BT281 Barracuda SSL VPN Training


Transcript of BT281 Barracuda SSL VPN Training

Page 1: BT281 Barracuda SSL VPN Training

Barracuda Networks Confidential 1

Configuration and Advanced Concepts
Barracuda SSL VPN

Page 2: BT281 Barracuda SSL VPN Training

Agenda
• Overview
• Access Control
• Resources
• Deployment
• Advanced Concepts

Page 3: BT281 Barracuda SSL VPN Training


Overview

Page 4: BT281 Barracuda SSL VPN Training

Web Interfaces – Appliance and SSL VPN
• Appliance Interface connects over port 8000
– Used for network configuration
– SSL certificate uploads
– Troubleshooting, EU, and firmware updates
• SSL VPN Interface connects over HTTPS
– Client login for resource access
– Admin login to configure resources, authentication, and policies

Page 5: BT281 Barracuda SSL VPN Training

Upload SSL Certificate
• From the Appliance Interface
– Obtain a Certificate Authority (CA) signed SSL certificate to upload to your device
– First generate a CSR
– Download the CSR and submit it to the CA
– Upload Signed Certificate: use this box to upload the certificate (in PEM/Apache or PKCS12 format) that you received from your certificate authority.

Page 6: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Agent
• Lightweight Java based VPN client
• Needed for more complex applications
– Drive mapping
– Proxying of rich Web applications
– Remote Desktop sessions
• Launched automatically when required
• Terminated when sessions are no longer active

Page 7: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Agent
• Dependencies
– SSL capable web browser with Java installed
– Java 1.1 is supported, although Java 1.5+ is recommended
• Windows Specific
– Microsoft RDP
– Ericom
– Firefox portable (not yet released)
– PuTTY
– PuTTY portable telnet
– PuTTY portable SSH
– RAdmin
– UltraVNC
– WinSCP
• Mac Specific
– Mac RDC
• Linux Specific
– RDesktop
• OS independent (Java based)
– Citrix ICA
– Elusiva RDP
– JTA
– NX Client
– RDP
– TN5250
– VNC
– UNITTY (SSH Client)

Page 8: BT281 Barracuda SSL VPN Training


Access Control

Page 9: BT281 Barracuda SSL VPN Training

User Database
• Internal user database, or synchronize with:
– Active Directory
– Enhanced Active Directory
– LDAP
– NIS
• OU Filter
– List accounts and roles only from OUs that are selected.
– Exclude OUs that are not needed.
– Ability to exclude builtin groups

Page 10: BT281 Barracuda SSL VPN Training

Policy Based Management
• Permissions to access resources are granted via policies, which in turn contain a set of logical groupings.
• A policy grants a set of users and/or groups access to selected resources.
• All resources must be attached to a policy; furthermore, for a user to access a particular resource, their user account or group must also be attached to the same policy.
• A user or group can be a member of multiple policies, and resources can be attached to multiple policies.
• This way, it is possible to easily set up a powerful set of permissions for all users of the system.

[Diagram: the user database (AD, LDAP, NIS) supplies accounts/groups (users, distribution groups); policies bind these to access rights, resources (RDP, Network Places, Network Connect) and authentication schemes (Password, One-Time Password, RADIUS, IP Authentication, Client Certificate).]

Page 11: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Methodologies of validating user credentials submitted by the client browser against the user database.
• Support for eight modules, which may be used individually or in combination with one another, to create authentication schemes.
– Authentication Key
– Client Certificate
– IP Authentication
– One-Time Password (Secondary)
– Password
– Personal Questions (Secondary)
– PIN Number
– Radius

Page 12: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Two types of Authentication Modules: Primary and Secondary
– A Primary Authentication Module may appear anywhere in the list of selected modules.
– A Secondary Authentication Module may only appear after a Primary Authentication Module.
– Support for many Authentication Modules, which may be used individually or in combination with one another to create authentication schemes.
– Once an authentication scheme has been created, it is applied to a policy.
– A user can be assigned multiple authentication schemes. For example, a user authenticating with their password and hardware token, and coming from a trusted IP, will be granted more resources than a user authenticating with a password alone.
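The ordering rules above (a secondary module may only follow a primary one, and a scheme needs at least one primary module) can be checked before a scheme is saved. This is an added example, not Barracuda's code; the module names and the primary/secondary split are taken from the module list on the previous slide.

```python
# Added example (not Barracuda's code): validates the module ordering rules
# the slides describe for an authentication scheme.
# Module names follow the slides; the split into primary and secondary
# modules follows the "(Secondary)" labels in the module list.
PRIMARY = {"Authentication Key", "Client Certificate", "IP Authentication",
           "Password", "PIN Number", "Radius"}
SECONDARY = {"One-Time Password", "Personal Questions"}


def validate_scheme(modules):
    """Return a list of problems for an ordered list of module names.

    Rules encoded from the slides:
      * every module must be a known module
      * a scheme needs at least one primary module
      * a secondary module may only appear after a primary module
    An empty list means the scheme is acceptable.
    """
    if not modules:
        return ["scheme has no modules"]
    problems = []
    seen_primary = False
    for position, name in enumerate(modules, start=1):
        if name in PRIMARY:
            seen_primary = True
        elif name in SECONDARY:
            if not seen_primary:
                problems.append(
                    f"{name} at position {position} is secondary "
                    "and must follow a primary module")
        else:
            problems.append(f"unknown module {name!r} at position {position}")
    if not seen_primary:
        problems.append("scheme has no primary module")
    return problems


if __name__ == "__main__":
    # the slides' example: password, hardware token (Radius) and trusted IP
    print(validate_scheme(["Password", "Radius", "IP Authentication"]))
    # OTP on its own is rejected: it is a secondary module
    print(validate_scheme(["One-Time Password"]))
```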

Page 13: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Authentication Key

– Authentication keys are generated on your Barracuda SSL VPN and are passed out to users via computer or a USB flash drive.

– When authenticating using this module, the Barracuda SSL VPN will scan client drives for the authentication key or ask the user to provide a path to the key's file.

Page 14: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Client Certificate Authentication

– Client certificate authentication is a mechanism of authenticating against an SSL certificate stored in the client browser

– Client certificates can be generated by the Barracuda SSL VPN or by other keystores such as Active Directory.

– Automatic authentication process requiring minimal interaction
– The user is required to install the certificate into the browser
– Future access only requires the user to select the certificate during logon

Page 15: BT281 Barracuda SSL VPN Training

Authentication Schemes
• IP Authentication
– IP authentication determines and validates the IP address of the client during logon.
– Per-user IP restrictions can be configured by navigating to Access Control > Accounts, selecting the appropriate user, and clicking on the edit icon adjacent to the user's name.
– Under the section Authorized IP you can enter a specific address, a CIDR network range, or a wildcard address to restrict from which IP addresses the user can log on.
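The three Authorized IP entry forms named above (specific address, CIDR range, wildcard address), evaluated against a client address. This is an added example, not Barracuda's code; the wildcard syntax (`10.1.2.*`), the fail-closed handling of malformed entries, and treating an empty list as "no restriction" are assumptions of the example.

```python
import ipaddress

# Added example (not Barracuda's code): evaluates a user's Authorized IP list
# in the three forms the slides mention: a specific address, a CIDR range,
# or a wildcard address. Wildcard syntax, fail-closed handling of malformed
# entries and "empty list = unrestricted" are assumptions of this example.


def _matches_entry(entry, client):
    """True if one Authorized IP entry covers the client address."""
    entry = entry.strip()
    try:
        if "*" in entry:
            # wildcard form such as 10.1.2.* (IPv4 only); compare octet by octet
            want = entry.split(".")
            if len(want) != 4 or client.version != 4:
                return False
            have = str(client).split(".")
            return all(w == "*" or (w.isdigit() and int(w) == int(h))
                       for w, h in zip(want, have))
        if "/" in entry:
            # CIDR form such as 192.168.0.0/16
            return client in ipaddress.ip_network(entry, strict=False)
        # specific address
        return client == ipaddress.ip_address(entry)
    except ValueError:
        # a malformed entry never grants access (fail closed)
        return False


def is_authorized(client_ip, authorized):
    """True if client_ip matches any entry in the user's Authorized IP list.

    An unparseable client address is never authorized. An empty list means
    the user has no IP restriction (assumption of this example).
    """
    if not authorized:
        return True
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(_matches_entry(entry, client) for entry in authorized)


if __name__ == "__main__":
    # constructed sample: an admin account restricted to the office range
    office = ["192.168.0.0/16", "10.1.2.*", "203.0.113.10"]
    for ip in ("192.168.5.77", "10.1.2.99", "203.0.113.10", "198.51.100.4"):
        print(ip, "allowed" if is_authorized(ip, office) else "denied")
```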

Page 16: BT281 Barracuda SSL VPN Training

Authentication Schemes
• One-Time Password
– One-time password authentication sends a randomly generated password to the user via email or through SMS.
– This is a secondary authentication scheme, meaning it cannot be the primary or only mode of authentication.
– OTP is configured on the Advanced > Configuration page.

Page 17: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Password
– The password module authenticates using a typical username / password pair.
– This is the most commonly used Authentication Scheme.
• Personal Questions
– Under the Personal Questions module the user is presented with a personal security question selected at random.
– Security questions, such as Mother's Maiden Name, can be configured by the user on his or her attributes page within the Barracuda SSL VPN web user interface.
• PIN Number
– The PIN number authentication module uses a string of digits as a passphrase for a user.

Page 18: BT281 Barracuda SSL VPN Training

Authentication Schemes
• Radius

– The RADIUS (Remote Authentication Dial In User Service) authentication module allows the Barracuda SSL VPN to authenticate users against an external RADIUS server.

– Radius authentication is used with RSA SecurID, VASCO, Secure Computing and CryptoCard. The use of hardware token authentication allows for access using a one-time password token.

– Radius Configuration is made on the Advanced > Configuration tab.

Page 19: BT281 Barracuda SSL VPN Training

Access Rights
• Allow a super user to delegate administration tasks to normally unprivileged users.
• This is fully modular; required rights can be delegated as needed without compromising other more sensitive areas of the system.
• There are three types of access rights:
– Personal rights, which change the ability for a user to edit or use items on their account, such as maintaining attributes, using the Agent, etc.
– Resource rights, which control access to edit, create and delete resources on the system.
– System rights, which give access to system configuration options.

Page 20: BT281 Barracuda SSL VPN Training

Access Rights
• To create an access right, log in with the ssladmin account and navigate to Access Control > Access Rights.
– Select the Type of access right that you wish to create.
– You can add available rights by highlighting desired rights and clicking the Add button to move them to the right hand column.
– Select the policies to which you would like to attach the access right as a resource, and click Add to move them to the right hand column.
– Review the settings that you created and click Add to make the rights available.

Page 21: BT281 Barracuda SSL VPN Training

Access Rights
• Since this user is a member of the IT Admins Policy, he can now configure/manage resources.
• Notice how he does NOT have access to other configs like Access Control or the Advanced tab.

Page 22: BT281 Barracuda SSL VPN Training


Resources

Page 23: BT281 Barracuda SSL VPN Training

Resources
• Resources are the main entities an end user will want to access once connected to the Barracuda SSL VPN.
• Within the Barracuda SSL VPN, a resource is defined as an application, utility, data source, or any other privileged data source or interface that, when assigned, will allow the user to conduct certain tasks.
• The following types of resources are available:
– Web Forwards
– Network Places
– Applications
– SSL Tunnels
– Profiles
– Network Connect

Page 24: BT281 Barracuda SSL VPN Training

Resources
• Web Forwards
– Proxy any intranet Web site
– Rich web applications (OWA) supported
– Four web forwarding techniques:
• Tunnelled Proxy
• Host-based Reverse Proxy
• Path-based Reverse Proxy
• Replacement Proxy

Page 25: BT281 Barracuda SSL VPN Training

Web Forwards
• Tunneled Proxy

– A tunneled proxy uses the SSL VPN Agent to open up a tunnel from the local client to the destination web URL.

– This type of forward does not modify the data stream, but will only work as long as all links stay on the same destination host (external links will jump out of the tunnel).

Page 26: BT281 Barracuda SSL VPN Training

Web Forwards
• Path-based reverse proxy
– Generally the best proxy type to use, if possible.
– A path-based reverse proxy web forward only works for web sites that exist solely in sub-directories of the root of a web server.
– This type of forward does not modify the data stream.
– The proxy works by matching unique paths in the request URI with the configured web forwards.
– For example, if you have a web site that is accessible from the URL http://example.com/blog you can configure the reverse proxy web forward with a path of /blog so that all requests to the SSL VPN server URL https://sslvpn/blog are proxied to the destination site.
– This type of proxy will only be suitable if you know the paths used by the web application. If your web site runs on the root of the web server, i.e. http://example.com, there are no defined paths to proxy, so another method will have to be used.

Page 27: BT281 Barracuda SSL VPN Training

Web Forwards
• Host-based reverse proxy
– A host-based reverse proxy works in a similar way to a path-based reverse proxy, but is not restricted to subdirectories. However, the host must resolve properly via DNS.
– Can be used to tunnel traffic for sub domains and other hosts where the site does not have a path to identify.
– This means that web sites working on the root of a web server, https://webapp.example.com, cannot be proxied automatically by the Reverse Proxy because there is no path to identify. To get around this we have developed a feature called Active DNS which modifies the hostname of the request so that we can identify the correct resource to forward to.

Page 28: BT281 Barracuda SSL VPN Training

Web Forwards
• Replacement proxy

– A replacement proxy is generally used if any of the other web forward types cannot be used.

– This proxy type attempts to find all links in the web site code and replace them with links pointing back to the SSL VPN server.

– Due to the number of ways it is possible to create links (in many different languages), this proxy type is not always successful.

– However, it is possible to create custom replacement values to get a web site working via a replacement proxy web forward.

Page 29: BT281 Barracuda SSL VPN Training

Network Places
• Access Windows, SFTP and FTP filesystems
• Map drives using the SSL VPN Agent
• Edit files directly across the SSL VPN
• Single Sign On using username and password variables
• Automatically detects which type of network share is being configured.

Page 30: BT281 Barracuda SSL VPN Training

Network Places
• There is a choice of Automatic, Windows Network, FTP or SFTP. Automatic attempts to detect which type to use. For example, entering \\server\share will set the type to Windows Network, entering ftp://host will set it to FTP.

• Optionally, you may select to override default permissions and behaviors on the share; this includes showing hidden files, setting the share to read-only, showing folders inside the share, and preventing users from deleting files or folders.

• You may also decide to set a Drive Letter for this share. This feature will only be utilized by Windows clients; upon launch the Java agent will mount the share as a mapped drive.

Page 31: BT281 Barracuda SSL VPN Training

Applications
• An application is a resource which uses the SSL VPN Agent to open a tunnel to a destination
• Builtin Applications
– Citrix Published App
– Remote Desktop (Microsoft/Mac/Linux)
– VNC
– WinSCP
– PuTTY (SSH Client)
– TN5250 AS/400 Terminal Emulator

Page 32: BT281 Barracuda SSL VPN Training

SSL Tunnels
• Tunneling is a method of transmission over networks based on differing protocols.
• An SSL tunnel will use the Barracuda SSL VPN Agent to open up a tunnel from a port on the client machine to a port on the destination machine, which will direct traffic from the client through the tunnel to the destination machine.

• The flexibility and "on-demand" nature of tunnels over the Barracuda SSL VPN make them more desirable and secure than permanently opening ports on an external firewall, or granting a client machine unrestricted network access via a traditional VPN.

Page 33: BT281 Barracuda SSL VPN Training

SSL Tunnels
• Log in to your Barracuda SSL VPN using your administrator login credentials, and navigate to Resources > SSL Tunnels.
• Enter a unique Name. Optionally you may add the tunnel to your favorites, or set it to start automatically on login.
• Enter a Source Interface, a Source Port, a Destination Host, and a Destination Port.
• Select the appropriate policy or policies to which you will attach the tunnel by selecting the name and clicking on the Add button.
• Review the settings, and if everything is correct click Add.

Page 34: BT281 Barracuda SSL VPN Training

Profiles
• A profile provides a means for an administrative user to alter the general working environment of the system.
• Settings in a profile can alter the timeouts of a user session, change the default view for resources (icons or lists) and also affect agent timeouts and proxy settings.

• Users can select different profiles upon login, or administrators can manage default environment settings for users.

Page 35: BT281 Barracuda SSL VPN Training

Barracuda Network Connector

• Provides SSL VPN users with full network connectivity
• Provides an OSI layer 2 or 3 secure network extension
• Easy-to-configure network interface with minimal maintenance overheads.

Page 36: BT281 Barracuda SSL VPN Training

Barracuda Network Connector

• Configuration
– Review the automatically generated settings for Network and IP Address and modify them if appropriate.
– You should select a DHCP range that contains enough addresses for the number of users you expect to use the Network Connect feature concurrently.
– Select the policies to which you would like to attach the resource and click Add. Once you have finished, click Save.
– Add a route for the client configuration

Page 37: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Server Agent

• Create site-to-site links between branch offices

• Provide access to resources on systems outside the LAN

• Eliminates the requirement for a full network connection to secure remote sites where only a few services are required

Page 38: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Server Agent
• The Server Agent acts as a proxy directing traffic from the appliance to the remote system.
• A Server Agent can be installed on a remote network and connect back to the appliance using the standard HTTPS port. With the configuration of routes an administrator can then set up resources that access services on the remote network without the need to open up a single port on the firewall protecting the remote network.

• This same process can be used to access resources inside the LAN from a Barracuda SSL VPN residing in a DMZ.

Page 39: BT281 Barracuda SSL VPN Training


Deployment

Page 40: BT281 Barracuda SSL VPN Training

Plug and Play Deployment
• Inside The LAN
– Route incoming connections to the firewall on port 443 directly to the Barracuda SSL VPN
– Simple firewall, port forwarding and NAT rules

Page 41: BT281 Barracuda SSL VPN Training

Plug and Play Deployment
• In The DMZ
– Only port 443 on the external firewall needs to be open
– Ports on the internal firewall need opening depending on the services that will be offered to users

Page 42: BT281 Barracuda SSL VPN Training


Advanced Concepts

Page 43: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Agent
• Lightweight Java based VPN client
• Needed for more complex applications
– Drive mapping
– Proxying of rich Web applications
– Remote Desktop sessions
• Launched automatically when required
• Terminated when sessions are no longer active

Page 44: BT281 Barracuda SSL VPN Training

Barracuda SSL VPN Agent
• Dependencies
– SSL capable web browser with Java installed
– Java 1.1 is supported, although Java 1.5+ is recommended
• Windows Specific
– Microsoft RDP
– Ericom
– Firefox portable (not yet released)
– PuTTY
– PuTTY portable telnet
– PuTTY portable SSH
– RAdmin
– UltraVNC
– WinSCP
• Mac Specific
– Mac RDC
• Linux Specific
– RDesktop
• OS independent (Java based)
– Citrix ICA
– Elusiva RDP
– JTA
– NX Client
– RDP
– TN5250
– VNC

Page 45: BT281 Barracuda SSL VPN Training

Configure a Web Forward for OWA 2003
• Exchange 2003
• Corp OWA for Example: Destination URL is https://mail.barracuda.com/exchweb/bin/auth/owaauth.dll and the paths that are added are /exchange and /exchweb.

• With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back end web server. For example, to proxy Outlook Web Access we identify two paths /exchange and /exchweb.

• When SSL-Explorer receives a HTTP request for http://sslexplorer.example.com/exchange/inbox/lee we look at the path of the URI and match it against the paths configured for all Reverse Proxy resources.

• Since this resource URI starts with /exchange it must be destined for the Outlook Web Access application.
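The path matching described here and on the earlier path-based reverse proxy slide, worked through in code. This is an added example, not Barracuda's or SSL-Explorer's code; the forward table is constructed from the slides' /blog and OWA examples, and the example generalises slightly by consulting several forwards and letting the longest matching path win.

```python
from urllib.parse import urlsplit

# Added example (not Barracuda's or SSL-Explorer's code): picks the backend
# for a request to the SSL VPN by matching the request path against the
# configured path-based web forwards. The table below is constructed from the
# slides' /blog and OWA 2003 examples; the backend origins are assumptions.
WEB_FORWARDS = {
    "/blog": "http://example.com",
    "/exchange": "https://mail.barracuda.com",
    "/exchweb": "https://mail.barracuda.com",
}


def match_forward(request_path, forwards=WEB_FORWARDS):
    """Return (forward_path, backend_origin) for the configured forward whose
    path is the longest prefix of request_path on a path-segment boundary,
    or None when no forward matches.

    Matching on a segment boundary keeps /blogger from matching /blog; the
    longest-prefix rule keeps /exchweb from being shadowed by a shorter path.
    """
    best = None
    for path, origin in forwards.items():
        if request_path == path or request_path.startswith(path.rstrip("/") + "/"):
            if best is None or len(path) > len(best[0]):
                best = (path, origin)
    return best


def proxy_target(request_url, forwards=WEB_FORWARDS):
    """Rewrite a request to the SSL VPN into the backend URL it is proxied to.

    Returns None when no configured path matches, which is what happens for a
    site served from the web root: the slides note that another forward type
    (host-based or replacement proxy) is needed in that case.
    """
    parts = urlsplit(request_url)
    found = match_forward(parts.path, forwards)
    if found is None:
        return None
    _path, origin = found
    target = origin.rstrip("/") + parts.path
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    for url in ("https://sslvpn/blog",
                "http://sslexplorer.example.com/exchange/inbox/lee",
                "https://sslvpn/exchweb/bin/auth/owaauth.dll",
                "https://sslvpn/"):
        print(url, "->", proxy_target(url))
```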

Page 46: BT281 Barracuda SSL VPN Training

Configure a Web Forward for OWA 2007
• Choose path-based reverse proxy for the web forward type
• Corp OWA for Example: Destination URL is https://owaserver/owa/auth/logon.aspx and the path that is added is /owa.
• With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back end web server. For example, to proxy Outlook Web Access we identify the path /owa.
• Single Sign On can be posted using form-based authentication by adding the following form parameters:
– Destination=https://owaserver/owa
– Flags=4
– Forcedownlevel=0
– isUtf8=1
– Password=${session:password}
– Trusted=4
– Username=DOMAIN${session:username}

Page 47: BT281 Barracuda SSL VPN Training

RPC Over HTTPS
• Allows full Outlook MAPI clients to connect to Exchange Servers using HTTP/HTTPS.
• This solves the problem remote Outlook users have when located behind restrictive firewalls.
• Outlook clients can then use the SSL VPN server as a proxy for Microsoft Exchange traffic.
• To configure Outlook RPC, navigate to Advanced > Configuration, and scroll down to the Outlook header at the bottom of the page.
• Enter the IP address or hostname of your Exchange server in the Exchange Server field.
• Enter the port in the Exchange Port field, and select the Protocol as appropriate to your environment.

Page 48: BT281 Barracuda SSL VPN Training

Configure Web Folders – Windows Access
• When using Windows XP or later along with Internet Explorer, you can take advantage of Microsoft Web Folders to access your file resources.
• For security the Barracuda SSL VPN only allows Web folders to be mapped to existing network places.
• This enforces the policy restrictions; if a user does not have a policy which allows them to access a given network place, then they cannot create a Web folder to it either.
• To Configure
– First check the ‘Allow external WebDAV clients’ box in the Resources section of Advanced > Configuration.
– Next create a Network Place in Windows to the address and folder name of the SSL VPN appliance, https://remoteserver.co.uk/fs/cifs/Public
– *Be aware that Windows Web Folders exhibit behavior that is insecure when this option is enabled. You will find that it is effectively impossible to log out of an external WebDAV session: the user simply has to click Cancel when asked to authenticate, and access will be allowed. This is because Windows caches the credentials and simply re-presents them when the SSL VPN requests authentication again.

Page 49: BT281 Barracuda SSL VPN Training

Configure a One-Time Password
• One-time password authentication works by sending a randomly generated password to the user via email or SMS.
• One-time password authentication must be used in conjunction with at least one other primary method.
• Configuration
– Navigate to Advanced > Configuration.
– Scroll down to the section entitled SMTP. Ensure that SMTP is enabled on startup and that the email server details have been entered correctly.
– In the One Time Password section, modify the following settings to suit your environment.
– Generally the default settings should meet the needs of most users.

Page 50: BT281 Barracuda SSL VPN Training

Configure IP Authentication
• There may be a time where an administrator would like to prevent users outside the network from logging into administrative user accounts.

Page 51: BT281 Barracuda SSL VPN Training

Citrix Published Application
• Java based ICA client is used to launch Published Desktop/Application
– Works with latest version of Citrix XenApp and older Presentation Server
– Application Type: use ‘Desktop’
– Use session username and password variables for Single Sign On
– Java based ICA client is used to launch Citrix Environment

Page 52: BT281 Barracuda SSL VPN Training


Thank You

Page 53: BT281 Barracuda SSL VPN Training

Hardware Token Authentication - RADIUS
• Radius

– The RADIUS authentication module enables the Barracuda SSL VPN to authenticate users against an external RADIUS server, and can be used as a primary module in an authentication scheme.

– Before the RADIUS module can be configured as a part of an authentication scheme, you must configure the details of your RADIUS server. To configure your RADIUS server, navigate to Advanced > Configuration and scroll down to the section entitled RADIUS. Below are the available configuration options.

• RADIUS Server: The host name or IP address of the RADIUS server. This can be localhost, or a remote server.
• Authentication Port: This is the port number stipulated for the RADIUS authentication process. It must be a valid integer port between 0 and 65536. The default (1812) is usual for standard RFC compliant RADIUS servers. Both this and the accounting port must be open between the RADIUS server and the connecting client.
• Accounting Port: This is the port number stipulated for the RADIUS accounting process. It must be a valid integer port between 0 and 65536. The default (1813) is usual for standard RFC compliant RADIUS servers. Both this and the authentication port must be open between the RADIUS server and the connecting client.
• Shared Secret: The RADIUS shared secret which has been set up on the RADIUS server.
• Authentication Method: If your server does not use a specific authentication method, this value is ignored. The only methods that are currently supported in this configuration are PAP, CHAP, MSCHAP and MSCHAPv2.
• Time Out: The timeout for a RADIUS message.
• Authentication Retries: The number of retries for a RADIUS message.
• RADIUS Attributes: The RADIUS attributes required to execute the request.
• Username Case: Setting that defines in what case the username is sent to the RADIUS server. Options are to leave as entered, force to upper case or force to lower case.
• Expect Challenge: Expect an initial challenge from the RADIUS server (i.e. the user does not provide a password prior to the first RADIUS Access request).

– Once you have configured your RADIUS server appropriately, you can configure an authentication scheme to use the RADIUS authentication module:

• Navigate to Access Control > Authentication Schemes.
• Under the Create Scheme header, provide a Name.
• Select RADIUS and click the upper Add > button to move it to the box entitled Selected Modules.
• Select the relevant policy(ies) and click the lower Add > button to move them to the box entitled Selected Policies.
• Click the Add button. Your RADIUS authentication scheme is now available to be used by those users who are members of the selected policy(ies).