
Barracuda NextGen Firewall F-Series

Remote Access - NGF0601

Lab Guide

Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018 | Revision 1.0

campus.barracuda.com | campus@barracuda.com
© Barracuda Networks Inc., December 18, 2017. The information contained within this document is confidential
and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized
or used for other than internal documentary purposes without the written consent of an official representative of
Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes
no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.
Lab Guide | Barracuda NextGen Firewall F Remote Access - NGF0601 | 3

Lab Description
Task 1. SSL VPN and CudaLaunch
More and more internal resources must be accessible from outside the trusted network. Employees need access to
these resources from anywhere, but the CSO does not want the services facing the internet directly; she fears that
would widen the attack surface for possible intruders. To give the growing number of mobile workers access to these
resources via a web browser or a native app supporting mobile devices and desktop clients, the CSO has decided to use
an SSL VPN solution.
The resources to be accessed via SSL VPN are the internal website and SSH to the same server. Because of the insecurity of
some browsers, Internet Explorer must be blocked from accessing the SSL VPN resources.

OPTIONAL
Based on the limited availability of IPv4 addresses, the decision was made to use SSL VPN and client-to-site VPN on the
same public IPv4 address. It should be possible to provide client-to-site VPN connections via proxies or in hotel rooms
where TCP 80 and 443 are the only opened ports. The head of IT decided that it is better to have a client-to-site VPN always
working, rather than SSL VPN in this specific scenario.
Also, the login to the internal website via SSL VPN should be done automatically by passing user attributes to the website
to identify the logged-in user. To evaluate the possibility of managing the firewall using SSL VPN, some admins need
access to the firewall via NextGen Admin SPOE feature over the SSL-VPN.

Task 2. Client-to-Site VPN


A client-to-site VPN solution is needed for everyone who outgrows the SSL VPN. Everyone in the company using
the Barracuda VPN Client should be able to log into the company’s internal network using the client-to-site VPN
solution. There are no specific restrictions, but for easier communication with the employees, the same IP needs to be
used as for the SSL VPN.

Task 3. Client-to-Site VPN and SSL VPN (OPTIONAL)


Users are struggling with setting up client-to-site VPN connections; configuring the Barracuda VPN Client seems prone to
error. Use the SSL VPN to roll out a client-to-site VPN profile to all users. They should be able to download it via the web
browser, or simply use it with CudaLaunch on their mobile devices. The CSO has decided not to use IPsec implementations
because of the complexity with different vendors. TINA is the only protocol that needs to be supported.
Using the SSL VPN, access to the internal website should also be possible via the VPN App feature. Some employees have
reported problems when uploading large amounts of data to the website. For this reason, seamless direct access using
CudaLaunch would be ideal.

Lab Outline

Note: Use objects and inheritance of configuration values wherever possible.


The lab outline demonstrates one of several possible solutions based on the lab description above.
Therefore, use it only as a guide, not as the only solution of the lab description.

Task 1. SSL VPN and CudaLaunch

Step 1. Set Up the VPN Service


Set up the VPN service on your BO1 firewall to support SSL VPN and CudaLaunch listening on the static
IP address assigned.
• Introduce a VPN service and bind it to the static public IP
• Disable the client-to-site/site-to-site VPN listening on port 443
• Enable and bind the SSL VPN service to the public IP address assigned to the server
• Configure NGF Local as an identity scheme for SSL VPN
 

Note: Do not forget to configure the NextGen Firewall local authentication settings and to store at least one
user for testing purposes.

 OPTIONAL
• Instead of deactivating the VPN service binding to 443, bind the SSL VPN to a loopback or internal address not used by
the client-to-site or site-to-site VPN, and use an access rule to get SSL VPN access via the external port 8443. It must be
possible to use SSL VPN / CudaLaunch (8443) and client-to-site VPN (691/443) at the same time.

Step 2. Verify Configuration


Start a web browser and open SSL VPN on the public IP assigned (https://203.0.113.70). If this works, go to the next step
and create resources for SSL VPN.

OPTIONAL
If access to the portal is using a different port than 443, append it to the URL accordingly.
 

Intended Result
You should see the SSL VPN portal website.

Step 3. Configure SSL VPN Resources


Create and configure SSL VPN resources to get access to some internal applications.
• Get access to the BO1 server website using a web app.
• OPTIONAL
• Pass along user attributes (firstname, lastname) when visiting the BO1 server website. The variables can be handed
over via POST or GET, e.g. lastname=${user:var1}
• Use a native app or generic tunnel to allow SSH access to the BO1 server.
• OPTIONAL
• Make NextGen Admin access via SSL VPN / CudaLaunch available.
• Block Internet Explorer from logging into the SSL VPN portal.

Step 4. Verify Configuration

User Authentication
• Open the web browser at https://203.0.113.70
• OPTIONAL
• If access to the portal is using a different port than 443, append it to the URL accordingly.
• Use Internet Explorer to verify the login is being blocked.

Web App
• Open the web app resource to verify access to the internal website.

Intended Result
The website should be rendered, and “Your IP Address” should show an address of the BO1 box or its server layer
(the SSL VPN service relays the request, so the website does not see the remote client's address).

 OPTIONAL
• Fill out the user-defined attributes within the SSL VPN portal settings and verify the successful usage on
the internal website.

Intended Result
The website should show the values entered for the parameters handed over via GET or POST. In this example
“Firstname” and “Lastname” are using Herbert Feutl as values.
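The attributes the portal hands over with ${user:var1} are substituted on the firewall, but they still reach the website as ordinary GET or POST parameters, so any client that can reach the web server directly (from BO1-LAN or over the client-to-site VPN of Task 2) could send lastname=Admin itself. The following WSGI handler, an added example that is not part of the lab guide or of the BO1 server, shows the check the internal website needs: accept the attributes as an identity only when the request source is the SSL VPN service. The source addresses 10.0.108.1 and 10.0.108.2, the parameter names firstname and lastname, and the port 8080 are assumptions for this example.

```python
"""Added example (not Barracuda's code): identify the user from SSL VPN
pass-through attributes, but only when the request was relayed by the SSL VPN.

Assumed values: the BO1 box / server-layer addresses the SSL VPN service uses
towards the website are 10.0.108.1 and 10.0.108.2; the portal passes the
parameters 'firstname' and 'lastname' (the guide shows lastname=${user:var1})."""

import io
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Addresses that "Your IP Address" shows when the SSL VPN web app relays the
# request.  Anything else reached the website directly and typed the parameters.
TRUSTED_SSLVPN_SOURCES = {"10.0.108.1", "10.0.108.2"}  # assumed for the example
MAX_BODY = 4096  # do not read unbounded POST bodies


def read_attributes(environ):
    """Return (firstname, lastname) from the query string (GET) or form body (POST)."""
    if environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(min(length, MAX_BODY)).decode("utf-8", "replace")
        params = parse_qs(body, keep_blank_values=True)
    else:
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return params.get("firstname", [""])[0], params.get("lastname", [""])[0]


def identify_user(environ, trusted_sources=TRUSTED_SSLVPN_SOURCES):
    """Return (firstname, lastname) if the attributes came via the SSL VPN, else None.

    The source address is the only thing that turns the parameters from user input
    into an identity assertion made by the portal, so it is checked first."""
    if environ.get("REMOTE_ADDR") not in trusted_sources:
        return None
    first, last = read_attributes(environ)
    if not first or not last:
        return None
    return first, last


def app(environ, start_response):
    """WSGI application for the internal website's login page."""
    ident = identify_user(environ)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Identity attributes are accepted only via the SSL VPN portal.\n"]
    first, last = ident
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "Logged in as %s %s (via SSL VPN, source %s)\n" % (first, last, environ["REMOTE_ADDR"])
    return [body.encode("utf-8")]


def make_environ(method, remote_addr, query="", body=b""):
    """Build a minimal WSGI environ for offline testing (constructed input, not a capture)."""
    return {
        "REQUEST_METHOD": method,
        "REMOTE_ADDR": remote_addr,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


if __name__ == "__main__":
    # Serve on port 8080 (assumed); the SSL VPN web app resource points here.
    make_server("0.0.0.0", 8080, app).serve_forever()
```

If the website sits behind another proxy, the same rule applies to that hop: the address list must contain the relay the website actually sees, never a client-controlled header such as X-Forwarded-For.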

Native App / Generic Tunnel


• Start CudaLaunch and connect to the SSL VPN portal
• Enable the created tunnel and open putty.exe
• Connect to the loopback IP of CudaLaunch on the port assigned to the tunnel
• Verify the successful connection to the BO1 server

Intended Result
This shows the successfully created generic tunnel binding to 127.0.0.1:63392, which is used with PuTTY to get SSH
piped through to the BO1 server.

Successfully connected via SSH through the generic tunnel. Run the command “w” on the server to see all SSH sessions
and their source IP.
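The source column of “w” is the quickest way to tell the two access paths apart: through the SSL VPN generic tunnel the SSH session is opened by the firewall, so FROM shows a BO1 box or server-layer address, whereas a client-to-site session (Task 2) shows the client's address from the routed client network. The following script, an added example and not part of the lab guide, parses “w” output and classifies each session that way; the firewall address 10.0.108.1 and the sample output are assumptions, the client network 192.168.100.0/24 is the one used in Task 2.

```python
"""Added example (not Barracuda's code): classify SSH sessions on the BO1 server
by the access path their source address implies, from the output of `w`.

Assumed: the firewall address used by the SSL VPN service towards the server is
10.0.108.1.  Use `w -i` (procps) if FROM shows hostnames instead of addresses."""

import ipaddress

# Assumed BO1 box / server-layer address(es) seen for SSL VPN generic tunnels.
SSLVPN_SOURCES = [ipaddress.ip_network("10.0.108.1/32")]
# Routed client network for client-to-site VPN from Task 2.
C2S_CLIENT_NET = [ipaddress.ip_network("192.168.100.0/24")]

# Constructed sample of `w` output (not captured from a lab system): one session
# through the generic tunnel, one through client-to-site, one on the local console.
SAMPLE_W = """\
 10:42:01 up 3 days,  2:11,  3 users,  load average: 0.01, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
student  pts/0    10.0.108.1       10:40    1.00s  0.05s  0.01s w
student  pts/1    192.168.100.10   10:41    5.00s  0.03s  0.00s -bash
root     tty1     -                09:12    1:30m  0.10s  0.10s -bash
"""


def parse_w(text):
    """Yield (user, tty, source) for remote sessions.

    The first two lines are the uptime line and the column header; console logins
    have '-' in FROM and are skipped, as are entries that are not IP addresses."""
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) < 3 or fields[2] == "-":
            continue
        try:
            yield fields[0], fields[1], ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # hostname shown instead of an address


def classify(source, sslvpn=SSLVPN_SOURCES, c2s=C2S_CLIENT_NET):
    """Map a source address to the access path it should belong to."""
    if isinstance(source, str):
        source = ipaddress.ip_address(source)
    if any(source in net for net in sslvpn):
        return "ssl-vpn-tunnel"
    if any(source in net for net in c2s):
        return "client-to-site"
    return "unexpected"


def session_report(text):
    """Return {(user, tty): access path} for every remote session in `w` output."""
    return {(user, tty): classify(src) for user, tty, src in parse_w(text)}


if __name__ == "__main__":
    for (user, tty), path in session_report(SAMPLE_W).items():
        print("%-8s %-6s %s" % (user, tty, path))
```

An "unexpected" entry is worth a look: with the access rules of this lab, SSH on the BO1 server should only be reachable through one of the two VPN paths.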

 

OPTIONAL
• Start the tunnel for NextGen Admin. Connecting NextGen Admin to the loopback IP on port 807 should grant management
access via the internal management IP (10.0.108.1)

Task 2. Client-to-Site VPN

Step 1. Configure Client-to-Site VPN


Configure client-to-site VPN access to the internal network of BO1 using the BO1 firewall and the authentication scheme
already configured during the SSL VPN configuration.
• Create the default server certificate required by the VPN service
• Create a routed client network to be used for the client-to-site VPN. Take care not to overlap with existing
networks; for example, use 192.168.100.0/24
• Configure an External CA on the VPN service for client authentication
• External authentication against ngflocal should be mandatory for all client-to-site connections using the External CA
• Create a group policy that assigns an IP address out of the created client network
• Use the VPN default gateway as DNS server and redirect this traffic to the DNS caching service
• Push BO1-LAN to the client as a destination network routed through the client-to-site VPN
• The group policy condition should match only Barracuda clients, but any user group
• Configure the access rule on BO1 to allow full access from the client network to BO1-LAN

Example Configuration
This is an example configuration for a group policy.

Step 2. Verify Configuration


VPN Connector
• Start the VPN Connector
• Follow the VPN Profile Wizard
• Fill out the VPN server IP
• Use “User Name and Password” as authentication method

• Fill out the username and password and click Connect


• Trust the server certificate
• Using the command line (cmd), verify the added route
• Using Windows Network Connections, verify the enabled VPN network interface and the configured
IP and default gateway
 

Intended Result
The VPN Connector is pre-installed and can be started with a simple click.

The VPN Profile Wizard pops up and asks for the basic configuration settings.

After successfully connecting to the VPN service, you need to trust the certificate by clicking Yes. Authentication is then
verified by the client.

Verify the certificate with the one configured on the VPN service.

Using “route print” on the command line and the network connections details in the GUI, verify the added routes and
assigned IP on the Windows machine.

Network Access
• Ping the BO1 server
• Open a browser and go to the BO1 server website. Verify the IP address used to access the website.
 

Intended Result
The IP address shown on the website should be the one configured / assigned to the client-to-site VPN
interface on the Windows machine.

Task 3. Client-to-Site VPN and SSL VPN (Optional)

Step 1. Configure Group Policies and VPN Apps


Use the existing client-to-site configuration to enable VPN apps and the VPN group policy feature on the SSL VPN.
• Export the created client-to-site VPN group policy to a file
• Use the exported profile as a VPN group policy to be used with CudaLaunch-supported clients and
the SSL VPN web portal
• Configure a VPN app to allow direct access to the BO1 server website

Step 2. Verify Configuration


• Open a web browser and access the SSL VPN web portal. Try to download the VPN configuration.
• Start CudaLaunch and test:
• Connect to the BO1-LAN using the VPN connection resource
• Use the VPN app to have direct access to the BO1 server website. The default browser should open automatically
and access the website.
