Barracuda SSL VPN V, SSL VPN V180, SSL VPN V680, SSL VPN V880, SSL VPN V280 User Manual

...
1. Barracuda SSL VPN - Overview
1.1 Barracuda SSL VPN Release Notes 2.4
1.2 Deployment
1.2.1 Hardware Specifications
1.2.2 Virtual Systems
1.2.2.1 Sizing CPU, RAM, and Disk for Your Barracuda SSL VPN Vx
1.2.2.2 How to Deploy Barracuda SSL VPN Vx Virtual Images
1.2.2.3 How to Enable Promiscuous Mode on VMware for the Barracuda Network Connector
1.2.2.4 Barracuda SSL VPN Vx Quick Start Guide
1.2.3 High Availability Deployment
1.2.3.1 How to Configure a High Availability Cluster
1.2.4 Licensing
1.3 Getting Started
1.4 Administrative Interfaces
1.5 Access Control
1.5.1 How to Create and Modify User Databases
1.5.1.1 Example - Create a User Database with Active Directory
1.5.2 Authentication Schemes
1.5.2.1 Hardware Token Authentication
1.5.2.2 How to Configure One-Time Password (OTP) Authentication
1.5.2.3 How to Configure Public Key Authentication
1.5.2.4 How to Configure SSL Client Certificate Authentication
1.5.2.5 Example - How to Install and Configure YubiRADIUS
1.5.2.6 Example - Authentication with SMS Passcode RADIUS server
1.5.3 How to Configure Policies
1.5.4 Access Rights
1.6 Resources
1.6.1 Web Forwards
1.6.1.1 Custom Web Forwards
1.6.1.2 How to Configure a Microsoft SharePoint Web Forward
1.6.1.3 How to Configure a Microsoft Exchange OWA Web Forward
1.6.2 Network Places
1.6.2.1 How to Create a Network Place Resource
1.6.2.2 How to Configure AV Scanning
1.6.3 Applications
1.6.3.1 How to Create an Application Resource
1.6.3.2 How to Configure Outlook Anywhere
1.6.3.3 How to Configure ActiveSync for Microsoft Exchange Servers
1.6.3.4 How to Configure Microsoft RDP RemoteApp
1.6.4 SSL Tunnels
1.6.4.1 How to Create an SSL Tunnel
1.6.5 Remote Assistance
1.6.5.1 Requesting Remote Assistance
1.6.5.2 Providing Remote Assistance
1.6.6 Network Connector
1.6.6.1 How to Configure the Network Connector
1.6.6.2 How to Create a Static Route
1.6.6.3 Advanced Network Connector Client Configuration
1.6.6.4 Using the Network Connector with Microsoft Windows
1.6.6.5 Using the Network Connector with Mac OS X
1.6.6.6 Using the Network Connector with Linux
1.6.7 How to Configure IPsec
1.6.7.1 How to Configure Mobile Devices
1.6.7.2 How to Configure Remote Devices
1.6.8 How to Configure PPTP
1.6.9 How to Configure Profiles
1.6.10 Provisioning Client Devices
1.7 Advanced Configuration
1.7.1 Attributes
1.7.2 Messaging
1.7.3 Agents
1.7.3.1 How to Configure a Server Agent
1.7.3.2 How to Configure the SSL VPN Agent
1.8 Monitoring
1.8.1 Basic Monitoring
1.8.2 Notifications
1.8.3 SNMP
1.9 Maintenance
1.9.1 How to Configure Automated Backups
1.9.2 Restore from Backups
1.9.3 Update Firmware
1.9.4 How to Update the Firmware in a High Availability Cluster
1.10 Limited Warranty and License
Barracuda SSL VPN - Overview
The Barracuda SSL VPN is an ideal appliance for giving remote users secure access to network resources. The Barracuda SSL VPN only requires a browser to give remote users access from any computer. Built-in and third-party multi-factor authentication and network access control (NAC) ensure that only clients that meet chosen security standards can connect. For secure remote access through smartphones and other mobile devices, the Barracuda SSL VPN supports both L2TP/IPsec and PPTP. The Barracuda SSL VPN is available as a hardware and a virtual appliance.
Where to Start
If you have the Barracuda SSL VPN Vx virtual appliance, start here:
Barracuda SSL VPN Vx Quick Start Guide
Getting Started
If you have the Barracuda SSL VPN appliance, start here:
Quick Start Guide for version 2.4 (PDF) or Quick Start Guide for version 2.3 (PDF)
Getting Started
Key Features
Access Control – A multi-factor authentication process, with support for external authentication and third-party hardware tokens, combined with NAC and multiple user databases.
Web Forwards – Make intranet resources available for your remote users and secure unencrypted connections before they leave the network.
Network Places – Provide remote users with a secure web interface to access corporate network file shares.
Applications – Provide applications to remote client systems through the Barracuda SSL VPN Agent for remote access.
SSL Tunnels – Create SSL Tunnels to allow secure connections from remote devices to the Barracuda SSL VPN by encrypting data for client/server applications.
Network Connector – An application that provides full, transparent network access for users requiring widespread network access.
L2TP/IPsec / PPTP – Configure secure remote access through smartphones and other mobile devices.

Barracuda SSL VPN Release Notes 2.4

Upgrading to Version 2.x
When upgrading from version 2.3 (or earlier) firmware:
Backups taken from earlier firmware versions will NOT restore properly with the new backup/restore functionality found starting in version 2.4. Make new backups after the firmware update.
Mapped Drives:
WebDAV is now the default method for providing Mapped Drives and configuration settings have been changed accordingly. Windows 7 and Vista 64-bit clients will be prompted to uninstall the current Dokan driver and also given the option to increase the maximum file download size to 2GB when launching Mapped Drives. Client Certificates will need to be disabled when launching WebDAV Mapped Drives. Version 2.3.1.013 is not compatible with systems that are clustered.
When upgrading from version 2.1 firmware:
Replacement Proxy Web Forwards for OWA that were created prior to version 2.2 are no longer supported. If you have one, you will need to replace it using the new OWA Template. Go to the RESOURCES > Web Forwards page and delete the old Web Forward. Then create a new one using the Mail Web Forward category.
Please Read Before Updating
Before installing any firmware version, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running on your system.
Do not manually reboot your system at any time during an upgrade, unless otherwise instructed by Barracuda Networks Technical Support. The update process typically takes only a few minutes after the update is applied. The appliance web interface for the administrator will usually be available a minute or two before the SSL VPN user interface. If the process takes longer, please contact Technical Support for further assistance.
When configuring Barracuda Network Connector on Macintosh systems, note that DNS insertion and Up/Down commands are mutually exclusive.
What's new with the Barracuda SSL VPN Version 2.4.0.12
Fix: Clustering on new systems [BNVS-4678]
Fix: High severity vulnerability: non-persistent XSS [BNSEC-2802 / BNVS-4542]
Fix: High severity vulnerability: persistent XSS [BNSEC-2697 / BNVS-4543]
Fix: Unknown severity vulnerability: [BNSEC-380]
Fix: Unknown severity vulnerability: [BNSEC-335]
What's new with the Barracuda SSL VPN Version 2.4.0.10
Fix: External access blocked for non SSH ports [BNVS-4152]
Fix: The most recent Scheduled Backup files are retained [BNVS-4614]
Fix: High severity vulnerability: Unauthenticated, non-persistent XSS [BNSEC-1546 / BNVS-4210]
Fix: High severity vulnerability: Unauthenticated, non-persistent XSS [BNSEC-1542 / BNVS-4211]
Fix: High severity vulnerability: Clickjacking [BNSEC-509 / BNVS-4024]
Fix: Med severity vulnerability: Cross Site Request Forgery (CSRF) [BNSEC-1247 / BNVS-4079]
Fix: Med severity vulnerability: URL Redirection [BNSEC-727 / BNVS-3665]
Fix: Low severity vulnerability: Requires a man in the middle, URL redirection [BNSEC-1399 / BNVS-4147]
Fix: Low severity vulnerability: Requires authentication, non-persistent XSS [BNSEC-1239 / BNVS-4078]
Fix: Low severity vulnerability: Cross Site Request Forgery (CSRF), HTTP header injection, non-persistent XSS [BNSEC-1144 / BNVS-4026]
What's new with the Barracuda SSL VPN Version 2.4.0.9
New Features
The Device Configuration feature allows resources and other settings configured on the Barracuda SSL VPN to be provisioned directly to a user's device.
Improved Sharepoint functionality, including supporting Sharepoint 2013.
Policy time restrictions are more comprehensive.
Improved browser NAC checking.
Download functionality for all aspects of the system works faster and more reliably.
Increased backup and restore capabilities (from the appliance interface).
Version 2.4.0.9 Fixes:
Backups
Show All Backups option on the ADVANCED > Backups page displays all backup files on the share [BNVS-4348]
Only the requested number of SMB backups is stored [BNVS-4378]
Status of SMB backup is reported accurately [BNVS-4376]
Clustering information is excluded from backups [BNVS-4382]
Other
All Network Connector client configurations can be launched from the user interface [BNVS-4381]
Fixed Java applet signing to conform to new security in Java 1.7u45 [BNVS-4516]
Note: This error may still appear if the SSLVPN doesn't have a valid SSL certificate installed. A valid SSL certificate will be required for all SSL VPN devices as of the release of Java 1.7u51.
Version 2.4.0.7:
Fix: Mapped drives time out according to the inactivity timeout setting under Profiles [BNVS-4337]
Fix: Attempts to access hosts not in the Web Forward Allowed Hosts list displays error message [BNVS-4319]
Fix: Can log off users with Network Connector sessions using the Sessions page [BNVS-4322]
Fix: Set limitations on IP subnet range for PPTP and IPSec [BNVS-4325]
Fix: Updated Code Signing Certificate
Fix: Vulnerability - Information Disclosure [BNSEC-1839 / BNVS-4261]
Fix: Vulnerability - Unauthenticated, XSS-Not Persistent [BNSEC-1542 / BNVS-4211]
Fix: Vulnerability - Unauthenticated, XSS-Not Persistent [BNSEC-1546 / BNVS-4210]
Fix: Vulnerability - Requires Man in the Middle, URL Redirection [BNSEC-1399 / BNVS-4147]
Fix: Vulnerability - CSRF [BNSEC-1247 / BNVS-4079]
Fix: Vulnerability - Authenticated, XSS-Not Persistent [BNSEC-1239 / BNVS-4078]
Fix: Vulnerability - CSRF, HTTP Header Injection, XSS-Not Persistent [BNSEC-1144 / BNVS-4026]
Fix: Vulnerability - Click Jacking [BNSEC-509 / BNVS-4024]
Fix: Vulnerability - URL Redirection [BNSEC-727 / BNVS-3665]
Version 2.4.0.3:
Feature: Bookmark aliases are created automatically for new and existing resources
Fix: Server Agent service starts on Linux [BNVS-4244]
Fix: Improved ActiveSync session disconnection handling [BNVS-4243, BNVS-4263]
Fix: Prevent files that were in tmp directory from being deleted when they should not have been [BNVS-4188]
Fix: Enabled uploading of certificates with PKCS #8 private keys [BNVS-4235]
Fix: Account selection works correctly for Read Only mode Active Directory groups when using Internet Explorer [BNVS-4217]
Fix: My Resources filter displays correct selection [BNVS-4258]
Fix: Creating a new Certificate Authority is possible after deleting an existing one [BNVS-4233, BNVS-4255]
Fix: Ssladmin session information is displayed correctly on clustered systems [BNVS-4225]
Fix: Correction to AD password expiry message [BNVS-3591]
Fix: Improvements to Microsoft Sharepoint 2013 checkout discard in Microsoft Office 2007 and 2010 [BNVS-4184]
Version 2.4.0.2 Fixes:
Graphs
Graphs display correctly in Internet Explorer version 10 [BNVS-4030]
Web Forwards
Path based web forwards display large pages containing multi-byte characters accurately [BNVS-4196]
Web sites that switch between character encodings display extended chars (??, ??, etc.) correctly [BNVS-4102]
Launching a Host File Redirect Tunneled Web Forward in Windows 7 closes the Command prompt window [BNVS-4101]
Sharepoint 2010 documents can be edited [BNVS-4132]
IPsec/PPTP
Timeout option added for IPsec/PPTP sessions [BNVS-4155]
When launching PPTP, if the connection already exists then a confirmation message is not displayed [BNVS-4194]
IPsec PSK can include all valid symbols [BNVS-4081, BNVS-4125]
Mapped Drives
Webdav Mapped Drives do not timeout due to inactivity [BNVS-4090]
Session timeout will disconnect Mapped Drives [BNVS-4128]
Office 2013 documents work with Mapped Drives [BNVS-3778]
Sessions
Password can be entered after session has been locked due to browser closure [BNVS-4144]
Server Agent
The ADVANCED > Server Agents page refreshes correctly when an agent is enabled or disabled in Internet Explorer version 10 [BNVS-4119]
Zip file containing the server agent client contains the correct version [BNVS-4120]
Server Agent service starts on Linux [BNVS-4244]
Other
Improved notifications message handling under heavy load [BNVS-4058]
NAC antivirus checking detects status of multiple installed AV products [BNVS-4099]
Network Connector routes can be added in Mac OS X [BNVS-4100]
Authentication schemes and NAC exceptions consider policy time restrictions [BNVS-3455]
/32 CIDR notation is handled correctly by IP authentication [BNVS-3818]

Deployment

The Barracuda SSL VPN is typically deployed in the following configurations:
Direct Access DMZ Deployment – Behind the firewall, with direct access to all intranet resources.
Multilayer Firewall DMZ Deployment – In a DMZ between the external and internal firewall. Additional ports have to be opened on the internal firewall to access internal resources.
Isolated Deployment – The Barracuda SSL VPN is reachable from the Internet. All resources connect via Server Agents which initiate the connection from inside the networks. No ports have to be opened.
Direct Access DMZ Deployment
The Barracuda SSL VPN is deployed behind the firewall. Only one port (443) has to be opened up by the firewall and forwarded to the SSL VPN. You have direct access to all services (authentication, file, web, etc.) in the intranet without further configuration.
Multilayer Firewall DMZ Deployment
The Barracuda SSL VPN is deployed in a DMZ behind the corporate firewall but before the internal network firewall. All access to services on the internal network requires ports to be opened on the internal firewall. By deploying the Barracuda SSL VPN between the two firewalls, another security layer is added. It is also possible to install the Server Agent on a computer in the internal network, which initiates an SSL tunnel on port 443 from the inside of the network so you can limit the ports that you must open on the internal firewall.
Isolated Deployment
The Barracuda SSL VPN is deployed and isolated from the rest of the network. All resources are located in networks which are not directly accessible by the Barracuda SSL VPN. Server Agents inside the networks initiate tunnels to the SSL VPN and act as proxies for the local resources. This deployment minimizes security implications caused by opening various ports on the firewalls to access the resources located behind them.
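The three deployment models above differ mainly in which firewall openings they require. The following Python code is an added example, not part of the Barracuda manual or product, that audits a list of allow rules against each model. The Rule format, the audit function, the model labels and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

HTTPS = 443


@dataclass(frozen=True)
class Rule:
    """One 'allow TCP' firewall rule (hypothetical format, not Barracuda syntax)."""
    src: str   # source address or CIDR
    dst: str   # destination address or CIDR
    port: int  # destination TCP port


def audit(model, rules, vpn, internal):
    """Return findings for `rules` under the given deployment model.

    model    -- "direct", "multilayer" or "isolated" (labels assumed here)
    vpn      -- address of the SSL VPN appliance
    internal -- CIDR of the internal network that holds the resources
    """
    if model not in ("direct", "multilayer", "isolated"):
        raise ValueError(f"unknown deployment model: {model}")
    vpn_net, int_net = ip_network(vpn), ip_network(internal)
    findings, https_forwarded = [], False
    for r in rules:
        src, dst = ip_network(r.src), ip_network(r.dst)
        from_vpn = src.subnet_of(vpn_net)
        from_outside = not from_vpn and not src.subnet_of(int_net)
        to_vpn = dst.subnet_of(vpn_net)
        to_internal = not to_vpn and dst.overlaps(int_net)
        if from_outside:
            # Every model exposes exactly one thing: TCP 443 on the appliance.
            if to_vpn and r.port == HTTPS:
                https_forwarded = True
            else:
                findings.append(
                    f"VIOLATION: {r.src} -> {r.dst}:{r.port} is exposed to outside sources")
        elif from_vpn and to_internal:
            if model == "multilayer":
                # Expected, but each opening can be avoided with a Server Agent.
                findings.append(
                    f"REVIEW: internal firewall opening {r.dst}:{r.port}; "
                    "a Server Agent could replace it")
            elif model == "isolated":
                findings.append(
                    f"VIOLATION: appliance reaches {r.dst}:{r.port} directly; "
                    "isolated deployments use Server Agents")
        # Rules from inside toward the appliance (Server Agent tunnels) are allowed.
    if not https_forwarded:
        findings.append("VIOLATION: TCP 443 is not forwarded to the appliance")
    return findings


# Constructed sample rule sets (documentation and private addresses only).
INTERNET, INTERNAL = "0.0.0.0/0", "10.0.0.0/16"
DMZ_VPN, AGENT = "192.0.2.10", "10.0.5.20"

SAMPLES = {
    "direct, extra RDP forward": ("direct", "10.0.0.10", [
        Rule(INTERNET, "10.0.0.10", HTTPS),
        Rule(INTERNET, "10.0.3.7", 3389),
    ]),
    "multilayer, LDAP and SMB opened": ("multilayer", DMZ_VPN, [
        Rule(INTERNET, DMZ_VPN, HTTPS),
        Rule(DMZ_VPN, "10.0.1.5", 389),
        Rule(DMZ_VPN, "10.0.2.8", 445),
    ]),
    "multilayer with Server Agent": ("multilayer", DMZ_VPN, [
        Rule(INTERNET, DMZ_VPN, HTTPS),
        Rule(AGENT, DMZ_VPN, HTTPS),
    ]),
    "isolated, stray SMB opening": ("isolated", DMZ_VPN, [
        Rule(INTERNET, DMZ_VPN, HTTPS),
        Rule(AGENT, DMZ_VPN, HTTPS),
        Rule(DMZ_VPN, "10.0.2.8", 445),
    ]),
}

if __name__ == "__main__":
    for name, (model, vpn, rules) in SAMPLES.items():
        print(name)
        for finding in audit(model, rules, vpn, INTERNAL) or ["ok"]:
            print("   ", finding)
```
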

Hardware Specifications

Hardware Specifications of the Various Barracuda SSL VPN Models
Barracuda SSL VPN Model | 180 | 280 | 380 | 480 | 680 | 880
Recommended Maximum Concurrent Users | 15 | 25 | 50 | 100 | 500 | 1,000
Hardware
Rackmount Chassis | 1U Mini | 1U Mini | 1U Mini | 1U Mini | 1U Full-size | 1U Full-size
Dimensions (inches) | 16.8 x 1.7 x 9 | 16.8 x 1.7 x 9 | 16.8 x 1.7 x 14 | 16.8 x 1.7 x 14 | 16.8 x 1.7 x 22.6 | 17.4 x 3.5 x 25.5
Weight (lbs) | 8 | 8 | 12 | 12 | 26 | 46
Ethernet | 1 x 10/100 | 1x Gigabit | 1x Gigabit | 1x Gigabit | 2x Gigabit | 2x Gigabit
AC Input Current (Amps) | 1.0 | 1.0 | 1.2 | 1.4 | 1.8 | 4.1
Redundant Disk Array (RAID) | No | No | No | Yes | Yes | Yes
ECC Memory | No | No | No | No | Yes | Yes
Redundant Power Supply | No | No | No | No | No | Hot Swap
Warranty and Safety Instructions
Unless you are instructed to do so by Barracuda Networks Technical Support, you will void your warranty and hardware support if you open your Barracuda Networks appliance or remove its warranty label.
Barracuda Networks Appliance Safety Instructions Hardware Compliance.
The hardware configuration list in this table was valid at the time this content was created. The listed components are subject to change at any time, as Barracuda Networks may change hardware components due to technological progress. Therefore, the list may not reflect the current hardware configuration of the Barracuda SSL VPN.
Features | 180 | 280 | 380 | 480 | 680 | 880
SSL Tunneling | Yes | Yes | Yes | Yes | Yes | Yes
Barracuda Network Connector | Yes | Yes | Yes | Yes | Yes | Yes
Intranet Web Forwarding | Yes | Yes | Yes | Yes | Yes | Yes
Windows Explorer Mapped Drives | Yes | Yes | Yes | Yes | Yes | Yes
Citrix XenApp/VNC/NX/Telnet/SSH/RDP Applications | Yes | Yes | Yes | Yes | Yes | Yes
Remote Desktop Single Sign-On | Yes | Yes | Yes | Yes | Yes | Yes
Antivirus | Yes | Yes | Yes | Yes | Yes | Yes
L2TP/IPsec, PPTP Mobile Device Support | Yes | Yes | Yes | Yes | Yes | Yes
Client Access Controls | Yes | Yes | Yes | Yes | Yes | Yes
Active Directory/LDAP Integration | Yes | Yes | Yes | Yes | Yes | Yes
Layered Authentication Schemes | Yes | Yes | Yes | Yes | Yes | Yes
Remote Assistance | No | No | Yes | Yes | Yes | Yes
Multiple User Realms | No | No | Yes | Yes | Yes | Yes
Barracuda SSL VPN Server Agent | No | No | Yes | Yes | Yes | Yes
Hardware Token Support | No | No | Yes | Yes | Yes | Yes
RADIUS Authentication | No | No | Yes | Yes | Yes | Yes
Syslog Logging | No | No | Yes | Yes | Yes | Yes
SNMP/API | No | No | No | Yes | Yes | Yes
Clustering/High Availability | No | No | No | Yes | Yes | Yes

Virtual Systems

The Barracuda SSL VPN is available as a virtual appliance. Because it is mostly used after office hours, it is well suited to a server hosting virtual machines that are used intensely during office hours but sit idle for the rest of the time. You can pair a Barracuda SSL VPN Vx with a hardware Barracuda SSL VPN appliance to create a high availability cluster. With a load balancer, you can create a configuration that uses the resources of the hardware Barracuda SSL VPN during the day when the hypervisor is under high load and then use the virtual Barracuda SSL VPN to cover the peak load in the evening when employees log in from home.
Deploying the Barracuda SSL VPN Vx
To deploy the Barracuda SSL VPN Vx, complete the following tasks:
1. Size the CPU, RAM, and Disk for your Barracuda SSL VPN Vx.
2. Deploy the Barracuda SSL VPN Vx virtual images.
3. (For VMware hypervisors) Enable Promiscuous mode on VMware for the Barracuda Network Connector.
4. Set up the Barracuda SSL VPN Vx with the Quick Start Guide.

Sizing CPU, RAM, and Disk for Your Barracuda SSL VPN Vx

Barracuda Networks recommends the following sizing for the initial deployment of your virtual appliance or the upgrade of existing installations.
Virtual Machine Sizing Requirements
Barracuda SSL VPN Vx Model | Licensed Cores | Recommended RAM | Recommended Hard Disk Space
V180 | 1 | 1 GB | 50 GB
V380 | 2 | 1 GB | 50 GB
V480 | 3 | 2 GB | 50-200 GB
V680 | 4 | 4 GB | 200-500 GB
V680 + additional cores license | Limited only by license | 1 GB per core | 500+ GB
Provisioning CPUs/Cores
You must provision the number of cores in your hypervisor before the Barracuda SSL VPN Vx can use them. Each model can only use a set number of cores. For example, if you assign 6 cores to the Barracuda SSL VPN Vx 380 (which can only use 2 cores), the virtual machine turns off the extra cores that cannot be used.
To add cores:
1. Shut down your hypervisor.
2. Go into the virtual machine settings.
3. Add CPUs. The number of available CPUs that are shown will vary with your hypervisor licensing and version. In some cases, the number of CPUs that you can add must be a multiple of 2.
Provisioning Hard Drives
Provision your hard disk space according to the Virtual Machine Sizing Requirements table. Barracuda Networks requires a minimum of 50 GB of hard disk space to run your Barracuda SSL VPN Vx.
From your hypervisor, you can either edit the provisioned size of the hard drives or add a hard drive.
To add a hard drive:
1. Shut down your Barracuda SSL VPN Vx.
2. Take a snapshot of your virtual machine.
3. Edit the settings in your virtual machine, and either increase the size of the hard drive or add a new hard drive.
4. Restart the virtual machine.
5. During the system bootup, answer Yes after the pop-out console displays a message asking if you want to use the new additional space. If you do not respond in 30 seconds, the pop-out console times out and defaults to No. Resizing can take several minutes, depending on the amount of provisioned hard drive space.
Recommended VMware Provisioning Format
If you are using VMware, note that VMware tools support thin provisioning, which is not currently available in the virtual product lines. Barracuda Networks recommends using the THICK provisioning format when allocating disk storage for your Barracuda Networks virtual machine.

How to Deploy Barracuda SSL VPN Vx Virtual Images

Barracuda offers three types of packages for virtual deployment. Follow the instructions for your hypervisor to deploy the Barracuda SSL VPN Vx appliance.
Package Type | Hypervisors
OVF images | VMware ESX and ESXi 3.5; VMware ESX and ESXi 4.x; Sun/Oracle VirtualBox and VirtualBox OSE 3.2
VMX images | VMware Server 2.0+; VMware Player 3.0+; VMware Workstation 6.0+; VMware Fusion 3.0+
XVA images | Citrix Xen Server 5.5+
Deploying OVF Images
VMware ESX and ESXi 3.5
Use the OVF file ending in -35.ovf for this hypervisor.
1. From the File menu in the VMware Infrastructure client, select Virtual Appliance > Import.
2. Select Import from file, and navigate to the BarracudaSSLVPN-vm<version#>-fw__FIRMWARE__-<version#>.ovf file.
3. Click Next to review the appliance information, review the End User License Agreement, and give the virtual appliance a name that is useful to your environment.
4. Click Finish.
5. After your appliance finishes importing, right-click it, select Open Console, and then click the green arrow to power on the virtual appliance.
6. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
VMware ESX and ESXi 4.x
Use the OVF file ending in -4x.ovf for this hypervisor.
1. From the File menu in the vSphere client, select Deploy OVF Template.
2. Select Import from file, and navigate to the BarracudaSSLVPN-vm3.1.0-fw__FIRMWARE__-20120327-4x.ovf file.
3. Click Next to review the appliance information, review the End User License Agreement, and give the virtual appliance a name that is useful to your environment.
4. Set the network to point to the target network for this virtual appliance.
5. After your appliance finishes importing, right-click it, select Open Console, and then click the green arrow to power on the virtual appliance.
6. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
Sun/Oracle VirtualBox and VirtualBox OSE 3.2
Use the OVF file ending in -4x.ovf for this hypervisor.
1. From the File menu in the VirtualBox client, select Import Appliance.
2. Navigate to the BarracudaSSLVPN-vm3.1.0-fw__FIRMWARE__-20120327-4x.ovf file.
3. Use the default settings for the import, and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
If you are deploying the Barracuda SSL VPN Vx on a VMware hypervisor, complete How to Enable Promiscuous Mode on VMware for the Barracuda Network Connector after deploying the VM.
Deploying VMX Images
VMware Server 2.x
1. Put the files ending in .vmx and .vmdk into a folder in your datastore (which you can locate from the Datastores list on your server's summary page).
2. From the VMware Infrastructure Web Access client's Virtual Machine menu, select Add Virtual Machine to Inventory.
3. Navigate to the folder used in step 1, and click the BarracudaSSLVPN.vmx file from the list under Contents.
4. Click OK.
5. Start the appliance.
6. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
VMware Player 3.x
1. From the File menu, select Open a Virtual Machine.
2. Navigate to the BarracudaSSLVPN.vmx file.
3. Use the default settings, and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
VMware Workstation 6.x
1. From the File menu, select Open a Virtual Machine.
2. Navigate to the BarracudaSSLVPN.vmx file.
3. Use the default settings, and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
VMware Fusion 3.x
1. From the File menu, select Open a Virtual Machine.
2. Navigate to the BarracudaSSLVPN.vmx file.
3. Use the default settings, and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your Barracuda SSL VPN Vx appliance.
Deploying XVA Images
Citrix XEN Server 5.5+
1. From the File menu in the XenCenter client, select Import.
2. Browse to the BarracudaSSLVPN-<version#>-fw__FIRMWARE__-<version#>.xva file, and click Next.
3. Follow the instructions to configure the Storage and Networking pages.
4. When prompted, review the template information and click Finish to import the template.
5. Right-click the resulting template, and select New VM.
6. Follow the Quick Start Guide instructions to provision your virtual appliance.

How to Enable Promiscuous Mode on VMware for the Barracuda Network Connector

If your virtual appliance is running on a VMware hypervisor, you must enable promiscuous mode on the appliance so that Barracuda Network Connector can work correctly.
About Promiscuous Mode
Place the virtual network adapter for the Barracuda SSL VPN Vx in promiscuous mode so that it can detect all frames that are passed on the virtual switch.
If you have already set up a Barracuda SSL VPN Vx system but did not enable promiscuous mode, you may see issues where the network connectivity seems intermittent. Experience suggests that the virtual interface does not receive all of the packets that it should. As a result, Barracuda Networks recommends that you configure a port group to allow promiscuous mode.
VMware Player cannot edit the network/vswitch settings. This can cause problems when testing the Network Connector.
Enable Promiscuous Mode on a vSwitch
Add a new port group, and set it to promiscuous mode. Then set your VM client to the port group.
1. Log into the vSphere client, and select the ESX host.
2. Click the Configuration tab.
3. From the Hardware menu in the left pane, select Networking.
4. On the summary page for the virtual switch, click the Properties link.
In the vSwitch properties window that opens, you can modify the configuration by port group. Under the Ports tab, virtual port groups are listed. Under the Network Adapters tab, physical network interface cards in the server are listed. To see a summary of a port group's settings, click its name. In the figure below, you can see that Promiscuous Mode is set to Reject (off).
5. Add a port group.
   a. Under the Ports tab, click Add.
   b. Select Virtual Machine, and click Next.
   c. Enter a Network Label, and set the VLAN ID to 4095 to enable trunking on the port group. This creates a VMware VLAN that lets the port group see the traffic on any VLAN without altering the VLAN tags.
   d. Click Finish.
6. Set the port group to promiscuous mode.
   a. Select your new port group, and click Edit.
   b. Click the Security tab.
   c. From the Promiscuous Mode list, select Accept.
   d. Click OK, and then click Close.
7. Set your VM client to the new port group.
   a. Right-click the Barracuda SSL VPN virtual machine, and select Edit Settings.
   b. In the left pane, click Network Adapter 1.
   c. In the Network Connection section, select the port group that you just created and click OK.

Barracuda SSL VPN Vx Quick Start Guide

After your virtual appliance has been deployed, you must provision it. You need your Barracuda Vx license token, which you received via email or from the website when you downloaded the Barracuda SSL VPN Vx package. The license token is a 15 character string, formatted like this: 01234-56789-ACEFG.
Complete the following steps:
- Before You Begin
- Step 1. Enter the License Code
- Step 2. Open Firewall Ports
- Step 3. Log Into the Appliance Web Interface and Verify Configuration
- Step 4. Update the Firmware
- Step 5. Change the Administrator Password for the Appliance Web Interface
- Step 6. Route Incoming SSL Connections to the Barracuda SSL VPN Vx
- Step 7. Verify Incoming SSL Connections to the Barracuda SSL VPN Vx
- Next Step
Related Articles
- Barracuda SSL VPN Administrative Interfaces
- Backing Up Your Virtual Machine System State
Before You Begin
Deploy the Barracuda SSL VPN Vx on your hypervisor. For more information, see How to Deploy Barracuda SSL VPN Vx Virtual Images.
Step 1. Enter the License Code
Enter the license token to start automatically downloading your license.
1. Start your virtual appliance.
2. Open the console for the Barracuda SSL VPN virtual machine.
3. When the login prompt appears, log in as admin with the password admin.
4. In the text-based menu, set the IP address and, under Licensing, enter your Barracuda license token and default domain to complete provisioning. The virtual machine reboots after you finish the configuration.
Step 2. Open Firewall Ports
If your Barracuda SSL VPN Vx is located behind a corporate firewall, open the following ports on your firewall to ensure proper operation:
Port   Protocol   Direction   Usage
22     TCP        Out         Remote diagnostics and service (recommended)
25     TCP        Out         Email alerts and one-time passwords
53     TCP/UDP    Out         DNS
80     TCP        Out         Energize Updates
123    UDP        Out         Network Time Protocol (NTP)
443    TCP        In/Out      HTTPS/SSL port for SSL VPN access
8000   TCP        In/Out      External appliance administrator port (HTTP)
8443   TCP        In/Out      External appliance administrator port (HTTPS)
If PPTP or L2TP/IPsec access is required, also open the following ports:
Port   Protocol   Direction   Usage
47     GRE        In/Out      PPTP
1723   TCP        In          PPTP
500    UDP        In          L2TP/IPsec
4500   UDP        In          L2TP/IPsec
Note: Only open the appliance administrator interface ports on 8000/8443 if you intend to manage the appliance from outside the corporate network.
Configure your network firewall to allow ICMP traffic to outside servers, and open port 443 to updates.barracudacentral.com. You must also verify that your DNS servers can resolve updates.barracudacentral.com from the Internet.
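The port tables and the note on ports 8000/8443 above can be turned into a repeatable check of a firewall rule export. The following is an added example, not part of the Barracuda manual: the Rule type, the function names and the sample rule set are assumptions constructed for illustration.

```python
"""Audit perimeter-firewall rules against the Step 2 port tables (added example)."""
from typing import NamedTuple


class Rule(NamedTuple):
    direction: str  # "in" = Internet -> appliance, "out" = appliance -> Internet
    protocol: str   # "TCP", "UDP" or "GRE"
    port: int       # the manual lists GRE as "47", which is its IP protocol number


# Transcribed from the manual's tables; each "In/Out" row becomes two entries.
BASE = {
    Rule("out", "TCP", 22),                             # remote diagnostics (recommended)
    Rule("out", "TCP", 25),                             # email alerts, one-time passwords
    Rule("out", "TCP", 53), Rule("out", "UDP", 53),     # DNS
    Rule("out", "TCP", 80),                             # Energize Updates
    Rule("out", "UDP", 123),                            # NTP
    Rule("in", "TCP", 443), Rule("out", "TCP", 443),    # SSL VPN access
}
PPTP = {Rule("in", "GRE", 47), Rule("out", "GRE", 47), Rule("in", "TCP", 1723)}
L2TP_IPSEC = {Rule("in", "UDP", 500), Rule("in", "UDP", 4500)}
ADMIN_HTTP = Rule("in", "TCP", 8000)
ADMIN_HTTPS = Rule("in", "TCP", 8443)


def expected_rules(remote_admin=False, pptp=False, l2tp_ipsec=False):
    """Build the rule set the manual calls for in this deployment."""
    expected = set(BASE)
    if remote_admin:
        # The manual recommends the HTTPS port (8443) for remote management.
        expected.add(ADMIN_HTTPS)
    if pptp:
        expected |= PPTP
    if l2tp_ipsec:
        expected |= L2TP_IPSEC
    return expected


def audit(rules, remote_admin=False, pptp=False, l2tp_ipsec=False):
    """Return (finding, Rule) pairs: missing rules first, then risky inbound ones."""
    actual = {Rule(r.direction.lower(), r.protocol.upper(), r.port) for r in rules}
    expected = expected_rules(remote_admin, pptp, l2tp_ipsec)
    findings = [("MISSING", r) for r in sorted(expected - actual)]
    for r in sorted(actual - expected):
        if r.direction != "in":
            continue  # extra egress rules are outside what the manual's table covers
        if r == ADMIN_HTTP and remote_admin:
            findings.append(("PREFER-HTTPS", r))        # admin GUI over plain HTTP
        elif r in (ADMIN_HTTP, ADMIN_HTTPS):
            findings.append(("ADMIN-EXPOSED", r))       # admin GUI reachable from outside
        else:
            findings.append(("UNEXPECTED-INBOUND", r))
    return findings


# Constructed sample: NTP egress is missing, both admin ports and PPTP's
# TCP 1723 are forwarded although neither remote management nor PPTP is planned.
SAMPLE_RULES = [r for r in BASE if r != Rule("out", "UDP", 123)] + [
    ADMIN_HTTP, ADMIN_HTTPS, Rule("in", "TCP", 1723),
]

if __name__ == "__main__":
    for finding, rule in audit(SAMPLE_RULES):
        print(f"{finding:19} {rule.direction:3} {rule.protocol}/{rule.port}")
```

Pass remote_admin=True only when the appliance is deliberately managed from outside the corporate network; the audit then expects 8443 inbound and still flags 8000.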
Step 3. Log Into the Appliance Web Interface and Verify Configuration
Log into the Barracuda SSL VPN Vx web interface, and finalize the configuration of the appliance.
1. In your browser, go to https://<configured IP address for the Barracuda SSL VPN>:8443.
2. Log into the Barracuda SSL VPN Vx web interface as the administrator:
   Username: admin
   Password: admin
3. Go to the BASIC > IP Configuration page and verify that the following settings are correct:
   - IP Address, Subnet Mask, and Default Gateway.
   - Primary DNS Server and Secondary DNS Server.
   - (If you are using a proxy server on your network) Proxy Server Configuration.
Step 4. Update the Firmware
Go to the ADVANCED > Firmware Update page. If there is a new Latest General Release available, perform the following steps to update the system firmware:
1. Click Download Now next to the firmware version that you want to install.
2. When the download finishes, click Apply Now to install the firmware. The firmware installation takes a few minutes to complete.
3. After the firmware has been applied, the Barracuda SSL VPN Vx automatically reboots. The login page displays when the system has come back up. Log back into the web interface, and read the Release Notes to learn about enhancements and new features.
For more information, see Update Firmware.
Step 5. Change the Administrator Password for the Appliance Web Interface
To prevent unauthorized use, change the default administrator password to a more secure password. Go to the BASIC > Administration page, enter your old and new passwords, and then click Save Password. This only changes the password for the appliance web interface. The password for the ssladmin user on the SSL VPN web interface must be changed separately.
Step 6. Route Incoming SSL Connections to the Barracuda SSL VPN Vx
Route HTTPS incoming connections on port 443 to the virtual appliance. This is typically achieved by configuring your corporate firewall to port forward SSL connections directly to the Barracuda SSL VPN Vx.
Step 7. Verify Incoming SSL Connections to the Barracuda SSL VPN Vx
After you configure your corporate firewall to route SSL connections to the Barracuda SSL VPN Vx, verify that you can accept incoming SSL connections.
Ports for Remote Appliance Management
If you are managing the virtual appliance from outside the corporate network, the appliance administrator web interface ports on 8000/8443 need similar port forward configurations. Barracuda Networks recommends that you use the appliance web interface on port 8443 (HTTPS).
1. Test the connection by using a web browser from the Internet (not inside the LAN) to establish an SSL connection to the external IP address of your corporate firewall. For example, if your firewall's external IP address is 23.45.67.89, go to https://23.45.67.89 in your browser.
2. When you are prompted to accept an untrusted SSL certificate, accept the warning and proceed to load the page.
If you see the Barracuda SSL VPN login screen, this confirms that your appliance can receive connections from the Internet.
Next Step
Configure your virtual machine. For instructions, see Getting Started.

High Availability Deployment

High availability is available for the Barracuda SSL VPN 480 and above. Clustering two or three Barracuda SSL VPNs provides you with a high-availability, fault-tolerant environment that supports data redundancy and centralized policy management. After you configure one HA unit, configuration settings are synchronized across the cluster. You can cluster the Barracuda SSL VPN in two ways: simple high availability or high availability with a load balancer.
Simple High Availability
If you configure two or more Barracuda SSL VPNs in a high availability setup without a load balancer, configurations are synced between the units but only one unit processes traffic. The secondary unit is passive and monitors the health of the primary unit. If the active system becomes unavailable, the secondary unit takes over automatically.
For more information, see How to Configure a High Availability Cluster.
High Availability with a Load Balancer
If you want all clustered Barracuda SSL VPNs to process traffic, use a load balancer (such as the Barracuda Load Balancer) to direct traffic to the HA units while maintaining session persistence. You must have a load balancer to spread the load over all Barracuda SSL VPN cluster members. It is recommended that you configure the Barracuda Load Balancer in Bridge-Path (recommended) or Route-Path mode.
To cluster your Barracuda SSL VPNs with a load balancer, complete the following tasks:
1. Configure the Barracuda Load Balancer. For instructions, see Barracuda Load Balancer Bridge-Path Deployment or How to Set Up a Barracuda Load Balancer for Route-Path Deployment.
2. Configure Simple High Availability. See How to Configure a High Availability Cluster.

How to Configure a High Availability Cluster

Follow these instructions to cluster your Barracuda SSL VPN systems. These instructions apply both to simple high availability and to clustering with a load balancer.
In this article:
- Before you Begin
- Adding an Appliance to the Cluster
- Simple High-Availability
- Creating a High-Availability Cluster
- Setting Non-Proxied Hosts
- Non-Clustered Data
Related Articles
- High Availability Deployment
- How to Update Firmware of Systems in a Cluster
Before you Begin
Log in to the appliance interface using the admin account, and perform the following steps for each system that will be in the cluster:
1. Complete the installation process.
2. Make sure that each Barracuda SSL VPN is the same model. It is possible to mix hardware and virtual appliances.
3. Make sure that each Barracuda SSL VPN is on exactly the same firmware version using the ADVANCED > Firmware page.
4. Make sure that each Barracuda SSL VPN has the same time zone using the BASIC > Administration page.
5. Create a backup of the existing Barracuda SSL VPN configuration using the ADVANCED > Backup page.
6. Use the ADVANCED > Task Manager page to verify that no processes are running.
7. On this page, enter the Cluster Shared Secret and click Save Changes. This is the password shared by all Barracuda SSL VPN appliances in this cluster. It is limited to only ASCII characters.
Adding an Appliance to the Cluster
Any Barracuda SSL VPN appliance that is added to the cluster will have most of its local data (except user data and that specified in Non-Clustered Data) overwritten with settings extracted from the cluster. The first system (the one identified first in the Add System field) is the source for the initial settings.
1. In the Add System field, enter the IP address of a system in the cluster (or, the first system if the cluster has not yet been created). A fully-qualified domain name can be entered, but could cause name resolution issues so is not recommended.
2. Click Join Cluster. The time to complete the join depends on the number of users, domains, and the load on each Barracuda SSL VPN appliance. During this time the configuration from the other system will be copied onto this system. The system will restart, and you will need to log in and navigate to this page.
3. On each system in the cluster, perform the following:
   a. Refresh the ADVANCED > Linked Management page to view the updated status.
   b. Verify that the Clustered Systems list contains the IP address of each clustered system.
   c. Verify that the Connection Status indicates that each clustered system is up and communicating with this system. The column displays green for each system that is available and red for each system that cannot be reached. Initially, it may take up to a minute for the status light to turn green.
   d. The Synchronization Latency field tells how long it takes to send updates to each of the other systems in the cluster. The value of this field should be 2 seconds or less. If it is greater, configuration changes may not be propagated correctly. The Mode column in the Clustered Systems table should usually show all systems in the cluster as being active. If a system is in standby mode, changes to its configuration are not propagated to other systems in the cluster.
4. (Optional) Distribute the incoming SSL traffic to each Barracuda SSL VPN using a load balancer.
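The prerequisites under Before you Begin and the status checks in step 3 above lend themselves to a scripted review of a cluster inventory. The following is an added example, not part of the Barracuda manual: the Node fields, function names, numeric model field and sample values (including the firmware version strings) are assumptions constructed for illustration, and the values would be copied by hand from each appliance's web interface.

```python
"""Cluster checks from 'Before you Begin' and the post-join status review (added example)."""
import ipaddress
from dataclasses import dataclass

HA_MIN_MODEL = 480         # manual: high availability is available for the 480 and above
MAX_SYNC_LATENCY_S = 2.0   # manual: Synchronization Latency should be 2 seconds or less


@dataclass
class Node:
    address: str                 # value to be typed into the Add System field
    model: int                   # assumption: numeric part of the model name
    firmware: str
    time_zone: str
    connection_ok: bool = True   # Connection Status: green (True) or red (False)
    sync_latency_s: float = 0.0  # Synchronization Latency, in seconds
    mode: str = "active"         # Mode column of the Clustered Systems table


def _is_ip(value):
    """True when the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def prejoin_problems(nodes, shared_secret):
    """Check the conditions the manual sets before any system joins the cluster."""
    problems = []
    for attr in ("model", "firmware", "time_zone"):
        values = {getattr(n, attr) for n in nodes}
        if len(values) > 1:
            problems.append((f"{attr}-mismatch", sorted(map(str, values))))
    for n in nodes:
        if n.model < HA_MIN_MODEL:
            problems.append(("model-without-ha", n.address))
        if not _is_ip(n.address):
            # An FQDN is accepted but can cause name resolution issues.
            problems.append(("fqdn-not-recommended", n.address))
    if not shared_secret or not shared_secret.isascii():
        problems.append(("secret-invalid", None))  # must be non-empty ASCII
    return problems


def postjoin_problems(nodes):
    """Check the Clustered Systems table values after the join has completed."""
    problems = []
    for n in nodes:
        if not n.connection_ok:
            problems.append(("unreachable", n.address))
        if n.sync_latency_s > MAX_SYNC_LATENCY_S:
            problems.append(("sync-latency", n.address))
        if n.mode != "active":
            # Changes made on a standby system are not propagated to the cluster.
            problems.append(("standby", n.address))
    return problems


# Constructed inventory: one node is a firmware build behind and slow to sync,
# one is referenced by name instead of IP address and is in standby mode.
SAMPLE_NODES = [
    Node("192.168.0.10", 480, "2.4.0.9", "UTC"),
    Node("192.168.0.11", 480, "2.4.0.8", "UTC", sync_latency_s=3.5),
    Node("vpn3.example.com", 480, "2.4.0.9", "UTC", mode="standby"),
]

if __name__ == "__main__":
    for problem in prejoin_problems(SAMPLE_NODES, "s3cr\u00e9t"):
        print("pre-join :", problem)
    for problem in postjoin_problems(SAMPLE_NODES):
        print("post-join:", problem)
```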
Simple High-Availability
Simple High-Availability (HA) can be used in cases where more than one Barracuda SSL VPN is available to create a failover cluster but a load balancer is not in use. Only one SSL VPN system will actively process traffic. The other system(s) will act as passive backup(s).
In an HA cluster, a virtual IP address is used to access the SSL VPN service. If the active system becomes unavailable, one of the passive systems in the cluster will become active and serve requests directed to the virtual IP address. You will use the individual IP addresses of the systems in the cluster for management. When the originally active SSL VPN appliance becomes available again, it will act as a passive backup.
Creating a High-Availability Cluster
Use the following steps to create a high-availability cluster.
1. Complete the steps in the Adding an Appliance to the Cluster task above.
2. In the Simple High-Availability section, enter the Virtual IP address.
3. On the initially-active system, select the High-Availability Master option.
Setting Non-Proxied Hosts
If the Barracuda SSL VPN systems are using a proxy (BASIC > IP Configuration), then you must also configure non-proxy hosts in the Barracuda SSL VPN appliance interface on port 443. To do this, log onto each Barracuda SSL VPN appliance interface. From the ADVANCED > Configuration > Proxies page, make sure there is a non-proxied host entry for your IP range that the clustered systems are on (for example 192.168.0.*). Without this setting, data synchronization may not occur and your systems will not be truly clustered.
Non-Clustered Data
The following data is not propagated to each system in the cluster:
- IP Address, Subnet Mask, and Default Gateway (on the BASIC > IP Configuration page).
- Primary DNS Server and Secondary DNS Server (on the BASIC > IP Configuration page).
- Serial number (this will never change).
- Hostname (on the BASIC > IP Configuration page).
- All SSL information, including saved certificates (on the BASIC > SSL Certificate page).
- Any advanced IP configuration (models 600 and above, on the ADVANCED > Advanced IP Configuration page).
- Administrator password.
- Cluster Shared Secret, though this must be the same for the cluster to work properly (on the ADVANCED > Linked Management page).
- Time Zone (on the BASIC > Administration page).
- The appliance GUI and SSL VPN HTTP and HTTPS ports.
- Whether the latest release notes have been read.
- All customized branding (models 600 and above, on the ADVANCED > Appearance page).
Energize updates do not synchronize across systems in a cluster.

Licensing

The Barracuda SSL VPN virtual and physical appliances have different base licenses. For both appliance types, add-on subscription licenses are also available.
In this article:
- Hardware Licenses
- Vx Licenses
- Subscription-Based Licenses
- Energize Updates
- Instant Replacement
- Premium Support
Hardware Licenses
Hardware appliances are limited only by the performance of the appliance's hardware. There is no limit to how many users can concurrently connect to the appliance. To help you size the appliance, Barracuda Networks provides a recommended number of concurrent users. If you are using the appliance with more than the recommended number of users, its performance declines, but users can continue using it.
Vx Licenses
Virtual licenses are limited by the number of CPU cores that are licensed for the appliance model. There is no per user license. If you use your Barracuda SSL VPN Vx with more users than recommended, the performance of the appliance declines but no users are blocked. When your user base grows, you can upgrade the license and add additional cores to the virtual machine for increased performance.
Subscription-Based Licenses
The following subscription-based licenses are available:
Energize Updates
Energize Updates offer the latest firmware, application definition, and security updates for your system. It also includes standard technical support (24x5).
Instant Replacement
With Instant Replacement, a replacement for your Barracuda SSL VPN hardware ships within 1 day if your appliance fails. Every 4 years, your Barracuda SSL VPN is replaced by a new appliance with the latest hardware for your SSL VPN model. Standard technical support (24x7) is also included.
An active Energize Updates subscription is required for the Instant Replacement subscription.
Premium Support
Premium Support subscriptions offer the highest level of 24/7 technical support for mission critical environments. Barracuda Networks is committed to meeting the demands of these environments by providing a dedicated and highly-trained technical support team.
An active Energize Updates subscription is required for the Premium Support Subscription.

Getting Started

Follow the instructions in this guide after you complete the steps explained in the Barracuda SSL VPN Quick Start Guide (PDF) that shipped with your appliance.
For more questions about your Barracuda SSL VPN license, contact your Barracuda Networks sales representative.
In this article:
- Before You Begin
- Step 1. Install the SSL Certificate
- Step 1.1. (Optional) Generate a CSR Request
- Step 1.2. Upload Signed Certificates
- Step 2. Configure System Contact and Alert Email Addresses
- Step 3. Change the Administrator's Password for the SSL VPN Web Interface
- Next Steps
Related Articles
- Administrative Interfaces
- Barracuda SSL VPN Quick Start Guide (PDF)
Before You Begin
- Install Java Runtime version 1.6 or above on your client computers.
- Register a full DNS name for the Barracuda SSL VPN (e.g., sslvpn.example.com).
- (Recommended) Purchase an SSL certificate signed by a trusted CA.
Step 1. Install the SSL Certificate
To prevent certificate errors whenever your users connect to the Barracuda SSL VPN, it is recommended that you install an SSL certificate signed by a trusted CA. You can generate the signing request directly on the Barracuda SSL VPN. Your SSL certificate must use the full DNS name (e.g., sslvpn.example.com) for the Common Name attribute.
Step 1.1. (Optional) Generate a CSR Request
To generate a CSR request:
1. Log into the appliance web interface (e.g., https://sslvpn.example.com:8443).
2. Go to the BASIC > SSL Certificate page.
3. From the Certificate Type list, select Trusted (Signed by a trusted CA).
4. In the Trusted (Signed by a trusted CA) section, click Edit Data.
5. In the CSR Generation window, enter the full DNS name (e.g., sslvpn.example.com), enter the requested information about your organization, and then click Save Changes.
6. Click Download CSR.
You can now submit the CSR to your Certificate Authority.
Step 1.2. Upload Signed Certificates
When the certificates are uploaded to the Barracuda SSL VPN, the Certificate Candidates table displays the current status of the certificates. The Status column displays OK when all required certificates have been uploaded.
1. Log into the appliance web interface (e.g., https://sslvpn.example.com:8443).
2. Go to the BASIC > SSL Certificate page.
3. From the Certificate Type list, select Trusted (Signed by a trusted CA).
4. In the Trusted (Signed by a trusted CA) section, upload the certificates that you received from the CA in the following order:
   a. Root CA certificate (PEM or PKCS12)
   b. (Depending on your CA) Intermediate CA certificate (PEM or PKCS12)
   c. SSL server certificate (PEM or PKCS12)
5. Click Use.
6. In the Synchronize SSL section, click Synchronize.
Your SSL certificate is now installed on both the appliance and the SSL VPN web interface. To avoid Java runtime certificate errors, use the full DNS name to connect to your Barracuda SSL VPN.
Step 2. Configure System Contact and Alert Email Addresses
Specify the email addresses of those who should receive notifications from the Barracuda SSL VPN and emails from Barracuda Central.
1. Log into the appliance web interface (e.g., https://sslvpn.example.com:8443).
2. Go to the BASIC > Administration page.
3. In the Email Notification section, enter the email addresses of those who should receive system alerts and security news and updates.
4. Click Save Changes.
Step 3. Change the Administrator's Password for the SSL VPN Web Interface
Change the password used by ssladmin to log into the SSL VPN web interface.
1. Log into the SSL VPN web interface (e.g., https://sslvpn.example.com) with the default username and password of ssladmin.
2. Click Manage System, and then go to the ACCESS CONTROL > Accounts page.
3. In the Accounts section, locate the ssladmin user and click More.
4. Select Set Password.
5. Enter the new password and click Save. The password must conform to the password rules defined for the appliance.
Next Steps
After you set up and explore the Barracuda SSL VPN, you can complete the following tasks:
Task                                              Articles
Configure a User Database.                        How to Create and Modify User Databases
                                                  Example - Create a User Database with Active Directory
Configure Authentication Schemes.                 Authentication Schemes
Configure Policies.                               How to Configure Policies
Configure Access Rights.                          Access Rights
Configure Resources.                              Resources
(Optional) Configure L2TP/IPsec or PPTP access.   How to Configure IPsec
                                                  How to Configure PPTP

Administrative Interfaces

The Barracuda SSL VPN uses two administrative interfaces: the appliance web interface and the SSL VPN web interface.
Appliance Web Interface
You can access the appliance web interface at either of the following IP addresses:
https://<configured IP address for the Barracuda SSL VPN>:8443 or http://<configured IP address for the Barracuda SSL VPN>:8000
This interface listens on port 8000 (HTTP) or 8443 (HTTPS). Log into this interface to configure all non-user facing options including network configuration, clustering, firmware upgrades, and Energize Updates. The default login credentials for the appliance web interface are:
User: admin Password: admin
SSL VPN Web Interface
You can access the SSL VPN web interface at:
https://<configured IP address for the Barracuda SSL VPN>
This interface listens on port 443 (HTTPS). Log into this interface to configure all settings for the SSL VPN service. It also includes all user facing settings and functionalities. The SSL VPN web interface can be used in two modes. You can switch between both modes by clicking the link in the upper right of the web interface:
- Manage System – Manage VPN access to the system.
- Manage Account – Manage the account settings.
The default login credentials for the SSL VPN web interface are:
User: ssladmin Password: ssladmin

Access Control

To access and use the resources provided by the Barracuda SSL VPN, a user must be able to authenticate. Additionally, the user's device must adhere to any configured network access control (NAC) policies. You can configure user authentication as either a single- or multi-factor process, using a combination of information stored in the authentication services and additional authentication procedures defined in the Barracuda SSL VPN. After users log in, the levels of access and privileges assigned to them on a per-resource basis are defined by the policies that you configured.
In this article:
- User Databases
- Authentication
- Policies
- Network Access Control (NAC)
User Databases
Users and groups can be stored locally on the Barracuda SSL VPN's built-in user database or retrieved from external authentication servers. User databases define where user information is stored. The Barracuda SSL VPN 380 and above can use multiple user databases. You can configure every user database with global access rights and delegate some Super User responsibilities to users in the usermanagement database.
For more information, see How to Create and Modify User Databases.
Authentication
User authentication is not limited to password authentication. For greater security, the Barracuda SSL VPN provides multi-factor authentication. You can choose to activate a combination of the following authentication procedures:
- One-time passwords (sent via SMS or email)
- Authentication key
- Client certificates
- IP authentication
- PIN
- Security questions
- RADIUS
- Hardware token authentication (in combination with RADIUS or Client Certificates)
For more information on the available authentication schemes, see Authentication Schemes.
Policies
Policies are lists of users and groups that are attached to resources. Users can only access a resource if they are included in the policy attached to the resource. A resource can include multiple policies that contain separate lists of users and groups. You can grant different users with varying levels of access to a resource by assigning Access Rights to the user or group. To help you easily assign resources to everybody, a built-in Everyone policy is included by default. You can delete the Everyone policy, locking out all users who do not have a specific Profile, Authentication Scheme, or Access Right assigned to them. It is recommended that you create policies for every distinct user group. For example, in a company with three departments, you can create separate policies for each department, management user, and administrator.
For more information on Policies, see How to Configure Policies.
Network Access Control (NAC)
Network access control limits access to network resources, according to a variety of factors that are not connected to the user. Users who fail the NAC check are not allowed to log in until they have a conforming system. You can define exceptions for single users, so that they can continue using the service until they have time to update their system. User systems are evaluated by the following parameters:
- Time of day
- Operating system (type and if it is up-to-date)
- IP and MAC address
- Browser type and version
- Antivirus state (installed/up-to-date)
- Firewall
- Version of plugins installed
- Type of connection (Wi-Fi)
- Domain membership
To configure NAC, go to Manage System > ACCESS CONTROL > NAC. To define exceptions, go to Manage System > ACCESS CONTROL > NAC Exceptions.

How to Create and Modify User Databases

A user database specifies where user authentication information is stored. The Barracuda SSL VPN 380 and above support multiple user databases, letting you define different access policies for resources that are shared by users. The Barracuda SSL VPN supports authentication with the following services:
- Active Directory
- LDAP
- NIS
- OpenLDAP
- Built-in internal user database
Create the User Database
To create the user database:
1. Log into the SSL VPN web interface.
2. Go to the Manage System > ACCESS CONTROL > User Databases page.
3. Enter a Name for the database.
4. In the Create User Database section, select and configure the authentication service.
5. Click Add.
The user database is now listed in the User Database section. For more detailed information on how to create a user database with an external authentication service, see Example - Create a User Database with Active Directory.
Delete the User Database
To delete a user database, go to the Manage System > ACCESS CONTROL > User Databases page and click Delete next to the user database that you want to remove.
Modify the User Database
To modify a user database, go to the Manage System > ACCESS CONTROL > User Databases page and click Edit next to the user database that you want to modify. You can now edit all settings for the user database. You can change authentication services for a user database; for example, you can switch to using Active Directory after using the built-in user database.

Example - Create a User Database with Active Directory

On the Barracuda SSL VPN, you can use an external Active Directory server for a user database. If you are using multiple user databases, on the Barracuda SSL VPN 380 or above, each user database manages its own authentication server configuration, so you can configure multiple Active Directory servers on the same unit.
Related Articles
Access Control
How to Create and Modify User Databases
Before You Begin
Before you begin, verify that your Barracuda SSL VPN can reach your Microsoft Active Directory server. If you deployed your Barracuda SSL VPN in a DMZ, open the necessary ports for read or read/write access to your Active Directory server.
You also need the following information:
Domain controller hostname
Domain
Service account name
Service account password
Configure the User Database to Use an Active Directory Server
In the user database, provide the information required to connect with the Active Directory server.
1. Go to the ACCESS CONTROL > User Databases page.
2. In the Create User Database section, click the Active Directory tab.
3. In the Connection section, enter the following information:
Domain Controller Hostname – The name of the domain controller.
Domain – The domain.
Service Account Name – The user with permissions for read or read/write access to the Active Directory server. Write permissions must be configured in the Advanced Settings.
Service Account Password – The password for the user.
4. (Optional) Click Show Advanced Settings to configure Backup Domain Controller, SSL, read/write access, and OU Filters.
5. Click Add.
After you add the user database, it appears in the User Databases section on the bottom of the page.

Authentication Schemes

To authenticate users with more than just their usernames and passwords, configure authentication schemes. Every authentication scheme comprises at least one authentication module, such as PINs, passwords, certificates, or one-time-passwords. You can add as many authentication modules as your security policy requires. You can also configure a secure, default authentication method and offer users an alternative method to log in. For example, you can require users to use their hardware token with client certification for normal logins, but allow them to log in with a password and PIN code if they are using a computer that cannot use hardware tokens.
Some authentication modules must be used with other authentication modules. These modules are referred to as "secondary" authentication modules because they require user information. Some modules can be used as primary or secondary authentication modules. The following table lists the type of each available authentication module:

| Authentication Module | Type |
| --- | --- |
| Client Certificate | Primary/Secondary |
| IP Address | Primary/Secondary |
| Password | Primary/Secondary |
| PIN | Primary/Secondary |
| Public Key | Primary/Secondary |
| RADIUS | Primary/Secondary |
| OTP (One-Time Passwords) | Secondary |
| Personal Questions | Secondary |
Client Certificate
The Client Certificate module validates an SSL client certificate installed in the browser's certificate store against the root certificate that is uploaded to the Barracuda SSL VPN. The SSL client certificate can be installed manually, per Active Directory policy, or with a hardware token using the vendor's utility. It is recommended that you use the Client Certificate module as a secondary module, because it authenticates the browser and not the user directly. This is not the case when using hardware tokens or SSL client certificates containing user information that is checked when processing the login.
For more information, see How to Configure SSL Client Certificate Authentication.
IP Address
The IP Address module is useful when users always log in from the same computer with the same IP address. You must manually specify the allowed IP address for every user. If a user tries to authenticate from a computer with a different IP address, the login attempt is denied.
To configure the IP Address module, go to the ACCESS CONTROL > Accounts page and specify the allowed IP address for each user. To let a user log in from any IP address, enter an asterisk (*).
Password
Password authentication is the classic authentication module and is used for almost every account. Passwords can be used either from external authentication sources, such as an Active Directory server, or from the built-in user database. You can define a password policy to ensure that only safe passwords are used. Passwords for external authentication methods can only be changed if the appliance has read/write access.
For more information on external authentication, see How to Create and Modify User Databases.
PIN
A PIN is a numeric password. Its length is configurable and usually varies between four and six digits. You can let users create their PINs during initial logins, or you can manually assign PINs. After a PIN's configured lifetime, it expires and the user is asked to create a new PIN during the next login. To prevent weak PINs, disable the use of sequential numbers (e.g., 1234).
To configure the PIN module, go to the PIN section on the ACCESS CONTROL > Security Settings page.
Public Key
Public key authentication is one of the most secure methods of authentication, because the authentication information can be stored on a removable medium such as a USB key device. You can generate the key files for every user, or you can reset the public keys for everyone, letting users generate the keys during initial logins. After the key is generated, the login applet searches external media and the user's home directory for available keys. The user selects the correct key and enters the matching passphrase to complete the login.
For more information, see How to Configure Public Key Authentication.
RADIUS
External RADIUS servers can be queried by the appliance to authenticate users. RADIUS servers are often used for external authentication methods that require users to enter a secondary challenge password.
RADIUS servers are also integrated with some hardware token solutions. The hardware token generates a login passphrase and the RADIUS server interfaces with the external security appliance from the hardware token vendor, validating the string from the hardware key generator. Challenge images can be used in combination with RADIUS authentication.
Because the RADIUS server is an external authentication service, it is not managed by the appliance. You must verify that the user information hosted on the RADIUS server corresponds to the information stored in the user database on the Barracuda SSL VPN.
For more information, see Example - How to Install and Configure YubiRADIUS and Example - Authentication with SMS Passcode RADIUS server.
OTP (One-Time Password)
You can use one-time password (OTP) authentication as only a secondary authentication module. The OTP is generated by the appliance at login and is only valid for a short period of time. The OTP can be delivered by email or SMS (if an external SMTP to SMS service is available). If you do not want users to wait for OTPs during login, you can configure the appliance to deliver OTPs before login and set a longer expiration time (hours or days). If a user's OTP expires before it can be used, a new OTP is sent during the user's next login. External OTP systems (e.g., SMS Passcode) interface with the Barracuda SSL VPN via the RADIUS server and not with the OTP authentication module.
For more information, see How to Configure One-Time Password (OTP) Authentication.
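The OTP lifecycle described above (short validity, single use, a fresh code once the old one has expired) can be sketched as follows. This is an added example, not Barracuda's code: the class name OtpStore, the 6-digit format, the hashed storage, and the three-failure limit are all assumptions made for illustration.

```javascript
// Added illustration of an appliance-generated OTP's lifecycle (assumed design).
const crypto = require('node:crypto');

class OtpStore {
  // ttlMs is the validity window: minutes for "at login" delivery,
  // hours or days when OTPs are delivered before login.
  constructor(ttlMs, now = () => Date.now(), maxFailures = 3) {
    this.ttlMs = ttlMs;
    this.now = now;                 // injectable clock so expiry can be tested
    this.maxFailures = maxFailures; // assumed guess limit per issued code
    this.records = new Map();       // username -> { digest, expiresAt, failures }
  }

  static digest(code) {
    return crypto.createHash('sha256').update(code).digest();
  }

  // Generate a 6-digit code from the CSPRNG and keep only its hash.
  issue(username) {
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
    this.records.set(username, {
      digest: OtpStore.digest(code),
      expiresAt: this.now() + this.ttlMs,
      failures: 0,
    });
    return code; // handed to the email or SMS-over-email delivery step
  }

  // Returns 'ok', 'expired' (caller sends a new OTP), or 'invalid'.
  verify(username, submitted) {
    const rec = this.records.get(username);
    if (!rec) return 'invalid';
    if (this.now() >= rec.expiresAt) {
      this.records.delete(username);
      return 'expired';
    }
    // Compare fixed-length digests in constant time.
    const match = crypto.timingSafeEqual(OtpStore.digest(String(submitted)), rec.digest);
    if (!match) {
      if (++rec.failures >= this.maxFailures) this.records.delete(username);
      return 'invalid';
    }
    this.records.delete(username); // one-time: the same code cannot be used again
    return 'ok';
  }
}

// Constructed walk-through with a fake clock.
function demo() {
  let clock = 0;
  const store = new OtpStore(5 * 60 * 1000, () => clock);
  const code = store.issue('alice');
  const wrong = store.verify('alice', code === '000000' ? '000001' : '000000');
  const first = store.verify('alice', code);
  const reuse = store.verify('alice', code);
  const late = store.issue('alice');
  clock += 5 * 60 * 1000; // validity window has passed
  const expired = store.verify('alice', late);
  return { format: /^\d{6}$/.test(code), wrong, first, reuse, expired };
}
```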
Personal Questions
You can use the Personal Questions module as only a secondary authentication module. It does not require any external servers or configuration. When users initially log in, they are asked five questions and their answers are stored by the module.
To authenticate a user, the module randomly selects one of the questions and compares the user input to the stored answer. If the user input matches the preconfigured answer, the user is logged in.

Hardware Token Authentication

Two-factor or multi-factor authentication is considered to be strong authentication, using a combination of the "something you know" and "something you have" principles. For the Barracuda SSL VPN, these hardware solutions are based on two different authentication mechanisms: the RADIUS and the SSL Client Certificate authentication modules.
In this article:
Hardware Token Authentication using SSL Client Certificates
Hardware Token Authentication using RADIUS Integration
SafeNet iKey
Aladdin eToken PRO
RSA SecurID
VASCO Digipass
Secure Computing Safeword
Related Articles
Authentication Schemes
Example - How to Install and Configure YubiRADIUS
SSL Client Certificate Authentication
Hardware Token Authentication using SSL Client Certificates
The token or smart card contains an SSL client certificate which is used to authenticate to the system. Some vendors require software installed on the client, or card readers depending on the solution.
SafeNet iKey 2032
Aladdin eToken PRO
Hardware Token Authentication using RADIUS Integration
Other hardware token authentication servers use a built-in or external RADIUS server. The Barracuda SSL VPN queries the RADIUS server as a part of its multi factor authentication process. This way OTP and CryptoCard tokens can be used.
RSA SecurID
VASCO Digipass Token
Secure Computing Safeword
SafeNet iKey
This product uses a small USB device typically carried on your key chain. It uses SSL client certificates to present a certificate to the Barracuda SSL VPN. The user also has to enter a secret passphrase, further improving security. The client computer must have a special utility (CIP) installed, which uploads the certificate on the USB token to the Windows certificate store. The browser then uses this certificate when authenticating to the Barracuda SSL VPN.
Aladdin eToken PRO
Similar to the SafeNet iKey, the Aladdin eToken uses an SSL client certificate to authenticate. It also uses special software, which has to be manually installed on every client computer.
RSA SecurID
RSA SecurID uses its built-in RADIUS server to enable communication between the appliance and the RSA server. In combination with an Active Directory user database this method is especially powerful as account management may be centrally managed with both the appliance and RSA Authentication Manager reading accounts from your Active Directory domain.
VASCO Digipass
A VASCO server can authenticate with the Barracuda SSL VPN via an external RADIUS server. The VASCO server currently does not include a RADIUS server.
Secure Computing Safeword
Safeword servers include a RADIUS feature that can be used to authenticate to the Barracuda SSL VPN. Note that Safeword requires an Active Directory database and Internet Authentication Server (IAS) installed on the Domain Controller.

How to Configure One-Time Password (OTP) Authentication

One-time passwords (OTPs) are passwords that can only be used once in a predefined time frame, usually just minutes. You can configure the Barracuda SSL VPN to send the OTP to users by either email or SMS. OTPs do not require any special hardware or infrastructure. Any device that receives email or SMS can be used to receive the OTP.
To configure the Barracuda SSL VPN to send OTPs by email, configure the SMTP server and the OTP settings. To configure the Barracuda SSL VPN to send the OTPs by SMS, configure the SMTP server, the OTP settings, and an SMTP to SMS service.
Related Articles
Authentication Schemes
Regular Expressions (Reference)
Example - Authentication with SMS Passcode RADIUS server
In this article:
Prerequisites for Sending OTPs by SMS
Step 1. Configure the SMTP Server
Step 2. Configure the OTP Settings
Step 3. (If Sending OTPs via SMS) Configure the SMTP to SMS Service
Prerequisites for Sending OTPs by SMS
If you want to send OTPs by SMS:
You must have an account for an SMTP to SMS service that can send SMS to cell phones in your country.
Determine the address format for sending SMS over email. Each service provider uses a different format.
Every user must have the mobile.number attribute set.
Step 1. Configure the SMTP Server
Configure the SMTP server that will be used to send the OTPs.
1. Select the user database that you want to configure the SMTP server for. To configure an SMTP server for all user databases, select Global View.
2. Go to the Manage System > BASIC > Configuration page.
3. In the SMTP section, enter the settings for your SMTP server.
4. Click Save Changes.
Step 2. Configure the OTP Settings
Specify when OTPs are sent, how they are sent, and what kind of OTPs are generated by the Barracuda SSL VPN.
1. Go to the Manage System > ACCESS CONTROL > Security Settings page.
2. In the One-Time Password section, configure the following settings:
Send Mode – Select At Login to send the OTP during user logins.
Method of password delivery – You can select either Email to send the OTP via email or SMS over Email to send the OTP to users' cell phones.
Generation Type – Select the type of OTP that you want the appliance to generate. If you experience problems with character encoding in your emails or SMS, select ASCII.
3. Click Save Changes.
If you configured the Barracuda SSL VPN to send OTPs by email, no additional configurations are required. When the appliance sends an OTP, it obtains the email address of the user from the user database.
Step 3. (If Sending OTPs via SMS) Configure the SMTP to SMS Service
If you configured the Barracuda SSL VPN to send the OTPs by SMS, provide the information required to connect with the SMTP to SMS service that you are using.
1. Open the Manage System > ACCESS CONTROL > Configuration page.
2. In the SMS section, enter the following information, depending on the requirements of your SMTP to SMS service provider:
SMS Gateway Address – The email address for the SMS gateway. A common example would be: ${userAttributes.mobileNumber}@example.com
SMS Provider Credentials – Usually the credentials and the text are entered here.
3. Click Save Changes.

How to Configure Public Key Authentication

The public key authentication module is a very secure authentication mechanism, combining a client certificate and a passphrase with the possibility to store the authentication keys on an external storage device. No external services or appliances are needed; all keys are generated and managed by the Barracuda SSL VPN. The module can be used as a primary or secondary authentication mechanism. The administrator has to generate a private and public key which is then uploaded to the Barracuda SSL VPN and stored on the user's USB key device or home directory. When you authenticate with a public key, the following steps are followed:
1. The Barracuda SSL VPN generates a random ticket (certificate).
2. The user selects the private key and enters the corresponding passphrase.
3. The ticket is signed with the user's private key and sent to the Barracuda SSL VPN.
4. The Barracuda SSL VPN checks if the signed ticket is valid with its public key.
5. If the check was successful, the user is logged in.
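The ticket-signing exchange in the steps above, with both the server and the client side, is shown here as an added example that is not Barracuda's implementation. The choice of RSA-2048 with SHA-256, the AES-256-CBC passphrase encryption of the private key, and all names (TicketServer, signTicket, generateUserKey) are assumptions.

```javascript
// Added illustration of a challenge-response login with a passphrase-protected key.
const crypto = require('node:crypto');

// Key generation: the private key is encrypted with the user's passphrase
// (this is the file that would go on the USB key); the server keeps the public key.
function generateUserKey(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return { publicKeyPem: publicKey, encryptedPrivateKeyPem: privateKey };
}

class TicketServer {
  constructor() {
    this.publicKeys = new Map(); // username -> public key PEM
    this.pending = new Map();    // username -> outstanding ticket
  }

  enroll(username, publicKeyPem) { this.publicKeys.set(username, publicKeyPem); }

  // Step 1: a fresh random ticket for every login attempt.
  issueTicket(username) {
    const ticket = crypto.randomBytes(32);
    this.pending.set(username, ticket);
    return ticket;
  }

  // Steps 4-5: accept only a signature over the ticket this server issued.
  verifyLogin(username, signature) {
    const ticket = this.pending.get(username);
    const publicKeyPem = this.publicKeys.get(username);
    this.pending.delete(username); // single use, so a captured signature cannot be replayed
    if (!ticket || !publicKeyPem || !signature) return false;
    return crypto.verify('sha256', ticket, publicKeyPem, signature);
  }
}

// Steps 2-3 (client side): unlock the private key with the passphrase and sign.
// Returns null when the passphrase does not decrypt the key.
function signTicket(encryptedPrivateKeyPem, passphrase, ticket) {
  let key;
  try {
    key = crypto.createPrivateKey({ key: encryptedPrivateKeyPem, passphrase });
  } catch {
    return null;
  }
  return crypto.sign('sha256', ticket, key);
}

// Constructed walk-through: one good login, two replay attempts, one bad passphrase.
function demo() {
  const server = new TicketServer();
  const alice = generateUserKey('constructed passphrase');
  server.enroll('alice', alice.publicKeyPem);

  const t1 = server.issueTicket('alice');
  const sig = signTicket(alice.encryptedPrivateKeyPem, 'constructed passphrase', t1);
  const firstLogin = server.verifyLogin('alice', sig);
  const replayNoTicket = server.verifyLogin('alice', sig);  // ticket already consumed
  server.issueTicket('alice');
  const replayNewTicket = server.verifyLogin('alice', sig); // old signature, new ticket
  const wrongPassphrase = signTicket(alice.encryptedPrivateKeyPem, 'wrong', t1);
  return { firstLogin, replayNoTicket, replayNewTicket, wrongPassphrase };
}
```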
In this article:
Step 1. Create or Modify the Authentication Scheme
Step 2. Configure Key Authentication Settings
Step 3. Generate Keys
Creation and Distribution by Administrator
Creation by Users on Login
Step 1. Create or Modify the Authentication Scheme
To use public key authentication, create or modify the authentication scheme and add the Public Key Authentication module to the configuration. If you want users to generate their own initial public keys, the public key authentication module will query the user's password to authenticate them before generating the new keys.
Step 2. Configure Key Authentication Settings
Configure the key authentication module:
1. Open the Manage System > RESOURCES > Security Settings page.
2. In the Key Authentication section, configure the following settings:
Allow user to create initial authentication key
Enforce Password Security Policy
Step 3. Generate Keys
There are two ways the keys can be generated:
Creation and Distribution by Administrator
The administrator can initialize the key for a user:
1. Open the Manage System > ACCESS CONTROL > Accounts page.
2. Click on the More link for the user you want to generate the key for.
3. Select Generate Authentication Key.
4. Enter the Passphrase. The Administrator can require the passphrase to conform to the password security policy.
5. Click Generate.
6. Download the zip file.
7. Click Close.
8. Distribute the key stored in the zip file to the individual user. Barracuda Networks recommends using a USB key for greater security.
Creation by Users on Login
The administrator can also reset the Authentication key, forcing the user to generate a new key at the next login. The user must enter his system password when generating the new key.
1. Open the Manage System > ACCESS CONTROL > Accounts page.
2. In the Accounts section, locate the individual user who should create the authentication key and click More.
3. Select Reset Authentication Key.
On the next login, the user will be asked to enter his password and a new passphrase. The Barracuda SSL VPN will then generate a zip file containing the authentication key, which the user can download.

How to Configure SSL Client Certificate Authentication

SSL client certificates are a very secure secondary authentication method. When this feature is enabled, users can provide an SSL client certificate, but it is not required by the server. During users' initial login, they must install the SSL client certificate into the certificate store of the browser or operating system. After the initial setup is complete, the authentication process requires minimal user interaction. Users must only select the installed certificate when prompted, and the rest of the setup is completed automatically by the browser and the Barracuda SSL VPN.
The Barracuda SSL VPN validates the offered client certificate according to parameters that are defined by you. If you do not check for certificate attributes that are unique to each user, any user can log in with a browser that has a valid SSL client certificate. To prevent this, you must always combine SSL client certificate authentication with another authentication method like a password prompt.
In this article:
Before You Begin
Step 1. Upload the Root Certificate
Step 2. Configure Client Certificate Authentication Settings
Step 3. Add the Client Certificate Authentication Module to an Authentication Scheme
Before You Begin
Create the following:
A root certificate.
Client certificates.
An authentication scheme using client certificates as a primary or secondary authentication method.
For more information on creating your own self-signed root certificates, see How to Create Certificates with XCA.
Step 1. Upload the Root Certificate
For every user database, you can create or upload a unique root certificate.
1. Open the Manage System > ADVANCED > SSL Certificates page.
2. In the Import Key Type section, select A root Certificate Authority certificate you trust for client certificate authentication from the Certificate Type list.
3. In the Import Details section, select the user database that you want to upload the root certificate to.
4. Click Browse, and select the root certificate file. The certificate file must have a cer or crt extension.
5. Click Save.
The certificate then appears in the SSL Certificates section on the Manage System > ADVANCED > SSL Certificates page.
Step 2. Configure Client Certificate Authentication Settings
Configure the settings for the client certificates.
1. Log into the SSL VPN web interface.
2. Go to the Manage System > ACCESS CONTROL > Security Settings page.
3. In the Client Certificates section, configure the client certificates settings.
4. Click Save Changes.
Step 3. Add the Client Certificate Authentication Module to an Authentication Scheme
1. Log into the SSL VPN web interface.
2. Go to the Manage System > ACCESS CONTROL > Authentication Schemes page.
3. Edit an authentication scheme.
4. Double-click Client Certificate to add the authentication module.
5. Click Save.

Example - How to Install and Configure YubiRADIUS

This article provides step-by-step instructions on how to deploy the YubiRADIUS virtual appliance in context with Barracuda SSL VPN. Once YubiRADIUS is installed, Barracuda SSL VPN can be configured to act as a RADIUS client.