1. Barracuda VPN / Network Access Clients

1. Barracuda VPN / Network Access Clients - Overview (p. 2)
1.1 Release Notes for Barracuda VPN Clients & Network Access Clients (p. 2)
1.1.1 Release Notes for Barracuda Network Access Client 3.7 (p. 2)
1.1.2 Release Notes for Barracuda Mac VPN Client 3.6.5 (p. 3)
1.1.3 Release Notes for Barracuda NAC 3.6 Hotfix 209 (p. 4)
1.1.4 Release Notes for Barracuda NAC 3.6 Hotfix 104 (p. 4)
1.1.5 Release Notes for NAC 3.6 and Mac VPN Client 3.6.2 (p. 5)
1.1.6 Release Notes for Barracuda NAC 3.5 and Mac VPN Client 3.6.1 (p. 6)
1.1.7 Release Notes for Barracuda NAC 3.4 Hotfix 304 (p. 9)
1.1.8 Release Notes for Barracuda NAC 3.4 Hotfix 207 (p. 9)
1.1.9 Release Notes for Barracuda NAC 3.4 Hotfix 101 (p. 10)
1.1.10 Release Notes for Barracuda NAC 3.4 (p. 12)
1.2 Barracuda Network Access Client for Windows (p. 14)
1.2.1 Introduction (p. 14)
1.2.2 Installing, Updating, or Uninstalling the Barracuda Network Access Client (p. 23)
1.2.2.1 Performing a Complete Installation (p. 26)
1.2.2.2 Performing a VPN-Only Installation (p. 33)
1.2.2.3 Fully Preconfigured Custom Installation (p. 40)
1.2.2.3.1 Template Code: Customer Install Files (customer.inf) (p. 46)
1.2.2.4 Partially Preconfigured Unattended Remote Custom Installation (p. 52)
1.2.2.5 Updating or Migrating the Client (p. 55)
1.2.2.6 Uninstalling the Client (p. 55)
1.2.3 Operating and Monitoring the Barracuda Network Access Client (p. 57)
1.2.3.1 The Barracuda VPN Client (p. 60)
1.2.3.1.1 Configuring the Client (p. 63)
1.2.3.1.2 Creating VPN Profiles (p. 63)
1.2.3.1.3 Using Remote VPN (p. 68)
1.2.3.2 The Barracuda Personal Firewall (p. 70)
1.2.3.2.1 Configuring Personal Firewall Rules on the Barracuda NG Control Center (p. 115)
1.2.3.3 The Barracuda Access Monitor (p. 131)
1.2.3.3.1 Template Code: Profile Registry Keys (p. 145)
1.2.3.4 Barracuda Network Access Client Sample Configuration (p. 145)
1.2.4 How to Install and Configure the Barracuda NAC Light (p. 152)
1.2.5 How to Configure Multiple VPN Gateways (p. 154)
1.2.6 How to Configure Direct Access (p. 161)
1.2.7 Troubleshooting (p. 162)
1.2.8 NAC PowerShell (p. 164)
1.3 Barracuda VPN Client for Mac OS X (p. 165)
1.3.1 How to Install and Update the Barracuda VPN Client for Mac OS X (p. 166)
1.3.2 How to Configure the Barracuda VPN Client for Mac OS X (p. 169)
1.3.3 How to Establish and Terminate a VPN Connection (p. 174)
1.3.4 How to Uninstall the Barracuda VPN Client for Mac OS X (p. 179)
1.3.5 Using the Barracuda VPN Client via Command Line (p. 179)
1.4 Barracuda VPN Client for Linux and Mac OS X (Command Line) (p. 180)
1.4.1 How to Install the Barracuda VPN Client for Linux and Mac OS X (p. 180)
1.4.2 Updating the Barracuda VPN Client for Linux and Mac OS X (p. 182)
1.4.3 How to Configure the Barracuda VPN Client for Linux and Mac OS X (p. 183)
1.4.4 How to Use the Barracuda VPN Client for Linux and Mac OS X (p. 185)
1.4.5 How to Uninstall the Barracuda VPN Client for Linux and Mac OS X (p. 185)
1.5 How to Create a *.vpn File (p. 186)
1.6 How to Import a *.vpn File into the VPN Client (p. 190)
Barracuda VPN / Network Access Clients - Overview
Barracuda offers a suite of end-user clients to configure and establish Client-to-Site virtual private networks (VPNs). Different clients are available
for Windows, Mac OS X, and Linux operating systems.
The Barracuda VPN and Network Access clients offer support for numerous authentication methods, quick restoration of VPN tunnels after
dropped connections, 'Always On' VPN connections for PCs, support for redundant VPN gateways, selective routing of network traffic through the
tunnel, automatic selection of the optimal VPN gateway based on the client's location, and much more. When using a Barracuda NG Firewall as
the VPN gateway, you can also deploy and manage the Windows clients centrally.
Suitable server-side functionality is included with the Barracuda NG Firewall (which also offers Access Control) and the Barracuda Firewall.
Select your OS Version
The Barracuda Network Access Client for Windows. The Barracuda Network Access Client is a suite of applications that, as an option, also
includes the Barracuda Personal Firewall and the Barracuda Access Monitor.
The Barracuda VPN Client for Mac OS X, a graphical VPN client.
The Barracuda VPN Client for Linux and Mac OS X (Command Line), a command-line VPN client.
Looking for information on how to configure the Barracuda NG Firewall or the Barracuda Firewall for client-to-site VPN?

Server Product          | Client-to-Site Service                                                   | Access Control
------------------------|--------------------------------------------------------------------------|-----------------------
Barracuda NG Firewall   | Client-to-Site VPN                                                       | Access Control Service
                        | How to Use the Barracuda VPN Client                                      |
Barracuda Firewall      | How to Configure a Client-to-Site VPN with Certificate Authentication    | n.a.
                        | How to Configure a Client-to-Site VPN with PPTP                          |
Release Notes for Barracuda VPN Clients & Network Access Clients
Release Notes for Barracuda Network Access Client 3.7
Release Notes for Barracuda Mac VPN Client 3.6.5
Release Notes for Barracuda NAC 3.6 Hotfix 209
Release Notes for Barracuda NAC 3.6 Hotfix 104
Release Notes for NAC 3.6 and Mac VPN Client 3.6.2
Release Notes for Barracuda NAC 3.5 and Mac VPN Client 3.6.1
Release Notes for Barracuda NAC 3.4 Hotfix 304
Release Notes for Barracuda NAC 3.4 Hotfix 207
Release Notes for Barracuda NAC 3.4 Hotfix 101
Release Notes for Barracuda NAC 3.4
Release Notes for Barracuda Network Access Client 3.7
Before installing the new software version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support.
Download this Firmware Release
You can download the install files for the Barracuda Network Access Client from http://login.barracudanetworks.com
In these release notes:
General
What's new in Barracuda Network Access Client 3.7
Improvements included with Barracuda Network Access Client 3.7
General
Barracuda Network Access Client version 3.7 is the direct successor to Barracuda Network Access Client version 3.6 and contains all
improvements and features delivered with version 3.6 hotfix 209 and 3.6 hotfix 303.
Updating to Barracuda Network Access Client 3.7 is possible for any prior version.
Before installing the Barracuda Network Access Client 3.7 on Windows 7, the following Microsoft update must be applied: and KB3033929
Starting with Barracuda Network Access Client 3.7, support for Windows Vista is discontinued.
What's new in Barracuda Network Access Client 3.7
Support for new Group Policy feature VPN Client NAC: Required introduced with NG Firewall 6.2.1. (BNNGF-35247)
Pre-Domain Logon (Single Sign-On) support for X509-based VPN profiles. (BNNGF-35347)
UI improvements for new "VPN Always On" feature. (BNNGF-29906)
Support for X.509 authentication for multiple, concurrent client-to-site VPN sessions by the same user. Note that this feature requires
Barracuda NextGen Firewall F version 6.2.1 or higher and a valid Premium Remote Access subscription. (BNNGF-35671)
Improvements included with Barracuda Network Access Client 3.7
VPN Adapter Prioritization (Adapter Reordering) now works as expected on Windows 10. The corresponding settings have been renamed.
(BNNGF-34849, BNNGF-34748)
"Automatically reorder adapters" has been renamed to "Automatically prioritize VPN adapter".
"Order VPN Adapter" has been renamed to "VPN Adapter Prioritization".
VPN Client service no longer crashes when using Adapter Reordering on Windows 10. (BNNGF-32120)
Manual IP address assignment for VPN Adapter now works as expected. (BNNGF-29343)
Uninstalled driver packages are no longer listed in the Windows Control Panel. (BNNGF-31552)
The VPN profile configuration option "Certificate Selection Dialog" now works as expected. (BNNGF-35997)
VPN status notifications in the Windows tray no longer become unresponsive. (BNNGF-31581)
The phions.log and phionha.log log files are no longer filled with Windows Security Center events generated by 3rd-party anti-malware
software. (BNNGF-31413)
VPN Client service no longer crashes when Windows leaves hibernation mode. (BNNGF-33140)
Fixed an issue where the ruleset might not get activated properly after terminating a VPN connection. (BNNGF-29759, BNNGF-33029)
Resizing of certain user interface windows now works as expected. (BNNGF-32513)
VPN connections on Windows 10 are no longer terminated when Pre-Domain Logon is enabled. (BNNGF-36711)
VPN connections are now correctly terminated on Windows 10 if "Disconnect when user logs off" is enabled. (BNNGF-36712)
Various bug fixes based on Windows Error Reporting.
Updating from Windows 7 to Windows 10 no longer fails if Barracuda Network Access Client 3.6 with HF209 is present. (BNNGF-32589)
The OPSWAT Library was updated to version 4.2.761.0. (BNNGF-34048)
The driver for the Personal Firewall is now certified for Windows 10. (BNNGF-33554)
Release Notes for Barracuda Mac VPN Client 3.6.5
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
Known Issues
System Requirements
What's New with Barracuda VPN Client for Mac OS X Version 3.6.5
Improvements Included with Barracuda VPN Client for Mac OS X Version 3.6.5
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Barracuda VPN Client 3.6.5 for Mac OS X
Operating Systems: 10.9 (Mavericks), 10.10 (Yosemite), 10.11 (El Capitan)
Disk Space: 10 MB
RAM: 512 MB
What's New with Barracuda VPN Client for Mac OS X Version 3.6.5
Barracuda VPN Client for Mac OS X version 3.6.5 is a maintenance release only. No new features have been added.
Improvements Included with Barracuda VPN Client for Mac OS X Version 3.6.5
Added support for Mac OS X 10.11 (El Capitan).
Release Notes for Barracuda NAC 3.6 Hotfix 209
Before installing the new software version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support.
Download this Firmware Release
You can download the install files for the Barracuda Network Access Client from http://login.barracudanetworks.com/.
In these Release Notes:
General
Improvements Included with Barracuda Network Access Client Hotfix 209
General
Barracuda Network Access Client version 3.6 Hotfix 209 is a hotfix to be applied on Barracuda Network Access Client 3.6.
Improvements Included with Barracuda Network Access Client Hotfix 209
Added support for Credential Provider on Microsoft Windows 10. (BNNGF-32121)
System Report - Improved data collection handling when retrieving OS information. (BNNGF-31521)
Adapter reordering no longer results in VPN client crashes on Microsoft Windows 10. (BNNGF-32121)
OESIS Library Update - Improved product detection and several bug fixes. (BNNGF-31505)
Added support for multiple concurrent VPN user sessions. (BNNGF-30584)
Release Notes for Barracuda NAC 3.6 Hotfix 104
Before installing the new software version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support.
Download this Firmware Release
You can download the install files for the Barracuda Network Access Client from http://login.barracudanetworks.com/.
In these Release Notes:
General
Improvements Included with Barracuda Network Access Client Hotfix 304
General
Barracuda Network Access Client version 3.6 Hotfix 104 is a hotfix to be applied on Barracuda Network Access Client 3.6.
Improvements Included with Barracuda Network Access Client Hotfix 304
The Barracuda Network Access Client no longer crashes on MS Windows 8/8.1 64bit when using AES256 encryption. (BNNGF-31018)
The Establish VPN connection prior to Logon (Credential Provider (SSO)) setting is now configurable. (BNNGF-30428)
VPN connections now work as expected when using SHA256 certificates from the Local Machine Store. (BNNGF-30518)
The lock screen interception for the VPN Client's user interface controls is now configurable. (BNNGF-30427)
VPN Always On - User Interface improvements. (BNNGF-30256)
The Barracuda Network Access Client now disables VPN server probing correctly, if configured. (BNNGF-30549)
Health re-validation now works correctly in case of changes on the network adapter. (BNNGF-30255)
In order to use the SHA256 hashing algorithm, Barracuda Network Access Client version 3.6 requires properly issued certificates. When
using a Microsoft Certificate Authority, make sure to use a Key Storage Provider as described here:
https://technet.microsoft.com/en-us/library/dn771627.aspx
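The requirement above has two parts that an administrator can verify before rolling out SHA256 profiles: the certificate must be signed with SHA-2 (the client supports SHA-256, SHA-384 and SHA-512), and its private key must be held by a CNG Key Storage Provider rather than a legacy CryptoAPI CSP. The following PowerShell function is an added example, not part of the Barracuda documentation; the function name Get-VpnCertificateReadiness and the $StorePath parameter are assumptions. It assumes .NET Framework 4.6 or later (for the GetRSAPrivateKey extension method) and an elevated shell, because private-key metadata in the Local Machine store is only readable as administrator.

```powershell
# Added example (not Barracuda's code): inventory the Local Machine personal store and
# flag certificates that do not meet both conditions for SHA256 client-to-site use:
#   1. a SHA-2 signature algorithm (sha256RSA, sha384RSA or sha512RSA)
#   2. a private key held by a Key Storage Provider (KSP), not a legacy CSP
# Assumes .NET Framework 4.6+ and an elevated session.

function Get-VpnCertificateReadiness {
    param(
        # Store to inspect; the release note refers to the Local Machine Store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert     = $_
        $provider = 'unknown'
        $isKsp    = $false
        try {
            # Returns RSACng for KSP-backed keys and RSACryptoServiceProvider for CSP keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsa.Key.Provider.Provider      # e.g. Microsoft Software Key Storage Provider
                $isKsp    = $true
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsa.CspKeyContainerInfo.ProviderName   # legacy CryptoAPI CSP
            }
        } catch {
            # Non-RSA keys or keys the current user may not open are reported, not skipped.
            $provider = "error: $($_.Exception.Message)"
        }

        $sigAlg   = $cert.SignatureAlgorithm.FriendlyName
        $isSha2   = $sigAlg -match '^sha(256|384|512)'

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Signature  = $sigAlg
            Provider   = $provider
            KspBacked  = $isKsp
            Ready      = ($isSha2 -and $isKsp)
        }
    }
}

# Usage: list the certificates that still need re-issuing from a KSP-backed CA template.
Get-VpnCertificateReadiness | Where-Object { -not $_.Ready } | Format-Table -AutoSize
```

A certificate that shows Signature = sha256RSA but a CSP provider name such as "Microsoft Enhanced Cryptographic Provider v1.0" is the case the release note warns about: it was signed correctly by the CA but enrolled through a legacy template, so the client cannot use it for SHA256 authentication until it is re-issued from a template whose provider is a Key Storage Provider.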
Release Notes for NAC 3.6 and Mac VPN Client 3.6.2
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
General
Known Issues
System Requirements
What's New with Barracuda Network Access Client Version 3.6
Updates
Improvements Included with Barracuda Network Access Client Version 3.6
What's New with Barracuda VPN Client for Mac OS X Version 3.6.2
General
Barracuda Network Access Client version 3.6 is the direct successor to version 3.5 and contains all improvements and features delivered
with version 3.5.
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Barracuda Network Access Client 3.6 for Windows
Operating Systems: Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit), Windows 8 (32-bit, 64-bit), Windows 8.1 (32-bit, 64-bit),
  Windows 10 (32-bit, 64-bit) with installed hotfix 209.
Disk Space: Complete Installation: 250 MB; VPN Client only: 200 MB
RAM: Windows 7, Windows 8: 1 GB (32-bit) or 2 GB (64-bit); Windows Vista: 1 GB
CPU: Windows Vista, Windows 7: 1 GHz or faster with 32-bit (x86) or 64-bit (x64); Windows 8: 1 GHz or faster with PAE, NX and SSE2 support
Barracuda VPN Client 3.6.2 for Mac OS X
Operating Systems: 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite)
Disk Space: 10 MB
RAM: 512 MB
What's New with Barracuda Network Access Client Version 3.6
Support for SHA-256, SHA-384 and SHA-512 certificate hash functions.
The VPN authentication timeout is now configurable.
The Always On feature allows system administrators to force VPN clients to keep a permanent VPN connection (which cannot be
turned off by the end user), thereby preventing unprotected Internet connections.
Enhanced client health checks are now configurable in the personal firewall configuration (i.e. they can now be disabled). With new
installations enhanced client health checks are now disabled by default.
Updates
The OPSWAT Library was updated to version 4.1.187.0.
Improvements Included with Barracuda Network Access Client Version 3.6
The VPN Client's user interface controls are no longer visible on the Windows lock screen. (BNNGF-28943)
Importing multiple valid certificates now works as expected and does not lead to incorrect expired messages anymore. (BNNGF-22939)
What's New with Barracuda VPN Client for Mac OS X Version 3.6.2
Updated German translation.
Release Notes for Barracuda NAC 3.5 and Mac VPN Client 3.6.1
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
General
Known Issues
System Requirements
What's New with Barracuda Network Access Client Version 3.5
On-Demand VPN Connection
VPN Re-Connection
PowerShell Integration
RSA New Pin Mode Support
Updates
Improvements Included with Barracuda Network Access Client Version 3.5
What's New with Barracuda VPN Client for Mac OS X Version 3.6 / 3.6.1
Improvements Included with Barracuda VPN Client for Mac OS X Version 3.6 / 3.6.1
General
Barracuda Network Access Client version 3.5 is the direct successor to version 3.4 Hotfix 304 and contains all improvements and
features delivered with version 3.4 Hotfix 304.
Barracuda VPN Client 3.6 is the direct successor to version 3.2 Hotfix 8 and contains all improvements and features delivered with
version 3.2 Hotfix 8.
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Barracuda Network Access Client 3.5 for Windows
Operating Systems: Windows XP, Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit), Windows 8 (32-bit, 64-bit), Windows 8.1 (32-bit, 64-bit)
Disk Space: Complete Installation: 250 MB; VPN Client only: 200 MB
RAM: Windows XP: 64 MB (recommended: 128 MB); Windows 7, Windows 8: 1 GB (32-bit) or 2 GB (64-bit); Windows Vista: 1 GB
CPU: Windows XP: Pentium 233 MHz (recommended: 300 MHz); Windows Vista, Windows 7: 1 GHz or faster with 32-bit (x86) or 64-bit (x64);
  Windows 8: 1 GHz or faster with PAE, NX and SSE2 support
Barracuda VPN Client 3.6.1 for Mac OS X
Operating Systems: 10.6 (Snow Leopard), 10.7 (Lion), 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite)
Disk Space: 10 MB
RAM: 512 MB
What's New with Barracuda Network Access Client Version 3.5
On-Demand VPN Connection
The On-Demand VPN connection feature allows a dedicated VPN connection to defined IP networks. If a user tries to establish a network
connection to a specified IP network, the connection is only allowed through a VPN connection, and the VPN tunnel is therefore automatically
built up on demand.
VPN Re-Connection
The VPN re-connection mechanism was redesigned to improve the connection time. The overall time for VPN re-connections has been
significantly reduced.
PowerShell Integration
The Barracuda Network Access Client can now be controlled through a dedicated PowerShell. PowerShell integration includes the following
features:
VPN connect/disconnect
VPN profile management
VPN/Health Agent settings
Master Password and MS Credentials
Policy Server and health validation
On-Demand VPN configuration
Personal Firewall configuration
VPN status information
RSA New Pin Mode Support
The Barracuda Network Access Client now supports RSA New Pin Mode (user-generated PINs).
Updates
The OPSWAT Library was updated to version 3.6.8068.2.
Improvements Included with Barracuda Network Access Client Version 3.5
OpenSSL update to version 0.9.8za. (BNNGF-24010)
The personal firewall no longer crashes when running on MS Windows touch devices. (BNNGF-23357)
The VPN user interface now correctly determines the VPN connection state for users containing whitespaces in the user name.
(BNNGF-23287)
The install wizard now also works correctly on MS Windows XP. (BNNGF-22889)
Establishing manual VPN connections (rvpn.exe) through proxy servers without specifying host name and port no longer leads to
subsequently failing connection attempts of vpn.exe. (BNNGF-22757)
The VPN client no longer crashes when using ENA (Exclusive Network Access) and hot-pluggable network adapters. (BNNGF-22483)
Context menus can now be correctly accessed via keyboard shortcut (Shift+F10). (BNNGF-22375)
The MS Vista/Windows 7 credential provider crashed on very rare occasions. This issue has been fixed. (BNNGF-22322)
VPN profile settings now also support SHA256 as hashing algorithm. (BNNGF-22216)
Basic authentication as fallback authentication method now works as expected. (BNNGF-22170)
The Settings window of the Personal Firewall no longer loads with the default settings instead of the configured values. (BNNGF-21911)
The Personal Firewall no longer crashes when closing the Settings window but no ruleset is selected. (BNNGF-21894)
The DCE/RPC firewall plug-in now correctly works with MSRPC on 64-bit machines. Furthermore, the plug-in now supports IPv6.
(BNNGF-21442)
OPSWAT version detection now works correctly even if the registry key VersionOpswat is not present. (BNNGF-21369)
The login screen now always displays a Barracuda specific message, also if Pre-Domain Login and Direct Access is disabled.
(BNNGF-21349)
OS detection now works correctly for MS Windows 8.1. (BNNGF-21248)
Authentication with user names less than 3 characters now works correctly. (BNNGF-21219)
The Personal Firewall's process monitor can now be terminated correctly. (BNNGF-20321)
The behavior for enabling/disabling the Personal Firewall was reworked. It is no longer possible to disable the Personal Firewall if a
ruleset is assigned. Furthermore, the master password is not required anymore to enable the personal firewall. (BNNGF-20044)
Added input validation for allowed IPv6 prefixes and MAC address in the Router Advertisement Guard configuration. (BNNGF-20210)
Updating MS login credentials via the rvpn command now works correctly. (BNNGF-19559)
Disabling Windows IP Auto Configuration now works as expected on Windows XP. (BNNGF-19248)
Added warning and information items to the log viewer and current status messages. (BNNGF-19184)
Reordering of lists now works as expected. (BNNGF-18821)
Enumerating certificates from the pre-defined (physical) certificate stores no longer raises an error message. (BNNGF-17305)
phionvpn.sys occasionally crashed. This issue has been fixed. (BNNGF-16260)
What's New with Barracuda VPN Client for Mac OS X Version 3.6 / 3.6.1
Barracuda VPN Client for Mac OS X version 3.6 is a maintenance release only. No new features have been added.
Improvements Included with Barracuda VPN Client for Mac OS X Version 3.6 / 3.6.1
Update to the latest tuntap for OS X with new and signed kexts. (BNNGF-26497)
The VPN authentication timeout is now configurable and no longer hardcoded to 10 seconds. (BNNGF-25007)
The VPN client no longer crashes when using certain password combinations together with Apple's iCloud Keychain.
Release Notes for Barracuda NAC 3.4 Hotfix 304
Before installing the new software version, back up your configuration and read all of the release notes that apply to the versions that
are more current than the version that is running on your system.
Do not manually reboot your system at any time while the update is in process, unless otherwise instructed by Barracuda Networks
Technical Support.
Download this Firmware Release
You can download the install files for the Barracuda Network Access Client from http://login.barracudanetworks.com/.
In these Release Notes:
General
Improvements Included with Barracuda Network Access Client Hotfix 304
General
Barracuda Network Access Client version 3.4 Hotfix 304 is the direct successor to version 3.4 Hotfix 207.
Improvements Included with Barracuda Network Access Client Hotfix 304
Importing multiple valid certificates now works as expected and does not lead to incorrect expired messages anymore. (BNNGF-22937)
Improved network address change notification on systems with disabled IPv6 protocol support. (BNNGF-22442)
Probing of MS Active Directory services now works as expected. (BNNGF-22392)
Direct Access now works as expected when NAC is installed in VPN only mode. (BNNGF-22392)
In very rare cases, firewall.exe was crashing at startup. (BNNGF-22441)
Release Notes for Barracuda NAC 3.4 Hotfix 207
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
General
Known Issues
System Requirements
Updates With Barracuda Network Access Client Version 3.4 Hotfix 207
OPSWAT Update
Improvements Included With Barracuda Network Access Client Version 3.4 Hotfix 207
General
Barracuda Network Access Client version 3.4 Hotfix 207 is the direct successor to version 3.4 Hotfix 101.
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Operating Systems: Windows XP, Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit), Windows 8 (32-bit, 64-bit)
Disk Space: Complete Installation: 250 MB; VPN Client only: 200 MB
RAM: Windows XP: 64 MB (recommended: 128 MB); Windows 7, Windows 8: 1 GB (32-bit) or 2 GB (64-bit); Windows Vista: 1 GB
CPU: Windows XP: Pentium 233 MHz (recommended: 300 MHz); Windows Vista, Windows 7: 1 GHz or faster with 32-bit (x86) or 64-bit (x64);
  Windows 8: 1 GHz or faster with PAE, NX and SSE2 support
Updates With Barracuda Network Access Client Version 3.4 Hotfix 207
OPSWAT Update
The OPSWAT Library was updated to version 3.6.8068.2.
Improvements Included With Barracuda Network Access Client Version 3.4 Hotfix 207
The following message is no longer generated in the gateway's VPN status: "Reverse Routing Check Failed".
The Active Directory check no longer erroneously terminates VPN sessions.
The E1000E network driver within VMware no longer causes high CPU usage.
On Microsoft Windows 8.1, firewall.exe in rare cases did not start. This has been fixed with hotfix 207.
Release Notes for Barracuda NAC 3.4 Hotfix 101
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
General
Known Issues
System Requirements
Update With Barracuda Network Access Client Version 3.4 Hotfix 101
New Firmware Feature
Pre-Domain Logon
General
Barracuda Network Access Client version 3.4 Hotfix 101 is the direct successor to version 3.4.
Prior to Barracuda NG Firewall firmware release version 5.2.3, it was (for compatibility reasons) possible to establish a client-to-site VPN
connection using any VPN client, even though Exclusive Network Access (ENA) was configured on the Barracuda NG Firewall. With version 5.2.3
and above, you must have the Barracuda Personal Firewall (including the packet filter SPAC) installed on Windows clients. Otherwise, a
connection to the VPN server is blocked.
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Operating Systems
Windows XP, Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit), Windows 8 (32-bit, 64-bit)
Disk Space
Complete Installation: 250 MB
VPN Client only: 200 MB
RAM
Windows XP: 64 MB (recommended: 128 MB)
Windows 7, Windows 8: 1 GB (32-bit) or 2 GB (64-bit)
Windows Vista: 1 GB
CPU
Windows XP: Pentium 233 MHz (recommended: 300 MHz)
Windows Vista, Windows 7: 1 GHz or faster with 32-bit (x86) or 64-bit (x64)
Windows 8: 1 GHz or faster with PAE, NX and SSE2 support
Update With Barracuda Network Access Client Version 3.4 Hotfix 101
New Firmware Feature
Pre-Domain Logon
Overview
The pre-domain logon feature delivered with this update provides the ability to create a client-to-site VPN connection using TINA on Windows
Vista, Windows 7, and Windows 8 PCs already before the user is logged on to the domain. This allows users to remotely log on to the domain for
the first time. It also provides the ability to connect to the VPN and Windows domain using a single sign-on. On the Windows login screen, the end
user is presented with the option to use the Barracuda Single Sign-On to establish a VPN connection for a selected VPN profile prior to logging
into Windows.
Intended Use Case
This feature is designed to be used if client-to-site VPN is integrated with Active Directory for authentication. This ensures that the Windows user
credentials match the client-to-site VPN user credentials. It provides the user with a quick and easy single sign-on user experience.
Setup
Pre-domain logon can be enabled by setting the Use Single Sign-On Credential Provider in VPN Control > Advanced to Yes. The credential
provider will then automatically be installed.
Pre-Requisites & Limitations
Works only with username / password VPN authentication (preferably MSAD – see intended use case above).
In order to establish a VPN connection, the Internet connection must be accessible before logging on to the PC. This means that if, for
example, the connection uses a guest Wi-Fi requiring a web form to be filled in to connect, this feature will not work.
A VPN profile using the required connection parameters must previously have been set up on the PC.
The certificate for the VPN must already be trusted, as the user cannot be prompted during the single sign-on to trust a certificate. See
the Temporary Root Certificate setting.
Release Notes for Barracuda NAC 3.4
Download this Firmware Release
You can download the install files from http://login.barracudanetworks.com/.
In these Release Notes:
General
Known Issues
System Requirements
Updates With Barracuda Network Access Client Version 3.4
What's New With Barracuda Network Access Client Version 3.4?
New Firmware Features
Improvements Included with Barracuda Network Access Client Version 3.4
General
Barracuda Network Access Client version 3.4 is the direct successor to version 3.2. Version 3.3 was only an internal release and was therefore
not made available to the public.
Prior to Barracuda NG Firewall firmware release version 5.2.3, it was (for compatibility reasons) possible to establish a client-to-site VPN
connection using any VPN client, even though Exclusive Network Access (ENA) was configured on the Barracuda NG Firewall.
With version 5.2.3 and above, you must have the Barracuda Personal Firewall (including the packet filter SPAC) installed on Windows clients.
Otherwise, a connection to the VPN server is blocked.
Known Issues
For information about known issues, see https://login.barracudanetworks.com/support/knownissue or contact Barracuda Networks Technical
Support.
System Requirements
Operating Systems
Windows XP, Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit), Windows 8 (32-bit, 64-bit)
Disk Space
Complete Installation: 250 MB
VPN Client only: 200 MB
RAM
Windows XP: 64 MB (recommended: 128 MB)
Windows 7, Windows 8: 1 GB (32-bit) or 2 GB (64-bit)
Windows Vista: 1 GB
CPU
Windows XP: Pentium 233 MHz (recommended: 300 MHz)
Windows Vista, Windows 7: 1 GHz or faster with 32-bit (x86) or 64-bit (x64)
Windows 8: 1 GHz or faster with PAE, NX and SSE2 support
Updates With Barracuda Network Access Client Version 3.4
What's New With Barracuda Network Access Client Version 3.4?
New Firmware Features
SPAC Driver Windows 8 Certified
Starting with Barracuda Network Access Client version 3.4, the Secure Personal Access Client (SPAC) driver within the Barracuda Network
Access Client has been certified for Windows 8 by Microsoft.
Windows 8 Virtual Smart Card Supported
Starting with Barracuda Network Access Client version 3.4, Windows 8 Virtual Smart Card authentication is supported. The Virtual Smart Card is
a new strong authentication technology that emulates hardware smart cards.
For more information on Windows 8 Virtual Smart Cards, see the Microsoft TechNet article Using Virtual Smart Cards with Windows 8.
mils Hardware Encryption Supported
Release version 3.4 of the Barracuda Network Access Client supports hardware authentication and encryption technology by mils electronic
GmbH & Co KG.
For more information on the strong authentication and encryption products of mils electronic, see http://www.mils.com/.
Improvements Included with Barracuda Network Access Client Version 3.4
Description
In Barracuda Personal Firewall and predecessor versions 3.0 to 3.2, an internal issue occasionally created erroneous TCP-RST packets when
resetting the traffic stream due to a rule set change. An appropriate enhancement was included. (BNNGF-18181)
In Barracuda Network Access Client version 3.2, the Remote Server field within the VPN profile configuration had a length limitation that
erroneously prevented certain URLs from being entered into the field. An appropriate enhancement was included. (BNNGF-18077)
In Barracuda Network Access Client version 3.2, the VPN Client's GUI occasionally froze after the Message of the Day pop-up window was
closed by the user. An appropriate enhancement was included. (BNNGF-17726)
In Barracuda Network Access Client version 3.2, if a new network adapter was added to the system after the client setup had been completed,
the Firewall property within the network adapter configuration was incorrectly reflecting the adapter state. An appropriate enhancement was
included. (BNNGF-17670)
With Windows User Account Control (UAC) enabled, it was erroneously not possible to launch the Barracuda VPN Control from within the
Windows Control Panel in Barracuda Network Access Client version 3.2. An appropriate enhancement was included. (BNNGF-17505)
In Barracuda Network Access Client 3.1 hotfix 4 and 3.2, logging in using the Enable MS Logon option did not work as intended if the
password contained whitespace characters. An appropriate enhancement was included. (BNNGF-17396)
In Barracuda Network Access Client versions prior to 3.4, certain functions of the integrated virtual keyboard did not work as intended.
Appropriate enhancements were included. (BNNGF-17240)
In Barracuda Network Access Client version 3.2, the Change Server Password function did not work as intended if a wrong 'old' password
was given. In such cases, the client confirmed a successful password change although the password was in fact not changed. An appropriate
enhancement was included. (BNNGF-18820)
Barracuda Network Access Client for Windows
The Barracuda Network Access Client consists of the Barracuda Personal Firewall, the Barracuda Access Monitor, and the Barracuda VPN
Client.
Installing, Configuring, and Operating the Client
For information on how to set up and use the Barracuda Network Access Client, see the articles in this section:
Introduction
Installing, Updating, or Uninstalling the Barracuda Network Access Client
Operating and Monitoring the Barracuda Network Access Client
How to Install and Configure the Barracuda NAC Light
How to Configure Multiple VPN Gateways
How to Configure Direct Access
Troubleshooting
NAC PowerShell
Installing, Configuring, and Operating the Server
For information on how to set up and use the Access Control Service on the enterprise-level Barracuda NG Firewall product line, see Access
Control Service in the Barracuda NG Firewall documentation.
For information on how to configure the consumer-level Barracuda Firewall product line for client-to-site VPN, see How to Configure IPsec VPN
with Certificate Authentication in the Barracuda Firewall documentation.
Introduction
In this Article:
Endpoint Security and Network Access Control
Introduction to the Barracuda Network Access Client
What Can Barracuda Network Access Client Be Used For?
Licensing Aspects
Policy Matching Procedure
What is a Policy Rule Set?
The Client-Server Interaction Process
Step 1: Applicable Rule Set is Determined
Step 2: Client Connects to Access Control Service
Step 3: Client Identity is Determined
Health Matching
Untrusted Health State
Probation Health State
Healthy Health State
Unhealthy Health State
Health State Requirements
Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor)
The Border Patrol
Endpoint Security and Network Access Control
With the advent of novel technologies, work habits have changed dramatically throughout the past decades. Notebooks and netbooks,
smartphones and vast amounts of data easily portable on USB sticks and miniature storage cards, ubiquitous wireless network access, personal
area networking: all of these have contributed to the fact that endpoints in corporate networks have become an increasingly hard to control hazard.
Effective endpoint security today extends far beyond historical personal firewall and antivirus concepts. It still means protection of an endpoint
against network threats using a host firewall and malware detection software, but extends the protection concept by a broader enforcement and
validation of security policies that are specific to the identity of the device, the user and its current state. Powerful endpoint security concepts also
necessitate full integration into an accompanying network access control framework.
Network Access Control (NAC) represents a technology aimed at guaranteeing that access to enterprise network resources is granted based
upon authentication of the user and device as well as verification of the device's compliance with current security policies.
A typical Network Access Control solution offers enhanced protection against malicious software and attackers, improved access control to the
network for employees and guests, superior resource usage tracking, and a powerful policy adherence mechanism. As a consequence, the
complexity of the network and the administration effort required are significantly reduced, a greater degree of integration among stand-alone
security solutions is achieved, existing and potential security gaps are closed, and greater visibility of end-to-end security is provided.
Introduction to the Barracuda Network Access Client
The Barracuda Network Access Client denotes Barracuda Networks' endpoint security and network access control (NAC) framework.
Administered endpoint integrity and endpoint access is what the Barracuda Network Access Client provides. To achieve this, it consists of client
software components and server-side components with which the client software periodically communicates to have the health state of its
underlying operating system verified and its network access rights assessed. Barracuda NG Firewalls can interpret that information and
subsequently allow or deny network access attempts by the respective client.
Before we have a closer look at the interplay of the various components and their roles let us briefly study what has inspired the design of the
Barracuda Network Access Client endpoint security framework. The originally very long list of requirements reads as follows in a slightly more
condensed fashion:
We want to create an endpoint security solution that is effective and yet still simple enough to be implemented and operated in a cost
efficient manner.
We do not wish to require customers to completely change their infrastructures.
We support guest networking. There must be a simple way to distinguish between visitors and own users. We use a combination of client
agent-based and DHCP-based address assignment. A combination of agent-based and DHCP enforcement will likely catch the most
prevalent threats to network security.
We assess the client's health prior to its initial connecting to the network. Client system health assessments should also be carried out
periodically afterwards to detect changes in the client health state.
Policies, such as applicable firewall rule set or access rights, must be selected according to both, identity and system health state.
ID-based exceptions must be possible to cater for real world scenarios. A forced client update of several megabytes across a 2400 baud
link is not meaningful when the link is required for important messaging.
Policies can be machine specific. A PC frequently going online with nobody actually being logged in may already have been
compromised. This routine situation must be easily accommodated within the policy framework. This also means we have to find a means
to identify a machine in a unique fashion.
Policies may differ in different access contexts; this is the archetypal roaming laptop problem. A certain policy will apply to its user when
connecting from within the corporate network. A different policy is required for accessing the nearest WLAN hotspot at the airport to build
a secure VPN connection. Again, a different policy is required when operating the same equipment inside the user's private home
network.
The client software consists of the following subsystems:
Barracuda Personal Firewall
Being a centrally managed host firewall, this advanced firewall engine can handle up to four different firewall rule sets at once. Which rule
sets are available to the firewall engine and which one of these is currently enforced depends on the policy applicable to user, machine,
date, and time.
Barracuda Access Monitor
This software is responsible for sending the endpoint health status to the Access Control Service for baselining. Barracuda Access
Monitors are dynamically downloaded and updated as required, supporting both full and delta updates. They are extremely light, as they
only occupy 340 KB in memory.
Barracuda VPN Client
Provides an integrated VPN client that secures mobile desktops connecting to the corporate LAN through the internet. The VPN client will
establish a secure connection to a VPN Service. The Barracuda Access Monitor will then communicate through the VPN tunnel with the
responsible so-called System Health Validator (SHV). It is worth noting that in this case the VPN server fully controls the virtual
connection.
What Can Barracuda Network Access Client Be Used For?
It can be used to implement an endpoint security policy on Windows-based endpoints within a corporate network. In this context, Barracuda
Network Access Client provides a managed personal firewall solution with periodic health assessments. Both the outcome of the assessment and
the identity of the machine and/or current user influence the policy applicable to the endpoint. Enforcement of the policy is provided by the
software installed on the endpoint itself and, with regard to enforcement outside the local collision domain, by Barracuda NG Firewalls. The
latter may interpret the access policy attribute assigned to the endpoint within their rule sets. This provides a way to enforce network access
control concepts based on date and time, identity, health state, and type of network access. The latter is required to enforce different policies
when access takes place through a VPN tunnel.
This setup requires the presence of at least one Access Control Service. This service consists of two component services. The SHV is the policy
matching engine that determines the applicable policy according to the connector's identity and current health state.
The SHV issues a digitally signed cookie to the connecting endpoint, which contains all the information pertinent to the identity and state of this
client. That cookie serves as a passport of limited temporal validity with which the endpoint may identify itself to the remediation server.
Since the NAC clients communicate with the Access Control Service in cyclic intervals, the Access Control Service should be placed as close
as possible to the NAC clients. This reduces network traffic and improves response times.
The remediation server is the component from which policy attributes, such as firewall rule sets, welcome messages, and bitmaps as well as
client software components required for updates can be obtained. It can be run on the same Barracuda NG Firewall system as the SHV or, for
load balancing reasons, it can be spread out over several Barracuda NG Firewall systems.
SHV and remediation server must always remain accessible to all endpoints regardless of the currently active firewall rule set.
How does the client know at which address the SHV service component may be reached? There are two options here. The first one is that the
respective addresses are configured statically within the client configuration on the endpoint. This approach is mandatory if DHCP based address
assignment is not used. In the case of DHCP based address assignment the respective address or addresses are assigned to the client by way of
the vendor ID DHCP option (43).
DHCP is also used to distinguish between the organization's own endpoint systems, which have the client installed, and so-called guest systems.
As guest systems are not able to communicate with the SHV, they are not assigned any SHV addresses. By way of the DHCP user ID option sent
by the client, a DHCP server may assign an address from a pool on a separate subnet.
Note that because this option is asserted by the client itself, a skilled human attacker can easily circumvent this approach to gain network
access; worms and other unsophisticated malware on visitors' notebooks, however, are typically prevented from quickly spreading into the
principal network.
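The DHCP-based SHV discovery and guest separation just described, as an added example that is not Barracuda's code and is not taken from this page: a small DHCP option parser and the server-side decision it feeds. DHCP option 43 is vendor-specific and this page does not document how the SHV addresses are laid out inside it, so the sub-option 1 list of IPv4 addresses, the use of option 77 (User Class) as the "user ID option", and the user class string "example-nac-client" are assumptions for illustration.

```python
"""Added example (not Barracuda code): DHCP option handling for SHV discovery
and guest separation. Option 43 sub-option layout and the option 77 user class
value are assumptions; this page does not document the real encoding."""
import ipaddress

OPT_PAD = 0
OPT_VENDOR_SPECIFIC = 43     # vendor ID option carrying the SHV addresses
OPT_USER_CLASS = 77          # assumed to be the "user ID option" the client sends
OPT_END = 255
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie preceding the option area
NAC_USER_CLASS = b"example-nac-client"   # assumed client identifier


def build_options(items) -> bytes:
    """Encode (code, payload) pairs into a DHCP option area (RFC 2132 TLVs)."""
    out = bytearray(MAGIC)
    for code, payload in items:
        out += bytes([code, len(payload)]) + payload
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob: bytes) -> dict:
    """Decode the option area into {code: payload}; repeated codes are
    concatenated as RFC 3396 requires, PAD is skipped, END stops parsing."""
    if blob[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts[code] = opts.get(code, b"") + blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def vendor_option_for_shv(ips) -> bytes:
    """Assumed encoding: sub-option 1 = concatenated packed IPv4 addresses."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in ips)
    return bytes([1, len(payload)]) + payload


def shv_addresses(opts: dict) -> list:
    """Client side: pull the SHV addresses out of option 43 (assumed layout)."""
    data = opts.get(OPT_VENDOR_SPECIFIC, b"")
    addrs, i = [], 0
    while i + 2 <= len(data):
        sub, length = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if sub == 1:
            usable = len(payload) - len(payload) % 4    # ignore a trailing partial address
            addrs += [str(ipaddress.IPv4Address(payload[j:j + 4])) for j in range(0, usable, 4)]
        i += 2 + length
    return addrs


def server_response(request_opts: dict, shv_ips):
    """Server side: managed clients get the SHV addresses and the normal pool;
    anything else is a guest on the separate subnet with no SHV addresses.
    The user class is client-asserted, so this is a convenience, not auth."""
    if request_opts.get(OPT_USER_CLASS) == NAC_USER_CLASS:
        return "managed", [(OPT_VENDOR_SPECIFIC, vendor_option_for_shv(shv_ips))]
    return "guest", []
```

The point to keep in mind from the paragraph above: the user class is whatever the client chooses to send, so this split only separates well-behaved guests and unsophisticated malware from managed endpoints; the SHV identity and health matching that follows is what actually gates access.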
In this LAN scenario, up to three firewall rule sets can be assigned to a secured and monitored endpoint. When the endpoint system goes online
and connects to the SHV it will be assigned a Local Machine rule set and a Limited Access rule set. The limited access rule set is the one rule
set that comes into effect when the endpoint is diagnosed as unhealthy by the SHV. Note that the quarantine state is not entered immediately as
there is a configurable period of time during which the client is given a chance to recover from the current condition, for example by successfully
starting a disabled anti-virus (AV) scanner service or updating an obsolete AV pattern file.
As soon as a user logs into the system, a different policy may apply to the endpoint, depending on the identity of the user and various other
conditions. The assigned policy attributes may in due course cause a different so-called "Current User" rule set to be assigned. In contrast to the
previous two, this rule set is volatile. That means it is cleared when the user logs off or the system is rebooted.
Consequently a notebook that has been used in the office environment and is taken home in the evening will operate there with the most recently
installed "local machine" firewall rule set.
Any endpoint whose system state is assessed as unhealthy will have the most recently installed Limited Access rule set activated by the client
after a configurable grace period.
Barracuda Network Access Client can also be used to secure mobile desktops connecting to the corporate LAN through the internet. To this end,
NAC provides an integrated VPN client. The VPN client will establish a secure connection to a Barracuda NG VPN Service. The Barracuda Access
Monitor will then communicate through the VPN tunnel with the responsible SHV. From this point on, the overall procedure is quite analogous to
the LAN scenario. The most notable difference is that the VPN server fully controls the virtual connection. This means that even traffic within the
VPN network's collision domain is fully subject to the Network Access Control framework. This tighter control also requires that the
remediation service component is active on the very same Barracuda NG Firewall system that is hosting the VPN Service.
As in the LAN context, certain policy attributes are assigned together with a "current user" rule set. This setup supports a maximum of three
different firewall rule sets. The rationale behind this seemingly complex procedure is straightforward. As autonomous machine authentication is
rather uncommon in the VPN context, the Limited Access and the Local Machine firewall rule sets and policies need to be provided together with
the actual VPN rule set.
The Local Machine rule set acts as a VPN offline rule set that can be used to centrally control the network access rights of the mobile
user even when they are not connected to the corporate LAN.
Policy              VPN (Healthy)          Limited Access       VPN Offline
Firewall Rule Set   Firewall Rule Set      Firewall Rule Set    Firewall Rule Set (= Local Machine Rule Set)
Message             Message of the Day     Message
Assignment          Welcome Picture, Network Access Policies
Licensing Aspects
In order to operate an Access Control Service either as a SHV or a remediation server or both, a valid license needs to be present. On Barracuda
NG Firewall systems, the Access Control Service is automatically licensed. It is possible to equip all Barracuda NG Firewall branch office devices
with a remediation server in order to reduce WAN traffic and optimize response times.
Policy Matching Procedure
Each Access Control Service belongs to a so-called trustzone. All Access Control Services within the same trustzone share the same set of
security policies. In addition, they share a signing key, so that a mutual trust relationship can be established. Within each trustzone, there are
three policy rule sets. There is a Local Machine policy rule set that is used to determine a policy for a connecting machine. A connecting machine
is an endpoint system that does not request user authentication. As soon as user authentication is requested by the connecting client, the Current
User policy rule set is used for policy matching. If the connection attempt is mediated by an intervening VPN service, the VPN policy rule set is
adopted.
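The signed cookie described earlier and the shared trustzone signing key just mentioned, as an added example that is not Barracuda's code: an SHV-side issue function and a remediation-server-side verify function. The wire format (a JSON payload plus an HMAC-SHA256 tag, both base64url-encoded), the 600-second validity window and the key value are assumptions; the page does not document the real encoding.

```python
"""Added example (not Barracuda code): an SHV-style signed cookie of limited
temporal validity, verifiable by any server holding the trustzone key.
Encoding, lifetime and key value are assumptions for illustration."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key; every SHV and remediation server in a trustzone would hold
# the real shared key.
TRUSTZONE_KEY = b"example-trustzone-signing-key"
COOKIE_LIFETIME = 600   # seconds of validity (assumed value)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_cookie(identity: dict, health_state: str, attributes: dict,
                 key: bytes = TRUSTZONE_KEY, now: Optional[float] = None) -> str:
    """SHV side: sign identity, health assessment and policy attributes."""
    now = time.time() if now is None else now
    payload = {"identity": identity, "health": health_state, "attributes": attributes,
               "issued": int(now), "expires": int(now) + COOKIE_LIFETIME}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_cookie(cookie: str, key: bytes = TRUSTZONE_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Remediation server side: accept only a cookie signed with the trustzone
    key and presented inside its validity window; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None                               # malformed cookie
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # tampered or foreign trustzone
        return None
    payload = json.loads(body)                    # only parsed after the tag checks out
    if not payload["issued"] <= now < payload["expires"]:
        return None                               # expired (or not yet valid)
    return payload
```

The signature is checked before the payload is parsed, so a remediation server never acts on attributes it has not authenticated, and a cookie from another trustzone (different key) fails in exactly the same way as a tampered one.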
What is a Policy Rule Set?
A policy rule set is an ordered list of policy rules that is processed from top to bottom in sequential order. If no identity match can be found,
a No Rule Exception policy is assigned. From then on, the client system is assumed untrusted, and the configured Untrusted Access firewall rule
set and client message apply.
Nevertheless, Barracuda Networks recommends configuring a Catch-all rule at the end of the policy rule set. An explicit Catch-all rule allows
better control of the required client health state and gives more details to the end user. In addition, more details will be available in the
server-side visualisation.
Each policy rule consists of three parts:
1. An identity related part that defines the applicable matching policy and criteria.
2. A health policy part is used to determine the health state by comparing the status information sent by the client with the specified required
status. There are only three health states: Healthy, Probation, and Unhealthy.
3. A policy attribute part that contains firewall rule sets, messages, pictures, and network access policies that are assigned to a healthy
client.
The Client-Server Interaction Process
Below is a graphical representation of the client-server interactions during connecting, health validation and network access assigning.
The following steps are processed by the various components of Barracuda Network Access Client:
Step 1: Applicable Rule Set is Determined
First of all, the NAC determines in which context it is started and via which method it connects to the Access Control Service. The following three
contexts are available:
Local Machine context
The local machine context is available in case no user has logged in. This applies during the startup of a Windows computer as well as
after user logout. Since the Windows system distinguishes between Current User and Local Machine context, it is necessary to handle
the local machine context separately. For example, no popups are allowed if no user is logged in. Certificate-based authentication (see
below) is available for both Local Machine and Current User authentication; however, different Microsoft certificate stores are
available to get the certificates from. Of course, a Local Machine certificate must not be password protected since dialog boxes to
request the password will not be available.
Current User Context
As soon as a user has logged in successfully, the client switches to the current user context. Now, additional information like the user
name and the password (or Kerberos ticket in case of NTLM authentication) can be used to perform identity matching. Since the user
context allows opening client windows and popups, the client can notify the user about the current health state or request additional
information (for example, Basic Authentication: a popup requests username and password).
VPN Context
The VPN context is an extension of the current user context mentioned above. The client is able to determine if a Barracuda VPN
connection was initiated as well as if the VPN server has Access Control Service capabilities. If the client mode is VPN all possibilities
available in User mode are available as well. Additionally, an online and offline rule set can be assigned to the client.
Step 2: Client Connects to Access Control Service
The next step for the client is to connect to the configured Access Control Service. The IP address of the Access Control Service is either
configured manually (during installation) or is assigned by the DHCP server. The connection is based on TCP and uses port 44000 to
communicate between client and server.
The connection is always initiated by the client and never the other way round.
During the handshake, the Access Control Service notifies the client of its capabilities (e.g. "NTLM authentication is available"). As a response,
the client collects all available system information and sends this information back to the Access Control Service together with authentication
credentials. This response contains details about the computer's network (for example IP address, MAC address), the computer's operating
system (for example OS version, hostname, domain name, user and certificates) as well as details about installed health suite, anti-virus, or
anti-spyware products.
Further policy matching on the Access Control Service depends on the data collected and sent from the client.
Step 3: Client Identity is Determined
The Access Control Service now has all the information needed to determine the client's identity. Depending on the client mode (Local Machine,
Current User, VPN), the Access Control Service determines the applicable policy rule set, which is then used to perform identity matching.
The available identity information is sequentially matched from top to bottom with the identity conditions of the individual policies. Each policy can
be configured to match if all configured identity criteria apply or if only one of the configured criteria applies.
Matching Criteria               Local Machine   Current User   VPN
Client Connection Type          Yes             Yes            Yes
Current Date and Time           Yes             Yes            Yes
NetBIOS Domain                  No              Yes            Yes
Group Patterns                  No              Yes            Yes
User (Log-in Name)              No              Yes            Yes
Network                         Yes             Yes            Yes
OS Version                      Yes             Yes            Yes
Hostname                        Yes             Yes            Yes
MAC Address                     Yes             Yes            Yes
X.509 Certificate Conditions    Yes             Yes            Yes
If a match is found, the comparison of the health information sent by the client with the stated health requirements of the policy rule continues.
Although the Access Control Service rule set is analogous to a firewall rule set, one significant difference is that the handling of the case in
which no rule matches can be configured. To do so, configure a No Rule Exception that notifies clients even if they cannot be identified.
As this should really be treated as an exception, a better way to control clients is to explicitly add a Catch-All rule at the end of the policy rule
set.
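The ordered policy rule set described above (top-to-bottom matching, match-all versus match-any identity criteria, the No Rule Exception when nothing matches, and an explicit Catch-all rule), as an added example in Python that is not Barracuda's code. It also applies the matching-criteria table by ignoring the user-related criteria in the Local Machine context. Rule names, client report fields, the glob-style patterns and the attribute names are assumptions for illustration.

```python
"""Added example (not Barracuda code): an ordered policy rule set matcher with
one rule set per context (Local Machine, Current User, VPN). Field names,
patterns and attributes are assumptions for the example."""
from dataclasses import dataclass, field
import fnmatch
import ipaddress

# Criteria the table marks "No" for the Local Machine context: before a user
# logs on there is no user identity to match against.
USER_ONLY_CRITERIA = {"netbios_domain", "group", "user"}


@dataclass
class PolicyRule:
    name: str
    criteria: dict                  # criterion name -> pattern (empty = catch-all)
    match_all: bool = True          # True: all criteria must match; False: any one
    health_requirements: dict = field(default_factory=dict)
    attributes: dict = field(default_factory=dict)   # rule sets, messages, pictures


# Assigned when no rule matches: the endpoint is treated as untrusted.
NO_RULE_EXCEPTION = PolicyRule(
    "No Rule Exception", {},
    attributes={"firewall_ruleset": "Untrusted Access",
                "message": "Your identity could not be determined."})


def criterion_matches(criterion: str, pattern: str, client: dict) -> bool:
    value = client.get(criterion)
    if value is None:
        return False
    if criterion == "network":                       # CIDR membership
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    if criterion == "mac_address":
        return value.lower() == pattern.lower()
    if criterion == "group":                         # any group may match the pattern
        return any(fnmatch.fnmatchcase(g, pattern) for g in value)
    return fnmatch.fnmatchcase(str(value), pattern)  # glob-style patterns elsewhere


def rule_matches(rule: PolicyRule, client: dict, context: str) -> bool:
    if not rule.criteria:
        return True                                  # explicit catch-all rule
    checks = [criterion_matches(c, p, client) for c, p in rule.criteria.items()
              if not (context == "local_machine" and c in USER_ONLY_CRITERIA)]
    if not checks:
        return False     # rule relies only on user identity, none available yet
    return all(checks) if rule.match_all else any(checks)


def select_policy(rule_sets: dict, context: str, client: dict) -> PolicyRule:
    """Top to bottom, first match wins; otherwise the No Rule Exception."""
    for rule in rule_sets[context]:
        if rule_matches(rule, client, context):
            return rule
    return NO_RULE_EXCEPTION


# Constructed sample rule sets, one per context.
RULE_SETS = {
    "local_machine": [
        PolicyRule("corporate-lan-machines",
                   {"network": "10.0.0.0/8", "hostname": "CORP-*"},
                   health_requirements={"av_active": True},
                   attributes={"firewall_ruleset": "Local Machine",
                               "limited_access_ruleset": "Limited Access"}),
        PolicyRule("catch-all", {},
                   attributes={"firewall_ruleset": "Untrusted Access",
                               "message": "Unknown machine, limited access only."}),
    ],
    "current_user": [
        PolicyRule("domain-admins",
                   {"netbios_domain": "CORP", "group": "*Domain Admins*"},
                   attributes={"firewall_ruleset": "Admin Access"}),
        PolicyRule("domain-users", {"netbios_domain": "CORP"},
                   attributes={"firewall_ruleset": "Current User"}),
        PolicyRule("catch-all", {},
                   attributes={"firewall_ruleset": "Untrusted Access"}),
    ],
    "vpn": [
        PolicyRule("vpn-domain-users",
                   {"netbios_domain": "CORP", "connection_type": "vpn"},
                   attributes={"firewall_ruleset": "VPN",
                               "offline_ruleset": "Local Machine"}),
        # Deliberately no catch-all: an unknown VPN user hits the No Rule Exception.
    ],
}
```

The VPN rule set above shows the difference the text draws: without a Catch-all the unknown user lands on the No Rule Exception and gets only the generic untrusted message, whereas the two other rule sets end in an explicit Catch-all that can carry its own health requirements and a more specific message.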
Health Matching
The most complex part of the policy rule matching is the matching of health conditions. This is due to the fact that not only matching of health
requirements is done but actions on the client can be performed as well. An overview of the health matching procedure is available in the
flowchart above.
At the beginning of the communication between client and server the health state of the client is Uninitialized. If the quarantine rule set is already
available on the client, then the client activates the available quarantine rule set but remains in the Uninitialized state. This state triggers an
immediate connection to the configured Access Control Service as described above.
As soon as the communication between the client and the Access Control Service is established and policy matching is performed, one of four
different health states is assigned.
Usually both the Access Control Service and the client have the same view of the health state. The only exception is the Uninitialized state mentioned
above; in this case, the Access Control Service is not yet aware of the existence of the client.
Untrusted Health State
As soon as the identity match is finished and the client's identity cannot be validated, the health state changes to Untrusted. Untrusted does not
necessarily mean that the client is a guest client, only that the Access Control Service cannot determine the client's identity.
Nevertheless, the Access Control Service Trustzone > Settings > No Rule Exception configuration parameter allows assigning a set of client
attributes.
Probation Health State
If the health match fails, the client is said to be in probation. It still receives a cookie containing the unhealthy assessment as well as the detailed
outcome of the health matching procedure. From here, the client software may take appropriate action and try to self-remedy the situation, for
example by starting the AV scanner. In any case, the user will be informed of the current state of his or her system by an appropriate message.
As soon as the client has performed the requested actions, it will reconnect to the Access Control Service.
Should the client successfully self-remedy the situation, the Access Control Service verifies the health conditions again and changes the client
health state to Healthy if the client complies with the assigned health policy from now on.
Should the client fail to self-remedy the situation or not reconnect in a reasonable amount of time, its status changes to Unhealthy and the
quarantine rules are enabled.
A client will never stay in the Probation state for more than one connect cycle. If the client does not respond within the configurable Health State
Probation Time, configurable in Access Control Service Settings > System Health-Validator > General, the Access Control Service
automatically changes the client's health state to Unhealthy.
Healthy Health State
Depending on the configuration, the health policy may require an up-to-date Barracuda Personal Firewall installed and enabled, or running
antivirus software with up-to-date virus scanner patterns. A list of available health state requirements is given below. Should all required
criteria match, the client is deemed healthy and receives a signed cookie listing the applicable policy attributes. This signed cookie may be further
used to authenticate against external trust zones.
Unhealthy Health State
Last but not least, a client may not comply with the company's health policy. As described under Probation Health State, the client will get the
possibility to perform either manual or automated actions in order to fulfil all health requirements before being put into quarantine.
If the client still fails after the probation interval, its state is changed to Unhealthy, which means that the client is put into quarantine. The latest
quarantine rule set will be activated.
On the Barracuda NG Firewall, the state is propagated to the firewall engine, where limited access can therefore be enforced.
Health State Requirements
The following list provides an overview of the available Health State requirements. Failing a health state requirement might either trigger
automatic self-remediation or require a manual action by the user. The desired behavior is configurable since certain anti-virus or anti-spyware
tools do not fully support auto-remediation. In case of manual action, the user is informed about the required actions via the Barracuda Access
Monitor.
A list of all supported anti-virus and anti-spyware engines can be read by navigating to Access Control Service Trustzone > Support
Chart.
Apart from Barracuda Networks specific settings, health state requirements primarily depend on anti-virus and anti-spyware settings. The
following requirements can be verified:
Service Settings
Is the installed Barracuda Personal Firewall active?
Is the installed Virus Scanner active?
Is the installed Spyware Scanner active?
Antivirus Settings
Which Virus Scanner vendors are allowed?
Enabled AV Real Time Protection?
When was the last AV Scan performed?
When was the AV Engine updated?
When were the AV Pattern Definitions updated?
Antispyware Settings
Which Spyware Scanner vendors are allowed?
Enabled AS Real Time Protection?
When was the last AS Scan performed?
When was the AS Engine updated?
When were the AS Pattern Definitions updated?
Advanced Health State
Which versions of the health suite are allowed?
Miscellaneous
Are specific Registry keys set?
Which Microsoft hotfixes or service packs are present?
To verify these requirements, each Access Control Service depends on up-to-date information about anti-virus and anti-spyware products.
Barracuda Networks provides an online update service that helps clients recognize and activate anti-virus and anti-spyware products.
Furthermore, the update service provides the information necessary to diagnose whether the client's signature databases and engine versions
are up to date.
As a prerequisite, either the Access Control Service (standalone Barracuda NG Firewall) or the CC (for managed Barracuda NG
Firewalls) must have access to the internet.
Note that even the quarantine rule set must at least enable the client to connect to the Access Control Service, to the Microsoft Active Directory,
and to the remediation servers. Depending on the company's infrastructure, further connections may be required to restore the client's health
state to Healthy.
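The Probation, Healthy and Unhealthy cycle and the requirement list above, worked through in code. This is an added example, not Barracuda code: the policy field names, the vendor name ExampleAV, the durations, the layout of the client's report and the minimal quarantine rule set are assumptions chosen to mirror the description (in the product these live under System Health-Validator and the trustzone settings). The two demo functions run constructed scenarios: remediation succeeds and later the probation timer expires, and a client that reconnects without having fixed anything.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

HEALTHY, PROBATION, UNHEALTHY = "Healthy", "Probation", "Unhealthy"


@dataclass(frozen=True)
class HealthPolicy:
    """Thresholds for the Service, Antivirus and Miscellaneous requirements listed above.
    Field names, the vendor name and the durations are assumptions made for this example."""
    require_personal_firewall: bool = True
    allowed_av_vendors: frozenset = frozenset({"ExampleAV"})   # constructed vendor name
    require_av_realtime: bool = True
    max_av_pattern_age: timedelta = timedelta(days=3)
    max_av_engine_age: timedelta = timedelta(days=30)
    required_hotfixes: frozenset = frozenset()                 # hotfix IDs the policy insists on
    probation_time: timedelta = timedelta(minutes=15)          # "Health State Probation Time"


def check_requirements(report: dict, policy: HealthPolicy, now: datetime) -> list[str]:
    """Match one client report against the policy; returns the failed requirements."""
    failed = []
    if policy.require_personal_firewall and not report["personal_firewall_active"]:
        failed.append("Barracuda Personal Firewall not active")
    if report["av_vendor"] not in policy.allowed_av_vendors:
        failed.append("virus scanner vendor not allowed")
    if policy.require_av_realtime and not report["av_realtime"]:
        failed.append("AV real-time protection disabled")
    if now - report["av_pattern_updated"] > policy.max_av_pattern_age:
        failed.append("AV pattern definitions outdated")
    if now - report["av_engine_updated"] > policy.max_av_engine_age:
        failed.append("AV engine outdated")
    missing = policy.required_hotfixes - set(report["hotfixes"])
    if missing:
        failed.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return failed


@dataclass
class ClientHealth:
    """Per-client state kept by the Access Control Service."""
    state: str = UNHEALTHY            # assumption: never-assessed clients start out quarantined
    probation_since: datetime | None = None

    def on_connect(self, report: dict, policy: HealthPolicy, now: datetime) -> dict:
        failed = check_requirements(report, policy, now)
        if not failed:
            self.state, self.probation_since = HEALTHY, None
        elif self.state == PROBATION:
            # Still failing on the reconnect: probation lasts at most one connect cycle.
            self.state, self.probation_since = UNHEALTHY, None
        else:
            self.state, self.probation_since = PROBATION, now
        # The cookie handed back: assessment plus the detailed outcome the client needs to self-remedy.
        return {"state": self.state, "failed": failed, "issued": now.isoformat()}

    def on_timer(self, policy: HealthPolicy, now: datetime) -> str:
        """Probation expiry: no reconnect within the Probation Time means Unhealthy."""
        if self.state == PROBATION and now - self.probation_since > policy.probation_time:
            self.state, self.probation_since = UNHEALTHY, None
        return self.state


def quarantine_rules(acs: str, ad_servers: list[str], remediation: list[str]) -> list[tuple[str, str]]:
    """Smallest useful quarantine rule set: only what is needed to get Healthy again, then block."""
    return [("allow", dst) for dst in [acs, *ad_servers, *remediation]] + [("block", "any")]


def demo() -> list[str]:
    """Constructed scenario; returns the sequence of health states."""
    t0 = datetime(2014, 1, 6, 9, 0)
    policy, client = HealthPolicy(), ClientHealth()
    report = {"personal_firewall_active": True, "av_vendor": "ExampleAV", "av_realtime": True,
              "av_pattern_updated": t0 - timedelta(days=7), "av_engine_updated": t0 - timedelta(days=2),
              "hotfixes": []}
    states = [client.on_connect(report, policy, t0)["state"]]                           # patterns stale
    report["av_pattern_updated"] = t0 + timedelta(minutes=2)                            # AV update ran
    states.append(client.on_connect(report, policy, t0 + timedelta(minutes=3))["state"])
    report["av_realtime"] = False                                                       # user disabled it
    states.append(client.on_connect(report, policy, t0 + timedelta(hours=2))["state"])
    states.append(client.on_timer(policy, t0 + timedelta(hours=2, minutes=20)))        # never reconnected
    return states


def failing_reconnect_demo() -> list[str]:
    """Constructed: the client reconnects but has not remedied anything."""
    t = datetime(2014, 1, 6, 9, 0)
    client, policy = ClientHealth(), HealthPolicy()
    bad = {"personal_firewall_active": False, "av_vendor": "ExampleAV", "av_realtime": True,
           "av_pattern_updated": t, "av_engine_updated": t, "hotfixes": []}
    return [client.on_connect(bad, policy, t)["state"],
            client.on_connect(bad, policy, t + timedelta(minutes=1))["state"]]


if __name__ == "__main__":
    print(demo())
    print(failing_reconnect_demo())
    print(quarantine_rules("10.0.0.1", ["10.0.0.10"], ["10.0.0.20"]))
```

The quarantine rule set is deliberately the allow-list the text asks for plus a final block: anything a remediation step needs beyond the Access Control Service, Active Directory and the remediation servers has to be added explicitly rather than by widening the block rule.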
Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor)
When introducing firewalls at formerly unrestricted network transitions, such as between LAN segments, or endpoint firewalls on LAN endpoints, a
gradual implementation tactic is common. A widely used but not recommended way is to start with a Pass-All policy, analyzing traffic instead of
controlling it, then introducing rules step by step that take traffic away from the Pass-All rule, and finally replacing Pass-All by Block-All.
This might be called the AEM model:
1. Analyse
2. Enforce
3. Monitor
When implementing a firewall at a clear network perimeter, e.g. an internal-Internet transition, it is not advisable to use this model. The rule
set should be built according to SAEM:
1. Strictly Enforce
2. Analyse
3. Enforce
4. Monitor
While from a strict security point of view this is also recommended for formerly unrestricted network transitions, many administrators nevertheless
use AEM for practical reasons. If, however, you have the chance to already know what should happen at the network point of concern, use as
much of this knowledge as possible and do not start with Pass-All only. And if you use AEM, do not finish with a Pass-All rule.
Keep in mind that your rule sets should always mirror your overall abstract security policy for the network point of concern. Using AEM or SAEM is
not a matter of technical possibilities but of weighing risk and effort.
The Border Patrol
Clients often need to access remote trust zones for which restricted access rights and stronger security measures apply. Consequently, the
means to assess the suitability of crossing clients to access target trust zones needs to be available. The building block responsible for evaluating
trust zone transitions is called border patrol. In short, the border patrol validates the credentials of crossing clients, including authentication and
health status data, so that the applicable security measures are correctly met.
An important aspect related to trust zone crossing is the synchronization of authentication data. Basically, trust zones need to have a consistent
and up-to-date view of the client's authentication information that is shared across the whole network. In this line the CC ensures that changes are
replicated and synchronized across the various available servers and databases, so that identity federation is achieved.
It is also relevant to note that the authentication process is based on ICMP packets.
Succinctly, the client submits an access request to the border patrol. The border patrol responds by sending an authentication request in an
ICMP packet. Upon reception of the ICMP packet, the client replies with a ticket containing the cookie issued by the remediation service in
the trust zone of origin and its corresponding access rights. If health status and permissions match the minimum requirements of the target trust
zone, the client is granted access. Otherwise, the border patrol denies the request.
If the border patrol denies the request, no remediation is available. Access is either granted or fully denied.
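The border patrol decision described above, as an added example that is not part of the original documentation or the product. The page does not specify the ticket or cookie format, so the layout used here (a JSON assessment signed with HMAC-SHA256 under a key shared by the Access Control Service and the border patrol), the zone names finance and printing and their minimum requirements are assumptions. What the example shows is the order of checks a border patrol has to apply to a crossing client's ticket: authenticity first, then validity period, then health rank and rights against the target zone's minimum, and that every failure is a plain denial with no remediation path.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed shared secret between the Access Control Service and the border patrol.
KEY = b"constructed-example-key-do-not-use"

HEALTH_RANK = {"Unhealthy": 0, "Probation": 1, "Healthy": 2}

# Constructed target trust zones and their minimum requirements.
ZONE_REQUIREMENTS = {
    "finance": {"min_health": "Healthy", "rights": {"vpn", "finance"}},
    "printing": {"min_health": "Probation", "rights": {"vpn"}},
}


def issue_cookie(client_id: str, health: str, rights: set, issued: datetime,
                 ttl: timedelta = timedelta(hours=1)) -> tuple:
    """Access Control Service side: serialise the assessment and sign it."""
    body = {"client": client_id, "health": health, "rights": sorted(rights),
            "issued": issued.isoformat(), "expires": (issued + ttl).isoformat()}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return raw, hmac.new(KEY, raw, hashlib.sha256).hexdigest()


def border_patrol(raw: bytes, tag: str, zone: str, now: datetime) -> tuple:
    """Border patrol side: authenticate the ticket, then compare it with the zone's minimum.
    Every failure is a denial; no remediation is offered at the border."""
    expected = hmac.new(KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return False, "denied: bad signature"
    body = json.loads(raw)                              # only parsed after the signature checks out
    if now >= datetime.fromisoformat(body["expires"]):
        return False, "denied: cookie expired"
    req = ZONE_REQUIREMENTS[zone]
    if HEALTH_RANK[body["health"]] < HEALTH_RANK[req["min_health"]]:
        return False, f"denied: health {body['health']} below {req['min_health']}"
    missing = req["rights"] - set(body["rights"])
    if missing:
        return False, "denied: missing rights " + ", ".join(sorted(missing))
    return True, "granted"


def demo() -> list:
    """Constructed exchange: a healthy client, a client in probation, a tampered ticket, a stale one."""
    t = datetime(2014, 1, 6, 9, 0)
    raw_ok, tag_ok = issue_cookie("pc-17", "Healthy", {"vpn", "finance"}, t)
    raw_pr, tag_pr = issue_cookie("pc-23", "Probation", {"vpn"}, t)
    # The client edits its own health field; the tag no longer matches the body.
    tampered = raw_pr.replace(b'"Probation"', b'"Healthy"')
    later = t + timedelta(minutes=5)
    return [border_patrol(raw_ok, tag_ok, "finance", later)[1],
            border_patrol(raw_pr, tag_pr, "finance", later)[1],
            border_patrol(raw_pr, tag_pr, "printing", later)[1],
            border_patrol(tampered, tag_pr, "finance", later)[1],
            border_patrol(raw_ok, tag_ok, "finance", t + timedelta(hours=2))[1]]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The signature is verified before the body is parsed or trusted for anything, and the comparison is constant-time; a border component that first reads the health field and only then checks the tag has already made a decision on attacker-controlled data.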
Installing, Updating, or Uninstalling the Barracuda Network Access Client
In this article:
Installing the Barracuda Network Access Client
Updating or Migrating the Barracuda Network Access Client
Uninstalling the Barracuda Network Access Client
Restoring the System after a Failed Installation
Installing the Barracuda Network Access Client
To install the Barracuda Network Access Client, select an installation mode from the following table. You can use simple installation methods
using the Windows GUI or advanced installation methods using custom scripting. The table provides a link to detailed instructions on how to
install the Barracuda Network Access Client with the selected mode.
The full set of Barracuda Network Access Client components is only supported by the enterprise-level Barracuda NextGen Firewall F.
If you instead operate a Barracuda NextGen Firewall X, choose the Barracuda VPN setup type, as this product supports only the
Barracuda VPN Client.
The Barracuda Network Access Client is not intended to work as a complement to VPN clients and/or personal firewalls provided by other
vendors. Barracuda Networks therefore recommends uninstalling any other VPN client and/or personal firewall prior to installation of the
Barracuda Network Access Client. The only notable exception is the Microsoft Firewall, which can be operated in conjunction with the
Barracuda Personal Firewall.
Take into consideration that the Personal Firewall is turned off by default, therefore it requires manual activation during the setup
routine, or, alternatively, after the successful installation.
For Microsoft Windows XP users, it is highly recommended to have the official Service Pack 2 and recent hotfixes installed.
Installation with the Windows GUI
Complete Installation (Default)
Description: You want to install the full Barracuda Network Access Client on-site on a workstation. Additionally, you probably want to control and
update the Client's components and certain security aspects on the workstation using a Barracuda NG Firewall or a Barracuda Firewall.
Components installed: Barracuda VPN Client, Barracuda Personal Firewall, Barracuda Health Agent, all tools, all Help items.
Installation method: On site.
Configuration method: During and after installation.
Necessary skills and user rights: None, normal user.
For step-by-step instructions, see Performing a Complete Installation.
VPN Client Only
Description: You want to install only the Barracuda VPN Client on-site on a workstation as well as the components needed to control it via a
Barracuda NG Firewall.
Components installed: Barracuda VPN Client.
Installation method: On site.
Configuration method: During and after installation.
Necessary skills and user rights: None, normal user.
For step-by-step instructions, see Performing a VPN-Only Installation.
Custom Installation
Description: You are an experienced user and you want to perform either a full installation of the Barracuda Network Access Client or only the
Barracuda VPN Client, but omit some components of your choice.
Components installed: Selectable during installation.
Installation method: On site.
Configuration method: During and after installation.
Necessary skills and user rights: Understanding of the components' interplay, normal user.
Installation with Custom Scripting
Partially Preconfigured Unattended Remote Custom Installation (Remote Installation using a parametrized .cmd File)
Description: You are an experienced system administrator and you want to remotely install instances of the Barracuda Network Access Client on
several workstations that are preconfigured for a VPN server and an Access Control Service.
Components installed: Selectable during preparation.
Installation method: On site or remotely.
Configuration method: Partially prior to installation.
Necessary skills and user rights: Customizing a *.cmd configuration file and remotely triggering its execution, system administrator.
For step-by-step instructions, see Partially Preconfigured Unattended Remote Custom Installation.
Fully Preconfigured Custom Installation (Remote Installation using parametrized customer.inf and silent.cmd Files)
Description: You are an experienced system administrator and you want to remotely install fully customized instances of the Barracuda Network
Access Client on several workstations that include configuration parameters for an Access Control Service as well as one or more VPN profiles,
one or more certificates, and a Barracuda Personal Firewall ruleset.
Components installed: Selectable during preparation.
Installation method: On site or remotely.
Configuration method: Prior to installation.
Necessary skills and user rights: Customizing the customer.inf and silent.cmd configuration files and remotely triggering the latter's execution,
system administrator.
For step-by-step instructions, see Fully Preconfigured Custom Installation.
Updating or Migrating the Barracuda Network Access Client
For step-by-step instructions on upgrading an existing installation on a workstation to a new version without adding or removing components, see
Updating or Migrating the Client.
Uninstalling the Barracuda Network Access Client
For step-by-step instructions to completely remove the Barracuda Network Access Client from a system, see Uninstalling the Client.
Restoring the System after a Failed Installation
The Barracuda Network Access Client installation and removal processes create restore points in the Windows System Restore area that you
may use to restore your system to a previous state if necessary.
For details, refer to the Windows Help.
Performing a Complete Installation
The complete installation is a standard installation routine providing default settings (e.g. regarding the connection behavior) for all product
variants. This setup type does not require any deeper knowledge of the Barracuda Network Access Client or any other than standard user
privileges on the workstation.
Follow the steps below to install or update the Barracuda Network Access Client and all of its components.
In this article:
Step 1. Prepare the Installation Files
Step 2. Start the Setup Executable
Step 3. Close all Running Programs
Step 4. Read the License Agreement
Step 5. Enter Your Customer Information
Step 6. Set the Installation Target Directory
Step 7. (Optional) Select a Custom Target Directory
Step 8. Select the Complete Installation
Step 9. Configure Some Basic Settings
Step 10. Confirm the Settings
Step 11. Wait Until the Installation is Finished
Default Settings Used in this Installation Mode
Step 1. Prepare the Installation Files
The installation files for the Barracuda Network Access Client are provided on the Barracuda NG Firewall application thumb drive or can be
downloaded from your Barracuda Networks Account. An MSI file is additionally provided for software distribution systems.
All Barracuda VPN Client drivers are signed by Microsoft for Windows NT, Windows XP (32-bit), Windows Vista (32-bit and 64-bit), Windows 7,
and Windows 8 (32-bit and 64-bit) logo compliance. Installation requires local administrator rights.
Do not run the installation executable from a network share. All network connections are terminated for a few moments during the installation
process, so an installation started from a share fails. Copy the installation files to a local hard disk and run setup from there.
Step 2. Start the Setup Executable
Double-click setup.exe to start the installation routine. The InstallShield Wizard then starts to prepare the installation files.
Step 3. Close all Running Programs
After the installation files are prepared, a window opens and advises you to close all running programs. After you close all running programs, click
Next.
If you do not close all running programs, you might be prompted to close certain programs later during the installation.
Step 4. Read the License Agreement
After a few seconds, you are presented with the Barracuda Networks Warranty and Software License Agreement.
Read it carefully. If you agree to the terms, select I accept the terms in the license agreement. You must accept the agreement before you can
continue with the installation.
Step 5. Enter Your Customer Information
On the next screen, you are prompted to enter your User Name and Organization. You can also choose to install the Barracuda Network Access
Client for either Anyone who uses this computer (all users) or Only for me.
Click Next when you are done.
Step 6. Set the Installation Target Directory
If you do not want to install the Barracuda Network Access Client at the default location, click Change.
Otherwise, click Next.
Step 7. (Optional) Select a Custom Target Directory
If you clicked Change on the last screen, you can now browse to the target directory wherein you want to have the Client installed or create such
a directory.
Click OK when done.
Step 8. Select the Complete Installation
Click Barracuda VPN and NAC Client on the next screen to initiate a complete installation.
Then click Next.
Step 9. Configure Some Basic Settings
On this screen, you can configure some basic settings. You can also configure these settings later.
Barracuda Network Defaults:
VPN Server IP(s) – One or more IP addresses for VPN servers. These will be used in the default VPN profile. Separate multiple IP
addresses with a semicolon (;). See also: Configuring the Client.
Network Access Control IP – If applicable, the IP address of the Access Control Service. See also: Access Control Service.
Terminate Password – The master password that must be entered in the Barracuda Network Access Client by users before they can
terminate the Client or modify Advanced settings. This is to prevent users from simply shutting down the Client or modifying certain
settings in order to bypass its security functions. Leave the field empty to disable the master password. The password set here can later
only be changed via the Access Control Service in Barracuda NG Admin by navigating to Config > Access Control Service Trustzone
> Settings > Client Shutdown Passphrase.
Barracuda Personal Firewall:
Disable Barracuda Personal Firewall – To disable the firewall on startup, select this check box.
Firewall Always ON – To prevent the personal firewall from being disabled by users, select this check box.
If enabled at the initial installation, this setting cannot be removed by re-installing the VPN client with the setting disabled.
IPv6 Router Advertisement Guard – Activates the Barracuda Personal Firewall's IPv6 protection. See also: The Barracuda Personal
Firewall.
Click Next when you are done.
Step 10. Confirm the Settings
The next screen is only to confirm that the installation itself is about to be executed now. If you want to modify any settings, click Back. To
proceed, click Install.
Step 11. Wait Until the Installation is Finished
Wait until the progress bar reaches 100%, indicating that the installation is complete. During this subprocess, the system's network connectivity
will drop out for a few moments.
The wizard tells you when the installation has been completed. To start the VPN Client when you click Finish, select the Launch VPN Client
check box.
Default Settings Used in this Installation Mode
The following default settings apply in a complete installation. For more information on these settings, see Fully Preconfigured Custom Installation
and Partially Preconfigured Unattended Remote Custom Installation.
Complete Installation > Barracuda Access Monitor > Default Settings
Parameter – Default
DHCP Renew – No
Complete Installation > Personal Firewall > Default Settings
Parameter – Default
Trusted Network – No
Connect to the Internet with ADSL (PPTP) – No
Allow others to access my files and printer(s) – No
Disable Barracuda Personal Firewall – Yes
Firewall Always ON – No
Complete Installation > Ask for > Default Settings
Parameter – Default
unknown outgoing connections – Yes
unknown incoming connections – No
adapter update confirmation – Yes
Performing a VPN-Only Installation
The VPN Client installation is a standard installation routine providing default settings (e.g. regarding the connection behavior). This setup type
does not require any deeper knowledge of the Barracuda Network Access Client or any other than standard user privileges on the workstation.
Follow the steps below to install or update the Barracuda VPN Client and the necessary components.
In this article:
Step 1. Prepare the Installation Files
Step 2. Start the Setup Executable
Step 3. Close all Running Programs
Step 4. Read the License Agreement
Step 5. Enter Your Customer Information
Step 6. Set the Installation Target Directory
Step 7. (Optional) Select a Custom Target Directory
Step 8. Select the VPN-Only Installation
Step 9. Configure Some Basic Settings
Step 10. Confirm the Settings
Step 11. Wait Until the Installation is Finished
Default Settings Used in this Installation Mode
Step 1. Prepare the Installation Files
The installation files for the Barracuda Network Access Client are provided on the Barracuda NG Firewall application thumb drive or can be
downloaded from your Barracuda Networks Account. An MSI file is additionally provided for software distribution systems.
All Barracuda VPN Client drivers are signed by Microsoft for Windows NT, Windows XP (32-bit), Windows Vista (32-bit and 64-bit), Windows 7,
and Windows 8 (32-bit and 64-bit) logo compliance. Installation requires local administrator rights.
Do not run the installation executable from a network share. All network connections are terminated for a few moments during the installation
process, so an installation started from a share fails. Copy the installation files to a local hard disk and run setup from there.
Step 2. Start the Setup Executable
Double-click setup.exe to start the installation routine. The InstallShield Wizard then starts to prepare the installation files.
Step 3. Close all Running Programs
After the installation files are prepared, a window opens and advises you to close all running programs. After you close all running programs, click
Next.
If you do not close all running programs, you might be prompted to close certain programs later during the installation.
Step 4. Read the License Agreement
After a few seconds, you are presented with the Barracuda Networks Warranty and Software License Agreement.
Read it carefully. If you agree to the terms, select I accept the terms in the license agreement. You must accept the agreement before you can
continue with the installation.
Step 5. Enter Your Customer Information
On the next screen, you are prompted to enter your User Name and Organization. You can also choose to install the Barracuda Network Access
Client for either Anyone who uses this computer (all users) or Only for me.
Click Next when you are done.
Step 6. Set the Installation Target Directory
If you do not want to install the Barracuda Network Access Client at the default location, click Change.
Otherwise, click Next.
Step 7. (Optional) Select a Custom Target Directory
If you clicked Change on the last screen, you can now browse to the target directory wherein you want to have the Client installed or create such
a directory.
Click OK when done.
Step 8. Select the VPN-Only Installation
Click Barracuda VPN Client on the next screen to initiate an installation of only the components necessary to run the Barracuda VPN Client.
Then click Next.
Step 9. Configure Some Basic Settings
On this screen, you can configure some basic settings. You can also configure these settings later.
Barracuda Network Defaults:
VPN Server IP(s) – One or more IP addresses for VPN servers. These will be used in the default VPN profile. Separate multiple IP
addresses with a semicolon (;). See also: Configuring the Client.
Network Access Control IP – This option is disabled because it is not necessary for this installation type.
Terminate Password – The master password that must be entered in the Barracuda Network Access Client by users before they can
terminate the Client or modify Advanced settings. This is to prevent users from simply shutting down the Client or modifying certain
settings in order to bypass its security functions. Leave the field empty to disable the master password. The password set here can later
only be changed via the Access Control Service in Barracuda NG Admin by navigating to Config > Access Control Service Trustzone
> Settings > Client Shutdown Passphrase.
Barracuda Personal Firewall:
Disable Barracuda Personal Firewall and Firewall Always ON – These settings are disabled because the Personal Firewall is not
available in this installation mode.
IPv6 Router Advertisement Guard – Activates the Barracuda Personal Firewall's IPv6 protection. See also: The Barracuda Personal
Firewall.
Click Next when you are done.
Step 10. Confirm the Settings
The next screen is only to confirm that the installation itself is about to be executed now. If you want to modify any settings, click Back. To
proceed, click Install.
Step 11. Wait Until the Installation is Finished
Wait until the progress bar reaches 100%, indicating that the installation is complete. During this subprocess, the system's network connectivity
will drop out for a few moments.
The wizard tells you when the installation has been completed. To start the VPN Client when you click Finish, select the Launch VPN Client
check box.
Default Settings Used in this Installation Mode
The following default settings apply in a VPN-only installation. For more information on these settings, see Fully Preconfigured Custom
Installation and Partially Preconfigured Unattended Remote Custom Installation.
VPN-Only Installation > Barracuda Access Monitor > Default Settings
Parameter – Default
DHCP Renew – No
VPN-Only Installation > Ask for > Default Settings
Parameter – Default
unknown outgoing connections – Yes
unknown incoming connections – No
adapter update confirmation – Yes
Fully Preconfigured Custom Installation
In this article:
Installation Using a Customer.inf File
The customer.inf File
Section 1: Customer Area / [PhionCustomerCopyFiles]
Section 2: Customer Area / [CustomerReg]
Section 3: Customer Area / [SourceDisksFiles]
The silent.cmd File
Installation Using a Customer.inf File
The customer.inf setup is only available for the Barracuda VPN Client. It requires administrator rights on the target system.
The customer.inf setup is a comprehensive installation method, allowing you to fully preconfigure all Network Access Client settings on multiple
installation systems remotely. This method addresses the experienced system administrator. In addition to pure installation and basic
configuration, it allows you to:
Preconfigure an arbitrary number of connection profiles on the Network Access Client.
Import license (.lic) files and X.509 certificates into the Network Access Client.
Import preconfigured rule sets into the Personal Firewall.
Exemplary script files required for Customer.inf Setup (customer.inf, silent.cmd) are available on the Application thumb drive or on the Template
Code: Customer Install Files (customer.inf) page, allowing you to adapt the remote configuration procedure.
To prepare a completely customized setup:
1. Edit the customer.inf file.
For more information, see The customer.inf File.
2. Edit the silent.cmd file.
For more information, see The silent.cmd File.
3. Copy the following files to the folder containing the setup.exe file:
customer.inf
silent.cmd
active.i_fwrule (optional)
[LicenseName].lic (optional)
[CertificateName].p12 (optional)
4. Execute the silent.cmd file.
The customer.inf File
The syntax examples below are partly arranged in abstracts only. If needed as a template, see the full exemplary customer.inf at Template
Code: Customer Install Files (customer.inf).
The customer.inf file directs the copying of required files and the insertion of registry entries. It is divided into three sections of interest (Customer
Areas):
Section 1: Customer Area / [PhionCustomerCopyFiles]
Section 2: Customer Area / [CustomerReg]
Section 3: Customer Area / [SourceDisksFiles]
Do not rename the customer.inf file.
Remove nonessential parameters from the customer.inf file before applying it for custom setup.
Both the customer.inf and silent.cmd files are adapted for inclusion of a customer.lic file. If you are not importing a license (.lic) file
during installation, delete the corresponding entries in both files. If you are using another name for the .lic file, do not forget to
respectively edit the installation files.
The content of the customer.inf file is treated as case-sensitive.
Section 1: Customer Area / [PhionCustomerCopyFiles]
Example for Section [PhionCustomerCopyFiles]
[PhionCustomerCopyFiles]
; destination-file-name[,source-file-name][,temporary-file-name][,flag]
customer.inf,,,2 ; important, do not remove
customer.lic,,,2 ; if importing a license file
active.i_fwrule,,,2 ; if importing a firewall rule set
Optionally, the following file directives may be detailed:
File Directives Applicable in the Customer Area / [PhionCustomerCopyFiles]
Directive
Comment
destination-file-name
Name of the destination file.
If no source-file-name is given, this specification is also the name of
the source file.
source-file-name
Name of the source file.
If the source and destination file names for the file copy operation are
the same, source-file-name can be omitted.
temporary-file-name
Name of a temporary file to be created in the copy operation, if a
file of the same name on the destination is open or currently in
use.
Only used on Windows 9x/Me platforms. The NT-based operating
system automatically generates temporary file names when
necessary and renames the copied source files the next time the
operating system is started.
flags
These optional flags, expressed in hexadecimal notation or as a decimal value in a section entry, can be used to control how (or whether) a
particular source file is copied to the destination. One or more (ORed) values for the following system-defined flags can be specified, but some
of these are mutually exclusive:
0x00000400
(COPYFLG_REPLACEONLY)
Copy the source file to the destination directory only if the file is
already present in the destination directory.
0x00000800
(COPYFLG_NODECOMP)
Copy the source file to the destination directory without
decompressing the source file if it is compressed.
0x00000008
(COPYFLG_FORCE_FILE_IN_USE)
Force file-in-use behavior.
Do not copy over an existing file of the same name if it is currently
open. Instead, copy the given source file with a temporary name so
that it can be renamed and used when the next reboot occurs.
0x00000010
(COPYFLG_NO_OVERWRITE)
Do not replace an existing file in the destination directory with a
source file of the same name.
This flag cannot be combined with any other flags.
0x00001000
(COPYFLG_REPLACE_BOOT_FILE)
This file is required by the system loader.
The system will prompt the user to reboot the system.
0x00002000
(COPYFLG_NOPRUNE)
Do not drop this file operation as a result of Setup's optimization.
For example, Setup might determine that the file copy operation is not
necessary because the file already exists. However, the writer of the
INF knows that the operation is required and directs Setup to override
its optimization and perform the file operation.
This flag can be used to ensure that files are copied if they are also
specified in an INF DelFiles directive or an INF RenFiles directive.
0x00000020
(COPYFLG_NO_VERSION_DIALOG)
Do not overwrite a file in the destination directory with the
source file if the existing file is newer than the source file.
This flag is irrelevant to digitally signed INF files. If a driver package is
digitally signed, Setup installs the package as a whole and does not
selectively omit files in the package based on other versions already
present on the machine.
0x00000004
(COPYFLG_NOVERSIONCHECK)
Ignore file versions and overwrite existing files in the destination
directory.
This flag and the next two are mutually exclusive. This flag is
irrelevant to digitally signed INF files.
0x00000040
(COPYFLG_OVERWRITE_OLDER_ONLY)
Copy the source file to the destination directory only if the file
on the destination will be superseded by a newer version.
This flag is irrelevant to digitally signed INF files.
0x00000001
(COPYFLG_WARN_IF_SKIP)
Send a warning if the user selects to not copy a file.
This flag and the next are mutually exclusive, and both are irrelevant
to INF files that are digitally signed.
0x00000002
(COPYFLG_NOSKIP)
Do not allow the user to skip copying a file.
This flag is implied if the driver package is signed.
Do not change the name of the firewall rule set entry (active.i_fwrule). If you are not installing the Personal Firewall with a predefined
rule set that meets company policy, comment out or delete this line.
Section 2: Customer Area / [CustomerReg]
This section controls the configuration of profiles set up during installation. Profile settings are saved to
HKEY_USERS\.DEFAULT\Software\Phion\phionvpn\Profile. An entry has the following structure:
HKU,.DEFAULT\Software\Phion\phionvpn\Profile\1,dhcp,0x00010001,1
Here HKU,.DEFAULT\Software\Phion\phionvpn\Profile is the registry path and the trailing 1 of the subkey is the profile ID; together they form the
profile path. dhcp is the value entry name, 0x00010001 is the flags field (a REG_DWORD value), and the final 1 is the value written.
For automated VPN profile creation, the following syntax is applicable in the customer.inf file:
reg-root, [subkey], [value-entry-name], [flags], [value]
This section is used for creating profiles and defining default values.
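A small linter for the two Customer Areas, added here as an example rather than Barracuda tooling. It parses the [PhionCustomerCopyFiles] and [CustomerReg] sections, decodes the copy flags tabulated above and the AddReg flags (Microsoft SetupAPI values; 0x00010001 is REG_DWORD, 0x00010008 is REG_MULTI_SZ with APPEND), and checks the constraints this page states: customer.inf itself must be listed, the rule set must keep the name active.i_fwrule, and profile values must live under HKU,.DEFAULT\Software\Phion\phionvpn\Profile\<id>. SAMPLE_INF is constructed from the fragments shown on this page; the profile-path check flags anything in [CustomerReg] not shaped like a profile entry and may need loosening if your customer.inf also sets other defaults there.

```python
import re

# Copy flags as tabulated above (Microsoft SetupAPI COPYFLG_* values).
COPYFLG = {0x0001: "WARN_IF_SKIP", 0x0002: "NOSKIP", 0x0004: "NOVERSIONCHECK",
           0x0008: "FORCE_FILE_IN_USE", 0x0010: "NO_OVERWRITE", 0x0020: "NO_VERSION_DIALOG",
           0x0040: "OVERWRITE_OLDER_ONLY", 0x0400: "REPLACEONLY", 0x0800: "NODECOMP",
           0x1000: "REPLACE_BOOT_FILE", 0x2000: "NOPRUNE"}
# AddReg flags (Microsoft FLG_ADDREG_*): the value type is the high word plus bit 0,
# the remaining low bits modify behaviour.
ADDREG_TYPE_MASK = 0xFFFF0001
ADDREG_TYPES = {0x00000000: "REG_SZ", 0x00000001: "REG_BINARY", 0x00010000: "REG_MULTI_SZ",
                0x00010001: "REG_DWORD", 0x00020000: "REG_EXPAND_SZ"}
ADDREG_FLAGS = {0x0002: "NOCLOBBER", 0x0004: "DELVAL", 0x0008: "APPEND",
                0x0010: "KEYONLY", 0x0020: "OVERWRITEONLY"}
PROFILE_KEY = re.compile(r"^\.DEFAULT\\Software\\Phion\\phionvpn\\Profile\\\d+$")

SAMPLE_INF = r"""
; constructed sample, trimmed to the two Customer Areas discussed above
[PhionCustomerCopyFiles]
customer.inf,,,2        ; important, do not remove
active.i_fwrule,,,2     ; preconfigured Personal Firewall rule set

[CustomerReg]
HKU,.DEFAULT\Software\Phion\phionvpn\Profile\1,dhcp,0x00010001,1
"""


def parse_inf(text: str) -> dict:
    """Strip ';' comments and split each entry on commas. Section and key names are kept
    case-sensitive because that is how customer.inf is treated."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append([field.strip() for field in line.split(",")])
    return sections


def decode_copy_flags(field: str) -> list:
    """Flag field of a CopyFiles entry: hex (0x...) or decimal; empty means 0."""
    n = int(field, 0) if field else 0
    return sorted(name for bit, name in COPYFLG.items() if n & bit)


def decode_addreg_flags(field: str) -> tuple:
    """Flag field of an AddReg entry -> (registry value type, behaviour flags)."""
    n = int(field, 0) if field else 0
    rtype = ADDREG_TYPES.get(n & ADDREG_TYPE_MASK, "unknown")
    return rtype, sorted(name for bit, name in ADDREG_FLAGS.items() if n & bit)


def lint(text: str) -> list:
    """Check the constraints stated above; returns a list of problems (empty == ok)."""
    sections, problems = parse_inf(text), []
    copies = sections.get("PhionCustomerCopyFiles", [])
    if not any(entry[0] == "customer.inf" for entry in copies):
        problems.append("[PhionCustomerCopyFiles] must copy customer.inf itself")
    for entry in copies:
        if entry[0].endswith(".i_fwrule") and entry[0] != "active.i_fwrule":
            problems.append(f"rule set must be named active.i_fwrule, not {entry[0]}")
    for entry in sections.get("CustomerReg", []):
        root, subkey = entry[0], entry[1] if len(entry) > 1 else ""
        if root != "HKU" or not PROFILE_KEY.match(subkey):
            problems.append("profile value outside HKU,.DEFAULT\\...\\Profile\\<id>: " + ",".join(entry))
        if len(entry) > 3 and decode_addreg_flags(entry[3])[0] == "unknown":
            problems.append("unrecognised AddReg value type in: " + ",".join(entry))
    return problems


if __name__ == "__main__":
    print(lint(SAMPLE_INF) or "customer.inf ok")
    print(decode_copy_flags("2"), decode_addreg_flags("0x00010001"))
```

Run it against the edited customer.inf before copying it next to setup.exe; a renamed rule-set file or a profile written under the wrong root is silently ignored by the installer rather than reported, so the rollout appears to succeed while the workstation ends up without the intended rule set or profile.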
Directives Applicable in the Customer Area / [CustomerReg]
Directive
Comment
reg-root
Identifies the root of the registry tree for other values supplied in
this entry.
The value can be one of the following:
HKCR
Abbreviation for HKEY_CLASSES_ROOT.
HKCU
Abbreviation for HKEY_CURRENT_USER.
HKLM
Abbreviation for HKEY_LOCAL_MACHINE.
HKU
Abbreviation for HKEY_USERS.
subkey
Optional; formed either as a %strkey% token defined in a Strings
section of the INF or as a registry path under the given reg-root
(key1\key2\key3 …), specifies one of the following:
A new subkey to be added to the registry at the end of the given
registry path.
An existing subkey in which the additional values specified in this
entry will be written (possibly replacing the value of an existing
named value entry of the given subkey).
Both a new subkey to be added to the registry together with its
initial value entry.
value-entry-name
Optional; either names an existing value entry in the given
(existing) subkey or creates the name of a new value entry to be
added in the specified subkey, whether it already exists or is a
new key to be added to the registry.
This value can be expressed either as a "quoted string" or as a %strkey% token that is defined in the INF's Strings section. (If this is omitted for a string-type value, the value entry name is the default unnamed value entry for this key.) The operating system supports some system-defined special value-entry-name keywords. See the end of this comments section for more information.
value
Optionally specifies a new value for the specified value-entry-name to
be added to the given registry key.
Such a value can be a replacement value for an existing named value entry in an existing key, a value to be appended (flag value 0x00010008) to an existing named REG_MULTI_SZ-type value entry in an existing key, a new value entry to be written into an existing key, or the initial value entry for a new subkey to be added to the registry.
The expression of such a value depends on the registry type
specified for the flag as follows:
A registry string-type value can be expressed either as a "quoted string" or as a %strkey% token defined in a Strings section of the INF file. Such an INF-specified value must not include a NULL terminator at the end of each string.
A registry numerical-type value can be expressed as a
hexadecimal (using 0x notation) or decimal number.
flags
Optional hexadecimal value, expressed as an ORed bitmask of system-defined low word and high word flag values, defines the data type for a value entry and/or controls the add-registry operation. Bitmask values for each of these flags are as follows:
0x00000001 (FLG_ADDREG_BINVALUETYPE)
The given value is raw data. This value is identical to FLG_ADDREG_TYPE_BINARY.
0x00000002 (FLG_ADDREG_NOCLOBBER)
Prevent a given value from replacing the value of an existing value entry.
0x00000004 (FLG_ADDREG_DELVAL)
Delete the given subkey from the registry, or delete the specified value-entry-name from the specified registry subkey.
0x00000008 (FLG_ADDREG_APPEND)
Append a given value to that of an existing named value entry. This flag is valid only if FLG_ADDREG_TYPE_MULTI_SZ is also set. The specified string value is not appended if it already exists.
0x00000010 (FLG_ADDREG_KEYONLY)
Create the given subkey, but ignore any supplied value-entry-name and/or value.
0x00000020 (FLG_ADDREG_OVERWRITEONLY)
Reset to the supplied value only if the specified value-entry-name already exists in the given subkey.
0x00001000 (FLG_ADDREG_64BITKEY)
Make the specified change in the 64-bit registry. If not specified, the change is made to the native registry. Only Windows XP and later.
0x00002000 (FLG_ADDREG_KEYONLY_COMMON)
Same as FLG_ADDREG_KEYONLY but also works in a del-registry-section (see INF DelReg Directive). Only Windows XP and later.
0x00004000 (FLG_ADDREG_32BITKEY)
Make the specified change in the 32-bit registry. If not specified, the change is made to the native registry. Only Windows XP and later.
0x00000000 (FLG_ADDREG_TYPE_SZ)
Given value entry and/or value is of type REG_SZ. Note that this is the default type for a specified value entry, so the flag's value can be omitted from any reg-root line in an add-registry section that operates on a value entry of this type.
0x00010000 (FLG_ADDREG_TYPE_MULTI_SZ)
Given value entry and/or value is of type REG_MULTI_SZ. This specification does not require any NULL terminator for a given string value.
0x00020000 (FLG_ADDREG_TYPE_EXPAND_SZ)
Given value entry and/or value is of type REG_EXPAND_SZ.
0x00010001 (FLG_ADDREG_TYPE_DWORD)
Given value entry and/or value is of type REG_DWORD.
0x00020001 (FLG_ADDREG_TYPE_NONE)
Given value entry and/or value is of type REG_NONE.
The following describes only the minimum required information. You may add any other Barracuda Networks registry entry.
1. Edit Default Entry
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Default, 0x00010001, 1
Value 1 sets a profile to the default profile of the Barracuda VPN Client. All other profiles take the value 0.
2. Edit DHCP Entry
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, dhcp, 0x00010001, 1
Editing this value changes the value of the Virtual Adapter Configuration parameter:
0 -> Assign IP address manually
1 -> Use internal DHCP assignment (default)
2 -> Direct assignment
3. Edit Profile Name
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, description, 0x00000000, "profile name"
4. Name the License (customer.lic)
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, license, 0x00000000, "%65600%\customer.lic"
%65600% is used as a placeholder for the installation directory
5. Enter IP Address of the VPN Server
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, server, 0x00000000, "192.168.0.1"
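The following is an added Python example, not code from the Barracuda documentation: it parses AddReg lines in the reg-root, [subkey], [value-entry-name], [flags], [value] form, decodes the flags bitmask with the constants from the table above, and reports entries whose value form does not match the declared type or that combine flags the table forbids. The sample lines come from the customer.inf template on this page; the mode line carrying the REG_SZ flag is a constructed mismatch.

```python
"""Added example: parse INF AddReg lines (reg-root, [subkey], [value-entry-name],
[flags], [value]), decode the flags bitmask and report constraint violations."""
import re
from dataclasses import dataclass, field

# Low-word control flags, values from the flags table above.
FLG_ADDREG_BINVALUETYPE = 0x00000001
FLG_ADDREG_NOCLOBBER = 0x00000002
FLG_ADDREG_DELVAL = 0x00000004
FLG_ADDREG_APPEND = 0x00000008
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_OVERWRITEONLY = 0x00000020
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
CONTROL_NAMES = {
    FLG_ADDREG_NOCLOBBER: "NOCLOBBER", FLG_ADDREG_DELVAL: "DELVAL", FLG_ADDREG_APPEND: "APPEND",
    FLG_ADDREG_KEYONLY: "KEYONLY", FLG_ADDREG_OVERWRITEONLY: "OVERWRITEONLY",
    FLG_ADDREG_64BITKEY: "64BITKEY", FLG_ADDREG_KEYONLY_COMMON: "KEYONLY_COMMON",
    FLG_ADDREG_32BITKEY: "32BITKEY",
}
# The data type is the high word OR'ed with the BINVALUETYPE bit of the low word.
TYPE_MASK = 0xFFFF0000 | FLG_ADDREG_BINVALUETYPE
TYPE_NAMES = {0x00000000: "REG_SZ", 0x00010000: "REG_MULTI_SZ", 0x00020000: "REG_EXPAND_SZ",
              0x00000001: "REG_BINARY", 0x00010001: "REG_DWORD", 0x00020001: "REG_NONE"}
ROOTS = {"HKCR", "HKCU", "HKLM", "HKU"}
QUOTED_OR_TOKEN = re.compile(r'^("[^"]*"|%[^%]+%)$')  # "quoted string" or %strkey%
NUMBER = re.compile(r"^(0x[0-9A-Fa-f]+|\d+)$")         # hex (0x...) or decimal


@dataclass
class AddRegEntry:
    root: str
    subkey: str
    name: str
    flags: int
    value: str
    reg_type: str
    control: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_addreg_line(line: str) -> AddRegEntry:
    """Split one AddReg line into its five fields and decode the flags.
    A leading ';' is tolerated so commented-out template lines can be checked too."""
    text = line.strip().lstrip(";").strip()
    parts = [p.strip() for p in text.split(",", 4)]
    parts += [""] * (5 - len(parts))            # optional fields that were left out
    root, subkey, name, flags_s, value = parts
    flags = int(flags_s, 0) if flags_s else 0   # omitted flags means REG_SZ (0x00000000)
    type_bits = flags & TYPE_MASK
    reg_type = TYPE_NAMES.get(type_bits, f"unknown type 0x{type_bits:08x}")
    control = [n for bit, n in CONTROL_NAMES.items() if flags & bit]
    entry = AddRegEntry(root, subkey, name, flags, value, reg_type, control)
    if root not in ROOTS:
        entry.problems.append(f"unknown reg-root {root!r}")
    _check_value(entry)
    return entry


def _check_value(e: AddRegEntry) -> None:
    """Apply the constraints stated in the flags table."""
    f = e.flags
    if e.reg_type.startswith("unknown"):
        e.problems.append(e.reg_type)
    if f & FLG_ADDREG_APPEND and e.reg_type != "REG_MULTI_SZ":
        e.problems.append("APPEND is valid only if FLG_ADDREG_TYPE_MULTI_SZ is also set")
    if f & FLG_ADDREG_64BITKEY and f & FLG_ADDREG_32BITKEY:
        e.problems.append("64BITKEY and 32BITKEY are contradictory")
    # KEYONLY/KEYONLY_COMMON/DELVAL ignore the value; an omitted value is legal too.
    if f & (FLG_ADDREG_KEYONLY | FLG_ADDREG_KEYONLY_COMMON | FLG_ADDREG_DELVAL) or not e.value:
        return
    if e.reg_type == "REG_DWORD" and not NUMBER.match(e.value):
        e.problems.append(f"REG_DWORD needs a hex or decimal number, got {e.value!r}")
    elif e.reg_type in ("REG_SZ", "REG_EXPAND_SZ") and not QUOTED_OR_TOKEN.match(e.value):
        e.problems.append(f"{e.reg_type} needs a quoted string or %strkey% token, got {e.value!r}")
    elif e.reg_type == "REG_MULTI_SZ":
        if not all(QUOTED_OR_TOKEN.match(v.strip()) for v in e.value.split(",")):
            e.problems.append("REG_MULTI_SZ needs one or more quoted strings")


def check_section(lines) -> dict:
    """Return {line: problems} for every AddReg line of an add-registry section
    that violates a constraint; plain comment lines are skipped."""
    report = {}
    for line in lines:
        first = line.strip().lstrip(";").strip().split(",", 1)[0].strip()
        if first in ROOTS:
            entry = parse_addreg_line(line)
            if entry.problems:
                report[line.strip()] = entry.problems
    return report


# Constructed sample: lines taken from the template above plus one deliberate
# mismatch (mode is documented as a DWORD key but is written with the REG_SZ flag).
SAMPLE = [
    r"HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Default, 0x00010001, 1",
    r'HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, license, 0x00000000, "%65600%\customer.lic"',
    r'; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00001000, "CredentialProvider"',
    r"; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, mode, 0x00000000, 1",
]

if __name__ == "__main__":
    for bad_line, problems in check_section(SAMPLE).items():
        print(bad_line, "->", "; ".join(problems))
```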
Section 3: Customer Area / [SourceDisksFiles]
Example for Section [SourceDisksFiles]
[SourceDisksFiles]
; Files for disk Customer Files #1
; filename = diskid[,[ subdir][, size]]
customer.inf,,,1
customer.lic,,,1
; if a license file is imported
active.i_fwrule,,,1 ; if a firewall rule set is imported
A SourceDisksFiles section names the source files used during installation, identifies the installation disks that contain these files, and provides
the path to the subdirectories, if any, on the distribution disks containing individual files. The following directives are applicable:
filename = diskid[,[ subdir][, size]]
File Directives Applicable in the Customer Area / [SourceDisksFiles]
Directive
Comment
filename
Name of the file on the source disk.
diskid
Integer identifying the source disk that contains the file.
This value and the initial path to the subdir(ectory), if any, containing
the named file must be defined in a SourceDisksNames section of
the same INF.
subdir
Subdirectory (relative to the SourceDisksNames path
specification, if any) on the source disk where the named file
resides.
If this value is omitted from an entry, the named source file is
assumed to be in the path directory that was specified in the Source
DisksNames section for the given disk or, if no path directory was
specified, in the installation root.
size
Optional; uncompressed size, in bytes, of the given file.
Do not change the name of the firewall rule set entry (active.i_fwrule). If you do not intend to install the Personal Firewall with a predefined rule set meeting company policy, remove this line.
The silent.cmd File
Save the following to a .cmd file and execute this file to trigger an unattended customer setup. Separate multiple properties with spaces:
@echo off
setup.exe /s /v"/qr CUSTOMER_INF=customer.inf FW_NOTINSTALL=1"
xcopy /s X509-Certificate.p12 "c:\Program Files\BarracudaNG"
Specific properties must be inserted into one row.
For an overview of the available properties, see the Partially Preconfigured Unattended Remote Custom Installation page.
Template Code: Customer Install Files (customer.inf)
In the box below you can find template code for a customer.inf file, ready to copy and paste.
;------------------------------------------------------------------------------------------
; customer.INF
;
; Customer Install Files
;
; Copyright 2008-2015 Barracuda Networks, Inc.
;
; For detailed information please consider the Barracuda TechLibrary
;
;------------------------------------------------------------------------------------------
[version]
signature = "$Windows NT$"
provider = %ph%
[Manufacturer]
%Phion% = Phion
[DefaultInstall]
CopyFiles=PhionCustomerCopyFiles
AddReg = PhionCustomerReg
[DefaultUninstall]
DelFiles=PhionCustomerCopyFiles
DelReg = PhionCustomerReg
;----------------------------------------------------------------------------
; 1, Customer Area
;----------------------------------------------------------------------------
[PhionCustomerCopyFiles]
; destination-file-name[,source-file-name][,temporary-file-name][,flag]
customer.inf,,,2 ; important, do not remove
customer.lic,,,2 ; if importing a phion license file
active.i_fwrule,,,2 ; if importing a firewall rule set
;-----------------------------------------------------------------------------
; 2, Customer Area
;
; REG_SZ = 0x00000000
; REG_DWORD = 0x00010001
;
; Description:
; Certificate: AuthType (0x00010001)
; 0 -> phion authentication
; 1 -> X509 authentication
; 2 -> User / Password
; File: license (0x00000000)
; Subject: license (0x00000000)
; Microsoft Certificate Store Lookup: CertSearchOrder (0x00010001)
; 0 -> Lookup with Subject
; 1 -> Lookup with Issuer
; Use Serial Number: certserialnumber (0x00000000)
; Private Encrypt: PrivateEncrypt (0x00010001)
; Probe Encryption: ProbeEncryption (0x00010001)
; Prompt for user and password: AuthUser (0x00010001)
; Remote Server: server (0x00000000)
; Proxy Type Configuration: proxyType (0x00010001)
; 0 -> No Proxy
; 1 -> HTTP Proxy
; 2 -> Socks4
; 3 -> Socks5
; Proxy [:Port]: proxy (0x00000000)
; Proxy user: proxyuser (0x00000000)
; Domain: proxydomain (0x00000000)
; Simulate SSL: simulateSSL (0x00010001)
; Authentication algorithm: hash (0x00010001)
; 1 -> MD5
; 2 -> SHA1
; Encryption Algorithm: encryption (0x00010001)
; 1 -> None
; 2 -> 3DES
; 4 -> AES
; 8 -> Cast
; 16 -> Blowfish
; 32 -> DES
; 64 -> AES256
; Tunnel Mode: mode (0x00010001)
; 1 -> Reliability (TCP)
; 2 -> Response (UDP)
; 3 -> Optimized (Hybrid)
;
; Virtual Adapter Configuration: dhcp (0x00010001)
; 0 -> Assign IP address manually
; 1 -> Use internal DHCP assignment (default)
; 2 -> Direct assignment
;
; Compression: streamCompression (0x00010001)
; Use Policy Server: usePolSrv, 0x00010001
; Disconnect when user logs off: terminateIfUserLogout (0x00010001)
; One Time Password: oneTimePassword (0x00010001)
; Allow ENA Connection: allowENA (0x00010001)
; Allow Sending Offline Ruleset: allowFWRule (0x00010001)
; Save new Certificate Unattended: unattended (0x00010001)
; Silent Mode (No Keep Alive): silent (0x00010001)
; Keep Alive (seconds): timeoutAlive (0x00010001)
; Start Script: startScript (0x00000000)
; Stop Script: stopScript (0x00000000)
; Enable MS Logon: enableMSLogon (0x00010001)
;
; Certificate Store Flag: StoreFlags (0x00010001)
; ffffffff -> <Default>
; 10000 -> Current User
; 70000 -> Current User Group Policy
; 20000 -> Local Machine
; 90000 -> Local Machine Enterprise
; 80000 -> Local Machine Group Policy
; 50000 -> Phion VPN Service
;
; Certificate Store: store (0x00000000)
; MY -> MY
; Root -> Root
; Trust -> Trust
; CA -> CA
;
; Terminate Countdown (sec.): TerminateCountdown (0x00010001)
; Show Popup: ShowPopup (0x00010001)
; Close after Connect: CloseOnConnect (0x00010001)
;
;----------------------------------------------------------------------------
[PhionCustomerReg]
; reg-root, [subkey], [value-entry-name], [flags], [value]
HKU, .DEFAULT\Software\Phion\phionvpn, CustomerINF, 0x00000000, "%65600%\customer.inf" ; important, do not remove
; Profile 1 Example with phion.lic (Default selected)
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Default, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, dhcp, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, AuthType, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Description, 0x00000000, "phionLIC (Default)"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, license, 0x00000000, "%65600%\customer.lic"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, server, 0x00000000, "192.168.0.1"
; Profile 2 Example with extern linked X509 PKCS#12 File
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, Default, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, dhcp, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, AuthType, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, AuthUser, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, description, 0x00000000, "Extern PKCS#12"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, license, 0x00000000, "%65600%\X509-Certificate.p12"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, server, 0x00000000, "192.168.0.1"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, mode, 0x00010001, 2
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, hash, 0x00010001, 2
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, PrivateEncrypt, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\2, store, 0x00000000, ""
; Profile 3 Example with Microsoft Certificate Store Linked x509 Certificate
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, Default, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, dhcp, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, AuthType, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, AuthUser, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, description, 0x00000000, "MY-Store Linked x509"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, license, 0x00000000, ""
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, server, 0x00000000, "192.168.0.1"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, mode, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, hash, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, PrivateEncrypt, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\3, store, 0x00000000, "MY"
; Profile 4 Example with phion.lic and Proxy Connection
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, Default, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, dhcp, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, Description, 0x00000000, "PhionLIC with Proxy"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, license, 0x00000000, "%65600%\customer.lic"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, server, 0x00000000, "192.168.0.1"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, Default, 0x00010001, 0
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, proxy, 0x00000000, "http://www.proxy.ip:3128"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, proxyType, 0x00010001, 1
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, proxyuser, 0x00000000, "testUser"
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, proxydomain, 0x00000000, "PHION"
; mode is a DWORD key (see the description above), so the DWORD flag is used here
; HKU, .DEFAULT\Software\Phion\phionvpn\Profile\4, mode, 0x00010001, 1
;----------------------------------------------------------------------------
; install credential provider
;
; If you want to set the 'enableMSLogon' property in your profile (see above)
; you also have to install the Barracuda Credential Provider.
; Please note that values depend on your OS version (e.g. Windows 8 and
; newer) AND your OS architecture (i.e. 32-bit / 64-bit).
; 32-bit operating systems
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00000000, "CredentialProvider"
;
; Windows Vista/Windows 7 OR
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, , 0x00000000, "CredentialProvider.dll"
; Windows 8 and newer (you must only include one line)
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, , 0x00000000, "CredentialProviderWin8.dll"
;
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, ThreadingModel, 0x00000000, "Apartment"
; HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00000000, "CredentialProvider"
; HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00000000, "phionCredentialProviderFilter"
; HKLM, SOFTWARE\Phion\phionvpn, CredentialProviderInstalled, 0x00010001, 1
;
; 64-bit operating systems
;
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00001000, "CredentialProvider"
;
; Windows Vista/Windows 7 OR
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, , 0x00001000, "CredentialProvider.dll"
; Windows 8 and newer (you must only include one line)
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, , 0x00001000, "CredentialProviderWin8.dll"
;
; HKCR, CLSID\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}\InprocServer32, ThreadingModel, 0x00001000, "Apartment"
; HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00001000, "CredentialProvider"
; HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{6CBB6E49-617A-4d74-AD03-B591C78DE5A3}, , 0x00001000, "phionCredentialProviderFilter"
; HKLM, SOFTWARE\Phion\phionvpn, CredentialProviderInstalled, 0x00010001, 1
;
;----------------------------------------------------------------------------
; 3, Customer Area
;----------------------------------------------------------------------------
[SourceDisksFiles]
; Files for disk phion AG Customer Files #1
; filename = diskid[,[ subdir][, size]]
customer.inf,,,1
customer.lic,,,1 ; if a phion license file is imported
active.i_fwrule,,,1 ; if a firewall rule set is imported
;---------------------------------------------------------------------------
; Do not change any attribute beyond this line!
;---------------------------------------------------------------------------
[DestinationDirs]
PhionCustomerCopyFiles = 65600
[SourceDisksNames]
1 = %DiskId1%,,,""
;---------------------------------------------------------------------------
; Localizable Strings
;---------------------------------------------------------------------------
[Strings]
ph = "Phion"
DisplayClassName = "Phion Customer Files"
Phion = "Phion AG"
*Phiond.DeviceDesc = "Phion Customer Files"
Phion.DeviceDesc = "Phion Customer Files"
*Phion.DeviceDesc = "Phion Customer Files"
phionvpn.Service.DispName = "Phion Customer Files"
DiskId1 = "Phion Customer Files Disk #1"
Partially Preconfigured Unattended Remote Custom Installation
In this article:
Unattended Setup
Optionally Customizable Properties
Unattended Setup
The procedure for unattended installation aims at concurrent remote installation and basic configuration of multiple clients and addresses the
experienced system administrator.
Unattended setup requires administrator rights on the system where the installation is executed.
Msiexec command-line options are used to customize the installation procedure. For information on these options, refer to Microsoft TechNet.
To specify non-default values for installation, Msiexec options may additionally be extended by Barracuda Network Access Client specific
properties. The available options for this purpose are listed in the tables below.
Save the following to a .cmd file and execute this file to trigger an unattended setup. Separate multiple specific properties with spaces:
Barracuda.msi /q CUSTOMER_INF=[path-and-filename] [property 1] [property 2] ...
For example, this call performs a silent installation of only the Barracuda VPN Client into c:\Program Files\Barracuda\VPN Client using further configuration settings stored in a file named vpnconf.inf:
@echo off
Barracuda.msi /q CUSTOMER_INF=<YOUR_INSTALLATION_PATH>\vpnconf.inf INSTALLDIR="c:\Program Files\Barracuda\VPN Client"
Specific properties must be inserted into one row.
Msiexec Command-Line Options
Each entry lists the property, its possible values, and the corresponding option in the Firewall Settings (default values are marked in red in the original table).
DEFAULT_SHELL
Possible values: 0, 1
Required if using a different shell than explorer.exe (e.g. Microsoft Embedded XP).
FW_ALWAYS_ON
Possible values: 0, 1
Firewall Always ON. If this is enabled, the Barracuda Network Access Client must be installed with the Firewall Always ON option enabled. Otherwise, connections to the corresponding VPN service will fail. See also: Troubleshooting.
FW_INSTALL_GINA
Install Barracuda Networks GINA.
INSTALLDIR
Possible values: [String]
[String] is the installation path, e.g.: C:\Program Files\BarracudaNG
POLSRV_IP
The IP address of the Access Control Server.
PROGTYPE
Possible values: [blank], VPN
Leaving the value blank installs the selected product including all components. The value VPN activates the VPN-only installation mode. Only the VPN client components will be installed.
PUB_CA_KEYCERT
Possible values: [String]
[String] represents the name of the CA public certificate to the profile and requires adding the following lines:
copy certname.pem > nul
del certname.pem > nul
PWD
Possible values: [blank], [Secret Password]
Sets a secret password that will be requested prior to shutting down the client or modifying certain administrative settings in the NAC. It will not be possible for users to shut down the client without providing the correct password. The password cannot be changed from within the client; it can only be changed in the Access Control Service configuration on the server. Leaving the value blank causes the password protection to be disabled.
Additional Msiexec properties can optionally be modified. See the Optionally Customizable Properties section below.
Furthermore, the Personal Firewall settings can be edited after installation. For detailed information, see The Barracuda Personal
Firewall page.
Trusted Network
See a description here: Trusted Network.
Allow other to access my files and printer(s)
See a description here: Windows File Sharing.
Connect to the Internet with ADSL (PPTP)
See a description here: Connect to the Internet with ADSL (PPTP).
Ask for adapter update confirmation
See a description here: Ask for adapter update confirmation.
Access Control Server Address
The Access Control Server to be used.
Ask for unknown outgoing/incoming connections
Activating these checkboxes causes a dialog to pop up for every unknown connection. As a result of using this dialog, the Barracuda
Personal Firewall rule set is automatically modified (see Automatic Rule Configuration).
Disable Barracuda Networks Secure Mode (Firewall off)
Activating this checkbox results in a pass-all-behavior of the Personal Firewall. Use this option for unattended setups.
Firewall Always ON
Prevents deactivation of the Personal Firewall.
Any rule set assigned by a policy or VPN server will overwrite these options.
Optionally Customizable Properties
You can additionally customize the properties listed in the table below.
Msiexec Properties for Additional Customization of an Unattended Setup
Each property takes the value 0 or 1 (default values are marked in red in the original table); the corresponding option in the Firewall Settings is listed after the property name:
FW_TRUSTEDNETWORK: Trusted Network
FW_SHARE: Windows File Sharing
FW_ADSL: Connect to the Internet with ADSL (PPTP)
FW_ASKOUT: Ask for unknown outgoing connections
FW_ASKIN: Ask for unknown incoming connections
FW_ASKADAPTER: Ask for adapter update confirmation
FW_DISABLE: Unattended Setup only: Disable Barracuda Networks Secure Mode (Firewall off)
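As an added Python example (not code from the Barracuda documentation), the helper below assembles the single-row unattended call from the property tables above, rejects values those tables do not allow, and quotes an INSTALLDIR that contains spaces. The file paths used in the sample call are constructed.

```python
"""Added example: build the one-row unattended setup call described above and
reject property values the tables above do not allow."""

# Properties and the values the tables above allow for them.
FLAG_PROPERTIES = {"DEFAULT_SHELL", "FW_ALWAYS_ON", "FW_INSTALL_GINA", "FW_TRUSTEDNETWORK",
                   "FW_SHARE", "FW_ADSL", "FW_ASKOUT", "FW_ASKIN", "FW_ASKADAPTER", "FW_DISABLE"}
STRING_PROPERTIES = {"INSTALLDIR", "POLSRV_IP", "PUB_CA_KEYCERT", "PWD"}
CHOICE_PROPERTIES = {"PROGTYPE": {"", "VPN"}}


def _quote(value: str) -> str:
    """Quote a value for the Windows command line when it contains spaces
    (e.g. an INSTALLDIR under Program Files) or is intentionally blank."""
    if '"' in value:
        raise ValueError("double quotes are not allowed inside property values")
    return f'"{value}"' if (" " in value or value == "") else value


def build_unattended_command(customer_inf: str, **properties: str) -> str:
    """Return: Barracuda.msi /q CUSTOMER_INF=<path> [property=value ...] on one row."""
    if not customer_inf:
        raise ValueError("CUSTOMER_INF is required")
    parts = ["Barracuda.msi", "/q", f"CUSTOMER_INF={_quote(customer_inf)}"]
    for name, value in properties.items():
        if name in FLAG_PROPERTIES:
            if value not in ("0", "1"):
                raise ValueError(f"{name} must be 0 or 1, got {value!r}")
        elif name in CHOICE_PROPERTIES:
            if value not in CHOICE_PROPERTIES[name]:
                raise ValueError(f"{name} must be one of {sorted(CHOICE_PROPERTIES[name])}")
        elif name not in STRING_PROPERTIES:
            raise ValueError(f"unknown property {name}")
        parts.append(f"{name}={_quote(value)}")
    return " ".join(parts)


def render_cmd_script(command: str) -> str:
    """Wrap the call in a .cmd body. The page requires all properties on one row,
    so a command containing a line break is rejected. Note that a PWD value ends
    up in clear text in this file, so restrict who can read it."""
    if "\n" in command:
        raise ValueError("the setup call must be a single row")
    return "@echo off\r\n" + command + "\r\n"


# Constructed sample: VPN-only install into a path with spaces, firewall forced on.
EXAMPLE = build_unattended_command(
    r"C:\deploy\vpnconf.inf",
    INSTALLDIR=r"c:\Program Files\Barracuda\VPN Client",
    PROGTYPE="VPN",
    FW_ALWAYS_ON="1",
)

if __name__ == "__main__":
    print(render_cmd_script(EXAMPLE))
```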
Updating or Migrating the Client
Before updating the Barracuda Network Access Client, read the Release Notes for the new version in order to learn about substantial
changes that may appear.
Follow the steps below to update the Barracuda Network Access Client and all of its components from an older 3.x version to a newer one.
In this article:
Step 1. Prepare for the Update
Step 2. Perform the Update
Step 1. Prepare for the Update
Ensure that you saved the setup file locally on your system. A network installation is not possible. If the Barracuda Personal Firewall is installed, disable your Internet connection prior to the update.
If you have particular questions regarding the migration process, contact Barracuda Networks Technical Support.
Step 2. Perform the Update
See Performing a Complete Installation and follow the instructions for a fresh installation. The new version will replace your already installed
version without the loss of any settings.
On the screen where you can choose the installation mode (Barracuda VPN Client, Barracuda VPN and NAC Client, or Custom), the mode
that fits your existing installation will be preselected.
Uninstalling the Client
This article provides instructions for uninstalling the client on a Windows 7 computer. If you are using a different platform where
methods may slightly differ, consult the Windows Help.
Follow the steps below to completely remove the Barracuda Network Access Client and all of its components from a system.
In this article:
Step 1. Close All Applications
Step 2. Navigate to the Uninstallation Screen
Step 3. Locate the Client in the List of Programs
Step 4. Start the Removal Process
Step 5. Wait Until Uninstallation Has Finished
Step 1. Close All Applications
Close all applications, including all components of the Barracuda Network Access Client.
During the uninstallation, all network connections will be interrupted for five seconds or longer. Before continuing with the uninstallation,
close any applications that may become unstable and save any open documents on network shares.
Step 2. Navigate to the Uninstallation Screen
In Windows, navigate to Control Panel > Programs and click Uninstall a Program. See the figure below.
Step 3. Locate the Client in the List of Programs
The list of installed programs appears, as shown in the screenshot below. Locate the Barracuda Network Access Client (the version number and
platform varies according to the installed version).
Step 4. Start the Removal Process
Double-click the item. You can also right-click it and select Uninstall.
If the existing installation included the Windows Start Menu items, then you can also directly execute the removal process by navigating to Start > Control Panel > Add or Remove Programs > Barracuda Network Access Client and clicking Remove.
A confirmation window as shown below appears. Click Yes if you want to continue with the uninstallation process.
Step 5. Wait Until Uninstallation Has Finished
The uninstallation program will now internally prepare the removal. The dialog window below appears for a few seconds. If you now make a
last-second decision to keep the client, you can still click Cancel.
During the actual uninstallation, a dialog window with a progress bar as shown below informs you about the current status.
After proceeding to 100%, the uninstall dialog disappears. The Barracuda Network Access Client and all of its components are completely
removed from the system.
You may now be prompted to restart the system.
Operating and Monitoring the Barracuda Network Access Client
In this Section
The Barracuda VPN Client
The Barracuda Personal Firewall
The Barracuda Access Monitor
Barracuda Network Access Client Sample Configuration
In this Article:
Unit Monitoring and Real-time Information
Available Columns
Filtering
Context Menus
Status Tab
Status VPN Tab
Access Tab
Quarantine Tab
Unit Monitoring and Real-time Information
The Access Control Service provides extensive information about the currently available endpoints and their status. Both real-time and historical information are displayed when logging into the status window.
The following tabs are available for operational purposes:
Status tab
StatusVPN tab
Access tab
Quarantine tab
Available Columns
The lists in the real-time information GUI consist of the following columns:
Time
Displays date and time of the last client access.
Hostname
Displays the client's hostname as reported by the client.
IP Address
Client's IP address as reported by the client.
User
Either Local Machine if no user information is available or the name of the logged-in user (DOMAIN\username).
Status
Current status of the client. Possible values are Machine logged in, User logged in or User logged off. Additionally, Out of time can
be displayed if the client did not reconnect to the Access Control Service within the time period as configured in Access Control
Service Settings > System Health-Validator > Health State Validity. This is often caused by powered-off clients or by interrupted
network connectivity.
Information
Summary of the client's health status or details of a failed connection. Possible values include Client is healthy or, if the client is unhealthy, details about the failed health checks. The value No rule matched means that identity matching failed.
Healthstate
Last health state, which could be one of the four Healthy, Unhealthy, Probation, or Untrusted.
IsolationState
Possible values are Access, Not Restricted, and Probation.
Auth. (PHIBS)
Result of the last authentication, which can either be OK or Not OK.
Rule
Name of the matching policy rule.
Boxname
Originating unit on which the Access Control Service runs. This is only relevant in the CC Barracuda Network Access Client GUI context.
Type
Displays the possible types Health Evaluator, Authenticator or Remediation, depending on the Access Control Service module which
created the entry.
MAC Address
Client's MAC address as reported by the client.
SID
Client's local machine secure identifier (SID) as reported by the client.
Filtering
All available tabs provide filtering options at the top of the Barracuda Access Monitor GUI.
To activate a filter and refresh the Status list, click Update List. Filters are case sensitive. Some filters provide a list of available entries; other filter criteria can be entered manually. For manual input, the wildcards * and ? are available. For example, 10.0.8.1? filters for IP addresses 10.0.8.10 to 10.0.8.19, while 10.0.8.1* also matches 10.0.8.100 to 10.0.8.199.
The filter categories are split into Basic Filters and Advanced Filters. Depending on the currently selected tab, some filters are not available or
set as preselection.
The Basic Filter provides the following filter criteria:
From date/time
Restrict the time period for which entries should be listed.
Health State
Provides the different health states Healthy, Unhealthy, Probation, and Untrusted to display only the selected entries.
Isolation
Categories Not restricted, Restricted, and Probation are available as filter criteria.
IP
Filters for specific IP addresses.
User
Filters for specific user entries.
Type
Filters for entries of Health Evaluator, Authenticator, or Remediation types, depending on the Access Control Service module that
created the entry.
Client
Filters for entries of Local Machine, VPN, or User types.
The Advanced Filter provides the following criteria:
MAC
Filters for the MAC address of the client (sent by the client itself, so the original MAC address is available even in routed environments).
SID
Filters for a Microsoft machine SID.
Box
Filters for the originating unit on which the Access Control Service runs (only relevant in CC Barracuda Network Access Client GUI
context).
Rule
Matching policy rule.
Auth
Filters for a certain authentication status.
Host
Filters for a hostname.
Status
Filters for a client status (User logged in, Machine logged in, Logged out, Out of time).
By activating the corresponding checkboxes, it is possible to combine multiple fields in order to achieve a more precise selection.
Context Menus
Right-click a list entry to activate one of the following context menus:
Standard context menu
accessible through the Tools item.
Follow this Computer …
All entries within the selected client are displayed in a new tab. Criteria for identifying a computer is the computer's local machine secure
identifier (SID).
Visualize this Computer …
This entry visualizes the health state of the selected client. The graphical status at the top of the main window displays the summarized
health state per day. Selecting multiple entries displays statistics of clients in Unhealthy, Probation, and Healthy states.
For single entries, the summary displays a red icon to indicate an unhealthy client if it was unhealthy only once per displayed time period
(day/week). Grey icons mean that no data is available for this date. This might e.g. indicate a client that is powered off.
Show Log File …
Displays the log entries referring the selected client. Additionally, the access cache of the forwarding firewall can be displayed.
Only log entries available on this Barracuda NG Firewall box will be displayed.
Show Details …
Displays detailed information about the selected client in a list view.
Flush Cache > Entry / This Computer / -ALL-
Removes either the selected entry, or all entries belonging to the selected client, or all entries from the cache.
Ungroup
Displays all entries in a flat list instead of the default group view.
Group by >
For better lucidity, status entries may be grouped by their essential attributes such as time, IP address, or rule name. Entries are
arranged in pop-up menus topped by a labeled title bar.
Summarize duplicate entries
Cumulates identical entries and additionally displays the count (that is, how many entries were cumulated).
Show time in UTC
Show UTC time instead of Barracuda NG Firewall system timezone.
Status Tab
The Status tab summarizes the health information of all connected clients. The Barracuda Network Access Client framework does not depend on
continuously established connections, but clients connect periodically to the Access Control Service. Therefore, the Status tab is able to display
historical information of the clients, too. To update the list, press Update List, since automatic updates are disabled.
As a primary key, Barracuda Network Access Client uses the Microsoft Machine Secure Identifier (SID). The SID is a unique value which could
change only in case of severe hardware modifications or re-installation of the operating system. This means that the Access Control Service can
assign health states to the proper client even if the IP address changes or a user performs a logout.
The Status tab displays only the last health status of a client. For an overview of historical information, e.g. to display the different states of a client while cumulating identical ones, switch to the Access tab.
Double-click an entry to open a new window wherein the Access Control Service logs corresponding to the appropriate entry are displayed. Optionally, the Firewall Access Cache may be displayed by clicking Show Access Cache. An appropriate filter for the client's IP address is automatically set. The cache selection includes forwarding as well as local-in and local-out traffic. This gives administrators an easy way to troubleshoot their clients.
Alternatively, the full log entries are available via the Log Viewer module. The full Access Cache can be viewed in the Firewall GUI > Access Cache. Both log entries and the firewall access cache are only available if the Access Control Service was active on the Barracuda NG Firewall unit. Barracuda NG Firewalls do not sync their log files or the firewall access cache to the HA partner.
Status VPN Tab
This tab provides a subset of the information available in the Status tab. Only Barracuda Network Access Client connections established through VPN are listed. Manually applying filters to Status tab results provides the same information.
Access Tab
This tab provides all information available for the Access Control Service. This includes health information (also displayed in the Status tab) as
well as data generated by the remediation module and the authenticator module.
Quarantine Tab
This tab provides all information regarding quarantined clients whose health state is unhealthy.
The Barracuda VPN Client
This section deals with the Windows version of the Barracuda VPN Client.
The Barracuda VPN Client documentation focuses on the interplay between the VPN client and enterprise-level Barracuda NG Firewall / Barracuda NG Control Center units. Therefore, this documentation usually refers to the Barracuda NG Firewall / Barracuda NG Control Center as the server-side component.
However, most functionalities of the VPN client are also usable in conjunction with consumer-level Barracuda Firewall units.
In this Section:
Configuring the Client
Creating VPN Profiles
Using Remote VPN
Overview
If you already know the basics of client-to-site VPN, you may continue reading on the Creating VPN Profiles page or learn about Using Remote
VPN.
Virtual Private Networks are an efficient and cost-saving way to use the internet as a transport alternative to dedicated lines or dial-up RAS while
overcoming the security risks of internet communications.
There are two well-established technologies for data encryption: IPSec and SSL (Secure Sockets Layer). Most VPN implementations rely solely on
IPSec, which has several disadvantages in modern network topologies. Barracuda VPN has incorporated both technology standards and hence
improves the VPN connectivity substantially.
Barracuda Networks provides two types of VPN client licenses:
Barracuda VPN Client
Barracuda SSL VPN and NAC
The different features of these two licenses will be described in detail in the following chapter.
Facts and Figures
VPN Licensing
The Barracuda VPN Client license is included with every appliance. On box appliances, it allows for unlimited users, while on virtual
appliances it is limited to the virtual appliance’s capacity. Optionally, the Barracuda SSL VPN and NAC subscription license is available. It
enables SSL VPN functionality and includes Barracuda Network Access Client with the full client including the centrally managed
Barracuda Personal Firewall.
Authentication Support
Supported are the following authentication methods:
Active Directory
LDAP
RADIUS
MSNT
RSAACE
X.509 certificates
RSA tokens
Smart Cards
Personal Firewall Capabilities
Amongst the features supported by the Barracuda Personal Firewall are:
Dynamic adapter object handling
RPC handling
Multiple rule sets support
Client side policy enforcement
Policy Matching Capabilities
The Barracuda Network Access Client's policy matching capabilities include:
ID-based policies
Support for ID based exemptions (health condition and/or software update)
Date and time conditions
Access type (internal and external category supported)
Separate machine policies
Separate policies
Separate quarantine policies
Machine properties (Microsoft operating system time, Microsoft SID, x.509 certificate for LocalMachine account with subject, issuer, alt name conditions, host name, MAC address, network ACL, NetBIOS name)
User properties (all of the above plus login name and work group affiliation)
Required client version
Personal firewall active
Antivirus (AV) product installed
AV active
AV realtime protection active
Last AV scan time
Enforce overdue AV scan
AV engine version
AV pattern version
AV pattern max age
Enforce overdue AV engine/pattern update
AntiSpyware (AS) product installed
AS active
AS realtime protection active
Last AS scan time
Enforce overdue AS scan
AS engine version
AS pattern version
AS pattern max age
Enforce overdue AS engine/pattern update
Personal firewall rule set (not available for Barracuda VPN Client)
Registry entries (not available for Barracuda VPN Client)
Welcome message
Welcome picture
C-ID support
ID-based exemption from enforced client updates
Gateway network access roles
Usage Scenario
Feature                        Barracuda VPN Client    Barracuda SSL VPN and NAC
LAN protection                 Yes                     Yes
VPN remote access              Yes                     Yes
Architecture
Feature                        Barracuda VPN Client    Barracuda SSL VPN and NAC
Integrated health agent        No                      Yes
Integrated VPN client          Yes                     Yes
Integrated personal firewall   No                      Yes, managed
Full entegra policy support    No                      Yes
Configuring the Client
Creating VPN Profiles
This section deals with the Windows version of the Barracuda VPN Client. For Mac OS X and Linux versions, navigate to The
Barracuda NAC and VPN Clients.
In this article:
How to Create a New Profile Using the Profile Wizard
How to Configure a New Profile Manually
How to Import a Profile Previously Created in Barracuda NG Admin
How to Create a New Profile Using the Profile Wizard
For your convenience, you may use the Profile Wizard to easily create and configure a new VPN profile.
To start the wizard, right-click anywhere within the empty white space in the Barracuda VPN Control window and select New (Wizard).
In the Profile Wizard window, type the VPN server’s address into the upper field and, optionally, a name to display into the lower field.
The next window is titled Authentication Method. You can later choose a different method for authentication in case you have chosen the wrong
one.
Choosing Username and Password or SecurID will enable the Finish button, allowing you to complete the configuration process at this point.
However, if you selected one of the two remaining options, Certificate or Barracuda Personal License, you will be taken to another
configuration step.
If you have chosen Barracuda Personal License, you will see the following window of the same title. To finish the configuration wizard, browse for the license file and then click Finish.
If you have chosen Certificate, you will be taken to this dialog of the same title. Enter your certificate data and click Finish to complete
the wizard.
You can later call the wizard again by right-clicking Modify Profile (Wizard) ... at the respective VPN profile entry.
How to Configure a New Profile Manually
Left-click the Barracuda Network Access Client icon in the system tray to open the VPN component. This will bring up the client’s status window, which is attached to the tray.
Clicking Connect (altered by Disconnect, if already connected) will open the client’s configuration window.
On the first start, or if no working VPN profile for automated connecting has been defined before, the client will show up with the Default profile’s Connect dialog as shown below:
The VPN profile can be chosen using the Profile drop-down menu. Clicking Connect either left-hand or at the bottom would then initiate a
connection using the chosen profile:
However, before connecting for the first time, you need at least one working VPN profile. Clicking Preferences will bring up the Barracuda VPN
Control dialog wherein the necessary configurations can be made:
The space on the right side of this screen is reserved for a list of VPN profiles. It will be empty on the first start. You may now create a new VPN profile by clicking New, which will bring up another window for configuring the profile. Insert a name for the connection entry into the Description field at the top. In the Certificate list, select and configure an authentication method. Then insert the address of the remote server into the Remote Server field. Save the connection entries.
Configure a VPN profile for every known VPN server you might want to access. This way you can use the client’s Direct Access functionality, enabling you to keep your VPN connection automatically up in the background via different VPN gateways. See also: Direct Access.
The newly created profile can now be chosen as a preconfigured profile from the VPN client dialog.
Instead of creating a new profile, the default profile can of course be edited. Advanced configuration options found in the Advanced Settings tab
are described in-depth in Barracuda Networks Control / Preferences Dialog.
You can create multiple profiles for several users with individual certificates.
How to Import a Profile Previously Created in Barracuda NG Admin
Starting with Barracuda VPN Client 3.2, you can import VPN profiles created in Barracuda NG Admin. To do so, execute the following steps:
1. Create a VPN profile within Barracuda NG Admin and save it locally.
2. Locate the saved *.vpn file in Windows Explorer and double-click it.
3. The profile will now be imported into the Barracuda VPN Client. The message below is displayed if the import process was successful.
VPN profile creation and import is only possible with Barracuda Network Access Client version 3.2 or later and Barracuda NG Admin
versions newer than 5.2.5.
Template Code: VPN Profile Registry Keys
Using Remote VPN
This section deals with the Windows version of the Barracuda VPN Client. For Mac OS X and Linux versions navigate to The
Barracuda NAC and VPN Clients.
In this article:
Remote VPN (rvpn)
Remote VPN (rvpn)
Remote VPN allows connecting/disconnecting automatically via script. The rvpn.exe file is downloadable from Barracuda Networks.
To use rvpn, execute the steps listed below.
Step 1. Create a VPN Profile
First, you must configure the required profile as described in Creating VPN Profiles.
Step 2. Allocate the Profile in the Windows Registry
Start the registry editor and navigate to HKEY_USERS > .DEFAULT > Software > Barracuda Networks > Barracuda VPN > Profile. This key contains a separate subkey for each VPN profile.
Warning
The sequence within the registry (1, 2, 3, …) does not match the sequence in the Barracuda VPN Client's user interface. Have a look at
the Description entry in the registry in order to find out which profile number matches the required VPN profile.
Step 3. Create a New Remote VPN Profile
An rvpn profile contains several parameters determining the actions to be taken when a profile is executed:
Parameters Contained in an rvpn Profile
Parameter
Description
-c [X]
Initiate a connection. [number of retries]. Default is 1.
-a [X, *]
Local password [certificate password]. This parameter is only
necessary if a password is set.
-aa
Display a pop-up for the local password.
-cs [X]
Client shutdown password protection. Prompts for the password [X]
whenever a user tries to shut down the VPN client. Leaving [X] blank
deactivates this feature.
-d
Initiate disconnection.
-f "X+X"
Process to kill [0, KILL].
-g [X]
The IP address of the VPN server. If this parameter is given, it
overrules the server IP address configured in the profile.
-h
Hide the console.
-n
Set the profile name.
-o
Give a proxy password.
-p
Give a VPN server password.
-pp
Display a pop-up for the VPN client password.
-preconnector [X]
If the VPN connection is terminated, then this preconnection is also
terminated (useful for e.g. terminating a modem connection).
-r [X]
Profile [registry ID].
-u [X]
User.
-v [X]
Verbose.
-x [X]
Command (showvpn, shofw).
Examples
rvpn.exe -c -r 3 -a vpntest -p a12b34c56
Connects (-c) using client profile "3" (-r 3), certificate password "vpntest" (-a vpntest) and server password "a12b34c56" (-p a12b34c56).
rvpn.exe -c 10 -r 3 -a vpntest -p a12b34c56
The same example as the previous one but with 10 retries for connecting (-c 10).
rvpn.exe -c -r 3 -aa -p a12b34c56
Starts a query for a local certificate password (-aa) via pop-up. The script does not run completely automatically; it requires manual user input.
rvpn.exe -c -r 3 -a * -p a12b34c56
Starts a query for a certificate password (-a *) via a DOS window. The script does not run completely automatically; it requires manual user input.
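The profile lookup of Step 2 and the rvpn call of Step 3, scripted in PowerShell as an added example (not Barracuda's own code). It assumes rvpn.exe is on the PATH, that each profile subkey under the registry path named in Step 2 carries a Description value, and that -d accepts -r in the same way -c does; the profile name 'Head Office' is a constructed placeholder.

```powershell
# Added example, not part of the Barracuda documentation or of rvpn itself.
# Resolves a VPN profile's registry ID from its Description (Step 2) and
# runs rvpn.exe with that ID (Step 3), so no profile number is hard-coded.
# Assumptions: rvpn.exe is on the PATH; each profile subkey carries a
# "Description" value; -d takes -r like -c does.

$ProfileRoot = 'Registry::HKEY_USERS\.DEFAULT\Software\Barracuda Networks\Barracuda VPN\Profile'

function Get-BarracudaVpnProfileId {
    param([Parameter(Mandatory)] [string] $Description)

    # Subkey names (1, 2, 3, ...) are the registry IDs that -r expects. Their
    # order differs from the client GUI, so match on the Description value.
    $found = @(Get-ChildItem -Path $ProfileRoot -ErrorAction Stop | Where-Object {
        $desc = (Get-ItemProperty -Path $_.PSPath -Name 'Description' -ErrorAction SilentlyContinue).Description
        $desc -eq $Description
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one profile described '$Description', found $($found.Count)."
    }
    return [int]$found[0].PSChildName
}

function Connect-BarracudaVpn {
    param(
        [Parameter(Mandatory)] [string] $Description,
        [int] $Retries = 1,          # -c [X], default 1 as in the parameter table
        [string] $ServerAddress      # optional -g override of the profile's server
    )
    $id = Get-BarracudaVpnProfileId -Description $Description

    # -aa / -pp prompt for the certificate and server passwords in pop-ups, so
    # neither secret appears on the command line, where -a / -p values would be
    # readable from any local process listing. The trade-off is that the script
    # then needs an interactive user, exactly as the rvpn examples note.
    $rvpnArgs = @('-c', $Retries, '-r', $id, '-aa', '-pp')
    if ($ServerAddress) { $rvpnArgs += @('-g', $ServerAddress) }

    & rvpn.exe @rvpnArgs
    return $LASTEXITCODE
}

function Disconnect-BarracudaVpn {
    param([Parameter(Mandatory)] [string] $Description)
    $id = Get-BarracudaVpnProfileId -Description $Description
    & rvpn.exe -d -r $id          # assumption: -d is scoped to a profile with -r
    return $LASTEXITCODE
}

# Constructed usage; 'Head Office' is a placeholder profile description.
# Connect-BarracudaVpn -Description 'Head Office' -Retries 10
# Disconnect-BarracudaVpn -Description 'Head Office'
```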
Connection Procedure
After successful authentication against the VPN server, the client requests the configuration from it. When the configuration is received, the VPN
Service transmits this configuration to the Barracuda Networks Secure Personal Access Client (SPAC). This enables the SPAC to answer DHCP
requests.
Step 1. Client Initiates Connection
The client opens a socket on the server, starts the authentication process, and requests the configuration data.
Step 2. Client Receives Configuration
The IP address, subnet mask, WINS, DNS, etc. are received by the client.
Step 3. Client Sends Received Information to the SPAC
The previously received configuration data is sent to the Barracuda Networks Secure Personal Access Client.
Step 4. Client Triggers ipconfig /renew
The newly received configuration data is applied to the Barracuda VPN Virtual Adapter.
Step 5. SPAC Answers DHCP Requests for the Adapter
The Barracuda Networks Secure Personal Access Client answers DHCP requests for the virtual adapter using the previously received
configuration data.
Step 6. OS Reconfigures Adapter
The operating system now reconfigures the virtual adapter.
Step 7. VPN Service Introduces Additional Routes
The additional routes that become available through the VPN connection are introduced to the network.
Step 8. Personal Rule Set is Implemented
In a last step, the corresponding rule set for the Barracuda Personal Firewall is implemented.
The Barracuda Personal Firewall
In this Article
Overview
Integration with Windows 7's Intrusion Control
Rule Set Selection
User Interface
Menu Bar (General Firewall Settings and Tasks)
Firewall Menu
View Menu
Security Mode Menu
Load Display
Live Activity - Monitoring Firewall Activities
Summary
Events
Filter Section
History
Listing and Context Menu
History Selection Tab
History Filter Tab
Live Activity
Listing and Context Menu
Filter Conditions
Current State - Setting the Security Mode
Configuration
General
Rules
Context Menu
Button Bar
Rule Configuration
Adapters
Networks
Services
Applications
Users
Rule Tester
Test Reports
Administration - Firewall Settings Wizard
Automatic Adapter Configuration
Automatic Rule Configuration
IPv6 Router Advertisement Guard
What is IPv6 Router Advertisement?
Potential Vulnerabilities in Conjunction with RA Messages
IPv6 Router Advertisement Guard Functionalities
Example 1:
Example 2:
Example 3:
Default Firewall Rules for the IPv6 Router Advertisement Guard
Monitoring the IPv6 Router Advertisement Guard
Personal Firewall Default Ruleset
Rule Categories
Adapters
Networks
Services
Applications
Default Rules
Barracuda VPN
Outbound
Network Discovery
Outbound
Inbound
Core Network
Outbound
Core IPv6 Tunnel
Outbound
File and Printer Sharing
Outbound
Inbound
Local
Outbound
Overview
If you already have firewall administration experience and knowledge of the Barracuda Personal Firewall, you may continue reading on the Configuring Personal Firewall Rules on the Barracuda NG Control Center page.
The Barracuda Personal Firewall is a lighter version of the Barracuda NG Firewall especially designed for client usage. Nevertheless, most
configuration options of the Barracuda NG Firewall are available. When connected to an Access Control Service or via VPN, the Barracuda
Personal Firewall can accept rule sets sent from the Barracuda NG Firewall (depending on the used client license).
Open the configuration screen of the Barracuda Personal Firewall by right-clicking the VPN Status icon in the system tray, followed by selecting Personal Firewall from the context menu. You can also use the Windows start menu by browsing to Start > All Programs > Barracuda Network Access Client > Personal Firewall.
Selecting one of the following functional firewall modes is possible within the context menu of the system tray icon:
Block All
Barracuda Networks Secure Mode
Disable Firewall (Allow all Traffic)
The active operational mode is selected. To change the mode, click another item in the menu.
You must not directly switch from Disable Firewall (Allow all Traffic) to Block All. Always select Barracuda Networks Secure Mode
as intermediate step.
Each rule in a Barracuda Personal Firewall rule set is constructed from a variety of configuration entities (Adapters, Networks, Services,
Applications, Users), which can be created and maintained independently from the rule set itself. They are then pieced together building a
logical formation. Each configuration entity may be accessed from the Configuration sub-menu in the left navigation bar.
The Configuration section of the Barracuda Personal Firewall complements the automatic configuration mechanisms made available by the Firewall Settings Wizard in the Administration section (see Firewall Settings Wizard). It allows you to:
Create rules from scratch in the Rules view.
Modify objects and rules that have been created automatically through settings in the Administration view (see the Firewall Settings Wizard).
Modify objects and rules that have been created in the History view by selecting Add Pass/Block > Traffic Policy… from the context menu.
Firewall administration experience is required to manipulate the Barracuda Personal Firewall manually.
Integration with Windows 7's Intrusion Control
The Barracuda Personal Firewall integrates with Windows 7’s intrusion control system. If configured to do so in Firewall Settings > Firewall
Settings > Disable Windows Firewall, it will properly replace the built-in Windows firewall as long as it is enabled. Disabling the Barracuda
Personal Firewall will automatically re-enable the Windows firewall.
You can view the current protection status in your Windows 7 system within Control Panel > System and Security > Windows Firewall and
within Control Panel > System and Security > Action Center:
Rule Set Selection
Click Rule Set Selection… to select one of the available rule sets for viewing. The Local Rule Set is selected by default. Only the Local Rule
Set may be edited in the Barracuda Personal Firewall.
In order to learn about configuring centrally managed Personal Firewall rule sets on the Barracuda NG Firewall, see the Configuring
Personal Firewall Rules on the Barracuda NG Control Center page.
User Interface
The graphical user interface of the Barracuda Personal Firewall consists of the following items:
Menu Bar (General Firewall Settings and Tasks)
The following configuration items of the Barracuda Personal Firewall are accessible via the menu bar (use the ALT key to open or close the menu
bar):
Firewall
Navigate to Firewall Menu for more information.
View
Navigate to View Menu for more information.
Security Mode
Navigate to Security Mode Menu for more information.
Help
Firewall Menu
Save Configuration
Select this item to save configuration changes immediately.
Click the Save Configuration link within the configuration item bar to save configuration changes after prior confirmation
inquiry.
Settings…
Select this item to adjust the general behavior of the Barracuda Personal Firewall.
The following parameters are available for configuration:
Firewall Settings Tab
Configure various firewall settings here.
Firewall Settings > Protocol Option
Parameter
Description
Log dropped packets
Log successful connections
Select these checkboxes to activate logging for dropped packets and
/ or successful connections.
The log line structure is illustrated below.
Firewall Settings > Protocol File
Parameter
Description
File name
Path and name of the VPN client log file. By default, the file is saved to: C:\Program Files\BarracudaNG\phlog.txt
Size limit
Maximum size for the log file (default: 4096 KByte).
Firewall Settings > Network Object
Parameter
Description
IP Monitor
Selecting this checkbox (default: selected) activates the dynamic
updating of network objects (see Networks).
Automatic Adapter Assignment
Selecting this checkbox (default: selected) activates the dynamic
updating of network interface adapters.
If active, network adapters are automatically added to the Adapter
Objects configuration area as soon as they are used for the first time
(see Adapters).
Firewall Settings > Firewall Settings
Parameter
Description
Disable Windows Firewall
Selecting this checkbox disables the Windows firewall if it is installed
(default: selected).
This computer is an ICS gateway (e.g. allow PAN)
For security reasons, the client prevents the workstation from acting
as an ICS gateway. PAN devices will be ignored unless this checkbox
is selected (default: not selected).
Block all IP Fragments
By default, IP fragments are generally allowed to pass the firewall
notwithstanding the configured rule set. Select this checkbox to block
IP fragments.
Passthru all IPv6 Packets
By default, IPv6 packets are generally allowed to pass the firewall
notwithstanding the configured rule set. Select this checkbox to block
IPv6 packets.
ICMP Parameters Tab
Configure the blocking of ICMP packets here.
Export Firewall Rule Set...
This item allows you to export the rule set from the Barracuda Personal Firewall to a text file.
Import Firewall Rule Set…
This item allows you to import a rule set into the VPN client. The rule set may either originate from another Barracuda Personal Firewall
or from a firewall configured on a Barracuda NG Firewall.
Close Firewall Window
Selecting this item closes the Barracuda Personal Firewall configuration window.
View Menu
DCERPC List
Status of each DCERPC communication slot. For detailed information concerning DCERPC, see the Barracuda NG Firewall documentation.
Access Control Server IPs…
Displays every Access Control Server the client knows of.
Security Mode Menu
The items in the Security Mode menu allow you to adjust the security level of the Barracuda Personal Firewall.
Block All
Prohibit all traffic.
Disable Firewall (Allow All Traffic)
Turn the firewall off and allow all traffic.
Barracuda Networks Secure Mode
Activate customized firewall rule sets.
Process Monitor
Generate an entry in the Events monitor for every process initiation.
Load Display
The load display is a graphical view of current incoming and outgoing connections. The dimensions of the graphs depend on the current peak load. The last graph (Block) depicts the amount of blocked connections.
Live Activity - Monitoring Firewall Activities
Items arranged in the Live Activity view give a review of application activities in the Barracuda Personal Firewall. The Live Activity view is divided into the following sub-items:
Summary
Navigate down to the next section below this item list.
Events
Navigate to Events for more information.
History
Navigate to History for more information.
Live Activity
Navigate to Live Activity for more information.
Summary
This view gives a quick comparison overview of the 5 most used Ports, Active Internet, and Blocked Applications.
Events
The Events view lists all applications that are running or have been executed on the machine and that have requested to pass the firewall.
Double-click a list entry to view event details. Select Reload Logs from the context menu to reload the display of logged entries.
The listing is divided into the following columns:
Event View Details
Column
Description
Date
Date and time at which the connection was initiated.
Action
Type of the recorded action: System Information, Monitored connection, or Informational message.
Application
The application that initiated the connection, and the port assigned to it over which the connection is processed.
Parent
Parent process that initiated the application.
Access
Status and direction assigned to the connection. An application can either be in Process started or Process ended state, and the connection direction can either be Outbound or Inbound.
User
The user object assigned to the connection (see also: Users).
Object
Full path to the application that is responsible for the connection.
Filter Section
The Filter section allows you to define filters in order to narrow down the view in the event listing. Select the checkbox assigned to an item to
activate filter effectiveness and select or insert the desired filter value. Click Refresh to apply the filter settings.
History
The History view details the entire network traffic, that is, all established connections and connection attempts that have appeared since the last system boot.
Listing and Context Menu
The listing is divided into the following columns:
History Window Details
Column
Description
Direction
Flags the connection direction (Incoming icon, Outgoing icon).
Connection State
Flags the connection state (Granted connections icon, Blocked
connection attempts icon, Failed connection attempts icon).
Date/Time
Date and time of traffic initiation.
Application
Name of the application.
Protocol
Protocol assigned to the application.
Source
Source IP of the connection.
Destination
Destination IP of the connection.
Port
Connection port.
User
Name of the user who has initiated the connection attempt.
Traffic Policy
Name of the effective firewall rule.
Info
Connection status (passed, blocked, failed).
Count
Total number of connections processed over this slot.
Last
Time that passed since the last traffic activity over this slot.
Service
Affected service object or UUID (Universal Unique IDentifier).
Adapter
NIC that was used for connection.
AID
Unique Access ID of the connection.
Select and then right-click a list entry to display the following context menu:
Item
Description
Show Details
Select Show Details or double-click a list entry to view a summary of
connection details.
Resolve Source/Destination IP
Tries to resolve the source and destination IP addresses and
summarizes the results (port, IP address, hostname and description)
in a separate window.
Send to Rule Tester
Inserts the connection details into the rule tester and opens the rule
tester window.
Add Pass Rule
Inserts the connection details into a new rule with default action Pass
and opens the rule object window for editing.
Add Block Rule
Inserts the connection details into a new rule with default action Block and opens the rule object window for editing.
Flush History
Clears all entries from the history listing.
Ungroup
Undoes the Group by command and sorts the connection entries into
a successive listing.
Group by
Groups list entries by the selected item.
History Selection Tab
In the History Selection tab, the following checkboxes are available for fast and easy filtering.
Access
Only displays connections that have been granted (marked with a green dot).
Rule Block
Only displays connection attempts that have been blocked (marked with a red square).
Fail
Only displays connection attempts that have failed (marked with an exclamation mark icon).
Show all Ethernet protocols
Additionally displays connection attempts over protocols other than TCP, UDP and ICMP.
Show Hostnames
Translates IP addresses into hostnames, if possible.
After each selection change, click the refresh arrows icon to refresh the view. Click the Group History by link to sort listing entries by topic.
History Filter Tab
In the History Filter tab, filter conditions can be set to confine the view to the minimum wanted amount of entries. If filters apply, the History
Filter tab is highlighted in yellow. Select the checkbox on the right side of an available filter to activate it and insert the condition to apply.
Policy
Filter the connection’s traffic policy.
Source
Filter the source IP address of the connection.
Application
Filter the application which has attempted to connect.
In/Out
Filter incoming or outgoing connections.
Protocol
Filter a connection protocol.
Destination
Filter the destination IP address of the connection.
Port
Filter a connection port.
Show matching entries / Hide matching entries
Toggle between displaying and hiding the matching entries.
Live Activity
The Live Activity view details all currently active connections.
Listing and Context Menu
The listing is divided into the following columns:
Live Activity Window Details
Column
Description
Direction
Flags the connection direction (Outgoing connections icon, Incoming connections icon).
Load
Displays the current connection load using a bar graph.
Date/Time
Date and time of traffic initiation.
Application
Application name and its PID (Process ID).
Protocol
Protocol assigned to the application.
Source
Source IP address of the connection.
Destination
Destination IP address of the connection.
Port
Connection port.
User
Name of the user who has initiated the connection attempt.
Traffic Policy
Name of the effective firewall rule.
bps
Connection load in bits per second.
Idle
Idle time of the connection.
Total
Total amount of traffic summarized from incoming (In column) and
outgoing (Out column).
Start
Time that has passed since the connection's initiation.
Service
Affected service object or UUID (universal unique identifier).
ID
Internal slot ID.
Session Timeout
Effective connection state or current session timeout value.
Select and right-click a list entry to display the following context menu:
Item
Description
Show Details
Select Show Details or double-click a list entry in order to view a summary of the connection's details.
Disconnect
Terminates the selected connection.
Resolve Source/Destination IP
Tries to resolve the source and destination IP addresses and summarizes the results (port, IP address, hostname and description) in a separate window.
Entries displayed in italic indicate closed connections waiting for RST-ACK (reset acknowledgement). The RST-ACK must be awaited in order to avoid it being blocked by the firewall.
Filter Conditions
Click the Filter button to open the Filter Condition window. This allows you to specify filter conditions in order to confine the view to only the
entries you want.
Click Activate to activate the filter settings. Click Disable to deactivate the filter settings. After having specified a filter, click Refresh to refresh
the view. Click Capture to record traffic processed over the network interface.
Administrator rights are required to use the Capture option.
The data acquired is saved as a .cap file in the local folder of the VPN client (usually C:\Program Files\BarracudaNG).
A special viewer is needed for viewing network traffic recorded in .cap files. You may, for example, use Wireshark for this purpose; it can be
downloaded from www.wireshark.org.
Current State - Setting the Security Mode
Clicking the link below the appropriate navigation item changes the effective state of the Barracuda Personal Firewall. The current state is
depicted by one of the following icons and links respectively:
Disabled
By default (after a fresh installation), the firewall is in disabled state. Click the link to enable the secure mode.
Secure
The secure firewall mode is active. Click the link to deactivate any impacts of the configured rule set.
Configuration
Usually, the configuration of the firewall is directly made at the server (see the Configuring Personal Firewall Rules on the Barracuda NG Control
Center page).
General
In Windows Vista, if an item named Increase permissions appears in the Configuration sub-menu as illustrated in the figure below, you have no
access to the configuration. In this case, contact your system administrator to have editing enabled.
Rules
The Rules view allows manual rule configuration. Rules controlling incoming traffic are arranged in the Incoming tab, rules controlling outgoing
traffic are arranged in the Outgoing tab. See the figure below for an example.
See the Configuring Personal Firewall Rules on the Barracuda NG Control Center page to learn how to configure centrally managed
rule sets on a Barracuda NG Firewall using Barracuda NG Admin.
Personal Firewall rule sets are not capable of RCS.
Context Menu
Select and right-click a list item to display the following context menu:
Item
Description
Show Source Addresses …
Opens a window displaying all source addresses affected by the selected rule.
Show Destination Addresses …
Opens a window displaying all destination addresses affected by the selected rule.
Show Services …
Opens a window displaying all services affected by the selected rule.
Show Applications …
Opens a window displaying all applications affected by the selected rule.
Show Adapters
Opens a window displaying all adapters affected by the selected rule.
Show Users
Opens a window displaying all users affected by the selected rule.
Select Overlapping
As a connection request can match several conditions, the succession of the rules within a rule set is very important. If rules are in an erroneous sequence, they might interfere with one another. The Select Overlapping function is meant to help avoid configuration mistakes. When applied to a selected rule, all rules possibly interfering with it are highlighted. In the majority of cases, the overlap is a harmless outcome of the use of very openly defined objects such as the InterNet object.
Edit …
Opens the rule configuration dialog for the selected rule (see Rule Configuration).
New …
Opens the rule configuration dialog for a new rule (see Rule Configuration).
Delete
Deletes the selected rule(s).
Copy
Copies the selected rule(s) to the clipboard.
Paste
Pastes the selected rule(s) from the clipboard.
Button Bar
In the button bar, select a rule and click the Up or Down button to shift the rule up or down within the rule set. Alternatively, you can drag
and drop rules within the rule set.
Like a regular Barracuda NG Firewall rule set, the Barracuda Personal Firewall rule set is processed in sequence until an applicable rule is
found. Therefore, to achieve correct rule processing, rules need to be arranged in the correct order.
Rule Configuration
Select New… from the context menu in order to create a new rule.
Configure the following connection details in the Rules view of the Rule Object window:
Rules > Rule Object > Options
Item / Parameter
Description
Action
Select Pass to enable a connection request, or select Block to prevent it.
Name
Insert a rule name into this field.
Comment
For easier identification, insert a rule description (optional).
Inactive checkbox
Select the Inactive checkbox to disable a rule (default: unselected).
A minimum specification of the following connection details is mandatory in the sections below:
Source / Destination / Service or
Adapter / Source / Service or
Adapter / Destination / Service
Always take into consideration that modifying an object is a global action. For example, any other rule using the specific object will be
affected by the modification. This applies only for referenced objects, not for objects of the <explicit> type. Explicit objects are only
available for the current rule.
Rules > Rule Object > Options > Sections
Section
Description
Adapter
Specify an adapter for the connection request. In the list, all Adapter
objects that have been defined in the Adapter window are available
(9.8.3 Adapters, page 110).
Right-click the Adapter window below the list and select New… to
create a new Adapter object. Double-click an available entry to edit
the assigned Adapter object.
Source / Destination
Specify a source for the connection request. In the list, all Network objects that have been defined in the Networks window are available (9.8.4 Networks, page 112).
Select <Explicit> to define a Network object explicitly without adding it to the Network Objects listing.
Right-click the source window below the list and select New… to create a new Network object.
Double-click an available entry to edit the assigned Network object.
Service
Specify a service for the connection request. In the list, all Service objects that have been defined in the Services window are available (9.8.5 Services, page 114).
Select <Explicit> to define a Service object explicitly without adding it to the Service Objects listing.
Right-click the source window below the list and select New… to create a new Service object.
Double-click an available entry to edit the assigned Service object.
Application (optional)
Specify an application for the connection request. In the list, all Application objects that have been defined in the Application window are available (9.8.6 Applications, page 116).
Select <Explicit> to define an Application object explicitly without adding it to the Application Objects listing.
Right-click the source window below the list and select New… to create a new Application Object.
Double-click an available entry to edit the assigned Application object.
User (optional)
Specify a user for the connection request. In the list, all User objects that have been defined in the User window are available (9.8.7 Users, page 119).
Select <Explicit> to define a User object explicitly without adding it to the User Objects listing.
Right-click the source window below the list and select New… to create a new User Object.
Double-click an available entry to edit the assigned User Object.
Configure the following connection details in the Advanced view of the Rule Object window:
Edit/Create Rule Object > Options > Rule Mismatch Policy
Parameter
Description
Source / Service / Destination / Application / User / Adapter
Continue on Mismatch (default)
Process the rule even if the corresponding object does not match the configured setting.
BLOCK on Mismatch
Do not process the rule if the corresponding object does not match the configured setting.
Edit/Create Rule Object > Options > Miscellaneous
Parameter
Description
Time Restriction
A time restriction can be assigned to each rule. The granularity is one hour on a weekly basis.
A rule is allowed at all times by default, i.e., all checkboxes in the Time Interval window are cleared. Selecting a checkbox denies the rule for the given time.
Select (set invert) from the list to configure allowed and disallowed time intervals simultaneously.
Select (set allow) from the list to clear selected checkboxes.
Select (set deny) from the list to configure disallowed time intervals.
Select Continue if Mismatch to process the rule even if the time restriction denies it.
Select Block if Mismatch to prevent rule processing if the time restriction denies it (default).
The example figure below this table shows a time interval setting for a rule which has been set to disallowed on all days from 8 a.m. to 5 p.m.
Monitor Connections
Yes / No
Adapters
The Adapters view allows you to view and configure network adapters available on the system. Adapters may be employed in firewall rules, in
order to restrict rule processing to a specific adapter or a set of adapters only.
The listing contains the following columns:
Adapter Object View
Column
Description
Name
Name of the adapter object.
Referenced by
Number of references pointing to the adapter object.
Status
Current connection status of the adapter object (connected, disabled or multi).
IPs
IP addresses and/or references assigned to the adapter object.
Trust
Trust type assigned to the adapter object (trusted or untrusted).
Comment
Optional adapter object description.
In the Adapter Objects view, several dynamic adapter objects (flagged with the icon) are preconfigured.
Dynamic objects are updated at runtime when adapter configuration changes and cannot be edited manually. In order for this to work,
Automatic Adapter Assignment must be selected in the Firewall Menu.
The following objects (assigned with status multi) are available:
Adapter [Dial-up]
This object summarizes all dial-up adapters available on the system (e.g. UMTS, ISDN, and modem cards).
Adapter [Ethernet]
This object summarizes all Ethernet adapters available on the system (e.g. LAN devices).
Adapter [Wireless]
This object summarizes all wireless adapters available on the system (e.g. WLAN cards).
Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects
may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless
adapters.
The following further adapter objects are available:
[Network Connection name] (for example, Local Area Connection)
These are the LAN devices available on the system. The Network Connection name is retrieved from the Microsoft Windows Network
Connections view (available through Start > Control > Network Connections).
The "logical" Microsoft Windows name, which depends on the operating system's language version, is used for object naming, not the
device name.
VPN
This is the virtual interface of the Barracuda VPN connection.
To create a new adapter object, click New … in the Adapter Objects window.
The following options are available:
Edit/Create Adapter Object
Parameter
Description
Name
Specify a name for the adapter object.
Comment
Optionally, insert an adapter description.
Trust Type
Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in Administration > Firewall Settings. If you do not want to create a reference, then select Untrusted.
When later changing the setting from Trusted to Untrusted, the reference to the adapter object is automatically deleted from the Trusted Network object. References to Untrusted adapter objects must not be added to the Trusted Network object manually.
Status
Displays the connection status of the adapter object. Read-only.
IPs
The IP addresses assigned to the adapter object. Read-only.
Adapter
Network adapter you wish to create the adapter object for. Click New
to add your selection to the Adapter list.
Ref
Network reference you wish to create the adapter object for. Click New to add your selection to the Adapter list.
Networks
The Networks view facilitates IP address/network management. Use the Networks window to assign names to single IP addresses or to
combine several IP addresses, networks, or references into networking objects.
For clearer network management, reference network objects rather than explicit IP addresses when configuring firewall rule sets.
In the Network Objects window, a number of dynamic network objects are preconfigured.
Dynamic objects are updated at runtime with network configuration changes. They cannot be edited manually. For dynamic updating to
work, Automatic Adapter Assignment must be selected in the Firewall Settings .
localIP
The localIP object contains all IP addresses that are configured on trusted adapters as well as a reference to the Net-Broadcast object.
virtualIP
The virtualIP object contains the IP address assigned from the VPN server. The virtual IP address is only available while VPN
connections are established.
Net-[Network Connection name]
These objects contain the network addresses of each specific adapter available on the system. The Network Connection name is
retrieved from the Microsoft Windows Network Connections view (available within Start > Control > Network Connections).
The "logical" Microsoft Windows name, which depends on the operating system's language version, is used for object naming, not the
device name.
Net-[Network Connection name] objects may be used for setup of abstract rule sets.
InterNet
The InterNet object may be used for outbound connections to the Internet (the 0.0.0.0/0 network).
TrustedNet
Use the TrustedNet object to refer to trustworthy networks. The content of this object depends on the assignment of an adapter as
trusted or untrusted (see Adapters). If an adapter is specified as trusted, the IP addresses living on it are added to the TrustedNet object.
Vice versa, they are deleted from it as soon as the trust assignment changes to untrusted. The TrustedNet object is also updated when the
IP address configuration of a trusted adapter changes.
Net-NGVPN
The Net-NGVPN object contains the address of the network the virtualIP object is living in.
Secured routes are assigned to the Net-NGVPN object.
Net-Broadcast
This object contains the broadcast addresses of IP addresses configured on trusted adapters. The broadcast addresses are calculated
directly from the IP addresses.
Net-Multicast
This object includes the multicast network 239.255.0.0/16.
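The dynamic objects listed above are all derived from the current adapter configuration; the following Python is an added example (not Barracuda code) showing how TrustedNet, localIP, Net-Broadcast, Net-[connection name], virtualIP and Net-NGVPN follow from each adapter's addresses and trust assignment, and how a trust change regenerates them. Connection names, addresses and prefix lengths are constructed sample values, and representing a reference as the string "ref:Net-Broadcast" is this example's own convention.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface

@dataclass
class Adapter:
    name: str               # Windows network connection name
    kind: str               # "Ethernet", "Wireless" or "Dial-up"
    trusted: bool           # trust type set in the Adapter Object dialog
    ips: list = field(default_factory=list)   # addresses with prefix, e.g. "192.0.2.10/24"

def adapter_objects(adapters):
    """Dynamic adapter objects: the multi-status Adapter [Ethernet] / [Wireless] /
    [Dial-up] objects plus one object per connection name holding its addresses."""
    objs = {"Adapter [Dial-up]": [], "Adapter [Ethernet]": [], "Adapter [Wireless]": []}
    for ad in adapters:
        objs["Adapter [%s]" % ad.kind].append(ad.name)
        objs[ad.name] = [str(IPv4Interface(ip).ip) for ip in ad.ips]
    return objs

def network_objects(adapters, virtual_ip=None):
    """Dynamic network objects derived from the current adapter configuration."""
    objs = {"InterNet": ["0.0.0.0/0"], "Net-Multicast": ["239.255.0.0/16"]}
    trusted, broadcast = set(), set()
    for ad in adapters:
        ifaces = [IPv4Interface(ip) for ip in ad.ips]
        # Net-[connection name]: the network addresses of that adapter
        objs["Net-" + ad.name] = sorted(str(i.network) for i in ifaces)
        if ad.trusted:                  # only trusted adapters feed TrustedNet
            trusted.update(str(i.ip) for i in ifaces)
            # Net-Broadcast is calculated directly from the trusted IP addresses
            broadcast.update(str(i.network.broadcast_address) for i in ifaces)
    objs["TrustedNet"] = sorted(trusted)
    objs["Net-Broadcast"] = sorted(broadcast)
    # localIP: the trusted addresses plus a reference to Net-Broadcast
    objs["localIP"] = sorted(trusted) + ["ref:Net-Broadcast"]
    if virtual_ip is not None:          # only while the VPN connection is established
        vpn = IPv4Interface(virtual_ip)
        objs["virtualIP"] = [str(vpn.ip)]
        objs["Net-NGVPN"] = [str(vpn.network)]
    return objs

def set_trust(adapters, name, trusted):
    """Change an adapter's trust assignment and rebuild the dynamic objects,
    which is what happens at runtime with Automatic Adapter Assignment."""
    for ad in adapters:
        if ad.name == name:
            ad.trusted = trusted
    return network_objects(adapters)

# Constructed sample configuration (connection names and addresses are made up).
ADAPTERS = [
    Adapter("Local Area Connection", "Ethernet", True, ["192.0.2.10/24"]),
    Adapter("Wireless Network Connection", "Wireless", False, ["198.51.100.5/24"]),
    Adapter("Mobile Broadband", "Dial-up", False),
]
```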
Click New … to open the Net Object dialog.
Insert a Name and a Description for the Net Object in order to later identify it easily.
In the Entry section, insert IP and network address(es) of the new Net Object and/or specify a Reference to the Net Object, for example select
an existing Net Object to refer to a new one.
The Excluded Entry section allows excluding specific networks from a network object.
For transparency and consistency reasons there are no references available in this section.
Services
The Services window facilitates port and protocol management. Use the Services window for assigning ports and protocols to specific services
and for merging multiple services to one Service Object using references.
Properties of Service Objects are described in detail in Service Objects.
The following services are available in the Barracuda Personal Firewall by default:
Barracuda Personal Firewall Services
Service Name | Port | Protocol | Connection
Description
ICMP | - | - | Out / In
Internet Control Message Protocol. ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation, or misoperation.
DNS | 53 | TCP/UDP | Out
Domain Name Service. Method by which the Internet addresses in mnemonic form (e.g., www.barracudanetworks.com) are converted into the equivalent numeric IP address (e.g., 134.220.4.1).
BOOTPS | 67 | UDP | Out
Bootstrap protocol. Also used for DHCP (Dynamic Host Configuration).
Kerberos | 88 | TCP/UDP | Out
Protocol for authentication in Windows 2000 environments.
NTP | 123 | UDP | Out
Network Time Protocol. Used to synchronize the time of a computer client or server with another server or a reference time source.
LOC-SRV/EPMAP | 135 | TCP | Out
NETBIOS-NS | 137 | UDP | Out / In
NETBIOS-DGM | 138 | UDP | Out / In
NETBIOS-SSN | 139 | TCP | Out / In
NetBIOS. Very common protocol. It is supported on both Ethernet and TokenRing. In NetBIOS, TCP and UDP communication is supported. It supports broadcasts and multi-casting plus three distinct services: naming, session, and datagram.
SNMP | 161 | UDP | Out
Simple Network Management Protocol. A network management system contains two primary elements: manager (console to perform network management functions) and agents (entities interfacing to the actual managed device). SNMP allows managers and agents to communicate.
LDAP | 389 | TCP/UDP | Out
Lightweight Directory Access Protocol. A set of protocols for accessing information directories.
CIFS | 445 | TCP | Out / In
An advancement of the SMB protocol. It serves as an addition and improvement to FTP and HTTP.
MSTASK | 1026 | TCP | Out
Windows Task Scheduler. Used to schedule tasks, such as backups or updates, to run at certain times or dates.
Applications
The Application Objects window allows creating predefined applications for employment in rule sets.
Click New … to open the Application Object window.
Application Liability and Application Type classifications are purely informational.
Insert Name and Application Object Description for easier identification.
Again, click New … to specify an application. The Application Entry Parameters window opens.
Click Browse and select the file you want to create the object for. Subsequently, the path to the file and its inherent file description will be
displayed in the Path and Description fields below.
Optionally, insert a file description into the Comment field.
Specify Application Liability and Application Type. Currently, these classifications are purely informational.
Click Generate to create an MD5 hash in order to clearly identify the selected file as soon as it is executed.
MD5 hash creation is recommended in order to detect file corruption and avoid leaving the PC vulnerable after an attack.
Consider that in case an application equipped with an MD5 hash is used on multiple clients, file versions must match exactly. The
Application Object will otherwise not be applicable. To delete the hash, click Clear.
Caution
In addition to the application, first level DLLs are taken into consideration. This provides additional security. However, DLLs that are
used by first-level DLLs are not monitored.
The following application objects required in Microsoft Windows domains are available in the Barracuda Personal Firewall by default:
Applications required in Microsoft Windows domains
Application | Connection
Description
System | Out / In
TCP/IP Ping Command | Out / In
Services needed by the OS kernel.
lsass.exe | Out
Local Security Authority Service. Process responsible for management of local security authority domain authentication and Active Directory management.
services.exe | Out
Upon startup, services.exe enumerates through all registry sub-keys located in the HKEY_LOCAL_MACHINE\Services registry key.
spoolsv.exe | Out
The Windows Printer Spooler stores printer jobs and forwards them to the printer when it is ready.
userinit.exe | Out
By default, WinLogon executes this application that triggers logon scripts, re-establishes network connections, etc.
winlogon.exe | Out
This application manages security-related user interactions in Windows NT. It handles requests to log on or off, to change passwords, etc.
svchost.exe | Out
This is a generic host process name for services run from dynamic-link libraries (DLLs). There can be multiple instances of svchost.exe running at the same time.
Users
The Users view allows you to create User and User Group objects to be employed in rule sets. Click New … to open the User Object window.
A user object is automatically created whenever a connection attempt is processed by the firewall. The object is then inserted into the
corresponding rule.
In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda Personal Firewall are available for selection.
Local user/group information is displayed first in the list. If the Windows workstation is a member of a Microsoft Windows domain, then domain
user and group information can be retrieved from the Active Directory server by clicking Update.
Irrespective of the operating system's language version installed on the workstation, the following users will always be displayed in
English:
1. AUTHORITY\SYSTEM
2. AUTHORITY\LOCAL SERVICE
3. AUTHORITY\NETWORK SERVICE
4. AUTHORITY\NETWORK
The internal firewall engine will transform these names to the appropriate language version. Do not insert them manually in a different
language.
Rule Tester
The Rule Tester view allows testing rule sets for consistency.
The following entities are available for rule testing:
Rule Tester > Test Connection
Parameter
Description
Direction
This is the direction of the traffic policy (either Incoming or Outgoing).
Application
To query for an arbitrary application, leave the asterisk character (*) that is already set as default value. Click the Application link and select Update Applications to reset the field to the default value.
From: IP / Port
Insert the source IP address and the corresponding connection port. Click the From or To link to swap IP address and/or port information.
Protocol
Specify which protocol to test. Click the Protocol link and select Show all Protocols to include protocols other than TCP/UDP and ICMP in the list.
Time (optional)
Insert day of the week and time (optionally). Click the Time link and select Insert current Time in order to insert the current day and time.
User (optional)
Select a user from the list (optional). Click the User link and select Update Users to clear the field.
Adapter (optional)
Select an adapter from the list (optional). Click the Adapter link and select Update Adapters to clear the field.
Test
Click Test to test the connection and display the test result in the
section below.
Rule Tester > Test Result
Parameter
Description
Test Status Icon / Action
A connection attempt with the given values can either have failed or have been successful if a rule is applicable. A failed connection attempt is indicated by a status symbol and the Block Action field. A successful connection attempt is indicated by a status symbol and the Pass Action field.
Rule
The applicable rule responsible for the rule test result. Click Edit … to open and modify the corresponding rule. If the connection attempt has been blocked because no rule has applied, the field displays <No Matching Rule Found>.
Service
The applicable Service Object.
PlugIn
If applicable, the name of the plugin that has been employed in the
connection.
Save Result to
Insert the report name and click Save Result to to save the test
result. The output of the connection test is written to the Test
Reports view.
Attribute / Value listing
This listing displays attributes of the tested connection in detail.
Test Reports
Test reports are saved first-come first-served. Test results with Pass are indicated by a green icon, test results with Blocked are indicated by a
red icon. Changing any parameter in any configuration area that influences the result of a test report leads to a status icon change in the overview
window. Green icons will become red. To apply the new conditions to an already existing test report, select the data set in the overview window of
the Test Reports window and click Rectify.
After this action, the status icons will no longer indicate whether an action was successful or not, but instead whether rectification has
been applied. Rectified entries will be flagged with a green status icon, even if the test that generated the entry has failed.
Select a report and click Edit… to open the test result in the Rule Tester window. You may now use the report as a template for further
connection tests. Or, select a report and click Delete to delete the report from the Test Report window.
Administration - Firewall Settings Wizard
Options available in the Firewall Settings view allow you to adjust the preconfigured local rule set of the Barracuda Personal Firewall. Changing
these parameters either triggers rule creation, deletion, or traffic policy changes. Use this configuration area to customize the preconfigured rule
set.
By default, the settings defined in this window are set according to the specifications defined during the installation process (see also:
Installing, Updating, or Uninstalling the Barracuda Network Access Client).
The following customizable options are available:
Firewall Settings > Trusted Domain Membership
Parameter
Description
Trusted Network
Network assignments and references in the network object that has
been defined as trustworthy are updated dynamically if network
adapters are added to the system with a trusted trust assignment
level or if IP address configuration of a trusted adapter changes (see
also: Adapters). By default, the Trusted Network option points to the
preconfigured TrustedNet object (see also: Networks). You may
change this to another available network object. Be aware of possible
implications. Set to No to disable this feature.
Domain Member
Can only be set to yes if a network object was previously configured
as Trusted Network. Setting this to yes creates and activates default
rules allowing applications required in Microsoft Windows domains.
Windows File Sharing
Can only be set to yes if a network object was previously configured
as Trusted Network. Setting this to yes allows incoming connections
to local printer(s) and files.
Allow NetBIOS
Incoming
Setting to yes (default: no) allows incoming NetBIOS traffic.
Outgoing
Setting to yes (default: no) allows outgoing NetBIOS traffic.
Firewall Settings > Miscellaneous
Parameter
Description
Interactive Alarm Notifications
Ask for unknown incoming connections
Set to yes to enforce manual confirmation for all incoming connection attempts. Confirmation for granting the connection establishment will be requested by a notification pop-up. For details on the design of this notification window see Automatic Rule Configuration.
Ask for unknown outgoing connections
Set this value to yes to enforce manual confirmation for all unknown outgoing connection attempts. Confirmation for granting the connection establishment will be requested by a notification pop-up. For details on the design of this notification window see Automatic Rule Configuration.
Ask for adapter update confirmation
Setting to yes (default) triggers a pop-up on detecting changes to the settings assigned to a network adapter. See also: Automatic Adapter Configuration.
Connectivity
Connect to the Internet with ADSL (PPTP)
Setting this to yes creates a Pass rule named ADSL in the Outgoing tab of the firewall configuration that is needed for Internet connections via ADSL. The service object used in this rule implements, amongst others, the services and protocols listed in the table below.
Services and Protocols Employed by the ADSL Rule
Port: 1723
Protocol: GRE, TCP
Service Name: pptp, NETBIOS-DGM
Description:
Generic Routing Encapsulation. A protocol allowing an arbitrary network protocol A to be transmitted via any other arbitrary network protocol B by encapsulating A's packets within GRE packets, that in turn are contained within packets of B.
Point-to-point tunnelling protocol. Control port.
Automatic Adapter Configuration
Set the Ask for adapter update confirmation option in the Firewall Settings view (see Firewall Settings Wizard) if you would like to be notified
of adapter configuration changes. A security alert window will then pop up asking you to confirm each configuration change.
Click Untrust to add the adapter to the Adapter Objects list and assign it as an Untrusted adapter. This creates an incoming adapter block rule
in the Incoming tab of the firewall rule set configuration area (see Rules).
Click Trust to add the adapter to the Adapter Objects list and assign it as a trusted adapter. This adds a reference to the trusted adapter in the
TrustedNet object and deletes a possibly existing incoming adapter block rule in the Incoming tab of the firewall rule set configuration area.
Generally, the security alert window will pop up if:
... an adapter is used for the first time, for example if it is added to the system.
... the IP configuration of an adapter changes, for example if an IP address is added or deleted.
However, it will not pop up if:
... an IP address is reintroduced (for example, on a DHCP renew).
... an adapter's IP configuration is reset to 0.0.0.0.
For a detailed description of adapter configuration options navigate to Adapters.
Automatic Rule Configuration
If Ask for unknown outgoing/incoming connections is active in the Firewall Settings view (see Firewall Settings Wizard), then an unknown
application or service requesting network connection will trigger a security alert pop-up window requesting authorization.
Windows Vista: if you can't access the dialog as shown in the figure above, then please contact your system administrator.
The following information is included in the security alert window:
Connection Request Details as Summarized in the Security Alert Window
Column
Description
Date / Time
Time of the connection request.
Local Server / Program
Application requesting the connection.
Path
Full path to the application requesting the connection.
User
User responsible for the connection request.
Source / Destination
Connection source and target destination and port.
Service
Service requesting the connection.
Message Counter
Number of security alerts to be considered. Click the arrows to scroll through the alert windows.
More Info
Click this link to open the online help.
Select the Remember this answer checkbox (defaults to selected) to permanently allow or deny a connection request. Selecting this
checkbox automatically creates a corresponding rule in the Configuration area of the Barracuda Personal Firewall, including required
Network, Service, Application and User Objects (see Configuration). If cleared, one-time access is granted for this specific connection
request when clicking Allow.
Selecting the checkbox also makes the Advanced Policy… link available. Click the link in order to customize further connection details:
Advanced Policy Options in the Security Alert
Column
Description
Only this Destination/Source
Binds the outgoing or incoming connection to a specific IP address.
All Destinations/Sources
If selected, this detaches the connection binding from a specific IP address (default).
Only Port
Binds the outgoing or incoming connection to a specific port. This
option is selected by default to allow a restrictive rule set only.
All activities for this application
Allows connection initiation on arbitrary ports if selected.
Port Range
Select this and insert a port range in order to allow connection
initiation on the specified ports only.
Click Allow to grant the connection request in consideration of the conditions defined above.
Or, click Block to deny the connection request in consideration of the conditions defined above.
For your convenience, you may use hot keys in the security alert window: holding the CTRL key while left-clicking either Allow or Block
confirms all current connection notifications. The number of messages is shown in the message counter. Or, pressing the Escape key
confirms the current connection notification with Block.
A connection request related to browsing the Internet with a web browser should be treated differently from other, more specific
connection requests. For connections initiated by the browser, select All Destinations; the rule set will then be created referencing the
global InterNet object. With Only this Destination selected, by contrast, the rule is created to reference only the specific web server's
address.
IPv6 Router Advertisement Guard
Barracuda Network Access Client helps you deal with different aspects of IPv6's Router Advertisement functionality. The IPv6 Router
Advertisement Guard keeps track of IPv6 Router Advertisement (RA) messages by inspecting the RA packets and puts you in control of them
while conforming to IETF RFC 6105.
You can proceed straight to Router Advertisement Guard Functionalities if you are already familiar with the purpose of Router Advertisement
and the risks that come with it.
What is IPv6 Router Advertisement?
Router Advertisement (RA) is a feature of IPv6's Neighbor Discovery Protocol (NDP), which replaces IPv4's Address Resolution protocol (ARP).
RA helps network nodes determine information about their LAN, such as the network prefix list, the default routers list, the default gateway, and
other information that can help them communicate. It can for example lead a node to utilize the emitting router as its default gateway.
RA is sent out by routers periodically using ICMPv6 type 134 messages. Part of any RA message is an expiration time value. Entries created by
RA messages within network nodes will be deleted after expiration. This way, only routers will persist in the lists that are actively broadcasting
their presence by sending RA messages. An RA emission can also be forced by sending a Router Solicitation Message to the network's router
multicast address to avoid waiting for an entry's expiry, which can e.g. help to quickly activate new interfaces.
See the list below to understand the structure of an RA prefix data set:
Structural Parameters for RA Prefix Information
RA Parameter
Purpose
Hop Limit
The hop limit is an 8-bit value containing the maximum hop count
proposed by the router.
M bit
If set, the receiving node may also use Stateful Auto Configuration,
besides normal Auto Configuration, for the IP address.
O bit
If set, the node may also use Stateful Auto Configuration, besides
normal Auto Configuration, for all remaining values that are not the IP
address.
Router Lifetime
16-bit integer defining the expiration time for the information
contained in this RA message. The maximum value is 18.2 hours. A
value of 0 (zero) means that the router is not a default router and
therefore should not be stored in the default router list.
Reachability Timeout
32-bit integer defining the duration in milliseconds for which an entry
in the Neighbor Cache should be indicated as being reachable after
the last data was received.
Resolution Timeout
32-bit integer defining the duration in milliseconds to wait until
another Neighbor Solicitation message is to be sent.
Valid RA options are the sender's link layer address, the router's MTU and all valid prefixes. Unknown options are ignored, as required by
the RFC.
Potential Vulnerabilities in Conjunction with RA Messages
Given the purpose and abilities of RA, harmful RA messages can become a security threat to a network node, to a LAN or at least to performance
and bandwidth. Barracuda Network Access Client offers various configuration options to effectively prevent threats such as:
Denial of Service (DoS) Attacks
RA messages may be used for DoS attacks. Therefore, if RA messages are not needed on a specific interface, their forwarding should be
disabled on that interface to prevent the generation of DoS messages.
Stateless Address Auto Configuration Attacks
IPv6 nodes are capable of a stateless address auto configuration mode, in which they listen to RA messages to automatically
configure themselves. A local attacker could send malicious RA messages to divert traffic to a non-existent address, thus blackholing the
victim's traffic, or could insert itself into the traffic flow in order to perform a man-in-the-middle attack.
Various Other Neighbor Discovery Protocol Attacks
IPv6 depends on the Neighbor Discovery Protocol to discover the mapping between an IPv6 address and an Ethernet MAC address. The
protocol exhibits the same vulnerabilities as IPv4's ARP and is therefore not secure when the attacker is in the same LAN as the victim.
Many further threats exist besides these.
IPv6 Router Advertisement Guard Functionalities
The IPv6 Router Advertisement Guard tracks all RA messages by reading the following data from a RA packet:
Option 1: Source Link Layer Address
Option 3: Prefix Information (including lifetimes)
The RA Guard starts to act as soon as a specific network prefix is detected for the second time. The first time a prefix is detected, it is always
allowed to pass. This ensures that, even with an RA Guard fully configured with company prefixes, it is still possible to establish a connection to
an available network, e.g. in a hotel.
For a configured prefix 2001:db8:1:3::/64, this would mean:
Example 1:
2001:db8:1:3::/64 is received > RA Guard allows connection
2001:db8:2:2::/64 is received > RA Guard instantly blocks 2001:db8:2:2::/64 (including RA)
Example 2:
2001:db8:2:2::/64 is received > RA Guard allows connection
2001:db8:1:3::/64 is received > RA Guard instantly blocks 2001:db8:2:2::/64
Example 3:
2001:db8:2:2::/64 is received > RA Guard allows connection
2001:db8:1:7::/64 is received > RA Guard instantly blocks 2001:db8:1:7::/64 and 2001:db8:2:2::/64
The detected RA data is stored in a list and compared to prefixes configured in the Firewall ruleset. Known router prefixes will be ignored, as
illustrated in the figure below.
Now, if the IPv6 Router Advertisement Guard detects an RA message with a yet unknown network prefix, it will become active on those firewall
rules having the IPv6 Company Prefix Match checkbox activated. The advertised router with the unknown prefix will be blocked. The following
figure illustrates this.
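The RA structure described above and the pass/block behaviour of Examples 1-3, as an added Python example that is not Barracuda's code: it parses a constructed RA packet carrying Option 1 (source link layer address) and Option 3 (prefix information), ignores any other option as the RFC requires, and replays the examples against a company prefix list written in the semicolon-separated prefix/length form that the Custom mode described further down uses. The names parse_ra, build_ra, parse_prefix_config and RouterAdvertisementGuard are this example's own, the MAC address and packet bytes are constructed test data, and the rule that the guard activates once a second distinct prefix has been seen is inferred from the three examples rather than stated on the page.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134  # ICMPv6 type of an RA message
OPT_SOURCE_LINK_LAYER_ADDR = 1     # Option 1, read by the RA Guard
OPT_PREFIX_INFORMATION = 3         # Option 3, read by the RA Guard


@dataclass
class RouterAdvertisement:
    hop_limit: int
    managed: bool            # M bit
    other: bool              # O bit
    router_lifetime: int     # seconds; 0 means "not a default router"
    reachable_time: int      # milliseconds
    retrans_timer: int       # milliseconds
    source_lladdr: Optional[bytes] = None
    # one (prefix, valid lifetime, preferred lifetime) tuple per Prefix Information option
    prefixes: List[Tuple[ipaddress.IPv6Network, int, int]] = field(default_factory=list)


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 RA (RFC 4861 layout) and keep options 1 and 3; other options are ignored."""
    if len(payload) < 16:
        raise ValueError("truncated RA header")
    (msg_type, _code, _checksum, hop_limit, flags, router_lifetime,
     reachable, retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                             router_lifetime, reachable, retrans)
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")      # RFC 4861: discard such a packet
        end = offset + opt_len * 8                        # length is counted in 8-octet units
        if end > len(payload):
            raise ValueError("option runs past the end of the packet")
        body = payload[offset + 2:end]
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR:
            ra.source_lladdr = body[:6]                   # MAC address of the advertising router
        elif opt_type == OPT_PREFIX_INFORMATION and len(body) >= 30:
            plen, _pflags, valid, preferred, _rsv = struct.unpack("!BBIII", body[:14])
            addr = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append((ipaddress.IPv6Network(f"{addr}/{plen}", strict=False), valid, preferred))
        offset = end
    return ra


def build_ra(prefix: str, lladdr: bytes, hop_limit: int = 64, router_lifetime: int = 1800) -> bytes:
    """Constructed sample RA with options 1 and 3 (checksum left at zero; a test vector, not a capture)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    sll = struct.pack("!BB", OPT_SOURCE_LINK_LAYER_ADDR, 1) + lladdr
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed   # L and A flags set
    return header + sll + pio


def parse_prefix_config(setting: str) -> List[ipaddress.IPv6Network]:
    """Custom-mode setting: semicolon-separated 'prefix/length' entries."""
    return [ipaddress.IPv6Network(e.strip(), strict=False) for e in setting.split(";") if e.strip()]


class RouterAdvertisementGuard:
    """Pass/block logic of Examples 1-3. Assumption: the guard activates once a second distinct
    prefix has been seen; from then on every prefix outside the configured company prefixes is
    blocked, including a prefix that was let through as the first one."""

    def __init__(self, company_prefixes: str):
        self.known = parse_prefix_config(company_prefixes)
        self.seen: List[ipaddress.IPv6Network] = []   # distinct prefixes in order of arrival
        self.blocked = set()

    def is_known(self, net: ipaddress.IPv6Network) -> bool:
        return any(net.subnet_of(k) for k in self.known)

    def observe(self, ra: RouterAdvertisement):
        """Return ({prefix: 'pass'|'block'} for this RA, sorted list of all prefixes now blocked)."""
        decisions = {}
        for net, _valid, _preferred in ra.prefixes:
            if net not in self.seen:
                self.seen.append(net)
            if len(self.seen) >= 2:                       # guard is active
                self.blocked.update(p for p in self.seen if not self.is_known(p))
            decisions[str(net)] = "block" if net in self.blocked else "pass"
        return decisions, sorted(str(p) for p in self.blocked)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                 # constructed router MAC
    guard = RouterAdvertisementGuard("2001:db8:1:3::/64")
    for p in ("2001:db8:2:2::/64", "2001:db8:1:7::/64"):   # Example 3
        print(p, guard.observe(parse_ra(build_ra(p, mac))))
```

Running the block replays Example 3: the first prefix passes, and the second, unknown prefix is blocked together with the first one. Note that the parser rejects a zero-length option and an option that overruns the packet, the two malformed cases RFC 4861 says a receiver must discard, rather than silently skipping them.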
Default Firewall Rules for the IPv6 Router Advertisement Guard
There are two rules for the IPv6 Router Advertisement Guard within the Personal Firewall’s default ruleset. One of them is an outbound rule
named Core Network - Router Advertisement Guard. It lets outbound RA messages pass by default. See the screenshot in the next figure:
The other one is an inbound rule also named Core Network - Router Advertisement Guard. It blocks all inbound RA messages by default. See
the next screenshot:
Configuring the IPv6 Router Advertisement Guard
There are three different possible configuration modes for the IPv6 Router Advertisement Guard. The first one is setting Personal Firewall
Settings > Core Network > IPv6 Router Advertisement Guard to Block all Router Advertisements as shown in the next figure. This will block
all incoming RA messages, the inbound rule Core Network - Router Advertisement Guard will be set to Block All and a log entry will be
generated into the Firewall History for every blocked RA message.
The second one is setting Personal Firewall Settings > Core Network > IPv6 Router Advertisement Guard to Disable as shown the next
figure. This will allow all incoming RA messages, the inbound rule Core Network - Router Advertisement Guard will be set to Pass. Incoming
RA messages are still logged into the Firewall History.
The third mode is the Custom mode, in which it is possible to configure known network prefixes. You may configure these prefixes in Personal
Firewall Settings > Core Network > IPv6 Router Advertisement Guard as shown in the figure below. Separate multiple entries using the
semicolon (";") character. Each entry consists of the prefix itself and the length of the prefix in bits, as also shown in the screenshot below.
Once prefixes are set, the inbound rule named Core Network - Router Advertisement Guard will be set to Pass with the IPv6 Router
Advertisement Guard activated. This prevents unknown routers advertising unconfigured prefixes from being added to the system. Routes to
configured networks, that is, routes with one of the configured prefixes, will still be added.
Switching to a different ruleset, e.g. by activating quarantine, while the Router Advertisement Guard is set to Disable or Block all clears
the list of known routers and prefixes. When a ruleset with a configured Router Advertisement Guard is loaded afterwards, the system has
to learn the routers and their advertised prefixes again.
The next step is to activate the IPv6 Router Advertisement Guard for each firewall rule wherein it's needed by selecting the Router
Advertisement Guard checkbox.
Monitoring the IPv6 Router Advertisement Guard
Rules in which the IPv6 Router Advertisement Guard is active are marked with a corresponding symbol within the ruleset overview, as can be seen in
the ALL rule in the following example figure.
As soon as the IPv6 Router Advertisement Guard is active, a corresponding text, as highlighted in the following figure, is displayed within the
firewall's Summary overview, indicating whether the RA Guard is merely active or in Block all mode.
Furthermore, by clicking View > Route Advertise List, information about all received routes and a list of the allowed MAC addresses can be
displayed.
Connections blocked by the IPv6 Router Advertisement Guard are logged with a corresponding entry in the Info column of the Firewall
History.
Personal Firewall Default Ruleset
From version 3.0, the Barracuda Personal Firewall comes with a default firewall ruleset. The following tables aim to give you a compact overview
about the default rules and their purposes.
Rule Categories
The default rules are split into these rule categories:
Barracuda Personal Firewall Default Rule Categories
Main Category / Sub Category Level #1 / Sub Category Level #2
Lockdown
  Block all outbound and inbound traffic
Mixed (default)
  Allow outbound and inbound
    Core network
    Barracuda VPN Allow Outbound and Inbound (Only on Adapter [TRUSTED])
    Network Discovery
    IPv6 Tunnel
    File and Printer Sharing (only on MY Net)
WLAN
  Allow outbound and inbound
    Core network
  Allow outbound
    Barracuda VPN
    IPv6 tunnel
    File and printer sharing (only on my net)
  Block inbound
    Network discovery
    File and printer sharing
  Block outbound
    Network discovery
Domain
  Allow outbound and inbound
    Barracuda VPN
    Network discovery
    Core network
    IPv6 tunnel
    File and printer sharing (only on my net)
Adapters
The tables below show the used adapter denominations and what they mean.
DYNAMIC
Name
Description
Examples:
All System Adapters
VPN Network
Wireless Network Connection
Local Area Connection
Mobile Broadband Connection
Reusable Microsoft 6To4 Adapter
Teredo Tunneling pseudo interface
DYNAMIC [isatap]
Name
Description
Intra-Site Automatic Tunneling Addressing Protocol
ISATAP uses IPv4 as a virtual nonbroadcast multiple-access network
(NBMA) data link layer, so that it does not require the underlying IPv4
network infrastructure to support multicast.
Example:
isatap.{09D450D7-FDBA-4B29-8165-5ED2EAB69606}
DYNAMIC [multi]
Name
Description
Adapter [TRUSTED]
All trusted adapters:
Ips: mc (managed by CC)
Barracuda VPN Adapter
Ethernet Adapter
Ask User and click “trusted”
Adapter [TUNNEL]
All OS tunneling adapters
Adapter [Dial-up]
Dial-up adapter, e.g. a modem
Adapter [Ethernet]
Ethernet based adapters
Adapter [PolSrv]
Adapter that was used for the last Access Control Service connection
Adapter [UNTRUSTED]
All untrusted adapters:
Wireless adapter
Dial-up adapter
Adapter [Virtual]
Virtual adapters
Adapter [VPN]
Barracuda virtual adapter
Adapter [Wireless]
Wireless adapters
Networks
The tables below show the used network denominations and what they mean.
DYNAMIC
Name
Description
Any
::/0, 0.0.0.0
localIP
All local IP addresses
localPolicyIP
Local IP address used to connect to the Access Control Service
localTrustedIP
All local IP addresses from trusted adapters
Net-Personal VPN
All Barracuda client secure personal routes
TrustedNet
Secure zone
UntrustedNet
Insecure zone
virtualIP
All Barracuda VPN IP addresses
DYNAMIC [net]
Name
Description
Link-local
::fe80::/64
Secure Link-local Zone
Link-Local Scope Multicast Addresses
ff02::1, ff02::2, ff02::16, ff02::1:3
Ref: Solicited-Node Multicast Addresses
Net-Broadcast
255.255.255.255
All Broadcast
Node-Local Scope Multicast Addresses
ff01::2, ff01::1
Simple Service Discovery Protocol
ff0e::8, ff05::8, ff05::c, ff02::c, 239.255.255.250
Well-known practical multicast addresses for SSDP
Site-Local Scope Multicast Addresses
ff05::1:3, ff05::2
Solicited-Node Multicast Addresses
The solicited-node multicast address facilitates the efficient querying
of network nodes during address resolution
Net-[Adapter Name]
LOCAL
Name
Description
LLMNR
MY Net
Ref: TrustedNet
My private trusted network
SSDP
Ref: Simple Service Discovery Protocol
Ref: MY Net
Services
The table below shows the services you can choose from, as well as their protocols, default ports and purpose.
Applications
The table below shows the applications known to the Barracuda Personal Firewall by default.
Default Rules
The following sub chapters and tables within describe all default rules delivered with version 3.0.
Changes in other sections than Local may have impacts on the OS’s functionality.
Barracuda VPN
The rules within this section are used for VPN server connections and for filtering content within tunnels.
Outbound
Tunnel
Outbound Barracuda VPN Tunnel
Adapter
Source
localIP
Destination
Any
Service
Barracuda VPN
Application
BARRACUDA VPN (phions.exe)
Settings
Core Network > Barracuda VPN
Yes (default)
No
Payload
Outbound Barracuda VPN Payload
Adapter
Adapter [VPN]
Source
Destination
*
Service
Any
Application
Any
Settings
Core Network > Barracuda VPN
Yes (default)
No
* Possible Network objects to restrict the traffic:
Net-Personal VPN: All Barracuda Client Secure Routes
Net-VPN Network: Dynamic Virtual Adapter Object
Network Discovery
These rules are used to allow or restrict device, service or machine discovery functionalities on the network.
Outbound
Network Discovery (WSD)
Outbound rule for Network Discovery to discover devices via Function Discovery.
Adapter
Adapter [TRUSTED]
Source
Any
Destination
Any
Service
WS-Discovery
Application
SVCHOST
Network Discovery (LLMNR)
Outbound rule for Network Discovery to allow Link Local Multicast Name Resolution.
Adapter
Adapter [TRUSTED]
BLOCK on Mismatch
Source
localIP
Destination
LLMNR
Service
LLMNR
Application
SVCHOST
Network Discovery (SSDP)
Outbound rule for Network Discovery to allow use of the Simple Service Discovery Protocol.
Adapter
Adapter [TRUSTED]
BLOCK on Mismatch
Source
Any
Destination
SSDP
Service
SSDP
Application
SSDP
Inbound
Network Discovery (LLMNR)
Inbound rule for Network Discovery to allow Link Local Multicast Name Resolution.
Adapter
Adapter [TRUSTED]
BLOCK on Mismatch
Source
LLMNR
Destination
LLMNR
Service
LLMNR
Application
SVCHOST
Network Discovery (WSD)
Inbound rule for Network Discovery to discover devices via Function Discovery.
Adapter
Adapter [TRUSTED]
BLOCK on Mismatch
Source
Any
Destination
Any
Service
WS-Discovery
Application
SVCHOST
Network Discovery (SSDP)
Inbound rule for Network Discovery to allow use of the Simple Service Discovery Protocol.
Adapter
Adapter [TRUSTED]
BLOCK on Mismatch
Source
Any
Destination
SSDP
Service
SSDP
Application
SSDP
Core Network
These rules are for managing the core network. They abstract the most common protocols and functionalities like address assignment, group
policy assignment, address lookup and IPv6 auto-configuration as well as operating system and certificate updates. Also included is a rule to
allow or restrict the system’s access to the Barracuda NG Access Control Server.
Outbound
Core Network - Dynamic Host Configuration
Allows DHCP messages for stateful auto-configuration.
Adapter
Source
0.0.0.0/0
Destination
0.0.0.0/0
Service
BOOTPS
Application
Any
Core Network - Dynamic Host Configuration for IPv6
Allows DHCPv6 messages for stateful and stateless configuration.
Adapter
Source
Any
Destination
Any
Service
DHCPv6
Application
Any
Core Network - Router Advertisement Guard
Router Advertisement (RA) messages are used by routers to announce themselves on the link. The IPv6 Router Advertisement
Guard can analyze and filter these RA messages.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Router Advertisement
Application
Any
Core Network - Neighbor Discovery
Neighbor Discovery Solicit and Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in
response to a Neighbor Discovery Solicitation request.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Neighbor Discovery
Application
ICMPv6
Core Network - Multicast Listener Report
The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast
traffic at a specific multicast address or in response to a Multicast Listener Query.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Multicast Listener Discovery
Application
Any
Core Network - Group Policy
Outbound rule to allow remote LSASS traffic for Group Policy updates.
Adapter
Source
Any
Destination
Any
Service
Any
Application
LSASS
Core Network - IPv6 No Next Header
The Next Header field indicates that there is no next header whatsoever following this one, not even a header of an upper-layer
protocol.
Adapter
Source
Any
Destination
Link-Local Scope Multicast Addresses
Service
Ipv6-NoNxt
Application
*
Core Network - DNS
Outbound rule to allow DNS requests. DNS responses based on requests that matched this rule will be permitted regardless of their
source address.
Adapter
Any
Source
Destination
Any
Service
DNS
Application
SVCHOST
Core Network - Internet Group Management Protocol
IGMP messages are sent and received by nodes to create, join or depart multicast groups.
Adapter
Source
Any
Destination
Any
Service
IGMP
Application
*
Core Network - Update Service
Outbound rule to allow Windows, certificate and CRL updates.
Adapter
Source
Any
Destination
Any
Service
WEB
Application
SVCHOST
Core Network - Group Policy (TCP-Out)
Outbound rule to allow remote RPC traffic for Group Policy updates.
Adapter
Adapter [TRUSTED]
Source
Any
Destination
Any
Service
TCP*
Application
SVCHOST
Core Network - Group Policy (UDP-Out)
Outbound rule to allow remote RPC traffic for Group Policy updates.
Adapter
Adapter [TRUSTED]
Source
Any
Destination
Any
Service
UDP*
Application
SVCHOST
Core Network - Explorer
Windows Explorer
Adapter
Source
Any
Destination
MY Net
Service
Any
Application
EXPLORER
Core Network - Access Control Service
Barracuda NG Network Access Control Service
Adapter
Source
localIP
Destination
Any
Service
POLSRV
Application
POLSRV
Inbound
Core Network - Dynamic Host Configuration
Allows DHCP messages for stateful auto-configuration.
Adapter
Source
0.0.0.0/0
Destination
0.0.0.0/0
Service
BOOTPS
Application
Any
Core Network - Dynamic Host Configuration for IPv6
Allows DHCPv6 messages for stateful and stateless configuration
Adapter
Source
Any
Destination
Any
Service
DHCPv6
Application
Any
Core Network - Router Advertisement Guard
Analyzing and filtering of Router Advertisement messages.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Router Advertisement
Application
Any
Settings
Core Network > IPv6 RA Guard
Block all RA (default)
Disable
IPv6 Prefixes
Core Network - Neighbor Discovery
Neighbor Discovery Solicit and Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in
response to a Neighbor Discovery Solicitation request.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Neighbor Discovery
Application
ICMPv6
Core Network - Multicast Neighbor Discovery
Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response
to a Neighbor Discovery Solicitation request.
Adapter
Source
Any
Destination
Link-Local Multicast Addresses
Service
ICMPv6 Neighbor Discovery
Application
ICMPv6
Core Network - Multicast Listener Report
The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast
traffic at a specific multicast address or in response to a Multicast Listener Query.
Adapter
Source
Any
Destination
Any
Service
ICMPv6 Multicast Listener Discovery
Application
ICMPv6
Core Network - Internet Group Management Protocol
IGMP messages are sent and received by nodes to create, join or depart multicast groups.
Adapter
Source
Any
Destination
Any
Service
IGMP
Application
*
Core IPv6 Tunnel
These rules allow management of the tunnel traffic for the two IPv6 tunneling protocols that are active by default, e.g. in Windows 7.
Outbound
Core IPv6 Tunnel - Teredo (UDP-Out)
Outbound UDP rule to allow Teredo edge traversal.
Adapter
Adapter [TUNNEL]
Source
0.0.0.0/0
Destination
Any
Service
UDP *
Application
SVCHOST
Settings
Core Network > Teredo Tunnel
Yes (default)
No
Core IPv6 Tunnel - IPv6 over IPv4
Outbound IPv6 over IPv4 tunneling allows access to the IPv6 Internet in the absence of a native IPv6 access provider.
Adapter
Source
localIP
Destination
Any
Service
IPv6 over IPv4
Application
Any
Settings
Core Network > IPv6 over IPv4
Yes (default)
No
File and Printer Sharing
These rules are for managing access to printers, files and folders shared over the network.
Outbound
File and Printer Sharing - Echo Request
Echo request messages are sent as ping requests to other nodes.
Adapter
Source
localIP
Destination
MY Net
Service
ICMP Echo
Application
*
Settings
File and Printer Sharing > Outbound
Yes (default)
No
File and Printer Sharing - NB-Name-Out
Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.
Adapter
Adapter [TRUSTED]
Source
localIP
Destination
MY Net
Service
NETBIOS-NS
Application
SYSTEM
Settings
File and Printer Sharing > Outbound
Yes (default)
No
File and Printer Sharing - NB-Datagram-Out
Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.
Adapter
Adapter [TRUSTED]
Source
localIP
Destination
MY Net
Service
NETBIOS-DMB
Application
SYSTEM
Settings
File and Printer Sharing > Outbound
Yes (default)
No
File and Printer Sharing - NB-Session-Out
Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.
Adapter
Adapter [TRUSTED]
Source
localIP
Destination
MY Net
Service
NETBIOS-SSN
Application
SYSTEM
Settings
File and Printer Sharing > Outbound
Yes (default)
No
File and Printer Sharing - SMB-Out
Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.
Adapter
Adapter [TRUSTED]
Source
Any
Destination
MY Net
Service
CIFS
Application
SYSTEM
Settings
File and Printer Sharing > Outbound
Yes (default)
No
Inbound
File and Printer Sharing - NB-Datagram-In
Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.
Adapter
Adapter [TRUSTED]
Source
MY Net
Destination
MY Net
Service
NETBIOS-DGM
Application
SYSTEM
Settings
File and Printer Sharing > Inbound
Yes (default)
No
File and Printer Sharing - NB-Name-In
Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.
Adapter
Adapter [TRUSTED]
Source
MY Net
Destination
MY Net
Service
NETBIOS-NS
Application
SYSTEM
Settings
File and Printer Sharing > Inbound
Yes (default)
No
File and Printer Sharing - NB-Session-In
Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.
Adapter
Adapter [TRUSTED]
Source
MY Net
Destination
MY Net
Service
NETBIOS-SSN
Application
SYSTEM
Settings
File and Printer Sharing > Inbound
Yes (default)
No
File and Printer Sharing - SMB-In
Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.
Adapter
Adapter [TRUSTED]
Source
MY Net
Destination
localIP
Service
CIFS
Application
SYSTEM
Settings
File and Printer Sharing > Inbound
Yes (default)
No
Local
These are custom defined rules for other applications, networks and network locations.
Outbound
Internet
Adapter
Source
localIP
Destination
Any
Service
WEB
Application
Any
Settings
Internet > Web access
Yes (default)
No
Configuring Personal Firewall Rules on the Barracuda NG Control Center
In this Article:
General
Rule Set Name
Inbound / Outbound Rules
Context Menu
Button Bar
Rule Configuration
Tester
Test Report
Options
Adapters
User Objects
Net Objects
Service Objects
Application Objects
General
To prepare for configuring Personal Firewall rules:
1. In Barracuda NG Admin, navigate to Config > Box > Virtual Servers > (servername) > Assigned Services > (servicename)
(vpnserver) > Client to Site followed by selecting the VPN FW tab.
2. If no Personal Firewall rule set is listed, you need to create a new rule set or import one that has previously been exported from a
Barracuda Network Access Client. To do so, right-click into the empty table space and select New VPN Firewall Rule Set... or Import
from Personal Firewall, according to which method you want to use, and finalize the creation or importing of a rule set.
3. Double-click the appropriate VPN firewall rule set to open the Personal Firewall Rule Configuration window.
Rule Set Name
This tab allows for manual rule configuration and testing.
Personal Firewall rule sets do not support Revision Control System (RCS).
Inbound / Outbound Rules
Rules controlling incoming traffic are arranged in the Rules Incoming view; rules controlling outgoing traffic are arranged in the Rules Outgoing
view.
Context Menu
Select and right-click a list entry to display the following context menu:
Rule View > Right-Click Context Menu
Show Source Addresses …
Opens a window displaying all source addresses affected by the
selected rule.
Show Destination Addresses …
Opens a window displaying all destination addresses affected by the
selected rule.
Show Services …
Opens a window displaying all services affected by the selected rule.
Show Applications …
Opens a window displaying all applications affected by the selected
rule.
Show Adapters…
Opens a window displaying all adapters affected by the selected rule.
Show Users…
Opens a window displaying all users affected by the selected rule.
Select Overlapping…
As a connection request can match several conditions, the order of the rules within a rule set is very important. If incorrectly ordered,
rules might interfere with one another. The Select Overlapping function helps avoid configuration mistakes. When applied to a selected
rule, all rules that may interfere with it are highlighted. In the majority of cases, the overlap is a harmless outcome of the use of very
openly defined objects such as InterNet.
Edit …
Opens the rule configuration dialog for the selected rule (see also: Rule Configuration).
New …
Opens the rule configuration dialog for a new rule (see also: Rule
Configuration).
Delete
Deletes the selected rule(s).
Copy
Copies the selected rule(s) to the clipboard.
Paste
Pastes the selected rule(s) from the clipboard.
Button Bar
The button bar is docked to the bottom of the rule editor window. The Up and Down buttons complement the options available in the context
menu. Select a rule and click one of the buttons to shift the rule further up or down within the rule set. You may also drag and drop a
rule.
As with a regular Barracuda NG Firewall rule set, the Personal Firewall rule set is processed rule by rule until a matching rule is found.
Thus, to achieve correct rule processing, rules must be arranged in the correct order.
Rule Configuration
Select New … from the context menu to create a new rule.
Configure the following connection details in the Rules view of the Rule Object window:
Edit/Create Rule Object > Rules View Options
Action
Select Pass to enable a connection request, or select Block to
prevent it.
Name
Freely choosable rule name.
Up to 50 characters are possible.
Comment
Optional description for easier identification.
Deactivate Rule
Selecting this checkbox disables the rule (default: cleared).
IPv6 Company Prefix Match
Activates the IPv6 Router Advertisement Guard.
A minimum specification of the following connection details is mandatory in these sections:
Source / Destination / Service or
Adapter / Source / Service or
Adapter / Destination / Service
Modifying an object is a global action. For example, any other rule using the specific object will be affected by the modification. This
applies only for referenced objects, not for objects of the explicit type. Explicit objects are only available for the current rule.
Edit/Create Rule Object > Sections
Adapter
The adapter to be used for the connection request. In the list, all Adapter objects as defined in the Adapter window are available (see
also: Adapters).
Right-click the Adapter window below the list and select New … to create a new Adapter object. Double-click an available entry to edit
the assigned Adapter Object.
Source / Destination
The source or destination to be used for the connection request. In the list, all Network objects as defined in the Networks window are
available (see also: Net Objects).
Select Explicit to define a network object explicitly without adding it to the Network objects listing. Right-click the source window below
the list and select New… to create a new Network object. Double-click an available entry to edit the assigned Network object.
Service
The service to be used for the connection request. In the list, all Service objects as defined in the Services window are available (see also:
Service Objects).
Select Explicit in order to define a Service object explicitly without adding it to the Service objects listing. Right-click the window
below the list and select New… to create a new Service object. Double-click an available entry to edit the assigned Service object.
Application
(optional)
The application to be used for the connection request. In the list, all Application objects as defined in the Application window are
available (see also: Application Objects).
Select Explicit to define an Application object explicitly without adding it to the Application objects listing. Right-click the window
below the list and select New… to create a new Application object. Double-click an available entry to edit the assigned Application
object.
User
(optional)
The user to be used for the connection request. In the list, all User objects as defined in the User window are available (see also: User
Objects).
Select Explicit to define a User object explicitly without adding it to the User objects listing. Right-click the window below the list
and select New… to create a new User object. Double-click an available entry in order to edit the assigned User object.
Configure the following connection details in the Advanced view of the Rule Object window:
Edit/Create Rule Object > Advanced > Rule Mismatch Policy
Source / Service / Destination / Application / User / Adapter
Continue on Mismatch (default)
Process the rule even if the corresponding object does not match
the configured setting.
BLOCK on Mismatch
Do not process the rule if the corresponding object does not
match the configured setting.
Edit/Create Rule Object > Advanced > Miscellaneous
A time restriction can be assigned to each rule. The granularity is 1 hour on a weekly basis.
A rule is allowed at all times by default, i.e., all checkboxes in the Time Interval window are cleared. Selecting a checkbox denies the rule for the given time.
Time Restriction
Select set invert (graphical icon) to configure allowed and disallowed
time intervals simultaneously.
Select set allow (graphical icon) to clear selected checkboxes.
Select set deny (graphical icon) to configure disallowed time
intervals.
Select Continue if mismatch to process the rule even if time
restriction denies it.
Select Block if mismatch to prevent rule processing if time
restriction denies it (default).
The figure shows an example time interval setting for a rule that is
disallowed Mondays and Thursdays from 8 to 17 o'clock.
Monitor Connections
Yes / No
Tester
The Tester view allows testing rule sets for consistency.
The following entities are available for rule testing:
Rule Tester > Test Connection
Direction
Direction of the traffic policy (Incoming or Outgoing).
Application
To query for an arbitrary application, leave the asterisk (*), which is the default value. Click the Application link and select Update Applications to reset the field to the default value.
From: IP / Port
Insert the source IP address and the corresponding connection port. Click the From or the To link to swap IP address and/or port information.
Protocol
Protocol to be used for the test. Click the Protocol link and select Show all Protocols to include protocols other than TCP/UDP and ICMP in the list.
Time
(optional)
Day of the week and time. Click the Time link and select Insert current Time to insert the current day and time value.
User
(optional)
Select a user from the list. Click the User link and select Update Users to clear the field.
Adapter
(optional)
Select an adapter from the list. Click the Adapter link and select Update Adapters to clear the field.
Test
Click Test to test the connection and display the test result in the
section below.
Rule Tester > Test Result
Test Status Icon / Action
A connection attempt with the given values either fails or succeeds, depending on which rule applies. A failed connection is indicated by a Block symbol. A successful connection attempt is indicated by a Pass symbol.
Rule
The Rule field displays the applicable rule responsible for the rule
test result. Click Edit … to open and modify the corresponding rule. If
the connection attempt has been blocked because no rule has
applied, the field will display No Matching Rule Found.
Service
This field displays the applicable Service object.
PlugIn
If applicable, this field displays the name of the plugin that has been
employed in the connection.
Save Result to
Insert the report name and click Save Result in order to save the test
result. The output of the connection test is written to the Test Report
view (see also: Test Report).
Attribute/Value Listing
This listing displays attributes of the tested connection in detail.
Test Report
Test reports are saved on a first come first served basis. Test results containing Pass in their Action field are indicated by a green icon, test
results containing Blocked in their Action field are indicated by a red icon.
Changing any parameter in any configuration area that influences the result of a test report leads to a status icon change in the overview window.
Green icons will change to red. To apply the new conditions to an already existing test report, select the data set in the overview window of the Test Reports window and click Rectify.
After this action, the status icons no longer indicate whether an action has been successful or not, but instead whether rectification has been applied. Rectified entries will be flagged with a green status icon, even if a tested connection attempt has failed.
Select a report followed by clicking Edit … to open the test result in the Rule Tester window. You may now use the report as a template for
further connection tests.
Select a report followed by clicking Delete to erase the report from the Test Report window.
Options
The Options view contains settings to control the overall behavior of the personal firewall if this rule set is active.
Options
Trusted Network
Network assignments and references in the network object that has been defined as trustworthy are updated dynamically as soon as network adapters with the trust assignment level trusted are added to the system, or as soon as the IP address configuration of a trusted adapter changes (see also: Adapters).
By default, the Trusted Network option points to the preconfigured TrustedNet object (see also: Net Objects). You may change this setting to use another available network object. Be aware of possible implications. No disables the feature.
Domain Member
Can only be set to yes if a network object has been configured as Trusted Network. Setting to yes creates and activates default rules
allowing applications required in Microsoft Windows domains.
Windows File Sharing
Can only be set to yes when a network object has been configured
as Trusted Network. When set to yes, incoming connections to local
printer(s) and files are allowed.
Allow NetBIOS Incoming
Yes
(default: no) allows incoming NetBIOS traffic.
Allow NetBIOS Outgoing
Yes
(default: no) allows outgoing NetBIOS traffic.
Ask for unknown incoming connections
Yes enforces a manual confirmation for all incoming connection
attempts. Confirmation for the connection establishment grant is then
requested by a notification window.
Ask for unknown outgoing connections
Yes enforces manual confirmation for all unknown outgoing
connection attempts. Confirmation for connection establishment grant
will be requested by a notification window.
Ask for adapter update confirmation
Yes (default) triggers a modal dialog as soon as settings assigned to
a network adapter change. See Automatic Adapter Configuration for
details on this.
ICMP Parameters
Configure the blocking of ICMP packets.
Connect to the Internet with ADSL (PPTP)
Yes creates a Pass rule named ADSL in the Outgoing tab of the
firewall configuration that is needed for Internet connections via
ADSL.
The Service object used in this rule also implements, among others, the services and protocols listed under ICMP Parameters.
Services and protocols employed by the ADSL rule
Port | Protocol | Service Name | Description
- | GRE | pptp | Generic Routing Encapsulation, a protocol allowing an arbitrary network protocol A to be transmitted over any other arbitrary network protocol B, by encapsulating the packets of A within GRE packets, which in turn are contained within packets of B.
1723 | TCP | NETBIOS-DGM | Point-to-Point tunnelling protocol, using the control port.
Adapters
The Adapters tab allows you to view and configure network adapters available on the system. Adapters may be employed in firewall rules, in
order to restrict rule processing to a specific adapter or a set of adapters only.
The listing is divided into the following columns:
Adapter
Name
Name of the Adapter object.
Referenced by
Number of references pointing to the Adapter object.
Status
Current connection status of the Adapter object (connected, disabled or multi).
IPs
IP addresses and/or references assigned to the Adapter object.
Trust
Trust type assigned to the Adapter object (trusted or untrusted).
Comment
Optional Adapter object description.
In the Adapter Objects view, several dynamic Adapter objects (flagged with the respective icon) are preconfigured.
Dynamic objects are updated at runtime with adapter configuration changes and cannot be edited manually. In order to work, Automatic Adapter Assignment must be selected in the Firewall Settings within the Firewall Menu.
The following objects (assigned with status multi) are available:
Adapter [Dial-up]
This object summarizes all dial-up adapters available on the system (e.g. UMTS, ISDN, and modem cards).
Adapter [Ethernet]
This object summarizes all ethernet adapters available on the system (e.g. LAN devices).
Adapter [Wireless]
This object summarizes all wireless adapters available on the system (e.g. WLAN cards).
Adapter [LPSA]
This object refers to the Access Control Server.
Adapters available on the system are automatically assigned to the appropriate Adapter object with the multi status type. These may
be used to construct abstract rule sets, e.g. to configure a rule blocking access to all available dial-up or wireless adapters.
The following further adapter objects are available:
[Network Connection name]
(e.g. Local Area Connection) These are the LAN devices available on the system. The network connection name is retrieved from the
Microsoft Windows Network Connections view (Start > Settings > Network Connections).
The logical Microsoft Windows name (which depends on the operating system's language version), not the device name, is used for object naming.
Barracuda VPN
This is the virtual interface of the VPN client.
To create a new Adapter object, click New … in the Adapter Objects window:
Edit/Create Adapter Object
Name
Name for the Adapter object.
Comment
Optional description.
Trust Type
Select Trusted to add a reference from the Adapter object to the Network object that has been defined as Trusted Network in Administration > Firewall Settings. If you do not want to create such a reference, select Untrusted.
If you later change the setting from Trusted to Untrusted, the reference to the Adapter object is automatically deleted from the Trusted Network object. References to Untrusted Adapter objects cannot be added to the Trusted Network object manually.
Status
Read-only field displaying the connection status of the Adapter object.
IPs
Read-only field displaying the IP addresses assigned to the Adapter
object.
Adapter/Ref
Select the network adapter and/or the reference for which you create
the Adapter object. Click New to add your selection to the Adapter list.
User Objects
The User Objects tab allows you to create User and User Group objects to be employed in rule sets. Click New … to open the Edit/Create User
Object dialog:
A User object is automatically created as soon as a connection attempt is processed by the firewall. The object is then inserted into the
corresponding rule.
In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda Personal Firewall are available for selection.
Local user and group information is displayed in the list first. If the Windows workstation is a member of a Windows domain, the domain user and
group information can be retrieved from the Active Directory server by clicking Update.
Irrespective of the operating system's active language on the workstation, the following users will always be displayed in English:
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NETWORK
The internal firewall engine will transform these names to the appropriate language version. Do not insert them manually in a different
language.
Net Objects
The Net Objects tab facilitates IP address and network management. Use this tab for the following purposes:
Assigning of names to single IP addresses
Combining multiple IPs/networks/references into networking objects
For clearly arranged network management, reference Network Objects rather than explicit IP addresses when configuring firewall rule sets.
In the Net Objects tab, a number of dynamic network objects, flagged with the respective icon, are preconfigured.
Dynamic objects are updated at runtime as soon as network configuration changes occur. They cannot be edited manually. For dynamic updates to work, Automatic Adapter Assignment must be selected in the Firewall Settings within the Firewall Menu.
localIP
Contains all IP addresses configured on trusted adapters as well as a reference to the Net-Broadcast object.
virtualIP
Contains the IP address assigned from the VPN server. virtualIP is only available if established VPN connections exist.
Net-[Network Connection Name]
These network objects contain the network addresses of each specific adapter available on the system. The Network Connection Name
is retrieved from the Microsoft Windows Network Connections view (Start > Control > Network Connections).
Rather than the device name, the logical Microsoft Windows name, which depends on the operating system's language version, is used for object naming.
Net-[Network Connection name] objects may be used to set up abstract rule sets.
InterNet
This object may be used for outbound connections to the Internet (network 0.0.0.0/0).
TrustedNet
Use this object to refer to trustworthy networks. The content of this object depends on the assignment of an adapter as trusted or untrusted (see Adapters). If an adapter is specified as trusted, the IP addresses living on it are added to the TrustedNet object. Conversely, they are deleted from it when the trust assignment changes to untrusted. The TrustedNet object is also updated as soon as the IP address configuration of a trusted adapter changes.
Net-Barracuda VPN
This object contains the address of the network in which the virtualIP address resides.
Secured routes are assigned to the Net-Barracuda VPN Object.
Net-Broadcast
This object contains the broadcast addresses of IP addresses configured on trusted adapters. The broadcast addresses are calculated
directly from the IP addresses.
Net-Multicast
This object includes the Multicast network 239.255.0.0/16.
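As an added example (not Barracuda code), the following Python recomputes TrustedNet, Net-Broadcast, localIP, the Net-[Network Connection Name] objects and the multi-status Adapter groups from an adapter table, following the rules described above; the adapter table, its field names and the "ref:" notation for a reference are constructed assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

INTERNET = "0.0.0.0/0"            # the static InterNet object
NET_MULTICAST = "239.255.0.0/16"  # the static Net-Multicast object


def dynamic_objects(adapters):
    """Recompute the dynamic Net and Adapter objects from the adapter table.

    adapters: list of dicts with keys name, type ("Ethernet", "Wireless",
    "Dial-up"), trust ("trusted" / "untrusted") and ips (list of "addr/prefix").
    Returns a dict mapping object name -> sorted list of entries.
    """
    trusted_ips, broadcasts, nets = set(), set(), {}
    groups = {"Adapter [Dial-up]": [], "Adapter [Ethernet]": [], "Adapter [Wireless]": []}
    for ad in adapters:
        # Net-[Network Connection Name]: the adapter's networks, regardless of trust
        nets["Net-" + ad["name"]] = sorted(
            {str(ip_interface(c).network) for c in ad["ips"]}, key=ip_network)
        # Adapter [Ethernet] / [Wireless] / [Dial-up]: groups with status "multi"
        groups.setdefault("Adapter [%s]" % ad["type"], []).append(ad["name"])
        if ad["trust"] != "trusted":
            continue  # untrusted adapters contribute nothing to TrustedNet
        for cidr in ad["ips"]:
            iface = ip_interface(cidr)
            trusted_ips.add(str(iface.ip))
            # Net-Broadcast is calculated directly from the address and its prefix
            broadcasts.add(str(iface.network.broadcast_address))
    trusted = sorted(trusted_ips, key=ip_address)
    objects = {
        "TrustedNet": trusted,
        "Net-Broadcast": sorted(broadcasts, key=ip_address),
        # localIP holds the trusted addresses plus a reference to Net-Broadcast
        "localIP": trusted + ["ref:Net-Broadcast"],
        "InterNet": [INTERNET],
        "Net-Multicast": [NET_MULTICAST],
    }
    objects.update(nets)
    objects.update({name: sorted(members) for name, members in groups.items()})
    return objects


def set_trust(adapters, name, trust):
    """Change one adapter's Trust Type; the next recomputation adds or drops its IPs."""
    return [dict(ad, trust=trust) if ad["name"] == name else ad for ad in adapters]


# Constructed adapter table (names follow the Windows Network Connections view).
ADAPTERS = [
    {"name": "Local Area Connection", "type": "Ethernet", "trust": "trusted",
     "ips": ["10.1.2.3/24"]},
    {"name": "Local Area Connection 2", "type": "Ethernet", "trust": "trusted",
     "ips": ["10.1.3.4/24", "192.168.50.5/25"]},
    {"name": "Wireless Network Connection", "type": "Wireless", "trust": "untrusted",
     "ips": ["192.168.0.20/24"]},
]

if __name__ == "__main__":
    before = dynamic_objects(ADAPTERS)
    after = dynamic_objects(set_trust(ADAPTERS, "Local Area Connection 2", "untrusted"))
    print("TrustedNet before:", before["TrustedNet"])
    print("TrustedNet after: ", after["TrustedNet"])
    print("Net-Broadcast after:", after["Net-Broadcast"])
```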
Click New… to open the Edit/Create Net Object dialog.
Insert Name and Description of the Net object for easier identification.
In the Entry section, insert IP and network address(es) for the new Net Object and/or specify a Reference to the Net Object. For instance, you may select an existing Net Object to refer to a new one.
The Excluded Entry section allows excluding specific networks.
For transparency and consistency reasons, references are not available in this section.
Service Objects
The Service Objects tab facilitates port and protocol management. Use the Services window to:
assign port and protocol to specific services
merge multiple services to one service object using references.
Properties of Service objects are described in detail in the Barracuda NG Firewall documentation.
The following services are available in the Barracuda Personal Firewall by default:
Service Objects Available in the Personal Firewall
Service Name | Port | Protocol | Connection | Description
ICMP | - | - | Out, In | Internet Control Message Protocol: ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation or misoperation.
DNS | 53 | TCP, UDP | Out | Domain Name Service: method by which Internet addresses in mnemonic form are converted into the equivalent numeric IP addresses.
BOOTPS | 67 | UDP | Out | Bootstrap protocol: also used for DHCP (Dynamic Host Configuration).
Kerberos | 88 | TCP, UDP | Out | Authentication protocol: used for authentication in Windows 2000 environments.
NTP | 123 | UDP | Out | Network Time Protocol: used to synchronize the time of a computer client or server to another server or reference time source.
LOC-SRV/EPMAP | 135 | TCP | Out | -
NETBIOS-NS | 137 | UDP | Out, In | NETBIOS: a very common protocol supported on both Ethernet and Token Ring. In NetBIOS, TCP and UDP communication is supported. It supports broadcasts and multicasting and also three distinct services: Naming, Session, and Datagram.
NETBIOS-DGM | 138 | UDP | Out, In | NETBIOS (see NETBIOS-NS).
NETBIOS-SSN | 139 | TCP | Out, In | NETBIOS (see NETBIOS-NS).
SNMP | 161 | UDP | Out | Simple Network Management Protocol: network management system containing two primary elements, the Manager (console to perform network management functions) and the Agents (entities that interface to the actual managed device). SNMP allows Managers and Agents to communicate.
LDAP | 389 | TCP, UDP | Out | Lightweight Directory Access Protocol: a set of protocols for accessing information directories.
CIFS | 445 | TCP | Out, In | The new SMB: further development of the SMB protocol that also serves as an addition and improvement to the standard protocols FTP and HTTP.
MSTASK | 1026 | TCP | Out | Windows Task Scheduler: used to schedule tasks, such as backups or updates, to run at certain times or dates.
Application Objects
The Application Objects tab allows creating predefined applications to be employed in rule sets.
Click New … to open the Edit / Create Application Object window.
Application Liability and Application Type classifications are purely informational.
1. Insert Name and Application Object Description for easier identification.
2. Again, click New … to specify an application. The Application Entry Parameters window opens.
3. Click Browse and select the file you want to create the object for. Subsequently, the path to the file and its inherent file description will be
displayed in the Path and Description fields below.
4. Optionally, insert a file description into the Comment field.
5. Specify Application Liability and Application Type. This classification is purely informational.
6. Click Generate to create an MD5 hash in order to clearly identify the selected file when it is executed.
MD5 hash creation is recommended in order to avoid vulnerabilities after an attack.
Consider that when an application equipped with an MD5 hash is used on multiple clients, file versions need to match exactly.
Otherwise, the application object will not be applicable.
Click Clear to delete the hash.
In addition to the application, first level DLLs are taken into consideration. This provides additional security. However, DLLs used by first
level DLLs are not monitored.
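An added Python example (not Barracuda code) of how an Application object equipped with an MD5 hash behaves when file versions differ between clients, including the first-level DLL check; the file contents, paths and helper names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def md5_hex(data: bytes) -> str:
    """The MD5 fingerprint that Generate stores for a file.

    MD5 is not collision resistant, so this pins a known file version; it does
    not prove who produced the file.
    """
    return hashlib.md5(data).hexdigest()


@dataclass
class ApplicationEntry:
    path: str
    md5: Optional[str] = None                   # None = hash cleared, path-only match
    first_level_dlls: dict = field(default_factory=dict)  # dll path -> md5 hex


def build_entry(files, path, dlls=(), pin_hash=True):
    """Create an entry from the files on the admin workstation (Browse, then Generate)."""
    entry = ApplicationEntry(path, md5_hex(files[path]) if pin_hash else None)
    for dll in dlls:
        entry.first_level_dlls[dll] = md5_hex(files[dll])   # first-level DLLs only
    return entry


def is_applicable(entry, client_files):
    """Decide whether the entry applies to the file executing on a client.

    client_files maps path -> file bytes on that client. DLLs loaded by the
    first-level DLLs are not monitored, so only the listed ones are compared.
    """
    if entry.path not in client_files:
        return False, "file not present"
    if entry.md5 is None:
        return True, "matched by path only (no hash)"
    if md5_hex(client_files[entry.path]) != entry.md5:
        return False, "executable version differs from the hashed file"
    for dll, digest in entry.first_level_dlls.items():
        if dll not in client_files or md5_hex(client_files[dll]) != digest:
            return False, "first-level DLL %s does not match" % dll
    return True, "matched by path and MD5"


# Constructed file contents standing in for real binaries.
APP = r"C:\Program Files\App\app.exe"
DLL = r"C:\Program Files\App\helper.dll"
ADMIN_WS = {APP: b"app v1.0", DLL: b"helper v1.0"}
CLIENT_SAME = dict(ADMIN_WS)
CLIENT_NEWER_EXE = {**ADMIN_WS, APP: b"app v1.1"}
CLIENT_CHANGED_DLL = {**ADMIN_WS, DLL: b"helper v2.0"}

if __name__ == "__main__":
    pinned = build_entry(ADMIN_WS, APP, dlls=[DLL])
    for label, client in (("same", CLIENT_SAME), ("newer exe", CLIENT_NEWER_EXE),
                          ("changed dll", CLIENT_CHANGED_DLL)):
        print(label, "->", is_applicable(pinned, client))
```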
The following Application objects, being required in Microsoft Windows domains, are available within the Barracuda Personal Firewall by default:
Applications Required in Microsoft Windows Domains
Application | Connection | Description
System | Out, In | Services needed by the OS kernel.
TCP/IP Ping Command | Out, In | -
lsass.exe | Out | Local Security Authority Service: responsible for management of local security authority, domain authentication and Active Directory management.
services.exe | Out | Upon startup, services.exe enumerates all registry sub-keys located in the HKEY_LOCAL_MACHINE\Services registry key.
spoolsv.exe | Out | Windows Printer Spooler: stores printer jobs and forwards them to the printer when it is ready.
userinit.exe | Out | Executed by default at logon; triggers logon scripts, re-establishes network connections, etc.
winlogon.exe | Out | Manages security-related user interactions in Windows NT. It handles logon and logoff requests, changing the password, etc.
svchost.exe | Out | Generic host process name for services run from dynamic-link libraries (DLLs). There can be multiple instances of svchost.exe running at the same time.
The Barracuda Access Monitor
In this Article:
What is the Access Monitor?
Port Security
Monitoring
Health Agent
Advanced Status Information
Service Status
Communication Status
Connection Errors
Advanced Setting for the Access Control Service Port
Authentication - Port Security
Network Interfaces
Advanced Status Information
EAP Tracer
Configuration - Advanced Settings
Health Agent Connectivity
Access Control Server IPs From Registry
Access Control Server IPs From DHCP
Connectivity Timeout Settings
ICMP Connectivity Checking
Offline Check
Health Agent Authentication
Use Basic Authentication
Use NTLM Authentication
Log Settings
Log Files
What is the Access Monitor?
The Access Monitor is the key component of the Barracuda Network Access Client. Its responsibilities include:
Collecting information from the client computer necessary for health evaluation, including:
Workstation identity information
Operating system information and patch level
Antivirus and Antispyware information
Communication with the Access Control Server
Taking security measures depending on the health evaluation result returned by the Access Control Server. This includes:
Downloading and installing necessary updates
Restricting network access
Executing Antivirus / Antispyware updates and starting scans or updates
Port Security
The Barracuda Network Access Client implements client-server-based access control and authentication processes that prevent unauthorized clients from connecting to a LAN through publicly accessible ports unless they are authenticated. The client computer obtains the credentials for authentication from the Access Control Server, based on the client computer's health evaluation result, which restricts or grants network access to the client computer.
Monitoring
Health Agent
The Barracuda Access Monitor provides all necessary information regarding the client computer's health state and network restriction.
Barracuda Access Monitor Properties
Property
Description
Health Condition
There are three different health states:
Healthy
The client computer complies with the policy configured on the
Access Control Server.
Unhealthy
The client computer does not comply with the policy; actions
need to be taken to meet the health requirements.
Untrusted
There is no rule defined for the client computer, so, as a
consequence, it has only restricted network access.
Client Origin
Local Computer
Health evaluation for the client computer is mandatory. If the
health evaluation for the client computer is not successful, then
an evaluation based on user credentials is not possible.
Current User
If multiple users use the same computer, it is possible to start a health evaluation based on user credentials, matching each user with the user's individual policy depending on their role in the network.
VPN
The client is connected to the Access Control Server using a
VPN connection.
Last Health Check
Date and time of when the last health evaluation was performed.
Next Health Check
Date and time for the next health evaluation to be performed.
Quarantine Status
The quarantine status depends on the health condition of the client computer. Three states are provided for policy-based network access:
Not Restricted
Full network access is granted if the health evaluation result
returns a health state of Healthy.
Probation
If the client computer does not meet the configured health
requirements, it will enter probation state. In this state, the client
is not restricted in order to contact network resources necessary
to meet all health requirements. If the subsequent health
evaluation does not return a Healthy state, then the client will
enter restricted network access mode.
Restricted
If restricted network access is active, the client will activate the
quarantine rule set assigned by the Access Control Server.
It is possible to configure two quarantine rule sets, one for
when the client computer does not meet the health
requirements and is unhealthy, the other for when the client
computer is untrusted because no rule is defined for it.
Access Control Server
IP address or hostname of the Access Control Server to be contacted
for health evaluation. See Access Control Server IPs From Registry and Access Control Server IPs From DHCP.
Emergency Network Adapter Repair
If enabled, this allows you to reset the network adapters managed by
the Port Security WPA supplicant. See Allow Emergency Network
Adapter Repair to learn how to enable or disable this functionality.
Image of the day
Custom welcome image configurable on the Access Control Server for the following states:
Local Computer - healthy, limited access
Current User - healthy
VPN - healthy
Message of the day
Custom welcome message (Unicode supported) configurable on the Access Control Server for the following states:
Local Computer - healthy, limited access
Current User - healthy
VPN - healthy, limited access
Health evaluation result
This shows the actual health evaluation result. It holds an entry for every health criterion that complies with the configured policy. If a criterion does not meet the requirements, a description of the actions necessary to comply with the policy is shown.
Advanced Status Information
The Barracuda Access Monitor provides additional information via the Barracuda Access Monitor Advanced dialog. This can either be opened by
clicking the Health Condition link or the Quarantine Status link in the Health Agent view.
Service Status
If either the Client service or the Barracuda Access Monitor Agent service, both of which are vital for normal operation, is not running, a warning message in red is shown for it. No message indicates that both services are operating normally as intended.
Communication Status
Whenever the Barracuda Access Monitor is working, a status message is displayed below the Message of the Day group, as seen in the next figure. While the Barracuda Access Monitor is communicating, it is not possible to start a health evaluation. The following communication states exist for the Barracuda Access Monitor:
Health Agent States
State
Description
Initializing
The Barracuda Access Monitor is initializing before entering
operational state.
Termination
The Barracuda Access Monitor service is shutting down and freeing
all resources.
Pending communication, validating
A health evaluation has been started, now the client is waiting for the
result from the Access Control Server.
Pending communication, downloading
Files such as rule sets, patches, and other data necessary to comply
with the matching policy, are being downloaded.
Waiting for user input
The Barracuda Access Monitor requires user credentials for user-specific authentication and health evaluation. Whenever this message is shown, a dialog is visible to enter the user credentials.
Connection Errors
If, for any reason, the Access Control Server cannot be reached at the IP addresses configured for health evaluation, a connection error as illustrated in the next figure will be shown. See ICMP Connectivity Checking later on for more details on this specific connection error.
Another connection error, illustrated in the next figure, occurs if the Barracuda Access Monitor has no Access Control Server IP addresses
configured.
There are some options to resolve this:
Configure a valid Access Control Server IP address locally (see also: Access Control Server IPs From Registry).
If the Access Control Server IP addresses are distributed by DHCP, use one of the following instead:
Use the Emergency Network Adapter Repair button. To enable it, see Allow Emergency Network Adapter Repair.
Use the operating system's built-in ipconfig tool to obtain a new IP address for the client computer which will include an Access Control
Server IP address to connect to.
In order to verify whether an Access Control Server IP address was received through DHCP, look up the Barracuda Access Monitor Access
Control Server IPs dialog. See also: Access Control Server IPs From DHCP.
Advanced Setting for the Access Control Service Port
It is possible to change the default port 44000, through which the Access Monitor reaches the Access Control Server, by editing the registry key shown below.
Registry Entry for Access Control Service Port
Item
Description
Path
.DEFAULT\Software\Phion\phionha\settings\
Key
DefaultPort
Value
DefaultPort
Authentication - Port Security
Network Interfaces
As seen in the next figure, the Port Security view lists all network interfaces available for authentication in two groups:
Managed
Unmanaged
Managed network interfaces have been activated for authentication. The Barracuda Access Monitor provides several actions for all managed
network interfaces whenever a WPA supplicant is running for the network interface.
Barracuda Access Monitor Actions for Managed Network Interfaces
Task
Description
Logon
Starts the authentication scheme by requesting network access
through the switch, enabling the line protocol if successful, and
allowing all network traffic.
Logoff
Tells the switch that the client computer does not need network
access any more. The switch will disable the line protocol and block
all network traffic except for EAP, CDP and STP protocols.
Reassociate
Restarts the authentication process even if the client is already authenticated.
Reset
This will reset the session password used for authentication against
the RADIUS server. The authentication process will start over and the
client computer will receive a new session password.
Trace EAP Packets…
Opens the EAP Packet tracer with packet data for the selected network interface.
Unmanaged network interfaces have not been enabled yet to use the authentication scheme. It is not possible to perform any actions on
unmanaged interfaces through the Barracuda Access Monitor.
If available, the list shows the following information:
Barracuda Network Access Monitor Information for Unmanaged Network Interfaces
Column
Description
Name
Friendly name of the network device.
Status
Device status of the network interface, which can take one of these
values:
Network cable unplugged
Not connected
Disconnected
Connecting
Connected
PAE state
Port Access Entity status.
EAP state
Extensible Authentication Protocol status.
Device Name
The device name as assigned by the manufacturer.
IP Address
IP Address the network interface is using.
Advanced Status Information
For more detailed information about a network interface, double-click it to open the Properties dialog, or right-click the desired network interface
and choose Details… from the context menu.
EAP Tracer
The EAP Tracer allows you to view EAP and EAPOL packets captured by the Barracuda Access Monitor for every network interface with the Trace EAP Packets option enabled.
Configuration - Advanced Settings
Configuration > Advanced Settings
Parameter
Description
Access Control Server IPs from Registry
Navigate to Access Control Server IPs From Registry for more
information.
Access Control Server IPs from DHCP
Navigate to Access Control Server IPs From DHCP for more
information.
ICMP Connectivity Checking
Navigate to ICMP Connectivity Checking for more information.
Offline Check
Navigate to Offline Check for more information.
Use Basic Authentication
Navigate to Use Basic Authentication for more information.
Use NTLM Authentication
Navigate to Use NTLM Authentication for more information.
Allow Emergency Network Adapter Repair
Navigate to Allow Emergency Network Adapter Repair for more
information.
Barracuda Network Access Client Logging
Navigate to Barracuda Network Access Client Logging for more
information.
Barracuda Health Agent Logging
Navigate to Barracuda Health Agent Logging for more information.
Health Agent Connectivity
This section holds all configuration items regarding the connectivity of the Barracuda Access Monitor.
Access Control Server IPs From Registry
As shown in the screenshot below, this dialog allows creating, editing and deleting of Access Control Server IP addresses stored within the
registry. It is possible to configure as many Access Control Server IP addresses as required to ensure continuous connectivity.
The configured IP addresses will then be stored in the registry:
Registry Entry for Access Control Server IP Addresses
Item
Description
Path
HKEY_USERS\.Default\Software\phion\phionha\PolSrv
Key
N (enumeration)
Value
IP or Hostname of an Access Control Server
Access Control Server IPs From DHCP
When the Barracuda Networks DHCP server is configured to distribute the Access Control Server IP addresses using DHCP, these are listed in
an advanced dialog, as shown in the next figure. Click the Edit… button to open this dialog. If required, clear the Access Control Server IP
addresses received through DHCP using the Clear Policy IPs button.
Connectivity Timeout Settings
You can adjust the timeout periods for the Barracuda Access Monitor's connection to the Access Control Server using the registry values below. Reduce the default values to get more responsive client behavior.
Item
Description
141
Path
HKEY_USERS\.Default\Software\phion\phionha\settings
Key
WaitForNextTry
Value
[Timeout value in milliseconds, dafault value is
30000 (30 sec)]
Item
Description
Path
HKEY_USERS\.Default\Software\phion\phionha\setting
s
Key
WaitForNextLocalComputerAuth
Value
[Timeout value in milliseconds, dafault value is
60000 (60 sec)]
Connection wait time for the Access Control Server, if VPN is active:
Item
Description
Path
HKEY_USERS\.Default\Software\phion\phionha\setting
s
Key
WaitForNextVPNTry
Value
[Timeout value in milliseconds, dafault value is
1000 (1 sec)]
The waiting time for the next user prompt, if Cancel was clicked in the basic authentication request:
Item
Description
Path
HKEY_USERS\.Default\Software\phion\phionha\setting
s
Key
WaitCancel
Value
[Timeout value in milliseconds, dafault value is
3600000]
ICMP Connectivity Checking
As an advanced feature, the Barracuda Access Monitor can determine connectivity to the Access Control Server using ICMP packets. If this
option is enabled, the Barracuda Access Monitor sends an ICMP packet to the Access Control Server before connecting and starting a health
evaluation. Only if the ICMP packet is answered does the Barracuda Access Monitor connect to the Access Control Server and start the health
evaluation. If this option is disabled, the Barracuda Access Monitor connects to the Access Control Server immediately, without checking
connectivity first.
Enabling this feature is recommended when connecting to the Access Control Server through a VPN connection; otherwise, connectivity may be
less reliable than expected.
When ICMP Connectivity Checking is enabled, the Barracuda NG Firewall must be configured to pass ICMP packets between the client and the
Access Control Server. Otherwise the probe fails, the Barracuda Access Monitor never connects to the Access Control Server, and no health
evaluation takes place.
To edit this option manually, modify the following registry key:
Path: HKEY_USERS\.Default\Software\phion\phionha\settings
Key: ICMPProbing
Value: 0 (disabled), 1 (enabled, default)
Offline Check
This option disables the Health Agent while no network connection is active, which prevents the local firewall from entering quarantine mode
unintentionally. The default value is 0 (the Health Agent is not disabled when offline).
To edit this option manually, modify the following registry key:
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: UseConnectionState
Value: 0 (disabled, default), 1 (enabled)
You can enable or disable quarantine in offline mode using the following registry key. The default value is 1 (quarantine in offline mode is
enabled).
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: UseOfflineQuarantineMode
Value: 0 (disabled), 1 (enabled, default)
You can configure whether the health dialog window is displayed using the following registry key. The default value is 1 (the dialog is
displayed).
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: ShowAgentDlg
Value: 0 (disabled), 1 (enabled, default)
Health Agent Authentication
Use Basic Authentication
This option specifies whether basic username-and-password or certificate authentication is used if NTLM authentication fails. The default is 1
(basic username-and-password authentication is used).
To edit this option manually, modify the following registry key:
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: UseBasicAuthFallback
Value: 0 (disabled), 1 (enabled, default)
Use NTLM Authentication
When this option is enabled, the Barracuda Access Monitor uses the Windows user credentials provided via NTLM for authentication. The default
is 1 (NTLM is used).
To edit this option manually, modify the following registry key:
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: UseNTLM
Value: 0 (disabled), 1 (enabled, default)
Log Settings
For proper analysis, verbose output is essential. You can enable logging for both the Health Agent service and the Barracuda Access Monitor
service to receive detailed information. See Log Files for more information.
Barracuda Health Agent Logging
Logging is enabled by default. To edit this option manually, modify the following registry key:
Path: .DEFAULT\Software\Phion\phionvpn\settings\
Key: Logging
Value: 0 (disabled), 1 (enabled, default)
Barracuda Network Access Client Logging
Logging is enabled by default. To edit this option manually, modify the following registry key:
Path: .DEFAULT\Software\Phion\phionha\settings\
Key: Logging
Value: 0 (disabled), 1 (enabled, default)
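The registry switches documented in the Health Agent Connectivity, Health Agent Authentication and Log Settings sections above all live under HKEY_USERS\.DEFAULT, the profile used by services, so they must be read and written from an elevated session and they do not appear under HKEY_CURRENT_USER. The following PowerShell script is an added example and not Barracuda's own tooling: it audits every documented switch against its documented default, lists the Access Control Servers enumerated under PolSrv, and provides a helper for flipping a 0/1 switch. It assumes the switches are stored as REG_DWORD and the PolSrv entries as REG_SZ, which the documentation does not state; the function names are the author's own.

```powershell
# Added example (not part of the Barracuda documentation): audit the Barracuda Network
# Access Client registry switches documented above. Run in an elevated PowerShell session;
# the keys live in HKEY_USERS\.DEFAULT (the services profile), not HKEY_CURRENT_USER.
# Assumption: switches are REG_DWORD, PolSrv entries are REG_SZ (value types are not documented).

$PhionRoot = 'Registry::HKEY_USERS\.DEFAULT\Software\Phion'

# Documented switches and their documented defaults (Wait* values are milliseconds).
$Documented = @(
    @{ Key = 'phionha\settings';  Name = 'WaitForNextTry';               Default = 30000 }
    @{ Key = 'phionha\settings';  Name = 'WaitForNextLocalComputerAuth'; Default = 60000 }
    @{ Key = 'phionha\settings';  Name = 'WaitForNextVPNTry';            Default = 1000 }
    @{ Key = 'phionha\settings';  Name = 'WaitCancel';                   Default = 3600000 }
    @{ Key = 'phionha\settings';  Name = 'ICMPProbing';                  Default = 1 }
    @{ Key = 'phionha\settings';  Name = 'UseConnectionState';           Default = 0 }
    @{ Key = 'phionha\settings';  Name = 'UseOfflineQuarantineMode';     Default = 1 }
    @{ Key = 'phionha\settings';  Name = 'ShowAgentDlg';                 Default = 1 }
    @{ Key = 'phionha\settings';  Name = 'UseBasicAuthFallback';         Default = 1 }
    @{ Key = 'phionha\settings';  Name = 'UseNTLM';                      Default = 1 }
    @{ Key = 'phionha\settings';  Name = 'Logging';                      Default = 1 }
    @{ Key = 'phionvpn\settings'; Name = 'Logging';                      Default = 1 }
)

function Get-NacSetting {
    param([string]$Key, [string]$Name)
    $path = "$PhionRoot\$Key"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the client uses its built-in default
    return $item.$Name
}

function Test-NacSettings {
    # One row per documented switch: current value, documented default, and whether it deviates.
    foreach ($d in $Documented) {
        $current = Get-NacSetting -Key $d.Key -Name $d.Name
        $status = 'default'
        if ($null -ne $current -and $current -ne $d.Default) { $status = 'CHANGED' }
        [pscustomobject]@{
            Key     = $d.Key
            Name    = $d.Name
            Current = $current
            Default = $d.Default
            Status  = $status
        }
    }
}

function Get-AccessControlServers {
    # PolSrv holds one value per Access Control Server, named by an enumeration index (0, 1, 2, ...).
    $path = "$PhionRoot\phionha\PolSrv"
    if (-not (Test-Path $path)) { return @() }
    (Get-Item $path).GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object {
            [pscustomobject]@{ Index = [int]$_; Server = (Get-ItemPropertyValue -Path $path -Name $_) }
        }
}

function Set-NacSwitch {
    # Flip one documented 0/1 switch, e.g.: Set-NacSwitch -Name ICMPProbing -Enabled $false
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$Key = 'phionha\settings'
    )
    $path = "$PhionRoot\$Key"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Name -Value ([int]$Enabled) -Type DWord
}

Test-NacSettings | Format-Table -AutoSize
Get-AccessControlServers | Format-Table -AutoSize
```

Rows marked CHANGED are the ones to review on a client that behaves differently from the rest of the fleet; a missing ICMPProbing value means the default (1, probing enabled) applies, so such a client will not reach the Access Control Server if ICMP is blocked on the path.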
Log Files
If verbosity is enabled, the Barracuda Network Access Client writes its analysis information to log files on the local hard drive. These files are
located in the log directory below the Barracuda Network Access Client installation directory. You can open them either with the Barracuda
Access Monitor, by double-clicking the desired log file in the Advanced Settings section, or with a text editor.
Note that these files contain details about the client computer and the rule set downloaded from the Access Control Server, so treat the
log directory as sensitive when collecting it for analysis.
The following log files are available, depending on the configured level of verbosity:
Log Files Residing in [Barracuda Network Access Client Installation Path]\log\
phions.log - Log information from the Client Service, depending on configuration (see Log Settings).
phionha.log - Log information from the Barracuda Access Monitor, depending on configuration (see Barracuda Network Access Client Logging).
wpa_supplicant_{UUID}.log - Log information from the WPA supplicant for each network interface, depending on configuration (see Barracuda
Health Agent Logging).
client.xml - XML file sent to the Access Control Server containing information about the client computer if a user-based health evaluation is
performed.
connect.xml - Information about connectivity and connection errors.
download.xml - Data from the last download, such as the rule set, message of the day, etc.
downloadLocal.xml - Data received if a local-computer-based health evaluation succeeded.
downloadUser.xml - Data received if a user-based health evaluation succeeded.
health.xml - Last health evaluation result returned by the Access Control Server.
healthLocal.xml - Last health evaluation result for a local-computer-based health evaluation.
healthUser.xml - Last health evaluation result for a user-based health evaluation.
Barracuda Network Access Client Sample Configuration
Setting up a working Barracuda Network Access Client environment involves several components: global objects, trustzone settings, the Access
Control Service, and the gateway firewall configuration.
An environment can be set up easily. For in-depth information about individual parameters, see the pages referred to in the example.
Using the Barracuda Network Access Client does not necessarily require complex policy rule sets. Although rule sets become more elaborate as
exceptions are required, the sample includes only one policy within the Local Machine rule set.
In this article:
The Example Setup
Step 1. Introduce Access Control Objects
Step 2. Personal Firewall Rule Set
Step 3. Introduce an Access Control Service Trustzone
Step 4. Configure an Access Control Service Trustzone
Step 5. Configure the Forwarding Firewall Rule Set
The Example Setup
The figure below illustrates the example setup:
The client LAN has an IP address range of 10.0.8.0/24.
The protected servers are located in the 172.16.0.0/24 network.
In addition to the protected servers, one server acts as a Microsoft Domain Controller and as a remediation server for updating the
antivirus patterns. This server has the IP address 172.16.0.10. Even unknown or unhealthy clients need access to this server.
The other servers within the server segment should be protected, i.e., access to these servers should only be available to clients
conforming to the corporate health policy.
The health policy requires that the client is installed and the personal firewall is enabled.
In addition, the company uses Trend Micro antivirus products, so the antivirus engine must be enabled and must receive regular antivirus
pattern updates.
Step 1. Introduce Access Control Objects
As a first step, prepare the Access Control Objects. These objects should be ready for referencing when configuring the trustzone.
Setting up a Barracuda Network Access Client infrastructure usually starts with configuring two different welcome messages, two different
Personal Firewall rule sets, and one welcome bitmap. To give users customized information regarding their health state, define different
welcome messages for unrestricted access (healthy status) and quarantine (unhealthy status). If a computer is quarantined, the end user will
find it useful to have all the information necessary to contact the company's IT support. Like welcome messages, customized welcome bitmaps
are not required for a Barracuda Network Access Client infrastructure; nevertheless, companies usually want to display their own logo instead of
the Barracuda Networks logo. The most important part, and the one required for proper operation, is setting up the Personal Firewall rules.
Step 2. Personal Firewall Rule Set
It is difficult to give general guidelines for personal firewall rule sets, because the required applications differ strongly between companies.
Nevertheless, remember for all your Barracuda Personal Firewall rule sets that all clients, regardless of their health state, require network access:
they need to contact the Access Control Service (TCP port 44000; this rule is included in the default rule set) and the Microsoft Domain
Controller. Otherwise, no user can log in. Additionally, depending on the antivirus or antispyware product, access to HTTP servers may be
necessary. Backup software, remote support and automatic software distribution often trigger connections from server to client, so it may be
necessary to modify the incoming rule set of your personal firewall to allow incoming connections.
For the setup used in this example, only small modifications to the default rule set are required.
First create the quarantine rule set:
1. In the Access Control Objects > Personal Firewall Rules configuration directory, select New Access Control Firewall Rule Set from
the context menu.
2. Name the rule set restrictedAccess.
3. Open the restrictedAccess rule set.
For the restrictedAccess rule set, add the following new rules:
1. Explicitly block the Skype application.
2. Allow connections to the remediation server (172.16.0.10).
3. Allow HTTP/HTTPS connections to the Internet. Some antivirus products use HTTP or HTTPS to download updates to engines and
patterns. Where the antivirus vendor publishes its update servers, restrict this rule to those destinations rather than allowing all
HTTP/HTTPS traffic from quarantined clients.
Step 3. Introduce an Access Control Service Trustzone
As mentioned above, the hierarchical structure of a Barracuda NG Control Center allows introducing Access Control Service Trustzones at
different levels (Global, Range, and Cluster). Thus, you must decide where to place your company's trustzone.
Administrators of standalone Barracuda NG Firewalls do not need to make this decision: simply configure your trustzone within the Access
Control Service > Trustzone node.
As a guideline for a simple setup using a Barracuda NG Control Center, you may use global trustzones or alternatively switch to range trustzones.
Range- or cluster-based Access Control Services can only reference trustzones within the same administrative scope. Trustzones from a
different range or cluster cannot be referenced in this case.
Step 4. Configure an Access Control Service Trustzone
The main window of an Access Control Service Trustzone is split into a navigation bar on the left and the three policy rule sets on the right.
To ensure that the policy trustzone has a public/private key pair for authenticating clients to all participating Access Control Services, you
must first create a Health Passport Signing Key in Settings > Identity > Health Passport Signing Key. The Health Passport is used for
authenticating against other Access Control Service instances (e.g., Remediation Service or Border Patrol), so generating a Health Passport
Signing Key is required.
Click New Key to create a new Health Passport Signing Key. In this setup with locally created public/private keys, use the previously created key
and export its public part to the clipboard. This public key is then imported as the Health Passport Verification Key.
To keep this setup as simple as possible, start with local machine policies. You can extend your setup by applying user-specific or VPN policies
in a later step. Even setting up a restricted local machine rule set and configuring the gateway firewall rule set can be time-consuming at the
beginning.
So, in the next step, create at least one rule within the Local Machine policy rule set. The first and, for now, only rule is the catch-all rule,
which usually belongs at the end of your policy rule set. Click New at the bottom of the policy rule set or in the context menu to create a policy
rule. If you use more than one rule, remember that policy rule sets are processed sequentially from top to bottom.
The Policy Rule dialog is split into these views:
Identity Matching
Required Health State
Policy Assignments
For the Identity Matching and Required Health State views, Basic and Advanced configuration dialogs exist.
Start by configuring the criteria for Identity Matching:
Since the Access Control Service in this example setup is only reachable via private IP addresses, you can restrict the Networks section to the
private address ranges.
Basic Matching > Policy Matching is set to One-of-following, so you do not need to specify further matching criteria.
Now configure the required health conditions. For the catch-all rule, you can define the same policies you require for known clients, because
security policies usually restrict unknown clients further instead of granting them lower health requirements.
To comply with the security requirements mentioned above, set the following parameters:
Example Configuration: Configure Access Control Service Trustzone > Local Machine > Edit Policy Rule Parameters
Personal Firewall On: Required <Auto-remediation>
Antivirus Scanner On: Required <Auto-remediation>
Last AV Scan Not Older Than: Ignore
AV Engine Required: Last-2
AV Pattern Definitions Required: Last-2
AV Engine/Pattern Action: Manual
Allowed Vendors: Trend Micro, Inc
Antispyware: Disabled
The Required <Auto-remediation> value automatically enables the Barracuda Personal Firewall and the Antivirus Scanner if they are
deactivated.
Setting Last AV Scan Not Older Than to Ignore reflects the fact that a regular full antivirus scan of the client computer takes quite some time.
Forcing users to perform a full scan during working hours is not always welcome, because the scan may slow down their workstation.
For the AV engine and the AV patterns, the settings above accept the current version as well as the previous and pre-previous version. Usually,
companies already have mechanisms to perform regular updates of their AV engines and patterns, so in the sample you can leave the
AV Engine/Pattern Action setting at Manual.
Checking engine and pattern versions of antivirus or antispyware products requires up-to-date version information on the server side.
Next, continue with the Policy Assignments view and assign the following attributes:
1. Assign the unrestrictedAccess firewall object as Barracuda Network Access Client.
2. Assign the Welcome message as Message of the Day. Since the local machine context of Microsoft Windows does not allow graphical
user interface dialogs before login, the welcome message and the welcome picture are displayed as soon as a user has logged in, but not
before.
3. Assign the Barracuda Network Access Client Logo welcome picture.
4. For limited access, assign the appropriate rule set and message.
5. For the catch-all rule matching all clients in the LAN, no automatic client update is required. Therefore, the Software Update Required
parameter is set to No.
Before deploying new client versions to large-scale environments, the client software is usually tested on a limited number of clients. It is
therefore recommended to create a separate policy rule matching only a limited number of clients and to enable automatic software update
only in this policy rule. After a smaller number of clients has been updated successfully, you may enable automatic software updates for
the rest of the company's clients.
In the example, you are not required to manually add Network Access Policies. Instead, you can set up your firewall rules on the gateway
firewall using the implicit roles unhealthy, healthy, probation and untrusted.
Step 5. Configure the Forwarding Firewall Rule Set
Enforcement of the security policy is provided by the Barracuda Network Access Client software installed on the endpoint itself. Whenever
traffic leaves the local collision domain, Barracuda NG Firewalls can provide additional protection. To enforce the health policy, Barracuda NG
Firewalls can interpret the access policy attribute assigned to the endpoint within their rule sets. This provides a way to enforce network
access control based on date and time, identity and health state, as well as the type of network access.
To allow communication with protected servers only for clients conforming to the health policy, modify the gateway firewall rule set as follows:
1. Open the forwarding firewall rule set and navigate to the User Groups section.
2. Select New… in the context menu to create a new user object.
3. After defining a name for the user object, add a new User Condition:
a. Within the Policy Roles Patterns section, change Logic Operation to One Pattern must match (OR).
b. Add two new Policy Roles Patterns: healthy and probation.
c. Close the User Condition dialog.
4. Create or edit the Healthy-Access-to-protected-Servers firewall rule:
a. Add a reference to the new healthy-clients user object within the Authenticated User dialog box.
With user authentication assigned to the firewall rule, only clients that fully conform to the healthy policy or that are in probation state are
allowed to access the protected network.
To avoid blocking new connections and terminating existing connections just because the antivirus patterns are out of date for a few
minutes, Barracuda Networks also allows access for clients in probation status. Remember that the client is in probation status while it
tries to execute the remediation actions. If the remediation fails, the client becomes unhealthy.
How to Install and Configure the Barracuda NAC Light
To use the network security enforcing features of the Barracuda Network Access Client without fully installing it, install the Barracuda VPN Client
in 'NAC Light' mode. The Barracuda VPN Client can enforce Windows Security Center settings on client machines running Windows Vista,
Windows 7, Windows 8, or Windows 10 so that only healthy clients are allowed to connect. The client security settings are validated via the
Barracuda NG Firewall's VPN service without requiring the Barracuda Personal Firewall or the Barracuda Access Monitor to be installed on the
client machines.
This article provides step-by-step instructions on how to install and configure the Barracuda Network Access Client in Light mode.
In this article:
Step 1. Set Up a VPN Service on the Barracuda NG Firewall
Step 2. Configure a Client-to-Site VPN Connection
Step 3. Install the Barracuda VPN Client on the Client Machines
Step 4. Select the Windows Security Settings to Enforce
Step 1. Set Up a VPN Service on the Barracuda NG Firewall
Create and configure a VPN service. For instructions, see Client-to-Site VPN. You will select the Windows Security settings via the Barracuda NG
Firewall's VPN service.
Step 2. Configure a Client-to-Site VPN Connection
Configure the VPN service for client-to-site VPN connections. For instructions, see Client-to-Site VPN.
Step 3. Install the Barracuda VPN Client on the Client Machines
On the client machines to be managed, install the Barracuda VPN Client with one of the following methods:
Preconfigured Remote Custom Installation – For instructions including the full list of possible parameters, see Partially Preconfigured
Unattended Remote Custom Installation. Use at least this parameter:
Parameter
Description
PROGTYPE=VPN
Selects the VPN-only installation mode.
VPN-Only Installation – The interactive standard installation process. For instructions, see VPN-Only Installation.
Step 4. Select the Windows Security Settings to Enforce
In your client-to-site VPN template, select the Windows security settings to enforce on client machines.
1. In Barracuda NG Admin, open the Client to Site page (Config Tree > Box > Virtual Servers > your virtual server > Assigned
Services > your VPN service > Client to Site).
2. From the Barracuda VPN CA tab, click the Templates tab.
3. Double-click the template.
4. In the Enforce Windows Security Settings section of the Barracuda Templates window, select the security settings that you want to
enforce:
Microsoft Network Firewall
Windows Updates
Windows Virus Protection
Windows Spyware Protection
Internet Security Settings
In the following figure, the Enforce Windows Security Settings section is highlighted:
The next time the Barracuda VPN Client connects to your server, it queries the client machine's Windows Action Center settings while
initiating the connection. The connection is only established if these settings meet the Windows Security settings configured in the VPN
service.
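When a NAC Light client is refused, it helps to see what the Windows Security Center reports on that machine before blaming the template. The following PowerShell script is an added example, not Barracuda's code and not the exact check the VPN service performs: it reads the firewall, antivirus and antispyware products registered in the WMI namespace root\SecurityCenter2 (the same Security Center data the Barracuda client's debug output refers to as SecureCenter2) and the Windows Update service state, and summarizes them against the four product-related template checks. The productState decoding is the commonly used but undocumented interpretation and is an assumption; the Windows Update proxy (service not disabled) and the function names are the author's own, and the Internet Security Settings check has no WMI equivalent and is omitted.

```powershell
# Added example (not part of the Barracuda documentation): show the Windows Security Center
# state that a NAC Light enforcement has to work with on this client.
# Assumption: productState decoding below is the widely used, undocumented interpretation
# (second byte 0x10/0x11 = enabled, low byte 0x00 = definitions up to date).

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$ProductState)
    $hex = '{0:X6}' -f $ProductState      # e.g. 266240 -> "041000"
    [pscustomobject]@{
        Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
        UpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

function Get-SecurityCenterProducts {
    # One row per registered product in each Security Center category.
    foreach ($class in 'FirewallProduct', 'AntiVirusProduct', 'AntiSpywareProduct') {
        $items = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            $state = ConvertFrom-ProductState -ProductState $p.productState
            [pscustomobject]@{
                Category = ($class -replace 'Product$')
                Product  = $p.displayName
                Enabled  = $state.Enabled
                UpToDate = $state.UpToDate
                RawState = ('0x{0:X6}' -f $p.productState)
            }
        }
    }
}

function Test-NacLightReadiness {
    # Rough equivalent of the template checks Microsoft Network Firewall, Windows Updates,
    # Windows Virus Protection and Windows Spyware Protection. The Windows Update test
    # (service not disabled) is an assumption, not Barracuda's documented criterion.
    $products = Get-SecurityCenterProducts
    $wuauserv = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FirewallEnabled     = [bool]($products | Where-Object { $_.Category -eq 'Firewall' -and $_.Enabled })
        AntiVirusEnabled    = [bool]($products | Where-Object { $_.Category -eq 'AntiVirus' -and $_.Enabled -and $_.UpToDate })
        AntiSpywareEnabled  = [bool]($products | Where-Object { $_.Category -eq 'AntiSpyware' -and $_.Enabled })
        WindowsUpdateActive = ($null -ne $wuauserv -and $wuauserv.StartType -ne 'Disabled')
    }
}

Get-SecurityCenterProducts | Format-Table -AutoSize
Test-NacLightReadiness | Format-List
```

A product that shows Enabled but not UpToDate is the usual reason a client passes the firewall check and still fails virus protection; compare the RawState column across a working and a failing machine before adjusting the template.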
How to Configure Multiple VPN Gateways
You can configure the Barracuda VPN Client for Windows to silently switch to fallback VPN gateways when a VPN gateway is not reachable, such
as when the client is used in different corporate networks or geographic locations. A working VPN connection is always available and the
appropriate gateway is automatically selected.
For each gateway, configure a VPN profile. This article provides step-by-step instructions on how to configure VPN profiles for an example
scenario with three gateways.
This article only provides steps on how to configure the basic settings for the VPN profiles. Settings such as authentication are not
described in this article. For more information on authentication methods and how to configure a VPN profile, see Creating VPN Profiles.
In this article:
The Example Scenario and Fallback Chain
Setting Up the VPN Profiles
Step 1. Set Up the Various VPN Gateways
Step 2. Configure externalvpn.mycompany.com
Step 3. Configure hqvpn
Step 4. Configure branchvpn
The Example Scenario and Fallback Chain
In the example scenario for this article, three VPN profiles are used to connect to a corresponding gateway into the company network:
externalvpn.mycompany.com – The gateway to be used when the client is not connected to a corporate network.
hqvpn – The gateway to be used within the company HQ's network.
branchvpn – The gateway to be used within a branch office's network.
This article provides instructions for configuring these VPN profiles as part of a fallback chain that will be used by the VPN client to find the
appropriate gateway. You can initiate a VPN connection using the hqvpn profile, which is set as the default VPN profile. If necessary, the VPN
client will try each configured VPN profile in the fallback chain until it can establish a connection. You can also initiate the connection using any
other VPN profile in the chain.
Example scenario:
Fallback chain:
Setting Up the VPN Profiles
Follow the steps in the following sections to set up the VPN profiles for the three gateways in the example scenario.
Step 1. Set Up the Various VPN Gateways
Create a VPN profile for each of the three VPN gateways.
1. In the Barracuda VPN Client window, click Preferences.
2. When the Barracuda VPN Control window opens, click New in the left navigation pane to launch the Profile Wizard. You can also
right-click the window's main area and select New (Wizard) or New.
3. Type the IP address or host name of the first gateway into the Remote Server field. In this example, the host name is
externalvpn.mycompany.com.
4. Select the Remember my user name check box so that the client will reconnect to this server without prompting users for their
username.
5. Click Next.
6. On the Authentication Method screen, select your authentication method:
If you choose User Name and Password, you must configure additional settings to save the password locally if you do not want
the client to constantly prompt users for a password when changing gateways.
To automatically reconnect in the background, select Certificate or Barracuda Personal License.
Do not select SecurID because it uses one-time passwords, which are not suitable with fallback gateways.
See Creating VPN Profiles for more information on configuring a profile and choosing the right authentication method.
7. Configure the two remaining profiles with your respective parameters. The two remaining profiles used in the example scenario are
named hqvpn and branchvpn, and they point to identically named VPN servers.
Step 2. Configure externalvpn.mycompany.com
1. In the Barracuda VPN Control window, right-click the externalvpn.mycompany.com entry and select Modify Profile.
2. In the Properties window, click the Advanced Settings tab.
3. In the Tunnel Connect section, set Enable VPN Tunnel Probing to Yes. This setting ensures that the client will always use the fastest
available gateway.
4. In the Tunnel Reconnect section, set WLAN Roaming, Fast Reconnect, and Reconnect immediately to Yes.
5. In the same section, set Fallback Profile to hqvpn. With this option set, the next gateway in the chain will be tried if the primary gateway
is not reachable.
6. Because the externalvpn.mycompany.com gateway is used when the client is not connected to the company network, you should
disable it in the company network.
7. Although the external URL of a company's VPN server should not be reachable from within a cleanly configured company network, you
can accelerate the switch to the next fallback profile by enabling the client to detect the company's Active Directory (AD) service. In the
Active Directory section, configure the following settings:
Set Probe Active Directory to Yes.
In the Active Directory IP field, you can enter one or more known IP addresses for the MSAD service to help the client quickly
detect the AD service.
8. In the User Interface Settings section, configure the following settings:
If you configured username and password authentication, set Remember logon user name to Yes to disable login prompts.
To store credentials after they are entered, set Use MS Credential Manager to Local. Stored credentials are protected only by the
Windows user profile; if that is a concern, use certificate-based authentication (see step 6 above) instead of a saved password.
To disable the informational pop-up window that displays connection status changes, set Show Popup to No.
9. Click OK to save the configuration.
Step 3. Configure hqvpn
Configure the hqvpn profile with the same settings as the external profile, with these three exceptions:
1. In the Tunnel Reconnect section, set Fallback Profile to branchvpn. This way, the branch network's VPN gateway is defined to be the
next gateway in the chain.
2. Disable Active Directory probing. In the Active Directory section, set Probe Active Directory to No.
3. Define hqvpn as the default profile by right-clicking its list entry in the Barracuda VPN Control window and selecting Set as Default.
The client will automatically start with this profile in the fallback chain when it tries to establish a connection.
Step 4. Configure branchvpn
Configure the branchvpn profile with the same settings as the hqvpn profile, with these two exceptions:
1. In the Tunnel Reconnect section, set Fallback Profile to externalvpn.mycompany.com. This closes the fallback chain so that the
external VPN gateway will be tried next if none of the company's internal VPN gateways is reachable.
2. Do not select branchvpn as the default profile.
How to Configure Direct Access
To give mobile users seamless access to corporate networks, configure the Direct Access feature of the Barracuda VPN Client for Windows. Use
Direct Access to provide a permanent VPN connection for mobile workers, ensuring corporate-compliant Internet access through a secure VPN
connection. Direct Access provides the following:
Availability and Control - If the configured VPN gateway becomes unreachable for any reason, the VPN client automatically starts three
connection attempts to the corporate VPN gateway.
Acceleration and Balancing - If the three connection attempts fail, the VPN client triggers the path finder connection mechanism to
determine the fastest or nearest connection to other predefined VPN gateways in fallback profiles.
Geo Awareness - If the VPN client detects the availability of an MS Active Directory service, Direct Access is disabled since the client
resides within the corporate LAN.
To configure Direct Access, complete the steps in the following sections.
In this article:
Step 1. Set Up a VPN Gateway
Step 2. Define Fallback Profiles
Step 3. Enable Direct Access
Step 1. Set Up a VPN Gateway
If you do not already have a VPN profile configured, create one.
1. In the Barracuda VPN Client window, click Preferences.
2. In the Barracuda VPN Control window, click New in the left navigation pane to launch the Profile Wizard. You can also right-click the
window's main area and select New (Wizard) or New.
3. Type the IP address or host name of the gateway into the Remote Server field. In this example, the host name is
externalvpn.mycompany.com.
4. Select the Remember my user name check box so that the client will reconnect to this server without prompting users for their
username.
5. Click Next.
6. On the Authentication Method screen, select your authentication method:
If you choose User Name and Password, you must configure additional settings to save the password locally if you do not want
the client to constantly prompt users for a password when changing gateways.
To automatically reconnect in the background, select Certificate or Barracuda Personal License.
Do not select SecurID because it uses one-time passwords, which are not suitable with automatic reconnecting.
For more information on setting up a profile and choosing the right authentication method, see Creating VPN Profiles.
7. In the profile's Advanced Settings, set Enable MS Logon to Yes if the VPN gateway accepts OS credentials, which is very likely in
company networks and when using company hardware. Users will not be prompted for their credentials when the VPN profile is used for
the first time.
Step 2. Define Fallback Profiles
Define additional fallback VPN profiles to use if the primary gateway is not reachable. You should define a VPN profile for each location from
which you must connect to the VPN. Combine these profiles to create a fallback chain.
For instructions on how to create fallback chains, see How to Configure Multiple VPN Gateways.
Step 3. Enable Direct Access
To enable Direct Access:
1. In the Barracuda VPN Control window, click Advanced.
2. In the General VPN Settings section, set Direct Access to Yes and select your Direct Access VPN Profile. If you have a fallback
chain, select the primary VPN profile.
Direct Access is now enabled. The Barracuda VPN Client will now try to establish and maintain this connection in the background.
3. In the Miscellaneous Settings section, you can configure the following notification settings for the client connection status:
To turn off connection notifications, set Notify me when connection is established to No.
To display the connection status in the Windows task bar's notification area, set Show icon in notification area to Yes.
The Barracuda VPN Client now tries to always maintain a connection to the selected VPN gateway.
If you terminate the VPN connection manually by clicking Disconnect in the tray icon, Direct Access is disabled until you restart the
client.
If you want to remain disconnected by default, disable Direct Access.
Troubleshooting
This page provides you with solutions to some common problems concerning the Barracuda Network Access Client.
Problem: Initialization of the Personal Firewall service takes very long and thus the system's health state cannot be validated.
Solution: The Personal Firewall's API registration takes too long because the required MS Windows Security Center service (WSCSVC) is not
yet started. By default, MS Windows starts the WSCSVC service with startup type Automatic (delayed Start), and the registration then fails with
E_PENDING 0x8000000A (The data necessary to complete the operation is not yet available). Set the Startup type value of WSCSVC to
Automatic.
Debug Log output:
WMIXP2SecureCenter2.cpp(863)* Register FW Status Provider
WMIXP2SecureCenter2.cpp(62)* RegisterFWStatusProvider
WMIXP2SecureCenter2.cpp(112)* QueryInterface for Register failed Error: 0x8000000a
WMIXP2SecureCenter2.cpp(870)* RegisterFWStatusProvider failed. wait 1000 ms...(0)

Problem: Connection to the VPN server breaks immediately after establishing.
Solution: A firewall rule set may have been damaged during transfer from the VPN server to the client. Disconnect all applications and connect
again to solve the issue. This behavior may also occur with slow connections. Increase the Keep alive (seconds) parameter (see Advanced
Settings Tab) if you encounter any problems.

Problem: Connection breaks if IP address assignment via DHCP is used.
Solution: A connection problem occurs when the firewall slot is closed too early. Create a local firewall rule set to solve the issue: Action >
Pass, Service > BOOTPS (out: UDP 67; in: UDP 68).

Problem: "VPN Gateway not reachable via VPN tunnel" is logged in the Events window.
Solution: Open the Expert tab (see Advanced Settings Tab) and change the value from Virtual Adapter Configuration to Direct assignment or
the other way around.

Problem: "Session PHS: signature check failed (bad decrypt)" is logged in the Events window.
Solution: Deactivate Private Encrypt (see Connection Dialog, X.509 Authentication).

Problem: Error code 0x0000142 is continuously thrown by phionHADlg.exe in Barracuda NG Access Client 2.0 SPx. A corresponding error popup
shows up permanently in Windows XP.
Solution: This is an operating system issue (see also this Microsoft article: http://support.microsoft.com/kb/950312/en-us). As a workaround,
you may disable the respective process entry in the Microsoft Event Monitor by disabling the process monitor for the Barracuda NG Access
Client 2.0 SPx. To do so, set this DWORD registry entry to a value of "0":
HKEY_USERS\.DEFAULT\Software\Phion\phionvpn\settings\ProcessMonitor
Subsequently restart the computer.

Problem: Authentication using X.509 and eToken / SmartCard fails in Barracuda NG Access Client 2.0 SPx. The following error message is
written to the VPN client log while trying to connect to the VPN server:
ERROR: Crypto Key Provider doesn't support native RSA CryptEncrypt/CryptDecrypt
Solution: The crypto service provider (e.g., Smartcard from aTrust) does not support native RSA access. In this case, set the Probe Encryption
option within VPN Profile > Properties > Connection Entries to No. Thereby, the probe encryption will not be executed prior to the actual
connecting process. The user is then prompted for the PIN and will have 20 seconds to enter it before the timeout at the VPN service is
reached.

Problem: A VPN connection cannot be established due to a Firewall Status mismatch error. The VPN Service on the Barracuda NG Firewall
drops incoming connection requests by a Barracuda NG Network Access Client with a version number below 2.0 SP3 and writes the following
error message to the VPN Log:
Warning Session PGRP-AUTH-user01: reply unsuccesful handshake: 100 36 Firewall Status mismatch
Solution: Barracuda NG Network Access Clients prior to version 2.0 SP3 cannot interpret the VPN Service's Firewall Always ON option, which
therefore effectively prevents connection establishment for these clients. To allow these older clients to connect to the VPN service, navigate
in Barracuda NG Admin to Config > Box > Virtual Servers > [Servername] > Assigned Services > [Servicename] > Client to Site > External CA >
Group Policy and clear the Firewall Always ON check box. Ask your administrator to do this if you have no access to the Barracuda NG Firewall
yourself. See also: Firewall Always ON option.

Problem: The VPN Client cannot open a connection due to a timeout. Barracuda NG Network Access Client 2.0 SPx breaks the VPN connection
and writes the following error message to the client log:
Could not connect to serverConnectLib,
Open() failed: could not open DIRECT connection,
IOStreamSock: Connect(x.x.x.x:691): TIMEOUT
Error while connect to x.x.x.x:691 (proto=TCP)
This message appears only if the server's IP address is reachable, but at the same time no listen port (UDP/TCP 691) is available.
Solution: The VPN Service listens by default on the first and the second server IP address. For additional server IP addresses, it is necessary
to bind the service manually to these additional IP addresses. Navigate to Config > Box > Virtual Servers > [Servername] > Assigned Services >
[Servicename] > Service Properties > Service Availability to achieve this.
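The client-log signatures quoted in this table can be matched mechanically when a helpdesk receives an exported log. The following shell script is an added example and not Barracuda code: it scans a log file for the lines documented above and prints the remedy from the table for each one it finds. The sample log it runs on is constructed from the quoted lines, and the tag names (WSCSVC-PENDING and so on) are labels chosen for this example, not Barracuda terms.

```shell
#!/bin/sh
# Added example, not Barracuda code: triage an exported NAC/VPN client log
# against the signatures quoted in the troubleshooting table above.
# The tag names (WSCSVC-PENDING, ...) are labels chosen here, not Barracuda terms.

# sample_log: constructed log excerpt made of the lines quoted on this page.
sample_log() {
    cat <<'EOF'
WMIXP2SecureCenter2.cpp(112)* QueryInterface for Register failed Error: 0x8000000a
WMIXP2SecureCenter2.cpp(870)* RegisterFWStatusProvider failed. wait 1000 ms...(0)
Open() failed: could not open DIRECT connection,
IOStreamSock: Connect(192.0.2.10:691): TIMEOUT
EOF
}

# triage_log <logfile>: print "TAG: remedy" for every documented signature found.
# Returns 0 if at least one signature matched, 1 if the log holds none of them.
triage_log() {
    log="$1"
    found=1
    if grep -q 'RegisterFWStatusProvider failed' "$log" || grep -qi 'Error: 0x8000000a' "$log"; then
        echo "WSCSVC-PENDING: firewall status registration waits for the Windows Security Center service; set the WSCSVC startup type to Automatic (not delayed)."
        found=0
    fi
    if grep -q "Crypto Key Provider doesn't support" "$log"; then
        echo "CSP-NO-NATIVE-RSA: smartcard CSP lacks native RSA; set Probe Encryption to No (VPN Profile > Properties > Connection Entries)."
        found=0
    fi
    if grep -q 'Firewall Status mismatch' "$log"; then
        echo "FW-STATUS-MISMATCH: client older than 2.0 SP3 meets Firewall Always ON; update the client or have the administrator clear that option."
        found=0
    fi
    if grep -q 'Connect([^)]*:691): TIMEOUT' "$log"; then
        echo "VPN-PORT-TIMEOUT: server IP answers but nothing listens on port 691; bind the VPN service to that server IP under Service Availability."
        found=0
    fi
    return $found
}

# Stand-alone demo on the constructed sample (two of the four signatures match).
demo=$(mktemp)
sample_log > "$demo"
triage_log "$demo"
rm -f "$demo"
```

Run it as `sh triage.sh` for the demo, or source it and call `triage_log /path/to/exported.log`; a non-zero return means none of the documented signatures is present and the log needs manual reading.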
NAC PowerShell
The Barracuda Network Access Client for Windows offers a dedicated PowerShell. The PowerShell enables administrators and users to configure
and control the VPN client via a command line interface.
Starting the NAC PowerShell
To open the NAC PowerShell, navigate to the installation folder of the Barracuda Network Access Client and launch the NacConsoleLoader.exe
file.
Commands
To get an overview of all currently available commands, type Get-NacCommand in the NAC PowerShell. For detailed syntax information of each
command, type <command> -?.
The following commands are available:
Add-OnDemandVPNNetwork
Add-OnDemandVPNService
Add-PolicyServer
Add-VPNProfile
Clear-PolicyServerDHCP
Connect-VPN
Disable-PersonalFirewall
Disconnect-VPN
Enable-PersonalFirewall
Get-HealthAgentSettings
Get-MasterPasswordStatus
Get-OnDemandVPNNetwork
Get-OnDemandVPNService
Get-PolicyServer
Get-VPNConnectionStatus
Get-VPNProfile
Get-VPNSettings
Remove-OnDemandVPNNetwork
Remove-OnDemandVPNService
Remove-PolicyServer
Remove-VPNProfile
Set-HealthAgentSettings
Set-MasterPassword
Set-MSCredentials
Set-VPNProfile
Set-VPNSettings
Start-HealthValidation
Barracuda VPN Client for Mac OS X
This section deals with the Mac OS X version of the Barracuda VPN Client. For Windows and Linux versions navigate to Barracuda
VPN / Network Access Clients - Overview.
The Barracuda VPN Client for Mac OS X is a fully featured VPN client for Mac OS X version 10.5 and above. It features all popular and strong
encryption algorithms such as AES256 or 3DES, as well as other popular authentication methods such as X.509 certificate authentication.
The client can either connect directly to a VPN server or through HTTP, SOCKS4, or SOCKS5 proxies using different protocols. You can
configure an unlimited number of named VPN profiles to fulfill a wide variety of VPN server requirements. The secure and small client can run in a
background task and lets you quickly connect and disconnect to configured VPN servers.
In this article:
Supported Operating Systems and VPN Client Versions
Languages
Encryption Algorithms
Authentication Methods
Proxy Types
Tunnel Modes
Tunnel Encryption Hash Methods
Setting up the Barracuda VPN Client for Mac OS X
Supported Operating Systems and VPN Client Versions
Mac OS X 10.5 (Leopard): Barracuda VPN Client for Mac OS X version 3.2 HF6
Mac OS X 10.6 (Snow Leopard): Barracuda VPN Client for Mac OS X version 3.2 HF6
Mac OS X 10.7 (Lion): Barracuda VPN Client for Mac OS X version 3.6.2
Mac OS X 10.8 (Mountain Lion): Barracuda VPN Client for Mac OS X version 3.6.2
Mac OS X 10.9 (Mavericks): Barracuda VPN Client for Mac OS X version 3.6.5
Mac OS X 10.10 (Yosemite): Barracuda VPN Client for Mac OS X version 3.6.5
Mac OS X 10.11 (El Capitan): Barracuda VPN Client for Mac OS X version 3.6.5
Languages
The Barracuda VPN Client for Mac OS X is available in the following languages:
English (EN)
German (DE)
Japanese (JP)
French (FR)
Spanish (ES)
Italian (IT)
Encryption Algorithms
AES128
AES256
CAST
BlowFish
3DES
DES
Authentication Methods
Public Key (License File)
X.509 Certificate
X.509 Certificate + Username / Password
Username / Password
Proxy Types
HTTP
SOCKS4
SOCKS5
Tunnel Modes
TCP
UDP
Hybrid
Tunnel Encryption Hash Methods
MD5
SHA
Setting up the Barracuda VPN Client for Mac OS X
For more information on how to set up and use the Barracuda VPN Client for Mac OS X, see the following articles in this section:
How to Install and Update the Barracuda VPN Client for Mac OS X
How to Configure the Barracuda VPN Client for Mac OS X
How to Establish and Terminate a VPN Connection
How to Uninstall the Barracuda VPN Client for Mac OS X
Using the Barracuda VPN Client via Command Line
How to Install and Update the Barracuda VPN Client for Mac OS X
Before installing or updating the Barracuda VPN Client for Mac OS X, download it from the Barracuda Customer Portal. All provided update/hotfix
packages contain the entire VPN client. Update the VPN client by installing the latest software package.
1. Launch the Barracuda VPN Client installation file (BarracudaVPNClientInstaller.pkg).
2. When the Welcome screen opens, click Continue.
3. Select Install for all users of this computer and click Continue.
4. When prompted, enter your system user credentials and click Install Software. Your system account requires admin privileges to install
the client.
5. Select an install location. You can click Change Install Location and specify an install location, or you can click Install to use the default
install location.
After you choose your install location, the installation process starts.
6. After the installation process finishes, click Close.
After installing the Barracuda VPN Client, you can configure it. Continue with How to Configure the Barracuda VPN Client for Mac OS X.
Related Articles
The Barracuda VPN Client for Mac OS X
How to Uninstall the Barracuda VPN Client for Mac OS X
How to Configure the Barracuda VPN Client for Mac OS X
After installing the Barracuda VPN Client, you can configure your VPN connection settings. In the Barracuda VPN Client, your VPN connection
settings are saved in a VPN profile. You can create a new VPN profile or edit an existing VPN profile.
In this article:
Configure a VPN Profile
VPN Profile Settings
Authentication Settings
Proxy Settings
License Settings
Advanced Settings
Configure a VPN Profile
1. Launch the Barracuda VPN Client. You can access it through the Finder and the Launchpad. It resides in the Applications folder.
If you have a client prior to version 3.0 installed on your system, your old configuration is migrated to the Barracuda VPN Client
and displayed as the default VPN profile. You can create a new VPN profile or edit the existing default profile.
2. To create a new VPN profile, select New from the Profile Name list.
Then, enter a name for your new profile and click OK.
3. To edit an existing VPN profile, select it from the Profile Name list and click Configure.
4. After configuring your VPN profile settings in the Barracuda VPN Configuration window, click Save. For more information on VPN
profile settings, see the following section.
Your VPN profile configuration is saved to a plain text ASCII file: /System/Library/barracudavpn/barracudavpn.conf.
VPN Profile Settings
In the Barracuda VPN Configuration window, you can specify the settings for a new VPN profile or edit the settings for an existing VPN profile.
In the Profile section, you can delete or rename the profile by clicking Delete or Rename.
Authentication Settings
In the Authentication Settings section, configure the authentication method for the VPN connection. For details on the required authentication
method, contact your administrator. You can specify the following settings:
Authentication Type - Select one of the following methods:
Public Key (license)
X509 Cert (certificate)
X509 Cert + User/Pass
User + Pass only
If the authentication method is certificate-based but you select Public Key or User + Pass only, the imported certificate will be
removed. Any imported licenses will remain in the file system.
If the authentication method is license-based but you select X509 Cert, X509 Cert + User/Pass, or User + Pass only, the
imported license will be removed. Any imported certificates will remain in the file system.
Server Address - The IP address or host name of the VPN server.
You can also enter a comma-delimited list of VPN servers.
Server Port - The VPN server port.
Proxy Settings
If a proxy is required, configure it in the Proxy Settings section. You can specify the following settings:
Proxy Type - Select one of the following types:
No Proxy
HTTP (disables all tunnel modes except TCP)
Socks4 (disables all tunnel modes except TCP)
Socks5
Proxy Server - The IP address or host name of the proxy server.
Proxy Port - The proxy server port. Examples for common port numbers are 3128 or 8080. Your network administrator can provide you
with the correct port number.
Proxy User - The username to authenticate at the proxy server.
The IP address and port number are required. In some cases, the username is also required.
If the server requires a password, you are prompted for it when you initiate a VPN connection. The proxy server’s password cannot be
set in the profile configuration. It must be set in the main window. The password is not stored locally unless you activate the Save in
Keychain checkbox.
License Settings
In the License Settings section, import your licenses and certificates.
If you selected Public Key or User + Pass only from the Authentication Type list, a certificate cannot be imported.
If you selected X509 Cert, X509 Cert + User/Pass, or User + Pass only from the Authentication Type list, a license file cannot be
imported.
To import a license, click Choose next to the License Path field and select the required license.
To import a certificate, click Choose next to the Certificate Path field and select the required certificate.
Advanced Settings
In the Advanced Settings section, you can specify more detailed settings for the Barracuda VPN Client. In this section, not all settings are
mandatory. Some settings depend on the proxy type for the VPN profile.
Be careful when configuring the settings in this section. Otherwise, the client may function incorrectly. If you are unsure about how to
configure an advanced setting, consult your network administrator.
In this section, you can specify the following settings:
Special Mode - To deactivate tunnel probing, select Silent. For normal operation, select None.
This setting is dependent on the VPN server.
Source IP - The IP address that is assigned to the client for the TAP device.
This setting is dependent on the VPN server.
Tunnel Mode - The protocol for the VPN tunnel. You can select TCP, UDP, or Hybrid.
If you selected Socks4 or HTTP from the Proxy Type list, you can only select TCP.
Tunnel Encryption Hash - The hash algorithm to be used. You can select MD5 or SHA1.
The selected option must be supported by the VPN server.
Tunnel Encryption - The tunnel encryption method. You can select AES128, AES256, CAST, BlowFish, 3DES, or DES.
The selected option must be supported by the VPN server.
TAP Device - The TAP device that is used for the VPN tunnel. In most cases, the required TAP device is /dev/tun0.
Keep Alive - The interval in seconds to send keepalive signals.
After configuring your VPN profiles, you can start using your VPN connections. Continue with How to Establish and Terminate a VPN Connection.
How to Establish and Terminate a VPN Connection
This section deals with the Mac OS X version of the Barracuda VPN Client. For Windows and Linux versions navigate to The
Barracuda VPN / Network Access Client overview page.
After installing and configuring the Barracuda VPN Client, you can initiate a VPN connection with the settings from a configured VPN profile.
In this article:
Initiating a VPN Connection
Terminating a VPN Connection
VPN Connection Status
Inactive Connections
Successfully Authenticated Connections
Successfully Established VPN Connections
Connection Status Section
Using the System Tray Menu
Initiating a VPN Connection
1. Launch the Barracuda VPN Client.
2. Select a VPN profile from the Profile Name list.
3. Depending on the profile settings, you may be prompted to enter authentication credentials for the server, license, or proxy:
If the profile is configured for public key authentication, enter your Server Password and License Password credentials.
If the profile is configured for simple username and password authentication, enter your Username and Password credentials.
If a server password is required, enter your Server Password credentials.
4. Click Connect. To monitor the progress of your VPN connection, watch the traffic light in the client window. For more information, see the
VPN Connection Status section.
You can close the Barracuda VPN Client window but keep established VPN connections running in the background by clicking
Close.
You can establish and terminate VPN connections from the Barracuda VPN Client icon in the system tray. For more
information, see the section on Using the System Tray Menu.
Terminating a VPN Connection
To terminate an established VPN connection, click Disconnect in the client window. You can then establish a new VPN connection with a
different VPN profile.
The Barracuda VPN Client forks a background process that keeps running even if you exit the main client. When you terminate an established
VPN connection, this background process is also terminated.
VPN Connection Status
In the Barracuda VPN Client window, the color of the traffic light indicates the status of your VPN connection. As the VPN connection
authenticates and establishes itself, the light changes from red to yellow to green. In the Connection Status section, you can view detailed
information about your connection.
Inactive Connections
When there are no active VPN connections, the traffic light is red.
Successfully Authenticated Connections
When an initiated VPN connection is successfully authenticated, the traffic light turns yellow and Connect changes to connecting. Wait a few
moments for the VPN tunnel to completely establish itself.
Successfully Established VPN Connections
When the VPN connection successfully establishes itself, the traffic light turns green and Connect changes to Disconnect.
Connection Status Section
The Connection Status section displays the following information about your VPN connection:
ClientIP - The IP address used by the client TAP device.
Gateway - The gateway to the VPN server.
DNS - The DNS that is assigned by the VPN server.
Routes - The routes in use.
Bits/s - The traffic throughput in bits per second.
Using the System Tray Menu
You can also establish and terminate VPN connections from the Barracuda VPN Client icon in the system tray.
To establish a VPN connection, click a VPN profile. You can only establish one VPN connection at a time. To establish a VPN connection with a
different VPN profile, you must first disconnect from the established VPN connection.
To view the status and configuration of your VPN connection and client, you can also click the following menu options:
Show Status Window
Show Configuration
About
When a VPN connection is successfully established, the status icon turns green.
To terminate your VPN connection and close the Barracuda VPN Client, click Quit Barracuda VPN Client.
You can also use the Barracuda VPN Client from the command line. For more information, see Using the Barracuda VPN Client via
Command Line.
Related Articles
The Barracuda VPN Client for Mac OS X
How to Install and Update the Barracuda VPN Client for Mac OS X
How to Configure the Barracuda VPN Client for Mac OS X
How to Uninstall the Barracuda VPN Client for Mac OS X
This section deals with the Mac OS X version of the Barracuda VPN Client. For Windows and Linux versions navigate to The
Barracuda VPN / NAC Clients Overview.
Before uninstalling the Barracuda VPN Client, terminate any established VPN connections.
Make sure that your local user account has the required rights to uninstall the Barracuda VPN Client.
1. If a Barracuda VPN Client shortcut was created in the Dock, remove the shortcut.
2. Open a command-line window.
3. Remove the Barracuda VPN Client executables. At the command line, enter:
rm -rf /Applications/BarracudaVPNClient.app
rm /usr/sbin/barracudavpn
rm /usr/sbin/barracudavpn.engine
You can also delete these executables with the Finder.
4. (Optional) To remove any certificates and licenses, enter:
rm -rf /System/Library/barracudavpn
Using the Barracuda VPN Client via Command Line
This section deals with the Mac OS X version of the Barracuda VPN Client. For Windows and Linux versions navigate to The
Barracuda VPN / NAC Clients Overview.
You can also use the Barracuda VPN Client from the command line.
To migrate your VPN configurations from client versions 3.0 and below, you must launch the Barracuda VPN Client GUI at least once.
Make sure that your local user account has the required rights.
At the command line, enter:
barracudavpn.engine [options]
You can specify any of the following command-line options:
-s --start - Start the VPN tunnel.
-p --stop - Stop the VPN tunnel.
-t --status - Show the tunnel status.
-k --keypwd - Password for the local key.
-r --serverpwd - Server password.
-c --config - Path name to configuration.
-V --version - Show the VPN client version.
-v --verbose - Show debug output.
-h --help - Show this help output.
To launch the Barracuda VPN Client GUI, enter:
barracudavpn
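A wrapper around barracudavpn.engine, as an added example that is not part of Barracuda's documentation or software. Because the page does not specify them, it assumes that the long option forms take their value as the next argument (--config <path>, --keypwd <pwd>, --serverpwd <pwd>) and that --status prints a line describing the tunnel state; the pattern passed to wait_for_tunnel must be adapted to the engine's real output. The engine accepts the two passwords only as arguments, which other local users can see in the process list while the engine runs, so the wrapper prompts for them with echo off instead of storing them in a script.

```shell
#!/bin/sh
# Added example, not Barracuda code: wrapper around barracudavpn.engine.
# Assumptions (the page does not specify them): long options take their value
# as the next argument, and --status prints a line describing the tunnel state.
ENGINE="${ENGINE:-/usr/sbin/barracudavpn.engine}"          # overridable for tests
CONFIG="${CONFIG:-/etc/barracudavpn/barracudavpn.conf}"   # assumed config path
POLL_INTERVAL="${POLL_INTERVAL:-1}"                        # seconds between status polls

# prompt_secret <label>: read a password with terminal echo off; the value is
# returned on stdout and is never written to a file or the shell history.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null || true      # no-op when stdin is not a terminal
    IFS= read -r secret
    stty echo 2>/dev/null || true
    echo >&2
    printf '%s' "$secret"
}

# vpn_start <keypwd> <serverpwd>: start the tunnel defined by $CONFIG.
# The engine takes the passwords as arguments, so they are visible in the
# process list while it runs; that is why this wrapper never hard-codes them.
vpn_start() {
    "$ENGINE" --start --config "$CONFIG" --keypwd "$1" --serverpwd "$2"
}

vpn_stop() {
    "$ENGINE" --stop
}

# wait_for_tunnel <pattern> [tries]: poll --status until its output matches
# <pattern> (the line the engine prints for an established tunnel).
# Returns 0 once matched, 1 after <tries> polls without a match.
wait_for_tunnel() {
    pattern="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if "$ENGINE" --status 2>/dev/null | grep -q -- "$pattern"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# connect_interactive <status-pattern>: prompt for both passwords, start the
# tunnel and wait for it, stopping the engine again if it never comes up.
connect_interactive() {
    keypwd=$(prompt_secret "Local key password")
    serverpwd=$(prompt_secret "Server password")
    vpn_start "$keypwd" "$serverpwd" || return 1
    unset keypwd serverpwd
    if ! wait_for_tunnel "$1" 30; then
        echo "tunnel did not come up; stopping engine" >&2
        vpn_stop
        return 1
    fi
    echo "tunnel established"
}
```

Source the file and call `connect_interactive '<pattern>'` as root, with the pattern taken from what `barracudavpn.engine --status` prints on your system once a tunnel is up; `vpn_stop` tears the tunnel down again.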
Related Articles
How to Establish and Terminate a VPN Connection
How to Uninstall the Barracuda VPN Client for Mac OS X
Barracuda VPN Client for Linux and Mac OS X (Command Line)
This section deals with the Linux and Mac OS X command-line version of the Barracuda VPN Client. For Windows and Mac OS X
GUI versions navigate to Barracuda VPN / Network Access Clients - Overview.
The Barracuda VPN Client for Linux, MacOS X, and OpenBSD is a command-line VPN client.
If your system is running Mac OS X 10.5 Leopard and above, you can also use the Barracuda VPN Client for Mac OS. The Barracuda
VPN Client features a GUI. For more information, see The Barracuda VPN Client for Mac OS X.
For more information on how to set up and use the Barracuda VPN Client, see the following articles in this section:
How to Install the Barracuda VPN Client for Linux and Mac OS X
Updating the Barracuda VPN Client for Linux and Mac OS X
How to Configure the Barracuda VPN Client for Linux and Mac OS X
How to Use the Barracuda VPN Client for Linux and Mac OS X
How to Uninstall the Barracuda VPN Client for Linux and Mac OS X
How to Install the Barracuda VPN Client for Linux and Mac OS X
This section deals with the Linux and Mac OS X command-line version of the Barracuda VPN Client. For Windows and Mac OS X
GUI versions navigate to Barracuda VPN / Network Access Clients - Overview.
To install the Barracuda VPN Client, you must have the following:
Recent Linux distribution
License (depending on authentication type):
Barracuda personal license
X.509 certificate
If you are using user/password authentication, a license is not required.
In this article:
Required Installation Information
Install the Barracuda VPN Client
Install the Barracuda VPN Client for RPM package-based Linux
Install the Barracuda VPN Client for Debian
Install the Barracuda VPN Client for OpenBSD
Install the Barracuda VPN Client for Mac OS X
Required Installation Information
You can get all the required information from your network administrator.
Before installing the Barracuda VPN Client, gather the following information:
IP address and port of the Barracuda VPN server
Local password for your license
Server password
Install the Barracuda VPN Client
To install the Barracuda VPN Client and the required license, follow the instructions in the section for your system OS:
If there is an older version of the Barracuda VPN Client installed on your system, you must remove it before installing the latest version.
At the command line, enter:
rm /usr/local/bin/barracudavpn
Because older versions of the Barracuda VPN Client are not package-based, the installation of any newer versions will fail if you do not
remove the older version.
Install the Barracuda VPN Client for RPM package-based Linux
You must install the Barracuda VPN Client for Linux as root.
1. For RPM package-based Linux systems (Novell/SuSE or RedHat/Fedora), download and install one of the following RPM packages from
your Barracuda account:
barracudavpn-2.0-SP2.i386.rpm - The dynamically linked Barracuda VPN Client. To install this package, enter:
rpm -Uh barracudavpn-2.0-SP2.i386.rpm
barracudavpn-2.0-SP2_STATIC.i386.rpm - The statically linked Barracuda VPN Client. Use this package if your target system
does not satisfy the dependencies for the dynamically linked Barracuda VPN Client. To install this package, enter:
rpm -Uh barracudavpn-2.0-SP2_STATIC.i386.rpm
2. Install the license. Depending on your license file type, use one of the following sets of instructions:
Barracuda Authentication - If a vpnpers.lic file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate p12 File - If a cert.p12 file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate Packet - If a packet of three files (cert.pem, key.pem and ca.pem) is provided, copy the files to the following
directories:
cert.pem to /etc/barracudavpn/
key.pem to /etc/barracudavpn/
ca.pem to /etc/barracudavpn/ca/
Install the Barracuda VPN Client for Debian
1. Download the barracudavpn_2.0-SP2_i386.deb package from your Barracuda account.
2. You must install the package as root. At the command line, enter:
dpkg -i barracudavpn_2.0-SP2_i386.deb
3. Install the license. Depending on your license file type, use one of the following sets of instructions:
Barracuda Authentication - If a vpnpers.lic file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate p12 File - If a cert.p12 file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate Packet - If a packet of three files (cert.pem, key.pem and ca.pem) is provided, copy the files to the following
directories:
cert.pem to /etc/barracudavpn/
key.pem to /etc/barracudavpn/
ca.pem to /etc/barracudavpn/ca/
Install the Barracuda VPN Client for OpenBSD
1. Download the barracudavpn-2.0-SP2.tgz package from your Barracuda account.
2. You must install the package as root. At the command line, enter:
pkg_add barracudavpn-2.0-SP2.tgz
The barracudavpn-2.0-SP2.tgz file is an OpenBSD package and is not just a tar.gz file. Do not install it using the tar
command.
3. Install the license. Depending on your license file type, use one of the following sets of instructions:
Barracuda Authentication - If a vpnpers.lic file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate p12 File - If a cert.p12 file is provided, copy it to the /etc/barracudavpn/ directory.
X.509 Certificate Packet - If a packet of three files (cert.pem, key.pem and ca.pem) is provided, copy the files to the following
directories:
cert.pem to /etc/barracudavpn/
key.pem to /etc/barracudavpn/
ca.pem to /etc/barracudavpn/ca/
Install the Barracuda VPN Client for Mac OS X
1. Download the barracudaVPN_setup.command file from your Barracuda account.
2. Open a terminal.
3. Change to the directory where the package is located.
4. Change to the superuser. The root password is required. Enter:
sudo su
5. Start the Barracuda VPN Client installation. Enter:
./barracudaVPN_setup.command
6. Install the license. Depending on your license file type, use one of the following sets of instructions:
Barracuda Authentication - If a vpnpers.lic file is provided, copy it to the /System/Library/barracudavpn directory.
X.509 Certificate p12 File - If a cert.p12 file is provided, copy it to the /System/Library/barracudavpn directory.
X.509 Certificate Packet - If a packet of three files (cert.pem, key.pem and ca.pem) is provided, copy the files to the following
directories:
cert.pem to /System/Library/barracudavpn/
key.pem to /System/Library/barracudavpn/
ca.pem to ???
After installing the Barracuda VPN Client, you can configure it. Continue with How to Configure the Barracuda VPN Client for Mac OS X.
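The license step is the same for the RPM, Debian, OpenBSD and Mac OS X installations above, and the files it places are the client's credentials: key.pem and cert.p12 contain the private key, and vpnpers.lic is the personal license. The following script is an added example, not Barracuda code: it detects which of the three documented forms is present in a source directory, copies the files to the documented locations, and gives the private material owner-only permissions. The directory layout follows the Linux and OpenBSD sections (/etc/barracudavpn/ and /etc/barracudavpn/ca/); for Mac OS X the page gives /System/Library/barracudavpn for the license, certificate and key but does not state where ca.pem goes, so on that platform the CA directory has to be passed explicitly rather than guessed. The sample files it runs on are constructed.

```shell
#!/bin/sh
# Added example, not Barracuda code: place the client credential files with
# owner-only permissions on the private material. Layout as documented for
# Linux/OpenBSD; the Mac OS X ca.pem destination is not given on the page, so
# pass it as the third argument there instead of relying on the default.

# is_owner_only <file>: true when group and others have no permission bits.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# install_vpn_credentials <source-dir> <base-dir> [<ca-dir>]
# Prints the form installed (license, p12 or packet); returns 1 when the
# source directory holds none, or more than one, of the documented forms.
install_vpn_credentials() {
    src="$1"; base="$2"; cadir="${3:-$base/ca}"
    forms=0
    if [ -f "$src/vpnpers.lic" ]; then forms=$((forms + 1)); fi
    if [ -f "$src/cert.p12" ]; then forms=$((forms + 1)); fi
    if [ -f "$src/cert.pem" ] && [ -f "$src/key.pem" ] && [ -f "$src/ca.pem" ]; then
        forms=$((forms + 1))
    fi
    if [ "$forms" -ne 1 ]; then
        echo "expected exactly one credential form in $src, found $forms" >&2
        return 1
    fi
    mkdir -p "$base"
    if [ -f "$src/vpnpers.lic" ]; then
        install -m 600 "$src/vpnpers.lic" "$base/vpnpers.lic"   # Barracuda personal license
        echo license
    elif [ -f "$src/cert.p12" ]; then
        install -m 600 "$src/cert.p12" "$base/cert.p12"         # PKCS#12 bundle: contains the private key
        echo p12
    else
        mkdir -p "$cadir"
        install -m 644 "$src/cert.pem" "$base/cert.pem"         # public certificate
        install -m 600 "$src/key.pem"  "$base/key.pem"          # private key: owner only
        install -m 644 "$src/ca.pem"   "$cadir/ca.pem"          # trust anchor
        echo packet
    fi
    # Verify the private material really ended up owner-only.
    for f in "$base/vpnpers.lic" "$base/cert.p12" "$base/key.pem"; do
        if [ -f "$f" ] && ! is_owner_only "$f"; then
            echo "$f is not owner-only" >&2
            return 1
        fi
    done
}

# Stand-alone demo with constructed files in a scratch directory.
demo=$(mktemp -d)
mkdir "$demo/src"
for f in cert.pem key.pem ca.pem; do echo "constructed $f" > "$demo/src/$f"; done
install_vpn_credentials "$demo/src" "$demo/etc/barracudavpn"
ls -lR "$demo/etc"
rm -rf "$demo"
```

On a real system run it as root, e.g. `install_vpn_credentials ~/vpn-files /etc/barracudavpn`; the script refuses a source directory that mixes a license with a certificate, because the client's authentication type expects exactly one of them.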
Updating the Barracuda VPN Client for Linux and Mac OS X
This section deals with the Linux and Mac OS X command-line version of the Barracuda VPN Client. For Windows and Mac OS X
GUI versions navigate to Barracuda VPN / Network Access Clients - Overview.
Disconnect before installing your new client.
You can receive updates for the Barracuda VPN Client via the Main Menu or conventional distribution methods. After you receive your updates,
install them.
In this article:
Receiving Updates
Via the Main Menu
Via Conventional Distribution Methods
Installing Updates
Receiving Updates
You can receive updates for the Barracuda VPN Client via the Main Menu or conventional distribution methods.
Via the Main Menu
Your network administrator is able to provide you with client updates. If an update is available, you can load it onto your machine and install it.
From the Main Menu, select Update Client. Downloads are saved in the /tmp/ folder.
Via Conventional Distribution Methods
You can receive updates for the Barracuda VPN Client via conventional distribution methods, such as email or floppy disk.
Installing Updates
You must install your update packages as root. Install updates with the same command that you used to install the Barracuda VPN Client
package:
RPM package-based Linux: rpm -Uh <update-package>
Debian: dpkg -i <update-package>
OpenBSD: pkg_add <update-package>
Mac OS: ./<update-package>
How to Configure the Barracuda VPN Client for Linux and Mac OS X
This section deals with the Linux and Mac OS X command-line version of the Barracuda VPN Client. For Windows and Mac OS X
GUI versions navigate to Barracuda VPN / Network Access Clients - Overview.
When you first start the Barracuda VPN Client after installing it, you must configure it.
To run the Barracuda VPN Client, you must be root (or equivalent). At the command line, you can also change the file permissions by
entering:
chmod 4755 /usr/sbin/barracudavpn
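The chmod above sets the setuid bit, so after it barracudavpn runs with root privileges for any local user who can execute it, and the client keeps its configuration in a plain-text file (the Mac OS X GUI page names /System/Library/barracudavpn/barracudavpn.conf). The following audit script is an added example, not Barracuda code: it reports whether a file is setuid, whether others can write it, and whether others can read it. Paths are parameters; the comments name /usr/sbin/barracudavpn from this page and /etc/barracudavpn/barracudavpn.conf as an assumed Linux location that the page does not state. The files it checks in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Barracuda code: audit the client binary and its plain-text
# configuration after the chmod 4755 shown above. Intended targets are
# /usr/sbin/barracudavpn (from the page) and the configuration file, assumed
# here to be /etc/barracudavpn/barracudavpn.conf on Linux (not stated on the page).

# audit_file <path>: print one finding per line, from this set:
#   SETUID       runs with the file owner's privileges (the chmod 4755 case)
#   GROUP_WRITE  group members can replace or edit it
#   WORLD_WRITE  any local user can replace or edit it
#   WORLD_READ   any local user can read it (matters for the config file)
#   MISSING      file does not exist
# The return value is the number of findings, so 0 means nothing to report.
audit_file() {
    f="$1"; n=0
    if [ ! -e "$f" ]; then echo "MISSING $f"; return 1; fi
    perms=$(ls -ld "$f" | cut -c1-10)       # e.g. -rwsr-xr-x
    if [ -u "$f" ]; then echo "SETUID $f"; n=$((n + 1)); fi
    case "$perms" in ?????w????) echo "GROUP_WRITE $f"; n=$((n + 1)) ;; esac
    case "$perms" in ????????w?) echo "WORLD_WRITE $f"; n=$((n + 1)) ;; esac
    case "$perms" in ???????r??) echo "WORLD_READ $f"; n=$((n + 1)) ;; esac
    return $n
}

# audit_client [<binary>] [<config>]: audit both files and summarise.
# A setuid binary that is group- or world-writable is the case to act on first;
# a world-readable config exposes the server address and profile settings.
audit_client() {
    bin="${1:-/usr/sbin/barracudavpn}"
    conf="${2:-/etc/barracudavpn/barracudavpn.conf}"   # assumed path
    total=0
    audit_file "$bin";  total=$((total + $?))
    audit_file "$conf"; total=$((total + $?))
    echo "findings: $total"
    return $total
}

# Stand-alone demo on constructed files in a scratch directory.
demo=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo/barracudavpn"; chmod 4755 "$demo/barracudavpn"
printf 'constructed profile\n' > "$demo/barracudavpn.conf"; chmod 644 "$demo/barracudavpn.conf"
audit_client "$demo/barracudavpn" "$demo/barracudavpn.conf" || true
rm -rf "$demo"
```

Run `audit_client` with no arguments on an installed system; a reported SETUID is expected after the chmod above (that is what it does), while GROUP_WRITE or WORLD_WRITE on the same file means any user in that group, or any user at all, can change what runs as root and must be fixed before anything else.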
In this article:
Configure the Barracuda VPN Client
VPN Client Settings
Authentication and Proxy Settings
Expert Settings
Configure the Barracuda VPN Client
Configurations for client version 2 and below are not migrated to the new client. However, installing the new client version will not
modify the configuration for the older client version.
1. Start the Barracuda VPN Client. At the command line, enter:
barracudavpn
2. Configure your settings. For more information about these settings, see the following VPN Client Settings section below.
Mandatory settings are displayed in orange boxes. The number of mandatory settings is dependent on your connection type.
The <-> symbol indicates lists from which you can select one of several options. Navigate through these options by pressing < or
>.
3. After configuring your settings, save your configuration.
VPN Client Settings
For the Barracuda VPN Client, configure your authentication and proxy settings.
Authentication and Proxy Settings
You can specify the following authentication and proxy settings:
Authentication - The authentication method to be used for successful VPN connections. For details on the required authentication
method, contact your administrator. You can select one of the following options:
Personal License (Public Key) - Must be renamed and copied to /etc/barracudavpn/vpnpers.lic
X509 Cert
X509 Cert+User/Pass
User/Pass only
Server Address - The IP address or host name of the VPN server.
You can also enter a comma-delimited list of VPN servers.
Server Port - The VPN server port.
Proxy Type - If required, the proxy to be used. You can select one of the following types:
No Proxy - Uses a direct connection to the VPN server.
HTTP - Connect via an HTTP proxy, such as Squid.
Socks4 - Connect via a SOCKS4 server.
Socks5 - Connect via a SOCKS5 server.
Proxy Server - The IP address or host name of the proxy server.
Proxy Port - The proxy server port. Examples for common port numbers are 3128 or 8080. Your network administrator can provide you
with the correct port number.
Proxy Username - The username to authenticate at the proxy server.
The IP address and port number are required. In some cases, the username is also required.
If the server requires a password, you are prompted for it when you initiate a VPN connection.
Expert Settings
In the EXPERT SETTINGS section, you can specify more detailed settings for the Barracuda VPN Client. In this section, not all settings are
mandatory. Some settings depend on the configured proxy type.
Special Mode - You can deactivate keepalive packets to the VPN server. You can select one of the following modes:
NONE - Normal operation.
SILENT - Deactivate keepalive packets to the VPN server. This mode lets dial-up adapters such as ISDN cards hang up the line when
idle; otherwise the keepalive traffic between client and server keeps the line up.
Source IP to use - The source IP address for your client.
Tunnel Mode - The protocol for the VPN tunnel. You can select TCP, UDP, or Hybrid. The Hybrid mode combines the best of both
connection types; it provides the reliability of TCP with the responsiveness of UDP.
Choose the tunnel mode with care: with an unsuitable mode, applications may malfunction or crash with data loss.
Tunnel Rekey Time - Time in minutes after which the client and server must exchange new keys.
Tunnel Encryption - The tunnel encryption method. You can select methods such as AES, CAST, or Blowfish. Prefer AES unless the server
requires otherwise; Blowfish and CAST are older ciphers, and Blowfish in particular works on 64-bit blocks.
Tap device - The TAP device that is used for the VPN tunnel. Because Linux now uses the universal TUN/TAP driver, select /dev/net/tun.
Keepalive - The timeout interval for reconnecting the tunnel. If you are using a GPRS connection, increase this setting to avoid
permanent reconnects due to dropouts.
Configure DNS - Specifies if the DNS configuration from the VPN or system is used. You can select one of the following options:
Yes - Use the DNS configuration that is provided by the VPN. The VPN domain that is configured on the VPN server is added to
the search path in /etc/resolv.conf.
No - Use the DNS configuration from the system.
Merge - Merge the DNS configurations from the VPN and system.
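What the three Configure DNS options mean for /etc/resolv.conf, as an added example (editor's code, not the client's implementation, which may differ in detail): it parses a constructed resolv.conf, applies Yes, No or Merge with a constructed VPN resolver (10.0.0.53) and VPN domain (corp.example), and renders the result. The comments carry the Merge caveat a practitioner should know: the system resolvers stay in the list, so names the VPN resolver does not answer in time are retried against them.

```python
"""The Configure DNS modes (Yes / No / Merge) applied to /etc/resolv.conf.

Added example by the editor, not the Barracuda client's own code; it shows the
resolver configuration each mode produces in general terms. The system
resolv.conf text, the VPN resolver 10.0.0.53 and the domain corp.example are
constructed sample data.
"""

SYSTEM_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
nameserver 192.0.2.53
search home.example
options ndots:1
"""
VPN_NAMESERVERS = ["10.0.0.53"]   # assumed: pushed by the VPN server
VPN_DOMAIN = "corp.example"       # assumed: the VPN domain configured on the server


def parse_resolv_conf(text: str) -> dict:
    """Split resolv.conf into nameserver list, search domains and other lines."""
    cfg = {"nameserver": [], "search": [], "other": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "nameserver" and rest.strip():
            cfg["nameserver"].append(rest.strip())
        elif key in ("search", "domain"):      # 'domain' is the legacy single-entry form
            for d in rest.split():
                if d not in cfg["search"]:
                    cfg["search"].append(d)
        else:
            cfg["other"].append(line)
    return cfg


def render_resolv_conf(cfg: dict) -> str:
    lines = [f"nameserver {ns}" for ns in cfg["nameserver"]]
    if cfg["search"]:
        lines.append("search " + " ".join(cfg["search"]))
    lines.extend(cfg["other"])
    return "\n".join(lines) + "\n"


def configure_dns(mode: str, system_text: str, vpn_nameservers: list, vpn_domain: str) -> dict:
    """Resolver configuration for Configure DNS = yes / no / merge.

    no    - the system configuration, untouched
    yes   - only the VPN resolvers; the VPN domain is put in front of the search path
    merge - VPN resolvers ahead of the system's, search paths combined
    Caveat for merge: glibc uses at most three nameserver lines (MAXNS) and retries a
    query at the next resolver when the first does not answer in time, so internal
    names can still be sent to the system's DNS servers.
    """
    system_cfg = parse_resolv_conf(system_text)
    mode = mode.lower()
    if mode == "no":
        return system_cfg
    if mode not in ("yes", "merge"):
        raise ValueError(f"unknown Configure DNS mode: {mode}")
    result = {"nameserver": list(vpn_nameservers), "search": [vpn_domain],
              "other": list(system_cfg["other"])}       # resolver options stay local
    if mode == "merge":
        for ns in system_cfg["nameserver"]:
            if ns not in result["nameserver"]:
                result["nameserver"].append(ns)
    for d in system_cfg["search"]:
        if d not in result["search"]:
            result["search"].append(d)
    return result


if __name__ == "__main__":
    for mode in ("yes", "no", "merge"):
        print(f"--- Configure DNS = {mode}")
        print(render_resolv_conf(configure_dns(mode, SYSTEM_RESOLV_CONF,
                                               VPN_NAMESERVERS, VPN_DOMAIN)), end="")
```

If internal hostnames must never reach the ISP's resolver, Yes is the mode to pick; Merge is the convenience option for hosts that also need local-network names while the tunnel is up.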
After configuring the Barracuda VPN Client, you can start using it. Continue with How to Use the Barracuda VPN Client for Linux and Mac OS X.
How to Use the Barracuda VPN Client for Linux and Mac OS X
How to Uninstall the Barracuda VPN Client for Linux and Mac OS X
This section deals with the Linux and Mac OS X command-line version of the Barracuda VPN Client. For Windows and Mac OS X
GUI versions navigate to Barracuda VPN / Network Access Clients - Overview.
Before uninstalling the Barracuda VPN Client, terminate any established VPN connections.
In this article:
Uninstall the Barracuda VPN Client on Linux
Uninstall the Barracuda VPN Client on Mac OS X
Uninstall the Barracuda VPN Client on Linux
You must uninstall the Barracuda VPN Client as root.
1. Uninstall the Barracuda VPN Client. Depending on your OS, enter one of the following commands:
OS                        Command
RPM package-based Linux   rpm -e barracudavpn
Debian                    dpkg -r barracudavpn
OpenBSD                   pkg_delete barracudaVPN-2.0-SP2
2. (Optional) To remove any certificates and licenses, enter:
rm -rf /etc/barracudavpn
Uninstall the Barracuda VPN Client on Mac OS X
1. If a Barracuda VPN Client shortcut was created in the Dock, remove the shortcut.
2. Open a command-line window.
3. Uninstall the Barracuda VPN Client. At the command line, enter:
rm /usr/local/bin/barracudavpn
4. (Optional) To remove any certificates and license, enter:
rm -rf /System/Library/barracudavpn
How to Create a *.vpn File
Creating and exporting *.vpn files is possible using Barracuda NG Admin version 5.4.1 or later.
You can import VPN profiles and Barracuda Personal Licenses to the Barracuda Network Access Client and the Barracuda VPN Client using
configuration files with the suffix *.vpn (for the importing process see How to Import a *.vpn File into the VPN Client) that can be configured and
created within Barracuda NG Admin. Follow the instructions on this page to learn how to export a VPN profile from Barracuda NG Admin.
In this article:
Creating a *.vpn File From a Barracuda Personal License
Creating a Group Policy Based *.vpn File
Advanced Manipulations: Manually Editing the Contents of a *.vpn File
Creating a *.vpn File From a Barracuda Personal License
Before creating the *.vpn file, you must configure a VPN template and configure a Barracuda Personal License to be exported in the
file.
1. In Barracuda NG Admin 5.4.1 or later, navigate to the Config Tree, and open the Client to Site page (Config > Full Config > Box > Virt
ual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings).
2. Click Lock.
3. Double-click Client to Site to open the Client to Site > your VPN configuration page.
4. Merge the Barracuda Personal License and the VPN profile you wish to export. In the Pool Licenses tab, you may attach the VPN profile
template to a license and export it from there.
To do so, open a previously prepared Barracuda Personal License by double-clicking it. The configuration template to be used is chosen
in the Template list, as shown in the figure below. You may also edit the template from here by clicking the Template button.
5. Export a VPN profile containing your license from here by clicking Export to File and selecting Export to *.vpn file.
6. On the Export VPN Profile page, where you can modify various settings prior to the creation of the *.vpn file, click a parameter name
to see a short description in the lower part of the dialog screen. Enter a meaningful name for the profile into the Description field and
adjust the other parameters as necessary.
When done, click OK.
7. A dialog appears asking you to set a license password. Either type in a password and click OK, or skip the password by clicking
No Password. Because the resulting *.vpn file carries the Barracuda Personal License, set a password whenever the file will be sent by
email or stored where others can read it.
8. In the next and last step of the file creation process, you are asked to choose a name for the file to save. Choose a saving location, type
a name, and click Save. Subsequently, the file is created.
Creating a Group Policy Based *.vpn File
Before creating the *.vpn file, you must configure a VPN template and configure VPN group settings to be exported in the file.
1. In Barracuda NG Admin 5.4.1 or later, navigate to the Config Tree, and open the Client to Site page (Config > Full Config > Box > Virt
ual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings).
2. Click Lock.
3. Double-click Client to Site to open the Client to Site > your VPN configuration page.
4. Navigate to Group Policy in the External CA tab.
5. Double-click a group policy in the list. The Edit Group Policy window opens.
6. If necessary, modify the profile settings as needed. Then click Export to File in the bottom of the window.
7. On the Export VPN Profile page, where you can modify various settings prior to the creation of the *.vpn file, click any parameter to
see a short description in the lower part of the dialog screen. Type a meaningful name for the profile into the Description field. Adjust the
other parameters as necessary.
When done, click OK.
8. A dialog follows asking you to set a password for the license. You can either type in a password and click OK, or skip the password
configuration by clicking No Password.
9. In the next and last step of the file creation process, you are asked to choose a name for the file to save. Choose a saving location, type
a name, and click Save. Subsequently, the file is created.
Advanced Manipulations: Manually Editing the Contents of a *.vpn File
Technically, a *.vpn file is a ZIP archive containing a profilename.ini file (wherein profilename stands for the name of a VPN profile)
and, if applicable, a licensename.lic file (wherein licensename stands for a Barracuda Personal License). These files are extracted and
processed by the VPN Client during the import.
To manually alter the contained profilename.ini file (assuming you already have a *.vpn file), complete the following steps:
1. It might be easier to handle the file if you rename it from filename.vpn to filename.zip first. However, this is not a requirement.
2. Open the *.vpn file using WinZIP, WinRAR, or another compressing / uncompressing tool that can handle ZIP files.
3. Extract the profilename.ini file.
4. Modify the extracted file as needed.
For more information on the profilename.ini file's syntax, see Configuring the Client or contact Barracuda Networks
Support.
When done, update the archive by replacing the file inside with the modified version.
5. If applicable, rename the file back from filename.zip to filename.vpn.
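The archive handling described above, as an added example (editor's code, not Barracuda's): it lists the members of a *.vpn file, refuses member names that would escape the extraction directory (the client extracts these files on import, and the file may have arrived by email), changes one key of the contained profile .ini without disturbing any other line, and writes the archive back with the .lic member untouched. The sample archive, the [Profile] section and its Description/Server keys are constructed for this example; the real key names are the ones documented under Configuring the Client.

```python
"""Inspect and edit a Barracuda *.vpn profile container (a ZIP archive).

Added example by the editor, not Barracuda code. The archive holds
<profilename>.ini and, if present, <licensename>.lic. The sample archive and
the [Profile] section with its Description/Server keys are constructed; the
real key names are documented under Configuring the Client.
"""
import configparser
import io
import posixpath
import zipfile

# Constructed profile text; section and key names are assumptions, not Barracuda's.
SAMPLE_INI = "[Profile]\nDescription=Example Corp\nServer=vpn.example.com\n"


def inspect_vpn(vpn_bytes: bytes) -> dict:
    """Classify members; names that would escape the extraction directory
    (absolute paths, drive letters, '..' components) go under 'unsafe'."""
    info = {"ini": [], "lic": [], "other": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(vpn_bytes)) as zf:
        for name in zf.namelist():
            parts = posixpath.normpath(name).split("/")
            if name.startswith("/") or "\\" in name or ":" in name or ".." in parts:
                info["unsafe"].append(name)
            elif name.lower().endswith(".ini"):
                info["ini"].append(name)
            elif name.lower().endswith(".lic"):
                info["lic"].append(name)
            else:
                info["other"].append(name)
    return info


def set_ini_value(text: str, section: str, key: str, value: str) -> str:
    """Set key=value inside section and leave every other line intact (comments,
    order, spacing); a configparser round trip would rewrite the whole file."""
    out, current, done = [], None, False
    for line in text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if current == section and not done:   # key absent: add it before the next section
                out.append(f"{key}={value}\n")
                done = True
            current = s[1:-1]
        elif current == section and not done and "=" in s and s.split("=", 1)[0].strip() == key:
            line = f"{key}={value}" + ("\r\n" if line.endswith("\r\n") else "\n")
            done = True
        out.append(line)
    if not done:                                  # section was last in the file, or missing
        if out and not out[-1].endswith("\n"):
            out.append("\n")
        if current != section:
            out.append(f"[{section}]\n")
        out.append(f"{key}={value}\n")
    return "".join(out)


def read_profile(vpn_bytes: bytes) -> tuple:
    """Validate the archive and return (ini member name, {section: {key: value}})."""
    info = inspect_vpn(vpn_bytes)
    if info["unsafe"]:
        raise ValueError(f"refusing archive with unsafe member names: {info['unsafe']}")
    if len(info["ini"]) != 1:
        raise ValueError(f"expected exactly one .ini profile, found {info['ini']}")
    with zipfile.ZipFile(io.BytesIO(vpn_bytes)) as zf:
        text = zf.read(info["ini"][0]).decode("utf-8")
    cp = configparser.ConfigParser()
    cp.optionxform = str                          # keep key case exactly as written
    cp.read_string(text)
    return info["ini"][0], {s: dict(cp[s]) for s in cp.sections()}


def update_profile(vpn_bytes: bytes, section: str, key: str, value: str) -> bytes:
    """Rewrite the archive with one profile value changed; .lic and other members copy through."""
    name, _ = read_profile(vpn_bytes)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(vpn_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == name:
                data = set_ini_value(data.decode("utf-8"), section, key, value).encode("utf-8")
            dst.writestr(item, data)              # keeps the member's name and timestamp
    return out.getvalue()


def build_sample_vpn(ini_name: str = "example.ini") -> bytes:
    """Build a constructed *.vpn in memory, standing in for an NG Admin export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(ini_name, SAMPLE_INI)
        zf.writestr("example.lic", "constructed placeholder, not a real license\n")
    return buf.getvalue()


if __name__ == "__main__":
    vpn = build_sample_vpn()
    print(inspect_vpn(vpn))
    print(read_profile(update_profile(vpn, "Profile", "Server", "vpn2.example.com"))[1])
```

Because a *.vpn file may carry a Personal License, handle the edited copy like a credential: keep it out of shared mailboxes and world-readable directories, and delete the extracted .ini and .lic once the archive is rebuilt.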
How to Import a *.vpn File into the VPN Client
Importing *.vpn files is possible with the Barracuda Network Access Client for Windows version 3.2 or later, as well as with the Barracuda
VPN Client for Mac OS X version 3.2 or later.
You can import VPN profiles and Barracuda Personal Licenses to the Barracuda Network Access Client and the Barracuda VPN Client using
configuration files with the suffix *.vpn that can be configured and created using Barracuda NG Admin 5.4.1 or later (see How to Create a *.vpn
File). Follow the instructions on this page to learn how to import such a file into the Barracuda Network Access Client for Windows or the
Barracuda VPN Client for Mac OS X.
After a *.vpn file has been prepared, it can be imported into one or more VPN Clients. For example, a system administrator might decide to
email *.vpn files to end users or provide them as downloads within the corporate network.
In this article:
Importing a *.vpn File into the Barracuda Network Access Client on Windows
Importing a *.vpn File into the Barracuda VPN Client for Mac OS X
Importing a *.vpn File into the Barracuda Network Access Client on Windows
1. A *.vpn file to import must have been copied or moved to the workstation or be accessible otherwise via the file system.
Ensure that an instance of the Barracuda Network Access Client version 3.2 or later is correctly installed on the Windows workstation.
See also: Installing, Updating, or Uninstalling the Barracuda Network Access Client.
2. Locate the *.vpn file in the Windows Explorer and then double-click it to import the file into the VPN client.
A successful import is indicated by this message:
The newly imported VPN profile is listed in VPN Control > VPN Profiles > Barracuda Authentication.
If the *.vpn file contains a Barracuda Personal License, a license file will automatically be created during the import and stored at the
default location for licenses, which is the Barracuda Network Access Client's working directory (usually C:\ProgramData\ngclient) . In this
case, the respective file path is displayed in the Store column.
Importing a *.vpn File into the Barracuda VPN Client for Mac OS X
1. A *.vpn file to import must have been copied or moved to the workstation or be accessible otherwise via the file system.
Ensure that the Barracuda VPN Client version 3.2 or later is correctly installed on the Mac OS X workstation. See also: How to Install and
Update the Barracuda VPN Client for Mac OS X.
2. Locate the *.vpn file in the Finder and then double-click it to import the file into the VPN client. Alternatively, you can drag-and-drop the
*.vpn file onto the VPN Client's icon.
If a profile with the same name already exists, the following warning dialog will be displayed:
Click No if you do not want to overwrite the existing profile. You can then either rename the profile within the *.vpn file or you may
rename the profile already stored in the client configuration before importing the file again.
3. A successful import is indicated by opening the configuration window with the imported VPN profile:
If a *.vpn file containing a Barracuda Personal License was imported, the imported license will automatically be stored at the default
location for licenses, which is the Barracuda VPN Client's working directory (usually /Users/[Username]/.barracudavpn/). In this case, the
path to the license file is displayed in License Settings > License Path.
Related Articles
How to Create a *.vpn File
Adaptation of Profile Creation Using an .ini File (Barracuda Authentication Only)