BT281 Barracuda SSL VPN Training

Transcription

Configuration and Advanced Concepts
Barracuda SSL VPN
Barracuda Networks Confidential

Agenda
– Overview
– Access Control
– Resources
– Deployment
– Advanced Concepts

Overview

Web Interfaces – Appliance and SSL VPN
– Appliance Interface connects over port 8000
  – Used for network configuration
  – SSL certificate uploads
  – Troubleshooting, EU, and firmware updates
– SSL VPN Interface connects over HTTPS
  – Client login for resource access
  – Admin login to configure resources, authentication, and policies

Upload SSL Certificate
– From the Appliance Interface
  – Obtain a Certificate Authority (CA) signed SSL certificate to upload to your device
  – First generate a CSR
  – Download the CSR and submit it to the CA
  – Upload Signed Certificate: use this box to upload the certificate (in PEM/Apache or PKCS12 format) that you received from your certificate authority.

Barracuda SSL VPN Agent
– Lightweight Java-based VPN client
– Needed for more complex applications
  – Drive mapping
  – Proxying of rich Web applications
  – Remote Desktop sessions
– Launched automatically when required
– Terminated when sessions are no longer active

Barracuda SSL VPN Agent Dependencies
– SSL-capable web browser with Java installed
– Java 1.1 is supported, although Java 1.5 is recommended
– Windows specific: Microsoft RDP, Ericom, Firefox portable (not yet released), PuTTY, PuTTY portable telnet, PuTTY portable SSH, RAdmin, UltraVNC, WinSCP
– Mac specific: Mac RDC
– Linux specific: RDesktop
– OS independent (Java based): Citrix ICA, Elusiva RDP, JTA, NX Client, RDP, TN5250, VNC, UNITTY (SSH Client)

Access Control

User Database
– Internal user database, or synchronize with:
  – Active Directory
  – Enhanced Active Directory
  – LDAP
  – NIS
– OU Filter
  – List accounts and roles only from OUs that are selected.
  – Exclude OUs that are not needed.
  – Ability to exclude built-in groups

Policy Based Management
– Permission to access resources is granted via policies, which in turn contain a set of logical groupings.
– A policy grants access to a set of users and/or groups to selected resources.
– All resources must be attached to a policy; furthermore, in order for a user to access a particular resource, their user account or group must also be attached to the same policy. A user or group can be a member of multiple policies, and resources can be attached to multiple policies. This way, it is possible to easily set up a powerful set of permissions for all users.
(Diagram labels: Access Rights; User Database: AD, LDAP, NIS, Accounts/Groups; Authentication Schemes: Password, One-Time Password, RADIUS, IP Authentication, Client Certificate; Users; Network Connect; Distribution Groups)

Authentication Schemes
– Methodologies of validating user credentials submitted by the client browser against the user database.
– Support for eight modules, which may be used individually or in combination with one another, to create authentication schemes:
  – Authentication Key
  – Client Certificate
  – IP Authentication
  – One-Time Password (Secondary)
  – Password
  – Personal Questions (Secondary)
  – PIN Number
  – Radius

Authentication Schemes
– Two types of Authentication Modules: Primary and Secondary
  – A Primary Authentication Module may appear anywhere in the list of selected modules.
  – A Secondary Authentication Module may only appear after a Primary Authentication Module.
  – Support for many Authentication Modules, which may be used individually or in combination with one another to create authentication schemes.
  – Once an authentication scheme has been created, it is applied to a policy.
  – A user can be assigned multiple authentication schemes. For example, a user authenticating with their password and hardware token, and coming from a trusted IP, will be granted additional resources compared with authenticating with a password alone.
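The policy model of the last two slides, as an added illustration (not product code): policies carry an ordered authentication scheme, members and resources, and a user only receives a resource through a policy they are attached to and whose scheme they have passed. The policy names, members and resources are constructed sample data.

```python
"""Model of the relationships on the Access Control slides: resources
attach to policies, users/groups attach to policies, an authentication
scheme (ordered list of modules) is applied to a policy, and a user gets a
resource only through a policy they satisfy. Constructed illustration."""

PRIMARY = {"Authentication Key", "Client Certificate", "IP Authentication",
           "Password", "PIN Number", "Radius"}
SECONDARY = {"One-Time Password", "Personal Questions"}


def validate_scheme(modules):
    """Every module must be one of the eight, and a Secondary module may
    only appear after a Primary one has already been listed."""
    seen_primary = False
    for m in modules:
        if m in PRIMARY:
            seen_primary = True
        elif m in SECONDARY:
            if not seen_primary:
                return False
        else:
            return False
    return seen_primary


class Policy:
    def __init__(self, name, scheme, members, resources):
        assert validate_scheme(scheme), f"invalid scheme on policy {name}"
        self.name = name
        self.scheme = list(scheme)        # modules the user must pass
        self.members = set(members)       # user or group names
        self.resources = set(resources)

    def grants(self, user, groups, passed):
        """True when the user (or one of their groups) is attached to this
        policy and has passed every module in the policy's scheme."""
        attached = user in self.members or bool(self.members & set(groups))
        return attached and all(m in passed for m in self.scheme)


def resolve_resources(policies, user, groups, passed):
    """Union of resources over all policies the user satisfies: passing
    more modules can unlock additional resources, as the slide describes."""
    out = set()
    for p in policies:
        if p.grants(user, groups, passed):
            out |= p.resources
    return out


# Constructed sample configuration (not from the training material).
POLICIES = [
    Policy("Everyone", ["Password"], {"Domain Users"}, {"Intranet Web Forward"}),
    Policy("Finance", ["Password", "Radius"], {"Finance"},
           {"Finance Network Place"}),
    Policy("IT Admins", ["IP Authentication", "Password", "One-Time Password"],
           {"alice"}, {"RDP to Jump Host", "SSL Tunnel to DB"}),
]
```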

Authentication Schemes: Authentication Key
– Authentication keys are generated on your Barracuda SSL VPN and are passed out to users via computer or a USB flash drive.
– When authenticating using this module, the Barracuda SSL VPN will scan client drives for the authentication key or ask the user to provide a path to the key's file.

Authentication Schemes: Client Certificate
– Client certificate authentication is a mechanism of authenticating against an SSL certificate stored in the client browser.
– Client certificates can be generated by the Barracuda SSL VPN or by other keystores such as Active Directory.
– Automatic authentication process requiring minimal interaction.
– The user is required to install the certificate into the browser.
– Future access only requires the user to select the certificate during logon.

Authentication Schemes: IP Authentication
– IP authentication determines and validates the IP address of the client during logon.
– Per-user IP restrictions can be configured by navigating to Access Control > Accounts, selecting the appropriate user, and clicking on the edit icon adjacent to the user's name.
– Under the section Authorized IP you can enter a specific address, a CIDR network range, or a wildcard address to restrict from which IP addresses the user can log on.
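An added example (not the appliance's own matching code) of evaluating a client address against the three Authorized IP entry forms the slide names; the exact wildcard syntax the product accepts is an assumption, taken here as one `*` per octet, and all addresses are constructed.

```python
"""Checks a client address against an Authorized IP list of the three
forms on the slide: a specific address, a CIDR range, or a wildcard
address. Constructed illustration; the wildcard syntax is assumed."""
import ipaddress
import re


def _wildcard_to_regex(pattern):
    # Assumed syntax: each '*' stands for one whole octet of a dotted quad.
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad wildcard address: {pattern}")
    return re.compile("^" + r"\.".join(
        r"\d{1,3}" if p == "*" else re.escape(p) for p in parts) + "$")


def entry_matches(entry, client_ip):
    """True when client_ip satisfies one Authorized IP entry."""
    addr = ipaddress.ip_address(client_ip)   # rejects malformed input
    if "*" in entry:
        return _wildcard_to_regex(entry).match(client_ip) is not None
    if "/" in entry:
        return addr in ipaddress.ip_network(entry, strict=False)
    return addr == ipaddress.ip_address(entry)


def ip_authorized(authorized, client_ip):
    """Allow logon when any entry matches. An empty list allows nothing,
    so a user with no entries is denied rather than silently opened up."""
    return any(entry_matches(e, client_ip) for e in authorized)
```

The check only restricts where a session may originate; the slides pair it with a primary module such as Password rather than treating source address as proof of identity.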

Authentication Schemes: One-Time Password
– One-time password authentication sends a randomly generated password to the user via email or through SMS.
– This is a secondary authentication scheme, meaning it cannot be the primary or only mode of authentication.
– OTP is configured on the Advanced Configuration page.

Authentication Schemes: Password, Personal Questions, PIN Number
– Password
  – The password module authenticates using a typical username / password pair.
  – This is the most commonly used Authentication Scheme.
– Personal Questions
  – Under the Personal Questions module the user is presented with a personal security question selected at random.
  – Security questions, such as Mother's Maiden Name, can be configured by the user on his or her attributes page within the Barracuda SSL VPN web user interface.
– PIN Number
  – The PIN number authentication module uses a string of digits as a passphrase for a user.

Authentication Schemes: Radius
– The RADIUS (Remote Authentication Dial In User Service) authentication module allows the Barracuda SSL VPN to authenticate users against an external RADIUS server.
– RADIUS authentication is used with RSA SecurID, VASCO, Secure Computing and CryptoCard. The use of hardware token authentication allows for access using a one-time password token.
– RADIUS configuration is made on the Advanced Configuration tab.

Access Rights
– Allow a super user to delegate administration tasks to normally unprivileged users.
– This is fully modular; required rights can be delegated as needed without compromising other, more sensitive areas of the system.
– There are three types of access rights:
  – Personal rights, which change the ability for a user to edit or use items on their account, such as maintaining attributes, using the Agent, etc.
  – Resource rights, which control access to edit, create and delete resources on the system.
  – System rights, which give access to system configuration options.

Access Rights
– To create an access right, log in with the ssladmin account and navigate to Access Control > Access Rights.
  – Select the Type of access right that you wish to create.
  – You can add available rights by highlighting desired rights and clicking the Add button to move them to the right-hand column.
  – Select the policies to which you would like to attach the access right as a resource, and click Add to move them to the right-hand column.
  – Review the settings that you created and click Add to make the rights available.

Access Rights
– Since this user is a member of the IT Admins Policy, he can now configure/manage resources.
– Notice how he does NOT have access to other configs like Access Control or the Advanced tab.

Resources

Resources
– Resources are the main entities an end user will want to access once connected to the Barracuda SSL VPN.
– Within the Barracuda SSL VPN, a resource is defined as an application, utility, data source, or any other privileged data source or interface that, when assigned, will allow the user to conduct certain tasks.
– The following types of resources are available:
  – Web Forwards
  – Network Places
  – Applications
  – SSL Tunnels
  – Profiles
  – Network Connect

Resources: Web Forwards
– Proxy any intranet Web site
– Rich web applications (OWA) supported
– Four web forwarding techniques:
  – Tunnelled Proxy
  – Host-based Reverse Proxy
  – Path-based Reverse Proxy
  – Replacement Proxy

Web Forwards: Tunneled Proxy
– A tunneled proxy uses the SSL VPN Agent to open up a tunnel from the local client to the destination web URL.
– This type of forward does not modify the data stream, but will only work as long as all links stay on the same destination host (external links will jump out of the tunnel).

Web Forwards: Path-based Reverse Proxy
– Generally the best proxy type to use, if possible.
– A path-based reverse proxy web forward only works for web sites that exist solely in sub-directories of the root of a web server.
– This type of forward does not modify the data stream.
– The proxy works by matching unique paths in the request URI with the configured web forwards.
– For example, if you have a web site that is accessible from the URL http://example.com/blog you can configure the reverse proxy web forward with a path of /blog so that all requests to the SSL VPN server URL https://sslvpn/blog are proxied to the destination site.
– This type of proxy will only be suitable if you know the paths used by the web application. If your web site runs on the root of the web server, i.e. http://example.com, there are no defined paths to proxy, so another method will have to be used.

Web Forwards: Host-based Reverse Proxy
– A host-based reverse proxy works in a similar way to a path-based reverse proxy, but is not restricted to subdirectories. However, the host must resolve properly via DNS.
– Can be used to tunnel traffic for sub-domains and other hosts where the site does not have a path to identify.
– This means that web sites working on the root of a web server, e.g. https://webapp.example.com, cannot be proxied automatically by the Reverse Proxy because there is no path to identify. To get around this we have developed a feature called Active DNS which modifies the hostname of the request so that we can identify the correct resource to forward to.

Web Forwards: Replacement Proxy
– A replacement proxy is generally used if any of the other web forward types cannot be used.
– This proxy type attempts to find all links in the web site code and replace them with links pointing back to the SSL VPN server.
– Due to the number of ways it is possible to create links (in many different languages), this proxy type is not always successful.
– However, it is possible to create custom replacement values to get a web site working via a replacement proxy web forward.

Network Places
– Access Windows, SFTP and FTP filesystems
– Map drives using the SSL VPN Agent
– Edit files directly across the SSL VPN
– Single sign-on using username and password variables
– Automatically detects which type of network share is being configured.

Network Places
– There is a choice of Automatic, Windows Network, FTP or SFTP. Automatic attempts to detect which type to use. For example, entering \\server\share will set the type to Windows Network; entering ftp://host will set it to FTP.
– Optionally, you may select to override default permissions and behaviors on the share; this includes showing hidden files, setting the share to read-only, showing folders inside the share, and preventing users from deleting files or folders.
– You may also decide to set a Drive Letter for this share. This feature will only be utilized by Windows clients; upon launch the Java agent will mount the share as a mapped drive.

Applications
– An application is a resource which uses the SSL VPN Agent to open a tunnel to a destination.
– Built-in Applications
  – Citrix Published App
  – Remote Desktop (Microsoft/Mac/Linux)
  – VNC
  – WinSCP
  – PuTTY (SSH Client)
  – TN5250 AS/400 Terminal Emulator

SSL Tunnels
– Tunneling is a method of transmission over networks based on differing protocols.
– An SSL tunnel will use the Barracuda SSL VPN Agent to open up a tunnel from a port on the client machine to a port on the destination machine, which will direct traffic from the client through the tunnel to the destination machine.
– The flexibility and "on-demand" nature of tunnels over the Barracuda SSL VPN make them more desirable and secure than permanently opening ports on an external firewall, or granting a client machine unrestricted network access via a traditional VPN.

SSL Tunnels
– Log in to your Barracuda SSL VPN using your administrator login credentials, and navigate to Resources > SSL Tunnels.
– Enter a unique Name. Optionally you may add the tunnel to your favorites, or set it to start automatically on login.
– Enter a Source Interface, a Source Port, a Destination Host, and a Destination Port.
– Select the appropriate policy or policies to which you will attach the tunnel by selecting the name and clicking on the Add button.
– Review the settings, and if everything is correct click Add.

Profiles
– A profile provides a means for an administrative user to alter the general working environment of the system.
– Settings in a profile can alter the timeouts of a user session, change the default view for resources (icons or lists) and also affect agent timeouts and proxy settings.
– Users can select different profiles upon login, or administrators can manage default environment settings for users.

Barracuda Network Connector
– Provides SSL VPN users with full network connectivity
– Provides an OSI layer 2 or 3 secure network extension
– Easy-to-configure network interface with minimal maintenance overheads.

Barracuda Network Connector Configuration
– Review the automatically generated settings for Network and IP Address and modify them if appropriate.
– Select a DHCP range that contains enough addresses for the number of users you expect to use the Network Connect feature concurrently.
– Select the policies to which you would like to attach the resource and click Add. Once you have finished, click Save.
– Add a route for the client configuration.

Barracuda SSL VPN Server Agent
– Create site-to-site links between branch offices
– Provide access to resources on systems outside the LAN
– Eliminates the requirement for a full network connection to secure remote sites where only a few services are required

Barracuda SSL VPN Server Agent
– The Server Agent acts as a proxy directing traffic from the appliance to the remote system.
– A Server Agent can be installed on a remote network and connect back to the appliance using the standard HTTPS port. With the configuration of routes an administrator can then set up resources that access services on the remote network without the need to open up a single port on the firewall protecting the remote network.
– This same process can be used to access resources inside the LAN from a Barracuda SSL VPN residing in a DMZ.

Deployment

Plug and Play Deployment Inside The LAN
– Route incoming connections to the firewall on port 443 directly to the Barracuda SSL VPN
– Simple firewall, port forwarding and NAT rules

Plug and Play Deployment In The DMZ
– Only port 443 on the external firewall needs to be open
– Ports on the internal firewall need opening depending on the services that will be offered to users

Advanced Concepts

Configure a Web Forward for OWA 2003
– Exchange 2003: "Corp OWA" for example. Destination URL: …uth.dll; the paths that are added are /exchange and /exchweb.
– With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back-end web server. For example, to proxy Outlook Web Access we identify two paths, /exchange and /exchweb.
– When SSL-Explorer receives an HTTP request, we look at the path of the URI and match it against the paths configured for all Reverse Proxy resources. Since this resource URI starts with /exchange it must be destined for the Outlook Web Access application.

Configure a Web Forward for OWA 2007
– Choose path-based reverse proxy for the web forward type.
– "Corp OWA" for example. Destination URL is https://owaserver/owa/auth/logon.aspx and the path that is added is /owa.
– With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back-end web server. For example, to proxy Outlook Web Access we identify the path /owa.
– Single sign-on can be posted using form-based authentication by adding the following form parameters:
  – Destination: https://owaserver/owa
  – Flags: 4
  – Forcedownlevel: 0
  – isUtf8: 1
  – Password: {session:password}
  – Trusted: 4
  – Username: DOMAIN {session:username}
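An added example (not the appliance's code) of the routing decision described on the Path-based and Host-based Reverse Proxy slides and applied in the two OWA configurations above: a request arriving at the SSL VPN is matched first by hostname (the Active DNS case for a site on a server root) and otherwise by the longest configured path prefix. The forward table uses the slides' own paths (/exchange, /exchweb, /owa, /blog); the hostname webapp.sslvpn.example and the upstream roots are constructed.

```python
"""Route an inbound SSL VPN request to a configured web forward: host-based
forwards first, then the longest matching path prefix. Constructed
illustration built from the paths on the training slides."""
from urllib.parse import urlsplit, urlunsplit

PATH_FORWARDS = {
    # configured path -> destination root (OWA 2003, OWA 2007, blog slides)
    "/exchange": "https://owaserver",
    "/exchweb": "https://owaserver",
    "/owa": "https://owaserver",
    "/blog": "http://example.com",
}
HOST_FORWARDS = {
    # hostname the SSL VPN answers for (assumed) -> root-hosted site it fronts
    "webapp.sslvpn.example": "https://webapp.example.com",
}


def _path_prefix_matches(path, prefix):
    # "/owa" must match "/owa" and "/owa/...", but never "/owaextra".
    return path == prefix or path.startswith(prefix + "/")


def route(request_url):
    """Return (forward_type, upstream_url), or None when no forward is
    configured for the request, so unmatched paths are not proxied."""
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    if host in HOST_FORWARDS:
        base = urlsplit(HOST_FORWARDS[host])
        return "host", urlunsplit((base.scheme, base.netloc, parts.path,
                                   parts.query, ""))
    best = None
    for prefix in PATH_FORWARDS:
        if _path_prefix_matches(parts.path, prefix):
            if best is None or len(prefix) > len(best):
                best = prefix          # longest prefix is the most specific
    if best is None:
        return None
    base = urlsplit(PATH_FORWARDS[best])
    return "path", urlunsplit((base.scheme, base.netloc, parts.path,
                               parts.query, ""))
```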

RPC Over HTTPS
– Allows full Outlook MAPI clients to connect to Exchange Servers using HTTP/HTTPS.
– This solves the problem remote Outlook users have when located behind restrictive firewalls.
– Outlook clients can then use the SSL VPN server as a proxy for Microsoft Exchange traffic.
– To configure Outlook RPC, navigate to Advanced Configuration, and scroll down to the Outlook header at the bottom of the page.
– Enter the IP address or hostname of your Exchange server in the Exchange Server field.
– Enter the port in the Exchange Port field, and select the Protocol as appropriate to your environment.

Configure Web Folders – Windows Access
– When using Windows XP or later along with Internet Explorer, you can take advantage of Microsoft Web Folders to access your file resources.
– For security the Barracuda SSL VPN only allows Web Folders to be mapped to existing network places.
– This enforces the policy restrictions; if a user does not have a policy which allows them to access a given network place then they cannot create a Web Folder to it either.
– To configure:
  – First check the 'Allow external WebDAV clients' box in the Resources section of Advanced > Configuration.
  – Next create a Network Place in Windows to the address and folder name on the SSL VPN appliance, e.g. https://remoteserver.co.uk/fs/cifs/Public
  – * Be aware that Windows Web Folders exhibits behavior that is insecure when this option is enabled. You will find that it is effectively impossible to log out of an external WebDAV session. The user simply has to click Cancel when asked to authenticate, and access will be allowed. This is because Windows caches the credentials and simply re-presents them when the SSL VPN requests authentication again.

Configure a One-Time Password
– One-time password authentication works by sending a randomly generated password to the user via email or SMS.
– One-time password authentication must be used in conjunction with at least one other primary method.
– Configuration:
  – Navigate to Advanced Configuration.
  – Scroll down to the section entitled SMTP. Ensure that SMTP is enabled on startup and that the email server details have been entered correctly.
  – In the One Time Password section, modify the following settings to suit your environment.
  – Generally the default settings should meet the needs of most users.

Configure IP Authentication
– There may be a t
