Barracuda Web Filter Administrator's Guide
Barracuda Web Filter Administrator’s Guide
Version 4.0
Barracuda Networks Inc.
3175 S. WInchester Blvd
Campbell, CA 95008
http://www.barracuda.com
1
Copyright Notice
Copyright 2004-2008, Barracuda Networks
www.barracuda.com
v40-081113-01-1113
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda Web Filter is a trademark of Barracuda Networks, Inc. All other brand and product names mentioned in this document are
registered trademarks or trademarks of their respective holders.
2 Barracuda Web Filter Administrator’s Guide
Administrator’s Guide
Contents
Chapter 1 – Introduction . . . . . . . . . . . . . . . . . . . . . . . . . .7
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Spyware-blocking techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Content-filtering techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
User and group-based policy control . . . . . . . . . . . . . . . . . . . . . . . 9
Application-blocking techniques. . . . . . . . . . . . . . . . . . . . . . . . . 10
Energize Updates minimize administration and maximize protection . . . . . . 10
Deploying the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . 11
Inline pass-through (transparent) mode . . . . . . . . . . . . . . . . . . . . . 11
Forward proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 2 – Getting Started . . . . . . . . . . . . . . . . . . . . . . . . 15
Network considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
External DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Internal DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Enterprise class Layer 3 switch, VLANS, VPN concentrators . . . . . . . 16
Firewall DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Internal servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
QoS/packet reconfiguration (Quality of Service, packet shapers) . . . . . 17
Mounting and cabling considerations . . . . . . . . . . . . . . . . . . . 17
Installing the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . 18
Step 1. Verify that you have the necessary equipment . . . . . . . . . . 18
Step 2. Install the Barracuda Web Filter . . . . . . . . . . . . . . . . . . 18
Step 3. Configure the Barracuda Web Filter IP and network settings . . . 19
Step 4. Configure your corporate firewall . . . . . . . . . . . . . . . . . 20
Step 5. Configure the Barracuda Web Filter . . . . . . . . . . . . . . . . 20
Step 6. Update the Barracuda Web Filter firmware . . . . . . . . . . . . 21
Step 7. Verify your subscription status . . . . . . . . . . . . . . . . . . . 22
Step 8. Update the definitions . . . . . . . . . . . . . . . . . . . . . . . 23
Step 9. Integrate the Barracuda Web Filter into your network . . . . . . . 23
Step 10. Test and adjust the Barracuda Web Filter . . . . . . . . . . . . 24
Connecting the Barracuda Web Filter to your network . . . . . . . . . . . . . 24
Advanced Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Web Cache Control Protocol (WCCP) deployment . . . . . . . . . . . . . . . 26
Inline pass-through with pre-existing proxy deployment . . . . . . . . . . . . 27
Connecting inline to your network with a pre-existing proxy server . . . . . . . 29
Chapter 3 – Configuring, Monitoring, and Managing the
Barracuda Web Filter . . . . . . . . . . . . . . . . . 33
Configuring the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . 34
Configuring system IP information . . . . . . . . . . . . . . . . . . . . . . . 34
3
Barracuda Web Filter Release 3.3
Controlling access to the Web interface. . . . . . . . . . . . . . . . . . . . . 34
Customizing the appearance of the Web interface . . . . . . . . . . . . . . . 34
Changing the language of the Web interface . . . . . . . . . . . . . . . . . . 35
Setting the time zone of the system . . . . . . . . . . . . . . . . . . . . . . . 35
Enabling and disabling virus protection . . . . . . . . . . . . . . . . . . . . . 35
Enabling and disabling Web caching . . . . . . . . . . . . . . . . . . . . . . 35
Setting up a syslog server to centrally monitor system logs . . . . . . . . . . 35
Advanced Configuration Topics. . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Setting up linked management . . . . . . . . . . . . . . . . . . . . . . . . . 36
Data propagated to the linked systems . . . . . . . . . . . . . . . . . . 36
Switching a system to standby mode . . . . . . . . . . . . . . . . . . . 36
Monitoring the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . 38
Viewing performance statistics . . . . . . . . . . . . . . . . . . . . . . . . . 38
Understanding the indicator lights. . . . . . . . . . . . . . . . . . . . . . . . 39
Viewing the traffic log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Viewing the application log . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Viewing the warned activity list . . . . . . . . . . . . . . . . . . . . . . . . . 41
Automating the delivery of system alerts and notifications . . . . . . . . . . . 41
Viewing a list of infected clients . . . . . . . . . . . . . . . . . . . . . . . . . 41
Viewing system tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Managing the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . 43
Backing up and restoring system configuration . . . . . . . . . . . . . . . . . 43
Updating the Barracuda Web Filter firmware . . . . . . . . . . . . . . . . . . 43
Updating the spyware, virus, and category definitions . . . . . . . . . . . . . 43
Replacing a failed system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Reloading, restarting, and shutting down the system . . . . . . . . . . . . . . 44
Using the built-in troubleshooting tools . . . . . . . . . . . . . . . . . . . . . 44
Rebooting the system in recovery mode . . . . . . . . . . . . . . . . . . . . 45
Reboot options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Generating System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Chapter 4 – Managing Users and Groups . . . . . . . . . . . . . . 49
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
About local users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
About domain users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Creating local users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Creating local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Creating local groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Creating IP address groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Integrating with a user authentication service . . . . . . . . . . . . . . . . . . . 52
Enabling LDAP domain user authentication. . . . . . . . . . . . . . . . . . . 52
To enable LDAP user authentication . . . . . . . . . . . . . . . . . . . . 52
About the optional Barracuda DC Agent software . . . . . . . . . . . . . 52
Installing the Barracuda DC Agent on your domain controllers . . . . . . 54
Exempting selected LDAP domain users from filtering . . . . . . . . . . . 54
Enabling NTLM domain user authentication . . . . . . . . . . . . . . . . . . 55
About NTLM authentication in Windows 2000 or 2003 AD domains . . . . 55
Reasons for using an NTLM authentication server . . . . . . . . . . . . . 55
Requirements for using an NTLM authentication server . . . . . . . . . . 55
Limitations when using an NTLM authentication server . . . . . . . . . . 55
Viewing and managing accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4:
Administrator’s Guide
Chapter 5 – Managing Policies . . . . . . . . . . . . . . . . . . . . .57
Creating block and accept filters . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Best practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Filtering and blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Content filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Application filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Domain filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
URL pattern filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Custom categories filtering . . . . . . . . . . . . . . . . . . . . . . . . . 61
MIME type blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
IP-based exemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
IP-based blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Exception policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Block messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
HTTPS filtering option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Scope of HTTPS traffic filtering . . . . . . . . . . . . . . . . . . . . . . 63
Limitations for HTTPS traffic filtering . . . . . . . . . . . . . . . . . . . . 63
To enable the HTTPS traffic-filtering option . . . . . . . . . . . . . . . . 63
Testing Web site access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
About the Barracuda Spyware Removal Tool. . . . . . . . . . . . . . . . . . . . 65
Enabling the Barracuda Spyware Removal Tool . . . . . . . . . . . . . . 65
Chapter 6 – Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Generating system reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Appendix A – About the Barracuda Web Filter Hardware . . 69
Front panel of the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . 70
Barracuda Web Filter 210, 310, and 410 . . . . . . . . . . . . . . . . . . . . 70
Barracuda Web Filter 610 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Barracuda Web Filter 810 and 910 . . . . . . . . . . . . . . . . . . . . . . . 72
Back panel of the Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . 74
Barracuda Web Filter 210, 310, and 410 . . . . . . . . . . . . . . . . . . . . 74
Barracuda Web Filter 610 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Barracuda Web Filter 810 and 910 . . . . . . . . . . . . . . . . . . . . . . . 75
Hardware compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Notice for the USA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Notice for Canada . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Notice for Europe (CE Mark) . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Appendix B – Regular Expressions . . . . . . . . . . . . . . . . . . 79
Using special characters in expressions . . . . . . . . . . . . . . . . . . . . 80
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Appendix C – Limited Warranty and License . . . . . . . . . . . 81
Limited warranty. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
5
Barracuda Web Filter Release 3.3
Exclusive remedy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Exclusions and restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Software license. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Energize Update Software license . . . . . . . . . . . . . . . . . . . . . . . 83
Open Source Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
6:
Administrator’s Guide
Chapter 1
Introduction
This chapter provides an overview of the Barracuda Web Filter and includes the following topics:
• Overview on page 8
• Deploying the Barracuda Web Filter on page 11
7
Barracuda Web Filter Release 4.0
Overview
The Barracuda Web Filter is an integrated anti-spyware and content filtering solution that eliminates
spyware and other forms of malware from your organization.
The Barracuda Web Filter combines preventative, reactive, and proactive measures to form a
complete anti-spyware solution. The Barracuda Web Filter:
• Provides user and group-based policy control
• Stops spyware downloads (including drive-by downloads)
• Uses content filters to block access to Web site categories like gaming or online shopping sites
• Blocks access to applications like instant messaging and music streaming
• Blocks access to spyware Web sites
• Detects spyware access to the Internet
• Identifies infected machines
• Facilitates spyware removal by providing access to the Barracuda Spyware Removal Tool
The sections in this guide will detail the typical tasks that are performed by Web Filter administrators:
1. Installation
2. Configuring, Monitoring and Managing
3. Managing Users and Groups
4. Managing Policies
5. Reporting
Spyware-blocking techniques
The Barracuda Web Filter prevents spyware programs from being installed on your users’ systems
and also secures your organization against existing spyware by detecting spyware access to the
Internet and notifying you of infected systems. You can also configure the Barracuda Web Filter to
prompt infected users to run the Barracuda Spyware Removal Tool.
Table 1.1: Spyware Functions
Function Description
Spyware Web site Blocking Barracuda Networks continuously updates a list
containing thousands of known spyware download sites.
The Barracuda Web Filter blocks spyware at the source
by preventing browser and application access to these
locations.
Spyware Download Blocking Spyware is everywhere, even in apparently harmless
8 Chapter 1: Introduction
downloads from legitimate sites. The Barracuda Web
Filter unpacks and examines every individual file within
17 different types of archives. It also uses techniques to
examine password-protected archives.
Administrator’s Guide
Table 1.1: Spyware Functions
Function Description
Spyware Detection The Barracuda Web Filter not only identifies infected
machines on the network, but also blocks the spyware
communication from those infected systems to the
spyware servers on the Internet.
Spyware Removal The Barracuda Web Filter can be configured to
automatically prompt users to run the Barracuda Spyware
Removal Tool when spyware is detected on their system.
This feature allows users to proactively remove spyware
so they do not have to rely on network administrators to
perform this task.
The Barracuda Web Filter scans inbound traffic for the following malware over HTTP port 80 and
FTP port 21: spyware (such as keyloggers, Browser Helper Objects [BHOs], and data miners),
adware, trojans, and viruses. The Barracuda Web Filter also scans outbound traffic on all ports and
protocols to prevent spyware from communicating outside of your network.
Content-filtering techniques
In addition to protecting your network from spyware infections, the Barracuda Web Filter also uses
filters to protect your users from visiting offensive Web sites and to help enforce your organization’s
Internet usage policies.
To block access to offensive sites, the Barracuda Web Filter includes a URL list containing millions
of URLs classified into 58 categories for easy and efficient content filtering. This list is continuously
updated by engineers at Barracuda Central and delivered hourly via the Energize Updates
subscription service sold with the Barracuda Web Filter.
In addition, the Barracuda Web Filter allows you to create custom classification and specify domains
for filtering.
These content filters can help organizations comply with new security initiatives and standards.
User and group-based policy control
The Barracuda Web Filter allows you to create Content, Application, Domain, URL and MIME Type
based policies to control user access to online content. The policies can be created by users, groups
or in some cases by IP addresses. These filtering policies can be used to allow, block, warn or monitor
user requests to online content.
The Barracuda Web Filter also enables you to create exception policies for specific users and groups
to override general policies that prevent access to content or applications. These policies are useful in
providing executives and departments with additional control over the content they can access.You
can also use exception policies to allow users to bypass blocking filters during specific hours of the
day. For example, you can configure the Barracuda Web Filter to allow users to access shopping or
gaming sites only during non-business hours.
Overview 9
Barracuda Web Filter Release 4.0
Application-blocking techniques
Many organizations choose to block access to certain applications so they can minimize the amount
of non-essential traffic on their network and to prevent users from running applications that can
spread viruses or other malware. For this reason, the Barracuda Web Filter enables you to control
access to a variety of commonly used applications like Instant Messaging and Media. In addition,
application traffic can also be blocked based on MIME type or port number. For example, you can
use the MIME type blocking feature to prevent users from running executable files (.exe) or from
streaming music and video files over your network.
Energize Updates minimize administration and maximize
protection
To provide you with maximum protection against the latest types of spyware, Barracuda Networks
maintains Barracuda Central, a powerful operations center. From this center, engineers monitor the
Internet for trends in spyware and automatically deploy updates and definitions via Barracuda
Energize Updates.
By identifying spyware trends early on, the team at Barracuda Central can quickly develop new and
improved blocking techniques that are quickly made available to your Barracuda Web Filter.
Barracuda Central has identified over 2,000 spyware applications that are actively blocked and is
continuously adding to this list.
The following figure shows how Barracuda Central provides the latest rules and definitions through
the Energize Update feature.
Figure 1.1: Barracuda Energize Updates
10 Chapter 1: Introduction
Deploying the Barracuda Web Filter
You can deploy your Barracuda Web Filter so it is either inline with your core network components,
or you can deploy the system as a forward proxy. The following sections provide a brief overview of
each deployment type.
Inline pass-through (transparent) mode
Inline pass-through is the recommended type of deployment because it provides the strongest level of
protection against spyware. In this deployment, the Barracuda Web Filter is directly inline with your
core Internet network components, and all network traffic to the Internet passes through the Barracuda
Web Filter. In this mode, your Barracuda Web Filter is able to:
• Filter and scan all Internet traffic requests.
• Perform content filtering and scan downloads for spyware and viruses.
• Detect and block outbound spyware protocol requests.
• Scan all outbound traffic for spyware activity on all ports to detect infected clients.
Inline pass-through deployment requires you to have an understanding of your network topology
because even though the Barracuda Web Filter acts as a proxy, it does not participate in routing
protocols. As a result, you may need to set up static routes in your Barracuda Web Filter so it knows
how to properly route traffic.
Administrator’s Guide
The following table describes the advantages and disadvantages of deploying your Barracuda Web
Filter in inline pass-through mode.
Advantages Disadvantages
Supports application blocking May require setting up static routes in your Barracuda
Web Filter.
Supports automatic pass-through mode in
the event of a system failure (model 310
and above)
Does not require users to configure proxy
server settings in their Web browser
Uses perimeter transparency mode that
exposes client IP addresses (supports
corporate firewall rules)
Figure 1.2 illustrates a basic installation using the Inline Pass-Through deployment.
Initial setup requires an interruption to network traffic
while you make necessary cabling changes.
Deploying the Barracuda Web Filter 11
Barracuda Web Filter Release 4.0
Figure 1.2: Inline Pass-through Deployment
12 Chapter 1: Introduction
Forward proxy
The forward proxy deployment uses a proxy as an intermediary between a client and the Internet to
protect the client from being visible from the Internet. In a forward proxy deployment, only HTTP
Internet traffic passes through the Barracuda Web Filter. After the Barracuda Web Filter processes
clients’ requests, it sends the requests out directly to the Internet.
When deployed as a forward proxy, the Barracuda Web Filter shows all HTTP traffic as coming from
its own IP address instead of from the individual client IP addresses as is done in the inline passthrough deployment.
We recommend deploying the Barracuda Web Filter in forward proxy mode in the following
situations:
• You need to replace an existing forward proxy (such as Microsoft ISA Server) with the
Barracuda Web Filter.
• You do not want the Barracuda Web Filter to reside inline with all your network traffic and are
satisfied with the system only scanning HTTP traffic for viruses and spyware.
The following table describes the advantages and disadvantages of deploying your Barracuda Web
Filter in forward proxy mode.
Administrator’s Guide
Advantages Disadvantages
The initial setup of forward proxy mode
does not require any interruptions to your
network traffic.
Because the Barracuda Web Filter only scans
outbound HTTP traffic, the system cannot perform
the following functions in forward proxy mode:
• Block access to applications listed on the
BLOCK/ACCEPT > Applications page.
• Block access to applications that use the
destination IP address specified on the
BLOCK/ACCEPT > IP Block/Exempt page.
• Block access to applications that use the
destination port specified on the
> IP Block/Exempt
page.
• Inspect outbound traffic for spyware infection
activity.
Does not require the configuration of static
routes.
The Barracuda Web Filter does not scan non-HTTP
traffic for viruses and spyware.
Requires clients’ Web browsers to be configured with
the IP information of the forward proxy server
(Barracuda Web Filter).
Figure 1.3 illustrates a basic installation using the Forward Proxy Deployment.
BLOCK/ACCEPT
To set up the Barracuda Web Filter as a forward proxy without placing it inline, you must manually
direct all outgoing web traffic through the Barracuda. The initial setup of forward proxy mode does
not require any interruptions to your network traffic. This configuration is also known as "proxy on a
stick." For this to work, the Barracuda Web Filter will need to be connected to the same switch as the
network gateway (just one network hop away).
Once the Barracuda has been installed in this fashion, the following options must be configured on
BASIC > IP Configuration page:
the
Deploying the Barracuda Web Filter 13
Barracuda Web Filter Release 4.0
Set the Operating Mode to Active.
Set the Transparency, Client IP Visibility, or Pass Client IP addresses through WAN port option to
No.
In order to forward outgoing web traffic to the Barracuda Web Filter, it is required that all clients’
web browsers are configured with the IP of the Barracuda Web Filter as their forward proxy server,
on port 8080.
Figure 1.3: Forward Proxy Deployment
14 Chapter 1: Introduction
Administrator’s Guide
Chapter 2
Getting Started
This chapter provides general instructions for installing the Barracuda Web Filter.
This chapter covers the following topics:
Network considerations ...................................................................... 16
Installing the Barracuda Web Filter ....................................................18
Advanced Deployments ......................................................................26
15
Barracuda Web Filter Release 4.0
Network considerations
The Barracuda Web Filter appliance is designed for low-risk deployment because it is intended to be
a bridge within your network. The appliance can view Internet traffic that passes through the network
but does not affect its routing. To reduce the risk of interfering with important network traffic, initially
set the Barracuda Web Filter to monitor and log the spyware activity only. Determine which internal
servers and clients to exclude from spyware and virus scans.
These pre-installation considerations may help you understand some of the issues that may occur.
Routers
Make sure the default gateway is properly set to reach the Internet. Also, if you are testing the
Barracuda Web Filter in one portion of your network and move to another portion of the network for
deployment, make sure that you check the default gateway and make changes as necessary.
External DNS
Some of the considerations regarding DNS include the following issues:
Optimal DNS query response time—When the Barracuda Web Filter is in Active mode, it proxies all
Internet requests for the clients. As a result, the Barracuda Web Filter needs to resolve website
hostnames to IP addresses while proxying the HTTP requests made by the users. The response for
DNS queries needs to be optimal to allow the Barracuda Web Filter to look up and quickly process
these requests. A slow DNS server will cause the Barracuda Web Filter to respond slowly to clients,
which adds latency to their Internet access.
Requests for fully qualified Web application server names—If a user attempts to browse to a Web
site by specifying a Web server name is not a fully qualified name that includes the domain name, the
Barracuda Web Filter automatically appends the string
order to resolve the request. For example, if the user enters the server name
myserver.mydomain.com, the Barracuda Web Filter resolves the request using the hostname
myserver.barracuda.com.
barracuda.com to the unqualified name in
myserver instead of
Internal DNS
If you have an internal server that is only resolvable via an internal DNS, make sure that this DNS
server is used by the Barracuda Web Filter as a secondary DNS.
Enterprise class Layer 3 switch, VLANS, VPN concentrators
These device types are normally capable of handling multiple subnets and providing default routes to
clients. However, they may affect the Barracuda Web Filter deployment in the following ways:
• A Layer 3 switch can also be set up to have multiple VLANs (Virtual Local Networks) using
port assignments. There is no side effect by having VLAN tags in the traffic that is visible to the
Barracuda Web Filter. However, when the Barracuda Web Filter is set up to a single subnet, it
needs to have routes to process requests for other subnets.
• A standard solution is to add static routes to these foreign subnets. All Layer 3 switch subnets
should use its IP address as the gateway. In the case of a VPN concentrator, use the IP of the
concentrator as the default gateway for all the networks aggregated by that VPN concentrator.
16 Chapter 2: Getting Started
Administrator’s Guide
Firewall DMZ
A demilitarized zone (DMZ) is an area where any servers that access the Internet are placed. Servers
inside this zone may be configured to access certain servers within an internal network with their own
security rules set up. Normally these servers need to be accessible from the Internet, such as email
servers. The Barracuda Web Filter should not be deployed to protect these machines. The Barracuda
Web Filter is not designed to protect servers but to protect end user machines.
Internal servers
In most organizations, internal servers are protected by corporate firewalls that use port forwarding
rules to limit access to the servers. Port forwarding rules define the ports that can be used to access
the servers (such as HTTP, FTP, and mail servers). These servers should have optimal response time.
As a result, the server traffic must not be interrupted. Barracuda Networks recommends that you
exempt or bypass these servers from the Barracuda Web Filter. To reduce Layer 2 bridging overhead,
place a switch between the firewall and the Barracuda Web Filter and connect your server farm on a
different port on the switch. In this case, set up the servers parallel to the Barracuda Web Filter instead
of behind it, and the configure exempt IP addressing feature to exclude these IP addresses from server
exemption.
Cache
Caching provides faster access to repeatedly requested content by storing content locally on the
Barracuda Web Filter.The Barracuda Web Filter handles the data by using an LRU (Least Recently
Used) algorithm. The Barracuda Web Filter must be configured with the accurate time since it uses
the current time to ensure accurate cache updates.
QoS/packet reconfiguration (Quality of Service, packet shapers)
There are many products available that can control traffic in a LAN environment, specify priorities,
and size these different traffic types. Normally, this is done using a Layer 7 device on different types
of applications. The Barracuda Web Filter deployment is affected when the Barracuda Web Filter is
placed in front of these devices to benefit from the shaped data. Place the Barracuda Web Filter close
to the Internet to help reduce noise and overhead on both the Layer 2 bridging and HTTP proxy.
Mounting and cabling considerations
To install the Barracuda Web Filter you need to:
• Mount it on a rack or shelf
• Cable it to other network devices
The Barracuda Web Filter is designed to be installed in a data center with other networking devices
and servers. Its dimensions are suitable for a 19-inch rack. You must position it within cabling
distance of any switches or other devices that access the network segments that you want to protect.
The appliance can be mounted facing either direction in your rack, so consider which side will have
access to the ports and which will have access to the LED lights.
You may need access to the ports during installation, and you may need to use the back panel during
initial configuration.
Network considerations 17
Barracuda Web Filter Release 4.0
Installing the Barracuda Web Filter
These are the general steps to set up your Barracuda Web Filter. For more detailed instructions for
each step, see the following reference pages.
Step 1. Verify that you have the necessary equipment on page 18
Step 2. Install the Barracuda Web Filter on page 18
Step 3. Configure the Barracuda Web Filter IP and network settings on page 19
Step 4. Configure your corporate firewall on page 20
Step 5. Configure the Barracuda Web Filter on page 20
Step 6. Update the Barracuda Web Filter firmware on page 21
Step 7. Verify your subscription status on page 22
Step 8. Update the definitions on page 23
Step 9. Integrate the Barracuda Web Filter into your network on page 23
Step 10. Test and adjust the Barracuda Web Filter on page 24
Step 1. Verify that you have the necessary equipment
Before installing your Barracuda Web Filter, make sure you have the following equipment:
• Barracuda Web Filter (check that you have received the correct model)
• AC power cord
• Ethernet cables
• Mounting rails and screws (available for models 610, 810, and 910 only)
• VGA monitor (recommended)
• PS2 keyboard (recommended)
Step 2. Install the Barracuda Web Filter
To physically install the Barracuda Web Filter:
1. Fasten the Barracuda Web Filter to a standard 19-inch rack or other stable location.
CAUTION! Do not block the cooling vents located on the front and rear of the unit.
2. Connect a CAT5 Ethernet cable from your network switch to the LAN port on the front of your
Barracuda Web Filter, as shown in the following figure.
18 Chapter 2: Getting Started
Figure 2.1: Connecting the Barracuda Web Filter to your Network
Administrator’s Guide
The Barracuda Web Filter supports 10BaseT, 100BaseT, and Gigabit Ethernet (higher end models
only).
Do not connect any other cables to the unit. The connectors on the back panel are for diagnostic
purposes.
3. Connect the following hardware to your Barracuda Web Filter:
•Power cord
•VGA monitor
• PS2 keyboard
After you connect the AC power cord, the Barracuda Web Filter may power on for a few
seconds and then power off. This behavior is normal.
4. Press the Power button located on the front of the unit.
The login prompt for the administrative console displays on the monitor and the power light on
the front of the Barracuda Web Filter turns on. For a description of each indicator light, refer to
Understanding the indicator lights on page 39.
Step 3. Configure the Barracuda Web Filter IP and network settings
The Barracuda Web Filter is assigned a default IP address of 192.168.200.200. You can change the
address using the administrative console or by pressing and holding the RESET button on the front
panel.
Holding RESET for eight seconds changes the default IP address to 192.168.1.200. Holding the
button for 12 seconds changes the IP address to 10.1.1.200.
Installing the Barracuda Web Filter 19
Barracuda Web Filter Release 4.0
To set a new IP address from the administrative console:
1. Connect your keyboard and monitor directly to the Barracuda Web Filter.
2. At the barracuda login prompt, enter admin for the login and admin for the password.
The User Confirmation Requested window displays the current IP configuration of the
Barracuda Web Filter.
3. Using your Tab key, select Change and click Enter to change the IP configuration.
4. Enter the new IP address, subnet mask, and default gateway IP address for your Barracuda Web
Filter. Select Save
optional. Select
The new IP address and network settings are applied to your Barracuda Web Filter.
Step 4. Configure your corporate firewall
If your Barracuda Web Filter is located behind a corporate firewall, refer to Table 2.1 for the ports
that need to be opened on your corporate firewall to allow communication between the Barracuda
Web Filter and remote servers.
Table 2.1: Ports to Open on Your Corporate Firewall
to enter your changes. The Primary DNS and Secondary DNS files are
Exit.
Port Direction Protocol Description
22 In/Out TCP Remote diagnostics and technical
support services
25 Out TCP Email and email bounces
53 Out TCP/UDP DNS (Domain Name Server)
80 Out TCP Virus, spyware, category definition
updates, and firmware updates
123 In/Out UDP NTP (Network Time Protocol)
8000 Out TCP See Step 5. Configure the Barracuda
Web Filter
8001, 8002 In/Out TCP Synchronization between linked
systems. For more information, see
on page 20.
Controlling access to the Web
interface
on page 34.
In addition to the ports listed above, you may have to configure your corporate firewall to allow the
Barracuda Web Filter to email system alerts and reports. Some organizations create firewall rules that
only allow emails to be sent from the IP address of their email server. In this case, you should
configure your corporate firewall to allow emails to be sent from the Barracuda Web Filter as well.
If your Barracuda Web Filter is located in a DMZ, you may need to configure your corporate firewall
to allow the Barracuda Web Filter to send notifications to your internal email server.
Step 5. Configure the Barracuda Web Filter
After specifying the IP address of the Barracuda Web Filter and opening the necessary ports on your
corporate firewall, configure the Barracuda Web Filter from the administration interface. Make sure
the client’s computer that you configured the Barracuda Web Filter for is connected to the same
network and that the appropriate routing is in place to allow connection to the Barracuda Web Filter’s
IP address via a Web browser.
20 Chapter 2: Getting Started
Administrator’s Guide
To configure the Barracuda Web Filter:
1. From a Web browser, enter the IP address of the Barracuda Web Filter followed by port 8000.
For example: http://192.168.200.200:8000.
2. To log into the administration interface, enter admin for the username and admin for the
password.
3. Select BASIC > IP Configuration, and perform the following steps:
3a. Enter the IP address of your primary and secondary DNS servers (if these have not yet
been set up).
3b. Set Operating Mode to Audit.
3c. Set Enable Perimeter Transparency to one of the following depending your type of
deployment:
• For Inline Pass-Through deployment, select Yes to expose the IP addresses of your
clients instead of allowing all HTTP traffic coming from the Barracuda Web Filter.
• For Forward Proxy deployment, select No.
3d. (Optional) Configure any static routes.
3e. Click Save Changes.
Note: If the IP address of your Barracuda Web Filter on the IP Configuration page is changed,
you are disconnected from the Web interface. If this occurs, log in again using the new IP
address.
4. Select BASIC > Administration, and perform the following steps:
4a. Assign a new administration password to the Barracuda Web Filter (optional). This step
is highly recommended.
4b. Make sure the local time zone is set correctly.
Time on the Barracuda Web Filter is automatically updated via NTP (Network Time
Protocol). It requires that port 123 is opened for inbound and outbound UDP (User
Datagram Protocol) traffic on your firewall (if the Barracuda Web Filter is located
behind one).
It is important that the time zone is set correctly because this information is used to
determine the delivery times for messages and is displayed in certain mail reading
programs.
4c. If desired, change the port number used to access the Barracuda Web Filter
administration interface. The default port is 8000.
4d. Enter the amount of time for the session expiration length (in minutes) of your
administration interface session.
At expiration, you are required to log back into the administration interface.
4e. (Optional) Specify your local SMTP server. Enter the email address for your
Administrator to receive system and threat email alerts and notifications.
4f. Click Save Changes.
Step 6. Update the Barracuda Web Filter firmware
To update the firmware on the Barracuda Web Filter:
1. Select ADVANCED > Firmware Update.
2. Read the release notes to learn about the latest features and fixes provided in the new firmware
version.
3. Click Download Now next to Latest General Release. Click OK on the download duration
window.
Installing the Barracuda Web Filter 21
Barracuda Web Filter Release 4.0
Verify your subscriptions are current
Updating the firmware may take several minutes. Do not turn off the unit during this process.
Download Now is disabled if the Barracuda Web Filter is already up-to-date with the latest
firmware version.
The Barracuda Web Filter begins downloading the latest firmware version. You can view the
download status by clicking
4. Click Apply Now when the download completes.
5. Click OK when prompted to reboot the Barracuda Web Filter.
A Status page displays the progress of the reboot. Once the reboot is complete, the login page
appears.
Step 7. Verify your subscription status
After you install the Barracuda Web Filter, your Energize Update and Instant Replacement
subscriptions are most likely active. However, it is important you verify the subscription status so
your Barracuda Web Filter can continue to receive the latest virus and spyware updates from
Barracuda Central. The Energize Update service is responsible for downloading these virus and
spyware definitions to your Barracuda Web Filter.
To check your subscription status:
Refresh. A message displays once the download is complete.
1. Select BASIC > Status.
2. From the Subscription Status section, verify that the word Current appears next to Energize
Updates
and Instant Replacement Service (if purchased).
Figure 2.2 shows the location of the Subscription Status section.
Figure 2.2: Subscription Status
22 Chapter 2: Getting Started
Administrator’s Guide
Click to activate your
subscription
3. Enable your subscription:
3a. Click the Activate link as shown in Figure 2.3. The product activation displays in a
new browser window.
Figure 2.3: Location of the Activate Link
3b. In the Product Activation window, fill in the required fields and click Activate. A
confirmation page opens to display the terms of your subscription.
3c. After a few minutes, from the Barracuda Web Filter administration interface, click
Refresh in the Subscription Status section of the BASIC > Status page. The status of
your subscriptions displays as Current.
Note: If your subscription status does not change to Current, or if you have trouble filling out
Product Activation window, call your Barracuda Networks sales representative.
the
Step 8. Update the definitions
To update the spyware, virus, and category definitions:
1. Select ADVANCED > Energize Updates.
2. Check to see if the current version is the same as the latest version available for spyware, virus,
and category definitions. If the definitions are up-to-date, proceed to Step 9.
3. Click Update for each of these sections.
4. In the spyware, virus, and category definition sections, select Hourly or Daily for Automatically
Update. The recommended setting is Hourly for both spyware and virus definitions, and Daily
for category definition.
5. Click Save Changes.
Step 9. Integrate the Barracuda Web Filter into your network
Table 2.2 describes how to integrate the Barracuda Web Filter into your network depending on your
deployment type.
Table 2.2: Integrating your Barrauda System into your Network
Deployment Type Next Step
Inline pass-through Connect your Barracuda Web Filter to your network. For more
information, see Connecting the Barracuda Web Filter to your
network on page 24.
Forward proxy Configure your clients’ HTTP proxy settings from their browser to
access the Internet. See your Web browser’s technical
documentation for further information.
Installing the Barracuda Web Filter 23
Barracuda Web Filter Release 4.0
Step 10. Test and adjust the Barracuda Web Filter
After connecting your Barracuda Web Filter to the network, verify connectivity. Open your Web
browser from a machine on your network. If you cannot browse the Web, review the installation steps
to make sure your Barracuda Web Filter is properly configured and connected to your corporate
firewall and network switch.
If you can browse the Web without any issues, you are ready to adjust the settings on the Barracuda
Web Filter. The most common adjustment to make is to create filters that determine what traffic and
applications the Barracuda Web Filter blocks and accepts. For more information about the available
filters, refer to Monitoring the Barracuda Web Filter on page 38.
Go to the
BLOCK/ACCEPT > IP Block/Exempt page, and use the IP and Port Exemption section to
bypass scanning or filtering for clients or targeted servers. To avoid accidentally specifying a broader
than intended exemption range, be sure to apply the proper subnet mask.
Connecting the Barracuda Web Filter to your network
To connect the Barracuda Web Filter to your network:
1. Connect the Ethernet cable from your corporate firewall to the WAN port on the front panel of
the Barracuda Web Filter. This step may require disconnecting your internal network switch
from the corporate firewall.
Note: A crossover cable may be needed if your corporate firewall does not have a switchable
port and therefore cannot switch between RX and TX. Another solution is to place a switch
between the corporate firewall and the Barracuda Web Filter.
Note:
Ethernet bridge between the WAN and LAN ports.
You do not need to configure the WAN port. The Barracuda Web Filter creates an
24 Chapter 2: Getting Started
Figure 2.4: Connecting the Barracuda Web Filter to your Network
Administrator’s Guide
2. Connect an Ethernet cable from the LAN port on the Barracuda Web Filter to your internal
network switch Uplink port (if one is available).
Note: If your switch records the MAC address of an external device, make sure you delete all
pre-existing MAC address records from your switch.
3. Select BASIC > IP Configuration page in the administration interface, and set the Operating
Mode setting to Active.
Note: A hard bypass feature is available on the Barracuda Web Filter 310 and higher models.
4. If necessary, set up static routes on the BASIC > IP Configuration page. Setting up static routes is
often necessary in complex networks so the Barracuda Web Filter knows the proper way to
route traffic on your network.
Static routes are generally necessary to enable the Barracuda Web Filters to protect any client
machines that are at IP addressed outside of the native subnet of the Barracuda Web Filter.
For example, if the Barracuda Web Filter is assigned an IP address of 172.20.0.6 and a subnet mask
of 255.255.255.0 and uses the default gateway at 172.20.0.9, you will need to create a static route to
reach client machines in the 192.168.2.x range with a Netmask value of 255.255.255.0. The Gateway
Address should be inside 172.20.0.x.
Installing the Barracuda Web Filter 25
Barracuda Web Filter Release 4.0
Advanced Deployments
This section describes advanced installation topics that may apply to your Barracuda Web Filter
deployment.
Web Cache Control Protocol (WCCP) deployment
All Barracuda Web Filter models 410 and above can be deployed as WCCP cache engines on a
network with a WCCP capable core routing platform.
Because the WCCP control router or switch transparently redirects content requests, end users need
not configure browsers to use the Barracuda Web Filter as an HTTP proxy. This deployment means
that the Barracuda Web Filter is not inline and is not configured as a forward proxy.
In addition to compatibility with other WCCP capable routers, the Barracuda Web Filter supports
Cisco v1 and v2 routers. Enabling WCCP on your Barracuda Web Filter allows you to take full
advantage of your WCCP capable Cisco router’s ability to provide for failover and load balancing for
multiple Barracuda Web Filters connected to the router in a proxy configuration. For large
installations requiring high availability and fault tolerance, this is an attactive deployment option.
Note: WCCP allows Cisco routers/switches to forward non-http traffic to web cache servers, but the
Barracuda Web Filter only accepts http traffic (port 80) in this configuration. WCCP also allows
multiple Cisco routers to be connected to the same web cache server. The Barracuda Web Filter does
not support this feature and can only be connected to one WCCP router/switch. However, as always,
multiple Barracuda Web Filters can be connected to a single router/switch.
Note that NTLM and Kerberos authentication mechanisms will not work when the Barracuda Web
Filter is deployed using WCCP because they both require that the Barracuda Web Filter be a trusted
host in the Windows Domain and that it receive traffic directly from the users (as a proxy). In WCCP
deployments, the Barracuda Web Filter receives outgoing traffic via the Cisco Router.
Figure 2.5 shows this deployment method with two Barracuda Web Filters configured as WCCP
cache engines.
26 Chapter 2: Getting Started
Figure 2.5: WCCP Deployment
Administrator’s Guide
Inline pass-through with pre-existing proxy deployment
Another deployment type that is much less common than either Inline mode or Forward Proxy mode
is using the Barracuda Web Filter as an inline device that uses a pre-existing proxy server on your
network. This type of deployment is not recommended because it breaks the following features of the
Barracuda Web Filter:
• Infection reports do not display the IP addresses of infected clients.
• Infected clients cannot be automatically redirected to the Barracuda Spyware Removal Tool.
Advanced Deployments 27
Barracuda Web Filter Release 4.0
To resolve these issues, we recommend that you remove your pre-existing proxy server and deploy
the Barracuda Web Filter inline as described in
The Barracuda Web Filter can be placed on the client or the server side of the existing proxy server.
If the existing proxy server is performing user authentication, then the Barracuda Web Filter must be
placed on the server side of the proxy. In this deployment, the Barracuda Web Filter detects all
network traffic. The proxy server connects directly to the Barracuda Web Filter LAN port. This
connection may require a crossover cable. No special port or IP address is required. The Barracuda
Web Filter scans for all inbound and outbound HTTP traffic from the proxy server. All outbound
traffic on other ports is scanned for normal spyware communication. However, since the proxy server
will most likely hide user identity, the Barracuda Web Filter cannot apply any user, group or IP based
policies.
Figure 2.6 illustrates this deployment type.
Alternately, the Barracuda Web Filter can be placed inline on the client side of the existing proxy
server. The LAN Switch can be connected to the LAN port of the Barracuda Web Filter and the WAN
port of the Barracuda Web Filter can be connected to the Proxy Server. This will ensure that the
Barracuda Web Fitler can identify users before the requests are proxied. In this configuration, you
may have to ensure that the Barracuda Web Filter passes client IP addresses through to the proxy
server or that the proxy server can handle requests coming from the Barracuda Web Filter’s IP
address. However, this configuration may not work when the proxy server is performing strong user
authentication.
Inline pass-through (transparent) mode on page 11.
The placement of your pre-existing proxy server and its functionality will have an impact on the
Barracuda Web Filter deployment. Some configurations may require technical assistance from
Barracuda Technical Support.
28 Chapter 2: Getting Started
Figure 2.6: Inline Passthrough with Pre-existing Proxy Server Deployment
Administrator’s Guide
Connecting inline to your network with a pre-existing proxy
server
To set up the Barracuda Web Filter inline with your existing proxy server, place the proxy server
between the Barracuda Web Filter and your internal network switch.
If you have a proxy server, most HTTP requests are routed from your internal network through the
proxy server to the Barracuda Web Filter. When a Web site responds, the responding traffic goes
through the Barracuda Web Filter, which filters any spyware and viruses before allowing the traffic
to go through the proxy server and back to the clients.
The Barracuda Web Filter has been tested with Microsoft ISA and Squid proxy servers.
Advanced Deployments 29
Barracuda Web Filter Release 4.0
To connect your Barracuda Web Filter and existing proxy server to your network:
1. Connect your LAN port from your proxy server to the Uplink port of your internal network
switch.
Figure 2.7: Proxy Behind the Barracuda Web Filter
2. Connect the Ethernet cable from your WAN port of your proxy server to the LAN port on the
front panel of the Barracuda Web Filter.
Note: A crossover cable may be needed if your corporate firewall does not have a switchable
port and therefore cannot switch between RX and TX. Another solution is to place a switch
between the corporate firewall and the Barracuda Web Filter.
Note:
Ethernet bridge between the WAN and LAN ports.
3. Connect an Ethernet cable from the WAN port on the Barracuda Web Filter to the LAN port on
You do not need to configure the WAN port. The Barracuda Web Filter creates an
your firewall.
30 Chapter 2: Getting Started
Loading...