All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice. Trademarks Barracuda NG Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.
Warranty and Software License Agreement ... 222; Barracuda Networks Limited Hardware Warranty ... 222; Barracuda Networks Software License Agreement ...
Introduction to Barracuda NG Network Access Client. Barracuda NG Network Access Client denotes Barracuda Networks' endpoint security and network access control (NAC) framework. What Barracuda NG Network Access Client provides is administered endpoint integrity and administered endpoint access.
Before we have a closer look at the interplay of the various components and their roles let us briefly study what has inspired the design of the Barracuda NG Network Access Client endpoint security framework. The originally very long list of requirements reads as follows in a slightly more condensed fashion: •...
Fig. 1–1 Barracuda NG Network Access Client environment. Since the NG Network Access Clients communicate with the Access Control Server at cyclic intervals, the Access Control Server should be placed as close as possible to the NG Network Access Clients. This helps reduce network traffic and improves response times.
The remediation server is the component from which policy attributes, such as firewall rule sets, welcome messages, and bitmaps as well as client software components required for updates can be obtained. It can be run on the same Barracuda NG Firewall system as the SHV or, for load balancing reasons, it can be spread out over several Barracuda NG Firewall systems.
seemingly complex procedure is rather straightforward and easy to understand. As autonomous machine authentication is rather uncommon in the VPN context, the "limited access" and the "local machine" firewall rule sets and policies need to be provided together with the actual VPN rule set. The "local machine"...
"untrusted access" firewall rule set and client message applies. Nevertheless, Barracuda Networks recommends to configure a catch-all rule at the end of the policy rule set. An explicit catch-all rule allows a better control of the required client health-state and gives more details to the end user.
Fig. 1–2 Client-Server actions during connection, health validation and assigning network access (flowchart; recoverable labels: client connection to server; client mode Local Machine; client collects and sends user & system information to Access Control Service; matching identity?; No Rule exception; automatic revalidation (configurable); health state change to Untrusted; Access Control Service sends ...)
1.) Determine the applicable rule set First of all, the NG Network Access Client determines in which context it is started and how it connects to the Access Control Service. The following three contexts are available: • Local Machine context The local machine context is available in case no user has logged in.
The available identity information is sequentially matched from top to bottom with the identity conditions of the individual policies. Each policy can be configured to match if all configured identity criteria apply or if only one of the configured criteria applies. Table 1–2 Matching Criteria Client Connection Type...
1.4.1 Health State "Untrusted" As soon as the identity match is finished and the client's identity cannot be validated, the health state changes to "Untrusted". Untrusted does not necessarily mean that the client is a guest client, but only that the Access Control Service cannot determine the client's identity.
To verify these requirements, each Access Control Service depends on up-to-date information about AV and AS products. Barracuda Networks provides an online update service that helps Barracuda NG Network Access Clients to recognize and activate AV and AS products.
Furthermore, the update service provides the information necessary to diagnose whether the client's signature databases and engine versions are up to date. As a prerequisite, either the Access Control Service (standalone Barracuda NG Firewall) or the CC (for managed Barracuda NG Firewalls) must have access to the internet. Endpoint Security Policy Introduction: Practices (Analyse, Enforce, Monitor). For implementing firewalls at formerly unrestricted network transitions like LAN segments or endpoint...
An important aspect related to trust zone crossing is the synchronization of authentication data. Basically, trust zones need to have a consistent and up-to-date view of the clients' authentication information that is shared across the whole network. To this end, the CC ensures that changes are replicated and synchronized across the various available servers and databases, so that identity federation is achieved.
AV and AS products. Barracuda NG Firewall includes an automatic software downloader that periodically connects to the Barracuda Networks website. To reduce the need for a permanent internet connection for Barracuda NG Firewalls, the Barracuda Networks update service behaves differently on stand-alone-managed boxes and CC-administered boxes.
List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator – section General. Parameter / Description: • Start System Health-Validator: Setting to yes starts the Access Control Server module before VPN health validation. • Health State Validity (min.): This value restricts the validity time of a health state. If the client does not re-evaluate its health state within that period, all assigned "network access rights"...
List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals. Parameters: VPN Remediation Service IPs; Sync authentication to Trustzone. 2.2.2 Remediation Service. List 2–7 Access Control Server - Access Control Server Settings - Remediation Server – section General. Parameter / Description: Start...
List 2–9 Access Control Server - Access Control Server Settings - 802.1X – section 802.1X. Parameter / Description: • Debug Log: Enable debugging log here. A service restart is required. (Parameter is only visible in Advanced View mode.) List 2–10 Access Control Server - Access Control Server Settings - 802.1X – section Radius Clients. Parameter / Description: • NAS identifiers...
List 2–15 Access Control Server - Access Control Server Settings - Advanced – section General. Parameter: Sync Access Cache to CC. List 2–16 Access Control Server - Access Control Server Settings - Advanced – section TLS/SSL. Parameter / Description: • TLS/SSL Certificate: The X.509 certificate which is used with TLS.
For those already familiar with Barracuda NG VPN, the Access Control Objects are similar to the objects available for Client to Site VPN. Fig. 2–1 Access Control Objects – Configuration tree - Access Control Objects • Welcome Messages can be used to display customized messages to welcome end-users to the corporate network, inform them about security policies, or display administrator contact details.
Assigned pictures are displayed in the client after successfully connecting to the Access Control Service. Fig. 2–3 Access Control Objects – Access Control Service Bitmaps Keep the size of your picture small since the picture will be transferred to all clients. Pictures larger than 167x90 pixels are scaled down on the Barracuda NG NAC anyway.
• Registry Check Objects: These objects allow an administrator to define registry checks to be performed on the client. This allows validating registry keys and values as well as taking action in case of failed validation. Available actions are ... Access Control Service health validation will fail if the specified registry keys are not set appropriately.
Access Control Objects provide a hierarchical override mechanism. Objects on cluster level sharing the same name as global or range objects override the global definition(s). This mechanism works like the one using global firewall objects for the Barracuda NG Firewall. Access Control Service Trustzone: Each Access Control Service belongs to a so-called trustzone.
The pre-defined Access Control Service Trustzones (navigation path: <servername> > Virtual Servers > ... Control Service Settings). Fig. 2–8 Access Control Service Trustzone - Configuration dialog. The Barracuda NG Control Center automatically links the Trustzone to the appropriate global / range / cluster object. As mentioned in the introduction above, each trustzone contains three policy rule sets.
2.4.1 Rules The main window of an Access Control Service Trustzone is split up into a navigation bar on the left and three policy rule sets on the right (1.3 What is a Policy Rule Set?, page 8). Fig. 2–9 Access Control Service Trustzone - Rules 2.4.2 Identity Matching - Basic The first step when processing a policy rule set (either local machine, current user, or VPN) is to...
If the identity match fails, the next rule is taken into account. Fig. 2–10 Access Control Service Trustzone - Rules - Identity Matching Basic. List 2–20 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Identity Matching. Parameter / Description: • Policy Name...
List 2–21 Access Control Service Trustzone - Rules - Identity Matching Basic – section Basic Matching. Parameter / Description: • Policy Matching (All-of-following / One-of-following): Set this option to define what counts as a successful identity verification. If (under All-of-following) just one field does not match, the identity is not verified successfully within this policy rule and the health match process proceeds with the next policy rule in the policy rule set.
2.4.3 Identity Matching - Advanced. Fig. 2–11 Access Control Service Trustzone - Rules - Identity Matching Advanced. List 2–22 Access Control Service Trustzone - Rules - Identity Matching Advanced – section Advanced Identity Matching. Parameter / Description: • MAC Addresses: Enter MAC addresses here. Patterns may be used. • Microsoft ...: Enter Microsoft Machine SIDs here.
2.4.4 Required Health State - Basic Fig. 2–12 Access Control Service Trustzone - Rules - Required Health State Basic After successful verification of the client’s identity, this configuration entity is used for determining the client’s health state. Some of the parameters provide the following options: •...
In case of third-party products (for example Virus scanner), Auto-Remediation may not work with all available engine versions. As fallback, the client always requests manual action. List 2–24 Access Control Service Trustzone - Rules - Required Health State Basic – section Service Settings Parameter Description NG Personal...
List 2–27 Access Control Service Trustzone - Rules - Required Health State Basic – section Antivirus. Parameter / Description: • Last AV Scan Action (Manual / Auto Remediation): Depending on this parameter, either the user is informed to manually perform a full AV system scan, or the client tries to execute a full system scan automatically.
List 2–28 Access Control Service Trustzone - Rules - Required Health State Basic – section Antispyware. Parameter / Description: • AS Pattern Definitions Required (Ignore / Latest (default) / Previous / Last-2): Set to Ignore, the client may be healthy without having any anti-spyware patterns installed. Set to Latest ... Set to...
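To make the sequence of the last sections concrete (identity criteria matched top to bottom with All-of-following or One-of-following, the first matching rule dictating the required health state, AV/AS pattern requirements of Ignore, Latest, Previous or Last-2, a Manual or Auto Remediation action for an overdue AV scan, and "Untrusted" with "No rule matched" when no identity matches), the following Python script is an added example written for this page. It is not Barracuda code and does not talk to a real Access Control Service; rule names, criterion keys, pattern version numbers and the sample clients are all constructed.

```python
"""Added example, not Barracuda's code: a simplified model of how a trustzone's
policy rule set evaluates a client, following the procedure the guide describes.
Criterion names, version numbers and sample clients are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Pattern requirement -> how many versions behind the latest still counts as healthy
PATTERN_TOLERANCE = {"Ignore": None, "Latest": 0, "Previous": 1, "Last-2": 2}


@dataclass
class PolicyRule:
    name: str
    identity: dict                 # criterion -> list of allowed patterns (fnmatch style)
    matching: str                  # "All-of-following" or "One-of-following"
    av_pattern: str = "Latest"
    as_pattern: str = "Latest"
    av_scan_max_age_h: int = 24 * 7
    av_scan_action: str = "Manual"  # or "Auto Remediation"


def identity_matches(rule, client):
    """Evaluate every configured criterion, then combine per the rule's matching mode."""
    results = []
    for criterion, patterns in rule.identity.items():
        value = client.get(criterion)
        results.append(value is not None and any(fnmatchcase(value, p) for p in patterns))
    return all(results) if rule.matching == "All-of-following" else any(results)


def pattern_ok(required, installed, latest):
    tolerance = PATTERN_TOLERANCE[required]
    if tolerance is None:          # Ignore: healthy even with no patterns installed
        return True
    if installed is None:          # any other setting needs patterns at all
        return False
    return latest - installed <= tolerance


def required_health_state(rule, client, latest_av, latest_as):
    """Returns ("Healthy", []) or ("Unhealthy", [failed checks and required actions])."""
    info = []
    if not pattern_ok(rule.av_pattern, client.get("av_pattern"), latest_av):
        info.append("AV pattern outdated")
    if not pattern_ok(rule.as_pattern, client.get("as_pattern"), latest_as):
        info.append("AS pattern outdated")
    if client.get("av_scan_age_h", float("inf")) > rule.av_scan_max_age_h:
        info.append("AV scan overdue")
        if rule.av_scan_action == "Auto Remediation":
            info.append("Auto Remediation: full system scan started")
        else:
            info.append("Manual: user informed to run a full system scan")
    return ("Healthy", []) if not info else ("Unhealthy", info)


def evaluate(rules, client, latest_av, latest_as):
    for rule in rules:             # top to bottom, first identity match wins
        if identity_matches(rule, client):
            state, info = required_health_state(rule, client, latest_av, latest_as)
            return {"rule": rule.name, "health": state, "info": info}
    return {"rule": None, "health": "Untrusted", "info": ["No rule matched"]}


# Constructed policy rule set and clients (versions are plain integers here)
RULES = [
    PolicyRule("corporate-laptops",
               identity={"machine_sid": ["S-1-5-21-111-*"], "user": ["CORP\\*"]},
               matching="All-of-following", av_pattern="Latest", as_pattern="Previous",
               av_scan_max_age_h=72, av_scan_action="Auto Remediation"),
    PolicyRule("contractors",
               identity={"mac": ["00:11:22:*"], "user": ["EXT\\*"]},
               matching="One-of-following", av_pattern="Last-2", as_pattern="Ignore",
               av_scan_max_age_h=168, av_scan_action="Manual"),
]
LATEST_AV, LATEST_AS = 1200, 340
CLIENTS = {
    "laptop-ok": {"machine_sid": "S-1-5-21-111-500", "user": "CORP\\alice",
                  "av_pattern": 1200, "as_pattern": 339, "av_scan_age_h": 10},
    "laptop-stale": {"machine_sid": "S-1-5-21-111-501", "user": "CORP\\bob",
                     "av_pattern": 1199, "as_pattern": 339, "av_scan_age_h": 100},
    "contractor": {"mac": "00:11:22:aa:bb:cc", "user": "GUEST\\eve",
                   "av_pattern": 1198, "as_pattern": None, "av_scan_age_h": 50},
    "unknown": {"machine_sid": "S-1-5-21-999-500", "user": "CORP\\mallory",
                "av_pattern": 1200, "as_pattern": 340, "av_scan_age_h": 1},
}


def evaluate_samples():
    return {name: evaluate(RULES, c, LATEST_AV, LATEST_AS) for name, c in CLIENTS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:13} rule={result['rule']!s:18} {result['health']:9} {result['info']}")
```

Note that "unknown" carries a corporate user name but a machine SID outside the configured range; under All-of-following that is not enough, and because no later rule matches either, the client ends up Untrusted rather than being treated as a guest, which is exactly why the guide recommends an explicit catch-all rule at the end of the rule set.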
Select (context menu) to create a new entry. The configuration dialog provides the following entries: Fig. 2–14 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions. List 2–29 Access Control Service Trustzone - Rules - Required Health State Advanced - Allowed Health Suite Versions. Parameter / Description: • Name...
2.4.6 Policy Assignments. Fig. 2–15 Access Control Service Trustzone - Rules - Policy Assignments. List 2–30 Access Control Service Trustzone - Rules - Policy Assignments – section Attributes. Parameter / Description: • Personal Firewall Settings (Ruleset Name): Choose one of the created Personal Firewall Rule objects here. If the client does not already have this rule set installed, the health state will be set to unequal "healthy"...
List 2–31 Access Control Service Trustzone - Rules - Policy Assignments – section Exceptions. Parameter / Description: • User Authentication Required (Yes / No / Like Service Settings (Default)): Only available for the local machine rule set. If set to "No", user authentication is not performed even if a user logs in. List 2–32 Access Control Service Trustzone - Rules - Policy Assignments – ...
Fig. 2–16 Access Control Service Trustzone - Settings. List 2–33 Access Control Service Trustzone - Settings – section No Rule Exception. Parameter / Description: • Limited Access Bitmap: Here choose one of the ... • Limited Access ...: see parameter Ruleset Name. • Limited Access Message. List 2–34 Access Control Service Trustzone - Settings – section Identity. Parameter / Description: • Health Passport...
List 2–34 Access Control Service Trustzone - Settings – section Identity. Parameter / Description: • Health Passport Verification Key: Here set the RSA public key for verifying a digital passport signature. If one Access Control Server instance is a remediation server exclusively, it is not necessary to set the Passport Verification ... List 2–35 Access Control Service Trustzone - Settings – ...
This view provides information concerning Antivirus and Antispyware vendors and versions that are supported. The Support Chart is automatically downloaded from the Barracuda Networks update service mentioned above and distributed to Barracuda NG Admin on connect. Thus, the Support Chart reflects the current capabilities of the Access Control Service.
Server Config – Personal Firewall Rules. General: To configure the personal firewall rules, browse to Config > Virtual Servers > Client to Site and double-click the appropriate VPN Firewall Rule Set. <Rule Set Name> Tab: This tab allows manual rule configuration, testing, and setting the options. Personal Firewall rule sets do not support Revision Control System (RCS).
Fig. 3–1 Rules Incoming
3.2.1 Rules Incoming / Outgoing. Rules controlling incoming traffic are arranged in the Incoming window (Fig. 3–1); rules controlling outgoing traffic are arranged in the Outgoing window (Fig. 3–2 Rules Outgoing). 3.2.2 Context Menu: Select and right-click a list entry to display the following context menu: Table 3–1 Rule window - Context menu. Item / Description: • Show Source...
Table 3–1 Rule window - Context menu Item Description New … Opens the rule configuration dialog for a new rule (3.2.4 Rule Configuration, page 45). Delete Deletes the selected rule(s). Copy Copies the selected rule(s) to the clipboard. Paste Pastes the selected rule(s) from the clipboard. 3.2.3 Button Bar Fig.
3.2.4 Rule Configuration. Select New … from the context menu to create a new rule. Fig. 3–4 Edit/Create Rule Object. Configure the following connection details in the ... List 3–1 Edit/Create Rule Object - Options in the Rules view. Item / Parameter / Description: • Action: Select...
Modifying an object is a global action. For example, any other rule using the specific object will be affected by the modification. This applies only for referenced objects, not for objects of type <explicit>. Explicit objects are only available for the current rule. Table 3–2 Edit/Create Rule Object –...
The following entities are available for rule testing: List 3–4 Rule Tester parameters – section TEST CONNECTION. Parameter / Description: • Direction: This is the direction of the traffic policy. • Application: To query for an arbitrary application leave the asterisk (*), which is set as default value. Click the Update Applications ... • From: IP / Port: Insert the source IP and corresponding connection port.
Changing any parameter in any configuration area that influences the result of a test report leads to a status icon change in the overview window: green icons become red. To apply the new conditions to an already existing test report, select the data set in the overview window of the Reports window and click ... Subsequently to this action, the status icons will no longer indicate whether an action has been successful or not, but instead...
List 3–6 Barracuda NG Network Access Client. Parameter / Description: • ICMP Parameters: This tab allows you to configure blocking of ICMP packets. • Connect to the Internet with ADSL (PPTP): Setting to yes creates a pass rule named ADSL in the Outgoing tab of the firewall configuration that is needed for Internet connections via ADSL (PPTP).
Adapters The Adapters tab allows you to view and configure network adapters available on the system. Adapters may be employed in firewall rules, in order to restrict rule processing to a specific adapter or a set of adapters only. Fig. 3–8 Adapter view The listing is divided into the following columns: Table 3–4 Adapter view details...
This object summarizes all wireless adapters available on the system (for example, WLAN cards). Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless adapters.
List 3–7 Edit/Create Adapter Object options. Parameter / Description: • Comment: Optionally, insert an adapter description. • Trust Type: Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in the Administration >...
The User Objects tab allows you to create User and User Group objects, which may be employed in rule sets. Click New … to open the User Object dialog (Fig. 3–10). A user object is automatically created when a connection attempt is processed by the firewall. The object is then inserted into the corresponding rule.
The Net Objects tab facilitates IP address/network management. Use this tab for the following purposes: • Assigning names to single IP addresses • Combining multiple IPs/networks/references into networking objects. For clearly arranged network management, prefer referencing Network Objects over explicit IPs when configuring firewall rule sets.
• Net-[Network Connection name] • InterNet (0.0.0.0/0) • TrustedNet: Use the TrustedNet object ... its content is dependent on the assignment of an adapter as trusted or untrusted (3.3 Adapters, page 51). When an adapter is specified as trusted, the IP addresses living on it are added to the TrustedNet object.
Click New … to open the Net Object dialog (Fig. 3–12). Insert Name and Description. In the Entry section insert the IP/network address(es) of the new Net Object and/or specify a reference, for example select an existing Net Object to refer to from the new one. The ... section allows excluding specific networks from a network object.
The Service Objects tab facilitates port and protocol management. Use the Services window to • assign port and protocol to specific services • and merge multiple services into one service object using references. Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator’s Guide. Fig.
The following services are available in the Barracuda NG Personal Firewall by default: Table 3–5 Service Objects available in the Personal Firewall (columns Service Name / Port / Protocol): BOOTPS, Kerberos, LOC-SRV/EPMAP, NETBIOS-NS, NETBIOS-DGM, NETBIOS-SSN, SNMP, LDAP, CIFS, MSTASK (port 1026); the protocol column reads TCP/UDP for several of these entries, the remaining port numbers are not given here. Application Objects: The Application Objects ... sets.
Fig. 3–14 Application Object dialog • Insert Name ... • Again, click ...; the ... window opens. • Click Browse ... After selection, the path to the file and its inherent file description will be displayed in the Path ... • Optionally, insert a file description into the ... •...
Consider that when an application equipped with an MD5 Hash is used on multiple clients, file versions need to match exactly. Otherwise, the application object will not be applicable. Click Clear to delete the hash. In addition to the application, first level DLLs are taken into consideration. This provides additional security. However, DLLs used by first level DLLs are not monitored.
Operating & Monitoring Barracuda NG NAC Box – Monitoring and Real-time Information. The Access Control Service provides extensive information about the currently available endpoints and their status. Both real-time and historical information are displayed when logging into the status window. The following tabs are available for operational purposes: •...
Summary of the client's health status, or more details of a failed connection. Values could be "Client is healthy". If the client is unhealthy, the column "Information" contains details about the failed health checks. "No rule matched", another possible value, means that identity matching failed.
• Isolation: The categories "Not restricted", "Restricted", and "Probation" are available as filter criteria. • ...: Filters the list for specific IP addresses. • User: Filters the list for specific user entries. • Type: Filters the list for entries of type "Health Evaluator", "Authenticator", or "Remediation", depending on the Access Control Service module which created the entry.
By selecting this context menu entry on a selected entry, all entries for the selected client are displayed in a new tab. The criterion for identifying a computer is the computer's local machine security identifier (SID). • Visualize this Computer …: This entry visualizes the health state of the selected client.
• ...: Removes either the selected entry, or all entries belonging to the selected client, or all entries from the cache. • Ungroup: Displays all entries in a flat list instead of the default group view. • Group by >: For better clarity, status entries may be grouped by their essential attributes such as time, IP address, or rule name.
modifications or re-installation of the operating system. This means that the Access Control Service can assign health states to the proper client even if the IP address changes or a user performs a logout. The status tab displays only the last health status of a client. To get an overview of historical information, e.g.
Barracuda NG Network Access Client is not intended to work as a complement to VPN clients and/or personal firewalls provided by other vendors. Thus, Barracuda Networks recommends uninstalling any other VPN client and/or personal firewall prior to installation of Barracuda NG Network Access Client.
• Barracuda NG VPN Client • Barracuda NG SSL VPN and NAC Client • Custom. A way to perform remote installation procedures is provided through customizable script files. Refer to the following chapters if you intend to install and configure multiple clients remotely. •...
List 5–1 Complete Installation — section Barracuda NG Access Monitor – default settings. Parameters: 802.1x Enable; DHCP Renew. List 5–2 Complete Installation — section NG Personal Firewall – default settings. Parameters: Trusted Network; Connect to the Internet with ADSL (PPTP); Allow others to access my files and printer(s); Disable Barracuda NG Personal Firewall; Firewall Always ON...
• Enable/disable 802.1X • Firewall Always ON, page 72 • Install Barracuda Networks GINA: This option is for SMART-clients only, although SMART-clients also work with the firewall installed. • ...: Defines the installation path (C:\Program Files\BarracudaNG). • ...: Defines the IP address of the Access Control Server.
NG Personal Firewall rule set is modified automatically (9.9.2 Automatic Rule Configuration, page 122). • Disable Barracuda Networks Secure Mode (Firewall off) Selecting this checkbox results in a "pass-all-behavior" of the NG Personal Firewall. Use this option for unattended setups.
Customer Setup. The customer setup is only available for NG VPN Client. Customer setup is a comprehensive installation method, allowing you to fully preconfigure all NG Network Access Client settings on multiple installation systems remotely. Customer setup addresses the experienced system administrator. In addition to pure installation and basic configuration, it allows you to: •...
The customer.inf file directs copying of required files and insertion of registry entries. It is divided into three sections of interest: • Customer Area [CustomerCopyFiles], page 74 • Customer Area [CustomerReg], page 75 • Customer Area [SourceDisksFiles], page 78. The content of the customer.inf ... Do NOT rename the customer.inf file.
0x00000002 (COPYFLG_NOSKIP). Do not change the name of the firewall rule set entry (active.i_fwrule). If you do not intend to install the Barracuda Networks Firewall R8 with a predefined rule set meeting company policy, uncomment or delete this line. 5.4.3 Section "2. Customer Area" / [CustomerReg]: This section controls the configuration of profiles set up during installation.
This section is used for creating profiles and defining default values. Table 5–4 Directives applicable in the "Customer Area" / [CustomerReg]. Directives: • reg-root: HKCR, HKCU, HKLM • subkey • value-entry-name • flags: 0x00000001 (FLG_ADDREG_BINVALUETYPE), 0x00000002 (FLG_ADDREG_NOCLOBBER), 0x00000004 (FLG_ADDREG_DELVAL), 0x00000008 (FLG_ADDREG_APPEND), 0x00000010 (FLG_ADDREG_KEYONLY), 0x00000020 (FLG_ADDREG_OVERWRITEONLY), 0x00001000 (FLG_ADDREG_64BITKEY)
Table 5–4 (continued) Directives applicable in the "Customer Area" / [CustomerReg]: • value. The following describes only the minimum required information. You may add any other Barracuda Networks registry entry. 1.) Edit default entry: HKU, .DEFAULT\Software\Phion\phionvpn\Profile\1, Default, 0x00010001, 1. Value "1" sets a profile to the default profile of the Barracuda NG VPN Client. All other profiles take the value "0".
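Because a customer.inf writes registry values on every machine it is rolled out to, an administrator will want to see exactly which keys a customised package touches and with which flags before deploying it. The following Python script is an added example for this page, not Barracuda's code: it parses the [CustomerReg] directives described above (reg-root, subkey, value-entry-name, flags, value), decodes the flag bits of Table 5–4, and reports which profile entry carries Default = 1. The sample INF text is constructed; only its first [CustomerReg] line is the one quoted in the guide, and the `0x00010001` value-type interpretation (REG_DWORD) comes from the Windows INF AddReg conventions, not from the guide.

```python
"""Added example, not Barracuda's code: audit the [CustomerReg] section of a
customer.inf before rollout.  Sample INF text is constructed for the example."""
import csv

# Flag bits as listed in Table 5-4 of the guide
ADDREG_FLAGS = {
    0x00000001: "FLG_ADDREG_BINVALUETYPE",
    0x00000002: "FLG_ADDREG_NOCLOBBER",
    0x00000004: "FLG_ADDREG_DELVAL",
    0x00000008: "FLG_ADDREG_APPEND",
    0x00000010: "FLG_ADDREG_KEYONLY",
    0x00000020: "FLG_ADDREG_OVERWRITEONLY",
    0x00001000: "FLG_ADDREG_64BITKEY",
}
# Value-type encoding of the Windows INF AddReg flags word (bit 0 plus bits 16-31):
# 0x00000000 is REG_SZ and 0x00010001 (FLG_ADDREG_TYPE_DWORD) is REG_DWORD, which
# is the encoding used by the guide's own "Edit default entry" line.
TYPE_MASK = 0xFFFF0001
VALUE_TYPES = {0x00000000: "REG_SZ", 0x00010001: "REG_DWORD"}

SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[CustomerReg]
; first directive as quoted in the guide, the rest constructed for this example
HKU, .DEFAULT\\Software\\Phion\\phionvpn\\Profile\\1, Default, 0x00010001, 1
HKU, .DEFAULT\\Software\\Phion\\phionvpn\\Profile\\1, Name, 0x00000002, "Example profile, HQ"
HKLM, SOFTWARE\\ExampleCorp\\ExampleNAC, ServerIP, 0x00000000, "192.0.2.10"
HKLM, SOFTWARE\\ExampleCorp\\ExampleNAC, Obsolete, 0x00000004

[SourceDisksFiles]
customer.inf,,,1
"""


def parse_customer_reg(inf_text):
    """Return one dict per directive in [CustomerReg]; full-line ';' comments are skipped."""
    entries, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "customerreg":
            continue
        # csv handles the quoted value field, which may itself contain commas
        fields = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
        if len(fields) < 4:
            raise ValueError(f"malformed AddReg directive: {line!r}")
        root, subkey, name, flags_text = fields[:4]
        value = fields[4] if len(fields) > 4 else None
        flags = int(flags_text, 16)
        if flags & 0x00000004:                       # FLG_ADDREG_DELVAL: no value written
            value_type = "(deleted)"
        else:
            value_type = VALUE_TYPES.get(flags & TYPE_MASK,
                                         f"type bits 0x{flags & TYPE_MASK:08x}")
        entries.append({
            "root": root, "subkey": subkey, "name": name, "flags": flags,
            "value": value, "value_type": value_type,
            "flag_names": [n for bit, n in ADDREG_FLAGS.items() if flags & bit],
        })
    return entries


def default_profiles(entries):
    """Profiles marked as the VPN client's default (Default = 1); the guide expects
    exactly one, all other profiles carrying 0."""
    return [e["subkey"] for e in entries
            if e["name"].lower() == "default" and e["value"] == "1"]


def audit(inf_text):
    entries = parse_customer_reg(inf_text)
    path = lambda e: f"{e['subkey']}\\{e['name']}"
    return {
        "entries": len(entries),
        "default_profiles": default_profiles(entries),
        "hklm_writes": [path(e) for e in entries
                        if e["root"] == "HKLM" and not e["flags"] & 0x00000004],
        "deletions": [path(e) for e in entries if e["flags"] & 0x00000004],
    }


if __name__ == "__main__":
    for e in parse_customer_reg(SAMPLE_INF):
        print(f"{e['root']}\\{e['subkey']}\\{e['name']}: {e['value_type']} "
              f"{e['value']!r} flags={e['flag_names']}")
    print(audit(SAMPLE_INF))
```

Running the script lists each directive with its decoded type and flags and then a summary; a package whose audit shows more than one default profile, or unexpected HKLM writes, deserves a look before it goes out.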
5.4.4 Section "3. Customer Area" / [SourceDisksFiles]
Fig. 5–5 Example for section [SourceDisksFiles]
[SourceDisksFiles]
; Files for disk Customer Files #1
; filename = diskid[,[ subdir][, size]]
customer.inf,,,1
customer.lic,,,1 ; if a license file is imported
active.i_fwrule,,,1 ; if a firewall rule set is imported
A SourceDisksFiles section names the source files used during installation, identifies the installation disks that contain these files, and provides the path to the subdirectories, if any, on the distribution disks containing individual files.
For an overview of specific properties see table 5–1, page 71.
System Restore: The Barracuda NG Network Access Client installation and removal processes create Windows System Restore points in the System Restore area that you may use to restore your system to a previous state. Fig. 5–7 System Restore. Refer to the OS help for details.
General: In case you are updating from predecessor versions, simply execute the setup executable and follow the on-screen instructions. If you have particular questions regarding the migration process, please contact Barracuda Networks support. For migration, it is mandatory to have the setup file locally on your system. A network installation is NOT possible. If the Personal Firewall is installed, make sure to disable the Internet connection prior to migration.
General: Close all applications including the VPN client before uninstalling. You will be prompted to restart the system after uninstallation has completed. Procedure: To uninstall the client, browse to Start > Control Panel > Add or Remove Programs > Barracuda NG Network Access Client and click Remove.
Barracuda Networks provides two types of VPN client licenses: • Barracuda NG VPN Client • Barracuda NG SSL VPN and NAC. For detailed information concerning the different features of the two licenses, have a look at 8.2 Facts and Figures, page 83.
Optionally, the Barracuda NG SSL VPN and NAC ... functionality and includes Barracuda NG Network Access Client with the full client including the centrally managed Barracuda NG Personal Firewall. • Authentication support: Table 8–1 Authentication support (Function / Supported): Active Directory; LDAP; ...
Table 8–3 Policy matching capabilities. Functions: Antivirus (AV) product installed; AV active; AV realtime protection active; Last AV scan time; Enforce overdue AV scan; AV engine version; AV pattern version; AV pattern max age; Enforce overdue AV engine/pattern update; AntiSpyware (AS) product installed; AS active; AS realtime protection active; ...
• Architecture: Table 8–5 Architecture. Functions: Integrated health agent; Integrated VPN client; Integrated personal firewall; Full entegra policy support. • OS requirements: Table 8–6 OS Requirements. Functions: Operating systems; Disk space; Processor. (Columns of these tables: Barracuda NG VPN Client / Barracuda NG SSL VPN and NAC.) VPN Configuration –
Selection between the following functional firewall modes is available in the context menu of the system tray icon: • Block All • Barracuda Networks Secure Mode • Disable Firewall (Allow all Traffic). The active operational mode is marked as selected. To change the mode, click another item in the menu. DO NOT switch directly from ... without using Secure Mode as intermediate step.
• Modify objects and rules that have been created in the Add Pass/Block - Traffic Policy … dialog. Firewall administration experience is recommended before manipulating the Barracuda NG Personal Firewall manually. 9.1.1 Integration within Windows 7: The Barracuda NG Personal Firewall integrates with Windows 7’s intrusion control system. If configured to do so in ..., it replaces the built-in Windows Firewall as long as it is enabled.
Rule Set Selection. Fig. 9–2 Rule set selection. Click Rule Set Selection … to select one of the available rule sets for viewing. The Local Rule Set is selected by default. Only the Local Rule Set may be edited in the Barracuda NG Personal Firewall.
User Interface. The graphical user interface of the Barracuda NG Personal Firewall is built up of the following items (Fig. 9–3 Graphical Interface of the Barracuda NG Personal Firewall): • Menu bar, page 91 • Configuration Item bar • Left navigation bar • Content window • Load display, page 94
General Firewall Settings and Tasks (Menu Bar) The following configuration items of the Barracuda NG Personal Firewall are accessible through the Menu Bar (use the ALT key to open/close the menu bar): • Firewall see 9.4.1 Firewall Menu, page 91 •...
List 9–3 Firewall Settings > Network Objects. Parameter: Automatic Adapter Assignment. List 9–4 Firewall Settings > Firewall Settings. Parameters: Disable Windows Firewall; Block all IP Fragments; Passthru all IPv6 Packets. ICMP Parameters: This tab allows you to configure blocking of ICMP packets. Fig.
• Export Firewall Rule Set … This item allows you to export the rule set from the Barracuda NG Personal Firewall to a text file. • Import Firewall Rule Set … This item allows you to import a rule set into the NG VPN client. The rule set may either originate from another Barracuda NG Personal Firewall or from a firewall configured on a Barracuda NG Firewall.
• Disable Firewall (Allow All Traffic) Turn the firewall off and allow all traffic. • Barracuda Networks Secure Mode Activate customized firewall rule sets. • Process Monitor Generate an entry in the event monitor for every process initiation (9.6.2 Events, page 96).
NG Control Center - Monitoring Firewall Activities Items arranged in the NG Control Center give a review of application activities in the Barracuda NG Personal Firewall. The NG Control Center is divided into the following sub-items: • Summary see 9.6.1 Summary, page 95 •...
9.6.2 Events: The Events view details all applications that are currently being or have been executed on the machine, irrespective of whether they have requested passing the firewall. Double-click a list entry to view event details. Select Reload Logs from the context menu to reload the display of logged entries. Fig.
9.6.3 History The History view details the entire network traffic (established connections and connection attempts) since the last system boot. Fig. 9–11 NG Control Center: History window 9.6.4 Listing and Context Menu The listing is divided into the following columns: Table 9–2 History window details Column Description...
Table 9–2 History window details (Column: Description)
Destination: Destination IP of the connection.
Port: Connection port.
User: Name of the user who has initiated the connection attempt.
Traffic Policy: Name of the effective firewall rule.
Info: Connection status (passed, blocked, failed).
Count: Total number of connections processed over this slot.
Translates IP addresses into hostnames, if possible. After each selection change, click entries by topic. 9.6.6 History Filter Tab In the History Filter tab, filter conditions can be set to confine the view to the minimum wanted amount of entries. If filters apply, the Select the checkbox on the right side of an available filter to activate it and insert the condition to apply.
9.6.7 Live Activity The Live Activity view details all currently active connections. Fig. 9–12 NG Control Center: Live Activity window Refresh...
9.6.8 Listing and Context Menu The listing is divided into the following columns: Table 9–4 Live Activity window details (Column: Description)
Direction: Flags the connection direction ( )
Load: Displays the current connection load ( to )
Date/Time: Date and time of traffic initiation.
Application: Application name and its PID (Process ID).
9.6.9 Filter Conditions Click the filter button ( ) to open the in order to confine the view to the minimum wanted amount of entries. Fig. 9–13 Filter condition Click Activate to activate the filter settings. After having specified a filter, click Click to record traffic processed over the network interface.
The data acquired is saved as a CAP file in the local folder of the VPN client (C:\Program Files\BarracudaNG). A special viewer (for example Wireshark, www.wireshark.org) is needed for viewing network traffic recorded in .cap files. Current State - Setting the Security Mode Clicking the link below this navigation item changes the effective state of the Barracuda NG Personal Firewall.
9.8.2 Rules The Rules view allows manual rule configuration. Rules controlling incoming traffic are arranged in the Incoming tab, rules controlling outgoing traffic are arranged in the Outgoing tab. Personal Firewall rule sets are not capable of RCS. Fig. 9–16 Rules window 9.8.3 Context Menu Select and right-click a list entry to display the following context menu:...
Table 9–6 Rule window - Context menu (Item): Paste 9.8.4 Button Bar In the button bar, the Select a rule and click one of the buttons to shift the rule further up or down within the rule set. Alternatively, you can use drag&drop. As with a regular Barracuda NG Firewall rule set, the Barracuda NG Personal Firewall rule set is processed rule by rule until an applicable rule is found.
Configure the following connection details in the List 9–5 Rule Object - Options in the Rules view (Item / Parameter): Action; Name; Comment; inactive checkbox. A minimum specification of the following connection details is mandatory in the sections below: • •...
Configure the following connection details in the List 9–6 Edit/Create Rule Object - Options in the Advanced view – section Rule Mismatch Policy (Parameter): Source / Service / Destination / Application / User / Adapter. List 9–7 Edit/Create Rule Object - Options in the Advanced view – section Miscellaneous (Parameter: Description): Time Restriction...
9.8.6 Adapters The Adapters view allows you to view and configure network adapters available on the system. Adapters may be employed in firewall rules, in order to restrict rule processing to a specific adapter or a set of adapters only. Fig. 9–19 Adapter objects window The listing is divided into the following columns: Table 9–8 Adapter Object view details...
This object summarizes all wireless adapters available on the system (for example, WLAN cards). Adapters available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless adapters.
The following options are available: List 9–8 Edit/Create Adapter Object options (Parameter: Description)
Name: Specify a name for the adapter object.
Comment: Optionally, insert an adapter description.
Trust Type: Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network in the Administration Untrusted.
In the window, a number of Network Objects are preconfigured. Dynamic objects are updated at runtime when the network configuration changes and cannot be edited manually. For the dynamic update to work, Automatic Adapter Assignment must be selected in the Firewall Settings (9.4.1 Firewall Menu, page 91).
This object includes the Multicast network 239.255.0.0/16. Click New … to open the Net Object dialog (Fig. 9–22). Insert Name and Description. In the Entry section insert IP/network address(es) of the new Net Object and/or specify a reference for the Net Object, for example select an existing Net Object to refer to from the new one. A further section allows excluding specific networks from a network object.
• Merging multiple services to one service object using references. Properties of Service Objects are described in detail in the Barracuda NG Firewall Administrator’s Guide. Fig. 9–23 Service Object dialog The following services are available in the Barracuda NG Personal Firewall by default: Table 9–9 Service Objects available in the Personal Firewall (Service Name, Port, Protocol, Connection, Description): BOOTPS; Kerberos (TCP/UDP); LOC-SRV/EPMAP; NETBIOS-NS; NETBIOS-DGM; NETBIOS-SSN; SNMP; LDAP (TCP/UDP); CIFS; MSTASK (1026). 9.8.9 Applications The Application Objects window allows creating predefined applications, which may be employed in rule sets.
Fig. 9–24 Application Object dialog
• Insert
• Again, click window opens.
• Click Browse selection, the path to the file and its inherent file description will be displayed in the Path
• Optionally, insert a file description into the
•...
• Click Generate as soon as it is executed. MD5 hash creation is recommended in order to detect a corrupted file and avoid a vulnerable PC after an attack. Consider that when an application equipped with an MD5 hash is used on multiple clients, the file versions must match exactly.
9.8.10 Users The Users view allows you to create User and User Group objects, which may be employed in rule sets. Click New … to open the User Object dialog (Fig. 9–25). A user object is automatically created when a connection attempt is processed by the firewall. The object is then inserted into the corresponding rule.
9.8.11 Rule Tester The Rule Tester view allows testing rule sets for consistency. Fig. 9–26 Rule Tester The following entities are available for rule testing: List 9–9 Rule Tester parameters – section TEST CONNECTION (Parameter: Description)
Direction: This is the direction of the traffic policy.
Application: To query for an arbitrary application leave the asterisk (*), which is set as default value.
List 9–9 Rule Tester parameters – section TEST CONNECTION (continued)
Test: Click Test to test the connection and display the test result in the section below.
List 9–10 Rule Tester parameters – section TEST RESULT (Parameter: Description)
Test Status Icon / A connection attempt with the given values can either have failed or have been successful if a rule is applicable.
Select a report and click Administration - Firewall Settings Wizard Options available in the Firewall Settings view allow you to adjust the preconfigured local rule set of the Barracuda NG Personal Firewall. Setting changes trigger either rule creation, rule deletion or a traffic policy change.
Table 9–11 Services and protocols employed by the ADSL rule (Port / Protocol): 1723 9.9.1 Automatic Adapter Configuration Set the option Ask for adapter update confirmation if you would like to be notified when adapter configurations change. A security alert window will then pop up, asking for configuration change confirmation.
9.9.2 Automatic Rule Configuration With Ask for unknown outgoing/incoming connections set (9.9 Administration - Firewall Settings Wizard, page 120), an unknown application/service requesting a network connection will trigger a Security Alert window (Fig. 9–28 Security Alert windows). Windows Vista: If you don’t have access to the dialog (figure 9–28), then please contact your system administrator. The following information is included in the Security Alert window: Table 9–12 Connection request details summarized in the Security Alert window...
Selecting the checkbox also makes it possible to customize further connection details: Fig. 9–29 Security Alert - Advanced Policy Table 9–13 Security Alert – Advanced Policy options (Column): Only this Destination/Source; All Destinations/Sources; Only Port; All activities for this application; Port Range •...
10.1 Create a New Profile Using the Profile Wizard For your convenience, you may use the Profile Wizard to easily create and configure a new VPN profile. Fig. 10–1 VPN Profile Wizard Context Menu Item To start the wizard, right-click anywhere within the empty white space in the Barracuda NG VPN Control window, followed by choosing In the appearing Profile Wizard...
Fig. 10–2 VPN Profile Wizard > Profile Wizard The next window is titled Authentication Method. You can later change to a different authentication method in case you have chosen the wrong one. Choosing Username and Password or SecurID will enable the Finish button, allowing you to complete the...
If you have chosen Barracuda personal License, you will see the following window of the same title. To finish the configuration wizard, browse for the license file, then click Finish. Fig. 10–4 VPN Profile Wizard > Enter personal License If you have chosen , you will be taken to this dialog of the same title.
You can later call the wizard again by right-clicking profile entry. Fig. 10–6 VPN Profile Wizard - Modify Existing Profile Using the Wizard 10.2 Configure a New Profile Manually Double-click the Barracuda NG Network Access Client component. This will bring up the client’s status window which is attached to the tray. Fig.
On the first start, or if no working VPN profile for automated connecting has been defined before, the client will show up with the Default profile’s Connect dialog as shown below: Fig. 10–8 NG VPN client – Connect dialog The VPN profile can be chosen using the dropdown.
Clicking Preferences... will bring up the Barracuda NG VPN Control dialog wherein the necessary configurations can be made: Fig. 10–10 NG VPN client – Connect dialog The space on the right side of this screen is reserved for a list of VPN profiles. It will be empty on the first start.
• a browse button including a context menu • a dropdown list (figure 10–11) Fig. 10–11 Editing options of the VPN client dialog 10.2.1 Functional Elements of the Barracuda NG Network Access Client’s System Tray Icon Installing Barracuda NG Network Access Clients adds a new access to the main elements of VPN client and Barracuda NG Firewall R8.
Fig. 10–13 Close NG VPN Client informational window Shutting down the client will also disable the personal firewall. Take that into account, especially if this is the only local firewall you’re using. The whole Windows system needs to be restarted in order to restart the services. •...
• Profile list Select a preconfigured profile for login here. The creation of new profiles is described in 10.6 Barracuda Networks Control / Preferences Dialog, page 137. • Username Depending on the chosen authentication method, username and/or password must be inserted here.
• Use a proxy server to connect When use of a proxy server has been defined at profile creation time (10.6 Barracuda Networks Control / Preferences Dialog, page 137), then this checkbox will be selected by default, User/Password time. If the proxy server requires a password, you need to insert it into the respective field. You can make use of the proxy server checkbox to override settings that have been defined at creation time of the profile.
10.4 Status Dialog Use the Status dialog window to view properties of an established connection. Click establish a connection through the Status dialog. A profile for the connection needs to be chosen in the Connection dialog (10.3 Connection Dialog, page 132), though. Fig.
section: Secure Routes If secured routes have been assigned to the client by the VPN server, then their values will be displayed in the fields. tab: Connection section: Connection • Status Status information on the current connection, whether it is active, initiating or shutting down. •...
• Tunnel Mode The currently used transport mode for the VPN tunnel. Can display a value of TCP, UDP or Hybrid. button: Cancel Use this button to terminate a connection. Only shown if a connection is currently active. button: Connect Click this button to initiate a connection.
Preferences Barracuda Networks Control is the user interface for configuration of profiles and Barracuda NG VPN adapter settings and the management of certificates. Barracuda Networks Control is also accessible via the Windows Control panel. Shortcut icons reside...
in the context menu to terminate a connection. to connect to a VPN server. Connect Connection Entries Barracuda Networks Control configuration area. The following actions are Certification Authorities in the context Connect … tabs (see Advanced Settings context menu.
section: Options • View … Opens a window with detailed certificate information. • Remove … Deletes the selected certificate from the certificate store. • Import … Imports the certificate to the certificate store. Supported certificate types are: binary X.509 certificates and PKCS #12 certificates. Export Certificate To •...
section: General VPN Settings • Direct Access The VPN client can be configured so that it automatically reconnects to different gateways, if available. Upon an unwanted disconnection, reconnecting to the same gateway will be tried three times. If this fails, a so-called "path finder connection" will be initiated, trying a variety of pre-defined gateways and finding the fastest one.
10.6.4 Connection Entries Tab Fig. 10–19 Connection Entries tab • Enter a description of this connection entry Insert a profile name into this field. The name entered will be displayed as profile name in the Connection dialog window. section: Certificate Choose the authentication method required by the VPN server.
10.6.5 Barracuda Authentication Barracuda Authentication requires a valid certificate file (*.lic). The .lic file must be saved locally on the client system using it. The following parameters are available for Barracuda Authentication: List 10–1 Parameters used with Barracuda NG authentication Parameter Description File...
List 10–2 Parameters available for use with X509 authentication (Parameter: Description)
External File: Path to the external X.509 certificate.
10.6.7 User / Password The following parameter is available for User / Password authentication: List 10–3 Parameters used with User/Password authentication (Parameter: Description) Temporary...
List 10–5 Advanced Settings tab – Data integrity and encryption (ESP) section (Parameter [Default])
Encryption algorithm [AES]
Tunnel Mode [Response (UDP)]
section: Tunnel Settings
List 10–6 Advanced Settings tab – Tunnel Settings section (Parameter [Default])
Virtual Adapter Configuration [Default: Direct assignment]
Compression [Yes]
Use Access Control Service
NAC intercept VPN connection...
List 10–6 Advanced Settings tab – Tunnel Settings section (continued)
Terminate Countdown (sec.)
After reconnect adapter reset
Connect retry time (sec) [Default: 60]
Fallback Profile
section: Always Connect
List 10–7 Advanced Settings tab – Always Connect section
Disable Active Directory Scan [Default: No]
section: User Interface Settings...
10.6.9 Adaptation of Profile Creation using an .ini file (Barracuda NG Authentication only) Some parameters configurable in the page 139) tabs can be passed to the NG VPN Client through an .ini file. When a profile with Barracuda NG authentication the same directory as the .lic file is retrieved from.
Behavior of a DHCP client. Possible options are: IP address is assigned directly (using IP address is assigned dynamically (DHCP) IP address is configured statically • connectmode Settings tab] This parameter specifies the used connection mode. By default, this parameter is set to The alternatively available modes are shown in brackets ( its entries in order to get a working setup file.
• Module The module the respective log entry refers to. • Status The status of several actions such as Add Routes (added routes), Refresh IP (client IP), Internal loop, etc.
11.1 Overview 11.1.1 Access Monitor The Access Monitor is the key component of Barracuda NG Network Access Client. Its responsibilities include: • Collecting information from the client computer necessary for health evaluation, including • Communication with the Access Control Server •...
11.2 Monitoring 11.2.1 Health Agent Fig. 11–1 Barracuda NG Access Monitor The Barracuda NG Access Monitor provides all necessary information regarding the client computer's health state and network restriction. Table 11–1 Barracuda NG Access Monitor (Property: Description) Health Condition: There are 3 different health states: •...
Table 11–1 Barracuda NG Access Monitor (Property: Description; continued): Client Origin; Last Health Check; Next Health Check; Quarantine Status; Access Control Server; Emergency Network Adapter Repair; Image of the day; Message of the day; Health evaluation result •...
11.2.2 Advanced Status Information If more information is required, the Barracuda NG Access Monitor provides additional information through the Barracuda NG Access Monitor Advanced dialog. This can be opened by clicking the Quarantine Status link (see Health Condition, same table) in the Health Agent view. Fig.
11.2.4 Communication Status Whenever the Barracuda NG Access Monitor is working, a status message is displayed below the message of the day group (figure 11–4). While the Barracuda NG Access Monitor is communicating it is not possible to start a health evaluation. The following communication states exist for the Barracuda NG Access Monitor: Table 11–2 Health Agent states...
• Configure a valid Access Control Server IP address locally (see 11.3.2 Access Control Server IPs from Registry, page 160) Use these instead if the Access Control Server IP addresses are distributed by DHCP: • By using the 11.3.12 Allow Emergency Network Adapter Repair, page 163) •...
Fig. 11–6 Connection error because no Access Control Server IP addresses are configured
11.2.6 802.1X Authentication - Port Security 11.2.7 Network Interfaces As seen in figure 11–7, the network interfaces are listed in two groups: • Managed • Unmanaged Fig. 11–7 Port Security Managed network interfaces have been activated for the use of 802.1X authentication. The Barracuda NG Access Monitor provides several actions for all managed network interfaces when a wpa_supplicant is running for the network interface.
Table 11–4 Barracuda NG Access Monitor information for unmanaged network interfaces (Column: Description)
Status: Shows the device status of the network interface; these include: Network cable unplugged, Not connected, Disconnected, Connecting, Connected.
PAE state: Port Access Entity status.
EAP state: Extensible Authentication Protocol status.
Device Name...
11.2.9 EAP Tracer Fig. 11–9 EAP Tracer The EAP Tracer allows you to view EAP and EAPOL packets captured by the Barracuda NG Access Monitor for every network interface which has the option Trace EAP Packets enabled (see 11.3.13 Capture 802.1X Traffic (EAP), page 164).
11.3.3 Access Control Server IPs from DHCP When the Barracuda Networks DHCP server is configured to distribute the Access Control Server IPs using DHCP, these are listed in an advanced dialog, see figure 11–12. To open the dialog click the...
Edit… button. If required, clear the Access Control Server IP addresses, which are received through DHCP, with the Clear Policy IPs button. Fig. 11–12 Access Control Server IP addresses, received by DHCP. 11.3.4 ICMP Connectivity Checking As an advanced feature, the Barracuda NG Access Monitor is able to determine the connectivity to the Access Control Server using ICMP packets.
To edit this option manually, modify the following registry key: Table 11–7 Registry entry for ICMP connectivity (Item: Description)
Path: .DEFAULT\Software\Phion\phionha\settings\
Value: UseConnectionState (Default=1); 0 - disabled, 1 - enabled
11.3.6 Health Agent Authentication 11.3.7 Use Basic Authentication This option specifies if basic user-password or certificate authentication should be used, in case the NTLM authentication fails.
11.3.9 802.1X Settings 11.3.10 IEEE 802.1X Authentication This option enables or disables the use of 802.1X authentication. When enabled, the Client will automatically start a wpa_supplicant for all network interfaces configured to use 802.1X authentication. To edit this option manually, modify the following registry key: Table 11–10 Registry entry for 802.1X authentication Item...
Table 11–12 Registry entry for emergency network adapter repair (Item: Description)
Value: AllowEmergencyRepair (Default=1); 0 - disabled, 1 - enabled
11.3.13 Capture 802.1X Traffic (EAP) If enabled, the Barracuda NG Access Monitor will capture all EAP (Extensible Authentication Protocol) and EAPOL (EAP over LAN) packets and save them in the log directory located in the Barracuda NG Network Access Client installation directory.
11.3.14 Log Settings For proper analysis verbose output is essential, thus it is possible to enable logging for both the Health Agent service and the Barracuda NG Access Monitor service to receive detailed information, see 11.4 Log Files, page 165 for more information. 11.3.15 Barracuda NG Health Agent Logging To edit this option manually, modify the following registry key:...
Table 11–16 Log Files (File: Description)
client.xml: XML file containing the information about the client computer that is sent to the Access Control Server when performing a user-based health evaluation.
connect.xml: Information about connectivity and connection errors.
download.xml: Contains data from the last download such as rule set, message of the day, …
downloadLocal.xml: Contains data received when a local computer-based health evaluation succeeded.
12.1 General Pre-connectors and Remote VPN are tools that are meant to simplify/automate the logon procedure. Optionally, combined with a prior dial-up connection, they may also be used to log on to a domain remotely. 12.2 VPN Connector Create a connector to achieve the following: •...
12.2.1 Creating a Connector Prior to creating a Barracuda NG VPN connector, the connection profile must be configured (10.6.8 Advanced Settings Tab, page 143). The connector may then be created using one of two possible methods. Fig. 12–1 Creating a Connector •...
12.3 Remote VPN (rvpn) Remote VPN allows connecting/disconnecting automatically via script. rvpn.exe is downloadable from Barracuda Networks. 1.) Create a VPN Profile First, you must configure the required profile as described in the previous chapter ( VPN Component Configuration, page 124).
List 12–1 Parameters contained in an rvpn profile (Parameter: Description)
-a [X, *]: Local password [Certificate Password] (if any); pop-up for local password.
-cs [X]: Client shutdown password protection. Prompts for the password defined in [X] whenever a user tries to shut down the VPN client. Leaving the password value blank deactivates this feature.
[Figure residue: Step 1 to Step 5; labels: SPAC, DHCP, Kernel Device, Virtual Adapter, Hardware, Barracuda Networks VPN server, Port 691 or 443 via Proxy, NG VPN, Ethernet]
Chapter 13 Example Configuration Introducing an up-and-running Barracuda NG Network Access Client environment involves several components, like global objects, trustzone settings, Access Control Service and gateway firewall configuration. This section presents an overview of how simply an environment can be set up. For further details of individual parameters please refer to the appropriate sections.
Like welcome messages, customized pictures are not really necessary for a Barracuda NG Network Access Client infrastructure. Nevertheless, companies usually want to display their own logo instead of the Barracuda Networks logo. The most important part which is also required for proper operation is to set up Personal Firewall Rules.
• Allow HTTP/HTTPS connections to the internet. Some antivirus products use HTTP/HTTPS to download up-to-date engines and patterns. Fig. 13–2 Example configuration – Personal Firewall rule set – Access Control Service - Rules – Outgoing tab example view Next create and edit the unrestricted rule set: •...
Administrators of stand-alone Barracuda NG Firewalls can avoid making this decision - you simply configure your trustzone within the As a guideline for a simple setup using a CC, we recommend to use global trustzones or alternatively switch to range trustzones. For range or cluster based Access Control Services note that they can only reference trustzones within the same administrative scope (not from another range/cluster).
13.4 Configure an Access Control Service Trustzone The main window of an Access Control Service Trustzone is split up into a navigation bar on the left and the three policy rule sets on the right. To guarantee that our policy trustzone has a public/private key pair to properly authenticate clients to all participating Access Control Services, we initially need to create a Health Passport Signing Key (Settings >...
For the Identity Matching and Required Health State views, Basic and Advanced configuration dialogs exist. Fig. 13–4 Example configuration – Configure an Access Control Service Trustzone – Local Machine: Create Policy Rule: catch-all
First start with defining the criteria for Since the Access Control Service in this sample setup is only reachable using private IP addresses we can restrict the Networks The option Policy Matching further matching criteria. As a next step define the required health conditions. For the catch-all rule you can define the same policies you require for known clients, as security policies usually further restrict unknown clients instead of granting them lower health requirements.
For the AV engine and for the AV patterns the settings above accept the current version and also two versions before. Usually companies already have mechanisms to perform regular updates of their AV engines and patterns - in the sample you can thus leave the setting Fig.
In the sample you are not required to manually add "Network Access Policies". Instead you can set up the firewall rules of the gateway firewall using the implicit roles (unhealthy, healthy, probation, untrusted). Fig. 13–6 Example configuration – Configure an Access Control Service Trustzone – Local Machine: Edit Policy Rule – catch-all
13.5 Configure Forwarding Firewall Rule Set Enforcement of the security policy is provided by the Barracuda NG Network Access Client software installed on the endpoint itself. Whenever leaving the local collision domain, Barracuda NG Firewalls can provide additional protection. To enforce the health policy, Barracuda NG Firewalls may interpret the access policy attribute assigned to the endpoint within their rule sets.
("healthy") or clients being in "probation" state are allowed to access the protected network. Barracuda Networks allows access even for clients in "probation" since we do not want to block new connections or even terminate existing connections only because the antivirus patterns are not up-to-date for a few minutes.
14.1 Overview Barracuda NG Network Access Client features the IEEE 802.1X standard for port-based network access control. The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.
Necessary for authentication, validates the client computer's identity information forwarded by the switch and notifies the switch which VLAN the client computer is assigned to. Due to the switch's functionality as proxy the authentication service is transparent to the client. •...
14.2.2 Using the Barracuda NG Access Monitor for Analysis The Barracuda NG Access Monitor provides within its port security section a listing of all network interfaces capable of 802.1X, displaying the current status. Additionally, the Barracuda NG Access Monitor allows opening a command-line interface for the selected device.
To enable or disable verbose output, the registry value below needs to be set: Table 14–4 Key Logging (Item: Description)
Path: HKEY_USERS\.Default\Software\phion\phionvpn\settings
Value: Logging. Enables or disables verbose output to be written (Default=0). • 0 - disabled • 1 - enabled
Changing this value takes effect immediately. This value may also be changed through the 14.2.4 Switch Web Interface...
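As an added example (not Barracuda's own code or tooling), the following PowerShell audits the two registry switches documented in Table 11–7 (UseConnectionState) and Table 14–4 (Logging) against their documented defaults and offers a previewable way to change them. It assumes both keys live under the HKEY_USERS\.DEFAULT hive, as the two paths indicate, and that the values are stored as DWORDs; the AllowEmergencyRepair path is not given on the page and is therefore left out.

```powershell
# Added example, not part of the Barracuda documentation or product.
# Audits the documented NG Network Access Client registry switches:
#   Table 11-7: .DEFAULT\Software\Phion\phionha\settings\UseConnectionState (Default=1)
#   Table 14-4: HKEY_USERS\.Default\Software\phion\phionvpn\settings\Logging  (Default=0)
# Assumptions (not stated on the page): both keys sit under HKEY_USERS\.DEFAULT
# and the values are DWORDs. Writing to this hive requires elevated privileges.

$script:NacSettings = @(
    [pscustomobject]@{
        Name    = 'UseConnectionState'
        Path    = 'Registry::HKEY_USERS\.DEFAULT\Software\Phion\phionha\settings'
        Default = 1
        Purpose = 'ICMP connectivity checking towards the Access Control Server'
    }
    [pscustomobject]@{
        Name    = 'Logging'
        Path    = 'Registry::HKEY_USERS\.DEFAULT\Software\phion\phionvpn\settings'
        Default = 0
        Purpose = 'Verbose 802.1X (wpa_supplicant) logging; takes effect immediately'
    }
)

function Get-NacSettingState {
    <#
    .SYNOPSIS
        Returns the effective value of each documented setting.
        A missing value is reported as not present and treated as its documented
        default, which is how a freshly installed client behaves.
    #>
    [CmdletBinding()]
    param()

    foreach ($s in $script:NacSettings) {
        $prop    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $present = ($null -ne $prop)
        $value   = if ($present) { [int]$prop.($s.Name) } else { $s.Default }

        [pscustomobject]@{
            Name       = $s.Name
            Purpose    = $s.Purpose
            Present    = $present
            Value      = $value
            Enabled    = ($value -eq 1)
            IsDefault  = ($value -eq $s.Default)
            # Anything outside the documented 0/1 range deserves a closer look.
            Suspicious = ($value -notin @(0, 1))
        }
    }
}

function Set-NacSetting {
    <#
    .SYNOPSIS
        Sets one of the documented values to 0 (disabled) or 1 (enabled).
        Supports -WhatIf so the change can be previewed before it is made.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('UseConnectionState', 'Logging')][string]$Name,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )

    $s = $script:NacSettings | Where-Object Name -eq $Name
    if ($PSCmdlet.ShouldProcess("$($s.Path)\$Name", "Set to $Value")) {
        # Create the key if the client has never written it (Logging is off by default).
        if (-not (Test-Path -Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $s.Path -Name $Name -Value $Value -Type DWord
    }
}

# Usage: list the current state, then preview enabling verbose 802.1X logging.
Get-NacSettingState | Format-Table Name, Present, Value, Enabled, IsDefault, Suspicious -AutoSize
Set-NacSetting -Name Logging -Value 1 -WhatIf
```

Run the audit from an elevated prompt; without elevation the read still works but Set-NacSetting will fail on the HKEY_USERS hive.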
• ReAuthPeriod see 14.3.9 Periodic client re-authentication by the switch, page 193
• Guest-Vlan see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Vlan see 14.3.11 Authentication Message Exchange, page 194
• AuthFail-Max-Attempts see 14.3.11 Authentication Message Exchange, page 194
• QuietPeriod see 14.3.12 VLAN Assignment, page 195
The following output is the status of a network interface on the switch a client computer is connected...
14.2.5 Switch Console Interface For either administrative or informative purposes it is possible to connect to the switch using a telnet session. By default the console interface shows only little output. To enable higher verbosity it is recommended to enable debug information, as seen in the example, for various topics. To enable or disable debug logs it is required to enter the privileged exec mode.
14.3.2 Operational Sequence 14.3.3 Startup
1.) NG NAC services start
2.) Disabling Microsoft Windows 802.1X compliant software
3.) Starting the WPA supplicant
4.) WPA supplicant configuration
5.) WPA supplicant running
14.3.4 Runtime
1.) Re-authentication by the Client Service
2.) Re-authentication by the switch
3.) Re-authentication by the user using the command line
4.) Authentication Message Exchange...
2.) Disabling Microsoft Windows 802.1X compliant software Since Microsoft Windows ships with its own 802.1X compliant client software, the Client service needs to disable it before starting the WPA supplicant. The Microsoft 802.1X compliant client software consists of: Table 14–5 Microsoft 802.1X compliant client software Service Friendly Name Wired AutoConfig...
If verbose output is enabled: wpa_supplicant_{adapter_uid}.log: Line X: Invalid configuration file … Advanced Settings of the Barracuda NG Access Monitor, Barracuda Networks Personal Access Client 802.1X Authentication Use 802.1X Authentication IEEE 802.1X within option.
To resolve this problem, proceed with the following steps:
• Delete the corrupted configuration file. You will require elevated privileges to perform this step.
• Kill the process wpa_supplicant.exe. You will require elevated privileges to perform this step.
The Client service will then regenerate the configuration file from the template.
5.) wpa-supplicant running
A successful start of the wpa-supplicant can be verified by:
•...
14.3.8 Re-authentication by the client service
The client service is able to enforce a re-authentication at the configured interval (see 2.0.A), independent of the switch's configuration. After the configured number of seconds has elapsed, the Client service starts the authentication sequence by sending an EAPOL-Start packet (see: 2.3.I) and waiting for the identity request that begins the authentication sequence (see: 2.3.II).
To disable periodic re-authentication, use the no dot1x reauthentication interface configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout reauth-period interface configuration command.
Fig. 14–5 Example
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x reauth-period 4000
The re-authentication started by the switch is illustrated in 2.3.II.
14.3.10 Manually re-authenticating using the command line
You can manually re-authenticate the client connected to a specific port at any time by entering the...
• A re-authentication is triggered manually on the switch by a user through the command-line interface.
Finally, section III shows the way the logoff command is sent to the switch in order to disable the line protocol on the port. There are several possibilities for the log-out process:
•...
• interface <interface-id>: Specify the port to be configured, and enter the interface configuration mode.
• dot1x timeout quiet-period <seconds>: Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is from 1 to 65535 seconds; the default is 60.
This value may also be changed by using the
To enable "DHCP Renew" on the Access Control Server, enforcing it on all clients matching the rule in which it is configured, follow these steps:
• Enter the Access Control Server trustzone configuration using the Barracuda NG Admin administration tool
•...
14.3.16 Shutdown
14.3.17 Operating System Shutdown
When the client computer is being shut down, the Barracuda NG Access Monitor sends a logoff command to the switch, causing the switch to disable the line protocol on the port.
14.3.18 Operating System Logoff
When a user logs off his account from the operating system, the Barracuda NG Access Monitor follows the same procedure as above.
14.4 Addendum
14.4.1 Packets
The table shows an EAPOL packet frame:
Table 14–16 EAPOL packet frame
Field Name | Size | Purpose
Version | 1 Byte | Protocol version
Type | 1 Byte | 1 Start, 2 Logoff
Length | 2 Bytes | Length of the EAP packet
Data (EAP) | N Bytes | EAP packet...
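As an added example (not code from the manual or from the Barracuda client), the following Python builds and decodes the EAPOL frames of Table 14–16 together with the EAP Identity request/response that the re-authentication sequence in 14.3.8 relies on; the EAP header layout is taken from RFC 3748, and the host name in the sample exchange is a constructed placeholder.

```python
import struct

# EAPOL packet types (IEEE 802.1X); Table 14-16 lists 1 = Start and 2 = Logoff,
# while type 0 carries an EAP packet in the Data field.
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "Start", 2: "Logoff"}
# EAP codes and the Identity method type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

EAPOL_HDR = struct.Struct("!BBH")  # Version (1 byte), Type (1 byte), Length (2 bytes)
EAP_HDR = struct.Struct("!BBH")    # Code (1 byte), Identifier (1 byte), Length (2 bytes)


def build_eapol(ptype, body=b"", version=1):
    """Serialise an EAPOL packet; Start and Logoff carry no EAP data, so Length is 0."""
    return EAPOL_HDR.pack(version, ptype, len(body)) + body


def parse_eapol(raw):
    """Return (version, type, body) where body is exactly Length bytes.
    A Length that runs past the buffer raises instead of silently truncating."""
    if len(raw) < EAPOL_HDR.size:
        raise ValueError("short EAPOL header")
    version, ptype, length = EAPOL_HDR.unpack_from(raw)
    body = raw[EAPOL_HDR.size:EAPOL_HDR.size + length]
    if len(body) != length:
        raise ValueError("EAPOL Length %d exceeds the %d bytes present" % (length, len(body)))
    return version, ptype, body


def build_eap_identity(code, identifier, identity=b""):
    """EAP Identity request (empty identity) or response (carrying the user name)."""
    payload = bytes([EAP_TYPE_IDENTITY]) + identity
    return EAP_HDR.pack(code, identifier, EAP_HDR.size + len(payload)) + payload


def parse_eap(body):
    """Decode the EAP header; for Identity packets also return the identity string."""
    if len(body) < EAP_HDR.size:
        raise ValueError("short EAP header")
    code, ident, length = EAP_HDR.unpack_from(body)
    if length < EAP_HDR.size or length > len(body):
        raise ValueError("bad EAP Length %d" % length)
    eap = {"code": code, "id": ident, "type": None, "identity": None}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > EAP_HDR.size:
        eap["type"] = body[EAP_HDR.size]
        if eap["type"] == EAP_TYPE_IDENTITY:
            eap["identity"] = body[EAP_HDR.size + 1:length].decode("utf-8", "replace")
    return eap


def describe(raw):
    """One-line summary of an EAPOL packet, for checking a capture of the client's
    re-authentication: Start, Identity request/response, and finally Logoff."""
    version, ptype, body = parse_eapol(raw)
    if ptype != EAPOL_EAP_PACKET:
        return "EAPOL v%d %s" % (version, EAPOL_TYPE_NAMES.get(ptype, "type-%d" % ptype))
    eap = parse_eap(body)
    text = "EAPOL v%d EAP %s id=%d" % (version, EAP_CODE_NAMES.get(eap["code"], "?"), eap["id"])
    if eap["type"] == EAP_TYPE_IDENTITY:
        text += " Identity(%r)" % eap["identity"]
    return text


# Constructed sample exchange in the order the page describes: the client sends
# EAPOL-Start, the switch requests an identity, the client answers, and at logoff
# the client sends EAPOL-Logoff. The host name is a made-up placeholder.
SAMPLE_EXCHANGE = [
    build_eapol(EAPOL_START),
    build_eapol(EAPOL_EAP_PACKET, build_eap_identity(EAP_REQUEST, 1)),
    build_eapol(EAPOL_EAP_PACKET, build_eap_identity(EAP_RESPONSE, 1, b"host/client01.example")),
    build_eapol(EAPOL_LOGOFF),
]
```

Calling describe() on each frame of SAMPLE_EXCHANGE yields "EAPOL v1 Start", the Identity request and response, and "EAPOL v1 Logoff", which is the pattern to expect in a capture of one re-authentication cycle followed by a shutdown.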
Table 14–18 WPA Supplicant Log File Identifiers
starting to reset 802.1x registry setting
stating session live time
finished resetting 802.1x registry settings
class C8021X Monitor constructor
starting constructor
leaving constructor
reloading adapters
adding adapter to list to start supplicants
removing adapter from list to start supplicants
thread-id's of 802.1x threads
user logon/logoff
reassociating user (logon value %d)
starting CheckAndStopService
error opening service manager
service %s not running
error opening service %s
service status for service %s
error in status query for service %s
stopped service %s
error stopping service %s
finished waiting for service to stop
error in status query for service %s while waiting to stop
leaving CheckAndStopService...
user authentication
logging in as user username
reassociation loop
VLAN changed/unchanged, reassociate
switched 802.1x authentication successfully
waiting %d ms to retry new authentication
logging in as user username (set user event)
logging in as user username (reassociate event)
received killed event
starting ip renew helper
error allocating memory for GetAdaptersInfo...
This technical guideline is based on an engineering environment using the following components:
Table 14–19 Technical Guideline – Engineering Environment
Switch
Access Control Server
Barracuda Networks Secure Client
Radius Server
Additionally, the following tools have been used for analysis:
Table 14–20 Technical Guideline – Tools...
In order for the RADIUS authentication to succeed with the above-mentioned switch and software, "Authentication, Authorization and Accounting" needs to be disabled. This can be done by the following procedure:
Command:
• configure terminal: Enter global configuration mode
• no aaa accounting dot1x default group: Disable accounting for 802.1X.
• The message VPN Gateway not reachable via VPN tunnel is logged to the events window. Open the Expert tab (10.6.8 Advanced Settings Tab, page 143) and change from Adapter Configuration
• The message Session PHS: signature check failed (bad decrypt) is logged to the events window.
15.6 Parameter Lists Chapter 1 Introduction Chapter 2 Server Config – Access Control Service List 2–1 Access Control Server - Access Control Server Settings - System Health-Validator – section Trustzone (only available on CC) ..List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator –...
Chapter 6 Update or Migration Chapter 7 Uninstall Chapter 8 VPN Configuration Chapter 9 Barracuda NG Personal Firewall List 9–1 Firewall Settings > Protocol Option ..................List 9–2 Firewall Settings >...
15.7 Figures Chapter 1 Introduction Figure 1–1 Barracuda NG Network Access Client environment ..............Figure 1–2 Client-Server actions during connection, health validation and assigning network access .
Chapter 9 Barracuda NG Personal Firewall Figure 9–1 Windows 7 Windows Firewall and Action Center screens ............. . Figure 9–2 Rule set selection .
Chapter 13 Example Configuration Figure 13–1 Example configuration – environment ................Figure 13–2 Example configuration –...
Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate the software without problems or interruptions.
If you have purchased a Barracuda Networks Virtual Machine you may use the software only in the licensed number of instances of the licensed sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup copies of the Software. If you have purchased client software you may install the software only on the number of licensed clients.
10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use any such trademarks for any purpose. 11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written consent of Barracuda...
Energize Updates typically include Basic support. 20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release of any Software or Subscription and to alter prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Software or Subscriptions.
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
(if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.
Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the
Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it.
3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of
Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF GNU TERMS AND CONDITIONS Barracuda Networks Products may contain programs and software that are covered by the Lesser General Public License. The Lesser General Public License is re-printed below for your reference. Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc.
"this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language.
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License.
OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Barracuda Networks Products may contain programs and software that are covered by the Artistic License. The Artistic license is re-printed below for your reference. Preamble...
BSD license at: www.opensource.org/licenses/bsd-license.html, substituting the appropriate references in the template.) (end) Barracuda Networks Software may include programs that are covered by the Mozilla Public License Version 1.1 1. Definitions. 1.0.1 "Commercial Use" means distribution or otherwise making the Covered Code available to a third party.
Modifications made by that Contributor with its Contributor Version (or portions of such combination). (c) the licenses granted in Sections 2.2(a) and 2.2(b) are effective on the date Contributor first makes Commercial Use of the Covered Code.
(d) Notwithstanding Section 2.2(b) above, no patent license is granted: 1) for any code that Contributor has deleted from the Contributor Version; 2) separate from the Contributor Version; 3) for infringements caused by: i) third party modifications of Contributor Version or ii) the combination of Modifications made by that Contributor with other software (except as part of the Contributor Version) or other devices;...
30 days of becoming aware of the breach. All sublicenses to the Covered Code which are properly granted shall survive any termination of this License. Provisions which, by their nature, must remain in effect beyond the termination of this License shall survive.
8.2. If You initiate litigation by asserting a patent infringement claim (excluding declatory judgment actions) against Initial Developer or a Contributor (the Initial Developer or Contributor against whom You file such action is referred to as "Participant") alleging that: (a) such Participant's Contributor Version directly or indirectly infringes any patent, then any and all rights granted by such Participant to You under Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice from Participant terminate prospectively, unless if within 60 days after receipt of notice You either: (i) agree in writing to pay Participant a mutually agreeable reasonable royalty for Your past and future use of Modifications made by such Participant, or (ii) withdraw Your...
LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE." Barracuda Networks Products may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau, All rights reserved. It is covered by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
States and Austrian copyright laws and international treaty provisions. You may not remove any copyright, patent, or other proprietary notices from the Software. AMCC and Barracuda Networks or its suppliers may make changes to the Software, or to items referenced therein, at any time without notice, but is not obligated to support or update the Software. Except as otherwise expressly provided, AMCC grants no express or implied right under AMCC patents, copyrights, trademarks, or other intellectual property rights.
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the
Contributor by reason of your accepting any such warranty or additional liability. Barracuda Networks Products may contain programs and software that are copyright (c) 1990, 1993, 1994, 1995;The Regents of the University of California. All rights reserved.
INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY. Barracuda Networks Software may include programs that are covered by The Code Project Open License. The Code Project Open License is re-printed below for your reference. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. The Code Project Open License (CPOL) 1.02...
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CODE PROJECT OPEN LICENSE ("LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HEREIN, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE.
Work not specified herein. The Author shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Author and You.
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may include programs that are covered by the OpenLDAP Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following...
[including the GNU Public License.] Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2002 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1.
PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. Barracuda Networks Products may contain programs and software that are Copyright (c) 1996-2005, The PostgreSQL Global Development Group Portions Copyright (c) 1994, The Regents of the University of California Permission to use, copy, modify, and distribute this software and its documentation for any purpose, without fee, and without a written agreement is hereby granted, provided that the above copyright notice and this paragraph and the following two paragraphs appear in all copies.
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain SNMP programs and software that are covered in part by the license below: Various copyrights apply to this package, listed in 3 separate parts below. Please make sure to take note of all parts. Up until 2001, the project was based at UC Davis, and the first part covers all code written during this time.
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain programs and software that are covered by the License below. Preamble The intent of this document is to state the conditions under which a Package may be copied, such that the Copyright Holder maintains some semblance of artistic control over the development of the package, while giving the users of the package the right to use and distribute the Package in a more-or-less customary fashion, plus the right to make reasonable modifications.
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain programs and software that are Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy). Copyright (c) 2005 - 2008 CACE Technologies, Davis (California). All rights reserved.
HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
It is provided "as is" without express or implied warranty. Barracuda Networks Products may contain programs and software that are copyright (c) 2003-2008, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. This program is dual-licensed under both the GPL version 2 and BSD license.
IV) It is not allowed to remove this license from the distribution of the Vim sources, parts of it or from a modified version. You may use this license for previous Vim releases instead of the license that they came with, at your option. Barracuda Networks Products may contain programs and software that are covered by PSF LICENSE AGREEMENT FOR PYTHON 2.4 1.
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain programs and software that are Copyright (c) 2010, Intel Corporation, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
Barracuda Networks makes the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.