Lab Guide
campus.barracuda.com | campus@barracuda.com
© Barracuda Networks Inc., December 18, 2017. The information contained within this document is confidential
and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized
or used for other than internal documentary purposes without the written consent of an official representative of
Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes
no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.
Lab Guide | Barracuda NextGen Firewall F Remote Access - NGF0601 | 3
Lab Description
Task 1. SSL VPN and CudaLaunch
More and more internal resources must be accessible from outside the trusted network. Employees need access to
these resources from anywhere, but the CSO doesn’t want to have the services facing the internet directly; she fears that
would widen the attack surface to possible intruders. To give the growing number of mobile workers access to these
resources via a web browser or a native app supporting mobile devices and desktop clients, the CSO has decided to use
an SSL VPN solution.
The resources to be accessed via SSL VPN are the internal website and SSH to the same server. Because of the insecurity of
some browsers, Internet Explorer must be blocked from accessing the SSL VPN resources.
OPTIONAL
Based on the limited availability of IPv4 addresses, the decision was made to use SSL VPN and client-to-site VPN on the
same public IPv4 address. It should be possible to provide client-to-site VPN connections via proxies or in hotel rooms
where TCP 80 and 443 are the only opened ports. The head of IT decided that it is better to have a client-to-site VPN always
working, rather than SSL VPN in this specific scenario.
Also, the login to the internal website via SSL VPN should be done automatically by passing user attributes to the website
to identify the logged-in user. To evaluate the possibility of managing the firewall using SSL VPN, some admins need
access to the firewall via the NextGen Admin SPOE feature over the SSL VPN.
Lab Outline
• Do not forget to configure the NextGen Firewall local authentication settings and to store at least one
user for testing purposes.
OPTIONAL
• Instead of deactivating the VPN service binding to 443, bind the SSL VPN to a loopback or internal address not used by
the client-to-site or site-to-site VPN, and use an access rule to get SSL VPN access via the external port 8443. It must be
possible to use SSL VPN / CudaLaunch (8443) and client-to-site VPN (691/443) at the same time.
OPTIONAL
If access to the portal is using a different port than 443, append it to the URL accordingly.
Intended Result
You should see the SSL VPN portal website.
User Authentication
• Open the web browser at https://203.0.113.70
• OPTIONAL
• If access to the portal is using a different port than 443, append it to the URL accordingly.
• Use Internet Explorer to verify the login is being blocked.
Web App
• Open the web app resource to verify access to the internal website.
Intended Result
The website should be rendered and “Your IP Address” should be one from the BO1 box or server layer.
OPTIONAL
• Fill out the user-defined attributes within the SSL VPN portal settings and verify the successful usage on
the internal website.
Intended Result
The website should show the values entered for the parameters handed over via GET or POST. In this example
“Firstname” and “Lastname” are using Herbert Feutl as values.
Intended Result
This shows the successfully created generic tunnel binding to 127.0.0.1:63392, which is used with PuTTY to get SSH
piped through to the BO1 server.
Successfully connected via SSH through the generic tunnel. Run the command “w” to see all SSH connections
and their source IP.
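The “w” check above can be scripted on the BO1 server so that any SSH session not arriving from the firewall stands out. This is an added example, not part of the original lab guide: the function names, the sample output and the choice of 10.0.108.1 (the internal management IP mentioned in this guide) as the expected source are assumptions.

```shell
#!/bin/sh
# Added example: audit the FROM column of `w` on the BO1 server.
# EXPECTED_SRC is an assumption: the firewall address that tunnelled SSH
# sessions should appear to come from. 10.0.108.1 is the internal
# management IP named in the lab guide; replace it if your setup differs.
EXPECTED_SRC="${EXPECTED_SRC:-10.0.108.1}"

# list_sessions: read `w` output on stdin, print "user tty from" per session.
list_sessions() {
    awk '
        # Locate the column header and remember where FROM sits.
        $1 == "USER" { for (i = 1; i <= NF; i++) if ($i == "FROM") col = i; next }
        # Every line after the header is one login session.
        col && NF >= col { print $1, $2, $col }
    '
}

# unexpected_sources: print remote sessions whose source is not EXPECTED_SRC.
# Local console sessions (FROM shown as "-") are ignored.
unexpected_sources() {
    list_sessions | awk -v ok="$EXPECTED_SRC" '$3 != "-" && $3 != ok'
}

# Constructed sample of `w -i` output (not captured from a real system).
sample_w() {
    cat <<'EOF'
 10:42:07 up 12 days,  3:01,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
student  pts/0    10.0.108.1       10:40    1.00s  0.02s  0.00s w -i
root     tty1     -                09:12    1:30m  0.01s  0.01s -bash
student  pts/1    198.51.100.23    10:41   20.00s  0.01s  0.01s -bash
EOF
}

# Stand-alone use: pass "live" to audit the sessions on this host.
if [ "${1:-}" = "live" ]; then
    w -i | unexpected_sources
fi
```

An empty result means every remote session came through the tunnel; any line printed is a session that reached SSH from another source and points to an access path that bypasses the SSL VPN.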
OPTIONAL
• Start the tunnel for NextGen Admin. Using the loopback IP on port 807 should grant management access via the
internal management IP (10.0.108.1).
Example Configuration
This is an example configuration for a group policy.
Intended Result
The VPN Connector is pre-installed and can be started with a simple click.
The VPN Profile Wizard pops up and asks for the basic configuration settings.
After successfully connecting to the VPN service, you need to trust the certificate by clicking Yes. Authentication is then
verified by the client.
Verify the certificate with the one configured on the VPN service.
Using “route print” on the command line and the network connections details in the GUI, verify the added routes and
assigned IP on the Windows machine.
Network Access
• Ping the BO1 server
• Open a browser and go to the BO1 server website. Verify the IP address used to access the website.
Intended Result
The IP address shown on the website should also be the one configured / assigned to the client-to-site VPN
interface on the Windows machine.