Configuration and Advanced Concepts Barracuda SSL VPN

Barracuda Networks Confidential 1

Agenda
Overview Access Control Resources Deployment Advanced Concepts

Barracuda SSL VPN

Overview

Barracuda Networks Confidential

Web Interfaces Appliance and SSL VPN

Appliance Interface connects over port 8000
Used for network configurations SSL certificate uploads Troubleshooting, EU, and firmware updates

SSL VPN Interface connects over HTTPS

Client login for resource access Admin login to configure resources, authentication, and policies

Upload SSL Certificate

From the Appliance Interface
Obtain a Certificate Authority (CA) signed SSL certificate to upload to your device First generate a CSR Download the CSR and submit to the CA

Upload Signed Certificate - Use this box to upload the certificate (in PEM/Apache or PKCS12 format) that you received from your certificate authority.

Barracuda SSL VPN Agent

Lightweight Java based VPN client Needed for more complex applications
Drive mapping Proxying of rich Web applications Remote Desktop sessions

Launched automatically when required Terminated when sessions are no longer active

Barracuda SSL VPN Agent

Dependencies
SSL capable web browser with Java installed Java 1.1 is supported, although Java 1.5+ is recommended

Mac Specific
Mac RDC

Linux Specific
RDesktop

Windows Specific
Microsoft RDP Ericom Firefox portable (not yet released) PuTTY PuTTY portable telnet PuTTY portable SSH RAdmin UltraVNC WinSCP

OS independent (Java based)

Citrix ICA Elusiva RDP JTA NX Client RDP TN5250 VNC UNITTY (SSH Client)

Access Control

Barracuda Networks Confidential

User Database
Internal user database, or synchronize with:
Active Directory Enhanced Active Directory LDAP NIS

OU Filter
List accounts and roles only from OUs that are selected. Exclude OUs that are not needed. Ability to exclude builtin groups

Policy Based Management

Permission to access resources are granted via policies, which in turn contain a set of logical groupings
USER DATABASE

ACCESS RIGHTS
RESOURCES

A policy grants access to a set of users and/or groups to selected resources. All resources must be attached to a policy; furthermore, in order for a user to access a particular resource, their user account or group must also be attached to the same Policy. A user or group can be a member of multiple policies, and resources can be attached to multiple policies. This way, it is possible to easily set up a powerful set of permissions for all users of the system.

AD NETWORK PLACES NETWORK CONNECT

LDAP

POLICIES

RDP

NIS ACCOUNTS/GROUPS

AUTHENTICATION SCHEMES

PASSWORD ONE-TIME PASSWORD RADIUS IP AUTHENTICATION CLIENT CERTIFICATE

USERS

DISTRIBUTION GROUPS

Authentication Schemes
Methodologies of validating user credentials submitted by the client browser against the user database. Support for eight modules, which may be used individually or in combination with one another, to create authentication schemes.
Authentication Key Client Certificate IP Authentication One-Time Password (Secondary) Password Personal Questions (Secondary) PIN Number Radius

Authentication Schemes
Two types of Authentication Modules: Primary and Secondary
Primary Authentication Module may appear anywhere in the list of selected modules Secondary Authentication Module may only appear after a primary Authentication Module. Support for many Authentication Modules, which may be used individually or in combination with one another to create authentication schemes. Once an authentication scheme has been created, it is applied to a policy A user can be a assigned multiple authentication schemes. For example, a user authenticating with their password, hardware token, and coming from a trusted IP, will be granted additional resources than just authenticating with a password.

Authentication Schemes
Authentication Key
Authentication keys are generated on your Barracuda SSL VPN and are passed out to users via computer or a USB flash drive. When authenticating using this module, the Barracuda SSL VPN will scan client drives for the authentication key or ask the user to provide a path to the key's file.

Authentication Schemes
Client Authentication
Client certificate authentication is a mechanism of authenticating against an SSL certificate stored in the client browser Client certificates can be generated by the Barracuda SSL VPN or by other keystores such as Active Directory. Automatic authentication process requiring minimal interaction The user is required to install the certificate into the browser Future access only requires the user to select the certificate during logon

Authentication Schemes
IP Authentication
IP authentication determines and validates the IP address of client during logon. Per user IP restrictions can be configured by navigating to Access Control > Accounts, selecting the appropriate user, and clicking on the edit icon adjacent to the user's name. Under the section Authorized IP you can enter in a specific address, a CIDR network range, or a wildcard address to restrict from which IP addresses the user can log on.

Authentication Schemes
One-Time Password
One-time password authentication sends a randomly generated password to the user via email or through SMS. This is a secondary authentication scheme meaning it can not be the primary or only mode of authentication. OTP is configured on the Advanced > Configuration page.

Authentication Schemes
Password
The password module authenticates using a typical username / password pair. This is the most commonly used Authentication Scheme.

Personal Questions
Under the Personal Questions module the user is presented with a personal security question selected at random. Security questions, such as Mother's Maiden Name, can be configured by the user on his or her attributes page within the Barracuda SSL VPN web user interface.

PIN Number
The PIN number authentication module uses a string of digits as a passphrase for a user.

Authentication Schemes
Radius
The RADIUS (Remote Authentication Dial In User Service) authentication module allows the Barracuda SSL VPN to authenticate users against an external RADIUS server. Radius authentication is used with RSA SecurID, VASCO, Secure Computing and CryptoCard. The use of hardware token authentication allows for access using a one-time password token. Radius Configuration is made on the Advanced > Configuration tab.

Access Rights
Allow a super user to delegate administration tasks to normally unprivileged users. This is fully modular; required rights can be delegated as needed without compromising other more sensitive areas of the system. There are three types of access rights:
Personal rights, which change the ability for a user to edit or use items on their account, such as maintaining attributes, using the Agent etc. Resource rights, which control access to edit, create and delete resources on the system. System rights, which give access to system configuration options.

Access Rights
To create a access right, login with the ssladmin account and navigate to
Access Control > Access Rights.
Select the Type of access right that you wish to create. You can add available rights by highlighting desired rights and clicking the Add button to move them to the right hand column. Select the policies to which you would like to attach the access right as a resource, and click Add to move them to the right hand column. Review the settings that you created and click Add to make the rights available.

Access Rights
Since this user is a member of the IT Admins Policy, he can now configure/manage resources. Notice how he does NOT have access to other configs like Access Control or the Advanced tab

Resources

Barracuda Networks Confidential

22

Resources
Resources are the main entities an end user will want to access once connected to the Barracuda SSL VPN. Within the Barracuda SSL VPN, a resource is defined as an application, utility, data source, or any other privileged data source or interface that when assigned will allow the user to conduct certain tasks. The following types of resources are available
Web Forwards Network Places Applications SSL Tunnels Profiles Network Connect

Resources
Web Forwards
Proxy any intranet Web site Rich web applications (OWA) supported Four web forwarding techniques:
Tunnelled Proxy Host-based Reverse Proxy Path-based Reverse Proxy Replacement Proxy

Web Forwards
Tunneled Proxy
A tunneled proxy uses the SSL VPN Agent to open up a tunnel from the local client to the destination web URL. This type of forward does not modify the data stream, but will only work as long as all links stay on the same destination host (external links will jump out of the tunnel).

Web Forwards
Path-based reverse proxy
Generally the best proxy type to use, if possible. A path-based reverse proxy web forward only works for web sites that exist solely in sub-directories of the root of a web server. This type of forward does not modify the data stream. The proxy works by matching unique paths in the request URI with the configured web forwards. For example, if you have a web site that is accessible from the URL http://example.com/blog you can configure the reverse proxy web forward with a path of /blog so that all requests to the SSL VPN server URL https://sslvpn/blog are proxied to the destination site. This type of proxy will only be suitable if you know the paths used by the web application. If your web site runs on the root of the web server, i.e. http://example.com, there are no defined paths to proxy so another method will have to be used.

Web Forwards
Host-based reverse proxy
A host-based reverse proxy works in a similar way to a path-based reverse proxy, but is not restricted to subdirectories. However, the host must resolve properly via DNS. Can be used to tunnel traffic for sub domains and other hosts where the site does not have a path to identify. This means that web sites working on the root of a web server, https://webapp.example.com cannot be proxied automatically by the Reverse Proxy because there is no path to identify. To get around this we have developed a feature called Active DNS which modifies the hostname of the request so that we can identify the correct resource to forward to.

Web Forwards
Replacement proxy
A replacement proxy is generally used if any of the other web forward types cannot be used. This proxy type attempts to find all links in the web site code and replace them with links pointing back to the SSL VPN server. Due to the number of ways it is possible to create links (in many different languages), this proxy type is not always successful. However, it is possible to create custom replacement values to get a web site working via a replacement proxy web forward.

Network Places
Access Windows, SFTP and FTP filesystems Map drives using the SSL VPN Agent Edit files directly across the SSL VPN Single Sign on using username and password variables Automatically detects which type of network share that is being configured.

Network Places
There is a choice of Automatic, Windows Network, FTP or SFTP. Automatic attempts to detect which type to use. For example, entering \\server\share will set the type to Windows Network, entering ftp://host will set it to FTP. Optionally, you may select to override default permissions and behaviors on the share; this includes showing hidden files, setting the share to read-only, showing folders inside the share, and preventing users from deleting files or folders. You may also decide to set a Drive Letter for this share. This feature will only be utilized by Windows clients; upon launch the Java agent will mount the share as a mapped drive.

Applications
An application is a resource which uses the SSL VPN Agent to open a tunnel to a destination Builtin Applications
Citrix Published App Remote Desktop (Microsoft/Mac/Linux) VNC WinSCP Putty (SSH Client) TN5250 AS/400 Terminal Emulator

SSL Tunnels
Tunneling is a method of transmission over networks based on differing protocols. An SSL tunnel will use the Barracuda SSL VPN Agent to open up a tunnel from a port on the client machine to a port on the destination machine, which will direct traffic from the client through the tunnel to the destination machine. The flexibility and "on-demand" nature of tunnels over the Barracuda SSL VPN make them more desirable and secure than permanently opening ports on an external firewall, or granting a client machine unrestricted network access via a traditional VPN.

SSL Tunnels
Login to your Barracuda SSL VPN using your administrator login credentials, and navigate to Resources > SSL Tunnels. Enter a unique Name. Optionally you may add the tunnel to your favorites, or set it to start automatically on login. Enter a Source Interface, a Source Port, a Destination Host, and a Destination Port. Select the appropriate policy or policies to which you will attach the tunnel by selecting the name and clicking on the Add button. Review the settings, and if everything is correct click Add.

Profiles
A profile provides a means for an administrative user to alter the general working environment of the system. Settings in a profile can alter the timeouts of a user session, change the default view for resources (icons or lists) and also affect agent timeouts and proxy settings. Users can select different profiles upon login, or administrators can manage default environment settings for users.

Barracuda Network Connector

Provides SSL VPN users with full network connectivity Provides an OSI layer 2 or 3 secure network extension Easy-to-configure network interface with minimal maintenance overheads.

Barracuda SSL VPN

35

Barracuda Network Connector

Configuration Review the automatically generated settings for Network and IP Address and modify them if appropriate. You should select a DHCP range that contains a sufficient number of addresses concomitant with the number of users you expect to use the Network Connect feature concurrently. Select the policies to which you would like to attach the resource and click Add. Once you have finished, click Save. Add a route for the client configuration

Barracuda SSL VPN

36

Barracuda SSL VPN Server Agent

Create site-to-site links between branch offices Provide access to resources on systems outside the LAN Eliminates the requirement for a full network connection to secure remote sites where only a few services are required

Barracuda SSL VPN Server Agent

The Server Agent acts as a proxy directing traffic from the appliance to the remote system. A Server Agent can be installed on a remote network and connect back to the appliance using the standard HTTPS port. With the configuration of routes an administrator can then set up resources that access services on the remote network without the need to open up a single port on the firewall protecting the remote network. This same process can be used to access resources inside the LAN from a Barracuda SSL VPN residing in a DMZ.

Deployment

Barracuda Networks Confidential

39

Plug and Play Deployment

Inside The LAN
Route incoming connections to firewall on port 443 directly to the Barracuda SSL VPN Simple firewall, port forwarding and NAT rules

Barracuda SSL VPN

40

Plug and Play Deployment

In The DMZ
Only port 443 on external firewall needs to be open Ports on internal firewall need opening depending on the services that will be offered to users

Barracuda SSL VPN

41

Advanced Concepts

Barracuda Networks Confidential

42

Barracuda SSL VPN Agent

Lightweight Java based VPN client Needed for more complex applications
Drive mapping Proxying of rich Web applications Remote Desktop sessions

Launched automatically when required Terminated when sessions are no longer active

Barracuda SSL VPN Agent

Dependencies
SSL capable web browser with Java installed Java 1.1 is supported, although Java 1.5+ is recommended

Mac Specific
Mac RDC

Linux Specific
RDesktop

Windows Specific
Microsoft RDP Ericom Firefox portable (not yet released) PuTTY PuTTY portable telnet PuTTY portable SSH RAdmin UltraVNC WinSCP

OS independent (Java based)

Citrix ICA Elusiva RDP JTA NX Client RDP TN5250 VNC

Configure a Web Forward for OWA 2003

Exchange 2003 Corp OWA for Example Destination URL is https://mail.barracuda.com/exchweb/bin/auth/owaauth.dll and the paths that are added are /exchange and /exchweb. With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back end web server. For example, to proxy Outlook Web Access we identify two paths /exchange and /exchweb. When SSL-Explorer receives a HTTP request for http://sslexplorer.example.com/exchange/inbox/lee we look at the path of the URI and match it against the paths configured for all Reverse Proxy resources. Since this resource URI starts with /exchange it must be destined for the Outlook Web Access application.

Configure a Web Forward for OWA 2007

Choose path-based reverse proxy for the web forward type Corp OWA for Example Destination URL is https://owaserver/owa/auth/logon.aspx and the paths that are added are /owa. With the standard Reverse Proxy feature, web sites are proxied by identifying the path of the request and mapping this to a back end web server. For example, to proxy Outlook Web Access we identify the path /owa. Single Sign on can be posted using form-based authentication by adding the following form parameters
Destination=https://owaserver/owa Flags=4 Forcedownlevel=0 isUtf8=1 Password=${session:password} Trusted=4 Username=DOMAIN${session:username}

RPC Over HTTPS

Allows full Outlook MAPI clients to connect to Exchange Servers using HTTP/HTTPS. This solves the problem remote Outlook users have when located behind restrictive firewalls. Outlook clients can then use the SSL VPN server as a proxy for Microsoft Exchange traffic. To configure Outlook RPC, navigate to Advanced > Configuration, and scroll down to the Outlook header at the bottom of the page. Enter the IP address of hostname of your Exchange server in the Exchange Server field. Enter the port in the Exchange Port field, and select the Protocol as appropriate to your environment.

Configure Web Folders Windows Access

When using Windows XP or later along with Internet Explorer, you can take advantage of Microsoft Web Folders to access your file resources. For security the Barracuda SSL VPN only allows Web folders to be mapped to existing network places. This enforces the policy restrictions; if a user does not have a policy which allows them to access a given network place then they can neither create a Web folder to it. To Configure
First check the box on the Advanced->Configuration, Allow external WebDAV clients box in the resources section.

Next create a Network place in windows to the address and folder name of the SSL VPN appliance, https://remoteserver.co.uk/fs/cifs/Public *Be aware that Windows Web Folders exhibits behavior that is insecure when this option is enabled. You will find that it is effectively impossible to logout of an external WebDAV session. The user simply has to click Cancel when asked to authenticate, and access will be allowed.This is because Windows caches your the credentials and simple re-presents them when the SSL VPN requests authentication again.

Configure a One-Time Password

One-time password authentication works by sending a randomly generated password to the user via email or SMS. One-time password authentication must be used in conjunction with at least one other primary method. Configuration
Navigate to Advanced > Configuration. Scroll down to the section entitled SMTP. Ensure that SMTP is enabled on startup and that the email server details have been entered correctly. In the One Time Password section, modify the following settings to suit your environment. Generally the default settings should meet the needs of most users.

Configure IP Authentication
There may be a time where an administrator would like to prevent users outside the network from logging into administrative user accounts.

Citrix Published Application

Java based ICA client is used to launch Published Desktop/Application
Works with latest version of Citrix XenApp and older Presentation Server Application Type use Desktop Use session username and password variables for Single Sign On Java based ICA client is used to launch Citrix Environment

Thank You

Barracuda Networks Confidential

52

Hardware Token Authentication -RADIUS

Radius
The RADIUS authentication module enables the Barracuda SSL VPN to authenticate users against an external RADIUS server, and can be used as a primary module in an authentication scheme. Before the RADIUS module can be configured as a part of an authentication scheme, you must configure the details of your RADIUS server. To configure your RADIUS server, navigate to Advanced > Configuration and scroll down to the section entitled RADIUS. Below are the available configuration options.
RADIUS Server: The host name or IP address of the RADIUS server. This can be localhost, or a remote server. Authentication Port: This is the port number stipulated for the RADIUS authentication process. It must be a valid integer port between 0 and 65536. The default (1812) is usual for standard RFC compliant radius servers. Both this and the accounting port must be open between the RADIUS server and the connecting client. Accounting Port: This is the port number stipulated for the RADIUS accounting process. It must be a valid integer port between 0 and 65536. The default (1813) is usual for standard RFC compliant radius servers. Both this and the authentication port must be open between the RADIUS server and the connecting client. Shared Secret: The RADIUS shared secret which has been set up on the RADIUS server. Authentication Method: If your server does not use a specific authentication method, this value is ignored. The only methods that are currently supported in this configuration are PAP, CHAP, MSCHAP and MSCHAPv2 Time Out: The timeout for a RADIUS message. Authentication Retries: The number of retries for a RADIUS message. RADIUS Attributes: The RADIUS attributes required to execute the request. Username Case: Setting that defines what case the username is sent to the RADIUS server. Options are to leave as entered, force to upper case or force to lower case. Expect Challenge: Expect an initial challenge from the RADIUS server (i.e. user does not provide password prior to first RADIUS Access request)

Once you have configured your RADIUS server appropriately, you can configure an authentication scheme to use the RADIUS authentication module:
Navigate to Access Control > Authentication Schemes. Under the Create Scheme header, provide a Name. Select RADIUS and click the upper Add > button to move it to the box entitled Selected Modules. Select the relevant policy(ies) and click the lower Add > button to move it to the box entitled Selected Policies. Click the Add button. Your RADIUS authentication scheme is now available to be used by those users who are members of the selected policy(ies).