Agenda
Overview, Access Control, Resources, Deployment, Advanced Concepts
Overview
Upload Signed Certificate - Use this box to upload the certificate (in PEM/Apache or PKCS12 format) that you received from your certificate authority.
Launched automatically when required; terminated when sessions are no longer active.
Mac specific: Mac RDC
Linux specific: RDesktop
Windows specific: Microsoft RDP, Ericom, Firefox portable (not yet released), PuTTY, PuTTY portable telnet, PuTTY portable SSH, RAdmin, UltraVNC, WinSCP
Access Control
User Database
Internal user database, or synchronize with: Active Directory, Enhanced Active Directory, LDAP, NIS
OU Filter
List accounts and roles only from the OUs that are selected, and exclude OUs that are not needed. Built-in groups can also be excluded.
A policy grants access to a set of users and/or groups to selected resources. All resources must be attached to a policy; furthermore, in order for a user to access a particular resource, their user account or group must also be attached to the same Policy. A user or group can be a member of multiple policies, and resources can be attached to multiple policies. This way, it is possible to easily set up a powerful set of permissions for all users of the system.
(Diagram labels: Access Rights, Resources, LDAP, Policies, RDP, NIS accounts/groups, Authentication Schemes, Users, Distribution Groups)
Authentication Schemes
Methodologies of validating user credentials submitted by the client browser against the user database. Support for eight modules, which may be used individually or in combination with one another, to create authentication schemes:
Authentication Key, Client Certificate, IP Authentication, One-Time Password (Secondary), Password, Personal Questions (Secondary), PIN Number, Radius
There are two types of authentication modules: primary and secondary. A primary authentication module may appear anywhere in the list of selected modules; a secondary authentication module may only appear after a primary authentication module. Many authentication modules are supported, and they may be used individually or in combination with one another to create authentication schemes. Once an authentication scheme has been created, it is applied to a policy. A user can be assigned multiple authentication schemes. For example, a user authenticating with their password, a hardware token, and from a trusted IP address will be granted additional resources compared with authenticating with a password alone.
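The two rules above (resources are reached only through a policy that holds both the user and the resource; a secondary module may only follow a primary one; the scheme a user completes decides which policies are unlocked) are easy to get wrong when configured by hand. The following is an added example, not Barracuda code, that models them as a small policy resolver so the behaviour can be checked offline. The group names, policy names, resources and scheme names are constructed sample data, and the idea that each policy lists the schemes that unlock it is this model's simplification of "a scheme is applied to a policy".

```python
"""Toy model of policies and authentication schemes (added example, not
Barracuda code).  Constructed sample data throughout."""
from dataclasses import dataclass, field

# Module classification as listed on the page: secondary modules may only
# follow a primary module inside a scheme.
PRIMARY = {"Authentication Key", "Client Certificate", "IP Authentication",
           "Password", "PIN Number", "Radius"}
SECONDARY = {"One-Time Password", "Personal Questions"}


def validate_scheme(modules):
    """Return a list of problems with an ordered module list; [] means valid."""
    problems = []
    if not modules:
        problems.append("scheme has no modules")
    seen_primary = False
    for pos, name in enumerate(modules):
        if name in PRIMARY:
            seen_primary = True
        elif name in SECONDARY:
            if not seen_primary:
                problems.append(f"position {pos}: secondary module {name!r} "
                                "must come after a primary module")
        else:
            problems.append(f"position {pos}: unknown module {name!r}")
    return problems


@dataclass
class Policy:
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    schemes: set = field(default_factory=set)   # schemes that unlock this policy


# Constructed directory data (hypothetical users and groups).
GROUP_MEMBERS = {"IT Admins": {"alice"}, "Sales": {"bob", "carol"}}

SCHEMES = {
    "password": ["Password"],
    "password+otp": ["Password", "One-Time Password"],
    "ip+radius": ["IP Authentication", "Radius"],
}

POLICIES = [
    Policy("Everyone", users={"alice", "bob", "carol"},
           resources={"owa-webforward"},
           schemes={"password", "password+otp", "ip+radius"}),
    Policy("IT Admins", groups={"IT Admins"},
           resources={"rdp-fileserver", "ssh-core-router"},
           schemes={"ip+radius"}),
    Policy("Sales", groups={"Sales"},
           resources={"crm-tunnel"},
           schemes={"password+otp", "ip+radius"}),
]


def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def member_policies(user, policies=POLICIES):
    """Policies the user is attached to, directly or through a group."""
    mine = groups_of(user)
    return [p for p in policies if user in p.users or p.groups & mine]


def granted_resources(user, scheme, policies=POLICIES):
    """Resources unlocked once `user` has completed authentication `scheme`."""
    if validate_scheme(SCHEMES[scheme]):
        raise ValueError(f"scheme {scheme!r} is misconfigured")
    out = set()
    for p in member_policies(user, policies):
        if scheme in p.schemes:          # the scheme must be applied to the policy
            out |= p.resources
    return sorted(out)


def unattached_resources(all_resources, policies=POLICIES):
    """Resources attached to no policy are reachable by nobody; flag them."""
    attached = set().union(*(p.resources for p in policies))
    return sorted(set(all_resources) - attached)
```

In this model `alice` sees only the OWA web forward after a password logon but also the RDP and SSH resources after the stronger `ip+radius` scheme, while `bob` never reaches the IT Admins resources because no policy joins him to them, regardless of how he authenticated.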
Authentication Key
Authentication keys are generated on your Barracuda SSL VPN and are passed out to users via computer or a USB flash drive. When authenticating using this module, the Barracuda SSL VPN will scan client drives for the authentication key or ask the user to provide a path to the key's file.
Client Certificate
Client certificate authentication is a mechanism of authenticating against an SSL certificate stored in the client browser. Client certificates can be generated by the Barracuda SSL VPN or by other keystores such as Active Directory. The authentication process is automatic and requires minimal interaction: the user is required to install the certificate into the browser once, and future access only requires the user to select the certificate during logon.
IP Authentication
IP authentication determines and validates the IP address of client during logon. Per user IP restrictions can be configured by navigating to Access Control > Accounts, selecting the appropriate user, and clicking on the edit icon adjacent to the user's name. Under the section Authorized IP you can enter in a specific address, a CIDR network range, or a wildcard address to restrict from which IP addresses the user can log on.
One-Time Password
One-time password authentication sends a randomly generated password to the user via email or through SMS. This is a secondary authentication module, meaning it cannot be the primary or only mode of authentication. OTP is configured on the Advanced > Configuration page.
Password
The password module authenticates using a typical username / password pair. This is the most commonly used Authentication Scheme.
Personal Questions
Under the Personal Questions module the user is presented with a personal security question selected at random. Security questions, such as Mother's Maiden Name, can be configured by the user on his or her attributes page within the Barracuda SSL VPN web user interface.
PIN Number
The PIN number authentication module uses a string of digits as a passphrase for a user.
Radius
The RADIUS (Remote Authentication Dial In User Service) authentication module allows the Barracuda SSL VPN to authenticate users against an external RADIUS server. RADIUS authentication is used with RSA SecurID, VASCO, Secure Computing and CryptoCard. The use of hardware token authentication allows for access using a one-time password token. RADIUS is configured on the Advanced > Configuration tab.
Access Rights
Allow a super user to delegate administration tasks to normally unprivileged users. This is fully modular; required rights can be delegated as needed without compromising other, more sensitive areas of the system. There are three types of access rights:
Personal rights, which change the ability for a user to edit or use items on their account, such as maintaining attributes, using the Agent etc.
Resource rights, which control access to edit, create and delete resources on the system.
System rights, which give access to system configuration options.
To create an access right, log in with the ssladmin account and navigate to Access Control > Access Rights.
1. Select the Type of access right that you wish to create.
2. Add available rights by highlighting the desired rights and clicking the Add button to move them to the right-hand column.
3. Select the policies to which you would like to attach the access right as a resource, and click Add to move them to the right-hand column.
4. Review the settings that you created and click Add to make the rights available.
Since this user is a member of the IT Admins policy, he can now configure and manage resources. Notice that he does NOT have access to other configuration areas such as Access Control or the Advanced tab.
Resources
Resources are the main entities an end user will want to access once connected to the Barracuda SSL VPN. Within the Barracuda SSL VPN, a resource is defined as an application, utility, data source, or any other privileged data source or interface that, when assigned, will allow the user to conduct certain tasks. The following types of resources are available:
Web Forwards, Network Places, Applications, SSL Tunnels, Profiles, Network Connect
Web Forwards
Proxy any intranet web site. Rich web applications (OWA) are supported. Four web forwarding techniques:
Tunnelled Proxy, Host-based Reverse Proxy, Path-based Reverse Proxy, Replacement Proxy
Tunneled Proxy
A tunneled proxy uses the SSL VPN Agent to open up a tunnel from the local client to the destination web URL. This type of forward does not modify the data stream, but will only work as long as all links stay on the same destination host (external links will jump out of the tunnel).
Path-based reverse proxy
Generally the best proxy type to use, if possible. A path-based reverse proxy web forward only works for web sites that exist solely in sub-directories of the root of a web server. This type of forward does not modify the data stream. The proxy works by matching unique paths in the request URI with the configured web forwards. For example, if you have a web site that is accessible from the URL http://example.com/blog you can configure the reverse proxy web forward with a path of /blog so that all requests to the SSL VPN server URL https://sslvpn/blog are proxied to the destination site. This type of proxy will only be suitable if you know the paths used by the web application. If your web site runs on the root of the web server, i.e. http://example.com, there are no defined paths to proxy so another method will have to be used.
Host-based reverse proxy
A host-based reverse proxy works in a similar way to a path-based reverse proxy, but is not restricted to subdirectories. However, the host must resolve properly via DNS. It can be used to tunnel traffic for sub-domains and other hosts where the site does not have a path to identify it. Web sites running on the root of a web server, such as https://webapp.example.com, cannot be proxied automatically by the path-based reverse proxy because there is no path to identify them. To get around this we have developed a feature called Active DNS, which modifies the hostname of the request so that we can identify the correct resource to forward to.
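The routing decision behind the path-based and host-based reverse proxies described in the two sections above, as an added example (not Barracuda's implementation): a path-based forward is chosen by matching a configured path prefix against the request URI, and a host-based forward is chosen by the request's Host header instead, which is what lets a site served from a web root be proxied. The forward table, hostnames and URLs are constructed; the longest-prefix rule, the whole-segment check (so `/blogs` does not match `/blog`) and the path normalisation before matching are design choices of this example, not documented appliance behaviour.

```python
"""Reverse-proxy web forward selection (added example, not Barracuda code).
Forward tables below are constructed sample configuration."""
import posixpath

# path-based forwards: configured SSL VPN path -> destination site
PATH_FORWARDS = {
    "/blog": "http://example.com/blog",
    "/blog/admin": "http://admin.example.com/",
}
# host-based forwards: hostname the client requests -> destination site
HOST_FORWARDS = {
    "webapp.sslvpn.example": "https://webapp.example.com",
}


def match_path_forward(path, forwards=PATH_FORWARDS):
    """Longest configured path that is a whole-segment prefix of `path`."""
    best = None
    for prefix in forwards:
        p = prefix.rstrip("/") or "/"
        if path == p or path.startswith(p + "/"):
            if best is None or len(p) > len(best):
                best = p
    return best


def route(host, request_uri, host_forwards=HOST_FORWARDS,
          path_forwards=PATH_FORWARDS):
    """Return (kind, upstream_url) for a request, or None if nothing applies."""
    path, _, query = request_uri.partition("?")
    # Collapse '.' and '..' before matching so '/blog/../x' cannot be routed
    # under the '/blog' forward to a different upstream location.
    path = posixpath.normpath(path)
    qs = "?" + query if query else ""

    # A host-based forward is identified by the Host header alone, so sites
    # living at the root of a web server can still be proxied.
    if host in host_forwards:
        return "host", host_forwards[host].rstrip("/") + path + qs

    # Otherwise look for a path-based forward in the request URI.
    prefix = match_path_forward(path, path_forwards)
    if prefix is None:
        return None          # e.g. '/' on the SSL VPN itself: no path to match
    upstream = path_forwards[prefix].rstrip("/")
    return "path", upstream + path[len(prefix):] + qs
```

Note that `route("sslvpn", "/")` returns `None`: with only path-based forwards configured there is nothing to match at the web root, which is exactly the limitation the text describes and the reason a host-based forward exists.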
Replacement proxy
A replacement proxy is generally used if any of the other web forward types cannot be used. This proxy type attempts to find all links in the web site code and replace them with links pointing back to the SSL VPN server. Due to the number of ways it is possible to create links (in many different languages), this proxy type is not always successful. However, it is possible to create custom replacement values to get a web site working via a replacement proxy web forward.
Network Places
Access Windows, SFTP and FTP filesystems. Map drives using the SSL VPN Agent. Edit files directly across the SSL VPN. Single sign-on using username and password variables. Automatically detects which type of network share is being configured.
There is a choice of Automatic, Windows Network, FTP or SFTP. Automatic attempts to detect which type to use. For example, entering \\server\share will set the type to Windows Network, entering ftp://host will set it to FTP. Optionally, you may select to override default permissions and behaviors on the share; this includes showing hidden files, setting the share to read-only, showing folders inside the share, and preventing users from deleting files or folders. You may also decide to set a Drive Letter for this share. This feature will only be utilized by Windows clients; upon launch the Java agent will mount the share as a mapped drive.
Applications
An application is a resource which uses the SSL VPN Agent to open a tunnel to a destination. Built-in applications:
Citrix Published App, Remote Desktop (Microsoft/Mac/Linux), VNC, WinSCP, PuTTY (SSH client), TN5250 AS/400 Terminal Emulator
SSL Tunnels
Tunneling is a method of transmission over networks based on differing protocols. An SSL tunnel will use the Barracuda SSL VPN Agent to open up a tunnel from a port on the client machine to a port on the destination machine, which will direct traffic from the client through the tunnel to the destination machine. The flexibility and "on-demand" nature of tunnels over the Barracuda SSL VPN make them more desirable and secure than permanently opening ports on an external firewall, or granting a client machine unrestricted network access via a traditional VPN.
Log in to your Barracuda SSL VPN using your administrator login credentials, and navigate to Resources > SSL Tunnels.
1. Enter a unique Name. Optionally you may add the tunnel to your favorites, or set it to start automatically on login.
2. Enter a Source Interface, a Source Port, a Destination Host, and a Destination Port.
3. Select the appropriate policy or policies to which you will attach the tunnel by selecting the name and clicking on the Add button.
4. Review the settings, and if everything is correct click Add.
Profiles
A profile provides a means for an administrative user to alter the general working environment of the system. Settings in a profile can alter the timeouts of a user session, change the default view for resources (icons or lists) and also affect agent timeouts and proxy settings. Users can select different profiles upon login, or administrators can manage default environment settings for users.
Deployment
Advanced Concepts
Next, create a Network Place in Windows pointing at the address and folder name on the SSL VPN appliance, for example https://remoteserver.co.uk/fs/cifs/Public. Be aware that Windows Web Folders exhibits insecure behavior when this option is enabled: it is effectively impossible to log out of an external WebDAV session. The user simply has to click Cancel when asked to authenticate, and access will be allowed. This is because Windows caches the credentials and simply re-presents them when the SSL VPN requests authentication again.
Configure IP Authentication
There may be a time where an administrator would like to prevent users outside the network from logging into administrative user accounts.
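The IP Authentication section earlier describes three forms an Authorized IP entry can take (a specific address, a CIDR network range, or a wildcard address), and the scenario just above wants administrative accounts restricted to addresses inside the network. The following is an added example, not Barracuda code, that evaluates such a list with Python's standard `ipaddress` module and adds a check that every rule on an account sits inside a given internal range. The page does not state the exact wildcard syntax the appliance accepts; this example assumes the common dotted form with `*` standing for trailing octets (for example `10.0.*.*`). All addresses and ranges are constructed sample values.

```python
"""Authorized-IP rule evaluation (added example, not Barracuda code)."""
import ipaddress


def parse_rule(rule):
    """Turn one Authorized IP entry into an ip_network.

    Accepts a single address ('192.168.1.5'), a CIDR range ('10.1.0.0/16')
    or a wildcard with trailing '*' octets ('10.1.*.*').  The wildcard
    syntax is an assumption of this example.
    """
    rule = rule.strip()
    if "*" in rule:
        octets = rule.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad wildcard rule {rule!r}")
        fixed = []
        for octet in octets:
            if octet == "*":
                break
            if not octet.isdigit() or int(octet) > 255:
                raise ValueError(f"bad octet in wildcard rule {rule!r}")
            fixed.append(octet)
        rest = octets[len(fixed):]
        if any(o != "*" for o in rest):
            raise ValueError(f"wildcard octets must be trailing in {rule!r}")
        addr = ".".join(fixed + ["0"] * len(rest))
        return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}")
    # A bare address becomes a /32 (or /128); strict=True rejects a CIDR
    # whose host bits are set, which usually means a typo in the rule.
    return ipaddress.ip_network(rule, strict=True)


def is_authorized(client_ip, rules):
    """True if the client's address matches at least one Authorized IP rule."""
    ip = ipaddress.ip_address(client_ip)
    # `in` returns False (not an error) when IPv4/IPv6 versions differ.
    return any(ip in parse_rule(r) for r in rules)


def rules_confined_to(rules, internal_cidr):
    """True if every rule lies inside `internal_cidr`.

    Useful for auditing administrative accounts: if any rule reaches outside
    the internal range, that account can be logged into from outside.
    """
    internal = ipaddress.ip_network(internal_cidr)
    for net in map(parse_rule, rules):
        if net.version != internal.version or not net.subnet_of(internal):
            return False
    return True


def audit_accounts(accounts, internal_cidr):
    """Return the names of accounts whose rules are empty or not confined.

    `accounts` maps account name -> list of Authorized IP rules.  An empty
    list is reported because it places no restriction at all.
    """
    return sorted(name for name, rules in accounts.items()
                  if not rules or not rules_confined_to(rules, internal_cidr))
```

Run against constructed data, `audit_accounts({"ssladmin": ["10.0.1.0/24"], "helpdesk": ["10.0.*.*", "203.0.113.7"], "auditor": []}, "10.0.0.0/8")` reports `helpdesk` (one rule is outside the internal range) and `auditor` (no restriction configured) but not `ssladmin`.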
Once you have configured your RADIUS server appropriately, you can configure an authentication scheme to use the RADIUS authentication module:
1. Navigate to Access Control > Authentication Schemes.
2. Under the Create Scheme header, provide a Name.
3. Select RADIUS and click the upper Add > button to move it to the box entitled Selected Modules.
4. Select the relevant policy (or policies) and click the lower Add > button to move it to the box entitled Selected Policies.
5. Click the Add button.
Your RADIUS authentication scheme is now available to be used by those users who are members of the selected policy (or policies).