System > ADVANCED > SSL Certificates

Step 2. Configure Client Certificate Authentication Settings

Configure the settings for the client certificates.

Log into the 

SSL VPN web interface

Go to the 

 page.

Manage System > ACCESS CONTROL > Security Settings

In the 

 section, configure the client certificates settings.

Client Certificates

Click 

.

Save Changes

Step 3. Add the Client Certificate Authentication Module to an Authentication Scheme

Log into the 

SSL VPN web interface

Go to the 

 page.

Manage System > ACCESS CONTROL > Authentication Schemes

Edit an authentication scheme.

Double-click 

to add the authentication module.

Client Certificate 

Click 

.

Save

Example - How to Install and Configure YubiRADIUS

This article provides step-by-step instructions on how to deploy the YubiRADIUS virtual appliance in context with Barracuda SSL

VPN. Once YubiRADIUS is installed, Barracuda SSL VPN can be configured to act as a RADIUS client.

Содержание SSL VPN V Series

Страница 1: ...1 Web Forwards 44 1 6 1 1 Custom Web Forwards 44 1 6 1 1 1 How to Create Custom Web Forwards 47 1 6 1 2 How to Configure a Microsoft SharePoint Web Forward 48 1 6 1 3 How to Configure a Microsoft Exc...

Страница 2: ...1 8 Monitoring 80 1 8 1 Basic Monitoring 80 1 8 2 Notifications 82 1 8 3 SNMP 83 1 9 Maintenance 84 1 9 1 How to Configure Automated Backups 84 1 9 2 Restore from Backups 84 1 9 3 Update Firmware 85...

Страница 3: ...cess L2TP IPsec Configure secure remote access through smartphones and other mobile devices PPTP Barracuda SSL VPN Release Notes 2 4 Upgrading to Version 2 x When upgrading from version 2 3 or earlier...

Страница 4: ...to a user s device Improved Sharepoint functionality including supporting Sharepoint 2013 Policy time restrictions are more comprehensive Improved browser NAC checking Download functionality for all...

Страница 5: ...rompt window BNVS 4101 Sharepoint 2010 documents can be edited BNVS 4132 IPsec PPTP Timeout option added for IPsec PPTP sessions BNVS 4155 When launching PPTP if the connection already exists then a c...

Страница 6: ...SSL VPN between the two firewalls another security layer is added It is also possible to install the Server Agent on a computer the internal network which initiates an SSL tunnel on port in 443 from t...

Страница 7: ...urrent Amps 1 0 1 0 1 2 1 4 1 8 4 1 Redundant Disk Array RAID No No No Yes Yes Yes ECC Memory No No No No Yes Yes Redundant Power Supply No No No No No Hot Swap Warranty and Safety Instructions Unless...

Страница 8: ...ec PPTP Mobile Device Support Yes Yes Yes Yes Yes Yes Client Access Controls Yes Yes Yes Yes Yes Yes Active Directory LDAP Integration Yes Yes Yes Yes Yes Yes Layered Authentication Schemes Yes Yes Ye...

Страница 9: ...ores Recommended RAM Recommended Hard Disk Space V180 1 1 GB 50 GB V380 2 1 GB 50 GB V480 3 2 GB 50 200 GB V680 4 4 GB 200 500 GB V680 additional cores license Limited only by license 1 GB per core 50...

Страница 10: ...greement and give the virtual appliance a name that is Next useful to your environment Click Finish After your appliance finishes importing right click it select and then click the green arrow to powe...

Страница 11: ...gate to the file BarracudaSSLVPN vmx Use the default settings and click Finish Start the appliance Follow the instructions to provision your Barracuda SSL VPN Vx appliance Quick Start Guide Deploying...

Страница 12: ...properties window that opens you can modify the configuration by port group Under the tab virtual port groups are vSwitch Ports listed Under the tab physical network interface cards in the server are...

Страница 13: ...lick OK Close Set your VM client to the new port group Right click the Barracuda SSL VPN virtual machine and select Edit Settings In the left pane click Network Adapter 1 In the section select the por...

Страница 14: ...arracuda SSL VPN Vx Virtual Images Step 1 Enter the License Code Enter the license token to start automatically downloading your license Start your virtual appliance Open the console for the Barracuda...

Страница 15: ...e download finishes click to install the firmware The firmware installation takes a few minutes to complete Apply Now After the firmware has been applied the Barracuda SSL VPN Vx automatically reboots...

Страница 16: ...Load Balancer If you want all clustered Barracuda SSL VPNs to process traffic use a load balancer such as the Barracuda Load Balancer to direct traffic to the HA units while maintaining session persi...

Страница 17: ...tem is in Mode standby mode changes to its configuration are not propagated to other systems in the cluster Optional Distribute the incoming SSL traffic to each Barracuda SSL VPN using a load balancer...

Страница 18: ...e performance of the appliance declines but no users are blocked When your user base grows you can upgrade the license and add additional cores to the virtual machine for increased performance Subscri...

Страница 19: ...CA In the section click Trusted Signed by a trusted CA Edit Data In the window enter the full DNS name e g enter the requested information about your CSR Generation sslvpn example com organization an...

Страница 20: ...e Access Rights Access Rights Configure Resources Resources Optional Configure L2TP IPsec or PPTP access How to Configure IPsec How to Configure PPTP Administrative Interfaces The Barracuda SSL VPN us...

Страница 21: ...e stored locally on the Barracuda SSL VPN s built in user database or retrieved from external authentication servers User databases define where user information is stored The Barracuda SSL VPN 380 an...

Страница 22: ...ntrol limits access to network resources according to a variety of factors that are not connected to the user Users who fail the NAC check are not allowed to log in until they have a conforming system...

Страница 23: ...are using multiple user databases on the Barracuda SSL VPN 380 or above each user database manages its own authentication server configuration so you can configure multiple Active Directory servers o...

Страница 24: ...ken using the vendor s utility It is recommended that you use the Client as a secondary module because it authenticates the Certificate module browser and not the user directly This is not the case wh...

Страница 25: ...an use one time password OTP authentication as only a secondary authentication module The OTP is generated by the appliance at login and is only valid for a short period of time The OTP can be deliver...

Страница 26: ...t certificate to authenticate It also uses a special software which has to be manually installed on every client computer RSA SecurID RSA SecurID uses its built in RADIUS server to enable communicatio...

Страница 27: ...to send the OTP during user logins At Login Method of password delivery You can select either to send the OTP via email or to send the OTP to Email SMS over Email users cell phones Generation Type Sel...

Страница 28: ...the following settings Key Authentication Allow user to create initial authentication key Enforce Password Security Policy Step 3 Generate Keys There are two ways the keys can be generated Creation a...

Страница 29: ...se you can create or upload a unique root certificate Open the page Manage System ADVANCED SSL Certificates In the section select from the Import Key Type A root Certificate Authority certificate you...

Страница 30: ...a link to the image Click the link to download the image Extract the files and import the virtual machine into your VM host server The images show XenServer The default settings should be correct in m...

Страница 31: ...onfirm Disconnect from the network and reconnect using the network icon in the top right area of the screen With a web browser navigate to the IP address of the appliance which should present a Webmin...

Страница 32: ...ame and click Add Domain Click on the tab then click You may opt to set to although it may be simpler to Global Configuration General Auto provisioning Yes keep it set to initially Ensure that is set...

Страница 33: ...ewall needs to allow outbound access on TCP ports 80 and 443 to api yubico com api2 yubico com and api3 yubico com api4 yubico com api5 yubico com To get a client ID and API key go to Enter the email...

Страница 34: ...ame that should be used to connect and cache the users in DN format Enter the service password Set the schedule for how often YubiRADIUS should re cache the list of users hourly is recommended If you...

Страница 35: ...ported successfully Now go back to the tab and click on your domain you should now see which accounts may authenticate If you click on a group Domain the users should become visible note that there ar...

Страница 36: ...an be performed Go back to the main module under in the left menu YubiRADIUS Virtual Appliance Servers and click the tab Troubleshoot Keep the as Client Secret test Enter the username that has the Yub...

Страница 37: ...TROL Authentication Schemes a new authentication scheme which contains the RADIUS module Select click Select a policy which will be able to use RADIUS Add this authentication such as for example and c...

Страница 38: ...hostname or IP address for the YubiRADIUS appliance in the RADIUS Server field Keep the ports the same Enter the same shared secret as used in the YubiRADIUS RADIUS client configuration earlier Set t...

Страница 39: ...this user account Enter the username and click Login Insert the user s database password don t confirm with enter at this stage and immediately press the button so that the YubiKey password is a comb...

Страница 40: ...MS The user logs in with a username and password and then receives an SMS containing the OTP e g After entering the OTP the user is logged in For nc43sa multi factor authentication you can combine SMS...

Страница 41: ...the SMS Passcode RADIUS server Go to the page Manage System ACCESS CONTROL Configuration In the section enter the following information RADIUS RADIUS Server Enter the hostname or IP address of the SM...

Страница 42: ...ode authentication scheme is not the default scheme select it Enter your username When prompted enter your SMS Passcode password and then click Login After you receive the OTP via SMS enter the OTP in...

Страница 43: ...ersonal resources in the Manage Account mode of the SSL VPN web interface You can create an access right for a single user database or you can create an access right that is available to all user data...

Страница 44: ...ntials configure Web Forwards With Web Forwards sensitive information does not need to be placed outside of your corporate firewall Because all communication is secured with SSL additional encryption...

Страница 45: ...pn myco cc blog which the user can access https sslvpn example com blog images picture jpg The subdirectory of below is added to this Web Forward images blog https sslvpn example com blog page2 htm pa...

Страница 46: ...ystem s host file to enable direct routing to the destination site Upon launch of a Web Forward of this type the Barracuda SSL VPN automatically uploads the additional configuration information to the...

Страница 47: ...Proxy Tunneled Proxy Replacement Proxy Direct URL If you do not know what type of Web Forward to use Barracuda Networks recommends that you first try using the path based reverse proxy Note also that...

Страница 48: ...ccess Mappings Step 1b Restart the IIS Server Step 2 Create a Web Forward Related Articles Web Forwards Custom Web Forwards Step 1 Configure SharePoint Server To configure the settings for SharePoint...

Страница 49: ...Forward Related Articles Web Forwards Custom Web Forwards Step 1 Create a Web Forward To create and configure the Web Forward Log into the SSL VPN web interface Go to the page RESOURCES Web Forwards...

Страница 50: ...system the drive becomes available in the Windows Explorer just like any local drive This feature uses a WebDAV connection to a locally created SSL tunnel that gets routed through to the server In th...

Страница 51: ...s scanning Licensing When v is enabled the Barracuda SSL VPN scans files that are uploaded through the Barracuda SSL VPN for viruses and other malware You can determine the types of files to scan by s...

Страница 52: ...uration settings When the user clicks the application resource the application is started with the settings provided by the administrator Follow these steps to create an application resource In this a...

Страница 53: ...ficate If you are using a self signed certificate you must import it to the local certificate store on all the client machines on which you want to use Outlook If required open port 443 on your intern...

Страница 54: ...s authentication when connecting to drop down menu my proxy server for Exchange Click and then click OK Next The Exchange Server prompts you to connect and requests your credentials In the User Name f...

Страница 55: ...s In this article Before you Begin Step 1 Configure the Barracuda SSL VPN Step 2 Configure Exchange Server 2013 Step 3 Configure the Client Mobile Device for ActiveSync Connecting an Android Mobile De...

Страница 56: ...use one user database However If you are using multiple user databases then you need a different hostname for each user database that you want to use with ActiveSync except for the default user databa...

Страница 57: ...ted on the remoteapplicationnam Windows Server E g if the string in the rdp file is Navision remoteappliationname s Navision Remote Application Program Enter the value after the last colon of in the r...

Страница 58: ...address instead of the 127 0 0 1 localhost address as the source address In this article Step 1 Create a SSL Tunnel Step 2 Optional Configure Advanced Tunnel Settings Step 3 Test the SSL Tunnel Step 1...

Страница 59: ...requiring no separate installation Because the VNC application is downloaded on demand the user of the remote system must have administrator root rights The user must have the appropriate Access Righ...

Страница 60: ...following steps Step 1 Access the Remote Assistance Request Step 2 Connect to the Remote System Step 3 Close the Remote Assistance Request Create a Request for other Users Step 1 Access the Remote As...

Страница 61: ...de A component that when installed onto the remote system connects to the server interfaces client side When a client connects to the Barracuda SSL VPN with the Network Connector it is assigned a seco...

Страница 62: ...soon Server Interfaces Client Configurations as a server interface is created you can customize the configuration according to your requirements You can create or copy and configure your client setti...

Страница 63: ...address of 192 168 1 0 24 Barracuda SSL VPN on IP address and default gateway of 192 168 1 100 192 168 1 1 Main LAN network address of 192 168 50 0 24 The to publish for such a route would be Up Comm...

Страница 64: ...client configuration then select the desired method here Up and Down Commands Up commands are executed from a temporary script file created by the Barracuda SSL VPN when a remote client connects with...

Страница 65: ...ndows client installed on your remote system In this article Step 1 Install the Windows Client Step 2 optional Install the Client Configuration File Step 3 Launch the Network Connector Client Related...

Страница 66: ...he network connector on your Mac In this article Step 1 Install the Mac Client Step 2 Install the Client Configuration File Step 3 Launch the Network Connector Client Step 1 Install the Mac Client Ope...

Страница 67: ...twork Connector with Linux No separate client software is needed to connect from Linux systems to the Network Connector service since most modern Linux distros already contain the required support in...

Страница 68: ...icon will change to show a padlock How to Configure IPsec You can configure the Barracuda SSL VPN to allow L2TP IPsec connections from remote devices using an L2TP IPsec client that supports using a...

Страница 69: ...to exit the connection properties Connect to the IPsec server Step 3 Apply the Installation to the Client Device Once you are successfully connected Be aware that for this procedure the user must prov...

Страница 70: ...xample sslvpn example com Set IPsec pre shared key Select to enter the pre shared key Enable L2TP secret Clear this setting DNS search domains Enter the default domain for the protected network for ex...

Страница 71: ...dge of the screen tap the gear charm and then tap the currently Settings connected network icon The list will display and you will see the IPsec connection near the top Networks Select that connection...

Страница 72: ...see a resource an administrator can change the name of this RESOURCES My Resources Barracuda IPsec resource Click on the icon This launches the Barracuda SSL VPN Agent and configures the VPN connecti...

Страница 73: ...from the list VPN VPN type Select L2TP over IPSec Service name Name of your selection Select the service you created The status will show as Not Configured Enter the following Server Address The exter...

Страница 74: ...the default view for resources icons or lists or also affect agent timeouts and proxy settings If multiple profiles are configures users can select different profiles when logging in or the administra...

Страница 75: ...uration View Add In the list select the policies for which provisioning should be enabled and click Available Policies Add Click Add On the RESOURCES Configuration page in the Device Configuration sec...

Страница 76: ...e the agent These items can be provisioned in the form of a profile installed on the device The remote user can specify the name of the profile on the RESOURCES Device Configuration page Client Certif...

Страница 77: ...Exchange resource the Barracuda SSL VPN uses the server name stored in the policy attribute to connect to the correct server Messaging Messaging allows the user to send messages either to an individu...

Страница 78: ...uda SSL VPN The Server Agents initiates a HTTPS connection from inside of the network using port 443 It then waits for requests from the SSL VPN and forwards traffic for the local resources For exampl...

Страница 79: ...tep 2 Authorize Server Agents You need to authorize the Server Agents after the initial connection Log into the SSL VPN web interface Open the page Manage System ADVANCED Server Agents In the section...

Страница 80: ...ed from the taskbar The SSL VPN Agent is terminated when the users session ends by logging out or closing the browser For more information see How to Configure Profiles Monitoring The Barracuda SSL VP...

Страница 81: ...ing The screen displays all active sessions of users that are currently logged in Sessions Log into the SSL VPN Web interface Go to the page ACCESS CONTROL Sessions Expand a session by clicking where...

Страница 82: ...o monitor containing information regarding various events such as user login activities and configuration changes made the Web syslog output from the administrative interface of the Barracuda SSL VPN...

Страница 83: ...Configure SNMP v3 Enable SNMP Traps SNMP v2 Related Article Basic Monitoring IP address range from which the Network Management System will contact the Barracuda SSL VPN SNMP service SNMP community s...

Страница 84: ...d to always have working backups of your appliance In case of a hardware failure or system misconfiguration the backup files can be used to quickly restore the appliance to working order The administr...

Страница 85: ...Early Release EA The newest version of firmware available for early access from Barracuda Central Related Article How to Update the Firmware in a High Availability Cluster General Release GA firmware...

Страница 86: ...e You will have to log in again ADVANCED Linked Management Cluster Shared Secret If you are using a Simple High Availability Cluster Navigate to ADVANCED Linked Management In the section clear the val...

Страница 87: ...be furnished on an exchange basis All parts removed for replacement will become the property of the Barracuda Networks In connection with warranty services hereunder Barracuda Networks may at its dis...

Страница 88: ...MEET YOUR REQUIREMENTS THAT THE OPERATION WILL BE ERROR FREE OR CONTINUOUS OR THAT DEFECTS WILL BE CORRECTED NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA REPRESENTATIVE SH...

Страница 89: ...ME OF ACQUIRING SUCH COPY OR UPGRADE ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL ENERGIZE UPDATE SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE 2 USE OF UPGRADES IS LIMITED TO BARRACUDA NE...

Страница 90: ...OR TRADE PRACTICE ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD BECAUSE...

Страница 91: ...on is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outsid...

Страница 92: ...s are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and...

Страница 93: ...BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program and you want it to be of the greatest possible u...

Страница 94: ...ion THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED I...

Страница 95: ...or and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work 2 Grant of Copyright License Subject to the terms and...

Страница 96: ...mages or losses even if such Contributor has been advised of the possibility of such damages 9 Accepting Warranty or Additional Liability While redistributing the Work or Derivative Works thereof You...

Отзывы:

Нет отзывов