Barracuda Networks Version Sp4 Users Manual NG Network Access Client – Administrator’s Guide | Revision

VERSION SP4 to the manual 6e8bd029-b4f9-4fa9-83e6-7fb42c7bc0aa

2015-02-02

: Barracuda-Networks Barracuda-Networks-Version-Sp4-Users-Manual-480789 barracuda-networks-version-sp4-users-manual-480789 barracuda-networks pdf

Open the PDF directly: View PDF PDF.
Page Count: 268 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Copyright Notice
Copyright (c) 2004-2011, Barracuda Networks, Inc., 3175 S. Winchester Blvd, Campbell, CA 95008 USA
www.barracuda.com
vSP4-110722-30-0722
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or
trademarks of their respective holders.
1 Barracuda NG Network Access Client - Administrator’s Guide
Barracuda NG Network Access Client
Chapter 1 - Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
Endpoint Security and Network Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Introduction to Barracuda NG Network Access Client . . . . . . . . . . . . . . . . . . . . . . . . 4
What can Barracuda NG Network Access Client be used for?. . . . . . . . . . . . . . . . . . . . . . . . . . 6
Licensing Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Policy Matching Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
What is a Policy Rule Set? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Health Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Health State "Untrusted" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Health State "Probation" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Health State "Healthy" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Health State "Unhealthy" . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Health State Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Endpoint Security Policy Introduction Practices (Analyse, Enforce, Monitor) . . . . . 15
The Border Patrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 - Server Config – Access Control Service. . . . 17
General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Access Control Service Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
System Health Validator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Remediation Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Trustzone-Border . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
802.1X. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Access Control Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Access Control Service Trustzone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Support Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 3 - Server Config – Personal Firewall Rules . . . 41
General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
<Rule Set Name> Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Rules Incoming / Outgoing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Tester . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Test Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
User Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Net Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Application Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 4 - Operating & Monitoring Barracuda NG NAC . 62
Box – Monitoring and Real-time Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Available Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Context Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Status Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Status VPN Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Access Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Quarantine Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 5 - Client Installation . . . . . . . . . . . . . . . . . . . . 68
Complete Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Custom Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Unattended Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Customer Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
customer.inf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
silent.cmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
System Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2
Chapter 6 - Update or Migration. . . . . . . . . . . . . . . . . . . 81
General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Chapter 7 - Uninstall . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Chapter 8 - VPN Configuration. . . . . . . . . . . . . . . . . . . . 83
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Facts and Figures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Chapter 9 - Barracuda NG Personal Firewall . . . . . . . . . 87
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Integration within Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Rule Set Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
User Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
General Firewall Settings and Tasks (Menu Bar). . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Firewall Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
View Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Security Mode Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Load Display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
NG Control Center - Monitoring Firewall Activities . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Live Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Current State - Setting the Security Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Rule Tester . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Test Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Administration - Firewall Settings Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Automatic Adapter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Automatic Rule Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Chapter 10 - VPN Component Configuration. . . . . . . . . 124
Create a New Profile Using the Profile Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Configure a New Profile Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Functional Elements of the Barracuda NG Network Access Client’s System Tray Icon. . . . . 130
The Barracuda NG VPN Client’s Menu Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Connection Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Status Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Message Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Barracuda Networks Control / Preferences Dialog. . . . . . . . . . . . . . . . . . . . . . . . . 137
VPN Profiles Configuration Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Certification Authorities Configuration Window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Connection Entries Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Barracuda Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Advanced Settings Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only) . . . . . . . 146
Log Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Chapter 11 - Barracuda NG Access Monitor . . . . . . . . . 149
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Access Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Health Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
802.1X Authentication - Port Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Health Agent Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Health Agent Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
802.1X Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
3 Barracuda NG Network Access Client - Administrator’s Guide
Log Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Chapter 12 - Pre-Connector and Remote VPN . . . . . . . . 167
General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
VPN Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Creating a Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Connecting And Disconnecting using the Barracuda NG VPN Client. . . . . . . . . . . . . . . . . . . 169
Remote Domain Logon (Pre-Logon). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Remote VPN (rvpn) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Connection Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Chapter 13 - Example Configuration . . . . . . . . . . . . . . 172
Introduce Access Control Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Personal Firewall Rule Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Introduce an Access Control Service Trustzone . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configure an Access Control Service Trustzone . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configure Forwarding Firewall Rule Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Chapter 14 - 802.1X – Technical Guideline . . . . . . . . . . 183
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Status Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
EAP Packet Tracer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Using the Barracuda NG Access Monitor for Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Log Files on the Client Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Switch Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Switch Console Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Operational Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Start up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Runtime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Addendum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
WPA Supplicant Log File Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Engineering Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Known Issues using Cisco Catalyst 3750-E Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Chapter 15 - Appendix. . . . . . . . . . . . . . . . . . . . . . . . . 205
customer.inf File Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
VPN Profile Registry Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Profile Registry Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Parameter Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Warranty and Software License Agreement . . . . . . . . . 222
Barracuda Networks Limited Hardware Warranty . . . . . . . . . . . . . . . . . . . . . . . . . 222
Barracuda Networks Software License Agreement . . . . . . . . . . . . . . . . . . . . . . . . 222
Barracuda Networks Software License Agreement Appendix . . . . . . . . . . . . . . . . 225
4 Introduction
Chapter 1
Introduction
1.1 Endpoint Security and Network Access Control
With the advent of novel technologies, work habits have changed dramatically throughout the past
decades. Notebooks and netbooks, smartphones and vast amounts of data easily portable on USB
sticks and miniature storage cards, ubiquitous wireless network access, personal area networking,
they all have attributed to the fact that endpoints in corporate networks have become an increasingly
hard to control hazard.
Effective endpoint security today extends far beyond historical personal firewall and antivirus concepts.
It still means protection of an endpoint against network threats using a host firewall and malware
detection software, but extends the protection concept by a broader enforcement and validation of
security policies that are specific to the identity of the device, the user and its current state. Powerful
endpoint security concepts also necessitate full integration into an accompanying network access
control framework.
Network Access Control (NAC) represents a novel technology aimed at guaranteeing that access to
enterprise network resources is granted based upon authentication of the user and device as well as
verification of the device's compliance with current security policies.
By default, a typical Network Access Control solution offers enhanced protection against malicious
software and attackers, improved access control to the network for employees and guests, superior
resource usage tracking, and a powerful policy adherence mechanism. As a consequence, the
complexity of the network and the administration effort required is significantly reduced, a greater
degree of integration among stand-alone security solutions is achieved, existing and potential security
gaps are nicely closed, and a greater visibility of end-to-end security is provided.
1.2 Introduction to Barracuda NG Network Access Client
Barracuda NG Network Access Client denotes Barracuda Networks' endpoint security and network
access control (NAC) framework. Administered endpoint integrity and endpoint access is what
Barracuda NG Network Access Client provides. In order to achieve this, it consists of client software
components1, server side components, which the client software periodically communicates with to
have the health state of its underlying operating system verified and its network access rights
assessed. Barracuda NG Firewalls can interpret that information and subsequently allow or deny
network access attempts by the respective client.
1. Available for Microsoft® Windows XP (32 Bit) and Vista (32 Bit and 64 Bit)
Windows 7 (32 Bit and 64 Bit)operating systems
5 Barracuda NG Network Access Client - Administrator’s Guide
Before we have a closer look at the interplay of the various components and their roles let us briefly
study what has inspired the design of the Barracuda NG Network Access Client endpoint security
framework.
The originally very long list of requirements reads as follows in a slightly more condensed fashion:
We want to create an endpoint security solution that is effective and yet still
simple enough to be implemented and operated in a cost efficient manner.
We do not wish to require customers to completely change their
infrastructures. This means that we do not require 802.1x aware switches and
endpoints.
We support guest networking. There must be a simple way to distinguish
between visitors and own users. We use a combination of client agent-based
and DHCP-based address assignment. A combination of agent-based and
DHCP enforcement will likely catch the most prevalent threats to network
security.
We assess the client's health prior to its initial connecting to the network.
Client system health assessments should also be carried out periodically
afterwards to detect changes in the client health state.
Policies, such as applicable firewall rule set or access rights, must be selected
according to both, identity and system health state. ID-based exceptions must
be possible to cater for real world scenarios. A forced client update of several
megabytes across a 2400 baud link is not meaningful when the link is required
for important messaging.
Policies can be machine specific. A PC frequently going online with nobody
actually being logged in, may already have been compromised. This routine
situation must be easily accommodated within the policy framework. This also
means we’ve got to find means to identify a machine in a unique fashion.
Policies may differ in different access contexts; this is the archetypal roaming
laptop problem. A certain policy will apply to its user when connecting from
within the corporate network. A different policy is required for accessing the
nearest WLAN hotspot on the airport to build a secure VPN connection. Again,
a different policy is required when operating the same equipment inside the
user's private home network.
The client software consists of the following subsystems:
Barracuda NG Personal Firewall
Being a centrally managed host firewall, this advanced firewall engine can handle up
to four different firewall rule sets at once. Which rule sets are available to the firewall
engine and which one of these is currently enforced depends on the policy
applicable to user, machine, date, and time.
Barracuda NG Access Monitor
This software is responsible for sending the endpoint health status to the Access
Control Service for baselining. Barracuda NG Access Monitors are dynamically
downloaded and updated as required, supporting same full and delta updates. They
are extremely light as they only occupy 340 KB in memory.
Barracuda NG VPN Client
Provides an integrated VPN client that secures mobile desktops connecting to the
corporate LAN through the internet. The VPN client will establish a secure
connection to a VPN Service. The Barracuda NG Access Monitor will then
communicate through the VPN tunnel with the responsible so-called System Health
Validator (SHV). It is worth noticing that in this case the VPN server fully controls the
virtual connection.
6 Introduction
1.2.1 What can Barracuda NG Network Access Client be used for?
It can be used to implement an endpoint security policy on Windows based endpoints within a
corporate network. In this context, Barracuda NG Network Access Client provides a managed personal
firewall solution with periodic health assessments. Both, the outcome of the assessment as well as the
identity of the machine and/or current user, will influence the policy applicable to the endpoint.
Enforcement of the policy is provided by the software installed on the endpoint itself and with regard
to enforcement outside the local collision domain by Barracuda NG Firewalls. The latter may interpret
the access policy attribute assigned to the endpoint within their rule sets. This provides a way to
enforce network access control concepts based on date and time, identity, and health state and type
of network access. The latter is required to enforce different policies when access takes place through
a VPN tunnel.
This setup requires the presence of at least one Access Monitor Service. This service entails two
component services. The SHV is the policy matching engine that determines the applicable policy
according to the connector's identity and current health state.
The SHV issues a digitally signed cookie to the connecting endpoint, which contains all the information
pertinent to the identity and state of this client. That cookie serves as a passport of limited temporal
validity with which the endpoint may identify itself to the remediation server.
Fig. 1–1 Barracuda NG Network Access Client environment
Since the NG Network Access Clients are communicating with the Access Control Server in cyclic intervals, the
Access Control Server should be placed as close as possible to the NG Network Access Clients. This helps
reducing network traffic and getting better response times.
7 Barracuda NG Network Access Client - Administrator’s Guide
The remediation server is the component from which policy attributes, such as firewall rule sets,
welcome messages, and bitmaps as well as client software components required for updates can be
obtained. It can be run on the same Barracuda NG Firewall system as the SHV or, for load balancing
reasons, it can be spread out over several Barracuda NG Firewall systems.
How does the client know at which address the SHV service component may be reached? There are
two options here. The first one is that the respective addresses are configured statically within the client
configuration on the endpoint. This approach is mandatory if DHCP based address assignment is not
used.
In the case of DHCP based address assignment the respective address or addresses are assigned to
the client by way of the vendor ID DHCP option (43).
DHCP is also used to make a distinction between own endpoint systems with an installed NG client
and the so called guest systems. As guest systems are not able to communicate with SHV they are not
assigned any SHV addresses. By way of the DHCP user ID option sent by the client a DHCP server
may assign an address from a pool on a separate subnet.
Note that while this approach may easily be circumvented by a skilled human attacker to gain network
access, worm and other malware issued with limited intelligence located on visitor's notebooks are
typically prevented from quickly spreading out into the principal network.
In this LAN scenario up to three firewall rule sets can be assigned to a secured and monitored
endpoint. When the endpoint system goes online and connects to the SHV it will be assigned a "local
machine" rule set and a "limited access" rule set. The limited access rule set is the one rule set that
comes into effect when the endpoint is diagnosed as unhealthy by the SHV. Note that the quarantine
state is not entered immediately as there is a configurable period of time during which the client is given
a chance to recover from the current condition, for example by successfully starting a disabled
anti-virus (AV) scanner service or updating an obsolete AV pattern file.
As soon as a user logs into the system a different policy may apply to the endpoint now, depending on
the identity of the user and various other conditions. The assigned policy attributes may in due cause
a different so-called "current user" rule set to be assigned. In contrast to the previous two this rule set
is volatile. That means it is cleared when the user logs off or the system is rebooted.
Consequently a notebook that has been used in the office environment and is taken home in the
evening will operate there with the most recently installed "local machine" firewall rule set.
Any endpoint whose system state is assessed as unhealthy will have the most recently installed
"limited access" rule set activated by the NG client after a configurable grace period.
Barracuda NG Network Access Client can also be used to secure mobile desktops connecting to the
corporate LAN through the internet. To this end, NG NAP provides an integrated VPN client. The VPN
client will establish a secure connection to a Barracuda NG VPN Service. The NG Network Access
Monitor will then communicate through the VPN tunnel with the responsible SHV. From this point on
the overall procedure is quite analogous to the LAN scenario. The most notable difference is that the
VPN server fully controls the virtual connection. That means that also traffic within the VPN network's
collision domain is fully subject to the NG Network Access Control framework. This better control also
necessitates that the remediation service component is also active on the very same Barracuda NG
Firewall system, which is also hosting the VPN Service.
In the LAN context certain policy attributes together with a "current user" rule set are assigned. This
setup supports a maximum of up to three different firewall rule sets. The rationale behind this
SHV and remediation server must always remain accessible to all endpoints regardless of the currently active
firewall rule set.
8 Introduction
seemingly complex procedure is rather straightforward and easy to understand. As autonomous
machine authentication is rather uncommon in the VPN context, the "limited access" and the "local
machine" firewall rule sets and policies need to be provided together with the actual VPN rule set.
1.2.2 Licensing Aspects
In order to operate an Access Control Service either as a SHV or a remediation server or both, a valid
license needs to be present. On Barracuda NG Firewall systems, the Access Control Service is
automatically licensed.
It is possible to equip all Barracuda NG Firewall branch office devices with a remediation server in
order to reduce WAN traffic and optimize response times.
1.2.3 Policy Matching Procedure
Each Access Control Service belongs to a so called trustzone. All Access Control Services within the
same trust zone share the same set of security policies. In addition, they share a signing key, so that
a mutual trust relationship can be established.
Within each trustzone there are three policy rule sets. There is a "local machine" policy rule set that is
used to determine a policy for a connecting machine. A connecting machine is an endpoint system that
does not request user authentication.
As soon as user authentication is requested by the connecting client, the "current user" policy rule set
is used for policy matching.
If the connection attempt is mediated by an intermittent VPN Service the VPN policy rule set is
adopted.
1.3 What is a Policy Rule Set?
A policy rule set is an ordered list of policy rules that is processed from the top to the bottom in
sequential order. If no identity match can be found a "no rule exception policy" is assigned. From now
The "local machine" rule set thus acts as a VPN-offline rule set that can be used to centrally control the network
access rights of the mobile user even when they are not connected to the corporate LAN.
Table 1–1
Policy
VPN Assignment
Healthy Limited Access VPN Offline
Firewall rule set Firewall rule set Firewall rule set (=local machine rule set)
Message of the day Message
Welcome picture
Network access policies
9 Barracuda NG Network Access Client - Administrator’s Guide
on the client system is assumed untrusted and a configured "untrusted access" firewall rule set and
client message applies.
Nevertheless, Barracuda Networks recommends to configure a catch-all rule at the end of the policy
rule set. An explicit catch-all rule allows a better control of the required client health-state and gives
more details to the end user. In addition more details in the server-side visualisation will be available.
Each policy rule consists of three parts:
1. An identity related part that defines the applicable matching policy and criteria.
2. A health policy part is used to determine the health state by comparing the status information sent
by the client with the specified required status. There are only three health states: healthy, probation,
and unhealthy.
3. And finally, there is a third policy attribute part that contains firewall rule sets, messages, pictures,
and network access policies that are assigned to a healthy client.
The matching procedure is graphically shown on the next page.
10 Introduction
Fig. 1–2 Client-Server actions during connection, health validation and assigning network access
Client
Client collects and sends
User Information
Matching Health condition
matching
requirements?
mode
user & system information
to Access Control Service
Identity?
Health state change to
Untrusted
Already in
probation?
Access Ctrl Service sends
ACTION Get policy
attributes for Untrusted
Untrusted policy
attributes requested
and activated by client
Access according to
configured "Untrusted"
rights profile
Access Control Service sends
probation actions
to client
Probation actions
executed by client
Access rights
remain unchanged
Health state change to
Unhealthy: Restricted
Access Ctrl Service sends
ACTION Activate policy
attributes for Quarantine
Quarantine policy
attributes activated
by client
Restricted access
to Quarantine
network segment
Health state change to
Healthy
Access Ctrl Service sends
ACTION Get policy
attributes for Healthy
Healthy policy
attributes requested
and activated by client
Full access
according to
client profile
Health state change to
Unhealthy: Probation
YesNo
Yes
No
Yes
No Rule
Health state change Server action Client action
exception
User
Local
Machine
Automatic
revalidation
(configurable)
Client connection
to server
11 Barracuda NG Network Access Client - Administrator’s Guide
1.) Determine the applicable rule set
First of all, the NG Network Access Client determines in which context it is started and how it connects
to the Access Control Service. The following three contexts are available:
Local Machine context
The local machine context is available in case no user has logged in. This applies during the
startup of a Windows computer as well as after user logout.
Since the Windows system behaves different between "Current User" and "Local Machine" context
it is necessary to handle the local machine context separately. For example, no popups are
allowed if no user is logged in. Certificate based authentication (see below) is available for both,
Local Machine and Current User Authentication, but different Microsoft certificate stores are
available to get the certificates from. Of course, a Local Machine certificate must not be password
protected since dialogue boxes to request the password will not be available.
Current User context
As soon as a user has logged in successfully, the client switches to the current user context. Now
additional information like the user name and the password (or kerberos ticket in case of NTLM
authentication) can be used to perform identity matching.
Since the user context allows to open client windows and popups, the client can notify the user
about the current health state or request additional information (for example Basic Authentication:
popup requests username and password).
VPN context
The VPN context is an extension of the current user context mentioned above. The client is able to
determine if a Barracuda NG VPN connection was initiated as well as if the VPN server has Access
Control Service capabilities. If the client mode is VPN all possibilities available in User mode are
available as well. Additionally, an online and offline rule set can be assigned to the client.
2.) Client connects to Access Control Service
The next step for the client is to connect to the configured Access Control Service. The IP address of
the Access Control Service is either configured manually (during installation) or is assigned by the
DHCP server. The connection is based on TCP and uses port 44000 to communicate between client
and server.
During the handshake, the Access Control Service notifies the client of it's capabilities (for example is
NTLM authentication available).
As a response, the client collects all available system information and sends this information back to
the Access Control Service together with authentication credentials.
This response contains details about the computer's network (for example IP address, MAC-Address),
the computer's operating system (for example OS-Version, hostname, domain name, user and
certificates) as well as details about installed health suite, Antivirus, or Antispyware products.
Further policy matching on the Access Control Service depends on the data collected and sent from
the client.
3.) Determine Client identity
The Access Control Service has now all information to determine the client's identity. Depending on
the client mode (Local Machine, Current User, VPN) the Access Control Server determines the
applicable policy rule set, which is then used to perform identity matching.
The connection is always initiated by the client and never the other way round.
12 Introduction
The available identity information is sequentially matched from top to bottom with the identity
conditions of the individual policies. Each policy can be configured to match if all configured identity
criteria apply or if only one of the configured criteria applies.
If a match is found, the comparison of the health information sent by the client with the stated health
requirements of the policy rule carries on.
Although the Access Control Service rule set bears analogy to a firewall rule set, one of the significant
differences is that the handling in case no rule matches can be configured. Configuration of "no rule
exception" notifying NG clients even if they can not be identified.
As this should really be treated as an exception, a better way to control clients is to manually apply a
catch-all rule at the end of the policy rule set.
1.4 Health Matching
The most complex part of the policy rule matching is the matching of health conditions. This is due to
the fact that not only matching of health requirements is done but actions on the client can be
performed as well.
An overview of the health matching procedure is available in the flowchart above.
At the beginning of the communication between client and server the health state of the client is
"uninitialized". If the quarantine rule set is already available on the client, then the client activates the
available quarantine rule set but remains in the state uninitialized. This state triggers an immediate
connection to the configured Access Control Service as described above.
As soon as the communication between the client and the Access Control service is established and
policy matching is performed one of four different health states is assigned.
Usually both, Access Control service and NG VPN client, do have the same health state. The only
exception is the state "uninitialized" mentioned above. In this case the Access Control Service is not
aware of the existence of the NG client.
Table 1–2
Matching Criteria Local Machine Current User VPN
Client Connection Type  
Current Date/Time  
NetBios Domain - 
Group Patterns - 
User [Login Name] - 
Network  
OS Version  
Hostname  
MAC Address  
MS Machine SID  
x.509 Certificate Conditions  
13 Barracuda NG Network Access Client - Administrator’s Guide
1.4.1 Health State "Untrusted"
As soon as the identity match is finished and the client's identity can not be validated, the health state
changes to "Untrusted". Untrusted does not necessarily mean that the client may be a guest client but
only that the Access Control Service can not determine the client's identity. Nevertheless the
configuration parameter Access Control Service Trustzone > Settings > No Rule Exception allows to assign
a set of client attributes.
1.4.2 Health State "Probation"
If the health match fails the client is said to be in probation. It still receives a cookie containing the
unhealthy assessment as well as the detailed outcome of the health matching procedure. From here
on the client software may take appropriate action and try to self-remedy the situation, for example by
starting the AV scanner. In any case, the user will be informed of the current state of his or her system
by an appropriate message.
After the client has performed the requested actions it reconnects to the Access Control Service again.
Should the client be successful to self remedy the situation the Access Control service verifies the
health conditions again and changes the client health state to "healthy" if the client complies to the
assigned health policy from now on.
Should the client fail to self remedy the situation or does not reconnect in a reasonable amount of time,
its status changes to unhealthy and the quarantine rules are enabled.
A client will never be in state "probation" for more than one connect cycle (see flowchart above). If the
client does not respond within the configurable "Health Sate Probation time" (Access Control Service
Settings > System Health-Validator > General) the Access Control Service automatically changes the
client's health state to "Unhealthy".
1.4.3 Health State "Healthy"
Depending on the configuration the health policy could require an up-to-date Barracuda NG Personal
Firewall installed and enabled or a running Antivirus software including up-to-date AV patterns. A list
of available Health State requirements is available below.
Should all required criteria match, the client is deemed healthy and receives a signed cookie listing the
applicable policy attributes. This signed cookie may be further used to authenticate against external
trust zones.
1.4.4 Health State "Unhealthy"
Last but not least a client may not comply to the company's health policy. As described in the section
Health State 'Probation' (see 1.4.2 Health State "Probation", page 13) the client will get the possibility
to perform actions (either manual or automated) to to fulfil all health requirements before being put into
quarantine.
14 Introduction
If the client fails during a specific time it's state is changed to "Unhealthy". In other terms the client is
put into quarantine. This means that the client enables it's latest quarantine rule set.
On the Barracuda NG Firewall the proper state is propagated to the firewall engine where limited
access can therefore be enforced.
1.4.5 Health State Requirements
The following list provides an overview of the available Health State requirements. Failing a health
state requirement can either trigger automatic "self-remediation" or can require a manual action of the
user.
The desired behavior is configurable since some versions of Antivirus- or Antispyware do not fully
support auto-remediation. In case of manual action the user is informed about the required actions by
the Barracuda NG Access Monitor.
A list of all supported AV and AS engines is available via Access Control Service Trustzone > Support
Chart (see also 2.4.8 Support Chart, page 40).
Beside Barracuda Networks specific information, where health state requirements primarily depend on
Antivirus or Antispyware settings, the following requirements can be verified:
Service Settings
Is the installed Barracuda NG Personal Firewall active?
Is the installed Virus Scanner active?
Is the installed Spyware Scanner active?
Antivirus Settings
Which Virus Scanner vendors are allowed?
Enabled AV Real Time Protection?
When was the last AV Scan performed?
When was the AV Engine updated?
When were the AV Pattern Definitions updated?
Antispyware Settings
Which Spyware Scanner vendors are allowed?
Enabled AS Real Time Protection?
When was the last AS Scan performed?
When was the AS Engine updated?
When were the AS Pattern Definitions updated?
Advanced Health State
Which versions of the health suite are allowed?
Miscellaneous
Are specific Registry keys set?
Which Microsoft hotfixes or service packs are present?
To verify these requirements, each Access Control Service depends on up-to-date information of AV
and AS products.
Barracuda Networks provides an online update service that helps Barracuda NG Network Access
Client Clients to recognize and activate AV and AS products.
Even the quarantine rule set must at least enable the client to connect to the Access Control Service, to the
Microsoft active directory, and to the remediation servers. Depending on the company's infrastructure, more
connections should be available to restore the client's health state to "Healthy" again.
15 Barracuda NG Network Access Client - Administrator’s Guide
Furthermore the update service provides the information necessary to diagnose the up-to-dateness of
the client's signature databases and engine versions..
1.5 Endpoint Security Policy Introduction Practices (Analyse, Enforce,
Monitor)
For implementing firewalls at formerly unrestricted network transitions like LAN-segments or endpoint
firewalls for LAN endpoints, a smooth implementation tactics is widely used.
A widely used but not recommended way is to start with a pass all policy, analysing traffic instead of
controlling it, and then introducing rules step-by-step reducing traffic using the pass-all policy, and at
last replacing pass-all by block-all. This might be called the AEM-model:
1.) Analyse
2.) Enforce
3.) Monitor
When implementing a firewall at a clear network perimeter like an internal-internet transition it is not
advisable to use this model. The rule set should be built according to SAEM:
1.) Strictly Enforce
2.) Analyse
3.) Enforce
4.) Monitor
While from a strict security point of view this is also recommended for formerly unrestricted network
transitions, many administrators nevertheless use AEM for practical reasons. If, however, you have the
chance to already know what should happen at the network point of concern, use as much of this
know-how as possible and do not start with pass-all only. And if you use AEM, do not finish with a pass-all
rule.
Keep in mind that your rule sets should always mirror your overall abstract security policy for the
network point of concern. Using AEM or SAEM is not a matter of technical possibilities but of weighing
risk and effort.
1.6 The Border Patrol
Clients often need to access remote trust zones for which restricted access rights and stronger security
measures apply. Consequently, the means to assess the suitability of crossing clients to access target
trust zones needs to be available. The building block responsible for evaluating trust zone transitions
is called border patrol. In short, the border patrol validates the credentials of crossing clients, including
authentication and health status data, so that the applicable security measures are correctly met.
As a prerequisite, either the Access Control Service (standalone Barracuda NG Firewall) or the CC (for
managed Barracuda NG Firewalls) must have access to the internet.
16 Introduction
An important aspect related to trust zone crossing is the synchronization of authentication data.
Basically, trust zones need to have a consistent and up-to-date view of the clients' authentication
information that is shared across the whole network. In this line the CC ensures that changes are
replicated and synchronized across the various available servers and databases, so that identity
federation is achieved.
It is also relevant to notice that the authentication process is based on the use of ICMP packages.
Succinctly, the client submits an access request to the border patrol. The border patrol responses by
sending an authentication request through an ICMP package. Upon reception of the ICMP package
the client replies with a ticket containing the cookie issued by the remediation service in the trust zone
of origin and its corresponding access rights. If health status and permission match the minimum
requirements of the target trust zone, the client is granted access. Otherwise, the border patrol denies
the request.
Fig. 1–3 Trust Relationships
If the border patrol denies the request, then no remediation will be available. Access is either granted or fully
denied.
17 Server Config – Access Control Service
Chapter 2
Server Config – Access Control Service
2.1 General
For proper operation, both components of the Barracuda NG Network Access Clients framework,
Access Control Service and Baracuda NG Network Access Client that is, depend on up-to-date
information regarding AV and AS products.
Barracuda Networks provides an online updating service that helps the Access Control Service
verifying the up-to-dateness of the client’s signature databases. In addition this information helps the
client to recognize and activate AV and AS products.
Barracuda NG Firewall includes an automatic software downloader which periodically connects to the
Barracuda Networks website. To reduce the need for permanent internet connection for Barracuda NG
Firewalls the Barracuda Networks update service behaves differently on stand-alone-managed boxes
and CC-administered boxes. Internet access using an HTTP/HTTPS proxy server is possible.
Stand-alone-managed boxes running a Access Control Service require
internet access. For configuration parameters see 2.2.6 General, page 21.
CC-administered boxes running an Access Control Service get the required
files uploaded from the Barracuda NG Control Center. The CC itself requires
internet access to secure.phion.com:443.
2.2 Access Control Service Settings
This section defines the general parameters of the Access Control Service.
2.2.1 System Health Validator
List 2–1 Access Control Server - Access Control Server Settings - System Health-Validator – section Trustzone (only available on CC)
Parameter Description
Name On a Barracuda NG Control Center, this parameter allows referencing to global trustzone objects. An empty value indicates that
the local trustzone configuration (for example, only this Access Control Service should use the configured trustzone) should be
used (2.4 Access Control Service Trustzone, page 25).
18 Server Config – Access Control Service
List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator – section General
Parameter Description
Start System
Health-Validato
r
Setting to yes starts the Access Control Server module before VPN health validation.
Health State
Validity (min.)
This value restricts validity time of a health state. If the client does not re-evaluate its health state within that period, all assigned
“network access rights” will be dropped.
Health State
Probation
(min.)
This value defines the probation interval of a health validation. If a client does not satisfy the health requirements in an initial health
validation step, the client will be set into probation. It will get the special network access right “probation” additionally to the rights as
it was healthy. If the client doesn’t become healthy within the probation time it will be set to health state “unhealthy” automatically
after the probation time was elapsed.
External IPs This option defines service IP addresses as external IP addresses. This information may be used in policy rules for health
evaluation to distinguish between external and internal requests.
List 2–3 Access Control Server - Access Control Settings - System Health-Validator – section User Authentication
Parameter Description
User
Authenticatio
n Required
If this option is set to no the client will not re-evaluate its health state when a user logs on. For example, no "current user" health
evaluation will take place.
PHIBS
Authenticatio
n Scheme
The used phibs scheme for basic authentication.
Fallback
PHIBS Auth.
Scheme
This option is only available if Phibs Authentication Scheme was set to MSCHAP. In this case this scheme is used for authentication
if the MS-CHAP authentication fails. The client will display a pop-up requesting username and password.
List 2–4 Access Control Server - Access Control Server Settings - System Health-Validator – section Local Machine Authentication
Parameter Description
Certificate Required If set to yes, a local machine authentication requires a certificate for a successful local machine authentication.
Caution:
do not forget to set a right Search String for Box Certificates since there is no "default" box certificate, which could be used
for authentication. The client needs to know which certificate of the local certificate store should be used for health
evaluation.
Search String Type May be set to either Issuer or Subject. This setting defines how the Search String for Box Certificates is interpreted.
Search String for Box
Certificates
Either a X509 issuer string or a X509 subject string (for example C=AT, O=Barracuda, OU=*,CN=*). Pattern matching is
allowed.
List 2–5 Access Control Server - Access Control Server Settings - System Health-Validator – section General Authentication
Parameter Description
Authentication Root Certificate The root certificate is used to verify the validity of certificates provided by clients within a local computer health
validation process.
Root Cert. Revocation Settings This section provides configuration settings for certificate revocation. Certificate revocation can be done by using
either CRL (LDAP) or OCSP.
List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals
Parameter Description
Remediation Server Location This option defines where the remediation server can be reached. Select This, if the remediation server is
running on the same system as the Access Control Server. In this case Start Remediation Server must be set
to yes. Select Other, if it is running on another system, and specify the remediation server IP addresses in the
fields below.
Internal Remediation Server IPs In this list, define the IP address(es) of the remediation servers that are accessible by clients within the Secure
Network.
External Remediation Server IPs In this list, define the IP address(es) of the remediation servers that are accessible by clients within the
Restricted Network.
19 Barracuda NG Network Access Client - Administrator’s Guide
2.2.2 Remediation Service
2.2.3 Trustzone-Border
2.2.4 802.1X
VPN Remediation Service IPs Define where the Access Control Service remediation service module is reachable for VPN clients.
Note:
This IP address must not be the same IP address as already used as an Internal or External Remediation
Service IP address.
Example: For the internal Clients the Access Control Service listening socket is on 10.0.8.108 and you want to
have also a remediation service for clients which are connected with VPN.
Introduce an additional IP address, for example 10.0.8.150 on Virtual Server Layer and insert these
two Bind IPs (10.0.8.108 and 10.0.8.150) in the Access Control Service Configuration.
Now open the Access Control service settings, scroll down to the VPN Remediation Service IPs and
select the IP Address 10.0.8.150 from the pull-down menu.
Sync authentication to Trustzone Using a Barracuda NG Control Center multiple Access Control Services can reference to the same trustzone.
Already validated clients can be propagated to all Access Control Services sharing the same trustzone
configuration. This also affects gateway firewall authentication. This parameter is only available on a CC.
List 2–7 Access Control Server - Access Control Server Settings - Remediation Server – section General
Parameter Description
Start
Remediation
Service
Setting to yes starts the Access Control Server remediation service module.
TLS required Set to yes will allow unencrypted downloads from the remediation server. This will increase download velocity, but decrease
security since personal firewall rule sets are transmitted unencrypted over the network.
List 2–8 Access Control Server - Access Control Server Settings - Trustzone-Border – section General
Parameter Description
Start Border Health-Validator Starts the Access Control Service module responsible for trustzone border health state evaluation.
Trustzone Border IP IP address the health validator uses for listening for trustzone border health validations.
Foreign Health Passp. Verification Add all foreign health passport verification keys whose health passports should be trusted for this border
trustzone. The Health state of clients with a signed and trusted health passport is revalidated for this
trustzone but their authentication credentials are accepted from the signed cookie.
Allowed Peer Networks Only peers from listed networks are allowed to perform trustzone border health validations.
List 2–9 Access Control Server - Access Control Server Settings - 802.1X – section 802.1X
Parameter Description
Start 802.1X Radius Validator To use 802.1X port authentication configure your 802.1X capable switch to use a RADIUS server with this servers
server IP address. Then set this parameter to Yes.
Log Authentications Log every authentication request, for debugging purposes. (parameter is only visible in Advanced View mode)
List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals
Parameter Description
20 Server Config – Access Control Service
2.2.5 Advanced
Debug Log Enable debugging log here. A service restart is required. (parameter is only visible in Advanced View mode)
List 2–10 Access Control Server - Access Control Server Settings - 802.1X – section Radius Clients
Parameter Description
NAS identifiers Network access servers (NAS alias switch) which are allowed to access the RADIUS server. Parameter description see list 2–11.
List 2–11 NAS identifiers – section Radius Client Configuration
Parameter Description
IP Address Client’s IP address or subnet address.
Secret RADIUS secret for the client.
Short Name Client’s short name.
List 2–12 Access Control Server - Access Control Server Settings - 802.1X – section Radius Proxy
Parameter Description
Radius Proxy Dest. Servers RADIUS destination servers where external requests should be proxied to. Parameter description see list 2–13.
List 2–13 Radius Proxy Dest. Servers – section Radius Proxy Dest. Servers
Parameter Description
Realm Leave empty for a default realm.
Dest. IP Address Destination RADIUS server.
Dest. Port Auth. Destination server’s port for authentication.
Dest. Port Acct. Destination server’s port for accounting.
Dest. Secret Destinations server’s secret.
List 2–14 Access Control Server - Access Control Server Settings - 802.1X – section Advanced
Parameter Description
Radius One Time Pwd Lifetime (s) Cache the old password as one-time-password for <n> seconds. (only visible in Advanced View)
List 2–15 Access Control Server - Access Control Server Settings - Advanced – section General
Parameter Description
Log Level This option defines the verbosity of log file output. Usually it should be set to 0 (that is "no debug output").
Number of used Threads Number of used worker threads for health validation and remediation. The default value is 5. This should meet the
requirements in most of the cases. Increasing this value leads to a more reactive server, but also increases the
load on the system.
Keep Access Cache Entries (d) Amount of days for wich access cache entries generated by activities traversing the Access Control Server should
be deleted.
List 2–9 Access Control Server - Access Control Server Settings - 802.1X – section 802.1X
Parameter Description
21 Barracuda NG Network Access Client - Administrator’s Guide
2.2.6 General
2.3 Access Control Objects
Policy rule sets can reference to so-called Access Control Objects.
Access Control Objects are attributes which are assigned to the client according to the policies
configured in the Access Control Service Trustzone.
Sync Access Cache to CC By enabling this parameter, the access cache entries of this Access Control Service are synced to the Barracuda
NG Control Center. Thus a consolidated health status of multiple Access Control Services will be available.
Additionally the appropriate Barracuda NG Network Access Client service must be introduced on the CC.
Use with care in case of limited bandwidth as the synchronisation consumes additional bandwidth.
The parameter is only available in conjunction with a Barracuda NG Control Center.
List 2–16 Access Control Server - Access Control Server Settings - Advanced – section TLS/SSL
Parameter Description
TLS/SSL Certificate The X.509 certificate which is used with TLS.
TLS/SSL Private Key Corresponding RSA private key which is used with TLS.
List 2–17 Access Control Server - Access Control Server Settings - General – section Time Settings
Parameter Description
Download Interval Specifies the download interval in minutes.
List 2–18 Access Control Server - Access Control Server Settings - General – section Proxy Settings
Parameter Description
Use Proxy Enables or disables usage of an HTTP/HTTPS proxy.
Proxy Host IP address or hostname of the proxy server.
Proxy Server Port Proxy server port.
Proxy User If the HTTP proxy requires authentication, provide a valid username here.
Proxy Password If the HTTP proxy requires authentication, provide a valid password here.
List 2–19 Access Control Server - Access Control Server Settings - General – section Logging
Parameter Description
Log Level Higher values provide more detailed log information.
List 2–15 Access Control Server - Access Control Server Settings - Advanced – section General
Parameter Description
22 Server Config – Access Control Service
For those already familiar with Barracuda NG VPN, the Access Control Objects are similar to the
objects available for Client to Site VPN.
Welcome Messages
can be used to display customized messages to welcome end-users to the corporate net-
work, inform them about security policies, or display administrator contact details. For each
policy rule may a different "welcome" message be displayed to individual groups of users.
In addition, "welcome" messages may be used to display localized messages. Each mes-
sage is assigned to a language. According to the client's language settings the localized
message is displayed. The client will display the English language message as fallback.
• Pictures
assigned to clients are usually small bitmaps displaying the company's logo. Sometimes
they are also used to notify the users about special events.
Fig. 2–1 Access Control Objects – Configuration tree - Access Control Objects
Fig. 2–2 Access Control Objects – Access Control Service Messages
23 Barracuda NG Network Access Client - Administrator’s Guide
Assigned pictures are displayed in the client after successfully connecting to the Access
Control Service.
Personal Firewall Rules
The details of a Barracuda NG Personal Firewall rule set is explained in Server Config –
Personal Firewall Rules, page 41.
Fig. 2–3 Access Control Objects – Access Control Service Bitmaps
Keep the size of your picture small since the picture will be transferred to all clients. Pictures larger than 167x90 pixels
are scaled down on the Barracuda NG NAC anyway.
Fig. 2–4 Access Control Objects – Firewall Rule Object
24 Server Config – Access Control Service
Registry Check Objects
These objects allow an administrator to define registry checks to be performed on the client.
This allows to validate registry keys and values just like taking action in case of failed vali-
dation. Available actions are "Repair", "Notify", or "Fail". In case of action type "Fail" the Ac-
cess Control Service health validation will fail if the specified registry keys are not set
appropriately.
"Notify" generates appropriate log messages on the Barracuda NG Firewall.
Import of a registry file:
Click (clipboard), import the adequate registry file.
Registry "key" changes (for example, introduction of a new registry key) are only done for local machine
authentication. Thus, users needs to log off or reboot to activate these changes.
Registry values may also be verified and changed for user authentication.
Fig. 2–5 Access Control Objects – Access Control Service Registry Check Rules
Fig. 2–6 Access Control Objects – Import registry file
25 Barracuda NG Network Access Client - Administrator’s Guide
2.4 Access Control Service Trustzone
Each Access Control Service belongs to a so-called trustzone. To enable a company to enforce their
security policies across multiple Barracuda NG Firewalls the Barracuda NG Control Center provides
Access Control Service Trustzones as global objects. This advanced feature allows all Access Control
Services within the same trust zone to share the same set of security policies. In addition they share
a signing key, so that a mutual trust relationship can be established.
On stand-alone Barracuda NG Firewalls, configuration of the trustzone is located in the configuration
node Virtual Servers > <servername> > Assigned Services > <servicename> (Access Control
Service) > Access Control Service Trustzones.
The Barracuda NG Control Center provides Access Control Service Trustzones either within the
Global Settings directory or specifically as Range Settings or Cluster Settings. As usual these objects
permit access only to administrators with appropriate administrative scope and appropriate
permission.
Access Control Objects provide an hierarchical override mechanism. Objects on cluster level sharing the same name
as global or range objects override the global definition(s). This mechanism works like the one using global firewall
objects for the Barracuda NG Firewall.
Fig. 2–7 Access Control Service Trustzone - Configuration tree
26 Server Config – Access Control Service
The pre-defined Access Control Service Trustzones can be referenced within the configuration dialogue
Virtual Servers > <servername> > Assigned Services > <servicename> (ACS) > Access
Control Service Settings > System Health-Validator view > Trustzone section.
The Barracuda NG Control Center automatically links the Trustzone to the appropriate global / range
/ cluster object.
As mentioned in the introduction above, each trustzone contains three policy rule sets. There is a "local
machine" policy rule set that is used to determine a policy for a connecting machine if no user is
currently logged in. As soon as user authentication is requested by the connecting client, the "current
user" policy rule set is used for policy matching.
If the connection attempt is mediated by an intermittent VPN Service, then the VPN policy rule set
is adopted. More details are available in the introduction above.
Create an Access Control Server service within
Config > Box > Virtual Servers >
<servername> > Assigned Services > <servicename> (ACS)).
Click
Access Control Service Trustzone to open the configuration dialogue.
Fig. 2–8 Access Control Service Trustzone - Configuration dialogue
User authentication can be skipped by setting the the parameter "Access Control Service Settings" > User Authenti-
cation > User Authentication Required to "No". Furthermore, local machine rule sets allow to skip user authentication
for a specific policy rule (Policy Assignments > Exception > User Authentication Required.
27 Barracuda NG Network Access Client - Administrator’s Guide
2.4.1 Rules
The main window of a Access Control Service Trustzone is split up into a navigation bar on the left and
three policy rule sets on the right (1.3 What is a Policy Rule Set?, page 8).
2.4.2 Identity Matching - Basic
The first step when processing a policy rule set (either local machine, current user, or VPN) is to
determine the client's identity.
Depending on the value of the parameter Basic Matching > Policy Matching either all or one of the
specified criteria must match to determine the client's identity.
Fig. 2–9 Access Control Service Trustzone - Rules
28 Server Config – Access Control Service
If the identity match fails, the next rule is taken into account.
Fig. 2–10 Access Control Service Trustzone - Rules - Identity Matching Basic
List 2–20 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Identity Matching
Parameter Description
Policy Name The name of the policy. This name is visible in the log file and in the access cache.
Deactivate Policy Selecting the checkbox disables the configured policy.
Client Connection External
• Ignore
• Internal
Set to External effects that this policy rule is ignored for internal connection (connections to an IP address which is not defined
in External IPs, see above).
Set to Internal effects that this policy rule is ignored for external connections (connection to an IP address which is defined in
External IPs, see above).
Set to Ignore means that the policy rule is neither ignored for internal nor external connections.
Time Restriction Each policy rule can be assigned with a date and time restriction.
The date restriction consists on a Start Date and an End Date. Out of that time period this policy rule will be ignored.
The granularity of the time restriction is 1 hour on a weekly base.
A rule is allowed at all times by default, that is all checkboxes in the Time Interval window are cleared.
Selecting a checkbox denies a rule for the given time.
Click to configure allowed and disallowed time intervals simultaneously.
Click to clear selected checkboxes.
Click to to configure disallowed time intervals.
Select Continue if mismatch to proceed the health evaluation within the policy rule set with the next rule (default).
Select Block if mismatch to stop the health evaluation process and set the client to "unhealthy" immediately.
29 Barracuda NG Network Access Client - Administrator’s Guide
List 2–21 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Matching
Parameter Description
Policy Matching All-of-following
• One-of-following
Set this option to All-of-following if all of the identity matching parameters (basic and advanced), except the empty ones, must
match for a successful identity verification. If just one field does not match, the identity is not verified successfully within this policy
rule and the health match process will proceed with the next policy rule in the policy rule set.
Set this option to One-of-following effects that the identify verification succeeds if just one field matches.
Fields left empty will be ignored in both cases.
Note:
All string comparison is done case insensitive.
For all of the following identify matching fields applies that just one value of each field must match, for example if more than one
group patterns are defined, it is necessary that at least one user group must match at least on defined group pattern.
Group Patterns Enter group patterns here. At least one user group must match at least one of these patterns for successful identity verification.
Be aware of using the right syntax for the group patterns: for example, MS Active Directory groups have be be entered as
distinguished name (for example CN=group-*, OU=my-unit,CD=mycompany,DC=at).
Net Bios
Domain
Enter the name of a NetBIOS Domain to match only users of a specific Domain.
Note:
Only available for "Current User" and "VPN" rule set
User [Login
Name]
Enter user name patterns here. A user name is the login name (without leading "DOMAIN\").
Networks Enter networks here. The users peer address must be part of at least one of these networks.
Allowed OS
Versions
• Name
OS Versions
Service Pack Major Number
Service Pack Minor Number
Minimum Build Number
Policy on OS
Define allowed or explicitly denied client OS version here. The OS Versions parameter needs to be one of the listed Microsoft
Windows Versions.
The Service Pack Major Number and the Service Pack Minor Number are the service pack numbers of the client OS.
The Minimum Build Number needs to be the OS build number and is checked only, if Policy on OS was set to
This-One-Or-Newer.
Possible values for Policy on OS field are
• Exact-This-One
the client OS must match OS Version, Service Pack Major Number, and Service Pack Minor Number.
• Explicit-Deny
If the clients OS matches OS Versions, Service Pack Major Number, and Service Pack Minor Number, then the current policy
rule will be ignored for the current match, and health evaluation process proceeds with the next policy rule in the policy rule
set.
• This-One-Or-Newer
In this case, the client OS must be identically equal to OS version. The client OS service pack major and minor number and its
build number need to be equal or greater than those defined here.
Hostnames Enter hostnames here. Patterns may be used.
30 Server Config – Access Control Service
2.4.3 Identity Matching - Advanced
Fig. 2–11 Access Control Service Trustzone - Rules - Identity Matching Advanced
List 2–22 Access Control Service Trustzone - Rules - Identity Matching Advanced – section Advanced Identity Matching
Parameter Description
MAC Addresses Enter MAC addresses here. Patterns may be used.
Microsoft
Machine SIDs
Enter Microsoft Machine SIDs here. A SID is a - from the Microsoft OS generated - world wide unique machine identifier. The SID is
visualized in the Access Control Server’s access cache. Patterns may be used.
List 2–23 Access Control Service Trustzone - Rules - Identity Matching Advanced – section Certificate Conditions
Parameter Description
x509 Subject Enter X.509 subject name patterns here (for example, CN=name-*, O=my-company). The X.509 subject of the clients authentication
certificate must match at least one of these patterns.
Note:
Certificate authentication is only possible in Local machine and basic user authentication.
x509 Issuer Enter X.509 issuer name patterns here (e.g CN=name-*, O=my-company). The subject of the issuer of the clients certificate must
match at least one of these patterns.
Note:
Certificate authentication is only possible in Local machine and basic user authentication.
x509
Altnames
Enter X.509 alternative name patterns here (IP:10.0.10.*). The subject alternative name of the clients authentication certificate must
match at least one of these patterns.
Note:
Certificate authentication is only possible in Local machine and basic user authentication.
The subject alternative name is prepended by its type (for example, "email:" or "IP:")
31 Barracuda NG Network Access Client - Administrator’s Guide
2.4.4 Required Health State - Basic
After successful verification of the client’s identity, this configuration entity is used for determining the
client’s health state.
Some of the parameters provide the following options:
Not required
The result of the health evaluation doesn’t depend on this parameter.
• Required
If a Required parameter does not match, the user is notified and manual action is required.
Furthermore the client's health state changes to "Probation".
Required <Auto-Remediation>
Notifies the client too, but tries to automatically execute the necessary actions to fulfill the
health requirements. During this period the client's health state changes to "Probation".
Fig. 2–12 Access Control Service Trustzone - Rules - Required Health State Basic
32 Server Config – Access Control Service
In case of third-party products (for example Virus scanner), Auto-Remediation may not work with all
available engine versions. As fallback, the client always requests manual action.
List 2–24 Access Control Service Trustzone - Rules - Required Health State Basic – section Service Settings
Parameter Description
NG Personal
Firewall On
• Required
Required <Auto-Remediation>
Not Required (default)
Set to Required if a client must have the personal firewall up and running to be healthy.
If the client does not meet this requirement, the user will be advised to turn on the firewall.
Antivirus
Scanner On
• Required
Required <Auto-Remediation>
Not Required (default)
Set to Required if a client must have the virus scanner up and running to be healthy.
If the client does not meet this requirement, the user will be advised to turn on the virus scanner.
Note:
The option Required only takes effect when the checkbox Antivirus is selected (figure 2–12, page 31).
Antispyware
Scanner On
• Required
Required <Auto-Remediation>
Not Required (default)
Set to Required if a client must have the anti spyware scanner up and running to be healthy.
If the client does not meet this requirement, the user will be advised to turn on the anti spyware scanner.
Note:
The option Required only takes effect when the checkbox Antispyware is selected (figure 2–12, page 31).
List 2–25 Access Control Service Trustzone - Rules - Required Health State Basic – section Misc
Parameter Description
Continue Match STOP on Health Mismatch (default)
Continue on Health Mismatch
Set this to Continue on Health Mismatch if the health validation should be continued with the next policy rule in the policy
rule set, if the health-evaluation in the current rule gave the result that the client is not healthy.
Set this to STOP on Health Mismatch if health validation should NOT continue with the next policy rule in the policy rule
set if the client is not healthy.
In this case the Policy Attributes of the current rule are assigned to the client, and the client is advised to heal itself.
Registry Check Rules Here choose one of the Registry Check objects. The client’s registry entries must match those of the selected registry
check object to be healthy.
List 2–26 Access Control Service Trustzone - Rules - Required Health State Basic
Parameter Description
Antivirus Select this checkbox to enable the Antivirus settings parameters. Parameter description see list 2–27. (Default: not selected)
Antispyware Select this checkbox to enable the Antispyware settings parameters. Parameter description see list 2–28. (Default: not selected)
List 2–27 Access Control Service Trustzone - Rules - Required Health State Basic – section Antivirus
Parameter Description
AV Real Time Protection Required
Required <Auto-Remediation>
Not Required (default)
Set to Required if a client must have enabled the real time protection of the anti virus scanner to be healthy.
If the client does not meet this requirement, it will be advised to turn on the real time protection of the virus scanner.
Last AV Scan Not Older
Than
• Ignore
6-Hours > 1-Month
24-Hours (default)
Set to a value unequal Ignore to ensure that the client’s last full virus scan is not older than <value> to be healthy. If the
client does not meet this requirement, it will be advised to perform a full anti virus scan.
33 Barracuda NG Network Access Client - Administrator’s Guide
Last AV Scan Action Manual
Auto Remediation
Depending on this parameter either the user gets informed to manually perform a full AV system scan or that the client
tries to execute a full system scan automatically.
AV Engine Required Ignore
Latest (default)
• Previous
• Last-2
Set to Ignore if the clients’ Virus Scanner version should not be checked.
Set to Latest if the client must not have an older version of the Virus Scanner to be healthy.
Set to Previous if the latest and the previous version of the Virus Scanner are allowed to be healthy.
Set to Last-2 if the latest, the previous and the second last Virus Scanner are allowed to be healthy.
If the client does not meet the chosen requirement, it will be advised to perform a anti virus engine update.
AV Patterns Not Older Than
(h)
• Ignore
6-Hours > 1-Month
24-Hours (default)
Set this option to a value unequal Ignore to require anti virus patterns to be not older than <value> to be healthy.
This option will be ignored if the latest anti virus pattern is older than <value>. For instance if this option is set to
6-Hours but the latest anti virus pattern was released 8 hours ago, the client will be set to state unhealthy due this
option. Release cycles of anti virus patterns depend on the anti virus vendor.
AV Engine/Pattern Action Manual
Auto Remediation
Depending on this parameter either the user gets informed to manually update the AV system or the client tries to
trigger AV updates automatically.
Allowed Vendors Chose one or more of the list of anti virus vendors to enforce a specific anti virus vendor product needs to be installed
on the client. Anti virus products which are not listed here are ignored in the health validation process. This option is
helpful especially to exclude some on the clients installed anti virus products from the health validation process. The
list of available anti virus vendors is created dynamically.
List 2–28 Access Control Service Trustzone - Rules - Required Health State Basic – section Antispyware
Parameter Description
AS Real Time
Protection
• Required
Required <Auto-Remediation>
Not Required (default)
Set to Required if a client must have enabled the real time protection of the anti spyware scanner to be healthy.
If the client does not meet this requirement, it will be advised to turn on the real time protection of the anti spyware scanner.
Last AS Scan Action Manual
Auto Remediation
Depending on this parameter either the user gets informed to manually perform a full AS scan or the client tries to execute a full
system scan automatically.
Last AS Scan Not
Older Than
• Ignore
6-Hours > 1-Month
24-Hours (default)
Set to a value unequal Ignore to ensure that the clients last full anti spyware scan is not older than <value> to be healthy.
If the client does not meet this requirement, it will be advised to perform a full anti spyware scan.
AS Engine Required Ignore
Latest (default)
• Previous
• Last-2
Set to Ignore if the clients anti spyware engine version should not be checked.
Set to Latest if the client must not have an older version of the anti spyware scanner engine to be healthy.
Set to Previous if the latest and the previous version of the anti spyware scanner engine are allowed to be healthy.
Set to Last-2 if the latest, the previous and the second last anti spyware scanner engines are allowed to be healthy. If the client
does not meet this requirement, it will be advised to perform an anti spyware engine update.
List 2–27 Access Control Service Trustzone - Rules - Required Health State Basic – section Antivirus
Parameter Description
34 Server Config – Access Control Service
2.4.5 Required Health State - Advanced
AS Pattern
Definitions
Required
• Ignore
Latest (default)
• Previous
• Last-2
Set to Ignore if the clients anti spyware pattern definitions should not be checked. Be aware of the fact that in this case the
client may be healthy without having any anti spyware patterns installed.
Set to Latest if the client’s anti spyware patterns must be up to date to be healthy.
Set to Previous if the client’s anti spyware patterns must either be up to date or of the previous version to be healthy.
Set to Last-2 if the client’s anti spyware patterns must be up to date, the previous or the second last to be healthy. If the client
does not meet this requirement, it will be advised to perform an anti spyware pattern definition update.
AS Patterns Not
Older Than (h)
• Ignore
6-Hours > 1-Month
24-Hours (default)
Set this option to a value unequal Ignore to require anti spyware patterns to be not older than <value> to be healthy.
This option will be ignored if the latest anti spyware pattern is older than <value>. For instance if this option is set to 6-Hours
but the latest anti spyware pattern was released 8 hours ago, the client will be set to state unhealthy due this option.
Release cycles of anti spyware patterns depend on the anti spyware vendor.
AV Engine/Pattern
Action
Manual
Auto Remediation
Depending on this parameter either the user gets informed to manually update the AS system or the client tries to trigger an AS
update automatically.
Allowed Vendors Chose one or more of the list of anti spyware vendors to enforce a specific anti spyware vendor product must be installed on
the client. Anti spyware products which are not listed here are ignored in the health validation process. This option is helpful
especially to exclude some on the clients installed anti spyware products from the health validation process. The list of
available anti spyware vendors is created dynamically.
Fig. 2–13 Access Control Service Trustzone - Rules - Required Health State Advanced
List 2–28 Access Control Service Trustzone - Rules - Required Health State Basic – section Antispyware
Parameter Description
35 Barracuda NG Network Access Client - Administrator’s Guide
Select New (context menu) to create a new entry. The configuration dialog provides following entries:
It is also possible to include a check for the currently installed Microsoft hotfixes on the client computer.
Right click into the Required Security Updates field
Click New... and enter the ID of the Microsoft hotfix. For example: KB936929
Fig. 2–14 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions
List 2–29 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions
Parameter Description
Name Specify a name.
Define allowed or explicitly denied client health suite version.
Major Release The clients’ health suite major number must match Major Release.
Minor Release The clients’ health suite minor number must match Minor Release.
Service Pack
Number
The Service Pack Number must be the service pack number of the clients’ health suite.
Policy on OS Exact-This-On
The clients’ health suite version must match all three number values.
• Explicit-Deny
If the clients’ health suite version matches all three number values then the health state will be set unequal "health" and the
clients will be advised to update the health suite.
• This-One-Or-Newer
In this case the clients’ health suite major version must be identically equal to Major Version. The minor number and the
service pack number needs to be equal or greater than those here defined.
Health suite updates are always performed on an equal major number, for instance a client’s health suite version 4.0.2
may be updated to 4.1.0 but not to 5.0.0.
36 Server Config – Access Control Service
2.4.6 Policy Assignments
Fig. 2–15 Access Control Service Trustzone - Rules - Policy Assignments
List 2–30 Access Control Service Trustzone - Rules - Policy Assignments – section Attributes
Parameter Description
Personal
Firewall Settings
Ruleset Name
Choose one of the created Personal Firewall Rule objects here. If the client does not already have this rule set installed, the health
state will be set to unequal "healthy" and the client will be advised to update the personal firewall rule set from the remediation
server.
Message of the
Day
Choose one of the created Welcome Message objects here. If the client does not already have this message, it will be advised to
get the message from the remediation server.
Limit Access Ruleset Name
• Message
Client Emerg. Quarantine Time (s)
Define the quarantine rule set here. Assignment of "Limited Access" Rule Sets and Messages is only available for the "Local
Machine" rule set.
Note:
The quarantine rule set ("Limited Access" rule set) is stored on the local machine. This means that the quarantine rule set can
only be updated if the current user logs off or the client is rebooted. If a client changes it's state to "unhealthy" the local machine
quarantine rule set is activated.
List 2–31 Access Control Service Trustzone - Rules - Policy Assignments – section Exceptions
Parameter Description
Software
Update
Required
• Yes
No (default)
• Yes-Even-Major
Changing this value to Yes for as the client to automatically perform software updates if a new software version is available on the
CC.
37 Barracuda NG Network Access Client - Administrator’s Guide
2.4.7 Settings
If no policy rule matched identity for a client or at least one matched, but the Continue Match parameter
was set on that/those policy rules, the clients state will be untrusted and it be assigned the No Rule
Exception attributes.
User
Authentication
Required
• Yes
•No
Like Service Settings (Default)
Only available for local machine rule set. If set to "No", user authentication is not performed even if a user logs in.
List 2–32 Access Control Service Trustzone - Rules - Policy Assignments – section Radius Attributes
Parameter Description
802.1X Use 802.1x
Enforces the usage of 802.1x port based authentication on the client computer.
Use DHCP renew
Whenever the client is relocated into a different VLan this flag enforces the renewal of the client computers IP address.
Healthy Vlan Id
Specifies the VLan, which will assigned to the client computers if they meet the configured health requirements.
Unhealthy VLan Id
Specifies the VLan, which will assigned to the client computers if they do not meet the configured health requirements.
Healthy
Attribute
Assignments
RADIUS attribute assignments passed to RADIUS server as key value pairs, when the client meets the health requirements.
Unhealthy
Attribute
Assignments
RADIUS attribute assignments passed to RADIUS server as key value pairs, when the client does not meet the health
requirements.
List 2–31 Access Control Service Trustzone - Rules - Policy Assignments – section Exceptions
Parameter Description
38 Server Config – Access Control Service
Fig. 2–16 Access Control Service Trustzone - Settings
List 2–33 Access Control Service Trustzone - Settings – section No Rule Exception
Parameter Description
Bitmap Here choose one of the Picture objects. The client will be advised to get the bitmap from the remediation server.
Limited Access
Ruleset Name
Description see parameter Limit Access, table 2–30, page 36.
Limited Access
Message
List 2–34 Access Control Service Trustzone - Settings – section Identity
Parameter Description
Health Passport
Signing Key
The Health Validator returns a digital passport to the client as result of the health validation. The passport contains all required
information for the remediation server. To ensure authenticity the passport is digitally signed.
Note:
Since all Access Control Services of the same trustzone share the identify credentials, the remediation server instances can verify
that a passport was issued by a health validator of the same trustzone.
Here set the RSA key for digital passport signing.
39 Barracuda NG Network Access Client - Administrator’s Guide
Health Passport
Verification Key
Here set the RSA public key for verifying a digital passport signature.
If one Access Control Server instance is a remediation server exclusively it is not necessary to set the Signing Key, but only the
Passport Verification Key.
List 2–35 Access Control Service Trustzone - Settings – section 802.1X
Parameter Description
802.1X Description see parameter 802.1X, table 2–32, page 37
List 2–36 Access Control Service Trustzone - Settings – section Limited Access Defaults
Parameter Description
Client
Emergency
Quarantine
Time (s)
If the Access Control Server is not reachable anymore for the client, it switches automatically to the Quarantine or Unhealthy:
Restricted State.
Enter 0 to disable.
For further information see parameter Limit Access, table 2–30, page 36.
Note:
If no Access Control Server ip address is available this parameter doees not have any effect.
See 11.3.2 Access Control Server IPs from Registry, page 160 and 11.3.3 Access Control Server IPs from DHCP, page 160
Quarantine
Ruleset Name
Here choose one of the Personal Firewall Rules objects. The client will be advised to get the bitmap from the remediation server.
Quarantine
Message
Here choose one of the Welcome Messages objects. The client will be advised to get the bitmap from the remediation server.
Health
Validation Mode
• Moderate
Health checks are executed after connection establishment.
• Offensive
Health checks are executed during connection establishment.
List 2–37 Access Control Service Trustzone - Settings – section Radius Attribute Assignments
Parameter Description
Generally with this feature it is possible to send additional attributes to the switch, depending on the health state of the client. VLAN
Change attributes are already hardcoded.
Healthy Description see parameter Healthy Attribute Assignments, table 2–32, page 37
Unhealthy Description see parameter Unhealthy Attribute Assignments, table 2–32, page 37
List 2–34 Access Control Service Trustzone - Settings – section Identity
Parameter Description
40 Server Config – Access Control Service
2.4.8 Support Chart
This view provides information concerning Antivirus and Antispyware vendors and versions that are
supported.
The Support Chart is automatically downloaded from the Barracuda Networks update service
mentioned above and distributed to Barracuda NG Admin on connect. Thus, the Support Chart reflects
the current capabilities of the Access Control Service.
Restrictions on Microsoft® Windows Vista and Windows 7 64 Bit:
The supported features listed in the support chart may differ from the technically executed actions (e.g. automatic
update of Windows Defender 1.x: the chart states Implemented though it may not work on the 64 Bit client. Reason:
The released version of the 64 Bit client contains a 32 Bit compatible COM+ server for integrated OPSWAT-modules
(health-check). Therefore this component is not yet implemented as native 64 Bit.
This leads to some restrictions regarding auto-remediation features of the health agent system:
Enabling/disabling of antivirus/antispyware can not be done
automatically for some vendors (see support charts).
Auto-remediation for antivirus/antispyware engine and pattern
updates is disabled in the 64-bit client.
41 Server Config – Personal Firewall Rules
Chapter 3
Server Config – Personal Firewall Rules
3.1 General
To configure the personal firewall rules browse to Client to Site and select the VPN FW tab.
(Config > Box > Virtual Servers > <servername> > Assigned Services > <servicename> (vpnserver) >
Client to Site).
Double-click the appropriate VPN Firewall Rule Set.
3.2 <Rule Set Name> Tab
This tab allows manual rule configuration, testing, and setting the options.
Personal Firewall rule sets do not support Revision Control System (RCS).
42 Server Config – Personal Firewall Rules
Fig. 3–1 Rules Incoming
43 Barracuda NG Network Access Client - Administrator’s Guide
3.2.1 Rules Incoming / Outgoing
Rules controlling incoming traffic are arranged in the Rules Incoming view, rules controlling outgoing
traffic are arranged in the Rules Outgoing view (figure 3–1).
3.2.2 Context Menu
Select and right-click a list entry to display the following context menu:
Fig. 3–2 Rules Outgoing
Table 3–1 Rule window - Context menu
Item Description
Show Source
Addresses …
Opens a window displaying all source addresses affected by the selected rule.
Show Destination
Addresses …
Opens a window displaying all destination addresses affected by the selected rule.
Show Services Opens a window displaying all services affected by the selected rule.
Show Applications Opens a window displaying all applications affected by the selected rule.
Show Adapters… Opens a window displaying all adapters affected by the selected rule.
Show Users… Opens a window displaying all users affected by the selected rule.
Select Overlapping… As a connection request can match several conditions, the rules' succession within a rule set is very important. If incorrectly
ordered, rules might interfere with one another. The function Select Overlapping is meant to help avoiding configuration
mistakes. When applied to a selected rule, all rules possibly interfering with it are highlighted. In the majority of cases, the
overlap is a harmless outcome of the use of very openly defined objects such as InterNet.
Edit … Opens the rule configuration dialog for the selected rule (3.2.4 Rule Configuration, page 45).
44 Server Config – Personal Firewall Rules
3.2.3 Button Bar
In the button bar, the Up and Down buttons complement options are available in the context menu.
Select a rule and click one of the buttons, to shift the rule further up or down within the rule set.
Alternatively, you can use drag&drop.
New … Opens the rule configuration dialog for a new rule (3.2.4 Rule Configuration, page 45).
Delete Deletes the selected rule(s).
Copy Copies the selected rule(s) to the clipboard.
Paste Pastes the selected rule(s) from the clipboard.
Fig. 3–3 Rules Outgoing – Button bar
According to a regular Barracuda NG Firewall rule set, the NG Firewall rule set is processed rule by rule until an ap-
plicable rule is available. Thus, to achieve correct rule processing, rules must be arranged in the correct order.
Table 3–1 Rule window - Context menu
Item Description
45 Barracuda NG Network Access Client - Administrator’s Guide
3.2.4 Rule Configuration
Select New … from the context menu to create a new rule.
Configure the following connection details in the Rules view of the Rule Object window:
Fig. 3–4 Edit/Create Rule Object
List 3–1 Edit/Create Rule Object - Options in the Rules view
Item / Parameter Description
Action Select Pass to enable a connection request, select Block to prevent it.
Name Insert a rule name into this field.
Note:
The maximum length of this parameter is 50 characters.
Comment For easier identification, insert a rule description (optional).
inactive Select the inactive checkbox to disable a rule (default: unselected).
A minimum specification of the following connection details is mandatory in the sections below:
Source / Destination / Service or
Adapter / Source / Service or
Adapter / Destination / Service
46 Server Config – Personal Firewall Rules
Configure the following connection details in the Advanced view of the Rule Object window:
Modifying an object is a global action. For example, any other rule using the specific object will be affected by the mod-
ification.
This applies only for referenced objects, not for objects of type <explicit>.
Explicit objects are only available for the current rule.
Table 3–2 Edit/Create Rule Object – Sections
Section Description
Adapter Specify an adapter for the connection request. In the list all Adapter Objects that have been defined in the Adapter window are
available (3.3 Adapters, page 51).
Right-click the adapter window below the list and Select New … to create a new Adapter Object.
Double-click an available entry to edit the assigned Adapter Object.
Source /
Destination
Specify a source for the connection request. In the list all Network Objects that have been defined in the Networks window are
available (3.5 Net Objects, page 55).
Select <Explicit> to define a network object explicitly without adding it to the Network Objects listing.
Right-click the source window below the list and Select New … to create a new Network Object.
Double-click an available entry to edit the assigned Network Object.
Service Specify a service for the connection request. In the list all Service Objects that have been defined in the Services window are
available (3.6 Service Objects, page 58).
Select <Explicit> to define a network object explicitly without adding it to the Service Objects listing.
Right-click the source window below the list and Select New … to create a new Service Object.
Double-click an available entry to edit the assigned Service Object.
Application
(optional)
Specify an application for the connection request. In the list all Application Objects that have been defined in the Application
window are available (3.7 Application Objects, page 59).
Select <Explicit> to define an application object explicitly without adding it to the Application Objects listing.
Right-click the source window below the list and Select New … to create a new Application Object.
Double-click an available entry to edit the assigned Application Object.
User (optional) Specify an user for the connection request. In the list all User Objects that have been defined in the User window are available
(3.4 User Objects, page 54).
Select <Explicit> to define an user object explicitly without adding it to the User Objects listing.
Right-click the source window below the list and Select New … to create a new User Object.
Double-click an available entry to edit the assigned User Object.
List 3–2 Edit/Create Rule Object - Options in the Advanced view – section Rule Mismatch Policy
Parameter Description
Source /
Service/
Destination /
Application /
User / Adapter
Continue on Mismatch (default)
Process the rule, even if the corresponding object does not match the configured setting.
BLOCK on Mismatch
Do not process the rule if the corresponding object does not match the configured setting.
List 3–3 Edit/Create Rule Object - Options in the Advanced view – section Miscellaneous
Parameter Description
Time Restriction A time restriction can be assigned to each rule. The granularity is 1 hour on a weekly base.
A rule is allowed at all times by default, for example, all checkboxes in the Time Interval window are cleared. Selecting a checkbox
denies a rule for the given time.
Select (set invert) from the list to configure allowed and disallowed time intervals simultaneously.
Select (set allow) from the list to clear selected checkboxes.
Select (set deny) from the list to to configure disallowed time intervals.
Select Continue if mismatch to process the rule even if time restriction denies it.
Select Block if mismatch to prevent rule processing if time restriction denies it (default).
See figure 3–5: a time interval setting for a rule which has been set to disallowed on Monday and Thursday from 8 a.m. to 5 p.m.
Monitor
Connections
• Yes
•No
47 Barracuda NG Network Access Client - Administrator’s Guide
3.2.5 Tester
The Tester view allows testing rule sets for consistency.
Fig. 3–5 Time restriction dialog
Fig. 3–6 Rule Tester
48 Server Config – Personal Firewall Rules
The following entities are available for rule testing:
3.2.6 Test Report
Test reports are saved on a first come first served basis. Test results with Action Pass are indicated by
a green icon ( ), test results with Action Blocked are indicated by a red icon ( ).
List 3–4 Rule Tester parameters – section TEST CONNECTION
Parameter Description
Direction This is the direction of the traffic policy (Incoming or Outgoing).
Application To query for an arbitrary application leave the asterisk (*), which is set as default value. Click the Application link and Select
Update Applications to reset the field to the default value.
From: IP / Port Insert Source IP and corresponding connection port. Click the From or To link to Swap IP and/or Port information.
Protocol Specify which protocol to test. Click the Protocol link and select Show all Protocols to include other protocols than TCP/UDP and
ICMP into the list.
Time (optional) Insert day of the week and time (optionally). Click the Time link and select Insert current Time to insert current day and time.
User (optional) Select an User from the list (Optionally). Click the User link and select Update Users to clear the field.
Adapter
(optional)
Select an adapter from the list (Optionally). Click the Adapter link and select Update Adapters to clear the field.
Test Click Test to test the connection and display the test result in the section below.
List 3–5 Rule Tester parameters – section TEST RESULT
Parameter Description
Test Status Icon /
Action
A connection attempt with the given values can either have failed or have been successful if a rule is applicable. A failed
connection will be indicated by symbol and Action field Block . A successful connection attempt will be indicated by
symbol and Action field Pass .
Rule The Rule field displays the applicable rule responsible for the rule test result. Click Edit … to open and modify the
corresponding rule. If the connection attempt has been blocked because no rule has applied, the field will display the string
<No Matching Rule Found>.
Service This field displays the applicable Service Object.
PlugIn If applicable, this field displays the name of the PlugIn that has been employed in the connection.
Save Result to Insert the report name and click Save Result to to save the test result. The output of the connection test is written to the
Test Report view (3.2.6 Test Report, page 48).
Attribute/Value listing This listing displays attributes of the tested connection in detail.
Fig. 3–7 Test Report window
49 Barracuda NG Network Access Client - Administrator’s Guide
Changing any parameter in any configuration area that influences the result of a test report leads to a
status icon change in the overview window. Green icons ( ) will become red ( ). To apply the new
conditions to an already existing test report, select the data set in the overview window of the Test
Reports window and click Rectify.
Select a report and click Edit … to open the test result in the Rule Tester window. You may now use the
report as template for further connection tests.
Select a report and click Delete to delete the report from the Test Report window.
3.2.7 Options
The Options view contains settings steering the overall behavior of the personal firewall if this rule set
is active.
Subsequently to this action, the status icons will no longer indicate if an action has been successful or not, but instead
if rectification has been applied. Rectified entries will be flagged with a green ( ) status icon, even if a tested connection
attempt has failed.
List 3–6 Barracuda NG Network Access Client
Parameter Description
Trusted Network Network assignments and references in the network object that have been defined as trustworthy are updated dynamically,
when network adapters are added to the system with trust assignment "trusted" or when IP address configuration of a
trusted adapter changes (3.3 Adapters, page 51). By default, the Trusted Network option points to the preconfigured
TrustedNet object (3.5 Net Objects, page 55). You may change the setting to another available network object. Be aware
of possible implications. Set to No to disable this feature.
Domain Member This option can only be set to yes when a network object has been configured as Trusted Network. Setting to yes creates
and activates default rules allowing applications required in Microsoft Windows domains.
Windows File Sharing This option can only be set to yes when a network object has been configured as Trusted Network. When set to yes
incoming connections to local printer(s) and files are allowed.
Allow NetBIOS
Incoming
Setting to yes (default: no) allows incoming NetBIOS traffic.
Allow NetBIOS
Outgoing
Setting to yes (default: no) allows outgoing NetBIOS traffic.
Ask for unknown
incoming connections
Set this value to yes to enforce manual confirmation for all incoming connection attempts. Confirmation for connection
establishment grant is going to be requested by a notification pop-up.
Ask for unknown
outgoing connections
Set this value to yes to enforce manual confirmation for all unknown outgoing connection attempts. Confirmation for
connection establishment grant will be requested by a notification pop-up.
Ask for adapter update
confirmation
Setting to yes (default) triggers a pop-up, when settings assigned to a network adapter change. See 9.9.1 Automatic
Adapter Configuration, page 121 for details.
50 Server Config – Personal Firewall Rules
ICMP Parameters This tab allows you to configure blocking of ICMP packets.
Connect to the Internet
with ADSL (PPTP)
Setting to yes creates a pass rule named ADSL in the Outgoing tab of the firewall configuration that is needed for Internet
connections via ADSL.
The service object used in this rule amongst others implements the services and protocols listed in table 3–3, page 50.
Table 3–3 Services and protocols employed by the ADSL rule
Port Protocol Service Name Description
GRE pptp Generic Routing Encapsulation; protocol which allows an arbitrary network protocol A to be
transmitted over any other arbitrary network protocol B, by encapsulating the packets of A within
GRE packets, which in turn are contained within packets of B
1723 TCP NETBIOS-DGM Point-to-Point tunnelling protocol; control port
List 3–6 Barracuda NG Network Access Client
Parameter Description
51 Barracuda NG Network Access Client - Administrator’s Guide
3.3 Adapters
The Adapters tab allows you to view and configure network adapters available on the system. Adapters
may be employed in firewall rules, in order to restrict rule processing to a specific adapter or a set of
adapters only.
The listing is divided into the following columns:
In the Adapter Objects view, several dynamic adapter objects (flagged with the icon) are
preconfigured.
The following objects (assigned with status multi) are available:
Adapter [Dial-up]
This object summarizes all dial-up adapters available on the system (for example, UMTS,
ISDN, and modem cards).
Adapter [Ethernet]
This object summarizes all Ethernet adapters available on the system (for example, LAN de-
vices).
Adapter [Wireless]
Fig. 3–8 Adapter view
Table 3–4 Adapter view details
Column Description
Name Name of the adapter object.
Referenced by Number of references pointing to the adapter object
Status Current connection status of the adapter object (connected / disabled / multi)
IP’s IP addresses and/or references assigned to the adapter object
Trust Trust type assigned to the adapter object (trusted / untrusted)
Comment Optional adapter object description
Dynamic objects are updated at runtime when adapter configuration changes and cannot be edited manually. In order
to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall Menu, page 91).
52 Server Config – Personal Firewall Rules
This object summarizes all wireless adapters available on the system (for example, WLAN
cards).
The following further adapter objects are available:
[Network Connection name] (for example, Local Area Connection)
These are the LAN devices available on the system. The Network Connection name is re-
trieved from the Microsoft Windows Network Connections view (available through Start > Set-
tings > Network Connections).
Barracuda NG VPN
This is the virtual interface of the NG VPN client.
To create a new adapter object, click New … in the Adapter Objects window:
Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi.
These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all avail-
able dial-up or wireless adapters.
The "logical" Microsoft Windows name, dependent on the operating system’s language version, and not the device
name is applicable for object naming.
Fig. 3–9 Edit/Create Adapter Object configuration dialog
List 3–7 Edit/Create Adapter Object options
Parameter Description
Name Specify a name for the adapter object.
53 Barracuda NG Network Access Client - Administrator’s Guide
Comment Optionally, insert an adapter description
Trust Type Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in the
Administration > Firewall Settings (Trusted Network, page 120). If you do not want to create a reference, select Untrusted.
Note:
When later changing the setting from Trusted to Untrusted, the reference to the adapter object is automatically deleted from the
Trusted Network object. References to Untrusted adapter objects may not be added to the Trusted Network object manually.
Status This is a read-only field displaying the connection status of the adapter object.
IPs This is a read only field, displaying the IPs assigned to the adapter object.
Adapter/Ref Select network adapter and/or reference you wish to create the adapter object for. Click New to add your selection to the Adapter list.
List 3–7 Edit/Create Adapter Object options
Parameter Description
54 Server Config – Personal Firewall Rules
3.4 User Objects
The User Objects tab allows you to create User and User Group objects, which may be employed in
rule sets. Click New … to open the Edit/Create User Object dialog:
An user object is automatically created when a connection attempt is processed by the firewall. The
object is then inserted into the corresponding rule.
In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda NG
Firewall are available for selection. Local user/group information is displayed in the list first. If the
Windows workstation is a member of a Microsoft Windows domain, domain user/group information
may be retrieved from the Active Directory server by clicking Update.
Fig. 3–10 User Object dialog
Irrespective of the operating systems language version installed on the workstation, the following users will always be
displayed in English:
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NETWORK
The internal firewall engine will transform these names to the appropriate language version. Do not insert them in an-
other language manually.
55 Barracuda NG Network Access Client - Administrator’s Guide
3.5 Net Objects
The Net Objects tab facilitates IP address/network management. Use this tab for the following
purposes:
Assigning of names to single IP addresses
Combining multiple IPs/networks/references into networking objects
In the Net Objects tab, a number of dynamic network objects (flagged with the icon) are preconfigured.
• localIP
Contains all IPs that are configured on trusted adapters, and a reference to the Net-Broad-
cast object.
• virtualIP
Contains the IP address assigned from the VPN server. The virtual IP is only available in
case of established VPN connections.
Net-[Network Connection name]
These network objects contain the network addresses of each specific adapter available on
the system. The Network Connection name is retrieved from the Microsoft Windows Net-
work Connections view (available through Start > Control > Network Connections).
For a clearly arranged network management rather make use of referencing Network Objects than explicit IPs when
configuring firewall rule sets.
Fig. 3–11 Network Objects window
Dynamic objects are updated at runtime when network configuration changes and cannot be edited manually. For dy-
namic update to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall Menu,
page 91).
The "logical" Microsoft Windows name, which depends on the operating system’s language version and not the device
name, is applicable for object naming.
56 Server Config – Personal Firewall Rules
Net-[Network Connection name] objects may be used to set up abstract rule sets.
• InterNet
The InterNet object may be used for outbound connections to the Internet (network
0.0.0.0/0).
• TrustedNet
Use the TrustedNet object to refer to trustworthy networks. The content of this object is de-
pendent on assignment of an adapter as trusted or untrusted (3.3 Adapters, page 51).
When an adapter is specified as trusted the IP addresses living on it are added to the Trust-
edNet object. Vice versa they are deleted from it, when trust assignment changes to untrust-
ed. The TrustedNet object is also updated when IP address configuration of a trusted
adapter changes.
Net-Barracuda NG VPN
The Net-Barracuda NG VPN object contains the address of that network the virtualIP object
is living in.
• Net-Broadcast
This object contains the broadcast addresses of IP addresses configured on trusted adapt-
ers. The broadcast addresses are calculated directly from the IPs.
• Net-Multicast
This object includes the Multicast network 239.255.0.0/16.
Secured Routes are assigned to the Net-Barracuda NG VPN Object.
57 Barracuda NG Network Access Client - Administrator’s Guide
Click New … to open the Net Object dialog.
Insert Name and Description of the Net Object for easier identification.
In the Entry section insert IP/network address(es) of the new Net Object and/or specify a Reference to
the Net Object, for example select an existing Net Object to refer to a new one.
The Excluded Entry section allows excluding specific networks from a network object.
Fig. 3–12 Net Object dialog
For transparency and consistency reasons, references are not available in this section.
58 Server Config – Personal Firewall Rules
3.6 Service Objects
The Service Objects tab facilitates port and protocol management. Use the Services window to
assign port and protocol to specific services
and merge multiple services to one service object using references.
Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator’s Guide.
Fig. 3–13 Service Object dialog
59 Barracuda NG Network Access Client - Administrator’s Guide
The following services are available in the Barracuda NG Personal Firewall by default:
3.7 Application Objects
The Application Objects tab allows creating predefined applications, which may be employed in rule
sets.
Click New … to open the Edit / Create Application Object window.
Table 3–5 Service Objects available in the Personal Firewall
Service Name Port Protocol Connection Description
ICMP O / I Internet Control Message Protocol; ICMP messages, delivered in IP packets are
used for out-of-band messages related to network operation, or misoperation.
DNS 53 TCP/UDP ODomain Name Service; method by which the Internet addresses in mnemonic form
(for example barracuda.com) are converted into the equivalent numeric IP address
(for example 134.220.4.1)
BOOTPS 67 UDP OBootstrap protocol; also used for DHCP (Dynamic Host Configuration)
Kerberos 88 TCP/UDP OProtocol for authentication in Windows 2000 environment
NTP 123 UDP ONetwork Time Protocol; used to synchronize the time of a computer client or server
to another server or reference time source
LOC-SRV/EPMAP 135 TCP ONETBIOS; very common protocol; it is supported on both, Ethernet and TokenRing.
In NetBIOS, TCP and UDP communication is supported. It supports broadcasts and
multi-casting and also three distinct services: Naming, Session, and Datagram.
NETBIOS-NS 137 UDP O / I
NETBIOS-DGM 138 UDP O / I
NETBIOS-SSN 139 TCP O / I
SNMP 161 UDP OSimple Network Protocol; Network management system contains two primary
elements – Manager (console to perform network management functions) and
Agents (entities that interface to the actual managed device). SNMP allows
Managers and Agents to communicate.
LDAP 389 TCP/UDP OLightweight Directory Access Protocol; set of protocols for accessing information
directories.
CIFS 445 TCP O / I further development of the SMB protocol and serves as an addition and
improvement to the standard protocols FTP and HTTP.
MSTASK 1026 TCP OWindows Task Scheduler; used to schedule tasks, such as backups or updates, to
run at certain times or dates
Application Liability and Application Type classifications are purely informational.
60 Server Config – Personal Firewall Rules
Insert Name and Application Object Description for easier identification.
Again, click New … to specify an application. The Application Entry Parameters
window opens.
Click Browse and select the file you want to create the object for. After
selection, the path to the file and its inherent file description will be displayed
in the Path and Description fields below.
Optionally, insert a file description into the Comment field.
Specify Application Liability and Application Type. Momentarily, the classification is
purely informational.
Click Generate to create an MD5 Hash in order to clearly identify the selected file,
when it is executed.
Fig. 3–14 Application Object dialog
MD5 Hash creation is recommended in order to avoid corrupt file and a vulnerable PC after an attack.
61 Barracuda NG Network Access Client - Administrator’s Guide
The following application objects, that are required in Microsoft Windows domains, are available within
the Barracuda NG Personal Firewall by default:
Consider that when an application equipped with an MD5 Hash is used on multiple clients, file versions need to match
exactly. Otherwise, the application object will not be applicable.
Click Clear to delete the hash.
In addition to the application, first level DLLs are taken into consideration. This provides additional security. However,
DLLs used by first level DLLs are not monitored.
Table 3–6 Applications required in Microsoft Windows domains
Application Connection Description
System O / IServices needed by the OS kernel
TCP/IP Ping
Command
O / I
lsass.exe O Local Security Authority Service; process responsible for management of local security authority domain
authentication and Active Directory management.
services.exe O Upon startup, services.exe enumerates through all registry sub-keys located in
HKEY_LOCAL_MACHINE\Services registry key.
spoolsv.exe O The Windows Printer Spooler stores printer jobs and forwards them to the printer when it is ready.
userinit.exe O By default, WinLogon executes this application that triggers logon scripts, re-establishes network
connections, …
winlogon.exe O This application manages security-related user interactions in Windows NT. It handles logon and logoff
requests, changing the password,
svchost.exe O This is a generic host process name for services that are run from dynamic-link libraries (DLLs). There
can be multiple instances of svchost.exe running at the same time.
62 Operating & Monitoring Barracuda NG NAC
Chapter 4
Operating & Monitoring Barracuda NG NAC
4.1 Box – Monitoring and Real-time Information
The Access Control Service provides extensive information about the currently available endpoints
and their status. Both, real-time and historical information are displayed when logging into the status
window.
The following tabs are available for operational purposes:
Status tab
Status VPN tab
Access tab
Quarantine tab
4.1.1 Available Columns
The lists in the real-time information GUI consist of the following columns:
• Time
Displays date and time of the last client access
• Hostname
Displays the client's hostname as reported by the client.
IP Address
Client's IP address as reported by the client.
• User
Either "Local Machine" if no user information is available or the name of the logged in user
(DOMAIN\username).
• Status
Current status of the client. Possible values are "Machine logged in", "User logged in" or
"User logged off". Additionally the status "Out of time" is displayed if the client did not
reconnect to the Access Control Service within the configured time period ("Access Control
Service Settings > System Health-Validator > Health State Validity"). This is often caused
by powered off clients or by interrupted network connectivity.
• Information
63 Barracuda NG Network Access Client - Administrator’s Guide
Summary of the client's health status or more details of a failed connection. Values could be
"Client is healthy". If the client is unhealthy, the column "Information" contains details about
the failed health checks. "No rule matched", another possible information, means that
identity matching failed.
• Healthstate
Last health state, which could be one of the four "Healthy", "Unhealthy", "Probation", or
"Untrusted".
• IsolationState
Possible values are Access", "Not Restricted", or "Probation".
Auth. (PHIBS)
Result of the last authentication, which could be either "OK" or "Not OK".
• Rule
Name of the matching policy rule.
• Boxname
Originating box where the Access Control Service runs on (only relevant in CC Barracuda
NG Network Access Client GUI context).
• Type
Displays the type "Health Evaluator", "Authenticator" or "Remediation", depending on the
Access Control Service module which created the entry.
MAC Address
Client's MAC address as reported by the NG client.
• SID
Client's local machine Secure Identifier (SID) as reported by the NG client.
4.1.2 Filtering
All available tabs provide filtering options at the top of the Barracuda NG Access Monitor GUI.
The filter categories are split into Basic Filters and Advanced Filters. Depending on the currently
selected tab some filters are not available or set as preselection.
The Basic Filter provides the following filter criteria:
From date/dime
Restrict the time period for which entries should be listed.
Health State
This filter provides the different health states "Healthy", "Unhealthy", "Probation", and
"Untrusted" to display only the selected entries
To activate a filter and refresh the Status list it is necessary to press the button "Update List".
Filters are case sensitive. Some of the filters provide a list of available entries, other filter criteria can be entered man-
ually. For manual input there are wildcards ('*', '?') available. For example, Filter 10.0.8.1? filters for IP addresses
10.0.8.10 to 10.0.8.19, the filter 10.0.8.1* also matches 10.0.8.100 to 10.0.8.199.
64 Operating & Monitoring Barracuda NG NAC
• Isolation
The categories "Not restricted", "Restricted", and "Probation" are available as filter criteria.
•IP
Filters the list for specific IP addresses.
• User
Filters the list for specific user entries.
• Type
Filters the list for entries of type "Health Evaluator", "Authenticator", or "Remediation",
depending on the Access Control Service module which created the entry.
• Client
Filters the list for entries of type "Local Machine", "VPN", or "User".
The advanced filter provides the following criteria:
• MAC
MAC-address of the client (sent by NG client, so even in routed environments the original
MAC address will be available).
• SID
Filter for microsoft machine SID.
• Box
Filter for originating box where the Access Control Service runs on (only relevant in CC
Barracuda NG Network Access Client GUI context).
• Rule
Matching policy rule.
• Auth
Filter on authentication status.
• Host
Filter on hostname.
• Status
Filter on client status ("User logged in", "Machine logged in", "Logged out", "Out of time").
By activating the corresponding checkboxes. it is possible to combine multiple fields in order to achieve
a more precise selection.
4.1.3 Context Menus
Right-click a list entry to activate the following context menus:
The standard context menu accessible through the Tools item (see Barracuda
NG Firewall Administration Guidance)
Follow this Computer
65 Barracuda NG Network Access Client - Administrator’s Guide
By selecting this context menu entry on a selected entry all entries with the selected client
are displayed in a new tab. Criteria for identifying a computer is the computer's local
machine secure identifier (SID).
Visualize this Computer
This entry visualizes the health state of the selected client. The graphical status at the top
of the main window displays the summarized health state per day. Selecting multiple entries
displays statistics of clients in state "Unhealthy", "Probation", and "Healthy".
For single entries, the summary displays a red icon to indicate an unhealthy client if it was unhealthy
only once per displayed time period (day/week). Grey icons mean that no data is available for this date.
This might e.g. indicate a client that is powered off.
Show Log File
Displays the log entries relating to the selected client. Additionally, the access cache of the
forwarding firewall can be displayed.
Show Details
Displays detailed information about the selected client in a list view.
Flush Cache >
Fig. 4–1 Box – Monitoring and Real-time Information – Visualizing 2 Computers
Fig. 4–2 Box – Monitoring and Real-time Information – Visualizing FD-QA-XP
Only log entries available on this Barracuda NG Firewall box will be displayed.
66 Operating & Monitoring Barracuda NG NAC
• Entry
This Computer
• -ALL-
Removes either the selected entry, or all entries belonging to the selected client, or all
entries from the cache.
• Ungroup
Displays all entries in a flat list instead of the default group view.
Group by >
For better lucidity, status entries may be grouped by their essential attributes such as time,
IP address, or rule name. Entries are arranged in pop-up menus topped by a labelled title
bar.
Summarize duplicate entries
Cumulate identical entries and in addition display the count (for example, how many entries
are cumulated).
Show time in UTC
Show UTC time instead of Barracuda NG Firewall system timezone.
4.1.4 Status Tab
The Status tab summarizes the health information of all connected clients. The Barracuda NG Network
Access Client framework does not depend on continuously established connections, but NG clients
connect periodically to the Access Control Service. Thus the Status tab is able to display historical
information of the clients, too. To update the list press Update List, since automatic updates are
disabled.
As primary key, Barracuda NG Network Access Client uses the Microsoft Machine Secure Identifier
(SID). The MS Machine SID is a unique value which could change only in case of severe hardware
Fig. 4–3 Box – Monitoring and Real-time Information – Show time in UTC
67 Barracuda NG Network Access Client - Administrator’s Guide
modifications or re-installation of the operating system. This means that the Access Control Service
can assign health states to the proper client even if the IP address changes or a user performs a logout.
The status tab displays only the last health status of a client. To get an overview of historical
information, e.g. in order to display different states for a client but cumulate states if they were identical,
change the view to the Access tab.
Alternatively, the full log entries are available via the Log Viewer module. The full Access Cache can be
viewed in the Firewall GUI > Access Cache.
Both, log entries and firewall access cache, are only available if the the Access Control Service was
active on the Barracuda NG Firewall box. Barracuda NG Firewalls do not sync their log files or the
firewall access cache to the HA partner.
4.1.5 Status VPN Tab
This tab provides a subset of the information available in the Status tab. Only Barracuda NG Network
Access Client Client connections established through VPN are enlisted. Manually applying filters in the
Status tab results provides the same information.
4.1.6 Access Tab
The Access tab provides all information available for the Access Control Service. This includes health
information (also displayed in the Status tab) and also data generated by the remediation module and
the authenticator module.
4.1.7 Quarantine Tab
The Quarantine tab provides all information regarding clients which health state is unhealthy and which
are therefore in quarantine.
Fig. 4–4 Box – Monitoring and Real-time Information – Status
Double-click an entry to open a new window where the Access Control Service logs corresponding to the appropriate
entry are displayed. Optionally, the Firewall Access Cache may be displayed by pressing "Show Access Cache". Au-
tomatically an appropriate filter for the client's IP address is set. The cache selection includes forwarding and local-in
and local-out traffic. This gives the administrators an easy way of trouble-shooting for their clients.
68 Client Installation
Chapter 5
Client Installation
Installation files for VPN client installation are provided on the Barracuda NG Firewall Application
CD-ROM. You may alternatively download the installation package from Barracuda Networks. An MSI
file is additionally provided for software distribution systems.
Double-click setup.exe to start the installation routine.
The installation routine offers three basic ways of setup:
<Barracuda NG VPN client>, <Barracuda NG SSL VPN and NAC client>, <Custom>
Copy the installation files onto the local hard disk before commencing installation.
All Barracuda NG VPN client drivers are signed by Microsoft for Windows NT, Windows XP (32 Bit), Windows
Vista (32 Bit and 64 Bit) and Windows 7 (32 Bit and 64 Bit) logo compliance.
Barracuda NG Network Access Client is not intended to work as complement to VPN clients and/or personal
firewalls provided by other vendors. Thus, Barracuda Networks recommends to uninstall any other VPN client
and/or personal firewalls prior to installation of Barracuda NG Network Access Client.
The only notable exception is the Microsoft Firewall which can be operated in conjunction with Barracuda NG
Personal Firewall.
Installation requires administrator rights on the respective system.
For Microsoft Windows XP users it is highly recommended to have the official Service Pack 2 and recent hotfixes
installed.
Take into consideration that the NG Personal Firewall is turned OFF by default and requires manual activation
during the setup routine, or alternatively after successful installation.
69 Barracuda NG Network Access Client - Administrator’s Guide
Barracuda NG VPN Client
Barracuda NG SSL VPN and NAC Client (complete installation)
• Custom
A way to perform remote installation procedures is provided through customizable script files. Refer to
the following chapters if you intend installing and configuring multiple clients remotely.
Unattended Setup
See 5.3 Unattended Setup, page 70
Customer Setup
See 5.4 Customer Setup, page 73
5.1 Complete Installation
The complete installation itself is a standard installation routine providing default settings (For example
for connection behavior) for all product variants. Selecting this setup type does not require any deeper
knowledge of the Barracuda NG Network Access Client. Simply follow the instructions on the screen.
The following default settings apply when executing complete installation (details of these settings are described
in 5.2 Custom Installation, page 70).
Fig. 5–1 Complete Installation – default settings
70 Client Installation
As soon as the installation procedure has completed, Barracuda NG Network Access Client is ready
for use (for a feature list, see 8.2 Facts and Figures, page 83).
5.2 Custom Installation
This installation type is intended for experienced users. However, the basic settings defined during the
installation routine require a deeper look, see table 5–1, page 71 and table 5–2, page 72.
5.3 Unattended Setup
Unattended installation procedure aims at concurrent remote installation and basic configuration of
multiple clients and addresses the experienced system administrator.
To specify non-default values for installation, Msiexec options may additionally be extended by
List 5–1 Complete Installation — section Barracuda NG Access Monitor – default settings
Parameter Default
802.1x Enable
DHCP Renew
List 5–2 Complete Installation — section NG Personal Firewall – default settings
Parameter Default
Trusted Network
Connect to the Internet with ADSL (PPTP)
Allow others to access my files and printer(s)
Disable Barracuda NG Personal Firewall
Firewall Always ON
List 5–3 Complete Installation — section Ask for – default settings
Parameter Default
unknown outgoing connections
unknown incoming connections
adapter update confirmation
Unattended setup requires administrator rights on the system where installation is executed.
Msiexec (command-line options) apply for customisation of the installation procedure. For information on these
options refer to
http://technet2.microsoft.com/WindowsServer/en/li-
brary/9361d377-9011-4e21-8011-db371fa220ba1033.mspx?mfr=true.
71 Barracuda NG Network Access Client - Administrator’s Guide
Barracuda NG Network Access Client specific properties. The available options for this purpose are
listed in table 5–1 and table 5–2.
Save the following to a .cmd file and execute this file to trigger an unattended setup. Separate multiple
specific properties with spaces:
Trusted Network
see description for parameter Trusted Network, page 120
Allow other to access my files and printer(s)
see description for parameter Windows File Sharing, page 120.
Fig. 5–2 Exemplary silent.cmd file for unattended setup
Specific properties must be inserted into one row.
Table 5–1 Properties available for customisation of unattended setup
Property Value (*=default) Corresponding Option in the Firewall Settings
DEFAULT_SHELL Required when using another shell then explorer.exe (For example, Microsoft Embedded XP).
DHCPRENEW8021
X
0*
1
Enable/disable 802.1X DHCP Renew
ENABLE8021X 0*
1
Enable/disable 802.1X
FW_ALWAYS_ON 0*
1
Firewall Always ON, page 72
FW_INSTALL_GIN
A
0*
1
Install Barracuda Networks GINA
FW_NOTINSTALL 0*
1
This option is for SMART-clients only, although SMART-clients still also work with installed firewall.
INSTALLDIR Defines the installation path (C:\Program Files\BarracudaNG)
POLSRV_IP Defines the IP address of the Access Control Server.
PROGTYPE Installs selected product containing of:
NG Personal Firewall, VPN and system health validator
INSIDE - personal firewall and system health validator
R8 - personal firewall and VPN
PROGTYPE VPN Chooses the VPN-only installation mode. Only the VPN client components will be installed.
PUB_CA_KEYCER
T
Allows adding the name of the CA public certificate to the profile and requires adding the lines
copy certname.pem > nul and
del certname.pem > nul accordingly.
PWD [A secret password] Sets a password that will be requested prior to shutting down the client. It will not be possible for
users to shut down the client without the correct password.
Leaving the value blank removes the shutdown protection.
The NG Personal Firewall settings can be edited after installation. For detailed information see
9.9 Administration - Firewall Settings Wizard, page 120.
@echo off
setup.exe /s /v"/qr CUSTOMER_INF=customer.inf PROGTYPE=R8 FW_NOTINSTALL=1"
72 Client Installation
Connect to the Internet with ADSL (PPTP)
see description for parameter Connect to the Internet with ADSL (PPTP), page 120
Ask for adapter update confirmation
see description for parameter Ask for adapter update confirmation, page 120
Access Control Server Address
This parameter defines the Access Control Server to be used.
Ask for unknown outgoing/incoming connections
Selecting these checkboxes causes a dialog to pop up for each unknown connection. Via
this dialog the NG Personal Firewall rule set is modified automatically (9.9.2 Automatic Rule
Configuration, page 122).
Disable Barracuda Networks Secure Mode (Firewall off)
Selecting this checkbox results in a "pass-all-behavior" of the NG Personal Firewall. Use
this option for unattended setups.
Firewall Always ON
This option prevents deactivating the NG Personal Firewall.
Any rule set which is assigned trough a policy- or VPN server will overwrite these options.
Table 5–2 Properties available for customisation of unattended setup
Property Value (*=default) Corresponding Option in the Firewall Settings
FW_TRUSTEDNETWORK 0*
1Trusted Network, page 120
FW_SHARE 0*
1Windows File Sharing, page 120
FW_ADSL 0*
1Connect to the Internet with ADSL (PPTP), page 120
FW_ASKOUT 0
1* Ask for unknown outgoing connections, page 120
FW_ASKIN 0*
1Ask for unknown incoming connections, page 120
FW_ASKADAPTER 0
1* Ask for adapter update confirmation, page 120
FW_DISABLE 0
1* Disable Barracuda Networks Secure Mode (Firewall off), page 72
73 Barracuda NG Network Access Client - Administrator’s Guide
5.4 Customer Setup
Customer setup is a comprehensive installation method, allowing you to fully preconfigure all NG
Network Access Client settings on multiple installation systems remotely.
Customer setup addresses the experienced system administrator. In addition to pure installation and
basic configuration, it allows you to:
Preconfigure an arbitrary number of connection profiles on the NG Network
Access Client.
Import license (.lic) files and X.509 certificates into the NG Network Access
client.
Import preconfigured rule sets into the NG Personal Firewall.
Exemplary script files required for Customer Setup (customer.inf, silent.cmd) are available on
the Application CD, allowing you to adapt the remote configuration procedure.
Proceed as follows to prepare a completely customized setup:
1.) Edit the customer.inf file
See 5.4.1 customer.inf, page 73
2.) Edit the silent.cmd file
See 5.4.5 silent.cmd, page 78
3.) Copy the following files to the folder containing the setup.exe file:
• customer.inf
• silent.cmd
active.i_fwrule (optional)
[LicenseName].lic (optional)
[CertificateName].pem (optional)
4.) Execute the silent.cmd file
5.4.1 customer.inf
The customer setup is only available for NG VPN Client
Customer setup requires administrator rights on the installation’s target system.
The syntax examples below are partly arranged in abstracts only. If needed as template, refer to the complete
exemplary customer.inf file (15.1 customer.inf File Template, page 205).
74 Client Installation
The customer.inf file directs copying of required files and insertion of registry entries. It is divided into
three sections of interest ("Customer Areas"):
Customer Area [CustomerCopyFiles], page 74
Customer Area [CustomerReg], page 75
Customer Area [SourceDisksFiles], page 78
5.4.2 Section "1. Customer Area" / [PhionCustomerCopyFiles]
Optionally, the following file-directives may be detailed:
The content of the customer.inf file is treated case sensitive.
Do NOT rename the customer.inf file.
Remove nonessential parameters from the customer.inf file before applying it for Customer Setup.
The files customer.inf and silent.cmd are adapted to inclusion of a customer.lic file. If you are not importing a
license (.lic) file during installation, delete the corresponding entries in both files. If you are using another name
for the .lic file, do not forget to edit this file name within the installation files.
Fig. 5–3 Example for section [CustomerCopyFiles]
Table 5–3 File-directives applicable in the Customer Area" / [CustomerCopyFiles]
Directive Comment
destination-file-name Specifies the name of the destination file. If no source-file-name is given, this specification is also the
name of the source file.
source-file-name Specifies the name of the source file. If the source and destination file names for the file copy operation
are the same, source-file-name can be omitted.
temporary-file-name Specifies the name of a temporary file to be created in the copy operation, if a file of the same name on
the destination is open or currently in use. Only used on Windows 9x/Me platforms. The NT-based
operating system automatically generates temporary file names when necessary and renames the
copied source files the next time the operating system is started.
flag These optional flags, expressed in hexadecimal notation or as a decimal value in a section entry, can
be used to control how (or whether) a particular source file is copied to the destination. One or more
(ORed) values for the following system-defined flags can be specified, but some of these flags are
mutually exclusive:
0x00000400
(COPYFLG_REPLACEONLY)
Copy the source file to the destination directory only if the file is already present in the destination
directory.
[PhionCustomerCopyFiles]
; destination-file-name[,source-file-name][,temporary-file-name][,flag]
customer.inf,,,2 ; important, do not remove
customer.lic,,,2 ; if importing a license file
active.i_fwrule,,,2 ; if importing a firewall rule set
75 Barracuda NG Network Access Client - Administrator’s Guide
5.4.3 Section "2. Customer Area" / [CustomerReg]
This section controls the configuration of profiles set up during installation. Profile settings are saved
to [HKEY_USERS\.DEFAULT\Software\Phion\phionvpn\Profile]
For automated VPN profile creation, the following syntax is applicable in the customer.inf file:
reg-root, [subkey], [value-entry-name], [flags], [value]
0x00000800
(COPYFLG_NODECOMP)
Copy the source file to the destination directory without decompressing the source file if it is
compressed.
0x00000008
(COPYFLG_FORCE_FILE_IN_USE)
Force file-in-use behavior: do not copy over an existing file of the same name if it is currently open.
Instead, copy the given source file with a temporary name so that it can be renamed and used when the
next reboot occurs.
0x00000010
(COPYFLG_NO_OVERWRITE)
Do not replace an existing file in the destination directory with a source file of the same name. This flag
cannot be combined with any other flags.
0x00001000
(COPYFLG_REPLACE_BOOT_FILE)
This file is required by the system loader. The system will prompt the user to reboot the system.
0x00002000
(COPYFLG_NOPRUNE)
Do not delete this operation to effectuate optimisation.
For example, Setup might determine that the file copy operation is not necessary because the file
already exists. However, the writer of the INF knows that the operation is required and directs Setup to
override its optimisation and perform the file operation. (This flag can be used to ensure that files are
copied if they are also specified in an INF DelFiles directive or an INF RenFiles directive.)
0x00000020
(COPYFLG_NO_VERSION_DIALOG)
Do not overwrite a file in the destination directory with the source file if the existing file is newer than the
source file.
This flag is irrelevant to digitally signed INF files. If a driver package is digitally signed, Setup installs the
package as a whole and does not selectively omit files in the package based on other versions already
present on the machine.
0x00000004
(COPYFLG_NOVERSIONCHECK)
Ignore file versions and overwrite existing files in the destination directory. This flag and the next two
are mutually exclusive. This flag is irrelevant to digitally signed INF files.
0x00000040
(COPYFLG_OVERWRITE_OLDER_
ONLY)
Copy the source file to the destination directory only if the file on the destination will be superseded by
a newer version. This flag is irrelevant to digitally signed INF files.
0x00000001
(COPYFLG_WARN_IF_SKIP)
Send a warning if the user selects to not copy a file. This flag and the next are mutually exclusive, and
both are irrelevant to INF files that are digitally signed.
0x00000002
(COPYFLG_NOSKIP)
Do not allow the user to skip copying a file. This flag is implied if the driver package is signed.
Do not change the name of the firewall rule set entry (active.i_fwrule). If you do not intend installing the
Barracuda Networks Firewall R8 with a predefined rule set meeting company policy, uncomment or delete this
line.
Fig. 5–4 Customer Setup – Profile settings
Table 5–3 File-directives applicable in the Customer Area" / [CustomerCopyFiles]
Directive Comment
HKU,.DEFAULT\Software\Phion\phionvpn\Profile\1,dhcp,0x00010001,1
Registry path
Profile path
Profile ID
76 Client Installation
This section is used for creating profiles and defining default values.
Table 5–4 Directives applicable in the "Customer Area" / [CustomerReg]
Directive Comment
reg-root Identifies the root of the registry tree for other values supplied in this entry. The value can be one of the
following:
HKCR Abbreviation for HKEY_CLASSES_ROOT
HKCU Abbreviation for HKEY_CURRENT_USER
HKLM Abbreviation for HKEY_LOCAL_MACHINE
HKU Abbreviation for HKEY_USERS
subkey This optional value, formed either as a %strkey% token defined in a Strings section of the INF or as a
registry path under the given reg-root (key1\key2\key3 …), specifies one of the following:
A new subkey to be added to the registry at the end of the given registry path.
An existing subkey in which the additional values specified in this entry will be written (possibly replacing
the value of an existing named value entry of the given subkey).
Both a new subkey to be added to the registry together with its initial value entry.
value-entry-name This optional value either names an existing value entry in the given (existing) subkey or creates the
name of a new value entry to be added in the specified subkey, whether it already exists or is a new key
to be added to the registry. This value can be expressed either as "quoted string" or as a %strkey% token
that is defined in the INFs Strings section.
(If this is omitted for a string-type value, the value-entry-name is the default "unnamed" value entry for this
key.)
The operating system supports some system-defined special value-entry-name keywords. See the end of
this Comments section for more information.
flags This optional hexadecimal value, expressed as an ORed bitmask of system-defined low word and high
word flag values, defines the data type for a value entry and/or controls the add-registry operation.
Bitmask values for each of these flags are as follows:
0x00000001
(FLG_ADDREG_BINVALUETYPE)
The given value is "raw" data. (This value is identical to the FLG_ADDREG_TYPE_BINARY.)
0x00000002
(FLG_ADDREG_NOCLOBBER)
Prevent a given value from replacing the value of an existing value entry.
0x00000004
(FLG_ADDREG_DELVAL)
Delete the given subkey from the registry, or delete the specified value-entry-name from the specified
registry subkey.
0x00000008
(FLG_ADDREG_APPEND)
Append a given value to that of an existing named value entry. This flag is valid only if
FLG_ADDREG_TYPE_MULTI_SZ is also set. The specified string value is not appended if it already
exists.
0x00000010
(FLG_ADDREG_KEYONLY)
Create the given subkey, but ignore any supplied value-entry-name and/or value.
0x00000020
(FLG_ADDREG_OVERWRITEONLY)
Reset to the supplied value only if the specified value-entry-name already exists in the given subkey.
0x00001000
(FLG_ADDREG_64BITKEY)
(Windows XP and later.) Make the specified change in the 64-bit registry. If not specified, the change is
made to the native registry.
0x00002000
(FLG_ADDREG_KEYONLY_COMMON)
(Windows XP and later.) This is the same as FLG_ADDREG_KEYONLY but also works in a
del-registry-section (see INF DelReg Directive).
0x00004000
(FLG_ADDREG_32BITKEY)
(Windows XP and later.) Make the specified change in the 32-bit registry. If not specified, the change is
made to the native registry.
0x00000000
(FLG_ADDREG_TYPE_SZ)
The given value entry and/or value is of type REG_SZ. Note that this is the default type for a specified
value entry, so the flags value can be omitted from any reg-root= line in an add-registry section that
operates on a value entry of this type.
0x00010000
(FLG_ADDREG_TYPE_MULTI_SZ)
The given value entry and/or value is of the registry type REG_MULTI_SZ. This specification does not
require any NULL terminator for a given string value.
0x00020000
(FLG_ADDREG_TYPE_EXPAND_SZ)
The given value entry and/or value is of the registry type REG_EXPAND_SZ.
0x00010001
(FLG_ADDREG_TYPE_DWORD)
The given value entry and/or value is of the registry type REG_DWORD.
0x00020001
(FLG_ADDREG_TYPE_NONE)
The given value entry and/or value is of the registry type REG_NONE.
77 Barracuda NG Network Access Client - Administrator’s Guide
1.) Edit default entry
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Default, 0x00010001, 1
Value "1" sets a profile to the default profile of the Barracuda NG VPN Client. All other profiles take the
value "0".
2.) Edit DHCP entry
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, dhcp, 0x00010001, 1
Editing the value changes the value of the parameter Virtual Adapter Configuration:
Assign IP address manually
Use internal DHCP assignment (default)
Direct assignment
3.) Edit profile name
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, description, 0x00000000,
"profile name"
4.) Name the license (customer.lic)
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, license, 0x00000000,
"%65600%\customer.lic"
5.) Enter IP address of the VPN server
HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, server, 0x00000000,
"192.168.0.1"
value This optionally specifies a new value for the specified value-entry-name to be added to the given registry
key. Such a value can be a "replacement" value for an existing named value entry in an existing key, a
value to be appended (flag value 0x00010008) to an existing named REG_MULTI_SZ-type value entry in
an existing key, a new value entry to be written into an existing key, or the initial value entry for a new
subkey to be added to the registry.
The expression of such a value depends on the registry type specified for the flag as follows:
• A registry string-type value can be expressed either as a "quoted string" or as a %strkey% token defined
in a Strings section of the INF file. Such an INF-specified value need not include a NULL terminator at the
end of each string.
• A registry numerical-type value can be expressed as a hexadecimal (using 0x notation) or decimal
number.
The following describes only the minimum required information. You may add any other Barracuda Networks
registry entry.
%65600% is used as placeholder for the installation directory.
Table 5–4 Directives applicable in the "Customer Area" / [CustomerReg]
Directive Comment
78 Client Installation
5.4.4 Section "3. Customer Area" / [SourceDisksFiles]
A SourceDisksFiles section names the source files used during installation, identifies the
installation disks that contain these files, and provides the path to the subdirectories, if any, on the
distribution disks containing individual files.
The following directives are applicable:
filename = diskid[,[ subdir][, size]]
5.4.5 silent.cmd
Save the following to a .cmd file and execute this file to trigger an unattended customer setup.
Separate multiple properties with spaces:
Fig. 5–5 Example for section [SourceDisksFiles]
Table 5–5 Directives applicable in the Customer Area" / [SourceDisksFiles]
Directive Comment
filename Specifies the name of the file on the source disk.
diskid Specifies the integer identifying the source disk that contains the file. This value and the initial path to the subdir(ectory), if any,
containing the named file must be defined in a SourceDisksNames section of the same INF.
subdir
This optional value specifies the subdirectory (relative to the SourceDisksNames path specification, if any) on the source disk
where the named file resides.
If this value is omitted from an entry, the named source file is assumed to be in the path directory that was specified in the
SourceDisksNames section for the given disk or, if no path directory was specified, in the installation root.
size This optional value specifies the uncompressed size, in bytes, of the given file.
Do not change the name of the firewall rule set entry (active.i_fwrule). If you do not intend installing the
NG Personal Firewall with a predefined rule set meeting company policy, incomment or delete this line.
Fig. 5–6 Exemplary silent.cmd file for unattended setup
Specific properties must be inserted into one row.
[SourceDisksFiles]
; Files for disk Customer Files #1
; filename = diskid[,[ subdir][, size]]
customer.inf,,,1
customer.lic,,,1 ; if a license file is imported
active.i_fwrule,,,1 ; if a firewall rule set is imported
@echo off
setup.exe /s /v"/qr CUSTOMER_INF=customer.inf PROGTYPE=R8 FW_NOTINSTALL=1"
79 Barracuda NG Network Access Client - Administrator’s Guide
For an overview of specific properties see table 5–1, page 71.
80 Client Installation
5.5 System Restore
Barracuda NG Network Access Clients installation and removal processes create restore points in the
Windows System Restore area that you may use to restore your system to a previous state.
Refer to the OS help for details.
Fig. 5–7 System Restore
81 Update or Migration
Chapter 6
Update or Migration
6.1 General
In case you are updating from predecessor versions, simply execute the setup executable and follow
the on-screen instructions.
If you have particular questions regarding the migration process, then please contact the Barracuda
Networks support.
For migration, it is mandatory to have the setup file locally on your system. A network installation is NOT possible.
If the Personal Firewall is installed, make sure to disable the Internet connection prior to migration.
After an update, the system needs to be restarted. Close all applications including the Barracuda NG VPN Client
before rebooting the system.
82 Uninstall
Chapter 7
Uninstall
7.1 General
7.2 Procedure
To uninstall the client, browse to Start > Control Panel > Add or Remove Programs > Barracuda NG Network
Access Client and click Remove.
Close all applications including the VPN client before uninstalling. You will be prompted to restart the system after
uninstallation has completed.
83 VPN Configuration
Chapter 8
VPN Configuration
8.1 Overview
Virtual Private Networks are an efficient and cost-saving way to use the internet as a transport
alternative to dedicated lines or dial-up RAS overcoming the security risks of internet communications.
There are two well-established technologies for data encryption: IPSec and SSL (Secure Socket
Layer).
Most VPN implementations rely solely on IPSec, which has several disadvantages in modern network
topologies. Barracuda NG VPN has incorporated both technology standards and hence improves the
VPN connectivity substantially.
Barracuda Networks provides two types of VPN client licenses:
Barracuda NG VPN Client
Barracuda NG SSL VPN and NAC
8.2 Facts and Figures
VPN Licensing
The Barracuda NG VPN Client license is included with every appliance. On box appliances, it allows for
unlimited users, while on virtual appliances it is limited to the virtual appliance’s capacity.
Fig. 8–1 Structure of a VPN tunnel
For detailed information concerning the different features of the two licenses, have a look at 8.2 Facts and Figures,
page 83.
HQ LAN
NG
Firewall
NG
VPN client
Destination
IP Address
=
DST
Server Tunnel
IP Address
=
VPN Server
Client IP
Address
=
Peer
VPN client
IP Address
=
Source
84 VPN Configuration
Optionally, the Barracuda NG SSL VPN and NAC subscription license is availabe. It enables SSL VPN
functionality and includes Barracuda NG Network Access Client with the full client including the
centrally managed Barracuda NG Personal Firewall.
Authentication support
Personal firewall capabilities
Policy matching capabilities
Table 8–1 Authentication support
Function Supported
Active Directory
LDAP
RADIUS
MSNT
RSAACE
X509 certificates
RSA tokens
Smart cards
Table 8–2 Personal firewall capabilities
Function Supported
Dynamic adapter object handling
Dynamic user object handling
RPC handling
Multiple rule sets support
Client side policy enforcement
Table 8–3 Policy matching capabilities
Function Comment
ID-based policies
Support for ID-based Exemptions , health condition and/or software update
Date and time conditions
Access type Support for internal and external category
Separate machine policies
Separate policies
Separate quarantine policies
Machine properties Microsoft operating system time, Microsoft SID, x.509 certificate (LocalMachine Account) with subject, issues,
altname conditions, Hostname, MAC Address, network ACL, Netbios name
User properties All of the above and login name and work group affiliation
Required client version
Personal firewall active
85 Barracuda NG Network Access Client - Administrator’s Guide
Usage Scenario
Antivirus (AV) product installed
AV active
AV realtime protection active
Last AV scan time
Enforce overdue AV scan
AV engine version
AV pattern version
AV pattern max age
Enforce overdue AV
engine/pattern update
AntiSpyware (AS) product
installed
AS active
AS realtime protection active
Last AS scan time
Enforce overdue AS scan
AS engine version
AS pattern version
AS pattern max age
Enforce overdue AS
engine/pattern update
Personal firewall rule set a
Registry entries a
Welcome message
Welcome picture
C-ID support
ID-based exemption from
enforced client updates
Gateway network access roles
a. Not available for Barracuda NG VPN Client
Table 8–4 Usage Scenario
Function Barracuda NG VPN Client Barracuda NG SSL VPN and NAC
LAN protection 
VPN remote access 
Table 8–3 Policy matching capabilities
Function Comment
86 VPN Configuration
• Architecture
OS requirements
Table 8–5 Architecture
Function Barracuda NG VPN Client Barracuda NG SSL VPN and NAC
Integrated health agent
Integrated VPN client 
Integrated personal firewall managed
Full entegra policy support
Table 8–6 OS Requirements
Function Barracuda NG VPN Client Barracuda NG SSL VPN and NAC
Operation systems Windows XP (32-Bit),
Windows Vista (32-bit/64-bit),
Windows 7 (32bit/64bit)
Disk space 30 MB
RAM 512 MB / 1024 MB (Vista)
Processor Intel 1.3 GHz
87 Barracuda NG Personal Firewall
Chapter 9
Barracuda NG Personal Firewall
9.1 Overview
The Barracuda NG Personal Firewall is a lighter version of the Barracuda NG Firewall especially
designed for client usage. Nevertheless, most configuration options of the Barracuda NG Firewall are
available. When connected to an Access Control Service or via VPN, the Barracuda NG Personal
Firewall can accept rule sets sent from the Barracuda NG Firewall (depending on the used client
license).
Open the configuration mode of the Barracuda NG Personal Firewall by right-clicking (VPN status)
in the system tray and selecting NG Personal Firewall from the context menu or by browsing to Start
> All Programs > Barracuda NG Network Access Client > NG Firewall.
Selection between the following functional firewall modes is available in the context menu of the
system tray icon:
Block All
Barracuda Networks Secure Mode
Disable Firewall (Allow all Traffic)
The active operational mode is selected. To change the mode, click another item in the menu.
Each rule in a Barracuda NG Personal Firewall rule set is constructed from a variety of configuration
entities (Adapters, Networks, Services, Applications, Users), which can be created and maintained
independently from the rule set itself. They are then pieced together building a logical formation. Each
configuration entity may be accessed from the Configuration sub-menu in the left navigation bar.
The Configuration section of the Barracuda NG Personal Firewall complements the automatic
configuration mechanisms made available by the Firewall Settings Wizard in the Administration section
(9.9 Administration - Firewall Settings Wizard, page 120). It allows you to:
Create rules from scratch in the Rules view (9.8.2 Rules, page 104).
Modify objects and rules that have been created automatically determined
through settings in the Administration view (9.9 Administration - Firewall
Settings Wizard, page 120).
DO NOT directly switch from Disable Firewall (Allow all Traffic) to Block All. Always select Barracuda Networks
Secure Mode as intermediate step.
88 Barracuda NG Personal Firewall
Modify objects and rules that have been created in the History view by selecting
Add Pass/Block - Traffic Policy from the context menu (9.6.3 History, page 97)
9.1.1 Integration within Windows 7
The Barracuda NG Personal Firewall integrates with Windows 7’s intrusion control system. If
configured to do so in Firewall Settings > Firewall Settings > Disable Windows Firewall, it will properly
replace the built-in Windows Firewall as long as it is enabled.
Disabling the Barracuda NG Personal Firewall will automatically re-enable the Windows Firewall.
You can view the current protection status in your Windows 7 system within Control Panel > System and
Security > Windows Firewall and within Control Panel > System and Security > Action Center:
Firewall administration experience is recommendable before manipulating the Barracuda NG Personal Firewall
manually.
Fig. 9–1 Windows 7 Windows Firewall and Action Center screens
89 Barracuda NG Network Access Client - Administrator’s Guide
9.2 Rule Set Selection
Click Rule Set Selection to select one of the available rule sets for viewing. The Local Rule Set is
selected by default. Only the Local Rule Set may be edited in the Barracuda NG Personal Firewall.
Fig. 9–2 Rule set selection
90 Barracuda NG Personal Firewall
9.3 User Interface
The graphical user interface of the Barracuda NG Personal Firewall is built up of the following items:
Fig. 9–3 Graphical Interface of the Barracuda NG Personal Firewall
Menu bar, page 91 Load display, page 94
Content window
Left navigation bar
Configuration Item bar
91 Barracuda NG Network Access Client - Administrator’s Guide
9.4 General Firewall Settings and Tasks (Menu Bar)
The following configuration items of the Barracuda NG Personal Firewall are accessible through the
Menu Bar (use the ALT key to open/close the menu bar):
• Firewall
see 9.4.1 Firewall Menu, page 91
• View
see 9.4.2 View Menu, page 93
Security Mode
see 9.4.3 Security Mode Menu, page 94
9.4.1 Firewall Menu
Save Configuration
Select this item to save configuration changes immediately.
Settings …
Select this item to adjust general behavior of the Barracuda Barracuda NG Personal Fire-
wall. The following parameters are available for configuration.
Firewall Settings Tab:
Click the Save Configuration link within the Configuration Item bar to save configuration changes after prior
confirmation inquiry.
List 9–1 Firewall Settings > Protocol Option
Parameter Description
Log dropped packets/Log successful
connections
Select these checkboxes to activate logging for dropped packets and/or successful connections. Log line
structure is depicted in figure 9–5.
List 9–2 Firewall Settings > Protocol File
Parameter Description
File name This field defines path and name of the NG VPN client log file. By default, the file is saved to C:\Program
Files\BarracudaNG\phlog.txt
Size limit This field defines a maximum size for the log file (default: 4096 KByte).
List 9–3 Firewall Settings > Network Objects
Parameter Description
IP Monitor Selecting this checkbox (default: selected) activates dynamic update of Network Objects (9.8.7 Networks,
page 110).
92 Barracuda NG Personal Firewall
ICMP Parameters Tab:
This tab allows you to configure blocking of ICMP packets.
Automatic Adapter Assignment Selecting this checkbox (default: selected) activates dynamic update of network interface adapters. When
active, network adapters are automatically added to the Adapter Objects configuration area, when they
are used the first time (9.8.6 Adapters, page 108).
List 9–4 Firewall Settings > Firewall Settings
Parameter Description
Disable Windows Firewall Selecting this checkbox disables the Windows Firewall if it is installed (default: selected).
Block all IP Fragments By default, IP fragments may generally pass the firewall notwithstanding the configured rule set. Select this
checkbox to block IP fragments.
Passthru all IPv6 Packets By default, IPv6 packets may generally pass the firewall notwithstanding the configured rule set. Select this
checkbox to block IPv6 packets.
Fig. 9–4 ICMP Parameters
List 9–3 Firewall Settings > Network Objects
Parameter Description
93 Barracuda NG Network Access Client - Administrator’s Guide
Export Firewall Rule Set
This item allows you to export the rule set from the Barracuda NG Personal Firewall to a text
file.
Import Firewall Rule Set
This item allows you to import a rule set into the NG VPN client. The rule set may either orig-
inate from another Barracuda NG Personal Firewall or from a firewall configured on a Bar-
racuda NG Firewall.
Close Firewall Window
Selecting this item closes the Barracuda NG Personal Firewall configuration window.
9.4.2 View Menu
DCERPC List
This dialog displays the status of each DCERPC communication slot (for detailed informa-
tion concerning DCERPC, please consult the Barracuda NG Firewall Administrator’s
Guide).
Access Control Server IPs
Fig. 9–5 Logging syntax of the phlog.txt file
Fig. 9–6 DCERPC List
Direction:
• IN
OUT
Status:
• CONNECT
• CLOSE
• BLOCK
Exact date
Originator
(for example firefox.exe)
Source IP
address
Destination IP
address
Connection
used
protocol
port
affected
PFW rule
OUT;CONNECT;02.11.2004 12:53:22;System;udp;10.0.1.41;10.0.1.255;137;;System;
and time
94 Barracuda NG Personal Firewall
Displays every Access Control Server the client knows of.
9.4.3 Security Mode Menu
The items in the Security Mode menu allow you to adjust the security level of the Barracuda NG
Firewall.
Block All
Prohibit all traffic.
Disable Firewall (Allow All Traffic)
Turn the firewall off and allow all traffic.
Barracuda Networks Secure Mode
Activate customized firewall rule sets.
Process Monitor
Generate an entry in the event monitor for every process initiation (9.6.2 Events, page 96).
9.5 Load Display
The load display is a graphical view of current Incoming and Outgoing connections. The dimensions of
the graphs depend on the current peak load. The last graph (Block) depicts the amount of blocked
connections.
Fig. 9–7 Access Control Server IPs
Fig. 9–8 Load display
95 Barracuda NG Network Access Client - Administrator’s Guide
9.6 NG Control Center - Monitoring Firewall Activities
Items arranged in the NG Control Center give a review of application activities in the Barracuda NG
Personal Firewall. The NG Control Center is divided into the following sub-items:
• Summary
see 9.6.1 Summary, page 95
• Events
see 9.6.2 Events, page 96
• History
see 9.6.3 History, page 97
Live Activity
see 9.6.7 Live Activity, page 100
9.6.1 Summary
This view gives a quick comparison overview of the 5 most-used ports, active internet, and blocked
applications.
Fig. 9–9 NG Control Center: Summary window
96 Barracuda NG Personal Firewall
9.6.2 Events
The Events view details all applications that are currently or have been executed on the machine,
irrespective, if they have requested passing the firewall. Double-click a list entry to view event details.
Select Reload Logs from the context menu to reload the display of logged entries.
The listing is divided into the following columns:
Filter Section:
The Filter section allows you to define filters in order to narrow down the view in the event listing. Select
the checkbox assigned to an item to activate filter effectiveness and select or insert the desired filter
value. Click Refresh to apply filter settings.
Fig. 9–10 NG Control Center: Events window
Table 9–1 Event view details
Column Description
Date Date and time the connection has been initiated.
Action Type of the recorded action: System Information, Monitored connection, or Informational message.
Application The application that has initiated the connection and assigned port over which the connection is processed.
Parent Parent process required that has initiated the application.
Access Status and direction assigned to the connection. An application can be either in status Process started or ended, and the
connection direction can either be Outbound or Inbound.
User The User Object assigned to the connection (9.8.10 Users, page 117).
Object Complete path to the application that is responsible for the connection.
97 Barracuda NG Network Access Client - Administrator’s Guide
9.6.3 History
The History view details the entire network traffic (established connections and connection attempts)
since the last system boot.
9.6.4 Listing and Context Menu
The listing is divided into the following columns:
Fig. 9–11 NG Control Center: History window
Table 9–2 History window details
Column Description
Direction Flags the connection direction ( outgoing connections; incoming connections).
Connection
State Flags the connection state ( granted connections; blocked connection attempts; failed connection attempts).
Date/Time Date and time of traffic initiation.
Application Name of the application.
Protocol Protocol assigned to the application.
Source Source IP of the connection.
98 Barracuda NG Personal Firewall
Select and then right-click a list entry to display the following context menu:
9.6.5 History Selection Tab
In the History Selection tab, the following checkboxes are available for fast and easy filtering.
• Access
Only displays connections that have been granted (marked with ).
Rule Block
Only displays connection attempts that have been blocked (marked with ).
• Fail
Only displays connection attempts that have failed (marked with ).
Show all Ethernet protocols
Additionally displays connection attempts over protocols other than TCP, UDP and ICMP.
Show Hostnames
Destination Destination IP of the connection.
Port Connection port.
User Name of the user who has initiated the connection attempt.
Traffic Policy Name of the effective firewall rule.
Info Connection status (passed, blocked, failed).
Count Total number of connections processed over this slot.
Last Expired time since last traffic over this slot.
Service Affected service object or UUID (Universal Unique IDentifier).
Adapter NIC that was used for connection.
AID Unique Access ID of the connection.
Table 9–3 History window - Context menu
Item Description
Show Details Select Show Details or double-click a list entry to view a summary of connection details.
Resolve Source/Destination IP Tries to resolve the source/destination IP and summarizes the results (port, IP address, hostname and
description) in a separate window.
Send to Rule Tester Inserts the connection details into the rule tester and opens the rule tester window.
Add Pass Rule Inserts the connection details into a new rule with default action Pass and opens the rule object window for
editing.
Add Block Rule Inserts the connection details into a new rule with default action Block and opens the rule object window
for editing.
Flush History Clears all entries from the history listing.
Ungroup Undoes the group view and sorts connection entries into a successive listing.
Group by Groups listing entries by the selected item.
Table 9–2 History window details
Column Description
99 Barracuda NG Network Access Client - Administrator’s Guide
Translates IP addresses into hostnames, if possible.
After each selection change, click to refresh the view. Click the Group History by link to sort listing
entries by topic.
9.6.6 History Filter Tab
In the History Filter tab, filter conditions can be set to confine the view to the minimum wanted amount
of entries. If filters apply, the History Filter tab is highlighted in yellow ( ).
Select the checkbox on the right side of an available filter to activate it and insert the condition to apply.
• Policy
filters the connection’s Traffic Policy
• Source
filters the source IP address of the connection
• Application
filters the application which has attempted to connect
• In/Out
filters incoming or outgoing connections
• Protocol
filters a connection protocol
• Destination
filters the destination IP address of the connection
• Port
filters a connection port
Show matching entries/Hide matching entries
select between displaying and hiding the matching entries
100 Barracuda NG Personal Firewall
9.6.7 Live Activity
The Live Activity view details all currently active connections.
Fig. 9–12 NG Control Center: Live Activity window
Refresh
101 Barracuda NG Network Access Client - Administrator’s Guide
9.6.8 Listing and Context Menu
The listing is divided into the following columns:
Select and right-click a list entry to display the following context menu:
Table 9–4 Live Activity window details
Column Description
Direction Flags the connection direction ( outgoing connections; incoming connections).
Load Displays the current connection load ( to ).
Date/Time Date and time of traffic initiation.
Application Application name and its PID (Process ID).
Protocol Protocol assigned to the application.
Source Source IP of the connection.
Destination Destination IP of the connection.
Port Connection port.
User Name of the user who has initiated the connection attempt.
Traffic Policy Name of the effective firewall rule.
bps Connection load in bits per second.
Idle Idle time of the connection.
Total Total amount of data transfer, that is sum of incoming (column In) and outgoing (column Out) traffic.
Start Expired time span since connection initiation.
Service Affected service object or UUID (Universal Unique IDentifier).
ID Internal slot ID.
Session
Timeout
Effective connection state or current session timeout value.
Table 9–5 Live Activity window - Context menu
Item Description
Show Details Select Show Details or double-click a list entry to view a summary of connection details.
Disconnect Terminates the selected connection.
Resolve Source/Destination IP Tries to resolve the source/destination IP and summarizes the results (port, IP address, hostname and
description) in a separate window.
Note:
Entries displayed in italic indicate closed connections waiting for RST-ACK (reset acknowledgement). The
RST-ACK must be awaited in order to avoid its blocking by the firewall.
102 Barracuda NG Personal Firewall
9.6.9 Filter Conditions
Click the filter button ( ) to open the Filter Condition window. This allows you to specify filter conditions
in order to confine the view to the minimum wanted amount of entries.
Click Activate to activate the filter settings. Click Disable to deactivate the filter settings.
After having specified a filter, click to refresh the view.
Click Capture to record traffic processed over the network interface.
Fig. 9–13 Filter condition
Administrator rights are required to use the Capture option.
Fig. 9–14 Capture options
103 Barracuda NG Network Access Client - Administrator’s Guide
The data acquired is saved as a CAP file in the local folder of the VPN client (C:\Program
Files\BarracudaNG).
9.7 Current State - Setting the Security Mode
Clicking the link below this navigation item changes the effective state of the Barracuda NG Personal
Firewall. The current state is depicted by one of the following icons and links respectively:
Disabled
By default (after fresh installation) the firewall is in disabled state. Click the link to enable
secure mode.
Secure
This icon depicts secure firewall mode. Click the link to deactivate effectiveness of the con-
figured rule set.
9.8 Configuration
9.8.1 General
A special viewer is needed (for example wireshark; www.wireshark.org, for viewing network traffic recorded
in .cap files.
Usually the configuration of the firewall is directly made at the server (Server Config – Personal Firewall Rules,
page 41).
Windows Vista: If Increase permissions (figure 9–15) appears in the Configuration sub-menu you have no access
to the configuration. For editing contact your system administrator.
Fig. 9–15 Windows Vista – Configuration – Increase permissions
104 Barracuda NG Personal Firewall
9.8.2 Rules
The Rules view allows manual rule configuration. Rules controlling incoming traffic are arranged in the
Incoming tab, rules controlling Outgoing traffic are arranged in the Outgoing tab (figure 9–16).
9.8.3 Context Menu
Select and right-click a list entry to display the following context menu:
Personal Firewall rule sets are not capable of RCS.
Fig. 9–16 Rules window
Table 9–6 Rule window - Context menu
Item Description
Show Source Addresses Opens a window displaying all source addresses affected by the selected rule.
Show Destination Addresses Opens a window displaying all destination addresses affected by the selected rule.
Show Services Opens a window displaying all services affected by the selected rule.
Show Applications Opens a window displaying all applications affected by the selected rule.
Show Adapters Opens a window displaying all adapters affected by the selected rule.
Show Users Opens a window displaying all users affected by the selected rule.
Select Overlapping As a connection request can match several conditions, the rules' succession within a rule set is very
important. If incorrectly ordered, rules might interfere with one another. The function Select Overlapping is
meant to help avoiding configuration mistakes. When applied to a selected rule, all rules possibly interfering
with it are highlighted. In the majority of cases, the overlap is a harmless outcome of the use of very openly
defined objects such as InterNet.
Edit … Opens the rule configuration dialog for the selected rule (9.8.5 Rule Configuration, page 105).
New … Opens the rule configuration dialog for a new rule (9.8.5 Rule Configuration, page 105).
Delete Deletes the selected rule(s).
Copy Copies the selected rule(s) to the clipboard.
Button bar
105 Barracuda NG Network Access Client - Administrator’s Guide
9.8.4 Button Bar
In the button bar, the Up and Down buttons complement options are available in the context menu (see above).
Select a rule and click one of the buttons, to shift the rule further up or down within the rule set.
Alternatively, you can use drag&drop.
9.8.5 Rule Configuration
Select New … from the context menu to create a new rule.
Paste Pastes the selected rule(s) from the clipboard.
According to a regular Barracuda NG Firewall rule set, the Barracuda NG Personal Firewall rule set is processed rule
by rule until an applicable rule is available. Thus, to achieve correct rule processing, rules need to be arranged in the
correct order.
Fig. 9–17 Rule configuration dialog
Table 9–6 Rule window - Context menu
Item Description
106 Barracuda NG Personal Firewall
Configure the following connection details in the Rules view of the Rule Object window:
List 9–5 Rule Object - Options in the Rules view
Item / Parameter Description
Action Select Pass to enable a connection request, select Block to prevent it.
Name Insert a rule name into this field.
Comment For easier identification, insert a rule description (optional).
inactive checkbox Select the inactive checkbox to disable a rule (default: unselected).
A minimum specification of the following connection details is mandatory in the sections below:
Source / Destination / Service or
Adapter / Source / Service or
Adapter / Destination / Service
Modifying an object is a global action. For example, any other rule using the specific object will be affected by the
modification.
This applies only for referenced objects, not for objects of type <explicit>.
Explicit objects are only available for the current rule.
Table 9–7 Rule Object - Options in the Rules view – sections
Section Description
Adapter Specify an adapter for the connection request. In the list all Adapter Objects that have been defined in the
Adapter window are available (9.8.6 Adapters, page 108).
Right-click the adapter window below the list and Select New … to create a new Adapter Object.
Double-click an available entry to edit the assigned Adapter Object.
Source / Destination Specify a source for the connection request. In the list all Network Objects that have been defined in the
Networks window are available (9.8.7 Networks, page 110).
Select <Explicit> to define a network object explicitly without adding it to the Network Objects listing.
Right-click the source window below the list and Select New … to create a new Network Object.
Double-click an available entry to edit the assigned Network Object.
Service Specify a service for the connection request. In the list all Service Objects that have been defined in the
Services window are available (9.8.8 Services, page 112).
Select <Explicit> to define a network object explicitly without adding it to the Service Objects listing.
Right-click the source window below the list and Select New … to create a new Service Object.
Double-click an available entry to edit the assigned Service Object.
Application (optional) Specify an application for the connection request. In the list all Application Objects that have been defined
in the Application window are available (9.8.9 Applications, page 114).
Select <Explicit> to define an application object explicitly without adding it to the Application Objects listing.
Right-click the source window below the list and Select New … to create a new Application Object.
Double-click an available entry to edit the assigned Application Object.
User (optional) Specify an user for the connection request. In the list all User Objects that have been defined in the User
window are available (9.8.10 Users, page 117).
Select <Explicit> to define an user object explicitly without adding it to the User Objects listing.
Right-click the source window below the list and Select New … to create a new User Object.
Double-click an available entry to edit the assigned User Object.
107 Barracuda NG Network Access Client - Administrator’s Guide
Configure the following connection details in the Advanced view of the Rule Object window:
List 9–6 Edit/Create Rule Object - Options in the Advanced view – section Rule Mismatch Policy
Parameter Description
Source / Service/ Destination /
Application / User / Adapter
Continue on Mismatch (default)
Process the rule, even if the corresponding object does not match the configured setting.
BLOCK on Mismatch
Do not process the rule if the corresponding object does not match the configured setting.
List 9–7 Edit/Create Rule Object - Options in the Advanced view – section Miscellaneous
Parameter Description
Time Restriction A time restriction can be assigned to each rule. The granularity is 1 hour on a weekly base.
A rule is allowed at all times by default, for example, all checkboxes in the Time Interval window are cleared. Selecting
a checkbox denies a rule for the given time.
Select (set invert) from the list to configure allowed and disallowed time intervals simultaneously.
Select (set allow) from the list to clear selected checkboxes.
Select (set deny) from the list to to configure disallowed time intervals.
Select Continue if mismatch to process the rule even if time restriction denies it.
Select Block if mismatch to prevent rule processing if time restriction denies it (default).
See figure 9–18: a time interval setting for a rule which has been set to disallowed on Monday and Thursday from 8 a.m.
to 5 p.m.
Monitor Connections Yes
•No
Fig. 9–18 Time restriction dialog
108 Barracuda NG Personal Firewall
9.8.6 Adapters
The Adapters view allows you to view and configure network adapters available on the system.
Adapters may be employed in firewall rules, in order to restrict rule processing to a specific adapter or
a set of adapters only.
The listing is divided into the following columns:
In the Adapter Objects view, several dynamic adapter objects (flagged with the icon) are
preconfigured.
The following objects (assigned with status multi) are available:
Adapter [Dial-up]
This object summarizes all dial-up adapters available on the system (for example, UMTS,
ISDN, and modem cards).
Adapter [Ethernet]
This object summarizes all Ethernet adapters available on the system (for example, LAN de-
vices).
Adapter [Wireless]
Fig. 9–19 Adapter objects window
Table 9–8 Adapter Object view details
Column Description
Name Name of the adapter object.
Referenced by Number of references pointing to the adapter object
Status Current connection status of the adapter object (connected / disabled / multi)
IP’s IP addresses and / or references assigned to the adapter object
Trust Trust type assigned to the adapter object (trusted / untrusted)
Comment Optional adapter object description
Dynamic objects are updated at runtime when adapter configuration changes and cannot be edited manually. In order
to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall Menu, page 91).
109 Barracuda NG Network Access Client - Administrator’s Guide
This object summarizes all wireless adapters available on the system (for example, WLAN
cards).
The following further adapter objects are available:
[Network Connection name] (for example, Local Area Connection)
These are the LAN devices available on the system. The Network Connection name is re-
trieved from the Microsoft Windows Network Connections view (available through Start >
Control > Network Connections).
NG VPN
This is the virtual interface of the Barracuda NG VPN Connector.
To create a new adapter object, click New … in the Adapter Objects window:
Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi.
These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all
available dial-up or wireless adapters.
The "logical" Microsoft Windows name, which is dependent on the operating system’s language version, and not the
device name is applicable for object naming.
Fig. 9–20 Edit/Create Adapter Object configuration dialog
110 Barracuda NG Personal Firewall
The following options are available:
9.8.7 Networks
The Networks view facilitates IP address/network management. Use the Networks window to
assign names to single IP addresses
combine multiple IPs/networks/References into networking objects
List 9–8 Edit/Create Adapter Object options
Parameter Description
Name Specify a name for the adapter object.
Comment Optionally, insert an adapter description
Trust Type Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in the
Administration > Firewall Settings (Trusted Network, page 120). If you do not want to create a reference, select
Untrusted.
Note:
When later changing the setting from Trusted to Untrusted, the reference to the adapter object is automatically deleted from the
Trusted Network object. References to Untrusted adapter objects may not be added to the Trusted Network object manually.
Status This is a read-only field displaying the connection status of the adapter object.
IPs This is a read only field, displaying the IPs assigned to the adapter object.
Adapter Select network adapter you wish to create the adapter object for. Click New to add your selection to the Adapter list.
Ref Select network reference you wish to create the adapter object for. Click New to add your selection to the Adapter list.
For a clearly arranged network management rather make use of referencing Network Objects than explicit IPs when
configuring firewall rule sets.
Fig. 9–21 Network Objects window
111 Barracuda NG Network Access Client - Administrator’s Guide
In the Network Objects window, a number of dynamic network objects (flagged with the icon) are
preconfigured.
• localIP
The localIP object contains all IPs that are configured on trusted adapters, and a reference
to the Net-Broadcast object.
• virtualIP
The virtualIP object contains the IP address assigned from the VPN server. The virtual IP is
only available in case of established VPN connections.
Net-[Network Connection name]
These objects contain the network addresses of each specific adapter available on the sys-
tem. The Network Connection name is retrieved from the Microsoft Windows Network Con-
nections view (available through Start > Control > Network Connections).
Net-[Network Connection name] objects may be used for setup of abstract rule sets.
• InterNet
The InterNet object may be used for outbound connections to the Internet (network
0.0.0.0/0).
• TrustedNet
Use the TrustedNet object to refer to trustworthy networks. The content of this object is de-
pendent on assignment of an adapter as trusted or untrusted (9.8.6 Adapters, page 108).
When an adapter is specified as trusted the IP addresses living on it are added to the Trust-
edNet object. Vice versa they are deleted from it, when trust assignment changes to untrust-
ed. The TrustedNet object is also updated when IP address configuration of a trusted
adapter changes.
• Net-NGVPN
The Net-NGVPN object contains the address of that network the virtualIP object is living in.
• Net-Broadcast
This object contains the broadcast addresses of IP addresses configured on trusted adapt-
ers. The broadcast addresses are calculated directly from the IPs.
• Net-Multicast
Dynamic objects are updated at runtime when network configuration changes and cannot be edited manually. For
dynamic update to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall
Menu, page 91).
The "logical" Microsoft Windows name, which dependents on the operating system’s language version and not
the device name, is applicable for object naming.
Secured Routes are assigned to the Net-NGVPN Object.
112 Barracuda NG Personal Firewall
This object includes the Multicast network 239.255.0.0/16.
Click New … to open the Net Object dialog.
Insert Name and Description of the Net Object for easier identification.
In the Entry section insert IP/network address(es) of the new Net Object and/or specify a Reference to
the Net Object, for example select an existing Net Object to refer to a new one.
The Excluded Entry section allows excluding specific networks from a network object.
9.8.8 Services
The Services window facilitates port and protocol management. Use the Services window for the
following purposes:
Assigning ports and protocols to specific services.
Fig. 9–22 Net Object dialog
For transparency and consistency reasons, there are no references available in this section.
113 Barracuda NG Network Access Client - Administrator’s Guide
Merging multiple services to one service object using references.
The following services are available in the Barracuda NG Personal Firewall by default:
Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator’s Guide.
Fig. 9–23 Service Object dialog
Table 9–9 Service Objects available in the Personal Firewall
Service Name Port Protocol Connection Description
ICMP O / I Internet Control Message Protocol; ICMP messages, delivered in IP packets are used
for out-of-band messages related to network operation, or misoperation.
DNS 53 TCP/UDP ODomain Name Service; method by which the Internet addresses in mnemonic form
(for example phion.com) are converted into the equivalent numeric IP address (for
example 134.220.4.1)
114 Barracuda NG Personal Firewall
9.8.9 Applications
The Application Objects window allows creating predefined applications, which may be employed in
rule sets.
Click New … to open the Application Object window.
BOOTPS 67 UDP OBootstrap protocol; also used for DHCP (Dynamic Host Configuration)
Kerberos 88 TCP/UDP OProtocol for authentication in Windows 2000 environment
NTP 123 UDP ONetwork Time Protocol; used to synchronize the time of a computer client or server to
another server or reference time source
LOC-SRV/EPMAP 135 TCP ONETBIOS; very common protocol; it is supported on both, Ethernet and TokenRing. In
NetBIOS, TCP and UDP communication is supported. It supports broadcasts and
multi-casting plus three distinct services: Naming, Session, and Datagram.
NETBIOS-NS 137 UDP O / I
NETBIOS-DGM 138 UDP O / I
NETBIOS-SSN 139 TCP O / I
SNMP 161 UDP OSimple Network Protocol; Network management system contains two primary
elements – Manager (console to perform network management functions) and Agents
(entities that interface to the actual managed device). SNMP allows Managers and
Agents to communicate.
LDAP 389 TCP/UDP OLightweight Directory Access Protocol; set of protocols for accessing information
directories.
CIFS 445 TCP O / I further development of the SMB protocol and serves as an addition and improvement
to the standard protocols FTP and HTTP.
MSTASK 1026 TCP OWindows Task Scheduler; used to schedule tasks, such as backups or updates, to run
at certain times or dates
Application Liability and Application Type classification is purely informational.
Table 9–9 Service Objects available in the Personal Firewall
Service Name Port Protocol Connection Description
115 Barracuda NG Network Access Client - Administrator’s Guide
Insert Name and Application Object Description for easier identification.
Again, click New … to specify an application. The Application Entry Parameters
window opens.
Click Browse and select the file you want to create the object for. After
selection, the path to the file and its inherent file description will be displayed
in the Path and Description fields below.
Optionally, insert a file description into the Comment field.
Specify Application Liability and Application Type. Momentarily, the classification is
purely informational.
Fig. 9–24 Application Object dialog
116 Barracuda NG Personal Firewall
Click Generate to create an MD5 Hash in order to clearly identify the selected file
as soon as it is executed.
The following application objects, which are required in Microsoft Windows domains, are available in
the Barracuda NG Personal Firewall by default:
MD5 Hash creation is recommended in order to avoid corrupt file and a vulnerable PC after an attack.
Consider that when an application equipped with an MD5 Hash is used on multiple clients, file versions must match
exactly. The application object will otherwise not be applicable.
To delete the hash, click Clear.
In addition to the application, first level DLLs are taken into consideration. This provides additional security. However,
DLLs that are used by first level DLLs are not monitored.
Table 9–10 Applications required in Microsoft Windows domains
Application Connection Description
System O / IServices needed by the OS kernel
TCP/IP Ping Command O / I
lsass.exe OLocal Security Authority Service; process responsible for management of local security authority domain
authentication and Active Directory management.
services.exe OUpon startup, services.exe enumerates through all registry sub-keys located in
HKEY_LOCAL_MACHINE\Services registry key.
spoolsv.exe OThe Windows Printer Spooler stores printer jobs and forwards them to the printer when it is ready.
userinit.exe OBy default, WinLogon executes this application that triggers logon scripts, re-establishes network
connections, …
winlogon.exe OThis application manages security-related user interactions in Windows NT. It handles logon and logoff
requests, changing the password,
svchost.exe OThis is a generic host process name for services that are run from dynamic-link libraries (DLLs). There can
be multiple instances of svchost.exe running at the same time.
117 Barracuda NG Network Access Client - Administrator’s Guide
9.8.10 Users
The Users view allows you to create User and User Group objects, which may be employed in rule
sets. Click New … to open the User Object window:
An user object is automatically created when a connection attempt is processed by the firewall. The
object is then inserted into the corresponding rule.
In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda NG
Firewall are available for selection. Local user/group information is displayed in the list first. If the
Windows workstation is a member of a Microsoft Windows domain, domain user/group information
may be retrieved from the Active Directory server by clicking Update.
Fig. 9–25 User Object dialog
Irrespective of the operating systems language version installed on the workstation, these users will always be
displayed in English:
NT AUTHORITY\SYSTEM
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\NETWORK
The internal firewall engine will transform these names to the appropriate language version. Do not insert them
in another language manually.
118 Barracuda NG Personal Firewall
9.8.11 Rule Tester
The Rule Tester view allows testing rule sets for consistency.
The following entities are available for rule testing:
Fig. 9–26 Rule Tester
List 9–9 Rule Tester parameters – section TEST CONNECTION
Parameter Description
Direction This is the direction of the traffic policy (Incoming or Outgoing).
Application To query for an arbitrary application leave the asterisk (*), which is set as default value. Click the Application link and Select
Update Applications to reset the field to the default value.
From: IP / Port Insert Source IP and corresponding connection port. Click the From or To link to Swap IP and/or Port information.
Protocol Specify which protocol to test. Click the Protocol link and select Show all Protocols to include other protocols than TCP/UDP and
ICMP into the list.
Time (optional) Insert day of the week and time (optionally). Click the Time link and select Insert current Time to insert current day and time.
User (optional) Select an User from the list (Optionally). Click the User link and select Update Users to clear the field.
Adapter
(optional)
Select an adapter from the list (Optionally). Click the Adapter link and select Update Adapters to clear the field.
119 Barracuda NG Network Access Client - Administrator’s Guide
9.8.12 Test Reports
Test reports are saved on a first come first served basis. Test results with Action Pass are indicated by
a green icon ( ), test results with Action Blocked are indicated by a red icon ( ).
Changing any parameter in any configuration area that influences the result of a test report leads to a
status icon change in the overview window. Green icons ( ) will become red ( ). To apply the new
conditions to an already existing test report, select the data set in the overview window of the Test
Reports window and click Rectify.
Select a report and click Edit … to open the test result in the Rule Tester window. You may now use the
report as template for further connection tests.
Test Click Test to test the connection and display the test result in the section below.
List 9–10 Rule Tester parameters – section TEST RESULT
Parameter Description
Test Status Icon /
Action
A connection attempt with the given values can either have failed or have been successful if a rule is applicable. A failed
connection will be indicated by symbol and Action field Block . A successful connection attempt will be indicated by
symbol and Action field Pass .
Rule The Rule field displays the applicable rule responsible for the rule test result. Click Edit … to open and modify the
corresponding rule. If the connection attempt has been blocked because no rule has applied, the field will display the string
<No Matching Rule Found>.
Service This field displays the applicable Service Object.
PlugIn If applicable, this field displays the name of the PlugIn that has been employed in the connection.
Save Result to Insert the report name and click Save Result to to save the test result. The output of the connection test is written to the
Test Report view (9.8.12 Test Reports, page 119).
Attribute/Value listing This listing displays attributes of the tested connection in detail.
Fig. 9–27 Test Report window
Subsequently to this action, the status icons will no longer indicate if an action has been successful or not, but
instead if rectification has been applied. Rectified entries will be flagged with a green ( ) status icon, even if a
tested connection attempt has failed.
List 9–9 Rule Tester parameters – section TEST CONNECTION
Parameter Description
120 Barracuda NG Personal Firewall
Select a report and click Delete to delete the report from the Test Report window.
9.9 Administration - Firewall Settings Wizard
Options available in the Firewall Settings view allow you to adjust the preconfigured local rule set of
the Barracuda NG Personal Firewall. Setting changes triggers either rule creation, deletion or traffic
policy change. Use this configuration area to customize the preconfigured rule set easily.
The following options are available for customisation:
The settings defined in this window by default are triggered by the specifications defined during installation
(5.2 Custom Installation, page 70).
List 9–11 Firewall Settings parameters > Trusted Domain Membership
Parameter Description
Trusted Network Network assignments and references in the network object that has been defined as trustworthy are updated
dynamically when network adapters are added to the system with trust assignment "trusted" or when IP
address configuration of a trusted adapter changes (9.8.6 Adapters, page 108). By default, the Trusted
Network option points to the preconfigured TrustedNet object (9.8.7 Networks, page 110). You may change
the setting to another available network object. Be aware of possible implications. Set to No to disable this
feature.
Domain Member This option can only be set to yes when a network object has been configured as Trusted Network. Setting
to yes creates and activates default rules allowing applications required in Microsoft Windows domains.
Windows File Sharing This option can only be set to yes when a network object has been configured as Trusted Network. When
set to yes incoming connections to local printer(s) and files are allowed.
Allow NetBIOS
Incoming Setting to yes (default: no) allows NetBIOS traffic.
Outgoing Setting to yes (default: no) allows NetBIOS traffic.
List 9–12 Firewall Settings parameters > Miscellaneous
Parameter Description
Interactive Alarm Notifications
Ask for unknown incoming
connections
Set this value to yes to enforce manual confirmation for all incoming connection attempts. Confirmation
for connection establishment grant is going to be requested by a notification pop-up. For information
details on design of this notification window see 9.9.2 Automatic Rule Configuration, page 122.
Ask for unknown outgoing
connections
Set this value to yes to enforce manual confirmation for all unknown outgoing connection attempts.
Confirmation for connection establishment grant will be requested by a notification pop-up. For information
details on design of this notification window see 9.9.2 Automatic Rule Configuration, page 122.
Ask for adapter update confirmation Setting to yes (default) triggers a pop-up, when settings assigned to a network adapter change
(9.9.1 Automatic Adapter Configuration, page 121).
Connectivity
Connect to the Internet with ADSL
(PPTP)
Setting to yes creates a pass rule named ADSL in the Outgoing tab of the firewall configuration that is
needed for Internet connections via ADSL.
The service object used in this rule amongst others implements the services and protocols listed in
table 9–11.
121 Barracuda NG Network Access Client - Administrator’s Guide
9.9.1 Automatic Adapter Configuration
Set option Ask for adapter update confirmation in the Firewall Settings view (page 120) to yes (default),
if you would like to be notified, when adapter configurations change. A security alert window will then
pop-up, asking for configuration change confirmation.
Click Untrust to add the adapter to the Adapter Objects list and assign it as Untrusted adapter. This will
create an incoming adapter block rule in the Incoming tab of the firewall rule set configuration area
(9.8.2 Rules, page 104).
Click Trust to add the adapter to the Adapter Objects list and assign it as Trusted adapter. This will add
a reference to the trusted adapter in the TrustedNet object and delete a possibly existing incoming
adapter block rule in the Incoming tab of the firewall rule set configuration area (9.8.2 Rules,
page 104).
Generally, the security alert window will pop up if:
... an adapter is used for the first time, for example if it is added to the system.
... the IP configuration of an adapter changes, for example if an IP address is
added or deleted.
However, it will not pop up if:
... an IP address is reintroduced (for example, DHCP renew).
... an adapter’s IP configuration is reset to 0.0.0.0.
Table 9–11 Services and protocols employed by the ADSL rule
Port Protocol Service Name Description
GRE pptp Generic Routing Encapsulation; protocol which allows an arbitrary
network protocol A to be transmitted over any other arbitrary network
protocol B, by encapsulating the packets of A within GRE packets,
which in turn are contained within packets of B
1723 TCP NETBIOS-DGM Point-to-point tunnelling protocol; control port
For a detailed description of adapter configuration options see 9.8.6 Adapters, page 108.
122 Barracuda NG Personal Firewall
9.9.2 Automatic Rule Configuration
If Ask for unknown outgoing/incoming connections has been activated in the Firewall Settings view
(9.9 Administration - Firewall Settings Wizard, page 120), an unknown application/service requesting
network connection will trigger a Security Alert pop-up window requesting authorisation.
The following information is included in the Security Alert window:
Select the Remember this answer checkbox (default: selected) to allow or deny a
connection request permanently. Selecting the checkbox automatically
creates a corresponding rule in the Configuration area of the Barracuda NG
Personal Firewall, including required Network, Service, Application and User
Objects (9.8 Configuration, page 103). If cleared, the connection request is
granted temporarily for this one specific connection request only.
Fig. 9–28 Security Alert windows
Windows Vista: If you don’t have access to the dialog (figure 9–28), then please contact your system administrator.
Table 9–12 Connection request details summarized in the Security Alert window
Column Description
Date/Time Time of the connection request.
Local
Server/Program
Application requesting the connection.
Path Complete path to the application requesting the connection.
User User responsible for the connection request.
Source/Destination Connection source and target destination/port.
Service Service requesting the connection.
Message Counter Number of security alerts that are to be considered. Click the arrows to scroll through the alert windows.
More Info Click this link to open the Barracuda NG Firewall online help file.
Message counter
Switches to next/
p
revious messa
g
e
123 Barracuda NG Network Access Client - Administrator’s Guide
Selecting the checkbox also makes the Advanced Policy link available. Click the link to cus-
tomize further connection details:
Click Allow to grant the connection request in consideration of the conditions
defined above.
Click Block to deny the connection request in consideration of the conditions
defined above.
Fig. 9–29 Security Alert - Advanced Policy
Table 9–13 Security Alert – Advanced Policy options
Column Description
Only this Destination/Source This option binds the outgoing/incoming connection to a specific IP address.
All Destinations/Sources Select this option to detach connection binding from a specific IP address (default).
Only Port This option binds the outgoing/incoming connection to a specific port. This option is selected by default to allow a
restrictive rule set only.
All activities for this application Select this option to allow connection initiation on arbitrary ports.
Port Range Select this option and insert a port range to allow connection initiation on the specified ports only.
CTRL + left mouse button confirms all connection notifications present with Allow/Block. The number of messages
is shown in the message counter.
ESC confirms the current connection notification with Block.
A connection request related to browsing the Internet with Microsoft Internet Explorer or another browser should be
treated differently than other more specific connection requests. For connections initiated by the browser, select All
Destinations. With All Destinations selected, the rule set will be created referencing the global Net Object InterNet.
With Only this Destination selected the rule set generated will be created referencing only the specific web server’s
address.
124 VPN Component Configuration
Chapter 10
VPN Component Configuration
10.1 Create a New Profile Using the Profile Wizard
For your convenience, you may use the Profile Wizard to easily create and configure a new VPN
profile.
To start the wizard, right-click anywhere within the empty white space in the Barracuda NG VPN
Control window, followed by choosing New (Wizard)... from the context menu.
In the appearing Profile Wizard window, type the VPN server’s address into the upper field and,
optionally, a name to display into the lower field.
Fig. 10–1 VPN Profile Wizard Context Menu Item
125 Barracuda NG Network Access Client - Administrator’s Guide
The next window is titled Authentication Method. You can later change a different method for
authentication in case you have chosen the wrong one.
Choosing Username and Password or SecurID will enable the Finish button, allowing you to complete the
configuration process at this point.
However, if you selected one of the two remaining options, Certificate or Barracuda personal License, you
will be taken to another configuration step.
Fig. 10–2 VPN Profile Wizard > Profile Wizard
Fig. 10–3 VPN Profile Wizard > Authentication Method
126 VPN Component Configuration
If you have chosen Barracuda personal License, you will see the following window of the same title. To
finish the configuration wizard, browse for the license file, then click Finish.
If you have chosen Certificate, you will be taken to this dialog of the same title. Enter your certificate
data and click Finish to complete the wizard.
Fig. 10–4 VPN Profile Wizard > Enter personal License
Fig. 10–5 VPN Profile Wizard > Certificate
127 Barracuda NG Network Access Client - Administrator’s Guide
You can later call the wizard again by right-clicking Modify Profile (Wizard) ... at the respective VPN
profile entry.
10.2 Configure a New Profile Manually
Double-click the Barracuda NG Network Access Client icon ( ) in the system tray to open the VPN
component. This will bring up the client’s status window which is attached to the tray.
Clicking Connect (altered by Disconnect, if already connected) will open the client’s configuration
window.
Fig. 10–6 VPN Profile Wizard - Modify Existing Profile Using the Wizard
Fig. 10–7 VPN client – tray status window
128 VPN Component Configuration
On the first start or If no working VPN profile for automated connecting has been defined before, the
client will show up with the Default profile’s Connect dialog als shown below:
The VPN profile can be chosen using the Profile dropdown.
Clicking Connect either left-hand or at the bottom would then initiate a connection using the chosen
profile:
However, before connecting for the first time you will of course need at least one working VPN profile.
Fig. 10–8 NG VPN client – Connect dialog
Fig. 10–9 NG VPN client – Connect dialog
129 Barracuda NG Network Access Client - Administrator’s Guide
Clicking Preferences... will bring up the Barracuda NG VPN Control dialog wherein the necessary
configurations can be made:
The space on the right side of this screen is reserved for a list of VPN profiles. It will be empty on the
first start. You may now create a new VPN profile by clicking New... which will bring up another window
for configuring the profile.
Insert a name for the connection entry into the Description field at the top. In the Certificate list, select
and configure an authentication method, then insert the address of the remote server into the Remote
Server field. Save the connection entries.
The newly created profile can now be chosen as preconfigured profile from the VPN client dialog.
Instead of creating a new profile, the default profile can of course be edited.
Advanced configuration options found in die Advanced Settings tab are described in-depth in Barracuda
Networks Control / Preferences Dialog, page 137.
In the following, several configuration fields will be encountered, which are to be edited by clicking into
the either empty or already pre-filled field. One of three possible editing options will then be offered:
a field where characters need to be inserted
Fig. 10–10 NG VPN client – Connect dialog
Configure a VPN profile for every known VPN server you might want to access. This way you can use the client’s
Direct Access functionality, enabling you to keep your VPN connection automatically up in the background via different
VPN gateways. See Direct Access, page 140.
It is possible to create multiple profiles for several users with individual certificates.
130 VPN Component Configuration
a browse button including a context menu
a dropdown list (figure 10–11)
10.2.1 Functional Elements of the Barracuda NG Network Access Client’s
System Tray Icon
Installing Barracuda NG Network Access Clients adds a new icon to the system tray providing quick
access to the main elements of VPN client and Barracuda NG Firewall R8. Double-click the icon to
open the VPN client Connection dialog (10.3 Connection Dialog, page 132). Right-click the icon to
make the following menu items available:
About NG Network Access Client
Shows the version information.
Shutdown NG Network Access Client
Shuts down the VPN for the current Windows session. The Barracuda NG Network Access
Client will be available again after a system restart. Select the Close for now checkbox to
proceed.
Fig. 10–11 Editing options of the VPN client dialog
Fig. 10–12 Context menu of the NG VPN Client system tray icon
131 Barracuda NG Network Access Client - Administrator’s Guide
NG Access Monitor
Opens the Barracuda NG Access Monitor which provides information concerning the health
state of the system.
Secure Mode
Disable Firewall (Allow all Traffic)
Allows you to change the operational modes of the Barracuda NG Personal Firewall. Secure
Mode enables it, while Disable Firewall disables it. After installation, the firewall is disabled by
default ( Barracuda NG Personal Firewall, page 87).
NG Personal Firewall
Opens the user interface of the Barracuda NG Personal Firewall ( Barracuda NG Personal
Firewall, page 87).
NG VPN Client
Opens the Status dialog of the Barracuda NG VPN Client (10.4 Status Dialog, page 134).
10.2.2 The Barracuda NG VPN Client’s Menu Bar
The following items are available in the Barracuda NG VPN Client’s menu bar:
File Download (Update)
This item is only available when a connection to a VPN Server has been established. Use
it to download updates from the VPN server and install them on the client.
Fig. 10–13 Close NG VPN Client informational window
Shutting down the client will also disable the personal firewall, Take that into account especially if this is the only local
firewall you’re using.
The whole Windows system needs to be restarted in order to restart the services.
132 VPN Component Configuration
• Close
Closes the NG VPN Client window.
10.3 Connection Dialog
The NG VPN Client can be started in the following ways:
Click Connect after left-clicking the icon in the system tray.
Use Start > All Programs > Barracuda NG Network Access Client > VPN Connector.
Use the Pre-Connector (12.2 VPN Connector, page 167). For using the
Pre-Connector, a profile must already be configured.
Execute rvpn.exe (12.3 Remote VPN (rvpn), page 169). Before using Remote
VPN, a profile must be configured.
The following values are required for a successful login to the VPN server:
Profile list
Select a preconfigured profile for login here. The creation of new profiles is described in
10.6 Barracuda Networks Control / Preferences Dialog, page 137.
Username and Password fields
Depending on the chosen authentication method, username and/or password must be
inserted here. With some authentication methods (Barracuda Networks authentication,
X509 certificate), only a password might be required. If this is the case, then the username
field is disabled.
Fig. 10–14 Profile selection in the Connect Dialog
133 Barracuda NG Network Access Client - Administrator’s Guide
Use a proxy server to connect checkbox
When use of a proxy server has been defined at profile creation time (10.6 Barracuda
Networks Control / Preferences Dialog, page 137), then this checkbox will be selected by
default, User/Password and Proxy Server will be displayed in the fields below at the same
time. If the proxy server requires a password, you need to insert it into the respective field.
Click Connect to establish a connection to the VPN server.
You can make use of the proxy server checkbox to override settings that have been defined at creation time of the
profile. In certain cases you might want to define use of a proxy server though the profile settings do not require this
(or vice versa), or you might need to use another proxy server than the configured one. The overriding option is
especially useful if a user does not have administrator rights is therefore not able to change profile settings in general.
134 VPN Component Configuration
10.4 Status Dialog
Use the Status dialog window to view properties of an established connection. Click Connect to
establish a connection through the Status dialog. A profile for the connection needs to be chosen in
the Connection dialog (10.3 Connection Dialog, page 132), though.
Technical Details tab:
Technical Details section:
Client IP
The assigned VPN client IP address (Source) and gateway IP address.
• Domain
The assigned domain.
• DNS
The assigned DNS IP address for the VPN connection
• WINS
The assigned WINS address.
Compression checkbox
Selected if traffic between VPN server and client is compressed (Compression, page 144).
Exclusive Network Access checkbox
If Exclusive Network Access (ENA) has been activated on the VPN Server, then this
checkbox is displayed selected.
Fig. 10–15 Status Dialog
135 Barracuda NG Network Access Client - Administrator’s Guide
Secure Routes section:
If secured routes have been assigned to the client by the VPN server, then their values will
be displayed in the fields Network and Subnet Mask.
Connection tab:
Connection section:
Status
Status information on the current connection, may it be active, initiating or shutting down.
Duration
The uptime for the current connection.
VPN Server
The VPN server to which the client currently is connected.
VPN Server Time
Local time on the VPN server.
Compression checkbox
Enable or disable compression.
Exclusive Network Access checkbox
If this is enabled, then only network resources available through the VPN can be accessed.
Client IP
The client’s IP address within the VPN.
Activity section:
Bytes Sent, Bytes Received
Amount of traffic transferred so far during the current session.
Bandwidth
Graphical representation of the currently used bandwidth.
My Account tab:
Authentication section:
Authentication scheme
The currently method for authentication used for the currently established connection.
Shows a respective status message if the VPN connection is not active.
In the same section below the authentication scheme entry, a set of properties for the
currently active auth scheme will be displayed, such as user name or certificate information.
Data integrity and encryption section:
Authentication Algorithm
The currently used auth algorithm.
Encryption Algorithm
The currently used encryption algorithm.
136 VPN Component Configuration
Tunnel Mode
The currently used transport mode for the VPN tunnel. Can display a value of TCP, UDP or
Hybrid.
Cancel button:
Use this button to terminate a connection. Only shown if a connection is currently active.
Connect button:
Click this button to initiate a connection.
Close button:
Click this button to close the VPN client window. The VPN control window will remain open.
Change Server Password link:
This link is only available as long as an active connection to the VPN server is established (Barracuda
Networks authentication only). It enables you to change your password on the server. Open the
configuration dialog, insert a new password, confirm it and attest authenticity by inserting the current
server password.
10.5 Message Dialog
This window displays the initial welcome message configured on the VPN server.
Fig. 10–16 Message dialog window
137 Barracuda NG Network Access Client - Administrator’s Guide
10.6 Barracuda Networks Control / Preferences Dialog
Click Preferences to open the Barracuda Networks Control panel.
Barracuda Networks Control is the user interface for configuration of profiles and Barracuda NG VPN
adapter settings and the management of certificates.
Barracuda Networks Control is also accessible via the Windows Control panel. Shortcut icons reside
within the Network and Internet Connections and the Security Center.
The Barracuda Networks Control window is divided into a menu (Options) on the left and a
configuration area on the right side.
At start-up, Barracuda NG VPN Control opens with the VPN Profiles configuration area. Further
available for configuration are Certification Authorities... (10.6.2 Certification Authorities Configuration
Window, page 138) and Advanced settings (10.6.3 Advanced, page 139).
10.6.1 VPN Profiles Configuration Window
All available profiles are listed in the overview window ordered by the connection type they were
configured with. The connections are listed with the following attributes:
• Description
The name of the profile.
• Host
The configured VPN server to connect to.
• Certificate
The certificate and authentication type used to connect (Barracuda Networks authentication,
User / Password or X509 authentication).
Fig. 10–17 Barracuda NG VPN Control
138 VPN Component Configuration
• Store
The store into which the certificate was saved.
• Status
The connection status. If you are not connected, you may click Connect … in the context
menu in order to establish a connection. On the other hand, if you are connected, then you
can click Disconnect in the context menu to terminate a connection.
•ID
This is the profile ID.
Options menu:
• Connect...
Select a VPN profile and click Connect to connect to a VPN server.
Modify Profile
Copy Profile...
Delete Profile...
Modify, copy or delete an existing profile.
Set as Default
Defines the currently marked profile as new default profile. The default profile is displayed
with bold letters in the overview window.
New …
Click New … to create a new VPN profile.
The profile configuration itself is done through the Connection Entries and Advanced Settings tabs (see
10.6.4 Connection Entries Tab, page 141 and 10.6.8 Advanced Settings Tab, page 143).
Context menu
Right-click into configuration area to open the Barracuda Networks Control context menu. The following
additional items are available here:
• Disconnect
Use this menu item to terminate a connection.
Show List / Show Groups
Arranges the profiles either in List or in Group view (default).
10.6.2 Certification Authorities Configuration Window
Manage certificates in the Certification Authorities configuration area. The following actions are
possible:
139 Barracuda NG Network Access Client - Administrator’s Guide
Options section:
View …
Opens a window with detailed certificate information.
Remove …
Deletes the selected certificate from the certificate store.
Import …
Imports the certificate to the certificate store. Supported certificate types are: DER encoded
binary x.509, PKCS #12 certificates, PEM encoded binary x.509
Export Certificate To section:
File …
• Clipboard
Exports the certificate to a text file or to the clipboard for further use in another place.
10.6.3 Advanced
Configure specific Barracuda NG VPN adapter settings here.
For successful authentication, both certificates, client AND root certificate that is, must be available. If your certificate
does not yet include the root certificate, add it here.
Fig. 10–18 VPN Adapter Settings
140 VPN Component Configuration
General VPN Settings section:
Direct Access
The VPN client can be configured so that it automatically reconnects to different gateways,
if available. Upon an unwanted disconnection, reconnecting to the same gateway will be
tried for three times. If this fails, a so-called "path finder connection" will be initiated, trying
a variety of pre-defined gateways and finding the fastest one. This gives mobile users
seamless access to corporate networks wherever they have Internet access. The
reconnection process can be configured to happen in the background without any user
interaction. The advanced reconnection mode can be activated by setting this to Yes.
Direct Access VPN Profile
The name of the VPN profile that is used for establishing Direct Access connections.
Barracuda NG VPN Adapter Settings section:
Disable Windows IP Auto Configuration
Disable Windows XP’s built-in automatic IP address configuration of the adapter.
Automatically reorder adapters
Place the VPN client's virtual adapter within the Windows adapter bindings right at the
position that is configurable through Order VPN Adapter.
Order VPN Adapter
The position of the VPN client's virtual adapter within the Windows adapter bindings. The
sequence affects e.g. the DNS resolution of short DNS names or the function of Windows
Remote Assistance.
Virtual Adapter ON/OFF Handling
Disables the virtual adapter as long as there is no active VPN connection. The adapter will
be re-enabled as soon as a VPN connection is established.
Virtual Adapter max start time period (def 60sec)
Waiting period in seconds for an enabled adapter. You may increase this value on slow
systems. Default and recommended value is 60.
Miscallenous Settings section:
Notify me when connection is established
Display a notifying popup as soon as a VPN connection has successfully been established.
Show icon in notification area
Display a status icon for the connection within the notification area of the task bar.
Allow automatic Service Recovery
Restart the service automatically in case of service termination.
141 Barracuda NG Network Access Client - Administrator’s Guide
10.6.4 Connection Entries Tab
Enter a description of this connection entry field
Insert a profile name into this field. The name entered will be displayed as profile name in
the Connection dialog window.
Certificate section:
Choose the authentication method required by the VPN server. The chosen authentication type
appoints further configuration parameters.
Remote Server section:
Host names or IP addresses of remote server:
The VPN server’s address. If entering a host name, make sure that this host name is
DNS-resolvable. Separate multiple entries using semicolons (";").
Fig. 10–19 Connection Entries tab
142 VPN Component Configuration
10.6.5 Barracuda Authentication
The following parameters are available for Barracuda Authentication:
10.6.6 X509 Authentication
The following parameters are available for X509 authentication:
Barracuda Authentication requires a valid certificate file (*.lic). The .lic file must be saved locally on the client
system using it.
List 10–1 Parameters used with Barracuda NG authentication
Parameter Description
File Select the certificate (*.lic) file needed for authentication at the VPN server.
Hash READ-ONLY
After a certificate has been loaded, its hash is displayed in this field.
Certificate File
Password
Only editable if a certificate file has been loaded.
The password for certificate usage can be changed here. Enter the new password and confirm it.
The creation of a Barracuda Authentication related profile can be rudimentary adapted by including an .ini file into the
creation process. If you want to make use of this option, then have a look at 10.6.8 Advanced Settings Tab, page 143
first. Subsequently, refer to 10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only),
page 146 for further details.
Selecting this method requires a valid X.509 certificate (*.).
List 10–2 Parameters available for use with X509 authentication
Description Description
Subject After the X.509 certificate has been selected, its subject is displayed here.
Issuer Displays the issuer of the selected X.509 certificate.
Use serial number Defines if the certificate’s serial number gets used in the authentication process.
Valid to Displays date and time when the X.509 certificate looses validity.
Key specific Hash value of the certificate file.
Key usage Value of the KeyUsage keyCertSign bit. Possible values are Exchange (public key exchange) or Signing (digital
signature).
Private Encrypt Switches encryption procedure (private key for encryption, public for decryption) depending on whether crypto API
is supported or not.
Prompt for user and password Set to yes to request both, certificate and user/password validation.
Temporary Root Certificate As soon as a temporary root certificate has been provided by the server, it can be viewed with the menu item
Show … or deleted with the menu item Clear.
Show external X509 Certificate If an external X.509 certificate has been loaded, its properties can be viewed here.
143 Barracuda NG Network Access Client - Administrator’s Guide
10.6.7 User / Password
The following parameter is available for User / Password authentication:
10.6.8 Advanced Settings Tab
Individual profile settings related to connection details can be configured from within the Advanced
Settings tab of the respective profile
Configure the following section when connecting to the VPN server over a proxy.
Data integrity and encryption Section:
External File Path to the external X.509 certificate.
List 10–3 Parameters used with User/Password authentication
Parameter Description
Temporary
Root Certificate
This field is set to the the value Not Available as long as a connection to the VPN server has never been established or if the
certificate file has been deleted. As soon as a certificate is available, it can be viewed with the menu item Show … or deleted with
the menu item Clear.
List 10–4 Advanced Settings tab – Proxy Settings section
Parameter Description
via Proxy
[Default: No Proxy]
Whether a proxy should be used and if, of which type it is.
Proxy[:Port]
[-]
IP address and port for the proxy. If HTTP Proxy is selected, the system’s proxy server is automatically set as default.
Proxy user
[-]
Note:
Only editable if HTTP Proxy is selected.
The username required for authentication at the proxy server, if needed.
Domain
[-]
Note:
Only editable if HTTP Proxy is selected.
The proxy server’s domain.
Simulate SSL
[No]
Note:
Only editable if HTTP Proxy is selected.
Set to Yes when using a proxy server requiring an SSL handshake.
Manipulations in the following fields should only be made by experts. Please take into consideration that the VPN
server must support the settings configured here.
List 10–5 Advanced Settings tab – Data integrity and encryption (ESP) section
Parameter Description
Authentication algorithm
[Default: MD5]
The algorithm to be used for authenticating to the VPN server.
List 10–2 Parameters available for use with X509 authentication
Description Description
144 VPN Component Configuration
Tunnel Settings section:
Encryption algorithm
[AES]
The algorithm to be used for encryption.
Tunnel Mode
[Response (UDP)]
The protocol to be used for tunnel traffic. The available options depend on the chosen proxy type:
- Response (UDP) for Socks 5
- Reliability (TCP) for HTTP Proxy and Socks 4
- Selecting No Proxy gives access to both protocol types and offers an additional one called Optimized
(Hybrid) indicating a combination of Response (UDP) and Reliability (TCP).
List 10–6 Advanced Settings tab – Tunnel Settings section
Parameter Description
Virtual Adapter Configuration
[Default: Direct assignment]
The method to be used for gathering IP addresses.
- Direct assignment - uses WMI (Windows Management Instrumentation) for assigning the IP address;
recommended if DHCP is not available due to security aspects.
- Use internal DHCP assignment - uses the integrated DHCP (Dynamic Host Configuration Protocol) for
assigning the IP address
- Assign IP address manually - IP address is entered manually in NIC properties
Compression
[Yes]
Yes triggers the Barracuda NG VPN Client to request compressed traffic. The server may or may not accept
the request depending on both its configuration and the license type assigned to the VPN client. Client
compression is only available to those clients that have assigned a secure connector license.
Note:
The gateway hosting the VPN server must hold a valid BOB license to use this feature. Refer to the
respective product guide for licensing details.
Note:
To activate compression operability, the VPN Service needs to be restarted after BOB license installation.
Use Access Control Service Validate the client’s status through the Access Control Service before a VPN connection is established.
NAC intercept VPN connection
[Default: Yes]
Configure here whether the Health Agent should intercept the VPN connection phase or wait until a VPN
connection is established. Recommended value: No.
Access Control Timeout [Default: 30] Timeout value in seconds for the VPN Service to wait for the Health Agent. Recommended value: 30.
WLAN Roaming [Default: Yes] Different IP addresses from the same profile are tried if a connection breaks. Recommended value: Yes.
Fast Reconnect [Default: Yes] Choose here whether to be prompted for user name and password on every connection attempt or not,
enabling seamless automatic reconnecting. This is also important in conjunction with one-time passwords.
Recommended value: Yes.
Reconnect immidiately Reconnect immidiately upon a connection break if set to Yes.
One Time Password
[No]
The behavior for reconnecting.
If set to Yes, then the password is queried anew when reconnecting.
If set to no, then reconnection is automatically performed without a password query.
Allow ENA Connection
[Yes]
Allows/blocks ENA (Exclusive Network Access) connections.
Note:
For successful VPN connection establishment between a server forcing ENA and a client, this value must be
set to Yes. Otherwise, no connection is possible.
Allow Sending Offline Rule Set
[Yes]
Enable the client to receive and use offline firewall rulesets from the VPN server. Offline firewall rulesets are
effective as long as no VPN connection is active.
Silent Mode (No Keep Alive)
[No]
Break all non-relevant communication over the VPN tunnel (for example for dial-up connections).
Keep alive (seconds)
[10]
The time value in seconds to keep an idle VPN tunnel alive.
Soft Hearbeat [Default: No] IKeep a VPN tunnel up by interpreting normal VPN traffic as keepalive traffic. Useful if the special keepalive
packets are dropped somewhere between client and server.
Enable VPN Tunnel Probing [Default:
Yes]
Probe a VPN tunnel prior to establishing a VPN connection. If this is set to Yes, the reachability of configured
IP addresses will be tested prior to establishing a tunnel. Recommended value: Yes.
Check Round Trip Time (RTT)
[Default: Yes]
Setting this to Yes will activate automatic selecting of the fastest VPN server by measuring the roundtrip
times of all available servers prior to connecting if more than one server IP address has been configured in
the profile. Recommended value: Yes.
List 10–5 Advanced Settings tab – Data integrity and encryption (ESP) section
Parameter Description
145 Barracuda NG Network Access Client - Administrator’s Guide
Always Connect section:
User Interface Settings section:
OS Settings section:
Terminate Countdown (sec.)
[2]
Period in seconds to wait until a VPN connection is terminated.
After reconnect adapter reset Reset the virtual adapter after reconnecting. This may help resolving connectivity issues.
Connect retry time (sec) [Default: 60] A timeout period in seconds which will be used for reconnection attempts to the given profile. The lower this
value is, the faster the connection to the fallback profile will be established, if defined. Recommended value:
60.
Fallback Profile Fallback profiles can be defined here. These will be tried next if a connection to the respective profile cannot
be established.
List 10–7 Advanced Settings tab – Always Connect section
Parameter Description
Disable Active Directory Scan
[Default: No]
Direct Access can be disabled if an Active Directory is found within the currently active connection. This
ensures in office environments that the local WiFi is used by preventing a search for different gateways upon
disconnecting. Recommended value: No.
List 10–8 Advanced Settings tab – User Interface Settings section
Parameter Description
Remember logon user name The VPN connection GUI remembers the last entered user name.
For security reasons, this parameter is disabled by default.
Show Popup
[Yes]
Specifies whether pop up messages are displayed for incoming and outgoing connections.
Close after Connection
[No]
Causes the VPN client dialog to close as soon as a VPN connection has successfully been established.
Save new Certificate Unattended
[No]
Locally save new certificates without any user interaction.
List 10–9 Advanced Settings tab – OS Settings section
Parameter Description
Start Script
[-]
Define scripts to be started automatically on connecting (e.g. to automatically modify Internet Explorer
settings).
Stop Script
[-]
Disconnect when user logs off
[Yes]
The behavior expected when logging off from Windows (Start > Log Off):
When set to Yes, then the VPN connection is terminated on performing a system logout.
If set to No, then the VPN connection remains active.
Enable MS Logon
[No]
Causes the user/password credentials entered during the log-in procedure on the Windows system to be
sent automatically to the Barracuda NG Firewall Smart/Secure Connector.
Note:
On establishing a VPN connection, these credentials are automatically used for authentication.
Using other credentials than these is not possible.
Certificate Store Flag Assign the certificate location within Microsoft Windows’ Certificate Management store.
Certificate Store
[MY]
Assigns the certificate location within Microsoft Windows’ Certificate Management store.
List 10–6 Advanced Settings tab – Tunnel Settings section
Parameter Description
146 VPN Component Configuration
10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG
Authentication only)
Some parameters configurable in the Connection Entries and Advanced Settings (10.6.3 Advanced,
page 139) tabs can be passed to the NG VPN Client through an .ini file. When a profile with
Barracuda NG authentication is created the Barracuda NG Firewall Connector looks for an .ini file in
the same directory as the .lic file is retrieved from. The .ini file is expected to be named equally to
the .lic file (for example C:\licenses\barracuda_user.lic requires
C:\licenses\barracuda_user.ini). If the .ini file is available, the values defined there will be
used for the VPN profile.
The following parameters can be defined through the .ini file:
• Description
Name of the profile.
• Server
IP address of the VPN server.
• Proxy
URL or IP address of the proxy server.
• ProxyType
Proxy server type. Possible options are: HTTP, Socks4 and Socks5
• ProxyUser
User name possibly needed for proxy authentication.
• ProxyDomain
Windows domain within which the user is able to authenticate.
Dhcp [corresponds to Virtual Adapter Configuration dropdown list in the
Advanced Settings tab]
Fig. 10–20 Example for an .ini file
Remove unnecessary options from the .ini file.
The proxy related parameters must be removed from the .ini file, if connection establishment is not handled via a proxy
server.
[Settings]
Description=Profile Name
Server=192.168.10.10
Proxy=proxy.sample.com:3128
ProxyType=HTTP
ProxyUser=testUser
ProxyDomain=SAMPLE
Dhcp=1
connectmode=tcp
;[tcp, udp, hybrid]
147 Barracuda NG Network Access Client - Administrator’s Guide
Behavior of a DHCP client.
Possible options are:
2 IP address is assigned directly (using Windows Management Instrumentation)
1 IP address is assigned dynamically (DCHP)
0 IP address is configured statically
connectmode [corresponds to Tunnel Mode dropdown list in the Advanced
Settings tab]
This parameter specifies the used connection mode. By default, this parameter is set to tcp.
The alternatively available modes are shown in brackets ([]). Please remove the bracket and
its entries in order the get a working setup file.
10.7 Log Window
The log information screen displays information collected from the initiation of a connection attempt
until disconnecting. Purely informational messages are logged conjointly with messages related to
connection errors or other errors.
Time row
The log entry’s time stamp.
When changing the protocol to udp, be sure to delete all parameters related to the proxy.
Fig. 10–21 Log window
148 VPN Component Configuration
Module row
The module the respective log entry refers to.
Status row
The status of several actions such as Internal loop, Add Routes (added routes), Refresh IP
(client IP), etc.
149 Barracuda NG Access Monitor
Chapter 11
Barracuda NG Access Monitor
11.1 Overview
11.1.1 Access Monitor
The Access Monitor is the key component of Barracuda NG Network Access Client. Its responsibilities
include:
Collecting information from the client computer necessary for health
evaluation, including
Workstation identity information
Operating system information and patch level
Antivirus and Antispyware information
Communication with the Access Control Server
Taking security measurements dependent on the health evaluation result
returned by the Access Control Server. This includes
Downloading and installing necessary updates
Restricting network access
Executing Antivirus / Antispyware updates and starting scans or updates
11.1.2 Port Security
The Barracuda NG Network Access Client implements the IEEE 802.1X standard. The IEEE 802.1X
standard defines a client-server-based access control and authentication protocol that prevents
unauthorized clients from connecting to a LAN through publicly accessible ports unless they are
authenticated. The credentials for authentication are obtained by the client computer from the Access
Control Server, based on the client computer's health evaluation result, restricting or granting network
access to the client computer.
150 Barracuda NG Access Monitor
11.2 Monitoring
11.2.1 Health Agent
The Barracuda NG Access Monitor provides all necessary information regarding the client computers
health state and network restriction.
Fig. 11–1 Barracuda NG Access Monitor
Table 11–1 Barracuda NG Access Monitor
Property Description
Health Condition There are 3 different health states:
• Healthy
The client computer complies with the policy configured on the Access Control Server
• Unhealthy
The client computer does not comply with the policy; actions need to be taken to meet the health
requirements.
Untrusted
There is no rule defined for the client computer, thus he has only restricted network access.
151 Barracuda NG Network Access Client - Administrator’s Guide
Client Origin Local Computer
Health evaluation for the client computer is mandatory; if the health evaluation for the client computer
is not successful, evaluation based on user credentials is not possible.
Current User
When multiple users use the same computer it is possible to start health evaluation based on user
credentials, matching each user with its own policy depending on his role in the network.
• VPN
When connected to the Access Control Server using a VPN connection
Last Health Check Date and time when the last health evaluation was performed.
Next Health Check Date and time the next health evaluation will be performed.
Quarantine Status The quarantine status depends on the health condition of the client computer. Three states are provided for
policy based network access, these include:
Not Restricted
Full network access is granted when the health evaluation result returns the health state Healthy.
• Probation
When the client computer does not meet the configured health requirements, it will enter probation
state. In this state he is not restricted in order to contact network resources necessary to meet all health
requirements. If the following health evaluation does not return a Healthy state he will enter restricted
network access mode.
• Restricted
If restricted network access is active, the Client will activate the quarantine rule set assigned by the
Access Control Server.
Note:
It is possible to configure two quarantine rule sets, one for when the client computer does not meet the
health requirements and is unhealthy. The other for when the client computer is untrusted because no rule
is defined for it.
Access Control Server IP or hostname of the Access Control Server that is being contacted for health evaluation. See
11.3.2 Access Control Server IPs from Registry, page 160 and 11.3.3 Access Control Server IPs from DHCP,
page 160.
Emergency Network Adapter Repair If enabled this allows you to reset the network adapters managed by the Port Security wpa_supplicant. To
enable or disable see 11.3.12 Allow Emergency Network Adapter Repair, page 163.
Image of the day Custom welcome image configurable on the Access Control Server, for following states:
Local Computer - healthy, limited access
Current User - healthy
VPN - healthy
Message of the day Custom welcome message supporting Unicode configurable on the Access Control Server for following
states:
Local Computer - healthy, limited access
Current User - healthy
VPN - healthy, limited access
Health evaluation result This shows the actual health evaluation result. It holds an entry for every health criteria and if it complies with
the policy configured.
If a criterion does not meet the requirements, a description of necessary actions in order to comply with the
policy is shown.
Table 11–1 Barracuda NG Access Monitor
Property Description
152 Barracuda NG Access Monitor
11.2.2 Advanced Status information
If more information is required, the Barracuda NG Access Monitor provides additional information
through the Barracuda NG Access Monitor Advanced dialog. This can be opened by either clicking the
Health Condition link (see: Health Condition, table 11–1, page 150) or the Quarantine Status link (see:
Quarantine Status, same table) in the Health Agent view.
11.2.3 Service Status
If either the Client service or the Barracuda NG Access Monitor Agent service, both vital for normal
operation, is not running, a message will be shown for either of them (figure 11–3). No message
indicates that both services are operating normally as intended.
Fig. 11–2 Barracuda NG Access Monitor Advanced
Fig. 11–3 Neither Client nor Barracuda NG Access Monitor service is running
153 Barracuda NG Network Access Client - Administrator’s Guide
11.2.4 Communication Status
Whenever the Barracuda NG Access Monitor is working, a status message is displayed below the
message of the day group (figure 11–4). While the Barracuda NG Access Monitor is communicating it
is not possible to start a health evaluation. There are following communication states for the Barracuda
NG Access Monitor:
11.2.5 Connection Errors
If, for any reason, the Access Control Server can not be reached at the configured IP addresses for
health evaluation, a connection error will be shown as in figure 11–5. See 11.3.4 ICMP Connectivity
Checking, page 161 later on for more details on this specific connection error.
The connection error as in figure 11–6 occurs when the Barracuda NG Access Monitor has no Access
Control Server IP addresses configured.
There are some options to resolve this:
Table 11–2 Health Agent states
State Description
Initializing The Barracuda NG Access Monitor is initializing before entering operational state.
Termination The Barracuda NG Access Monitor service is shutting down and freeing all resources.
Pending communication, validating A health evaluation has been started, waiting for the result from the Access Control Server.
Pending communication,
downloading
Files such as rule sets, patches and other, necessary to comply with the policy the client matched with are
being downloaded.
Waiting for user input The Barracuda NG Access Monitor requires user credentials for user specific authentication and health
evaluation. W0hen this message is shown a dialog is visible to enter the user credentials.
Fig. 11–4 Barracuda NG Access Monitor communicating with the Access Control Server
154 Barracuda NG Access Monitor
Configure a valid Access Control Server IP address locally ( see 11.3.2 Access
Control Server IPs from Registry, page 160)
Use these instead if the Access Control Server IP addresses are distributed by DHCP:
By using the Emergency Network Adapter Repair function/button ( see
11.3.12 Allow Emergency Network Adapter Repair, page 163)
By using the operating system's built in ipconfig tool to obtain a new IP
address for the client computer which will include a Access Control Server IP
address to connect to
In order to verify if an Access Control Server IP address was received through DHCP, look up the
Barracuda NG Access Monitor Access Control Server IPs dialog. (see 11.3.3 Access Control Server IPs
from DHCP, page 160).
Fig. 11–5 Connection error using ICMP connectivity checking (see 3.1.3)
155 Barracuda NG Network Access Client - Administrator’s Guide
Fig. 11–6 Connection error because no Access Control Server IP addresses are configured
156 Barracuda NG Access Monitor
11.2.6 802.1X Authentication - Port Security
11.2.7 Network Interfaces
As seen in figure 11–7, the Port Security view lists all network interfaces available for 802.1X
authentication in two groups:
• Managed
Unmanaged
Managed network interfaces have been activated for the use of 802.1X authentication. The Barracuda
NG Access Monitor provides several actions for all managed network interfaces when a
wpa_supplicant is running for the network interface.
Unmanaged network interfaces have not been enabled yet to use the 802.1X authentication scheme.
It is not possible to perform any actions on unmanaged interfaces through the Barracuda NG Access
Monitor.
If available, the list shows the following information:
Fig. 11–7 Port Security
Table 11–3 Barracuda NG Access Monitor actions for managed network interfaces
Task Description
Logon Starts the 802.1X authentication scheme, by requesting network access through the switch, which enables the line protocol if
successful, allowing all network traffic.
Logoff Tells the switch, the client computer does not need network access any more. The switch will disable the line protocol and
block all network traffic except for EAP, CDP and STP protocols.
Reassociate Restart the authentication process if already authenticated.
Reset This will reset the session password used for authentication against the RADIUS server. Hence the authentication process will
start from beginning and client computer will receive a new session password.
Trace EAP Packets… Opens the EAP Packet tracer with packet data for the selected network interface.
Table 11–4 Barracuda NG Access Monitor information for unmanaged network interfaces
Column Description
Name Friendly name of the network device
157 Barracuda NG Network Access Client - Administrator’s Guide
11.2.8 Advanced Status Information
For more detailed information about a network interface, double-click it to open the 802.1X Properties
dialog, or right-click the desired network interface and choose Details… from the context menu.
Status Shows the device status of the network interface, these include:
Network cable unplugged
Not connected
Disconnected
Connecting
• Connected
PAE state Port Access Entity status
EAP state Extensible Authentication Protocol status
Device Name The name of the device made up by the manufacturer.
IP Address IP Address the network interface is using.
Fig. 11–8 Advanced network interface information
Table 11–4 Barracuda NG Access Monitor information for unmanaged network interfaces
Column Description
158 Barracuda NG Access Monitor
11.2.9 EAP Tracer
The EAP Tracer allows you to view EAP and EAPOL packets captured by the Barracuda NG Access
Monitor for every network interface which has the option Trace EAP Packets enabled (see
11.3.13 Capture 802.1X Traffic (EAP), page 164).
Fig. 11–9 EAP Tracer
159 Barracuda NG Network Access Client - Administrator’s Guide
11.3 Configuration
Fig. 11–10 Barracuda NG Access Monitor Advanced Settings
List 11–1 Configuration – Advanced Settings
Parameter Description
Access Control Server IPs from Registry See 11.3.2 Access Control Server IPs from Registry, page 160
Access Control Server IPs from DHCP See 11.3.3 Access Control Server IPs from DHCP, page 160
ICMP Connectivity Checking See 11.3.4 ICMP Connectivity Checking, page 161
Offline Checkl See 11.3.5 Offline Check, page 161
Use Basic Authentication See 11.3.7 Use Basic Authentication, page 162
Use NTML Authentication See 11.3.8 Use NTLM Authentication, page 162
IEEE 802.1X Authentication See 11.3.10 IEEE 802.1X Authentication, page 163
IEEE 802.1X DHCP Renew See 11.3.11 IEEE 802.1X DHCP Renew, page 163
Allow Emergency Network Adapter Repair See 11.3.12 Allow Emergency Network Adapter Repair, page 163
Capture 802.1X Traffic (EAP) See 11.3.13 Capture 802.1X Traffic (EAP), page 164
Barracuda NG Network Access Client
Logging
See 11.3.16 Barracuda NG Network Access Client Logging, page 165
Barracuda NG Health Agent Logging See 11.3.15 Barracuda NG Health Agent Logging, page 165
160 Barracuda NG Access Monitor
11.3.1 Health Agent Connectivity
This section holds all configuration section regarding the connectivity of the Barracuda NG Access
Monitor.
11.3.2 Access Control Server IPs from Registry
As shown in figure 11–11, the dialog allows creating, editing and deleting of Access Control Server IP
addresses, which are stored in the registry. It is possible to configure as many Access Control Server
IP addresses as required to ensure to ensure continuous connectivity.
As shown in figure 11–11, these IPs can be configured locally using the dialog, and then they are
stored in the registry. These can be found as follows:
11.3.3 Access Control Server IPs from DHCP
When the Barracuda Networks DHCP server is configured to distribute the Access Control Server IPs
using DHCP, these are listed in an advanced dialog, see figure 11–12. To open the dialog click the
Table 11–5 Registry entry for Access Control Server IPs
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\PolSrv
Key N (enumeration)
Value IP or Hostname of a Access Control Server
Fig. 11–11 Edit Access Control Server IPs in registry.
161 Barracuda NG Network Access Client - Administrator’s Guide
Edit… button. If required, clear the Access Control Server IP addresses, which are received through
DHCP, with the button Clear Policy IPs.
11.3.4 ICMP Connectivity Checking
As an advanced feature, the Barracuda NG Access Monitor is able to determine the connectivity to the
Access Control Server using ICMP packets. If this option is enabled the Barracuda NG Access Monitor
will send an ICMP packet to the Access Control Server, before connecting and starting health
evaluation. If the ICMP packet sent, returns successfully the Barracuda NG Access Monitor will
connect to the Access Control Server and start health evaluation. When this option is disabled, the
Barracuda NG Access Monitor will start immediately connecting to the Access Control Server, instead
of checking for connectivity first.
It is highly recommended to enable this feature when connecting to the Access Control Server through
a VPN connection; otherwise connectivity may not be as satisfying as expected.
To edit this option manually, modify the following registry key:
11.3.5 Offline Check
Allows to disable the Health Agent if no network connection is active. This prevents the local firewall
from unwantedly entering quarantine mode. The default and recommended value is Yes.
Fig. 11–12 Access Control Server IP addresses, received by DHCP.
When ICMP Connectivity checking is enabled, the NG Firewall must be configured to pass through ICMP packets,
otherwise the Barracuda NG Access Monitor will not connect to the Access Control Server.
Table 11–6 Registry entry for ICMP connectivity
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\settings
Key ICMPProbing
Value (Default=1)
0 - disabled
1 - enabled
162 Barracuda NG Access Monitor
To edit this option manually, modify the following registry key:
11.3.6 Health Agent Authentication
11.3.7 Use Basic Authentication
This option specifies if basic user-password or certificate authentication should be used, in case the
NTLM authentication fails.
To edit this option manually, modify the following registry key:
11.3.8 Use NTLM Authentication
By enabling this option, the Barracuda NG Access Monitor will use windows user credentials provided
by NTLM for authentication.
To edit this option manually, modify the following registry key:
Table 11–7 Registry entry for ICMP connectivity
Item Description
Path .DEFAULT\Software\Phion\phionha\settings\
Key UseConnectionState
Value (Default=1)
0 - disabled
1 - enabled
Table 11–8 Registry entry for basic authentication
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\settings
Key UseBasicAuthFallback
Value (Default=1)
0 - disabled
1 - enabled
Table 11–9 Registry entry for NTML authentication
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\settings
Key UseNTLM
Value (Default=1)
0 - disabled
1 - enabled
163 Barracuda NG Network Access Client - Administrator’s Guide
11.3.9 802.1X Settings
11.3.10 IEEE 802.1X Authentication
This option enables or disables the use of 802.1X authentication. When enabled, the Client will
automatically start a wpa_supplicant for all network interfaces configured to use 802.1X authentication.
To edit this option manually, modify the following registry key:
11.3.11 IEEE 802.1X DHCP Renew
When 802.1X DHCP Renew is enabled, a DHCP request packet will be sent to obtain a new IP
address, whenever a VLAN is assigned to the client computer by the switch.
To edit this option manually, modify the following registry key:
11.3.12 Allow Emergency Network Adapter Repair
This option enables the button for Emergency Network Adapter Repair in the Barracuda NG Access
Monitor - Health Agent view. By clicking the button all network interfaces enabled to use 802.1X are
being reset and will receive a new IP if the network interface is configured to use DHCP.
To edit this option manually, modify the following registry key:
Table 11–10 Registry entry for 802.1X authentication
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021XMonitor
Value (Default=1)
0 - disabled
1 - enabled
Table 11–11 Registry entry for 802.1X DHCP Renew
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021XEnableDHCPRenew
Value (Default=1)
0 - disabled
1 - enabled
Option IEEE 802.1X DHCP Renew must be enabled in order to allow emergency network adapter repair.
Table 11–12 Registry entry for emergency network adapter repair
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
164 Barracuda NG Access Monitor
11.3.13 Capture 802.1X Traffic (EAP)
If enabled, the Barracuda NG Access Monitor will capture all EAP (Extensible Authentication Protocol)
and EAPOL (Extensible Authentication Protocol) packets and save them in the log directory located in
the Barracuda NG Network Access Client installation directory. These files can be viewed using the
EAP Tracer.
To edit this option manually, modify the following registry key:
Key AllowEmergencyRepair
Value (Default=1)
0 - disabled
1 - enabled
Table 11–13 Registry entry to capture 802.1X Traffic (EAP)
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021xTraceEAP
Value (Default=1)
0 - disabled
1 - enabled
Table 11–12 Registry entry for emergency network adapter repair
Item Description
165 Barracuda NG Network Access Client - Administrator’s Guide
11.3.14 Log Settings
For proper analysis verbose output is essential, thus it is possible to enable logging for both the Health
Agent service and the Barracuda NG Access Monitor service to receive detailed information, see
11.4 Log Files, page 165 for more information.
11.3.15 Barracuda NG Health Agent Logging
To edit this option manually, modify the following registry key:
11.3.16 Barracuda NG Network Access Client Logging
To edit this option manually, modify the following registry key:
11.4 Log Files
Information for analysis, serialized by the NG Network Access Client, is stored on the local hard drive
if verbosity is enabled. These files can be found in the log directory located in the Barracuda NG
Network Access Client installation directory. These files can be opened either using the Barracuda NG
Access Monitor, by double clicking the desired log file in the "Advanced Settings" section or with the
desired text editor.
Following log files are available, depending on the level of verbosity configured:
Table 11–14 Registry entry to log clients
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key Logging
Value (Default=1)
0 - disabled
1 - enabled
Table 11–15 Registry entry to log Barracuda NG Access Monitor
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\settings
Key Logging
Value (Default=1)
0 - disabled
1 - enabled
Table 11–16 Log Files
File Description
phions.log Log information by the Client Service, depending on option (see 11.3.15, Page 165)
phionha.log Log information by the Barracuda NG Access Monitor, depending on option (see 11.3.16 Barracuda NG Network Access
Client Logging, page 165)
wpa_supplicant_{UUID}.lo
g
Log information by the wpa_supplicant for each network interface, depending on option (11.3.15 Barracuda NG Health
Agent Logging, page 165)
166 Barracuda NG Access Monitor
client.xml Xml file containing the information sent to the Access Control Server containing information about the client computer
when perform user based health evaluation.
connect.xml Information about connectivity and connection errors.
download.xml Contains data from the last download such as rule set, message of the day, …
downloadLocal.xml Contains data received when a local computer based health evaluation succeeded.
downloadUser.xml Contains data received when a user based health evaluation succeeded.
health.xml Last health evaluation result returned by the Access Control Server.
healthLocal.xml Last health evaluation result for local computer based health evaluation.
healthUser.xml Last health evaluation result for user based health evaluation.
Table 11–16 Log Files
File Description
167 Pre-Connector and Remote VPN
Chapter 12
Pre-Connector and Remote VPN
12.1 General
Pre-connectors and Remote VPN are tools that are meant to simplify/automate logon procedure.
Optionally, combined with a prior dial-up connection, they may also be used to log on to a domain
remotely.
12.2 VPN Connector
Create a connector to achieve following:
Enable a user to gain quick access to a preconfigured profile or multiple
profiles. Place shortcuts to the connectors on the client’s desktop.
Connect to a VPN server directly from the Microsoft Windows login screen
without prior login to the Windows system.
Connect to a VPN server with prior dial-up connection to a remote domain.
Dial-up connection and remote domain login may also be called directly from
the Windows login screen.
168 Pre-Connector and Remote VPN
12.2.1 Creating a Connector
Prior to creating a Barracuda NG VPN connector, the connection profile must be configured
(10.6.8 Advanced Settings Tab, page 143). The connector may then be created using one of two
possible methods.
Start the VPN client and enter the configuration mode for the required profile
(
Preferences > Select profile to change > Options > Modify Profile > Advanced
Settings tab > Pre Domain Logon > Create Connector ; see Advanced Settings Tab,
page 143).
Browse to Start > Control Panel > Network Connections. A default Barracuda NG VPN
Connector is available in the Virtual Private Network section. Modify or copy and
thereafter rename the default profile.
The checkbox Dial Another Connection First enables activation of a dial-up connection prior to tunnel
establishment. Dialling is started automatically after start of the VPN connector.
Click Finish to create the connector or to save the settings that have been made respectively.
To create a shortcut for quick access, select a connector and drag it to the desktop.
Fig. 12–1 Creating a Connector
169 Barracuda NG Network Access Client - Administrator’s Guide
12.2.2 Connecting And Disconnecting using the Barracuda NG VPN Client
To connect using the Barracuda NG VPN Client, double-click the corresponding shortcut (if available)
or select the connector in Start > Control Panel > Network Connections. Enter the necessary information
and click OK to start the VPN tunnel.
To disconnect, double-click the corresponding shortcut (if available) or select the connector in Start >
Control Panel > Network Connections and click Disconnect.
12.2.3 Remote Domain Logon (Pre-Logon)
As soon as a Barracuda NG VPN connector has been created, Remote Domain Logon from the
Windows login screen becomes possible with prior dial-up connection.
Select the checkbox Log on using dial-up connection when logging on to your PC and select the desired
VPN connector connection profile from the list. Dial-up connection and tunnel are going to be
established successively during logon process to your PC, enabling access to an otherwise
inaccessible domain.
12.3 Remote VPN (rvpn)
Remote VPN allows connecting/disconnecting automatically via script. rvpn.exe is downloadable
from Barracuda Networks.
1.) Create a VPN Profile
First, you must configure the required profile as described in the previous chapter ( VPN Component
Configuration, page 124).
2.) Allocate the Profile in the Windows Registry
Open the registry (regedit) and change into the folder HKEY_USERS > .DEFAULT > Software >
Barracuda Networks > Barracuda NG VPN > Profile.
3.) This directory contains an explicit directory for each VPN profile.
4.) Create an rvpn Profile
An rvpn profile contains several parameters that determine the actions to be taken when a profile is
executed:
The sequence in the registry (1, 2, 3, …) does NOT match with the sequence in the NG VPN Client User Interface.
Have a look at the Description entry in the registry in order to find out which profile number matches the required VPN
profile.
List 12–1 Parameters contained in an rvpn profile
Parameter Description
-c [X] Connect [number of retries - default 1]
170 Pre-Connector and Remote VPN
• Examples:
rvpn.exe -c -r 3 -a vpntest -p a12b34c56
This profile connects (-c) with client profile "3" (-r 3) using certificate password "vpntest"
(-a vpntest) and server password "a12b34c56" (-p a12b34c56).
rvpn.exe -c 10 -r 3 -a vpntest -p a12b34c56
The same example with 10 retries for connecting
(-c 10):
rvpn.exe -c -r 3 -aa -p a12b34c56
This profile starts a query for a local certificate password (-aa) via pop-up. Thus, the script
does not run completely automatic. It requires manual input.
rvpn.exe -c -r 3 -a * -p a12b34c56
This profile starts a query for a certificate password (-aa) via DOS window. Thus, the script
does not run completely automatic. It requires manual input.
12.4 Connection Procedure
After successful authentication against the VPN server, the client requests the configuration from it. As
soon as the configuration is received, the VPN Service transmits this configuration to the Barracuda
Networks Secure Personal Access Client (SPAC). This enables the SPAC to answer DHCP requests.
-a [X, *] Local password [Certificate Password] (if any)
-aa Pop-up for local password
-cs [X] Client shutdown password protection. Prompts for the password definied in [X] whenever a user tries to shut down the VPN client.
Leaving the password value blank deactivates this feature.
-d Disconnect
-f "X+X" Process to kill [0, KILL]
-g [X] IP address of VPN server;
Note:
overrules the server IP set in the profile
-h Hide console
-n Profile name
-o Proxy password
-p VPN server password
-pp Pop-up for VPN client password
-preconnector
[X]
If VPN connection is terminated this preconnection is also terminated (for example for terminating modem connection)
-r [X] Profile (registry ID)
-u [X] User
-v [X] Verbose
-x [X] Command (showvpn, shofw)
List 12–1 Parameters contained in an rvpn profile
Parameter Description
171 Barracuda NG Network Access Client - Administrator’s Guide
The following steps are carried out when a connection is to be established:
1.) Client opens a socket on the server, starts authentication and requests configuration
2.) Client receives configuration (IP, subnet mask, WINS, DNS, …)
3.) Client sends received information to the SPAC
4.) Client triggers ipconfig/renew for the Barracuda NG VPN Virtual Adapter
5.) SPAC answers DHCP requests for the Adapter with the configuration data
6.) Operating system reconfigures the Virtual Adapter
7.) VPN Service introduces additional routes
8.) The corresponding rule set for the Barracuda NG Personal Firewall is implemented.
Fig. 12–2 Connection procedure
User space
Kernel
Hardware
NG VPN
Virtual Adapter
Ethernet
Device
NG VPN
Barracuda Networks VPN
server
Port 691 or
443 via Proxy
SPAC DHCP
Step 2
Step 1
Step 4
Step 3
Step 5
1
12
2
4
3
5
component
172 Example Configuration
Chapter 13
Example Configuration
Introducing an up-and-running Barracuda NG Network Access Client environment involves several
components, like global objects, trustzone settings, Access Control Service and gateway firewall
configuration.
This section presents an overview how simple an environment can be set up. For further details of
individual parameters please refer to the appropriate sections.
Beginning to use Barracuda NG Network Access Client does not necessarily require complex policy
rule sets. Although rule sets will become more elaborated due to required exceptions, the sample
includes only one policy within the rule set Local Machine.
The client LAN has the IP-range 10.0.8.0/24, the protected servers are located in the network
172.16.0.0/24. Additionally to the protected servers, one server acts as Microsoft Domain Controller
and as remediation server for updating the antivirus patterns. This server has the IP address
172.16.0.10 - you need to grant access to this computer even for unknown or unhealthy clients.
The other servers located within the server segment should be protected - for example access to these
servers should only be available for clients conforming to the corporate health policy.
The health policy requires to have a client installed and the personal firewall to be enabled. In addition,
the company uses Trend Micro antivirus products, so it is required to have the AV engine enabled and
to receive regular anti-virus ipattern updates.
Fig. 13–1 Example configuration – environment
173 Barracuda NG Network Access Client - Administrator’s Guide
13.1 Introduce Access Control Objects
As a first step it is recommended to prepare the Access Control Objects. These objects should be
ready for referencing during trustzone configuration.
At the beginning, setting up an Barracuda NG Network Access Client infrastructure usually starts with
two different Welcome messages, two different Personal Firewall rule sets, and one Picture.
To give users customized details about their health state we recommend to define different Welcome
messages for unrestricted access ("healthy") and quarantine ("unhealthy"). In case of quarantine
contact details of the company's IT support will be useful for the end user.
Like welcome messages, customized pictures are not really necessary for a Barracuda NG Network
Access Client infrastructure. Nevertheless, companies usually want to display their own logo instead
of the Barracuda Networks logo.
The most important part which is also required for proper operation is to set up Personal Firewall Rules.
13.2 Personal Firewall Rule Set
It is difficult to give guidelines for personal firewall rule sets. The required applications may strongly
differ between companies.
Nevertheless, remember for all your Barracuda NG Personal Firewall rule sets:
All your clients, regardless of their health state, require network access. They need to contact the
Access Control Service (TCP 44000, the rule is included in the default rule set) and the Microsoft
Domain Controller. Otherwise no user login will be possible. Additionally, depending on the antivirus
or antispyware product, access to HTTP servers may be necessary. Backup software, remote support
and automatic software distribution often trigger connections from server to client, so it may be
necessary to modify the incoming rule set of your personal firewall to allow incoming connections.
For the setup used in this example only small modifications to the default rule set are required. First
create the quarantine rule set:
In the configuration directory Access Control Objects > Personal Firewall Rules
choose New Access Control Firewall Rule Set in the context menu.
The object name of the rule set is restrictedAccess.
Open the rule set restrictedAccess.
For the restrictedAccess rule set, the following new rules are added:
Explicitly block Skype application.
Allow connections to the remediation-servers (172.16.0.10).
174 Example Configuration
Allow HTTP/HTTPS connections to the internet. Some antivirus products use
HTTP/HTTPS to download up-to-date engines and patterns.
Next create and edit the unrestricted rule set:
For the unrestricted rule set, the Outgoing rules allow connections to the
whole internal network. Add a pass rule using "LocalIPs" as source and
"10.0.0.0/8" plus "172.16.0.0/24" as destination.
Additional remote desktop connections are allowed in the "Incoming" rule set.
13.3 Introduce an Access Control Service Trustzone
As mentioned above, the hierarchical structure of a Barracuda NG Control Center allows introduction
of Access Control Service Trustzones at different levels (Global, Range, and Cluster). Thus, a decision
about the proper place for a company's trustzone is required.
Fig. 13–2 Example configuration – Personal Firewall rule set – Access Control Service - Rules – Outgoing tab example view
Fig. 13–3 Example configuration – Personal Firewall rule set – Incoming tab example view
175 Barracuda NG Network Access Client - Administrator’s Guide
Administrators of stand-alone Barracuda NG Firewalls can avoid making this decision - you simply
configure your trustzone within the Access Control Service > Trustzone node.
As a guideline for a simple setup using a CC, we recommend to use global trustzones or alternatively
switch to range trustzones.
For range or cluster based Access Control Services note that they can only reference trustzones within the same
administrative scope (not from another range/cluster).
176 Example Configuration
13.4 Configure an Access Control Service Trustzone
The main window of a Access Control Service Trustzone is split up into a navigation bar on the left and
the three policy rule sets on the right.
To guarantee that our policy trustzone has a public/private key pair to properly authenticate clients to
all participating Access Control Services, we initially need to create a Health Passport Signing Key
(Settings > Identity > Health Passport Signing Key). The Health Passport is used for authenticating
against other Access Control Service instances (for example Remediation Service and Border Patrol).
Therefore, generation of a Heath Passport Signing key is required.
Click New Key to create a new Health Passport Signing key. In this setup with local created
public/private keys use the previously created key and export the public part into the clipboard. This
public key is imported again as Health Passport Verification Key.
To keep our setup as simple as possible we will start with local machine policies. We recommend to
extend your setup by applying user specific or VPN policies as a next step. At the beginning even
setting up a restricted local machine rule set and configuring the gateway firewall rule set requires quite
some time.
So as a next step create at least one rule within the "Local Machine" policy rule set. The first and for
the moment the only available rule is our catch-all rule which usually should be at the end of your policy
rule set. Click New … at the bottom of the policy rule set or via the context-menu to create a policy rule.
When using more than one rule, remember that policy rule sets are processed from top to bottom.
The Policy Rule dialog is split up into these views:
Identity Matching
Required Health State
Policy Assignments
177 Barracuda NG Network Access Client - Administrator’s Guide
For the Identity Matching and Required Health State views, Basic and Advanced configuration dialogs
exist.
Fig. 13–4 Example configuration – Configure an Access Control Service Trustzone – Local Machine: Create Policy Rule: catch-all
178 Example Configuration
First start with defining the criteria for Identity Matching:
Since the Access Control Service in this sample setup is only reachable using private IP addresses we
can restrict the Networks section to the private address ranges.
As a next step define the required health conditions. For the catch-all rule you can define the same
policies you require for known clients, as security policies usually further restrict unknown clients
instead of granting them lower health requirements.
To comply to the above mentioned security requirements set the following parameters:
The value Required <Auto-remediation> automatically enables the Barracuda NG Personal Firewall and
the Antivirus Scanner if they are deactivated.
To set the parameter Last AV Scan Not Older Than to Ignore is due to the reason that performing a regular
full-scan of the client computer takes quite some time. To enforce users to perform a full-scan during
working hours is not always welcome if their computer is slowed down.
The option Policy Matching (section Basic Matching) is set to One-of-following. Therefore you don't need to specify
further matching criteria.
List 13–1 Example configuration – Configure a Access Control Service Trustzone – Local Machine: Edit Policy Rule – Parameters
Parameter Value
NG Personal Firewall On Required <Auto-remediation>
Antivirus Scanner On Required <Auto-remediation>
Last AV Scan Not Older Than Ignore
AV Engine Required Last-2
AV Pattern Definitions Required Last-2
AV Engine/Pattern Action Manual
Allowed Vendors Trend Micro, Inc
Antispyware disabled
179 Barracuda NG Network Access Client - Administrator’s Guide
For the AV engine and for the AV patterns the settings above accept the current version and also two
versions before. Usually companies already have mechanisms to perform regular updates of their AV
engines and patterns - in the sample you can thus leave the setting AV Engine/Pattern Action to Manual.
Instead continue with the view Policy Assignments and assign the following attributes:
Assign the Firewall Object unrestrictedAccess as Barracuda NG Network Access
Client
Assign the Welcome Message NG Network Accesss Protection Welcome as Message
of the Day. Since the local machine context of Microsoft Windows does not
allow GUI dialogs before login, the GUI components Message of the day and
Welcome picture are displayed as soon as a user has logged in.
Assign the Welcome Picture Barracuda NG Network Access Client Logo.
For Limited Access assign the appropriate Rule Set and Message
For the catch-all rule which matches all clients in the LAN, no automatic client
update is required, thus the parameter Software Update Required is set to No.
Fig. 13–5 Example configuration – Configure a Access Control Service Trustzone – Local Machine: Edit Policy Rule: catch-all
Checking engine and pattern versions of Antivirus- or Antispyware products requires up-to-date information on
server-side.
Before deploying new client versions to large-scale environments, the client software will usually be tested on a limited
number of clients. Thus it is recommended to create a separate policy rule which matches only a limited number of
clients. In this policy rule enable automatic software update. After updating a smaller number of clients, one can enable
automatic software update for the rest of the company's clients.
180 Example Configuration
In the sample you are not required to manually add "Network Access Policies". Instead you
can set up your firewall rules of the gateway firewall using the implicit roles unhealthy,
healthy, probation and untrusted.
Fig. 13–6 Example configuration – Configure a Access Control Service Trustzone – Local Machine: Edit Policy Rule – catch-all
181 Barracuda NG Network Access Client - Administrator’s Guide
13.5 Configure Forwarding Firewall Rule Set
Enforcement of the security policy is provided by the Barracuda NG Network Access Client software
installed on the endpoint itself. Whenever leaving the local collision domain, Barracuda NG Firewalls
can provide additional protection. To enforce the health policy, Barracuda NG Firewalls may interpret
the access policy attribute assigned to the endpoint within their rule sets. This provides a way to
enforce network access control concepts based on date and time, identity and health state and type
of network access.
To allow communication to protected servers only for clients conforming to the health policy, modify
the gateway firewall rule set as follows:
Open the forwarding firewall rule set and change to section User Groups.
Select New … in the context menu to create a new User Object.
After setting a name for the user object add a new User Condition
Within the Policy Roles Patterns section, change the logic operation to One
Pattern must match (OR).
Add two new Policy Roles Patterns: healthy and probation.
Close the User condition dialog.
Create or edit the firewall rule Healthy-Access-to-protected-Servers.
Add a reference to the new user object healthy-clients within the
Authenticated user dialog box.
Fig. 13–7 Example configuration – Configure forwarding firewall rule set – Edit/Create User Object > User Condition
182 Example Configuration
If the user authentication is assigned to the firewall rule, only clients either fully conforming to the policy
("healthy") or clients being in "probation" state are allowed to access the protected network.
Fig. 13–8 Example configuration – Configure forwarding firewall rule set – Edit Rule: Healthy-Access-to-protected-Servers[Rule]
Fig. 13–9 Example configuration – Configure forwarding firewall rule set – Firewall - Rules
Barracuda Networks allows access even for clients in "probation" since we do not want to block new
connections or even terminate existing connections only because the antivirus patterns are not up-to-date for a
few minutes. Remember that the client is in "probation" while it tries to execute the (auto)remediation actions. If
the remediation fails, then it will become "unhealthy".
183 802.1X – Technical Guideline
Chapter 14
802.1X – Technical Guideline
14.1 Overview
Barracuda NG Network Access Client features the IEEE 802.1X standard for port-based network
access control. The IEEE 802.1X standard defines a client-server-based access control and
authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly
accessible ports unless they are properly authenticated. Every client connected to a switch port must
be authenticated by the authentication server before having access to any services provided by the
switch or LAN. Until the client is authenticated, the only traffic allowed through the port the client is
connected to, is the Extensible Authentication Protocol over LAN (EAPOL), the Cisco Discovery
Protocol (CDP) and the Spanning Tree Protocol (STP).
Other than common implementations of the 802.1X standard, the client computer's health state is the
criterion for access control. The health state of a client computer is evaluated by the Barracuda NG
Access Control Server, accessible from within the initial assigned guest VLAN after the first
authentication using default credentials succeeded. Once the client computer evaluated its health
state, it will start the authentication using a unique identifier as username and a session id as
password, received by the Access Control Server based on his health evaluation result. The
authentication server will assign the client computer the VLAN configured for the result of the client
computer's health evaluation result.
When the user logs off or shuts down the operating system, the Client service will notify the
wpa-supplicant to send the logoff command so the switch disabling the line protocol on the port the
client computer is connected to. The logoff, along with the logon and reassociate command can also
be executed by the user manually using the Barracuda NG Access Monitor or the command-line
interface.
The four key entities in the network environment using port security are:
Client computer
with an installed Barracuda NG SSL VPN and NAC Client utilizing the wpa-supplicant, which
will request access to the LAN and will respond to identity requests by the switch. The
wpa-supplicant will be started and controlled by the Client Service for 802.1X authentication,
where as the Barracuda NG Access Monitor service is responsible for the evaluation of the
client computer's health state.
• Switch
Is responsible for controlling the physical access to the LAN based on the authentication
status of the client. The switch acts as proxy between the client computer and the authenti-
cation server.
Authentication Server
184 802.1X – Technical Guideline
Necessary for authentication, validates the client computer's identity information forwarded
by the switch and notifies the switch which VLAN the client computer is assigned to. Due to
the switch's functionality as proxy the authentication service is transparent to the client.
Access Control Server
The Access Control Server is required to determine the health state of the client computer
based on the information provided by the Barracuda NG Access Monitor service. It also han-
dles the configuration of the VLANs assigned to the client computers for healthy and un-
healthy states.
14.2 Status Monitoring
Multiple sources of information are available in order to monitor the status of the components handling
the 802.1X authentication process:
EAP Packet Tracer
Barracuda NG Access Monitor
Log files on the client computer
Access Control Server logs
Switch web interface
Switch console interface
14.2.1 EAP Packet Tracer
The EAP Packet tracer displays all EAP and EAPOL packets captured by phionuio driver. To enable
the capturing of EAP Packets to be processed by the EAP Packet Tracer modify the following option.
For every network interface, the driver will generate a separate dump file named
wpa_{adapter_uid}.cap which is located in the install directory’s log folder.
Table 14–1 Key 8021XTraceEAP
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021XTraceEAP
Value Enables or disables verbose output to be written (Default=1).
0 - disabled
1 - enabled
Changing this value takes effect immediately.
This value may also be changed through the Advanced Settings of the Barracuda NG Access Monitor
185 Barracuda NG Network Access Client - Administrator’s Guide
14.2.2 Using the Barracuda NG Access Monitor for Analysis
The Barracuda NG Access Monitor provides within its port security section a listing of all network
interfaces capable of 802.1X, displaying the current status.
Additionally, the Barracuda NG Access Monitor allows opening a command-line interface for the
selected device.
Supplicant console interface
If more detailed status information or control is required, the Barracuda NG Access Monitor provides
the option to open a console interface for all instances of wpa-supplicants. This console interface
allows monitoring and direct control of the wpa-supplicant.
14.2.3 Log Files on the Client Computer
If verbose output is enabled log files are created for the following components:
The log files can be found in the folder \log located in the installation directory, which by default is
C:\Program Files\BarracudaNG\. Also the Barracuda NG Access Monitor provides a view in the
Advanced Settings section, listing all available log files and providing the functionality to open them in
the default editor.
Table 14–2 Commands for wpa-supplicant
Command Description
status
verbose
Lists all status information available from the wpa-supplicant
logon Starts a new authentication sequence by sending an EAPOL start packet to the switch
logoff Log off the client computer, disabling the line protocol on the port the client is connected to
reassociate Will force a re-association
Using the console interface requires Administrative privileges.
Table 14–3 Components - log files
Component Log Files
Client service phions.log
Barracuda NG Access Monitor phionha.log
For every instance of a running
wpa-supplicant
wpa_supplicant_{adapter_uid}.log
186 802.1X – Technical Guideline
To enable or disable verbose the below registry needs to be set:
14.2.4 Switch Web Interface
The web interface provides various outputs for monitoring and configuration. These can be viewed in
any web browser. The web interface additionally provides a simple command-line allowing configuring
or showing any settings.
Following sample output shows the 802.1X configuration for the port used in this document.
Command base-URL:
/level/15/exec/-
Complete URL:
/level/15/exec/-/show/dot1x/interface/fa0\/3/CR
Command:
show dot1x interface fa0/3
These values are described in more details on:
Table 14–4 Key Logging
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key Logging
Value Enables or disables verbose output to be written (Default=0).
0 - disabled
1 - enabled
Changing this value takes effect immediately.
This value may also be changed through the Advanced Settings of the Barracuda NG Access Monitor.
Fig. 14–1 802.1X configuration for the used ports
Supplicant MAC 00a0.c992.0000
AuthSM State = AUTHENTICATED(AUTH-FAIL-VLAN)
BendSM State = IDLE
Posture = N/A
ReAuthPeriod = 3600 Seconds (Locally Configured)
ReAuthAction = Reauthenticate
TimeToNextReauth = 3224 Seconds
PortStatus = AUTHORIZED(AUTH-FAIL-VLAN)
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
PortControl = Auto
ControlDirection = Both
QuietPeriod = 1 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 251
AuthFail-Vlan = 252
AuthFail-Max-Attempts = 3
Critical Port = Disabled
187 Barracuda NG Network Access Client - Administrator’s Guide
• ReAuthPeriod
see 14.3.9 Periodic client re-authentication by the switch, page 193
• Guest-Vlan
see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Vlan
see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Max-Attempts
see 14.3.11 Authentication Message Exchange, page 194
• QuietPeriod
see 14.3.12 VLAN Assignment, page 195
The output following is the status of a network interface on the switch a client computer is connected
to. The first line (underlined) shows the probably most important information about whether a client
computer is connected to the port: FastEthernet0/3 is down/up. (up when a client is connected,
and down if otherwise). The second part indicates if the line protocol is enabled (up) or disabled (down)
restricting or allowing network traffic.
Command base-URL:
/level/15/exec/-
Complete URL:
/level/15/exec/-/show/dot1x/interface/fa0\/3/CR
Command:
show interface fa0/3
Fig. 14–2 Status of a network interface on the switch
FastEthernet0/3 is down, line protocol is down (notconnect)
Hardware is Fast Ethernet, address is 0016.c7ba.9505 (bia 0016.c7ba.9505)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:07:31, output 00:07:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
7496 packets input, 1124053 bytes, 0 no buffer
Received 7335 broadcasts (0 multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 5949 multicast, 0 pause input
0 input packets with dribble condition detected
36644 packets output, 3008285 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
188 802.1X – Technical Guideline
14.2.5 Switch Console Interface
For either administrative or informative purposes it is possible to connect to the switch using a telnet
session. By default the console interface shows only little output. To enable higher verbosity it is
recommended to enable debug information, as seen in the example, for various topics. To enable or
disable debug logs it is required to enter the privileged exec mode.
To enter privileged exec mode, enter after initially authenticating following line:
enable
Example enabling debug output:
debug aaa authentication
debug aaa authorization
debug aaa accounting
debug dot1x all
debug eap all
Sample debug information for EAP should look something like this:
14.3 Authentication
14.3.1 Notes
For convenience reading throughout this document, certain terms will be
referred to by following aliases:
{install_directory}: The directory on the client computer, the Barracuda NG
Access Monitor is installed to.
{adapter_uid}: The unique identifier for any network interface, this GUID can
be viewed in the detail view of any network adapter in the port security window
of the Barracuda NG Access Monitor
The 802.1X authentication mechanism is only supported on following types of
network interfaces:
Ethernet
Fig. 14–3 Sample debug information for EAP
The Cisco command line interface supports auto-competition for almost any command.
*Mar 2 23:13:32.140: eap_authen : during state eap_auth_method_response, got event 11(eapMethodEnd)
*Mar 2 23:13:32.140: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
*Mar 2 23:13:32.140: eap_authen : during state eap_auth_select_action, got event 16(eapDecisionPass)
*Mar 2 23:13:32.140: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
*Mar 2 23:13:32.140: eap_authen : during state eap_auth_passthru_init, got event 18(eapPthruIdentity)
*Mar 2 23:13:32.140: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
*Mar 2 23:13:32.140: AAA/AUTHEN/8021X (00000020): Pick method list 'default'
189 Barracuda NG Network Access Client - Administrator’s Guide
Token Ring
• FDDI
Point-to-Point
14.3.2 Operational Sequence
14.3.3 Startup
1.) NG NAC services start
2.) Disabling Microsoft Windows 802.1X compliant software
3.) Starting the WPA supplicant
4.) WPA supplicant configuration
5.) WPA supplicant running
14.3.4 Runtime
1.) Re-authentication by the Client Service
2.) Re-authentication by the switch
3.) Re-authentication by the user using the command line
4.) Authentication Message Exchange
5.) VLAN Assignment
14.3.5 Shutdown
1.) Operating system shutdown by the user
2.) Operating system logoff by the user
3.) Manual Logoff command by the user
14.3.6 Start up
1.) Barracuda NG Network Access Client start
The Barracuda NG Network Access Client Secure Client 2.0 consists of two services, the main "Client"
service and the "Barracuda NG Access Monitor" service which is dependent on the "Client" service. If
verbose output is enabled, a log file for the Barracuda NG Client service, named "phions.log", and the
Barracuda NG Access Monitor’s "phionha.log", both within the log file directory (see Status
Monitoring), will be created.
190 802.1X – Technical Guideline
2.) Disabling Microsoft Windows 802.1X compliant software
Since Microsoft Windows ships with its own 802.1X compliant client software, the Client service needs
to disable it before starting the WPA supplicant. The Microsoft 802.1X compliant client software
consists of:
Once those services have been stopped by the client, the client will start the driver service that is
necessary for handling requests from the switch.
After all supplicants have been terminated, they will be (re-) enabled. To verify for a successful
disabling process, verbose output is available:
3.) Starting the wpa-supplicant
The " Client" service will start a WPA supplicant, named "wpa_supplicant.exe", for all supported
network interfaces given following circumstances:
"1.1.A is set to enabled
"1.1.B is set to enabled for the network interface to use 802.1X is set to
enabled
Table 14–5 Microsoft 802.1X compliant client software
Service Friendly Name Service Name
Wired AutoConfig WZO (prior to Windows Vista)
dot3svc (Windows Vista)
WLAN AutoConfig Wlansvc
ndisuio User Mode Input Output Driver
Fig. 14–4 phions.log
Table 14–6 Key 8021XMonitor
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021XMonitor
Value Enables or disables 8021X authentication on the client computer (Default=1)
0 - disabled
1 - enabled
Changes of this value take effect immediately.
[009002007000] -->checking for WZO & Ndisuio and stopping them
[009002008000] ==> CheckAndStopService(dot3svc, true)
[009002008000] ==> CheckAndStopService(Wlansvc, true)
[009002008000] ==> CheckAndStopService(Ndisuio, true)
[009002006000] ==> togglephionuio
[009002006008] phionuio already running / phionuio started
[009002006000] <== togglephionuio
[009002007010] <-- finished WZO & Ndisuio service check
191 Barracuda NG Network Access Client - Administrator’s Guide
Alternatively the value in 1.1.A can be set by the Access Control Server, enforcing 802.1X
authentication. To enable the enforced use of 802.1X by the Access Control Server, following option
can be set:
Enter the Access Control Server trust-zone configuration using the Barracuda
NG Admin administration tool
Open the rule to enable the use of 802.1X authentication and select the view
Policy Assignments
Set the option Use 802.1X Authentication to Yes or No as desired
4.) wpa-supplicant configuration
In order for the "Client" service to run the wpa-supplicant, the wpa-supplicant requires a valid
configuration file for every network interface a supplicant will operate on. These configuration files are
located in the folder {install_directory}\wpa and generated by the Client service from a
template configuration automatically.
If the configuration file for the network interface used is corrupted, following behavior will occur:
The wpa-supplicant exe will terminate almost immediately and will not appear
in the Process Explorer or Task Manager
If verbose output is enabled:
wpa_supplicant_{adapter_uid}.log:
Line X: Invalid configuration file …
This value can also be changed within the Advanced Settings of the Barracuda NG Access Monitor, IEEE 802.1X
Authentication parameter.
Table 14–7 Key {adapter_uid}
Item Description
Path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phionuio\Parameters\Adapters\
Key {adapter_uid}
Value Enables or disables 8021X authentication for the adapter with the specified adapter_uid (Default=0)
0 - disabled
1 - enabled
Changes of this value take effect immediately.
This option may also be changed on the property page of the Barracuda Networks Personal Access Client within
the network interface's properties dialog by changing the 802.1X Authentication option.
If an existing instance of a WPA supplicant is already running for the desired network interface while the service start
is executed on the client, then the supplicant will be terminated followed by starting a new instance.
192 802.1X – Technical Guideline
To resolve this problem proceed following steps:
Delete the corrupted configuration file
You will require elevated privileges to perform this step.
Kill the process wpa_supplicant.exe
You will require elevated privileges to perform this step.
5.) wpa-supplicant running
A successful start of the wpa-supplicant can be verified by:
The Process Explorer or Task Manager will show for every network interface
using 802.1X, a wpa-supplicant, named "wpa_supplicant.exe" as child process
of "phions.exe" appearing in the Process Explorer or Task Manager
If verbose output is enabled following verbose output needs to be present in
the log files:
14.3.7 Runtime
During runtime the wpa-supplicant will re-authenticate periodically. This can be triggered either by the
Client service or the switch.
The Client service will generate the configuration file based on the template.
Table 14–8 wpa-supplicant running – phions.log
Item Output Description
802.1X [009001000001] stating that 802.1X monitoring is enabled
[009004000002] stating the authentication method (machine, user, user with
certificate)
[009002000009] 802.1x monitor created
[009001000002] reloading adapter list for wpa_supplicant
Non-ethernet adapters [009001000003] adapter found to be non-ethernet …
Virtual adapters [009001000003] found virtual adapter …
Disabled adapters [009001000003] found disabled adapter …
Active adapters [009001000004] 802.1x disabled for adapter …
Table 14–9 wpa-supplicant running – wpa_supplicant_{adapter_uid}.log
Output
CTRL: Open pipe
CTRL: ConnectNamedPipe: connection in progress
Initializing interface '{adapter_uid}' …
193 Barracuda NG Network Access Client - Administrator’s Guide
14.3.8 Re-authentication by the client service
The client service is able to enforce a re-authentication, given the configured interval (see 2.0.A),
independent of the switch's configuration. After the configured amount of seconds elapsed the Client
service will start the authentication sequence. By sending a EAPOL Start packet (see: 2.3.I) and
waiting for the identity request starting the authentication sequence (see: 2.3.II).
14.3.9 Periodic client re-authentication by the switch
You can enable periodic 802.1X client re-authentication and specify how often it occurs. If you do not
specify a time period before enabling re-authentication, the number of seconds between
re-authentication attempts is 3600 (1 hour). This option must be changed either through a command
line interface on the switch or the web interface.
Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the
client and to configure the number of seconds between re-authentication attempts.
Commands:
configure terminal
Enter global configuration mode
interface <interface-id>
Specify the port to be configured, and enter interface configuration mode
dot1x re-authentication
Enable periodic re-authentication of the client, which is disabled by default.
dot1x timeout reauth-period <seconds>
Set the number of seconds between re-authentication attempts.
The range is 1 to 65535; the default is 3600 seconds.
This command affects the behavior of the switch only if the periodic re-authentication is en-
abled.
• end
Return to privileged EXEC mode.
show dot1x interface
Verify your entries
Table 14–10 Registry entry for 802.1X authentication
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021XReAuthPeriod
Value Desired number of seconds the "Client" service must wait until re-authentication (Default 3600 seconds)
0 - 4294967295
Changes of this value will take effect with the next health evaluation by the Barracuda NG Access Monitor service.
194 802.1X – Technical Guideline
To disable periodic re-authentication, use the no dot1x re-authentication interface
configuration command. To return to the default number seconds between re-authentication attempts,
use the no dot1x timeout reauth-period interface configuration command.
The re-authentication started by the switch is illustrated in 2.3.II.
14.3.10 Manually re-authenticating using the command line
You can manually re-authenticate the client connected to a specific port at any time by entering the
dot1x re-authenticate interface <interface-id> privileged EXEC command in a remote telnet
session on the switch or the web interface.
14.3.11 Authentication Message Exchange
The following image illustrates the authentication message exchange between the client computer, the
switch and the RADIUS authentication server:
Shown in the first section (I) is the initial EAPOL start packet sent by the wpa_supplicant from the client
computer, starting the 802.1X authentication scheme. This occurs on following circumstances:
An instance of the wpa-supplicant started and running beginning
authentication.
The configured re-authentication period elapsed and the wpa-supplicant starts
re-authentication.
Section II illustrates the message exchange of the authentication. This occurs when:
The client computer starts (re)-authentication; see section I above.
The configured re-auth period configured on the switch elapsed.
Fig. 14–5 Example
Fig. 14–6 Example
Fig. 14–7 Authentication Message Exchange Process
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x reauth-period 4000
Switch# dot1x re-authenticate interface fa0/3
195 Barracuda NG Network Access Client - Administrator’s Guide
A re-authentication is triggered manually on the switch by a user through the
command-line interface.
Finally, section III shows the way the logoff command is sent to the switch in order to disable the line
protocol on the port. There are several possibilities for the log-out process:
The user shuts down the operating system on the client computer.
The user logged off the operating system on the client computer.
The user executed the logoff command manually using the Barracuda NG
Access Monitor or the command-line interface.
See for the EAPOL packet frames.
14.3.12 VLAN Assignment
Network access control is enforced by assigning the client different VLANs, each for a different state:
It is possible that to the client computer is a different VLAN addigned by the RADIUS server due to a
failed authentication resulting of either:
A change of the clients health state. This is the most common reason.
A change of the configuration on the Access Control Server.
A not matching session password.
If this happens, then the switch will enter the Quiet Period, meanwhile disabling the line protocol and
not responding to any packets received on the port the client computer is connected to.
For faster response time it is recommended to set this value to 1 second. To change the quiet period,
follow the steps below in privileged EXEC mode using a command-line interface on the switch.
Command:
configure terminal
Enter the global configuration mode
Table 14–11
VLAN Condition Description
Guest VLAN Default VLAN which is initially assigned to the client computer
Authentication Fail The authentication against the
RADIUS server failed
The client computer will be assigned this VLAN if he fails to
authenticate successfully before the maximum number of
authentication failures is reached. The maximum number failures can
be configured on the switch by setting the option
AuthFail-Max-Attempts in the dot1x configuration on the desired port
Healthy The client computer met all health
requirements
This is the VLAN the client computer is indented to be assigned to.
Unhealthy The client computer did not meet
health requirements
In the Unhealthy-VLAN the client computer must be able to evaluate
his health state and access resources vital for restoring a healthy
state.
In the given engineering environment, the switch always enters the quiet period on the port the client computer is
connected to, whenever a different one than the currently assigned VLAN is assigned to the client computer.
196 802.1X – Technical Guideline
interface <interface-id>
Specify the port to be configured, and enter the interface configuration mode
dot1x timeout quiet-period <seconds>
Set the number of seconds that the switch remains in the quiet state following a failed au-
thentication exchange with the client.
The range is from 1 to 65535 seconds, the default is 60.
• end
Return to the privileged EXEC mode.
show dot1x interface
Verify your entries.
To restore the default quiet time, use the no dot1x timeout quiet-period interface
configuration command.
14.3.13 DHCP
It is possible instead of configuring the Access Control Server IPs locally on the client computer to
distribute them via DHCP.
The Access Control Server IPs the client computer received via DHCP are visible in the Advanced
Settings section of the Barracuda NG Access Monitor or the Barracuda NG Personal Firewall. Both
provide the functionality to delete the Access Control Server IPs, if necessary.
DHCP Renew
If the client computers in the network are configured to obtain their IP address using DHCP, there is
the possibility to trigger a DHCP renew whenever the client computer is assigned a different VLAN.
This can be configured either on the Access Control Server forcing it on the clients, or on the client
computer itself.
Fig. 14–8 Example
Table 14–12 Key 8021xEnableDHCPRenew
Item Description
Path HKEY_USERS\.Default\Software\phion\phionvpn\settings
Key 8021xEnableDHCPRenew
Value Enables or disables DHCP request when the assigned VLAN changes. (Default=0)
0 - disabled
1 - enabled
Changes of this value take effect immidiately.
Switch(config-if)# dot1x timeout quiet-period 30
197 Barracuda NG Network Access Client - Administrator’s Guide
To enable "DHCP Renew" on the Access Control Server enforcing it on all clients matching the rule it
is configured, follow these steps:
Enter the Access Control Server trustzone configuration using the Barracuda
NG Admin administration tool
Open the rule to enable DHCP Renew and select the view Policy Assignments
Set the option Use DHCP Renew to Yes or No as desired
14.3.14 ICMP Connectivity Checking
The Barracuda NG Access Monitor supports the usage of ICMP to check if the configured Access
Control Server is available. The use of this option highly recommended because it avoids long
timeouts, thus is enabled by default.
14.3.15 Resetting the 802.1X Authentication process
If, for which reason whatsoever, it is required to restart the 802.1X authentication process, the
Barracuda NG Access Monitor provides the necessary functionality. In order to perform this you should
follow these steps:
Enter the Port Security section in the Barracuda NG Access Monitor
Selected the network interface to reset
Choose "Reset" from the tasks menu on the left or through the context menu
of the network interface
Once done, the session password will be reset and the 802.1X authentication process starts over.
This value may also be changed by using the Advanced Settings screen within the Barracuda NG Access Monitor.
The value configured on the Access Control Server overwrites the value configured on the client computer.
Table 14–13 Key ICMPProbing
Item Description
Path HKEY_USERS\.Default\Software\phion\phionha\settings
Key ICMPProbing
Value Enables or disables the use of ICMP packets to check if the Access Control Server is available. (Default=1)
0 - disabled
1 - enabled
This value may also be changed using the Advanced Settings within the Barracuda NG Access Monitor through the
ICMP Connectivity Check parameter.
198 802.1X – Technical Guideline
14.3.16 Shutdown
14.3.17 Operating System Shutdown
When the client computer is been shut down, the Barracuda NG Access Monitor will send a logoff
command to switch, causing the line protocol being disabled by the switch.
14.3.18 Operating System Logoff
When a user logs off his account from the operating system, the Barracuda NG Access Monitor follows
the same procedure as above.
14.3.19 Manual Logoff
It is possible, if required, to logoff manually using the Barracuda NG Access Monitor. To do so take
following steps:
Enter the Barracuda NG Access Monitor Port Security section
Select the network interface to log off
Choose "Logoff" from the tasks menu on the left or through the context menu
of the network interface
To verify the logoff command was sent and executed properly, verbose output is required and needs
to show the following:
Table 14–14 phions.log
Output
[009003002002] sent command LOGOFF with answer [009003002003] about success
Table 14–15 phions.log
Output
[009002009001] monitor destroying
For every supplicant [009003002002] sent command LOGOFF with answer [009003002003] about success
[009003002002] sent command TERMINATE with answer [009003002003] about success
[009003009003] thread for adapter … ended
[009002009009] monitor destroyed
199 Barracuda NG Network Access Client - Administrator’s Guide
14.4 Addendum
14.4.1 Packets
The table shows an EAPOL packet frame:
The table below shows the fields of the EAP request-response frame:
14.4.2 WPA Supplicant Log File Identifiers
Table 14–16 EAPOL packet frame
Field Name Size Purpose
Version 1 Byte Protocol version
Type 1 Byte 1 Start
2 Logoff
Length 2 Bytes Length of the EAP packet
Data (EAP) N Bytes EAP packet
Table 14–17 Fields of the EAP request-response frame
Field Name Size Purpose
Code
1 Byte