1. Barracuda Web Security Service - Overview Getting Started Step 1: Setting up your Barracuda Web Security Service Account...
Barracuda Web Security Service - Overview
Getting Started
Step 1: Setting up your Barracuda Web Security Service Account
Step 2: Download and Install Barracuda Web Security Agent
Automated Installation of Barracuda WSA
GPO Installation of Barracuda WSA from the Command Line
GPO Installation of Barracuda WSA from the Windows Interface
Installing the Barracuda WSA on a Macintosh
Manual Local Installation of Barracuda WSA from the Command Line
Step 3: Configuring Web Traffic
How to Configure Proxy Settings Using Group Policy Management
How to Configure Proxy Settings Using PAC Files and WPAD
How to Manually Configure Proxy Settings
Using a Login Script to Configure Web Browsers
Deployment Options
Redirecting Traffic Using Proxy Options
Barracuda Web Security Agent for Remote Users
Release Notes - Barracuda Web Security Agent for Macintosh
Release Notes - Barracuda Web Security Agent for Windows
Using the Barracuda Web Security Agent
Fallback Service Hosts and the Barracuda Web Security Service
Using the Barracuda Web Security Gateway
Barracuda Web Security Gateway Deployment Configurations
Configuring the Barracuda Web Security Gateway
Enforcement Mode, IP Configuration and Static Routes with Barracuda WSG
Firmware Upgrade, Support, and System Reload/Shutdown with Barracuda WSG
IP Blocking and IP Exemption with Barracuda WSG
Proxy and Caching with Barracuda WSG
Using SNMP with Barracuda WSG
How to Use eDirectory with the Barracuda Web Security Gateway
Barracuda Web Security Service Architectures - Summary
Authentication with the Barracuda Web Security Service
How to Configure Authentication
Directory Upload
Barracuda Networks Directory Sync
Group Information and GPO Proxying
Manually Creating and Managing Groups
Authentication with the Barracuda Web Security Gateway
LDAP Authentication Management
NTLM Authentication Management
Kerberos Authentication Management
Creating Rules for the Barracuda Web Security Service
Order of Execution within Rules
Blocking or Allowing Access within a Rule
Enforcing Safe Search with a Rule
The Purewire Intelligence WebDAV DLL Hijack Rule Option
Allowing or Blocking Specific Objects on a Website
Enforcing Schedules or Quotas
Actions Taken for Traffic Matching a Rule
How to Configure Rules
Composite Rules
Whitelist and Blacklist Rules
Schedule and Quota Rules
Actions on Violation of a Rule
Web Use Categories in the Barracuda Web Security Service
Managing Content Filtering Services
Generating Reports
How to Use Immediate Reports
How to Use Scheduled Reports
Monitoring Barracuda Web Security Service Activity
Administering the Barracuda Web Security Service
8.1 Administrators and Role-based Administration
Important Web Security Service Update - September
Key Management
Setting the System Time Zone
Advanced Configuration
Barracuda Safe Browser Setup Guide - With the Barracuda Web Security Service
How to Configure YouTube for Schools
Remote Filtering for Offsite and Mobile Users
Limited Warranty
Barracuda Web Security Service - Overview

Many cybercriminals have shifted from spam to using web-based malware to attack networks. The Barracuda Web Security Service is a cloud-based web filtering and security service that quickly gives administrators all the information and policy enforcement tools needed to isolate users from Internet threats, conserve network bandwidth and filter content for compliance and productivity.

Getting Started
- Step 1: Setting up your Barracuda Web Security Service Account
- Step 2: Download and Install Barracuda Web Security Agent
- Step 3: Configuring Web Traffic

Downloads
- Barracuda Web Security Service Quick Start Guide
- Barracuda Web Security Gateway Quick Start Guide

Getting Started

Recommended Steps

Barracuda Networks recommends first reviewing Deployment Options. When you've determined the right deployment, you're ready to install and configure the Barracuda Web Security Service:
- Step 1: Setting up your Barracuda Web Security Service Account
- Step 2: Download and Install Barracuda Web Security Agent
- Step 3: Configuring Web Traffic

Step 1: Setting up your Barracuda Web Security Service Account

In this article:
- Setting Up Your Service
- Select a Deployment Option
- Create an Authentication Key
- Download and Install the Barracuda Web Security Agent (WSA) Software (optional)
- Forward Traffic

Related Articles
- Using the Barracuda Web Security Agent
- Barracuda Web Security Gateway Deployment Configurations

Setting Up Your Service

1. Go to [URL not preserved].
2. Select Barracuda Web Security Service.
3. Enter the Serial Number and Linking Code you received, and create a Barracuda Cloud Control account, or sign in if you already have an account.
4. Note the Service Host URL that appears on the SUPPORT tab. You must enter this URL later to forward traffic to Barracuda Web Security Service.
Select a Deployment Option

Use one of the following deployment options to forward traffic to the Barracuda Web Security Service:
- Direct to the Barracuda Web Security Service: Directly proxy your web traffic using web browser proxy settings, or transparently forward traffic from any network firewall or proxy that supports forwarding to an upstream proxy.
- Barracuda Web Security Agent (WSA): Protect remote and roaming users by routing all web traffic from Windows or Mac laptops or desktops through the Barracuda Web Security Service. The Barracuda WSA is installed silently so it is undetected by the end user. For more information about this option, see Using the Barracuda Web Security Agent.
- Barracuda Web Security Gateway (WSG): Enforce policies locally or forward web traffic to the Barracuda Web Security Service for enforcement using the Barracuda Web Security Gateway hardware appliance. This option can provide on-network security, caching, application blocking, and integration with directory services like LDAP/AD, NTLM and Kerberos. For WSG deployment options, see Barracuda Web Security Gateway Deployment Configurations.

Create an Authentication Key

If you proxy traffic directly to the Barracuda Web Security Service, create an IP address authentication key based on your external IP address. Important: You must use a static external IP address.

1. In the Barracuda Web Security Service Manager, go to CONFIGURATION > Key Management, and click Add New Key.
2. Type a Name for the authentication entry.
3. Select the IP Address option; enter the static IP Address.
4. Then click Save Changes.

If you are deploying a Barracuda WSA, create an Authentication Key using the Barracuda Web Security Service that you will enter during the Barracuda WSA installation so the Barracuda Web Security Service can identify traffic from your computer.

1. In the Barracuda Web Security Service Manager, go to CONFIGURATION > Key Management, and click Add New Key.
2. Type a Name for the authentication entry.
3. Select the Barracuda Web Security Gateway/Web Security Agent option; copy the value in the Key field, which you will enter during Agent installation.
4. Click Save Changes.
5. Skip down to Download and Install the Barracuda WSA Software.

If you are deploying a Barracuda Web Security Gateway, you need not create an associated authentication key. One will be created automatically when you register your WSG with the Barracuda Web Security Service.

Download and Install the Barracuda Web Security Agent (WSA) Software (optional)

You can deploy Barracuda WSA software for protecting remote machines at any time. The Barracuda WSA can be downloaded from the SUPPORT tab Download page. Install the Barracuda WSA on each PC that you want to filter through the Barracuda Web Security Service. During installation, you will be prompted to enter the Service Host URL you noted from the Barracuda Web Security Service Manager Support tab, and the Authentication Key you already created. After installation completes, the Barracuda WSA forwards traffic from your computer to the Barracuda Web Security Service, which properly associates the traffic with your account.

Forward Traffic

To proxy traffic directly to the Barracuda Web Security Service, you must configure your web browser proxy settings to point to the Barracuda Web Security Service. One simple way is to configure your web browser connection settings for an upstream HTTP proxy on port 8080 and an upstream HTTPS proxy on port 8443. Use the Service Host URL you noted earlier from the Support tab in the Barracuda Web Security Service Manager.

Note: Support for port 8443 is not currently available with the iwsa for the Macintosh.

For detailed instructions, see Step 3: Configuring Web Traffic.

Step 2: Download and Install Barracuda Web Security Agent
Installing the Barracuda Web Security Agent (WSA)

Read the latest Release Notes for the Barracuda WSA for Windows or the Release Notes for the Barracuda WSA for Macintosh.

The Barracuda WSA is an optional feature that installs on remote users' computers and directs that traffic to the Barracuda Web Security Service to detect and block malware and to allow secure web browsing access. The agent can be installed on and direct traffic from any computer and any location, as well as providing compliance with the web access and security policies of your organization.

You can install the Barracuda WSA for Windows either from the command line, using the automated installation option with an MSI or EXE file, or using Windows GPO. You can install the Barracuda WSA for Mac using the Macintosh installation program. You can download the installation files for MS Windows or Macintosh using the following steps:

1. If you are not already in the Barracuda Web Security Service Manager interface, click Barracuda Web Security Service at the top of the Barracuda Cloud Control account screen. The Barracuda Web Security Service Manager interface appears on the screen.
2. From the SUPPORT tab of the Barracuda Web Service Manager, select the version you want to download to your system.
Related Articles
- Configuration Tool for Barracuda WSA Windows Client
- Step 2: Download and Install Barracuda Web Security Agent
- Using the Barracuda Web Security Agent

For detailed installation instructions for Automated Installation, Command Line Installation, GPO Installation, or installing on a Mac, use the instructions below:
- Automated Installation of Barracuda WSA
- GPO Installation of Barracuda WSA from the Command Line
- GPO Installation of Barracuda WSA from the Windows Interface
- Installing the Barracuda WSA on a Macintosh
- Manual Local Installation of Barracuda WSA from the Command Line

Automated Installation of Barracuda WSA

Automated Installation

The Barracuda WSA is designed to support automated installation processes in place in many organizations for managing software deployments. The Barracuda WSA installation program is available as an MSI or an EXE file for flexibility in deployment methods. This section explains a method for creating a self-executing zip file using free tools. You can use this file to automatically pass installation parameters to the Barracuda WSA setup program. Similar processes support MSI installation methods. Consult the documentation for your software deployment solution for details on how to use a typical MSI or EXE installation program.

Requirement for Automated Installation

You must have a file archiving utility capable of creating a self-extracting .exe file. You must have Microsoft .NET framework installed before you install the Barracuda WSA using the MSI installation method. The MSI file does not install the .NET framework for you. If you do not install the .NET framework before you begin installation with the .msi file, a message appears prompting you to download and install the .NET framework and then install the Barracuda WSA.

Set Up the Directory

To set up the installation directory:

1. Create a directory for the setup program (for example: c:\barracudawsa).
2. Copy the Barracuda WSA setup file to the directory. See page 111 for more information on downloading files.
3. Create a setup.bat file to execute the setup program. Example (type all on one line):

   C:\barracudawsasetup.msi" /qb! /lvmo c:\setup.log AUTH_KEY= SERVICE_URL=pleproxy.purewire.com SERVICE_PORT=8080 DEFAULT_BEHAVIOR=2 ADS=1 USER_MODE=0

4. Put the setup.bat file in your setup program directory.

The Barracuda WSA uses a Service Host URL provided on the SUPPORT tab of the Barracuda Web Security Service Manager. To find the SERVICE_URL value for the setup.bat installation file, log into the Barracuda Web Security Service Manager, select the SUPPORT tab, and retrieve the Service Host URL.

Create a Compressed File

Use Windows Explorer to create a compressed file from the setup program directory that contains the Barracuda WSA setup program and your setup.bat file.

Create a Self-Extracting Archive

Use the file archive utility EXE creator to create a self-extracting file of the compressed directory.

Deployment

The self-extracting installation program may now be distributed via login script, network share, or other means for automated installation of the Barracuda WSA.

GPO Installation of Barracuda WSA from the Command Line

The Barracuda WSA can be pushed to a group of remote computers using a GPO from the command line with a batch file. The batch file simply needs to contain one line, indicating the name of the msiexec file that executes the .msi file used to install the application, and any options you specify per the table below. You can download the .msi installer file from the SUPPORT > Downloads page in the Barracuda Web Security Service.
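A batch line like the ones in this section can be checked before it is distributed. The following Python linter is an added example, not Barracuda's code: it reports settings that let an end user stop or remove the agent, secrets exposed in the script, and wide BYPASS entries, using the defaults and BYPASS guidelines from the option tables on this page. The sample command lines, the placeholder key, the finding codes and the breadth heuristic are assumptions of the example.

```python
import re

# Defaults taken from the option tables on this page.
DEFAULTS = {"ADS": "1", "ALLOW_REMOVE": "1", "WD": "0", "DEBUG": "0"}
PROP_RE = re.compile(r'\b([A-Z_]+)=("[^"]*"|[^\s"]*)')
LOG_RE = re.compile(r'(?:^|[\s"])/l[a-z*!+]*\s', re.IGNORECASE)

# Constructed sample, modelled on the page's "Example using various options".
WEAK = (r'BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn '
        r'AUTH_KEY=PLACEHOLDER-KEY ALLOW_REMOVE=1 ADS=1 '
        r'BYPASS=10.*.*.*;.com;.intranet.example.com PASSWORD=pass"')
# Constructed sample with the tamper-related options tightened.
TIGHT = ('msiexec /i barracudawsasetup.msi /qn AUTH_KEY=PLACEHOLDER-KEY '
         'ADS=0 ALLOW_REMOVE=0 WD=1 BYPASS=192.168.1.*;.intranet.example.com')


def parse_properties(cmdline):
    """Return {NAME: value} for each NAME=value property on the command line."""
    return {name: value.strip('"') for name, value in PROP_RE.findall(cmdline)}


def _is_ip_pattern(entry):
    parts = entry.split(".")
    return (len(parts) == 4 and parts[0].isdigit()
            and all(p.isdigit() or p == "*" for p in parts[1:]))


def bypass_matches(entry, host):
    """Apply the page's BYPASS guidelines to one entry and one host or IP."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):          # the page's own example uses this form
        entry = entry[1:]
    if entry.startswith("."):           # dot entry: suffix match
        return host.endswith(entry)
    if _is_ip_pattern(entry):           # '*' stands for any value in that octet
        octets = host.split(".")
        return len(octets) == 4 and all(
            e in ("*", o) for e, o in zip(entry.split("."), octets))
    return entry == host                # plain names must match exactly


def bypass_is_broad(entry):
    """Heuristic (an assumption of this example): flag entries that exempt a
    whole top-level domain, or that wildcard two or more octets."""
    if entry.startswith((".", "*.")):
        return len(entry.lstrip("*.").split(".")) < 2
    return entry.split(".").count("*") >= 2


def lint(cmdline):
    """Return a list of (code, message) findings for one install command line."""
    props = parse_properties(cmdline)
    eff = {**DEFAULTS, **props}         # unset options fall back to defaults
    findings = []
    if eff["ADS"] == "1":
        findings.append(("ADS", "users can stop the agent from the WSA Monitor"))
    if eff["ALLOW_REMOVE"] == "1":
        findings.append(("ALLOW_REMOVE", "agent can be removed via Add/Remove Programs"))
    if eff["WD"] == "0":
        findings.append(("WD", "watchdog off; test WD=1 before rollout, as the page warns"))
    if eff["DEBUG"] == "1":
        findings.append(("DEBUG", r"debug information is written to c:\windows\temp\wsatraffic.log"))
    secrets = [k for k in ("AUTH_KEY", "PASSWORD") if props.get(k)]
    for key in secrets:
        findings.append(("SECRET_" + key, key + " is readable by anyone who can read the script"))
    if secrets and LOG_RE.search(cmdline):
        findings.append(("LOG", "installer log enabled; check it does not record " + ", ".join(secrets)))
    for entry in filter(None, props.get("BYPASS", "").split(";")):
        if bypass_is_broad(entry):
            findings.append(("BYPASS_BROAD", entry + " exempts a wide range from filtering"))
    return findings


if __name__ == "__main__":
    for name, line in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name)
        for code, msg in lint(line):
            print("  %-15s %s" % (code, msg))
```

Because the batch file sits on a share that every target machine can read, the SECRET_ findings remain even for the tightened line; they are a prompt to limit who else can read that share.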
Step 1: Download the MSI Windows Installer Package and create an MST file

1. Log in to the Barracuda Web Security Service interface with the administrator credentials.
2. Navigate to the SUPPORT > Downloads page.
3. Log on to the server computer as an administrator.
4. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. To push the Barracuda WSA in the Windows domain, the desired clients must have access to this shared folder.
5. Click on the Barracuda WSA for Windows (msi) link. Save the MSI installer file in the shared folder on the network.
6. Create a one-line batch file (per the syntax in the example below) and save the file on a network shared folder that is accessible to all remote computers you want to monitor. Include the options and arguments per the table below.
7. Create a GPO container for all users / machines to which you want to push the application.
8. Create a GPO with the Windows GPO editor.
9. In the GPO editor, select either startup or shutdown to trigger when the GPO installs the application on the remote machine.
10. Add the batch file (script) you saved in the shared folder. The application should then install silently on the remote machine when the user either logs in or shuts down the machine.

Example of the command line to put into the batch file:

   C:\kworking\barracudawsasetup.msi /qb /lvmo c:\kworking\bar_setup.log AUTH_KEY=0E733C7CA8F F C569E4D5703 SERVICE_URL=pleproxy.purewire.com SERVICE_PORT=8080 DEFAULT_BEHAVIOR=2 ADS=1 USER_MODE=0 RebootYesNo="No" REBOOT="Suppress"

Command Line Arguments and Options

Use the following arguments and options to control the configuration of Barracuda WSA.
Arguments:
- s runs Setup.exe in silent mode (no dialog boxes).
- v passes the /qn (no UI) parameter to the installer, which runs the executable in silent mode.

The following table describes additional options:

Option and Description

ALLOW_REMOVE
  1 (Default) Allow removal of Barracuda WSA using Add/Remove Programs.
  0 Do not allow Barracuda WSA to be removed using Add/Remove Programs.

ALLOW_UPDATE
  1 (Default) Allow user to manually update through the Barracuda WSA Monitor and Configuration Tool.
  0 Do not allow the user to manually update.
  Note: This has no effect on automatic updates.

APPLICATIONS
  A pipe-delimited list of client applications to be filtered on all ports.
  Example: APPLICATIONS=iexplore.exe|firefox.exe

EXCEPTIONS
  If there are specific applications from which you don't want to capture any traffic, type them in as a pipe-delimited list.

BLOCKS
  A pipe-delimited list of applications to be blocked by Barracuda WSA.
  Example: BLOCKS=blockexe blockexe

BYPASS
  A semi-colon-delimited list of network addresses that will bypass filtering, such as trusted internal networks.
  Guidelines:
  - Use a * in any octet (except the first) to indicate any.
  - Bypass entries that begin with a dot (.) will match any URL ending with a dot and the subsequent string(s). For example, if you use *.example.com as a bypass entry, any URL that ends with .example.com will bypass the proxy.
  - URL names that begin with a string (and not a dot) must match the string exactly.

CPU (CPU Monitor)
  1 means the CPU monitor is on.
  0 means the CPU monitor is off.
  Turning this feature on enables the administrator to see if there is any CPU loading issue.

PASSWORD
  The password users must know to configure, stop or start the Barracuda WSA.

USER_MODE
  0 (Default) Indicates ordinary operation. The Barracuda WSA Monitor appears in the task tray and the Configuration tool appears in the Program Files menu.
  1 Runs Barracuda WSA in Silent mode.

SERVICE_PORT
  The port number through which the Barracuda WSA communicates to the Barracuda Web Security Service. This parameter follows SERVICE_URL.
  Example: SERVICE_PORT=8443

SERVICE_URL
  The URL of the Barracuda Web Security Service, followed by SERVICE_PORT and port number. The URL can be a domain name or IP address.
  Example: SERVICE_URL=pleproxy.purewire.com SERVICE_PORT=8443

SERVICE_MODE
  1 (Default) Using Barracuda WSA with the Barracuda Web Security Service as the host.
  2 Using Barracuda WSA with Barracuda Web Filter.
  Example: SERVICE_MODE=1

TDC (Temporary Disable Count)
  The number of times a user can use the Temporarily disable service feature. The default is 3 times, and then the user must reboot to reset the counter to 0.

TDT (Temporary Disable Timeout)
  The number of minutes the user can temporarily disable the Barracuda WSA. The 'timeout' refers to the end of the allowable Temporarily disable service period. Default is 5 minutes.

DISABLE_AUTOMATIC_UPDATES
  1 Disables automatic updates. Barracuda WSA will not check regularly for updates.
  0 (Default) Enables automatic updates.

DEFAULT_BEHAVIOR
  1 Forwards all application traffic to ports 80 and 443 for filtering.
  2 (Default) Application traffic bypasses filtering, except for the applications to filter that you specify.
  3 Blocks all application traffic except for applications you specify for filtering, which are forwarded.
PROXY_EXCEPTIONS
  A semi-colon-delimited list of network addresses to specify proxy exceptions for internal proxies that should be reachable by Barracuda WSA clients for internal proxying and filtering.
  Guidelines:
  - Use a * in any octet (except the first) to indicate any.
  - Entries that begin with a dot (.) will include any URL that matches the dot and subsequent string(s). For example, if you use *.example.com as a proxy exception entry, any URL that ends with .example.com will bypass the proxy.
  - URL names that begin with a string (and not a dot) must match the string exactly.

GPO Installation of Barracuda WSA from the Windows Interface

Installing Barracuda WSA Using GPO Deployment

If you install using GPO Deployment, you will need to Update/Redeploy using GPO, and Uninstall using GPO. To install the Barracuda WSA, do the following:

1. Create an MST file from the MSI Windows installer package of WSA using the ORCA tool. To create an MST file, log into your Windows Server as administrator, and create a shared folder. This is the distribution point on the network where you will have the installer package you want to distribute and apply.
2. Log in to the Barracuda Web Security Service and download the WSA MSI installer package from the SUPPORT tab Downloads. Save the downloaded installer package in the shared folder you created above.
3. Download the ORCA tool. This tool transforms the .msi file into a .mst file if you perform the following steps:
   a. Launch ORCA and click on File > Open to open the downloaded MSI installer.
      i. Set the property Service_Mode to
      ii. Set the property AUTH_KEY to the default Auth Key found on the CONFIGURATION > Key Management page of the Barracuda Web Security Service.
      iii. Set the property SERVICE_URL to the Service Host found on the SUPPORT tab of the Barracuda Web Security Service.
      iv. The property USER_MODE should be set to 0 for normal mode, and 1 for silent mode.
      v. Set the SERVICE_PORT to
   b. After setting the above properties according to your configuration, select Transform > Generate Transform, saving the .mst file in the folder with the Barracuda WSA MSI installer file.
4. Deploy the Barracuda WSA application through Active Directory by creating a GPO and applying a GPO policy. To deploy the Barracuda WSA application using GPO deployment, you need to create a container or Organizational Unit (OU), then create a GPO which you link to that OU and apply the GPO policy.
   a. Using your Windows Server Start menu, open Administrative Tools > Active Directory Users and Computers, which displays the active directory domain users and computers.
   b. Select the domain where you want to add your OU, and right click, choosing New > Organizational Unit. You need to name your Organizational Unit, and unselect Protect container from accidental deletion, because you may want to delete the OU later.
   c. Now you need to associate the USERS accounts or COMPUTERS accounts to your newly created OU where you will apply policies. You can add them to the created OU, move them from the existing USERS or COMPUTERS account to the new container (though this option prompts a warning), or create them in the OU.
   d. Finally, you need to create a GPO and link it to the new OU you created. Use the Windows Server Start menu, Administrative Tools > Group Policy Management and select your new OU; then right click, selecting Create a GPO in this domain, and Link it here...
   e. Select your GPO and right click, selecting Edit to open the Group Policy Management Editor.

You need to decide whether to use User Configuration or Computer Configuration to specify which domain elements your GPO policy will apply to. User Configuration applies the policy to the users in your GPO whenever they log into any computer. Computer Configuration applies the policy to any user who logs into the computer in your GPO.

To apply your software installation, select Software installation from User Configuration or Computer Configuration, depending on your desired configuration, and right click, selecting New > Package. You will need to specify the full UNC path of the shared installer package you want (for example \\server2008\common\barracudawsasetup.msi) as the Filename of the Windows installer package, then Open the package. Select the Advanced deployment method, which allows you to add modifications to the msi file created using ORCA.

For Computer Configuration: From the Modifications tab, use Add to add the MST file, typing the full Universal Naming Convention (UNC) path of the MST transform file (for example: \\server2008\common\wsa.mst) and then Open. The Barracuda WSA will now appear in the right pane of your Group Policy Management Editor.

Assigned vs Published Deployment Type for Users

If you decide to use User Configuration, you need to choose the deployment type for users from the Deployment tab:

- Assigned: Distributes software to users, but does not install it on their system. When software is assigned to a user it 'follows' them by providing shortcuts on the Programs menu of every machine they log into. If the user clicks on the shortcut, only then is the application actually installed on that system. You can select the checkbox Install this application at logon if you want the software to install (run the GPO policy) when the user logs in.
- Published: Adds the application to the Add/Remove programs section of the control panel, and allows the user to install the application if necessary. Unlike Assigned software, it does not appear to be installed. A published application can be installed via document invocation, as when a user clicks on a zip file: WinZip would install had it been published to the user.

Now you need to apply your GPO policy. To apply your GPO policy, open a command prompt, and Run it as administrator. To force update the Group Policy use the command:

   C:\Users\Administrator> gpupdate /Force

The Barracuda WSA will be installed on the computers when they reboot or apply to users when they log in. For Computer Configuration policy, the GPO policy applies at reboot, and the Barracuda WSA application is installed then. For User Configuration policy, installation depends on the deployment type setting. Refer to Assigned vs Published Deployment Type for Users for more information.

To verify that the Barracuda WSA has been installed, look for the Barracuda WSA icon in your system tray, or in the Add/Remove Programs list using your Control Panel.

An application that has been installed through GPO can only be effectively uninstalled through GPO or it will reappear on your computer at reboot or user login. Also, you should turn off the Barracuda WSA Auto-Update feature for a Barracuda WSA installed using GPO Deployment, as updates should be done through GPO as well.

Installing the Barracuda WSA on a Macintosh

Read the latest Release Notes - Barracuda Web Security Agent for Macintosh.

System Requirements for Macintosh

You can install the Barracuda WSA on Macintosh systems that meet the following requirements:
- Version 10.5 (Leopard) or later operating system
- 50MB memory (10.5 requires 512MB, 10.6 requires 0GB)
- 5 GB RAM
- Intel or Power PC G4 or G5 processor
- 30 MB free disk space

Installation On Client Machine

1. Navigate to the SUPPORT tab of the Barracuda Web Security Service Manager.
2. In the Downloads section of the page, select the Barracuda Web Security Agent for Macintosh (dmg) link for the Macintosh OS-X.
3. Launch the installer on the Macintosh and follow on-screen instructions.
Command Line Installation (Remote)

Use these instructions to install the Barracuda WSA remotely via an ssh session to the client (target machine).

1. Connect to the target machine using ssh:

   ssh laptop.mycorp.com

2. Download the Barracuda WSA installer disk image from an accessible web server using the curl file transfer tool (alternately, use sftp or another file transfer tool to copy it over):

   cd /tmp
   curl -O

3. Mount the downloaded disk image.

   hdiutil attach '/tmp/wsa for Macintosh.dmg'

4. Run the installer with admin privileges. If you don't have root privileges, you'll need to use sudo:

   sudo installer -pkg '/Volumes/WSA for Macintosh/Barracuda WSA Installer.mpkg' -target /

   You will be prompted for the password. The installer will take about 1-2 minutes to complete. The output should look like this:

   installer: Package name is Barracuda WSA
   installer: Upgrading at base path /
   installer: The upgrade was successful.
   installer: The install requires restarting now.

5. Edit the Barracuda WSA settings. Since the remote install doesn't present a web interface, there is no way to unselect certain components during installation; everything is installed. Currently the only setting configurable for the client is silent mode. To activate silent mode, you'll need to remove the following components:

   sudo rm -rf '/Library/Application Support/Barracuda WSA/WSA Notifier.app'
   sudo rm -rf '/Library/PreferencePanes/Barracuda WSA.prefPane'

6. Apply initial settings. One way to do this is to copy a pre-configured settings file from another system to the target machine. You'll need to copy the file as follows to ensure the permissions are correct:

   sudo cp mysettings.dat '/Library/Application Support/Barracuda WSA/WSA Settings.dat'

   Alternately, you can use the following command to make the necessary changes:

   cd '/Library/Application Support/Barracuda WSA'
   sudo wsa_admin --product Flex --webfilter pleproxy.purewire.com --authkey ABCDEF

   You can use --help to show other options for wsa_admin; however, many settings will be undone after the first synchronization.

7. Reboot the machine.

   sudo shutdown -r now

   You will be disconnected after a short period.

To update the Barracuda WSA for Macintosh remotely via ssh, follow the same set of instructions as shown above, but skip step 6, since the client machine should already be configured with the Barracuda Web Security Service IP address.

To Uninstall the Barracuda Web Security Agent

You can uninstall the iwsa for Macintosh in one of these three ways:
- You can mount the Barracuda WSA installer image from the original disk or disk image file (.dmg) and choose Uninstall.
- If you used the default install, you can launch the uninstaller from /Library/Application Support/Barracuda WSA.
- Running as root from the command line, you can navigate into the Uninstaller.app and invoke the uninstall.sh script directly (located in /Library/Application Support/Barracuda WSA/Uninstaller.app).

Manual Local Installation of Barracuda WSA from the Command Line

Before beginning the installation, you must have:
- the Auth Key you created for the Barracuda WSA in the Barracuda Web Security Service Manager, and
- the Barracuda Web Security Service Service Host URL that was provided to you by Barracuda Networks or your Barracuda Networks partner.

See Setting Up Your Barracuda Web Security Service Account if you don't have these yet.

Command Line Example

At the command line, type the following all on one line:

   BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=<paste the auth key here with no brackets> SERVICE_URL=proxy.example.com"

Arguments and Options

Use the following arguments and options to control the configuration of the Barracuda WSA.

Arguments:
- s runs Setup.exe in silent mode (no dialog boxes).
- v passes the /qn (no UI) parameter to the installer, which runs the executable in silent mode.

You can set the USER_MODE switch to 1 for silent operation (the end user will not see the Barracuda WSA icon in the System Tray or Start Menu).

The following table describes additional options:

Option and Description

ADS (Allow Disable Service)
  1 (Default) Allow user to disable Barracuda WSA using the Stop and Start service in the Barracuda WSA Monitor.
  0 Do NOT allow users to stop and start Barracuda WSA from the Barracuda WSA Monitor.

ALLOW_REMOVE
  1 (Default) Allow removal of Barracuda WSA using Add/Remove Programs.
  0 Do not allow Barracuda WSA to be removed using Add/Remove Programs.

ALLOW_UPDATE
  1 (Default) Allow user to manually update through the Barracuda WSA Monitor and Configuration Tool.
  0 Do not allow the user to manually update.
  Note: This has no effect on automatic updates.

APPLICATIONS
  A pipe-delimited list of client applications to be filtered on all ports.
  Example: APPLICATIONS=iexplore.exe|firefox.exe

ATDS (Allow Temporary Disable Service)
  1 Displays option in Barracuda WSA Monitor for user to temporarily disable Barracuda WSA for five minutes at a time, no more than three times. Reboot is required to reset the counter.
  0 Hides the option to temporarily disable Barracuda WSA from the Barracuda WSA Monitor.

AUTH_KEY
  The Barracuda Web Security Service authentication key (generated on the Barracuda Web Security Service web interface).
  Note: This is only needed when you are using Barracuda Web Security Service (SERVICE_MODE=1).

BLOCKS
  A pipe-delimited list of applications to be blocked by Barracuda WSA.
  Example: BLOCKS=blockexe blockexe
13 BYPASS A semi-colon-delimited list of network addresses that will bypass filtering, such as trusted internal networks. Guidelines: Use a * in any octet (except the first) to indicate any. Bypass tries that begin with a dot (.) will match any URL ding with a dot and the subsequt string(s). For example, if you use *.example.com as a bypass try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. DEBUG 1 Enables Debug mode. The file: c:\windows\temp\wsatraffic.log stores debug information. 0 (Default) Disables Debug mode. DEFAULT_BEHAVIOR 1 Forwards all application traffic to ports 80 and 443 for filtering. 2 (Default) Application traffic bypasses filtering, except for the applications to filter that you specify. 3 Blocks all application traffic except for applications you specify for filtering, which are forwarded. DISABLE_AUTOMATIC_UPDATES 1 Disables automatic updates. Barracuda WSA will not check regularly for updates. 0 (Default) Enables automatic updates. EXCEPTIONS A pipe-delimited list of applications to bypass filtering. Example:EXCEPTIONS=appexe appexe LANG By default, Barracuda WSA uses the language indicated by the language setting of the clit computer. You may select an alternate language using the following language codes: German: de-de Japanese: ja-jp Dutch: nl-nl Chinese: zh-cn Chinese Traditional: zh-tw Portuguese: pt-br Spanish: es-es English: -US Example:LANG=de-DE PASSWORD PROXY_EXCEPTIONS SERVICE_MODE The password users must know to configure, uninstall, or stop/start the Barracuda WSA. A semi-colon-delimited list of proxy exceptions which includes internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering. These must be exact IP addresses or host names. Example: PROXY_EXCEPTIONS= ;proxy.mycompany.com 1 (Default) Using Barracuda WSA with the Barracuda Web Security Service. 
2 Using Barracuda WSA with Barracuda Web Filter.
Example: SERVICE_MODE=1
SERVICE_PORT
The port number through which the Barracuda WSA communicates to the Barracuda Web Security Service or the Barracuda Web Filter. This parameter follows SERVICE_URL. Example: SERVICE_PORT=8443

SERVICE_URL
The URL of the Barracuda Web Security Service or Barracuda Web Filter, followed by SERVICE_PORT and port number. The URL can be a domain name or IP address. Example: SERVICE_URL=pleproxy.purewire.com SERVICE_PORT=8443

TDC (Temporary Disable Count)
The number of times a user can use the Temporarily disable service feature. The default is 3 times, and then the user must reboot to reset the counter to 0.

TDT (Temporary Disable Timeout)
The number of minutes the user can temporarily disable the Barracuda WSA. The 'timeout' refers to the end of the allowable Temporarily disable service period. Default is 5 minutes.

USER_MODE
0 (Default) Indicates ordinary operation. The Barracuda WSA Monitor appears in the task tray and the Configuration tool appears in the Program Files menu.
1 Runs Barracuda WSA in Silent mode.

WD
1 Enables the watchdog feature, preventing the removal of Barracuda WSA through tampering with registry settings or network settings.
0 (Default) Disables the watchdog feature.
Warning: Test this setting before deploying into your environment, as locking down network settings and the registry can produce unwanted side effects in your system.

Example using various options:

    BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn AUTH_KEY= ALLOW_REMOVE=1 EXCEPTIONS=chrome.exe safari.exe APPLICATIONS=explorer.exe firefox.exe BYPASS=1110;*.purewire.com;19168.* ADS=1 PASSWORD=pass"

The above example also writes a log file to the setup directory called setup.log.

Step 3: Configuring Web Traffic

Overview
To enforce configured web rules in the cloud, you must route end user traffic through the Barracuda Web Security Service.
You can configure web browsers to send web traffic either:
directly to the Barracuda Web Security Service, or
to the Barracuda Web Security Gateway, which forwards traffic to the Barracuda Web Security Service

Prerequisite: Create an Authentication Key
Before you configure the web browsers, you must create an Auth Key in the Barracuda Web Security Service for your site's Internet-facing IP address. See Step 1: Setting up your Barracuda Web Security Service Account for instructions.

Methods
There are multiple methods for configuring the web browsers. You can use a proxy auto-config (PAC) file to instruct your client web browsers to
point to the Barracuda Web Security Service or the Barracuda Web Security Gateway when they are on the network. You can push PAC files out in Microsoft Internet Explorer by using a Group Policy (GPO). Also, you can configure Internet Explorer or Firefox to use a PAC file. Or you could create a login script (WinNT4) to set users' proxy settings. You may already have a preferred method for distributing changes to users.

Configuring Proxy Settings
In most cases, you can configure the proxy using your preferred method by following the instructions below:
How to Configure Proxy Settings Using Group Policy Management
How to Configure Proxy Settings Using PAC Files and WPAD
How to Manually Configure Proxy Settings
Using a Login Script to Configure Web Browsers

How to Configure Proxy Settings Using Group Policy Management

To configure proxy settings using Group Policy Management with the Barracuda Web Security Service, first configure your group policy object using the Microsoft Group Policy Management Tool. Click Start > All Programs > Administrative Tools > Group Policy Management. This snap-in is not available by default; you must download it from Microsoft or use the Active Directory Users and Computers method.

Using the Microsoft Group Policy Management Tool

Create a New Group Policy Object (GPO)
In the Group Policy Management window, under Domains, right-click the domain name.
Select Create and Link a GPO Here. The New GPO window appears.
Enter an intuitive Name for the GPO, such as Web Security Service Proxy Policy.
Click OK.

Change the GPO Status
The new GPO appears in the left pane under the specified domain.
Select the policy proxy GPO. In the right pane, click the Details tab, and then change the GPO Status to User configuration settings disabled. This minimizes the parts of the GPO that are applied, so that users can log on more quickly.

Edit the GPO
In the left pane, right-click the proxy policy GPO, then click Edit.
In the Group Policy window, in the left pane:
Select User Configuration.
Select Windows Settings.
Select Internet Explorer Maintenance.
Select Connection, then double-click Automatic Browser Configuration in the right pane.

On the Automatic Configuration tab:
Select Automatically detect configuration settings and Enable Automatic Configuration.
Enter an interval in the Automatically configure every checkbox.
Enter the Barracuda Web Security Gateway's URL, followed by /proxy.pac in the Auto-proxy URL box. Example:
If you are hosting your PAC file in another location, use that URL.
Click OK.

Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance.
Clear Automatically detect configuration settings.
Select Enable Automatic Configuration.
Select Auto-proxy URL.
Enter the Barracuda Web Security Gateway's URL, followed by /proxy.pac in the Auto-proxy URL box. If you are hosting your PAC file in another location, use that URL. Example:

In the Computer Configuration area navigate to Administrative Templates > System/Group Policy, and then use the following settings to maintain consistency and compliance of the web browser's settings:
Select Internet Explorer Maintenance policy processing.
Select Allow processing across a slow network connection.
Clear Do not apply during periodic background processing.
Select Process even if the Group Policy objects have not changed.

For Firefox Users
Barracuda recommends FirefoxADM for allowing centrally managed locked and/or default settings in Firefox via Group Policy Templates in Active
Directory. More information is available at

Secure the Proxy Settings
After you enable the proxy settings, you should disable users' ability to change them.
In the Group Policy window, in the left pane:
Select User Configuration.
Select Administrative Templates.
Select Windows Components.
Select Internet Explorer.
In the right pane, scroll down to and right-click Disable changing proxy settings.
Select Properties, and then select Enabled.
Click Apply, and then click OK twice.
Users now cannot change their proxy settings.

How to Configure Proxy Settings Using PAC Files and WPAD

In this article:
PAC files
Syntax example
Creating a PAC File
Configuring Internet Explorer to Use a PAC File
Configuring Firefox to Use a PAC File
Barracuda Web Security Gateway Configuration
Web Proxy Autodiscovery Protocol (WPAD)
Requirements

PAC files
A PAC file contains a JavaScript function "FindProxyForURL(url, host)". This function returns a string with one or more access method specifications. These specifications cause the user agent to use a particular proxy server or to connect directly. To use PAC, you publish a PAC file on a web server and instruct a user agent to use it, either by entering the URL in the proxy connection settings of your web browser or through the use of the Web Proxy Autodiscovery Protocol (WPAD).

Multiple specifications provide a fallback when a proxy fails to respond. The web browser fetches this PAC file before retrieving other pages. The URL of the PAC file is either configured manually or determined automatically by the WPAD. The Barracuda Web Security Gateway can generate and manage this PAC file for you, and hosts both a proxy.pac and a wpad.dat file.

Syntax example
In this example, when the client makes a request to a website, the web browser refers to the PAC file. If the client is using a local network address, the specified proxy server is used on the specified port.
If the client is not using a local network address (example: a user is connecting from a hotel), the PAC file instructs the web browser to connect directly to the Internet.

proxy.pac

    function FindProxyForURL(url, host) {
        // Clients on the local network use the proxy; all others connect directly.
        if (isInNet(myIpAddress(), "[Network Address]", "[Subnet Mask]"))
            return "PROXY [Proxy Address]:[Port]";
        else
            return "DIRECT";
    }

Creating a PAC File
You can use the Barracuda Web Security Gateway's Network Setup tab to automatically create a PAC file. Alternatively, you can create your own PAC file using the procedure below, and save it to a server within your network.
1. Use Notepad or another text editor to open a new text file.
2. Paste the text from the example above into the text editor.
3. Replace the IP address and subnet mask with those of your network.
4. Save the file to a server within your network, naming it proxy.pac, and making sure to choose All Files for Save as type.
5. In the Barracuda Web Security Gateway's administrative interface, specify the location of the PAC file.

Configuring Internet Explorer to Use a PAC File
In Internet Explorer, click on Tools > Internet Options > Connections > LAN Settings.
Select Use automatic configuration script.
Type the path and filename of your PAC file. Example: Barracuda Web Security Gateway/proxy.pac
Click OK twice.

Configuring Firefox to Use a PAC File
In Firefox, click on Tools > Options > Advanced > Network.
Click Settings.
Select Automatic Proxy Configuration URL.
Type the path and filename of your PAC file. Example: Barracuda Web Security Gateway/proxy.pac
Click Reload, and then click OK twice.

Barracuda Web Security Gateway Configuration
In the Barracuda Web Security Gateway interface, click the wpad.dat tab.
On the wpad.dat page, enter the IP address or the DNS resolvable hostname of the host where the wpad.dat file resides, and then click Save.
Add any internal networks to the Exceptions list using the Add New button. Use these to instruct the web browser to connect directly to hosts on those networks.

Web Proxy Autodiscovery Protocol (WPAD)
The Web Proxy Autodiscovery Protocol (WPAD) is a method used by clients to locate a proxy autoconfig file automatically and use this to configure the web browser's proxy settings. The WPAD standard defines two alternative methods the system administrator can use to publish the location of the proxy configuration file: the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS). Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query, and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used.
If, for example, the network name of the user's computer is pc.department.branch.example.com, the web browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:

Requirements
In order for WPAD to work, a few requirements have to be met:
If you want to use DHCP, then the DHCP must be configured to serve up the "site-local" option 252 ("auto-proxy-config") with a string value of " (without the quotes) where xxx.yyy.zzz.qqq is the address of a web server (either IP address or DNS).
If you want to use DNS, then a DNS entry is needed for a host named WPAD.
The host WPAD must be able to serve a web page.
The file named wpad.dat must be located in the WPAD website's root directory.

How to Manually Configure Proxy Settings

In this article:
Prerequisite: Create an Auth Key
Internet Explorer Proxy Settings
Firefox Proxy Settings
Prevent Repeated Authentication Pop-ups
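The PAC behaviour described in the PAC files and WPAD article above, as an added example that is not Barracuda's code: a proxy.pac with internal exceptions and a fallback proxy entry, plus a small Node.js harness that stubs the PAC helper functions so the file's decisions can be checked before it is published. The proxy names, the port and the 10.0.0.0/255.0.0.0 office network are assumptions, and the stubbed isInNet does no DNS resolution.

```javascript
// Added example, not from the Barracuda documentation. The proxy names, port
// and the 10.0.0.0/255.0.0.0 office network are assumptions.

// The PAC file under test, as it would be published as proxy.pac.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  // Intranet names and internal addresses are reached without a proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // On the office network: primary proxy, then a second proxy as fallback.
  // No trailing DIRECT, so a proxy outage does not silently bypass filtering.
  if (isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0")) {
    return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
  }
  // Off the office network (the hotel case): connect directly.
  return "DIRECT";
}`;

// Convert a dotted-quad string to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Compile the PAC source with stand-ins for the browser-provided helpers.
// The stubbed isInNet only understands literal IPv4 addresses.
function loadPac(source, clientIp) {
  const helpers = {
    myIpAddress: () => clientIp,
    isPlainHostName: (host) => !host.includes("."),
    dnsDomainIs: (host, domain) =>
      host.toLowerCase().endsWith(domain.toLowerCase()),
    isInNet: (host, net, mask) => {
      const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
      if (h === null || n === null || m === null) return false;
      return ((h & m) >>> 0) === ((n & m) >>> 0);
    },
  };
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((k) => helpers[k]));
}

// What the browser would be told for this client address and URL.
function decide(clientIp, url) {
  const findProxy = loadPac(PAC_SOURCE, clientIp);
  return findProxy(url, new URL(url).hostname);
}

// True when a proxy chain ends up at DIRECT, i.e. traffic goes out
// unfiltered once every listed proxy has failed to respond.
function failsOpen(result) {
  const entries = result.split(";").map((e) => e.trim()).filter(Boolean);
  return entries.length > 1 &&
    entries.some((e) => e.toUpperCase() === "DIRECT");
}

// Constructed test cases: [client IP, requested URL].
const CASES = [
  ["10.1.2.3", "http://www.example.org/"],       // office client, Internet site
  ["10.1.2.3", "http://wiki.corp.example/page"], // office client, intranet name
  ["10.1.2.3", "http://10.9.9.9/admin"],         // office client, internal IP
  ["192.168.1.20", "http://www.example.org/"],   // client on a hotel network
];

for (const [ip, url] of CASES) {
  const result = decide(ip, url);
  console.log(`${ip}  ${url}  ->  ${result}  (fails open: ${failsOpen(result)})`);
}
```

Off-network clients receive DIRECT from this file, which is the case the Barracuda WSA for remote users is meant to cover.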
Related Articles
Redirecting Traffic Using Proxy Options

Prerequisite: Create an Auth Key
Before you configure the web browsers, you must create an Auth Key for your site's Internet-facing IP address on the Barracuda Web Security Service Manager. This allows all applicable traffic from your site to access the Barracuda Web Security Service.
Make sure you have your external IP address available.
Open a web browser and go to the Barracuda Web Security Service Manager at the following URL: rks.com
The Barracuda Cloud Control login appears.
Select Barracuda Web Security Service Manager at the top of the screen.
Log into the Barracuda Web Security Service Manager.
On the CONFIGURATION tab, click Key Management.
Click Add New Key.
Enter a Name for your site. Example: Beijing Office 1
Select IP Address for Type.
Enter your external IP address.
Save Changes.
Traffic from the IP address is now authorized to use the Barracuda Web Security Service.

Internet Explorer Proxy Settings
These instructions are verified for Microsoft Internet Explorer version 8. For instructions on earlier versions, see your Microsoft documentation.
In Internet Explorer, go to Tools > Internet Options > Connections.
Click LAN Settings.
Select Use a proxy server for your LAN.
Select Bypass proxy server for local addresses.
Click Advanced.
Make sure the Use the same proxy server for all protocols checkbox is cleared.
For rows 1-3 (HTTP, Secure, and FTP), type the Proxy Address (provided by Barracuda Networks or your Barracuda Networks partner) and Port. Other rows should remain empty.
Under Exceptions, type any other IP addresses that need to bypass the proxy server for some reason (such as an Extranet site).
Click OK.

Firefox Proxy Settings
These instructions are verified for Mozilla Firefox version 10. For instructions about manually configuring proxies on earlier versions of Firefox, see your Firefox documentation.
In Firefox, click Tools > Options > Advanced > Network.
In the Connection area, click Settings.
Select Manual Proxy Configuration.
For HTTP Proxy, SSL Proxy, and FTP Proxy, enter the proxy address and port for the Barracuda Web Security Service. Make sure the SOCKS Host box is empty, and that the Use this proxy server for all protocols checkbox is cleared.
In the No Proxy for box, type any IP addresses that need to bypass the proxy server (such as an Extranet site).
Click OK twice.

Prevent Repeated Authentication Pop-ups
Use these instructions to prevent Firefox users from repeatedly seeing authentication pop-ups when using NTLM authentication:
In your Firefox web browser, type the following in the address bar: about:config
Press Enter.
In the Filter field, enter the following: network.automatic-ntlm-auth.trusted-uris
The Preference Name box lists this preference.
Double click the preference you just searched for.
In the String value box, type the Barracuda Web Security Gateway's URL. Example: if the Barracuda Web Security Gateway is named pwgateway, type the following URL:
Click OK.

Using a Login Script to Configure Web Browsers

You can create a login script (WinNT4) to set users' proxy settings.

Example script
Replace example IPs and URLs with your specific IPs and URLs.

    @echo off
    rem Silently import SetProxy.reg from the directory this script runs from.
    regedit /s %0\..\SetProxy.reg

SetProxy.reg

    REGEDIT4

    ; Per-user Internet Explorer proxy settings.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"="[example.proxy.purewire.com]:[8080]"
    "ProxyEnable"=dword:00000001
    "AutoConfigURL"=""

Proxy overrides
You can use ProxyOverride settings to enable clients to access trusted networks, such as your internal network, without passing through the Barracuda Web Security Service. For example, insert a ProxyOverride statement immediately before the AutoConfigURL line, such as:

    "ProxyOverride"="aaa.bbb.ccc.*;example.com"

where aaa.bbb.ccc.* and example.com are the IP address range and domain name of the trusted network.

Deployment Options

The Barracuda Web Security Service provides maximum coverage across users and locations with the deployment flexibility to select the right option for each network. The three deployment options available for the Barracuda Web Security Service are:

Software-as-a-Service (SaaS) for cloud filtering: The Barracuda Web Security Service includes a complete cloud based web security service providing malware scanning, content filtering and application control. Web traffic from client computers can be directly routed through the cloud service either through proxy settings or firewall rules. This is the simplest deployment option and provides a quick way to use cloud based web security without deploying any additional hardware or software. Administrators can specify global policies through the Barracuda Web Security Service Manager. For more information on redirecting traffic for cloud filtering, refer to Redirecting Traffic Using Proxy Options.

Barracuda Web Security Agent: The Barracuda Web Security Agent (WSA) is a lightweight, tamper-proof client that can be installed on remote off-network computers.
Once configured, the Barracuda WSA transparently redirects web traffic from the remote machine to the Barracuda Web Security Service cloud filtering service. The Barracuda WSA also enables user specific browsing policies by securely transmitting local login credentials to the service. The Barracuda WSA is an easy and reliable way to provide the same web security policies to off-network users as are provided to on-network users. It is available for both Mac and Windows environments. For more information on using the Barracuda WSA, refer to Using the Barracuda Web Security Agent.

SaaS with Gateway appliances: The Barracuda Web Security Service framework supports the (optional) use of on-premise gateway appliances (hardware or virtual) wherever required. Gateway appliances, called Barracuda Web Security Gateways, provide integration with on-network authentication services (LDAP/AD, NTLM, Kerberos, edirectory) and local caching for bandwidth optimization. Additionally, they can be configured to enforce security and web usage policies locally (Local Enforcement Mode) or proxy traffic through to the cloud filtering proxy after authentication for malware scanning, content filtering and application control (Service Enforcement
Mode). In either case, gateway configuration, policy management and reporting is done through the cloud based Barracuda Web Security Service Manager interface. This means that administrators can apply and centrally manage policies and generate reports for users filtered through gateway appliances or directly through the cloud filtering service. Since they provide transparent user authentication, Gateways enable user or group specific browsing policies using credentials configured in the corporate directory servers. For more information on using Gateway appliances, refer to Using the Barracuda Web Security Gateway.

The Barracuda Web Security Service provides a unified framework which allows you to combine multiple deployment methods. Whichever combination of options you choose, management and reporting is centralized across all users and locations through the central management interface. This makes it really simple to customize the solution to fit your exact requirements while providing the freedom to adapt and scale as your needs change.

Redirecting Traffic Using Proxy Options

The quickest and easiest way to use the Barracuda Web Security Service is to direct web traffic from your network to the Barracuda Web Security Service for policy enforcement. Using existing network elements such as browsers, a network proxy, or your Barracuda (NG) Firewall, you can forward web traffic to the Barracuda Web Security Service and apply a single set of web use rules to all web traffic. This configuration option works well when you don't need to distinguish between various users or groups to enforce rules or generate reports. If you need to distinguish between traffic based on users and groups for enforcement and reporting, you will need to deploy a Barracuda Web Security Gateway.
Related Articles
Deployment Options
How to Manually Configure Proxy Settings

Direct Proxy Deployments
There are three methods for configuring direct proxies from your network to the Barracuda Web Security Service:
Direct from a Web Browser Proxy
Barracuda Firewall and Barracuda NG Firewall Proxy
Proxy Forwarding

Direct from a Web Browser Proxy
Configure your users' web browsers to direct traffic to the Barracuda Web Security Service. You can use any method of managing proxy settings, but the simplest way is to configure your web browser connection settings for an upstream HTTP proxy on port 8080 and an upstream HTTPS proxy on port 844 You will need the Service Host URL that appears on the Support tab of the Barracuda Web Security Service Manager.

Deploying the Barracuda Web Security Service as a direct proxy requires you to configure your firewall to allow internal clients to access the Barracuda Web Security Service on ports 8080 and 844

Note: Support for port 8443 is not currently available with the iwsa for the Macintosh.
Barracuda Firewall and Barracuda NG Firewall Proxy
Use your Barracuda NG Firewall's or Barracuda Firewall's built-in proxy capability to route traffic to the Barracuda Web Security Service.
Configure Barracuda Web Security Service on your Barracuda Firewall
Configure Barracuda Web Security Service on your Barracuda NG Firewall
Proxy Forwarding
Use an existing proxy server to route web traffic to the Barracuda Web Security Service.

Barracuda Web Security Agent for Remote Users

Remote Filtering using the Barracuda Web Security Agent (WSA) with the Barracuda Web Security Service enables your IT department to provide and control content security beyond the perimeter of the IT infrastructure. For satellite offices, mobile workers and students, the Remote Filtering feature allows secure web browsing access, from any computer and any location, that complies with the web access and security policies of the organization.

To take advantage of Remote Filtering, the Barracuda WSA is deployed on each remote desktop or laptop and proxies all web traffic over the Internet to the Barracuda Web Security Service, which can be configured to recognize each remote client by traffic signed by the Barracuda WSA. You can download the files required to install the Barracuda WSA for Windows or Macintosh, and configure how it filters traffic for your remote users using the Barracuda Web Security Service Manager. Multiple unique profiles can be created to apply different filtering rules for specific groups or individual users.

For system requirements and how to manage the Barracuda WSA, see Using the Barracuda Web Security Agent. To get and configure the agent, see Step 2: Download and Install Barracuda Web Security Agent.
Release Notes - Barracuda Web Security Agent for Macintosh

What's New in Version 4.0
Running version 4.0 of the Barracuda Web Security Agent (iwsa) requires MacOS X 10.6 (Snow Leopard) or later.
Host Fallback feature - The Barracuda WSA checks the current response times of all Barracuda Web Security Service hosts and ranks them accordingly. Rankings are viewable by the admin, and the admin can choose to have the Barracuda WSA automatically switch hosts to the fastest or to set the service host manually. See Fallback Service Hosts and the Barracuda Web Security Service for details. NOTE: This feature is not active by default; you must set it to be active in the profile and sync with clients.
Improved compatibility with IPv6 services.

Fixed in Version 4.0
Works as expected with AirDrop file sharing tool on MacOSx.
Barracuda Web Security Agent installer works as expected.
Reduced administrative traffic between the client and service host.
Increased security in proxy process.

What's New in Version 1
Added support for MacOS X 10.9 Mavericks and the most recent version of Safari browser.
Improved compatibility with Flash networking requests.
Fixed in Version 1
Temporary server error is no longer treated as a hard network failure.

What's New in Version 0
General Availability: 8/2/13
Added support for secure Barracuda Web Security Service connections over port 844
Improved HTTP 1 compatibility.

Fixed in Version 0
The YouTube for Schools feature works in Policy Lookup Only (PLO) mode.
Works with PLO mode when the Barracuda Web Filter is unreachable.
Resolved connection issue after correcting an invalid Barracuda Web Security Service auth key.
IPv6 requests do not trigger fail open.

What's New in Version 2
General Availability: 07/06/12
The Barracuda Web Security Agent for Mac now passes along applicable LDAP credentials in the request headers.

Fixed in Version 2
Improved logging for administrative requests and resolved startup problems which occurred on some systems.

Release Notes - Barracuda Web Security Agent for Windows

What's New in Version 4.0
Host Fallback feature - The Barracuda WSA checks the current response times of all Barracuda Web Security Service hosts and ranks them accordingly. Rankings are viewable by the admin, and the admin can choose to have the Barracuda WSA automatically switch hosts to the fastest or to set the service host manually. See Fallback Service Hosts and the Barracuda Web Security Service for details.

Fixed in Version 4.0
Removed default forced restart after installation complete, which could cause issues when installing via Windows GPO. [BNWSA-258]
Improvements in filtering on Windows 8 / 8.1 systems using WFP. [BNWSA-222]
Updated LSP component to address Windows .Net 4.5 incompatibility issues with Non-IFSLSPs. [BNWSA-169]
Warn page can now also be shown for local redirect address set to external Barracuda Web Filter IP address. [BNWSA-108]
For SSL Traffic, fixed handling of TLS 1 to improve HTTPS Filtering.
Fixed issues occurring in Policy Lookup Mode (Barracuda Webfilter), where monitored pages are not displayed correctly. [BNWSA-257]
The WSATraffic.log and WSA.log files are now limited to a maximum size of 3 MB each. When the Barracuda WSA client is uninstalled, all related log files are removed from the system. [BNWSA-34]

Version
This version replaces version
Fixed: If Fail Open is disabled, the Barracuda Web Security Agent now only fails closed when there is no good connection available to the service host. [BNWSA-472]
Fixed: The default setting on the Barracuda Web Security Agent client Fail Open mode is no longer disabled; the default is now that Fail Open is enabled before initial successful sync with the host service. This ensures that traffic between the client and the Internet continues to flow even if no connection to the Barracuda Web Security Service or the Barracuda Web Filter can be made.

Version
If the Fallback feature is enabled (see Fallback Service Hosts and the Barracuda Web Security Service), the Barracuda WSA no longer fails open/closed if the first fallback host is not available; rather, the next available fallback host is automatically selected. [BNWSA-465]
What's New in Version
The Update options have been re-enabled (backend): This relates to Auto-Update and Allow Users to Check for Updates Options, configurable on the Remote Filtering tab of the Barracuda Web Filter. The Barracuda Web Security Service only has Allow updates, which has the same effect as Auto-Update on the Barracuda Web Filter. It does not include the second configuration option on the Remote Filtering tab. Therefore, for the Barracuda Web Security Service, the Check for Updates option in the Context Menu is not available by default. Update server: d.barracuda.com. If the Update option is enabled, make sure that access to this server is available through your firewall.

Sync settings now available from the Context Menu: Any user can trigger the config synchronization with Service (Barracuda Web Filter / Barracuda Web Security Service) at any point of time. Before this version, this option was only available to users having access to the Local Configuration Tool or synchronization on specific events like logon/startup.

The Admin can now configure the Temporarily Disable option using command line / GPO deployment option:
Default:
a. After 5 minutes, any temporarily disabled Barracuda WSA client will be re-enabled and proxy web traffic to the Barracuda Web Filter / Barracuda Web Security Service.
b. The user can disable the client 3 times and must restart the client machine in order to reset this count.
Configurable via command line / GPO on installation time:
TDT (in ms): The length of time (timeout) the client will be disabled
TDC: The number of times that the user can temporarily disable the client before needing to reboot the machine
Example for cmd line config / GPO for custom timeout = 30 mins, timeout count = 5 (=> disable for 30 mins; you can do this 5 times before you need to reboot the machine):

    BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=[YOUR_AUTHKEY] SERVICE_URL=[YOUR_SERVICE_URL] ALLOW_REMOVE=1 TDT= TDC=5"

The CPU monitor is now by default enabled for Barracuda Web Security Service users and disabled for Barracuda Web Filter users. This configuration can now only be overridden at the time of installation, using command line / GPO deployment:
Enabled: CPU=1
Disabled: CPU=0
Example for cmd line config / GPO for disabling CPU monitor for BWFS:

    BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=[YOUR_AUTHKEY] SERVICE_URL=[YOUR_SERVICE_URL] ALLOW_REMOVE=1 CPU=0"

What's New in Version
Scheduled reboot after installation to ensure that the Barracuda Web Security Agent (WSA) is running.
CPU monitor for BarracudaWSA.exe to address intermittent high CPU Loads with cloud-based web content filtering.

Fixed in Version
Barracuda WSA components no longer flagged as viruses by MS Windows antivirus scanners.

Fixed in previous versions:
The Barracuda WSA tests for Barracuda Web Filter and Barracuda Web Security Service availability on each tap of the Start Service option in the tooltip menu.
Resolved issues when already in 'Fail Open' mode.
Timeout for service availability check was shortened from 60s to 30s.

Using the Barracuda Web Security Agent

The Barracuda Web Security Agent (WSA) for Windows and the Barracuda WSA for Macintosh systems protects users outside the corporate environment. The Barracuda WSA installs on remote users' computers and directs that traffic to the Barracuda Web
Security Service to detect and block malware and to allow secure web browsing access. The agent can be installed on and direct traffic from any computer and any location, as well as providing compliance with the web access and security policies of your organization. Read the latest Release Notes for the Barracuda WSA for Windows or the Release Notes - Barracuda Web Security Agent for Macintosh. For more information about the Barracuda Web Security Gateway, see Using the Barracuda Web Security Gateway.

In this article:
Related Articles
Barracuda WSA Functionality
Download and Install Barracuda WSA
Configuring Preferences for Barracuda WSA Macintosh
Configuration Tool for Barracuda WSA Windows
Fallback Service Hosts
Configuring the Barracuda Web Security Gateway
System Requirements for Windows
System Requirements for Macintosh
Managing the Barracuda WSA
Creating Configuration Profiles for your Barracuda WSA
Encryption
Application Filtering
Password Tamper Prevention
Password Protection
User Privileges
Allow Uninstall Option
Temporarily Disable Service Option
Stop/Start Service Option
Allow Users to Change Service Host
VPN Interoperability
Automatic Software Updates
Connection Testing
Silent Operation
Barracuda WSA and the Web Security Gateway

Barracuda WSA Functionality
The Barracuda WSA intercepts all HTTP/S and FTP traffic through any connection on the client without regard for the type of web browser. This includes Ethernet, wireless, or dial-up connections. The Barracuda WSA attaches user information to web requests, then directs traffic to the Barracuda Web Security Service. The Barracuda WSA prevents malware from reaching client computers. Only safe traffic is passed to web browsers.

After the Barracuda WSA is installed and configured, your web traffic is protected by the Barracuda Web Security Service automatically. The Barracuda WSA directs all traffic from web browsers, and other application traffic on ports 80 and 443, to the Barracuda Web Security Service.
Use configuration profiles to define how the Barracuda WSA filters traffic.

System Requirements for Windows
You can install the Barracuda WSA on Windows systems that meet the following requirements:
Latest released Service Packs of 32-bit version of Windows XP, and 32-bit or 64-bit versions of Windows Vista, Windows Server 2003 or
Windows 7
Windows Internet Explorer version 6 or later, or Mozilla Firefox version 3 or later
1 GB RAM
2 GHz processor
30 MB free disk space
To centrally manage Barracuda WSA clients in the Barracuda Web Security Service Manager, the Barracuda WSA must be version 3 or later.
Microsoft .NET Framework 4.0 Client Profile

System Requirements for Macintosh
You can install the Barracuda WSA on Macintosh systems that meet the following requirements:
Version 10.5 (Leopard) or later operating system
50MB memory (10.5 requires 512MB, 10.6 requires 0GB)
5 GB RAM
Intel or Power PC G4 or G5 processor
30 MB free disk space
To centrally manage Barracuda WSA clients in the Barracuda Web Security Service Manager, the Barracuda WSA must be version 1 or higher.

Managing the Barracuda WSA
You can manage the Barracuda WSA in one of three ways:

If you use Barracuda WSA clients that are version 3 or higher, you can centrally manage all of your Barracuda WSA clients from the REMOTE FILTERING > Web Security Agent page of the Barracuda Web Security Service Manager interface. Configuration settings for centrally managed Barracuda WSA clients are defined in a configuration Profile. You can create, modify, delete, or assign Profiles to Barracuda WSA clients in a group, on a machine, or for an individual user. If you already have Barracuda WSA version 3 installed on your network, your configuration profiles are automatically populated in the REMOTE FILTERING > Web Security Agent page of the Barracuda Web Security Service Manager interface.

You can use Windows GPO (Group Policy Object) or command line arguments to make changes to the Barracuda WSA clients on your network.
To edit settings locally for an individual Agent, use the Configuration Tool in the Agent interface. See:
For Windows - Configuration Tool for Barracuda WSA Windows Client
For Macintosh - Configuring Preferences for Barracuda WSA Macintosh Client

Important: Any changes made on the client with the configuration tool are OVERRIDDEN each time the Barracuda WSA syncs with the Barracuda Web Security Service.

Creating Configuration Profiles for your Barracuda WSA

You can create, edit, delete, or assign a Configuration Profile to Barracuda WSA clients you install on devices using the Barracuda Web Security Service Manager REMOTE FILTERING > Web Security Agent page. Click the Add Profile button to create a new profile and fill in the fields. The settings you select in the configuration profile define what is applied to the specific Barracuda WSA clients the profile is assigned to. Make sure to define one or more profiles before installing the Barracuda WSA on user clients.

Note: After installing the Barracuda WSA on user client machines, you only need to define the Service Host, Port and Authentication Key on the client. All other settings will be overwritten with what you have configured in the profile in the Barracuda Web Security Service each time the user's machine is rebooted or the user logs on. You can also force an overwrite, or Sync, of the settings on the client:
With the Barracuda WSA for Windows - by right-clicking the Barracuda WSA icon in the task tray, and selecting Sync.
With the Barracuda WSA for Macintosh - by clicking Synchronize Settings in the WSA Preferences window.

Encryption

The Barracuda WSA redirects traffic on port 8080 by default.

Application Filtering

The Barracuda WSA automatically forwards web browser traffic on all ports, and forwards traffic from all other applications on ports 80 and 443.
You can specify how the Barracuda WSA filters application traffic by default:
Filter traffic on ports 80 and 443 for all applications,
Filter traffic for specified applications and allow traffic for all other applications, or
Filter traffic for specified applications and block traffic for all other applications.

If you have specific applications that use other ports, you can add them to the Applications to Filter (All Ports) list. To access this list, go to the Start > All Programs > Barracuda > Web Security Agent > Configuration screen, and then click Advanced to display the advanced options.

Password Tamper Prevention

Password Protection

You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or when the Barracuda WSA operates behind a Barracuda Web Security Gateway in transparent mode. You can use the password protection feature to ensure that only authorized users can stop or start Barracuda WSA.

During installation, you have an option to specify a password to protect configuration options and control user privileges. If you choose to specify a password, that password is required for any user to:
Change configuration settings
Temporarily disable the Barracuda WSA
Change the service host based on response times (see Fallback Service Hosts and the Barracuda Web Security Service)
Stop or start the Barracuda WSA
Uninstall the Barracuda WSA

There is no password reset; if the password is lost, you must reinstall the Barracuda WSA.

User Privileges

Allow Uninstall Option

You can choose the Allow Uninstall Through Add/Remove Programs option during installation to allow the user to remove the Barracuda WSA from a computer using the Microsoft Windows Add or Remove Programs window. The Barracuda WSA does not, by default, appear in the Windows Add or Remove Programs list.
If you did not enable the Allow Uninstall Through Add/Remove Programs option during installation, the user must contact the System Administrator for assistance. You can enable the Allow Uninstall Through Add/Remove Programs option during installation and use the password protection feature to ensure that unauthorized users cannot uninstall the Barracuda WSA. If you did not enable the Allow Uninstall Through Add/Remove Programs option during installation, contact Barracuda Networks Technical Support to uninstall Barracuda WSA.

Temporarily Disable Service Option

If the Barracuda Web Security Service prevents users from logging onto a public network, such as at a captive portal in a hotel or coffee shop, you can temporarily disable Barracuda WSA and connect to the public network. After five minutes, the Barracuda WSA automatically re-enables itself.

1. Right-click the Barracuda Networks icon on the desktop or system tray.
2. Select Temporarily Disable.
3. The Barracuda WSA is disabled for five minutes, during which you can connect to the previously blocked network. It then re-enables itself.

The user can disable the Barracuda WSA three times before the option is no longer available. A reboot of the client machine restarts the counter.

Stop/Start Service Option

You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or when the Barracuda WSA operates behind a Barracuda Web Security Gateway in transparent mode. You can use the password protection feature to ensure that only authorized users can stop or start Barracuda WSA.

If you chose the Allow User to Disable Service option during installation, the user can stop and start the Barracuda WSA service. If you specified a password during installation, the user must provide the password that you created in order to stop or start the service.
To stop the Barracuda WSA:
Right-click the Barracuda Networks icon on the desktop or system tray.
Select Stop Service.
If prompted for a password, type the password, and then click OK.
The Barracuda WSA is stopped until you restart it or reboot. The Barracuda Networks icon in the system tray is grayed out.

To restart the Barracuda WSA:
Right-click the Barracuda Networks icon on the desktop or system tray.
Select Start Service.

Allow Users to Change Service Host

With version 4.0 or higher, you can allow users the option to select another host from the Host drop-down in the context menu on the client if there is another service host (Barracuda Web Security Service) available that has faster response times. This involves also configuring the Barracuda WSA to poll available service hosts and rank them by response times by checking the Automatically Select Service Host setting in the profile(s) you create on the REMOTE FILTERING > Web Security Agent page. See Fallback Service Hosts and the Barracuda Web Security Service for details.

VPN Interoperability

The Barracuda WSA is designed to forward all web traffic to the Barracuda Web Security Service, so virtual private network (VPN) clients that rely on web browser settings to forward traffic to private networks may interfere with Barracuda WSA's operation. In order to use a VPN client on a PC that is running Barracuda WSA, a user may need to do one of the following: stop Barracuda WSA when connecting with the VPN, use the VPN in split tunnel mode, or enter bypasses for the VPN server IP address. If you install and configure Barracuda WSA so that end users may not stop and restart Barracuda WSA, then only bypasses or split tunnel mode will work simultaneously with Barracuda WSA. You can use the password protection feature, available during installation, to ensure that only authorized users can stop or start Barracuda WSA.

Automatic Software Updates

Barracuda WSA periodically checks the Barracuda Web Security Service for available software updates.
When an upgrade is available, Barracuda WSA automatically and silently downloads and installs it, preserving any configuration information you have in place. The automatic updater works whether Barracuda WSA is installed in regular mode or silent operating mode. The automatic updates may be disabled at installation for those network environments that prefer to manually upgrade.

Connection Testing

At the beginning of each session, Barracuda WSA tests its connection with the Barracuda Web Security Service. If there is a problem with the connection, it displays a message that it cannot connect to the Barracuda Web Security Service. If you opted to use the password protection feature during installation and have the password, you can disable the Barracuda WSA, either permanently or temporarily.

Silent Operation

If other people will be using the computer or you are concerned about tampering, you may want users to remain unaware that the Barracuda WSA is installed. If so, choose the silent operation option during installation. The Barracuda WSA icon will not appear in the user's task tray, and shortcuts will not exist in the Start menu. To change settings for a Barracuda WSA installation in silent operation mode, you must go into the Barracuda Networks directory and launch Barracuda WSA configuration manually.

Barracuda WSA and the Web Security Gateway

In corporate environments that use a Barracuda Web Security Gateway, if you direct proxy clients to the Barracuda Web Security Gateway, or any other internal proxies that should be reachable by Barracuda WSA clients for internal proxying and filtering, you must specify those proxy exception network addresses. You can specify proxy exceptions during installation, on the CONFIGURATION screen in the Proxy Exceptions box, or by using the PROXY_EXCEPTIONS option from the command line. Proxy Exceptions for an already installed Barracuda WSA can be viewed and modified by editing the corresponding configuration profile.
Select the Profile from the REMOTE FILTERING > Web Security Agent page, Configuration Profiles section. Add, edit or remove Proxy Exceptions, and then Save Changes.

If you use the Barracuda WSA behind a Barracuda Web Security Gateway, the Barracuda WSA detects that the Barracuda Web Security Gateway is reachable and automatically stops redirecting traffic so that web traffic flows through the Barracuda Web Security Gateway for filtering.

Fallback Service Hosts and the Barracuda Web Security Service
Note: This feature applies when using the Barracuda Web Security Agent (WSA) for Windows version 4.0 and higher, or the iwsa for Mac version 4.0 and higher, with the Barracuda Web Security Service.

With the Fallback feature, the administrator can choose an alternate Barracuda Web Security Service host for filtering web traffic for remote users who have the Barracuda WSA installed on their Windows laptop, desktop or Macintosh. Fallback is useful in case the intended service host is unavailable, or there is another service host available that has faster response times. This feature provides the administrator with the following options:
Configure the Barracuda WSA to automatically connect to the service host with the fastest response times instead of the current host.
Select the service host manually from the client (requires Barracuda WSA password to log in).

Related Articles:
Using the Barracuda Web Security Agent
Configuration Tool for Barracuda WSA Windows Client

How the Fallback Feature Works

At a regular interval, the Barracuda WSA can poll Barracuda Web Security Service hosts and rank them based on response times.

With Windows: When you run the Configuration tool from the Windows Startup menu, you see the Host, Port and Bypass settings as shown in Figure 1a. Note the Host name. This is the current service host.

Figure 1a. Barracuda WSA for Windows Configuration tool displays the current Host and port

With the Macintosh: When you select WSA Preferences from the Macintosh menu bar, you see the Host, Port and Bypass settings as shown in Figure 1b. Note the Service Host name. This is the current service host.

Figure 1b. Barracuda WSA for Macintosh WSA Preferences displays the current Service Host and port
For more information about configuring the Barracuda WSA, see:
For Windows: Configuration Tool for Barracuda WSA Windows Client
For Macintosh: Configuring Preferences for Barracuda WSA Macintosh Client

If you have configured an administrator password, you'll be prompted to enter it before you can configure the Barracuda WSA. The settings shown are those based on the last sync event between the Barracuda WSA and the service host. A sync event is triggered by any of the following:
User logging into Barracuda WSA
A network change
Clicking the Synchronize Settings button in the WSA Preferences

The sync event also updates the client with all settings configured in the Barracuda Web Security Service; the exception is Debug Mode, which is a local setting.

How to Enable the Fallback Feature

1. In the Barracuda Web Security Service web interface, go to the REMOTE FILTERING > Web Security Agent page.
2. Click on the Default Profile or any other existing profile for which you want to enable or disable the feature.
NOTE: This feature is, by default, NOT enabled for customers using the Barracuda WSA before this feature became available. For customer accounts created after this feature became available, the Automatically Select Service Host option is set to ON by default, and the Allow User to Change Service Host is set to OFF by default. All profiles are created based on Default Profile settings.
3. Click the check box for Automatically Select Service Host to enable the Barracuda WSA to ping available service hosts at a regular interval and automatically switch to the host with the fastest response time.
4. Click the check box for Allow User to Change Service Host to enable users to view available service hosts by response times and select a different host if desired. Note that whenever the Barracuda WSA syncs with the Barracuda Web Security Service, settings in the service override those in the Barracuda WSA.
5. Make sure that all remote clients are synchronized with the server to get the new settings.
Perform these steps for EACH profile. Whatever settings you choose in the Default Profile will apply for each new profile you create.

Figure 1c. Setting Fallback feature settings in the Default Profile
How to Configure the Fallback Feature From the Barracuda WSA

Note that settings that you configure in the Barracuda WSA client will be overridden by those in the Barracuda Web Security Service when the service syncs with the client.

With Windows:
1. In the Configuration tool, click the Advanced button.
2. In the Advanced window, select the Allow Change Host check box.
3. Click Ok.
4. Click on the Barracuda WSA context menu in the task tray and select Change host to view and select from a list of hosts ranked by response times.

Figure 2a. Configuring the Fallback feature with the Barracuda WSA for Windows
With the Macintosh:
1. From the menu bar, click on the Barracuda WSA icon and select WSA Preferences.
2. Click on Allow the user to select a faster service host from menu as shown in Figure 1b.
3. Click on the Barracuda WSA icon in the menu bar.
4. Click Select Service Host to view and select from a list of available hosts ranked by response times.

Figure 2b. Barracuda WSA for Macintosh context menu
Table: Interaction between Auto Select Host and Allow Change Host settings for the Fallback feature

Auto Select Host / Automatically switch: On
Allow Change Host / Allow the user to select: On
Behavior: The Barracuda WSA will poll and rank Service Host response times at regular intervals and switch to the fastest host if the difference in response times is big enough. The user will see an option to Change Service Host in the context menu (click Barracuda WSA icon in task tray) and can view the list of hosts/response times if the Barracuda WSA is not in Silent Mode.

Auto Select Host / Automatically switch: On
Allow Change Host / Allow the user to select: Off (Default)
Behavior: The Barracuda WSA will poll and rank Service Host response times at regular intervals and switch to the fastest host if the difference in response times is big enough. User cannot change the Service Host manually.

Auto Select Host / Automatically switch: Off (Default)
Allow Change Host / Allow the user to select: On
Behavior: The Barracuda WSA will poll and rank Service Host response times at a regular interval. The user will see an option to Change Service Host in the context menu and can view the list of hosts/response times if the Barracuda WSA is not in Silent Mode.

Auto Select Host / Automatically switch: Off
Allow Change Host / Allow the user to select: Off
Behavior: The Barracuda WSA will not poll Service Hosts to measure response times. The user will not see an option to Change Service Host in the context menu. The admin can change the service host using the Host drop-down in the Configuration Tool window or in the Barracuda Web Security Service web interface.
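The settings interaction in the table above, modeled as an added example (not Barracuda code and not part of the original documentation) so an administrator can predict which service host an agent ends up on. The page does not say how response times are aggregated or how large a difference is "big enough", so the median and the 50 ms margin are assumptions, and the host names and timings are constructed.

```python
from dataclasses import dataclass
from statistics import median

# Assumption: the documentation only says the agent switches when the
# difference in response times is "big enough"; 50 ms is a placeholder.
SWITCH_MARGIN_MS = 50.0


@dataclass(frozen=True)
class Profile:
    auto_select_host: bool     # "Automatically Select Service Host"
    allow_change_host: bool    # "Allow User to Change Service Host"
    silent_mode: bool = False  # Silent Operation: no tray icon, no menu


@dataclass(frozen=True)
class Outcome:
    polled: bool           # did the agent measure response times at all?
    ranking: tuple         # reachable hosts, fastest first
    active_host: str       # host in use after this polling round
    user_can_change: bool  # is the Change Service Host menu offered?


def rank_hosts(samples):
    """Rank hosts by median response time (ms); hosts with no replies are dropped."""
    timed = {host: median(times) for host, times in samples.items() if times}
    return sorted(timed.items(), key=lambda item: (item[1], item[0]))


def evaluate(profile, current_host, samples, margin_ms=SWITCH_MARGIN_MS):
    """Apply one polling round under the given profile settings."""
    # Off/Off is the only combination in which no polling happens.
    polled = profile.auto_select_host or profile.allow_change_host
    ranking = rank_hosts(samples) if polled else []
    active = current_host
    if profile.auto_select_host and ranking:
        best_host, best_ms = ranking[0]
        current_ms = dict(ranking).get(current_host)
        # Switch when the current host did not answer (assumed fallback
        # behaviour) or when the fastest host wins by at least the margin.
        if current_ms is None or current_ms - best_ms >= margin_ms:
            active = best_host
    # The menu is only shown when allowed and the agent is not silent.
    user_can_change = profile.allow_change_host and not profile.silent_mode
    return Outcome(polled, tuple(h for h, _ in ranking), active, user_can_change)


# Constructed sample measurements (milliseconds); svc-c never replied.
SAMPLES = {
    "svc-a.example": [120, 130, 125],
    "svc-b.example": [60, 70, 65],
    "svc-c.example": [],
}

if __name__ == "__main__":
    for auto in (True, False):
        for allow in (True, False):
            result = evaluate(Profile(auto, allow), "svc-a.example", SAMPLES)
            print(f"auto={auto!s:5} allow={allow!s:5} -> {result}")
```

Because a sync replaces client-side settings with the profile, the `Profile` values to feed in are the ones configured in the Barracuda Web Security Service, not those last set in the local Configuration Tool.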
Using the Barracuda Web Security Gateway

The Barracuda Web Security Gateway (WSG) can provide transparent and integrated user authentication, application blocking, and web caching. You can centrally manage settings and monitor each Barracuda Web Security Gateway using the Barracuda Web Security Service Manager interface. You can deploy a Barracuda Web Security Gateway in two modes:
Service Enforcement Mode (default mode): proxy all web traffic to the Barracuda Web Security Service for enforcement, or
Local Enforcement Mode: enforce policies locally, only passing reporting information to the cloud

Related Articles:
Barracuda WSG Deployment Configurations
Authentication with the Barracuda WSG
Configuring the Barracuda Web Security Gateway

Note: If your Barracuda Web Security Gateway is deployed in Local Enforcement Mode, it still sends logging information to the Barracuda Web Security Service for reporting purposes. See Enforcement Mode to switch modes.

The Barracuda Web Security Gateway can be deployed in an inline or forward proxy deployment configuration. Both configurations support either enforcement mode. For more information on deployment configurations, refer to Barracuda Web Security Gateway Deployment Configurations.

In Local Enforcement Mode, the Barracuda Web Security Gateway performs caching, authentication, content filtering, and application blocking locally. Logging information is sent to the Barracuda Web Security Service Manager. You can centrally manage Barracuda Web Security Gateways in Local Enforcement Mode from the Barracuda Web Security Service Manager interface.

Service Enforcement Mode is the default mode for the Barracuda Web Security Gateway. In Service Enforcement Mode, the Barracuda Web Security Gateway can attach authenticated client information to traffic before proxying it to the Barracuda Web Security Service for policy enforcement.
The Barracuda Web Security Service applies user-specific policies which you can define on the Rules tab in the Barracuda Web Security Service Manager interface, including content filtering and application blocking, and allows approved web requests to pass through after removing the user information. You can centrally manage Barracuda Web Security Gateways from the Barracuda Web Security Service Manager interface.

Connect to the Barracuda Web Security Service Manager

Use the System Configuration utility on the Barracuda Web Security Gateway interface to connect to the Barracuda Web Security Service Manager. Once connected to the Barracuda Web Security Service, manage Barracuda Web Security Gateway settings by selecting the Gateway name on the CONFIGURATION > Gateway page.

Centralized Management of Barracuda Web Security Gateways

The Barracuda Web Security Gateway automatically receives updated Security Policies when changes are made. The configuration settings you specify in the Barracuda Web Security Service Manager sync with the Barracuda Web Security Gateway when you accept the prompt to sync your changes or when the Barracuda Web Security Gateway syncs with the Barracuda Web Security Service Manager when:
the Barracuda Web Security Gateway is first detected by the Barracuda Web Security Service Manager;
you restart or reload the Barracuda Web Security Gateway on the System tab for the selected Barracuda WSG;
you make configuration changes and then press the Sync button when prompted.

These settings include:
IP Configuration
Authentication
SNMP
Proxy/Caching
System (settings for the Barracuda Web Security Gateway)

Barracuda Web Security Gateway Deployment Configurations

The Barracuda Web Security Gateway can be deployed in an inline or forward proxy deployment configuration. In either case it can be operated in either enforcement mode.

Inline Barracuda Web Security Gateway Deployment

The Barracuda Web Security Gateway can be deployed inline with your core network components so all network traffic to the Internet passes through the Barracuda Web Security Gateway. User and Group policies can be enforced, and application blocking is available. All traffic flowing through your corporate network is subject to configured filtering policies with this configuration.

The Barracuda Web Security Gateway in Service Enforcement mode proxies all requests to the Barracuda Web Security Service after attaching authenticated user information to the request. In Local Enforcement mode, the Barracuda Web Security Gateway does not proxy any traffic to the Barracuda Web Security Service, but sends only reporting information viewable with the Barracuda Web Security Service Manager. Policies are enforced by the Barracuda Web Security Gateway locally with policies configured and downloaded from the Barracuda Web Security Service Manager.

Features not available with inline deployment:
SSL Inspection
NTLM and Kerberos authentication mechanisms

Deploying your Barracuda Web Security Gateway inline also allows automatic pass-through in the event of a system failure, and does not require users to configure web browser proxy settings. Client IP addresses are exposed, allowing enforcement of corporate firewall rules.

Forward Proxy Barracuda Web Security Gateway Deployment

The forward proxy deployment uses the Barracuda Web Security Gateway as an intermediary between a client and the Barracuda Web Security Service Manager. In a forward proxy deployment, only HTTP Internet traffic passes through the Barracuda Web Security Gateway.
After the Barracuda Web Security Gateway authenticates the user, it either attaches user information to the client's requests and sends them out to the Barracuda Web Security Service Manager, or enforces policies locally in local enforcement mode. When deployed as a forward proxy, the Barracuda Web Security Gateway shows all HTTP traffic as coming from its own IP address instead of from the individual client IP addresses as it does in the inline pass-through deployment. Setting up a Forward Proxy Barracuda Web Security Gateway does not require interruptions to your network traffic.

You may want to deploy the Barracuda Web Security Gateway in forward proxy mode if:
You need to replace an existing forward proxy (such as Microsoft ISA Server) with the Barracuda Web Security Gateway.
You do not want the Barracuda Web Security Gateway to reside inline with all your network traffic and are satisfied with the system only scanning HTTP traffic for viruses and spyware. Application blocking is not available in this configuration.
You want to use SSL Inspection. This feature is not available with inline deployments.
You want to use either NTLM or Kerberos authentication mechanisms.

When deploying a forward proxy Barracuda Web Security Gateway, the web browser makes a request to a website through the Barracuda Web Security Gateway based on its proxy configuration. The Barracuda Web Security Gateway receives the request, and performs any user identification and group lookup associated with the request. In Service Enforcement mode, the Barracuda Web Security Gateway passes the request to the Barracuda Web Security Service. In local enforcement mode, the policies are enforced locally by the Barracuda Web Security Gateway. The appropriate response or web page based on the web rules that you specify is returned to the client.
To implement a Barracuda Web Security Gateway as a forward proxy, you need to configure your firewall to allow the following accesses:
Internal clients to the Barracuda Web Security Gateway on TCP Port 8080
Barracuda Web Security Gateway to Active Directory and domain controller on TCP Ports 389, 445
Barracuda Web Security Gateway to the Barracuda Web Security Service on TCP Ports 8080, 8443
Web browsers configured to use the Barracuda Web Security Gateway as their proxy

WCCP Deployment of the Barracuda Web Security Gateway

Barracuda Web Security Gateways can be deployed as Web Cache Control Protocol (WCCP) cache engines on a network with a WCCP capable
core routing platform. Because the WCCP control router or switch transparently redirects content requests, end users need not configure browsers to use the Barracuda Web Security Gateway as an HTTP proxy. In addition to compatibility with other WCCP-capable routers, the Barracuda Web Security Gateway supports Cisco v1 and v2 routers.

Enabling WCCP on your Barracuda Web Security Gateway allows you to take full advantage of your WCCP-capable Cisco router's ability to provide for failover and load balancing for multiple Barracuda Web Security Gateways connected to the router in a proxy configuration. For large installations requiring high availability and fault tolerance, this is an attractive deployment option.

Considerations when using the WCCP deployment

WCCP allows Cisco routers/switches to forward non-HTTP traffic to web cache servers, but the Barracuda Web Security Gateway only accepts HTTP traffic (port 80) in this configuration.
WCCP also allows multiple Cisco routers to be connected to the same web cache server. The Barracuda Web Security Gateway does not support this feature and can only be connected to one WCCP router/switch. However, as always, multiple Barracuda Web Security Gateways can be connected to a single router/switch.
Application blocking will not work.
Outbound spyware will not be blocked.
HTTPS traffic will not be filtered.
NTLM and Kerberos authentication mechanisms will not work in this deployment configuration, because they both require that the Barracuda Web Security Gateway be a trusted host in the Windows Domain and that it receive traffic directly from users (as a proxy). In WCCP deployments the Barracuda Web Security Gateway receives outgoing traffic via the Cisco Router.

Configuring the Barracuda Web Security Gateway
In This Section:
Enforcement Mode, IP Configuration and Static Routes with Barracuda WSG
Firmware Upgrade, Support, and System Reload/Shutdown with Barracuda WSG
IP Blocking and IP Exemption with Barracuda WSG
Proxy and Caching with Barracuda WSG
Using SNMP with Barracuda WSG

Enforcement Mode, IP Configuration and Static Routes with Barracuda WSG

If you are not already in the Barracuda Web Security Service Manager interface, click Barracuda Web Security Service at the top of your Barracuda Cloud Control login screen. In the Barracuda Web Security Service Manager, click the CONFIGURATION tab. Specify configuration settings by selecting the desired Barracuda Web Security Gateway on the Gateway tab and clicking the IP Configuration tab. You can configure the following settings on this page:
Enforcement Mode
IP Configuration
Static Routes

Enforcement Mode

To configure the Enforcement Mode for a Barracuda Web Security Gateway:

Set Enable Local Enforcement Mode to one of the following:
Local Enforcement - the Barracuda Web Security Gateway performs policy enforcement; only log information is sent to the Barracuda Web Security Service Manager for reporting purposes.
Service Enforcement (default setting) - the Barracuda Web Security Gateway proxies web traffic to the Barracuda Web Security Service for policy enforcement.

If you have set the Enforcement Mode to Service Enforcement Mode, you can turn on SSL Scanning by setting Enable SSL Scanning to Yes.

Warning: SSL Scanning is only available with Barracuda WSG in Service Enforcement Mode.
Save Changes and when prompted to sync the Barracuda Web Security Gateway, click Sync.

IP Configuration

View or change the IP Configuration settings in the IP Configuration section. The following fields are visible:
IP Address
Subnet Mask
Default Network Gateway
Service Host
Authentication Key

You can enter or edit entries in the following fields:
Primary DNS Server
Secondary DNS Server
Default Host Name
Default Domain
Redirect IP: If the Default value conflicts with an existing LAN IP, you need to change the Redirect IP.
Enable WCCP: Select this option to enable Barracuda WSG to accept traffic from WCCP enabled network devices. Fill in the fields on the Add/Edit WCCP page and click Submit.

Save Changes and when prompted to sync the Barracuda Web Security Gateway, click Sync.

Static Routes

View, add, or edit Static Routes in the Static Routes section:
To edit a static route, select the IP Address of the existing route from the list.
To add a static route, click Add New Route and fill in the following fields:
IP/Network Address
Netmask
Network Gateway Address: The Network Gateway Address for this static route.

Save Changes and when prompted to sync the Barracuda Web Security Gateway, click Sync.

Firmware Upgrade, Support, and System Reload/Shutdown with Barracuda WSG

If you are not already in the Barracuda Web Security Service Manager interface, click Barracuda Web Security Service at the top of your Barracuda Cloud Control login screen. The Barracuda Web Security Service Manager interface appears. In the Barracuda Web Security Service Manager, click the CONFIGURATION tab. Specify configuration settings by selecting the desired Barracuda Web Security Gateway on the Gateway tab and clicking the System tab.
Configure the following settings on this page:
Firmware
Open Support Tunnel
System Reload/Shutdown

Firmware

The Firmware area allows you to view:
the Current Installed Version,
the Latest General Release version available for download from Barracuda Central, and
the Latest Early Release(s) available for download from Barracuda Central.

You can download firmware to the Barracuda Web Security Gateway by clicking the Download Now buttons.

Open Support Tunnel

A support tunnel is a connection which allows the technical support engineers of Barracuda Networks to troubleshoot any issues you may be experiencing. Use Open Support Tunnel to establish a support tunnel.
System Reload/Shutdown

The System Reload/Shutdown area allows you to execute the following commands for the Barracuda Web Security Gateway:
Shutdown - shuts down the unit.
Restart - restarts the unit with the latest configuration.
Reload - reloads the latest configuration.

IP Blocking and IP Exemption with Barracuda WSG

If you are not already in the Barracuda Web Security Service Manager interface, click Barracuda Web Security Service at the top of your Barracuda Cloud Control login screen. The Barracuda Web Security Service Manager interface appears. Click the CONFIGURATION tab. Specify IP Blocking and IP Exemption settings by selecting the desired Barracuda Web Security Gateway on the Gateway tab, then selecting the Policy tab.

Configuring IP-based Exemptions

If you want to exempt certain clients or sub-networks from all filtering (including spyware filtering), you can select Add New IP and Port Exemption and specify the source IP address for those clients under IP and Port Exemptions. For example, if you want to exempt an executive's client machine from all filtering, you can do so using the IP address of the client. Similarly, if you want to exempt certain external devices (such as trusted servers outside the protected network) from all filtering, you can specify the destination IP address and specific port under IP and Port Exemptions. Be sure to Enable your settings before you Save Changes.

Exempted IP addresses will bypass the following block filters:
Content filtering
IM blocking
All types of download blocking

When prompted to sync the Barracuda Web Security Gateway, click Sync.

Configuring IP-based Blocking

If you want to block certain clients or sub-networks from all access, you can use Add New IP and Port Blocking and specify the source IP address for those clients under IP and Port Exemptions. For example, if you want to block traffic from a suspicious client machine or servers or internal web servers, you can do so using the IP address of the client.
Similarly, if you want to block certain external devices, you can specify the destination IP address and specific port under IP and Port Exemptions. Note that when the Barracuda Web Security Gateway is deployed as a forward proxy, IP block/exempt rules based on request destination are not applied. You can use this page to configure clients or targeted servers to bypass scanning or filtering. To avoid accidentally specifying a broader than intended exemption range, be sure to apply the proper subnet mask. Be sure to Enable your settings before you Save Changes. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Proxy and Caching with Barracuda WSG

If you are not already in the Barracuda Web Security Service Manager interface, click Barracuda Web Security Service at the top of your Barracuda Cloud Control login screen. The Barracuda Web Security Service Manager interface appears. In the Barracuda Web Security Service Manager, click the CONFIGURATION tab. Specify proxy and caching settings by selecting the desired Barracuda Web Security Gateway on the CONFIGURATION > Gateway page and clicking the Proxy/Caching tab. You can manage the following settings on this page:
Upstream Proxy
Peer Proxy Domains
Regular Expression Proxy Authentication Exceptions
Request Header Proxy Authentication Exceptions
Source IP Proxy Authentication Exceptions
Destination IP Proxy Authentication Exceptions
Domains Not Cached
Exempt Domains
Exempt Networks

Upstream Proxy
To configure the upstream proxy for a Barracuda Web Security Gateway:

1. In the Upstream Proxy area, enter or edit the fields in the table below.
2. Click Save Changes.
3. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Send VIA Header: Select this option to expose the identity of the Barracuda Web Security Gateway to web servers.
Send Forwarded-For Header: Select this option to allow HTTP requests to expose the proxy that the Barracuda Web Security Gateway is using, and expose the client IP address for which the Barracuda Web Security Gateway is forwarding.
Transparent Proxy Port: Specify the port to use to directly proxy through the Barracuda Web Security Gateway. Default: 8080
X-Forwarded-For Header: Used for header extensions from any proxy for the client IP. This is useful when the Barracuda Web Security Gateway is on the WAN side of another proxy. Used for logging and reporting only. Default: X-Forwarded-For
HTTP Methods: Specify allowed HTTP methods other than the standard GET, POST, and HEAD. Example for Subversion: REPORT MERGE MKACTIVITY CHECKOUT. Default values: OPTIONS PUT DELETE TRACE CONNECT PROPFIND PROPPATCH,MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL REPORT CHECKOUT CHECKIN UNCHECKOUT MKWORKSPACE UPDATE LABEL MERGE BASELINE-CONTROL MKACTIVITY
HTTP Ports: Allowed HTTP ports for forward proxied clients. Port range is always allowed.
HTTPS Ports: Allowed HTTPS ports for forward proxied clients.
Use Custom Proxy Authentication Settings: Enable this feature to specify the number of proxy authentication helper threads (below).
Number of Proxy Authentication helper threads: After you enable Use Custom Authentication Settings, set the number of helper threads here. Default value: 12
Enable Authentication Caching: Enable this feature to allow the Barracuda Web Security Gateway to cache successful NTLM authentication responses from the domain controller.
Authentication Cache TTL: Time-to-live (TTL), in seconds, for a successful NTLM authentication response. Default: 3600
Disable Proxy Cache: Select this option to disable proxy caching.
Peer Proxy IP: IP address of any pre-existing proxy in front of the Barracuda Web Security Gateway.
Peer Proxy Port: Port for the IP address of any pre-existing proxy in front of the Barracuda Web Security Gateway.

Peer Proxy Domains

To specify peer proxy domains for the Barracuda Web Security Gateway:

1. In the Peer Proxy Domains area: to edit a peer proxy domain, select the Domain name; to add a peer proxy domain, click Add New Peer Proxy Domain.
2. In the Add/Update Domain to Peer Proxy screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Domain: Domain names whose traffic you want sent to the specified peer proxy. Example: .example.com
Enabled: Select this option to enable the peer proxy domain.

Regular Expression Proxy Authentication Exceptions

To specify regular expression proxy authentication exceptions for the Barracuda Web Security Gateway:

1. In the Regular Expression Proxy Authentication Exceptions area: to edit a regular expression proxy authentication exception, select the Regular Expression name; to add a regular expression proxy authentication exception, click Add New Regex Proxy Authentication Exception.
2. In the Add/Update Regex Proxy Authentication Exception screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.
Field: Description

Regular Expression: Enter the regular expression of a URL to exempt from proxy authentication. To exempt HTTP traffic to example.com and all of its subdomains, enter: ^ To exempt HTTPS traffic to mydomain.com and all of its subdomains, enter: ^(.*\.)?mydomain\.com:443
Enabled: Select to enable this option.

Request Header Proxy Authentication Exceptions
To specify Request Header Proxy Authentication Exceptions for the Barracuda Web Security Gateway:

1. In the Request Header Proxy Authentication Exceptions area: to edit a request header proxy authentication exception, select the request header name; to add a request header proxy authentication exception, click Add New Request Header Proxy Authentication Exception.
2. In the Add/Update Request Header Proxy Authentication Exception screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Header: Exempt clients' browsers/programs which send specific HTTP request headers listed here. Example: Header: User-Agent, Pattern Regex: Java.*
Pattern Regex: Enter the pattern regex in the text box.
Enabled: Select to enable this option.

Source IP Proxy Authentication Exceptions

To specify Source IP Proxy Authentication Exceptions for the Barracuda Web Security Gateway:

1. In the Source IP Proxy Authentication Exceptions area: to edit an exception, select the exception name; to add an exception, click Add New Source IP Proxy Authentication Exception.
2. In the Add/Update Source IP Proxy Authentication Exception screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

IP Address: IP Address of the Source to be exempted.
Netmask: Netmask for the Source IP Address.
Enabled: Select to enable this option.

Destination IP Proxy Authentication Exceptions

To specify Destination IP Proxy Authentication Exceptions for the Barracuda Web Security Gateway:

1. In the Destination IP Proxy Authentication Exceptions area: to edit an exception, select the exception name; to add an exception, click Add New Destination IP Proxy Authentication Exception.
2. In the Add/Update Destination IP Proxy Authentication Exception screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

IP Address: IP Address of the Destination to be exempted.
Netmask: Netmask for the Destination IP Address.
Enabled: Select to enable this option.

Domains Not Cached

To specify Domains excepted from caching for the Barracuda Web Security Gateway:

1. In the Domains Not Cached area: to edit a Domain, select the Domain name; to add a Domain, click Add New No Cache Domain.
2. In the Add/Update No Cache Domain screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Domain Name: Name of Domain exempted from caching.
Enabled: Select to enable this option.

Exempt Domains

To specify Domains to exempt from sending to the Barracuda Web Security Service (applies in Service Enforcement mode only):

1. In the Exempt Domains area: to edit a Domain, select the Domain name; to add a Domain, click Add New Exempt Domain.
2. In the Add/Update Exempt Domain screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Domain Name: Name of Domain whose traffic is not sent to the Barracuda Web Security Service.
Enabled: Select to enable this option.

Exempt Networks

To specify Networks to exempt from sending to the Barracuda Web Security Service (applies in Service Enforcement mode only):

1. In the Exempt Networks area: to edit a Network, select the Network name; to add a Network, click Add New Exempt Network.
2. In the Add/Update Exempt Network screen, enter or edit entries for the fields in the table below.
3. Click Submit.
4. Click Save Changes.
5. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Field: Description

Network: Name of Network whose traffic is not sent to the Barracuda Web Security Service.
Enabled: Select to enable this option.

Using SNMP with Barracuda WSG

To configure SNMP settings, you must be logged into the Barracuda Web Security Service Manager interface, and click Barracuda Web Security Service at the top of the Barracuda Cloud Control login screen. The Barracuda Web Security Service Manager interface appears in the screen.

SNMP Manager Settings

Click CONFIGURATION and then the Gateway page. Click the name of the Barracuda Web Security Gateway you want to manage, then select the SNMP tab.
To configure SNMP Manager for a Barracuda Web Security Gateway:

Enter or edit entries in the following fields:

- Enable SNMP Agent: Enable or disable SNMP access.
- SNMP Community String: The SNMP community string if needed. Default: public
- SNMP Username: Only required if using SNMP version v
- SNMP Password: Only required if using SNMP version v
- SNMP Authentication Method: Select the authentication method your SNMP monitor supports: MD5, SHA-1 (more secure)
- SNMP Encryption Method: Select the encryption method: DES, AES (more secure)

Click Save Changes. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Allowed SNMP/IP Range

Click CONFIGURATION and then the Gateway page. Click the name of the Barracuda Web Security Gateway you want to manage, then select the SNMP tab.

To specify the allowed SNMP/IP ranges:

1. Do one of the following:
   - To edit SNMP settings, click the IP address you want to manage.
   - To add an SNMP Range, click Add New SNMP Range.
2. On the Add/Update Allowed SNMP/IP Range screen, enter or edit entries in the following fields:
   - IP Address: IP addresses that can administer the Barracuda Web Security Gateway.
   - Netmask: Netmask for the IP addresses above.
3. Click Submit and click Save Changes.
4. When prompted to sync the Barracuda Web Security Gateway, click Sync.

SNMP Traps

If you wish to report to an SNMP Trap Server, you need to enable an SNMP agent using SNMP Manager Settings. The SNMP agent configuration is used by the SNMP Trap Server Agent.

Click CONFIGURATION and then the Gateway page. Click the name of the Barracuda Web Security Gateway you want to manage, then select the SNMP tab.

To set SNMP Traps for the Barracuda Web Security Gateway:

1. If you have not already configured an SNMP Agent, do so by following the steps in SNMP Manager Settings.
2. In the SNMP Traps area, do one of the following:
   - To edit SNMP settings, click the IP address you want to manage.
   - To add an SNMP Range, click Add New SNMP Trap.
3. In the Add/Update SNMP Trap screen, enter or edit entries in the following fields:
   - IP Address: IP addresses that can administer the Barracuda Web Security Gateway.
   - Port: The port for the SNMP Trap IP address.
Default: 162

How to Use eDirectory with the Barracuda Web Security Gateway

These steps will help you to configure the Barracuda Web Security Gateway to use Novell eDirectory for LDAP authentication with the Barracuda Web Security Service.

1. Browse to and log in with your Barracuda Cloud Control Account.
2. Select Web Security.
3. Browse to the CONFIGURATION > Gateways tab.
4. Select the desired Gateway.
5. Set Enable Local Enforcement Mode to Local Enforcement Mode and click Save Changes.
6. From the top of this page, click Authentication.
7. Make sure the radio button has LDAP selected, and then click on Add LDAP Authentication Mechanism.
8. Enter in your LDAP information, and make sure you selected Novell eDirectory for Server Type. (Note: You will need to add x servers where x is the number of replicas you have).
9. Click on Sync.
10. Call Barracuda Networks Technical Support for assistance in applying a patch.
11. Repeat steps 1-7 for any additional Web Security Gateways for which you want to configure eDirectory.
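The gateway sections above take an IP Address and Netmask pair for exemptions, proxy authentication exceptions and allowed SNMP ranges, and warn against a mask that exempts more than intended. The following is an added example, not Barracuda code: it computes what each pair actually covers before it is entered. The entry names, addresses and the 256-address review threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample entries in the IP Address / Netmask form the screens ask for.
SAMPLE_EXEMPTIONS = [
    ("exec-laptop", "10.20.30.40", "255.255.255.255"),
    ("exec-laptop-typo", "10.20.30.40", "255.255.0.0"),
    ("lab-subnet", "192.168.50.0", "255.255.255.0"),
    ("bad-mask", "172.16.1.0", "255.0.255.0"),
    ("everything", "0.0.0.0", "0.0.0.0"),
]

MAX_ADDRESSES = 256  # assumed review threshold; tune to local policy


def prefix_from_netmask(netmask):
    """Return the prefix length of a dotted netmask; reject non-contiguous masks."""
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = mask ^ 0xFFFFFFFF
    # A valid mask inverts to 0b000...0111...1, so inverted + 1 shares no bits with it.
    if inverted & (inverted + 1):
        raise ValueError(f"netmask {netmask} is not contiguous")
    return 32 - inverted.bit_length()


def audit_entry(name, ip, netmask, max_addresses=MAX_ADDRESSES):
    """Describe the range one entry covers and list anything worth a second look."""
    result = {"name": name, "network": None, "addresses": 0, "findings": []}
    try:
        prefix = prefix_from_netmask(netmask)
        address = ipaddress.IPv4Address(ip)
    except ValueError as exc:
        result["findings"].append(f"invalid entry: {exc}")
        return result

    network = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    result["network"] = str(network)
    result["addresses"] = network.num_addresses

    if address != network.network_address:
        # A host address with a wide mask usually means a single machine was intended.
        result["findings"].append(
            f"{address} is a host address but the mask covers all of {network}"
        )
    if prefix == 0:
        result["findings"].append("entry matches every IPv4 address")
    if network.num_addresses > max_addresses:
        result["findings"].append(
            f"covers {network.num_addresses} addresses (threshold {max_addresses})"
        )
    return result


def audit_exemptions(entries, max_addresses=MAX_ADDRESSES):
    return [audit_entry(name, ip, mask, max_addresses) for name, ip, mask in entries]


if __name__ == "__main__":
    for item in audit_exemptions(SAMPLE_EXEMPTIONS):
        status = "; ".join(item["findings"]) or "ok"
        print(f'{item["name"]:18} {str(item["network"]):20} {status}')
```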
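The regular expression authentication exceptions above skip proxy authentication for whatever the pattern matches, so a pattern is worth testing before it is enabled. This added example (not Barracuda code) runs the page's HTTPS pattern and two variants against constructed host:port strings; it assumes the gateway applies the pattern as a search against host:port, which the page does not state, and the looser variant and the test strings are constructed.

```python
import re

# Pattern quoted on the page for HTTPS traffic to mydomain.com and its subdomains.
PAGE_PATTERN = r"^(.*\.)?mydomain\.com:443"
# Constructed variant with the dots left unescaped, as is easy to type by mistake.
LOOSE_PATTERN = r"^(.*.)?mydomain.com:443"

# Constructed test strings in host:port form.
INTENDED = ["mydomain.com:443", "www.mydomain.com:443", "a.b.mydomain.com:443"]
UNINTENDED = [
    "notmydomain.com:443",
    "mydomain.com.example.net:443",
    "mydomain.com:4430",
    "mydomain-com:443",
]


def audit_pattern(pattern, intended=INTENDED, unintended=UNINTENDED):
    """Return intended strings the pattern misses and unintended ones it exempts."""
    rx = re.compile(pattern)
    return {
        "missed": [s for s in intended if not rx.search(s)],
        "leaked": [s for s in unintended if rx.search(s)],
    }


def lint_pattern(pattern):
    """Flag missing anchors and bare dots, the usual causes of an over-broad match."""
    notes = []
    if not pattern.startswith("^"):
        notes.append("no leading ^: pattern can match in the middle of the string")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        notes.append("no trailing $: anything may follow the matched text")
    i, in_class = 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":          # escaped character: skip it and the backslash
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            # ".*", ".+", ".?" and ".{n}" are deliberate wildcards; a bare "." rarely is.
            if pattern[i + 1:i + 2] not in ("*", "+", "?", "{"):
                notes.append(f"unescaped '.' at offset {i} matches any character")
        i += 1
    return notes


if __name__ == "__main__":
    for label, pat in [("page", PAGE_PATTERN),
                       ("page + $", PAGE_PATTERN + "$"),
                       ("loose", LOOSE_PATTERN)]:
        print(label, audit_pattern(pat), lint_pattern(pat))
```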
Barracuda Web Security Service Architectures - Summary

In this article:

- Customize Security Coverage to Any Environment
- Direct to Service
- Web Security Gateway
- Barracuda Web Security Agent
- Flexible Deployment

Customize Security Coverage to Any Environment

The Barracuda Web Security Service delivers state-of-the-art web security through various deployment options that you administer through one management portal. For corporate and branch office deployments, gateway web security appliances integrate with enterprise directory services such as Active Directory behind the firewall, enabling user and group-based policy control. A pure SaaS web security service provides web security for remote office and home-based users. Software agents extend security to mobile users' Windows and Mac laptops. Administrators can select any deployment option or any combination of deployment options to satisfy their exact web security needs.

Direct to Service

The simplest way to use Barracuda Web Security Service is to directly proxy your web traffic to the cloud-based content filtering and malware protection service. This can be done with browser proxy settings or by transparently forwarding traffic from any network firewall or proxy that supports forwarding to an upstream proxy.

Figure 1: Direct to Service.

Web Security Gateway

The Barracuda Web Security Gateway is an on-premises solution that integrates with your directory service for group-based policies, and caches static web content locally to save bandwidth. The Barracuda Web Security Gateway can be configured either to provide local security and policy enforcement or forward traffic to the cloud-based web filtering service. These appliances are managed and configured through the cloud-based central management and reporting interface. The Barracuda Web Security Gateway is available as a hardware appliance or as a virtual appliance. See Using the Barracuda Web Security Gateway and Barracuda Web Security Gateway Deployment Configurations for deployment details and options.
Figure 2: With the Barracuda Web Security Gateway appliance.

Barracuda Web Security Agent

The Barracuda Web Security Agent protects remote and roaming users by forcing all web traffic from laptops through the cloud-based content filtering and malware protection service. The Barracuda Web Security Agent is a lightweight, tamper-proof client available for Microsoft Windows and Mac laptops and desktops.

Figure 3: Barracuda Web Security Agent installed on remote user's machines.
Flexible Deployment

The Barracuda Web Security Service allows the flexibility to combine deployment options to suit the specific need of each location. The cloud-based central management and reporting interface makes it easy to specify a uniform web usage policy and monitor web access across all the users.

Figure 4: Flexible deployment options.

Authentication with the Barracuda Web Security Service

Authentication Options

Identity Management and the Barracuda Web Security Service

The Barracuda Web Security Service allows you to enforce policies and generate reports for specific users or groups. To implement user or group awareness, you must configure the Barracuda Web Security Service Manager with user and group specific information. In addition, incoming traffic must be tagged with corresponding user and group identities so traffic can be correctly matched to a policy or report. Direct proxy methods of deployment (pure SaaS deployments) do not tag traffic, and therefore cannot make use of user or group specific policy enforcement or reporting.

Depending on your deployment, follow the instructions below to configure authentication for the Barracuda Web Security Service:

- How to Configure Authentication
- Authentication with the Barracuda Web Security Gateway

How to Configure Authentication

This article explains how to configure the Barracuda Web Security Service Manager with users and groups which can be matched to tagged incoming traffic so user-specific policies can be enforced, and reports for specific users and groups can be generated. For authentication options with the Barracuda WSG, refer to Authentication with the Barracuda Web Security Gateway.

In this article:

- Configuring Barracuda Web Security Service with User/Group Identities
- Configuring your System so Traffic can be Tagged with User/Group Identities
- Group Management
- Obtaining User and Group Information
- How Methods Interact
- Directory Upload
- Barracuda Networks Directory Sync
- Configure the Authentication Key and URL
- Add a Directory Profile
- Synchronize Data
- Group Information and GPO Proxying
- Manually Creating and Managing Groups

Configuring Barracuda Web Security Service with User/Group Identities

To configure Barracuda Web Security Service users and groups, you can upload an LDIF file (a snapshot of authentication information output from your authentication system); alternatively, you can use the Barracuda Networks Directory Sync tool to synchronize user/group information on the Barracuda Web Security Manager to your authentication system. You can also enter user and group information manually through the Barracuda Web Security Service Manager. Manually entered user and group identifications must correspond exactly to those tagged in traffic, or they will never be applied.

Configuring your System so Traffic can be Tagged with User/Group Identities

Using a pure SaaS configuration of the Barracuda Web Security Service, the traffic arriving at the service is not tagged with any user identification, so only global policy enforcement or reporting is possible.

The Barracuda Web Security Agent tags user information on all traffic it proxies to the cloud. These identifications allow the Barracuda Web Security Service to distinguish between traffic sent from different users, and if configured to do so, policies and reports can be applied for matching users or groups configured on the Barracuda Web Security Service Manager.

The Barracuda Web Security Gateway can also tag traffic with user and group information. If you are deploying a Barracuda WSG and proxy traffic to the Barracuda Web Security Service for enforcement, you need to configure the Barracuda Web Security Service Manager with user/group information.

Group Management

You can specify groups in one of two ways:

- In directory services (such as Active Directory or LDAP) on your network.
  You can define and maintain groups in one place for both networking and for the web security service.
- In the Barracuda Web Security Service Manager interface. You can create or edit group information manually.

Obtaining User and Group Information

There are three ways to add user and group information to the Barracuda Web Security Service:

- Upload an LDIF file, exported from your LDAP, into the service.
- Push LDAP data from your network up to the service using the Barracuda Networks Directory Sync Utility.
- Manually create groups (or edit information already imported).

How Methods Interact

You can use the three methods above to manage user and group information. Be aware of the following interactions:

- Edit imported user or group information manually, but manual edits or additions may be overwritten when they intersect with incoming imported data.
- The Barracuda Networks Directory Sync tool simply overwrites existing data when executed.
- Directory Upload allows you to choose between an overwrite option and a merge option. The overwrite option simply overwrites existing data.

Warning
Directory Upload options do not consider the domain; all usernames and groups are treated as a single domain. Usernames and groups should be unique across all domains being uploaded. Duplicates will be overwritten.

Directory Upload

During Directory Upload, the Barracuda Web Security Service Manager initiates a pull of data from your network directories. Most users perform an initial upload, then manage data manually thereafter. To use this option, you must first export an LDIF file from your LDAP.

To use Directory Upload:

1. If you are not already in the Barracuda Web Security Service Manager interface, from your Barracuda Cloud Control login screen, click Barracuda Web Security Service.
2. Select the CONFIGURATION tab of the Barracuda Web Security Service Manager.
3. Select the Group Management tab.
4. Select Directory Upload.
5. Browse to the LDIF file you want to upload.
6. Choose Merge with existing data, if applicable, or Delete and replace existing data.
7. Click Upload File.

Barracuda Networks Directory Sync

Use the Barracuda Networks Directory Sync tool to send the AD Groups on your local network to your Barracuda Web Security Service. Install it on a Windows machine that has network connectivity to the AD systems. You can do a one time SSL encrypted transfer of one or many AD domains. Subsequent uses of the tool overwrite previous ones. Usernames should be unique across domains.

To use the tool, first go to the Barracuda Web Security Service Manager SUPPORT > Downloads page and download the Directory Sync Installer.

To install and launch the Directory Sync tool:

1. Run the installer.
2. Click Next.
3. Accept the license agreement, and then click Next.
4. Click Next, then Install, and wait while InstallShield installs the files.
5. Click Finish.
6. To launch the tool, click Start > All Programs > Barracuda > Directory Sync > Directory Sync.

Configure the Authentication Key and URL

When prompted for an Auth Key:

In the Barracuda Web Security Service Manager:

- Go to CONFIGURATION > Key Management.
- Select Add New Key.
- Enter a Name for your key.
- Select Type Barracuda Web Security Gateway/Web Security Agent.
- Now copy the key so you can enter it into the Barracuda Networks Directory Sync configuration.
- Save Changes.

In the Barracuda Networks Directory Sync Tool:

- Paste the key into the Auth Key box.
- In the Service box, the Barracuda Web Security Service URL appears by default: rks.com/api/directory.php
- Click OK.

Add a Directory Profile

If you create multiple profiles for multiple domains, they will be combined and uploaded as if they are a single domain.

To add a directory profile:

Click New. To add information about the profile, complete the following fields:
- Domain/Host: Name of the domain and host you want to import data from.
- Description: Intuitive description of the domain.
- User Name: Name of a user with sufficient privileges to query the LDAP server.
- Password: Password for the User Name account.
- Base DN: Domain name of the node closest to the root that includes the data you want to import. You can specify multiple base DNs, separating them with the character.
- Filter: String that specifies how to examine each entry.

Click Test if you want to test the connection before you send the data to the Barracuda Web Security Service. Click OK.

Synchronize Data

You can synchronize data manually, or use Windows Task Scheduler to set up automatic synchronization.

To send the data to the Barracuda Web Security Service manually, select Sync All

OR

To set up automated synchronization for a profile using Windows Task Scheduler, use the following command:

"C:\Program Files\Barracuda\Directory Sync\Directory Sync.exe" SYNC

You can verify a sync was successful using the Barracuda Web Security Service Manager. Go to CONFIGURATION > Group Management to see the Last Successful directory sync and the number of users and groups synchronized.

Group Information and GPO Proxying

If you direct users' web browsers to Barracuda Web Security Service by using a Group Policy Object (GPO) to point to a PAC file, you must manually add the groups to the Barracuda Web Security Service Manager to make them available for policy creation and reporting; otherwise, though they are passed to the service, they will not be used.

Manually Creating and Managing Groups

Creating a Group

You can create groups while you are creating a rule, or you can set them up on the CONFIGURATION tab. For more information about creating groups when you create a rule, see Creating Rules for the Barracuda Web Security Service.

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Select Manual Group Management.
4. Select Add New Group.
5. Type the Name for this group, and then Save Changes.
6. Now you can add members to the group by selecting Add New Member.
7. Enter the Name, and then click Add.
8. Click OK if prompted to acknowledge the saved changes.
9. Repeat steps 6 through 8 until you have added all group members.

Editing a Group

Any manual edits you make will be overwritten if you subsequently upload or synchronize data from your LDAP server. If you plan to use Barracuda Networks Directory Sync or Directory Upload, it is best to edit the data on your LDAP server, rather than manually editing the Barracuda Web Security Service database.

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Select the name of the group you want to edit to do any of the following:
   - Change the group name by editing the Name field, and then Save Changes.
   - Add new group members by selecting Add New Member, enter the user name, and Save Changes.
   - Delete users selecting the X icon under Delete and then Save Changes.

The names of group members must be identical to the names used for networking.

Deleting a Group
You cannot delete a group used by a rule, a scheduled report, or by a Configuration Profile on the Web Security Agent tab. For more information about centrally managing Barracuda Web Security Agents v. 3 or later, see Configuration Profiles Using the Barracuda Web Security Agent.

To delete a group:

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Select the X icon under Delete for the group you want to delete.
4. Confirm you want to delete the selected group.

Directory Upload

During Directory Upload, the Barracuda Web Security Service Manager initiates a pull of data from your network directories. Most users perform an initial upload, then manage data manually thereafter. To use this option, you must first export an LDIF file from your LDAP.

To use Directory Upload:

1. If you are not already in the Barracuda Web Security Service Manager interface, from your Barracuda Cloud Control login screen, click Barracuda Web Security Service.
2. Select the CONFIGURATION tab of the Barracuda Web Security Service Manager.
3. Select the Group Management tab.
4. Select Directory Upload.
5. Browse to the LDIF file you want to upload.
6. Choose Merge with existing data, if applicable, or Delete and replace existing data.
7. Click Upload File.

Barracuda Networks Directory Sync

Use the Barracuda Networks Directory Sync tool to send the AD Groups on your local network to your Barracuda Web Security Service. Install it on a Windows machine that has network connectivity to the AD systems. You can do a one time SSL encrypted transfer of one or many AD domains. Subsequent uses of the tool overwrite previous ones. Usernames should be unique across domains.

To use the tool, first go to the Barracuda Web Security Service Manager SUPPORT > Downloads page and download the Directory Sync Installer.

To install and launch the Directory Sync tool:

1. Run the installer.
2. Click Next.
3. Accept the license agreement, and then click Next.
4. Click Next, then Install, and wait while InstallShield installs the files.
5. Click Finish.
6. To launch the tool, click Start > All Programs > Barracuda > Directory Sync > Directory Sync.

Configure the Authentication Key and URL

When prompted for an Auth Key:

In the Barracuda Web Security Service Manager:

- Go to CONFIGURATION > Key Management.
- Select Add New Key.
- Enter a Name for your key.
- Select Type Barracuda Web Security Gateway/Web Security Agent.
- Now copy the key so you can enter it into the Barracuda Networks Directory Sync configuration.
- Save Changes.

In the Barracuda Networks Directory Sync Tool:

- Paste the key into the Auth Key box.
- In the Service box, the Barracuda Web Security Service URL appears by default: rks.com/api/directory.php
- Click OK.

Add a Directory Profile

If you create multiple profiles for multiple domains, they will be combined and uploaded as if they are a single domain.

To add a directory profile:
Click New. To add information about the profile, complete the following fields:

- Domain/Host: Name of the domain and host you want to import data from.
- Description: Intuitive description of the domain.
- User Name: Name of a user with sufficient privileges to query the LDAP server.
- Password: Password for the User Name account.
- Base DN: Domain name of the node closest to the root that includes the data you want to import. You can specify multiple base DNs, separating them with the character.
- Filter: String that specifies how to examine each entry.

Click Test if you want to test the connection before you send the data to the Barracuda Web Security Service. Click OK.

Synchronize Data

You can synchronize data manually, or use Windows Task Scheduler to set up automatic synchronization.

To send the data to the Barracuda Web Security Service manually, select Sync All

OR

To set up automated synchronization for a profile using Windows Task Scheduler, use the following command:

"C:\Program Files\Barracuda\Directory Sync\Directory Sync.exe" SYNC

You can verify a sync was successful using the Barracuda Web Security Service Manager. Go to CONFIGURATION > Group Management to see the Last Successful directory sync and the number of users and groups synchronized.

Group Information and GPO Proxying

If you direct users' web browsers to Barracuda Web Security Service by using a Group Policy Object (GPO) to point to a PAC file, you must manually add the groups to the Barracuda Web Security Service Manager to make them available for policy creation and reporting; otherwise, though they are passed to the service, they will not be used.

Manually Creating and Managing Groups

Creating a Group

You can create groups while you are creating a rule, or you can set them up on the CONFIGURATION tab.

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Select Add New Group.
4. Enter a Name for this group, and then Save Changes.
The names of group members must be identical to the names used for networking.

Now add members to the group by selecting Add New Member. Enter the Name of the new user, then click Add. When prompted, click OK to acknowledge the saved changes. Repeat steps 1-3 to add all group members.

Editing a Group

Any manual edits you make will be overwritten if you subsequently upload or synchronize data from your LDAP server. If you plan to use Barracuda Networks Directory Sync or Directory Upload, it is best to edit the data on your LDAP server, rather than manually editing your users with the Barracuda Web Security Service.

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Click on the Group Name of the group you want to edit to do any of the following:
   - Change the group name by editing the Name field, and then Save Changes.
   - Add new group members by selecting Add New Member, entering the user Name, and Save Changes.
   - Delete users selecting the X icon in the Delete column, then Save Changes.

Deleting a Group

You cannot delete a group used by a rule, a scheduled report, or by a Configuration Profile on the WSA Management tab.
To delete a group:

1. In the Barracuda Web Security Service Manager, select the CONFIGURATION tab.
2. Select Group Management.
3. Select the X icon in the Delete column of the group you want to delete.
4. Confirm you want to delete the selected group.

Authentication with the Barracuda Web Security Gateway

In this article:

- LDAP Authentication Management
- eDirectory
- NTLM Authentication Management
- Kerberos Authentication Management

The Barracuda Web Security Gateway fully and transparently integrates with various user authentication technologies, including LDAP/AD, Novell's eDirectory, NTLM, or Kerberos, authenticating users before tagging traffic. For LDAP/AD deployments, you can deploy a Domain Controller Agent with the Barracuda Web Security Gateway to authenticate user identities.

If you deploy a Barracuda Web Security Gateway to proxy traffic to the Barracuda Web Security Service for enforcement, you will need to configure users and groups on the Barracuda Web Security Service Manager so traffic can be matched to policies or reports configured for the user or group. Refer to How to Configure Authentication for details.

You can specify proxy and caching settings by selecting a Barracuda Web Security Gateway from the list on the Configuration > Gateway page and selecting the Authentication tab. The Authentication tab allows you to choose and configure the following authentication mechanisms:

- LDAP (including eDirectory)
- NTLM
- Kerberos

Choose only one authentication mechanism. The Barracuda Web Security Gateway does not support authentication using more than one method.

LDAP Authentication Management

Select LDAP as the authentication mechanism. The LDAP Authentication Management screen appears, and displays a list of LDAP authentication mechanisms. You can do one of the following:

- To edit an LDAP mechanism, click the LDAP Server Alias name.
- To add an LDAP mechanism, click Add LDAP Authentication Mechanism.

The Add/Update LDAP Authentication Mechanisms screen appears.
Enter or edit the following fields: Server Alias Idtifies this server in the Web interface. Server Name/IP Hostname or IP address of your LDAP or Active Directory server. Server Type Indicate whether this is a Novell edirectory server. Select Novell edirectory only if using single sign-on. Note: To add replicas, th select the server from the LDAP Authtication Managemt list. Click Edit to edit the replica try. LDAP Port The port for LDAP or Active Directory server. Default: 389 LDAP Encryption Select one of the cryption methods: None, TLS (Transport Layer Security), SSL Bind DN (Username) Distinguished Name (DN) of a user in your directory that has Read access to all the users you want to import into the Barracuda Web Security Gateway. Example: for Novell edirectory: cn=admin Bind Password Password for the user specified in the Bind DN field, above. LDAP Search Base Base DN for your directory. Example: If your domain is test.com, your Base DN might be dc=test,dc=com 52
53 UID Attribute Attribute containing the username. Examples: for Op LDAP: cn; for Active Directory: samaccountname; for Novell edirectory: cn If needed, select Advanced Options, and th ter or edit the following fields which may be needed to properly associate users with groups and vice versa. Additional Filter The filter to apply to LDAP searches. Member Groups Attribute Contains a member's groups. Recommded for Active Directory: memberof; Recommded for Novell edirectory: groupmembership. Group Members Attribute Contains a group's members. Recommded for Active Directory: member Be sure to Submit th Save Changes. Wh prompted to sync the Barracuda Web Security Gateway, click Sync. edirectory To configure edirectory replicas, add an additional LDAP server for each replica. While multiple LDAP servers can be configured, they must be for the same Domain, as the Barracuda Web Security Gateway does not support multiple Domains. All usernames and groups are treated as a single domain. As a result, usernames and groups should be unique across all domains. Multiple LDAP servers from differt Domains are not supported, and if configured, the behavior is unknown. NTLM Authtication Managemt Select NTLM as the authtication mechanism. The NTLM Authtication Managemt scre appears, and displays a list of NTLM authtication mechanisms. Do one of the following: To edit an NTLM mechanism, click the NTLM Domain name. To add an NTLM mechanism, click Add NTLM Authtication Mechanism. The Add/Update NTLM Authtication Mechanisms scre appears. Enter or edit the following fields: Domain Name The NetBIOS or pre-windows 2000 name of your Windows domain. Server IP The IP address of your NTLM server. In a Windows vironmt, this is typically the domain controller. Server Hostname Hostname of your NTLM domain controller. Username Username for joining the Windows domain. Note: This user must have Administrator privileges. Password Password for the user in the Username field, above. 
Be sure to Submit then Save Changes. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Kerberos Authentication Management

Select Kerberos as the authentication mechanism. The Kerberos Authentication Management screen appears, and displays a list of Kerberos authentication mechanisms. Do one of the following:
- To edit a Kerberos mechanism, click the Server Realm name.
- To add a Kerberos mechanism, click Add Kerberos Authentication Mechanism.

The Add/Update Kerberos Authentication Mechanisms screen appears. Enter or edit the following fields:
- Server Realm: Your Windows administrative domain name.
- KDC: FQDN (fully qualified domain name) of the KDC (Key Distribution Center) server for the above realm. This is typically the FQDN of your domain controller.
- Username: Windows Username of a user with privileges to join this machine to the Active Directory. Do not include the domain name in the Username entry. For example, if the Username is administrator, simply enter administrator.
- Password: Password for the user in the Username field, specified above.
- Advanced Options > Short Domain Name: Short domain name if different from the realm name.

Be sure to Submit then Save Changes. When prompted to sync the Barracuda Web Security Gateway, click Sync.

Creating Rules for the Barracuda Web Security Service

In this article:
- Order of Execution within Rules
- Blocking or Allowing Access within a Rule
- Enforcing Safe Search with a Rule
- The Purewire Intelligence WebDAV/DLL Hijack Rule Option
- Allowing or Blocking Specific Objects on a Website
- Enforcing Schedules and Quotas
- Actions Taken for Traffic Matching the Rule
- Customizing Block Pages
- Bypassing a Block Page
- Coaching
- Logging
- Options
- After You Add or Change Rules

Rules let you monitor or control how clients interact with the web.
You define rules indicating which sites are allowed or disallowed based on content or malware risk, then specify the response to user web requests violating the rule. For each rule, you can create enforcement schedules and throttle web use by limiting connections, bytes, or time. There are two types of rules:
- Global Only
- Group or User-based

Global rules apply one set of rules to everyone. Group or User-based rules apply to different groups of people or even to individual users. To configure Group or User-based rules, you need to configure authentication. Refer to How to Configure Authentication, or if you are deploying a Barracuda Web Security Gateway, refer to Authentication with the Barracuda Web Security Gateway.

Order of Execution within Rules

Because rules configured for the Barracuda Web Security Service can include different types of restrictions, it's important to understand the order in which web requests are compared to configured restrictions. When you create a complex rule that includes a combination of several types of blocks, the restrictions and exceptions are executed in this order:
1. Whitelist
2. Blacklist
3. File extension
4. Content type
5. Category (includes Anti-virus, Anti-malware, and content blocked by Purewire Intelligence)

Web content is evaluated against rules in the order they appear on the Rules tab of the Barracuda Web Security Service web interface, top to bottom. Manage the rule order by moving rules up or down in the list. If a rule is true, the Barracuda Web Security Service completes the specified action, and rule processing stops.

Blocking or Allowing Access within a Rule

Rules can include any combination of the following components, which control what the rule denies or allows:
1. Whitelist: rules with a whitelist component allow access to specific sites. They can apply to all users, groups of users, or specific IP addresses. Whitelist rules are the first rules Barracuda Web Security Service Manager checks when a user request occurs, so a site on a whitelist rule will be available even if another rule is created to deny it. Use an asterisk (*) to allow all.
2. Blacklist: rules with a blacklist component deny access to specific sites. They can apply to all users, groups of users, or specific IP addresses. You can configure an alert to be sent when the rule is triggered, or choose to log the attempt. Use an asterisk (*) in the blacklist entry to deny all.
3. Compliance: rules can enforce restrictions to defined content types or file extensions accessed with configured applications or through configured URL categories.
4. Safe Search: rules with the Safe Search feature enabled enforce Safe Search for the designated search engine, returning filtered search results only, no matter what the user browser Safe Search preference settings indicate.

Enforcing Safe Search with a Rule

The Safe Search option is available in the Rules > Image/Multimedia Safe Search > Compliance area. The Safe Search option is available for the following search engines:
- Bing
- Dogpile
- Google
- MSN
- Yahoo

This Safe Search option is available when the administrator creates or edits a rule, and is enforced for the selected engine(s) used by anyone in the set of Groups or IP Addresses specified in the Applies To area.

Search engines apply various search filters, usually associated with websites that contain adult content or other inappropriate content as defined by that search engine. When Safe Search filtering is selected in the user's web browser, then the search engine applies its filters and displays filtered search results to the user. However, Safe Search filters in a search engine can be deselected by the user in the web browser. The Safe Search feature in the Barracuda Web Security Service can translate URLs so that the search engine can enforce its Safe Search filters regardless of the filter preference set by the user in the web browser.

For example, if the Safe Search preference for Google in a user's web browser is deselected, but the administrator enables Safe Search in the Barracuda Web Security Service for Google, then the Service translates the URLs so that Google can enforce its Safe Search filters regardless of the Safe Search preference set in the user's web browser.

If the administrator enables Safe Search for a search engine and also creates a rule to block URLs in a specified Category, then:
- The search engine applies its Safe Search filters and displays filtered search results to the user.
- If the user clicks a URL in the search results that resolves to a blocked Category in Barracuda Web Security Service, then the user sees the blocking page that you have designated for that Category.

For example, if the administrator creates a rule in Barracuda Web Security Service to block URLs for the category Games, and also enables Safe Search for Google, then the user's search for Games returns results that are filtered by Google. If that user then clicks on a URL that resolves to the category Games in Barracuda Web Security Service, then the user sees the blocking page that you have designated for that Category.

When enabling the Safe Search feature for Bing or MSN search engines, always select both Bing and MSN to ensure Safe Search cannot be circumvented.

The Purewire Intelligence WebDAV/DLL Hijack Rule Option

The Purewire Intelligence components dynamically classify websites based on site content and detect the presence of script- and bot-based attacks. The WebDAV/DLL Hijack rule option prevents an attacker from exploiting a flaw in the way that applications start up and load components. During application startup, the application handles a specific file to load required dynamic components; it searches the current application directory first. An attacker can place a malicious DLL file in that directory with the same name as the DLL file that the application uses during startup. When the application opens the DLL file, the malicious DLL code loads into computer memory and allows the attacker to execute arbitrary code. An attacker can use a variety of methods, including a USB drive, network file share, or the WebDAV protocol, to insert the malicious DLL file.

An Administrator can override a block of a URL that is included as a Malicious Site in Rules > Threat Prevention > Purewire Intelligence area by editing the rule and either:
- Pressing the Ctrl key and clicking on the Malicious Sites option to deselect it, or
- Adding the URL to the Whitelist in the Rules > Advanced > Exceptions area.

Allowing or Blocking Specific Objects on a Website

Barracuda Web Security Service provides fine-grained control over which items on a web page are blocked. You can configure rules, called Composite Rules, that combine URL Categories or Applications with Content Types or File Extensions. Using Composite Rules you can block specific objects, such as audio files, on categorized sites.

For example, you can create a new rule to block Facebook Picture Uploads. To create this rule, first select the URL category Leisure > Social Networking, and then select File Extension > Image, and Applies to: Uploads. Or you could select Content Type > Image and Applies to: Uploads. The rule applies to any request matching URL category or Application, and either a specified Content Type or File Extension. Select Block from Actions to indicate what the service should do if the prohibited content is accessed. Apply this rule to a group, to an IP range or to Everyone. With this rule in place, users managed by this rule can access Facebook but cannot upload images.

Enforcing Schedules and Quotas

A rule can be applied or disabled on configured days and times. In addition, you can throttle traffic matching a rule by limiting the number of connections, the number of bytes, or the amount of time allowed per day or week for traffic matching the rule.

Actions Taken for Traffic Matching the Rule

Rules are configured with criteria that can be compared to traffic. Traffic matching the rule can be allowed (for Whitelist matches) or denied (for all others).
In addition, the Barracuda Web Security Service can perform one or more of the following actions configured at the bottom of the RULES page:
- Display a Block Page
- Coach
- Log

Customizing Block Pages

The Barracuda Web Security Service displays a block page to users whose web traffic is blocked. You can determine what users see in this case by choosing one of the following options:
- Create custom blocking messages on a per-rule basis.
- Replace the Barracuda Web Security Service default block page with a custom global block page of your own using CONFIGURATION > Content Filtering Services > URL Blocking.
- Use the Barracuda Web Security Service default block page.

When the Barracuda Web Security Service blocks SSL sites, the user receives an error message rather than a block page because the web browser cannot complete the SSL handshake with the blocked destination server.

Bypassing a Block Page

You may want to block access to certain sites or categories for most users, but allow it for an individual or department. For example, you may want to prevent your workforce from using job search sites, but may need to give your recruiters access to those sites. You can accomplish this by creating a global rule blocking the sites and another rule allowing specific users or groups to bypass the block page. When you create the bypass rule, you specify a password which you can provide to the individuals who are allowed to bypass the block and go to the site. The block page they see contains a password entry field. After entering the bypass password, the users can continue on to the site. The bypass prompt only appears on the block page seen by the users specified in the bypass rule.

Coaching

You can set up a coaching page that warns users that they are attempting to visit a disallowed site or category. Users can continue to the website anyway by clicking an acknowledgement button.

To use bypass or coaching, the request to the Barracuda Web Security Service must contain a username (from a Barracuda Web Security Gateway, or Barracuda Web Security Agent) in order to track the session; if not, then the user sees the regular block page.
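The evaluation behaviour this article describes (whitelists checked first, then rules top to bottom with the first match ending processing, composite rules, and the username requirement for bypass and coaching) can be modelled in a short script. This is an added example, not Barracuda code: the Rule and Request classes, their field names, the category labels and the sample policy are all assumptions made for illustration.

```python
"""Added example: a simplified model of the rule evaluation this page describes.
Class and field names are assumptions, not the Barracuda data model or API."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    host: str
    category: str                 # URL category already assigned to the host
    extension: str = ""           # file extension class, e.g. "image"
    content_type: str = ""        # content type class, e.g. "image"
    direction: str = "download"   # "download" or "upload"
    user: str = ""                # empty when no username reached the service
    groups: frozenset = frozenset()
    client_ip: str = "192.0.2.10"


@dataclass
class Rule:
    name: str
    applies_to: str = "everyone"  # "everyone", "group:<name>" or a CIDR block
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)
    categories: set = field(default_factory=set)
    extensions: set = field(default_factory=set)
    content_types: set = field(default_factory=set)
    direction: str = "both"       # "upload", "download" or "both"
    action: str = "block"         # "block", "coach" or "bypass"

    def covers(self, req):
        """Does the rule's Applies To setting include this request?"""
        if self.applies_to == "everyone":
            return True
        if self.applies_to.startswith("group:"):
            return self.applies_to[len("group:"):] in req.groups
        return ip_address(req.client_ip) in ip_network(self.applies_to)

    def restriction(self, req):
        """First matching restriction, in the order the page lists them."""
        if listed(self.blacklist, req.host):
            return "blacklist"
        objects = self.extensions | self.content_types
        in_category = not self.categories or req.category in self.categories
        in_direction = self.direction in ("both", req.direction)
        # Composite rule: category AND (file extension OR content type).
        if objects and in_category and in_direction:
            if req.extension in self.extensions:
                return "file extension"
            if req.content_type in self.content_types:
                return "content type"
        if not objects and req.category in self.categories:
            return "category"
        return None


def listed(patterns, host):
    """Match a host against list entries; * stands for any run of characters."""
    return any(fnmatchcase(host.lower(), p.lower()) for p in patterns)


def evaluate(rules, req):
    """Return (decision, rule name, reason) for one request."""
    applicable = [r for r in rules if r.covers(req)]
    # Whitelists are checked first, so an allowed site stays reachable even
    # when another rule would deny it.
    for rule in applicable:
        if listed(rule.whitelist, req.host):
            return ("allow", rule.name, "whitelist")
    # Then rules run top to bottom and the first match ends processing.
    for rule in applicable:
        reason = rule.restriction(req)
        if reason:
            # Bypass and coaching need a username to track the session;
            # without one the user sees the regular block page.
            tracked = req.user or rule.action == "block"
            return (rule.action if tracked else "block", rule.name, reason)
    return ("allow", None, "no rule matched")


# Constructed sample policy. Placing the recruiters rule above the global
# block is this model's assumption about how the two rules are ordered.
RULES = [
    Rule("recruiters-bypass", "group:recruiters",
         categories={"job-search"}, action="bypass"),
    Rule("block-job-search", categories={"job-search"}),
    Rule("block-lab-domains", blacklist=["*.lab.example"]),
    Rule("coach-games", categories={"games"}, action="coach"),
    Rule("no-picture-uploads", categories={"social-networking"},
         extensions={"image"}, direction="upload"),
    Rule("allow-wiki", whitelist=["wiki.lab.example"]),
]

if __name__ == "__main__":
    upload = Request("www.facebook.com", "social-networking",
                     extension="image", direction="upload", user="bo")
    for req in (upload, Request("wiki.lab.example", "technology")):
        print(req.host, evaluate(RULES, req))
```

Note that the whitelist entry in the last rule still wins over the blacklist entry two rules above it, which is why a broad whitelist pattern deserves the same review as a block rule.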
Logging

The Barracuda Web Security Service can log requests that violate a policy whether you block them or not. This lets you monitor and report on web activity even if you do not block traffic. If a user triggers a bypass or coaching page, and then continues on to the disallowed site, their action is logged accordingly. If the user doesn't continue on to the disallowed site, the transaction is logged as a block.

Unknown users appear as username None, Unknown, or a blank Username field in logs and reports. Authenticate all traffic through the Barracuda Web Security Gateway or Remote client software to ensure meaningful user reporting.

Options

To inform others when a user makes a request that violates a rule, you can send an email to multiple addresses.

After You Add or Change Rules

After you add or change rules, web browser cache and caching servers may have content stored locally that makes a rule appear to be working improperly. If this occurs, then the web browser cache should be cleared manually and the cache should be cleared on caching servers.

How to Configure Rules

In this article:
- Creating Rules
- Composite Rules
- Whitelist and Blacklist of Websites
- Schedules and Quotas
- Actions on Violation of the Rule
- Editing Rules
- Disabling or Deleting Rules

This article explains how to create, edit, or delete rules. You may want to refer to Creating Rules for Barracuda Web Security Flex, which explains some considerations before creating rules.

Creating Rules

To create a rule, you need to be logged in to your customer account at Barracuda Networks. In the Barracuda Web Security Flex Manager interface, click the Rules tab, click Add New Rule, then do the following steps:

Enter a Name for the new rule.
62 In the Applies To area, select who the rule Applies To: Everyone Applies the rule to all users in a network. Unless you have configured authtication, this is your only option. To configure authtication, refer to How to Configure Authtication or Authtication with the Barracuda Web Security Gateway. New Group Type the name of the new group. Use alphanumeric characters only; do not use special characters. To add users to this group later, you can go to CONFIGURATION > Group Managemt and add users to the group. Existing Group Click in the text box to search for a group. Type the first three letters of the group you want to find, and th click on the Group name to select it. IP Addresses Type the IP address or subnet and two-digit CIDR prefix lgth. For multiple tries, click Add IP. To create a rule for an individual user, either create a group specifically for that user or (if the user has a static IP address) use their IP address. In the Threat Prevtion area, select threat categories you want to include in this rule: Anti-malware Anti-virus Purewire Intelligce WebDAV/DLL Exploit There are two ways an Administrator can override a block of a URL that is included as a Malicious Site in Rules > Threat Prevtion > Purewire Intelligce area. Edit the rule and either: Press the Ctrl key and click on the Malicious Sites option to deselect it, or Add the URL to the Whitelist in the Rules > Advanced > Exceptions area. Composite Rules The Compliance section of a rule allows you to combine URL Categories or Applications with Contt Types or File Extsions. This fine-grained control over which items on a web page are blocked is called a Composite Rule. In the URL Category area, click the caret symbol to expand the section, and th select the URL categories you want to restrict. Selecting any category displays more specific subcategories in list format. You can press the Shift key and select all subcategories, or press the Ctrl key to select specific subcategories. 
In the Applications area, click the caret symbol to expand the section, and then select the application types you want to restrict. Selecting any category displays specific applications in list format. You can press the Shift key and select all applications, or press the Ctrl key to select specific applications.

In the Image/Multimedia SafeSearch area, click the caret symbol to expand the section, and then select the search engines which need the SafeSearch feature activated.

In the File Extension area, click the caret symbol to expand the section, select the application types you want to restrict in combination with the URL Categories and Applications you selected for this rule, and then specify the delivery format you want to restrict for this rule. Selecting any category displays specific applications in list format. You can press the Shift key and select all applications, or press the Ctrl key to select specific applications. Select a radio button to specify that you want this rule to apply to Downloads, Uploads, or Both.

In the Content Type area, click the caret symbol to expand the section, select the file content types you want to restrict in combination with the URL Categories and Applications you selected for this rule, and then specify the delivery format you want to restrict for this rule. Selecting any category displays specific content types in list format. You can press the Shift key and select all content types, or press the Ctrl key to select specific content types. Select a radio button to specify that you want this rule to apply to Downloads, Uploads, or Both.

Whitelist and Blacklist of Websites

In the Exceptions area, type any domain names you want to always allow in the Whitelist box. Type one domain name per line; websites in the Whitelist box will always be allowed. You can use the * character within a domain name to indicate all.

In the Exceptions area, type any domain names you want to always deny in the Blacklist box.
Type one domain name per line; websites in the Blacklist box will always be denied. You can use the * character within a domain name to indicate all.

Schedules and Quotas

Schedule your rule to be enforced at set times on selected days by selecting Apply Rule for desired days and setting the times you want to Apply or Disable the rule. This gives you great flexibility in creating rules customized to different types of users (accounting personnel versus sales engineers, for example).

To limit users to a certain number of connections, transmitted bytes or time, click the appropriate Quota radio button, enter a number of units, and then select a time interval.

Actions on Violation of the Rule

In the Actions area, select one of the following:
- To display a message to users when they are blocked by this rule, select the Block checkbox, and then choose either the Default block page or a Custom block page displaying the Custom Block Page Contents you enter.
- To allow users to bypass a block page, select Bypass. Enter a Password, then give it to users who are allowed to bypass the page. You may choose to display the Default blocking text in this case, or choose Custom blocking text, which displays the Custom Block Page Contents you enter.
- To help users decide whether to bypass the page, select the Coach checkbox, and choose either the Default coaching text or select Custom coaching text to display the Custom Coach Page Contents you enter.

To use bypass or coaching on a request, Barracuda Web Security Service must know the identity of the user (using Barracuda Web Security Gateway, Barracuda Web Security Agent, or manually configured authentication) in order to track the session; if not identified, the user gets the regular block page.

Select the checkbox to configure an email message notification to specified addresses when a user has triggered this rule. You can customize the subject line and from name and address, and then type recipient addresses, separated by commas.
Select the Log checkbox if you want Barracuda Web Security Service to create a log entry every time a user triggers this rule.

When you are finished creating the rule, click Save Changes.

Editing Rules

In the Barracuda Web Security Flex Manager, click the Rules tab. Click on the name of the rule you want to edit. In the Rules Edit page, make your changes. When you are finished, click Save Changes.

Disabling or Deleting Rules

To disable or delete a rule:
- In the Barracuda Web Security Flex Manager, click the Rules tab.
- To disable the rule, select the Disable check box.
- To delete the rule, click the delete icon next to the rule in the Delete column. The Barracuda Web Security Flex Manager prompts you to confirm your choice.

Web Use Categories in the Barracuda Web Security Service

The Barracuda Web Security Service filtering uses one of the most extensive content definition databases, covering some of the highest risk websites on the Internet. The websites in the Barracuda Networks database are organized into 96 content categories (subcategories) which are grouped below by supercategories. When you create rules that block categories of websites, you can choose a supercategory to block, or you can drill down and block websites at the subcategory level. See Related Articles listed at the end of this article for details.

Bandwidth

Websites delivering content that can use large amounts of network resources.

Category: Criteria
- Streaming Media: Websites that provide streaming audio and video, or software and tools for streaming media.
- Streaming Radio/TV: Websites that provide streaming radio or TV.
- Advertisements & Popups: Websites that host or serve advertisements or provide software that serves advertisements.
- Media Downloads: Websites that provide downloads of music and video content in any format.
- Media Sharing: Websites that allow posting and sharing of music and video content in any format.

Commerce

Websites that contain business information or facilitate commercial transactions.

Category: Criteria
- Auctions & Classifieds: Websites that allow bidding and selling of items and services. Does not include non-selling related advertising.
- Business: Websites that provide business-related overview, planning and strategy information.
- Finance & Investment: Websites that provide financial information or access to online banking.
- Real Estate: Websites that provide residential and commercial property sales and rental information, listings and services.
- Shopping: Websites that sell goods and services, but not marketing or ordering websites for single products.
- Stock Trading: Websites that allow monitoring, purchase, or sale of stocks.

Communications

Websites that let users communicate through web browsers.
Category: Criteria
- Chat: Websites that provide Web-based messaging and chat rooms, including IRC and social networking chat functions.
- Peer-to-Peer: Websites that distribute file sharing software or allow the exchange of files between users.
- Web-based Email: Websites that enable sending, reading and archiving of email.
- Instant Messaging: Websites that provide instant messaging software such as instant messaging clients or chat clients that are not Web-based.
- Messaging: Websites that allow users to send and receive messages, e.g. SMS, MMS, voice mail, or FAX.
- Mobile Communications: Websites that provide support information for mobile communication devices.
- Online Meetings: Websites that enable multiple users to interact transparently with each other through messaging, audio or video connections.
- Web-based Telephony: Websites that enable voice communication over the Web.

Information

Websites that provide searching, general news and information, including business content.

Category: Criteria
- Education & Reference: Websites that provide academic information about schools or education related topics.
- Forums & Newsgroups: Websites containing user-generated Web logs, discussion forums or wikis.
- Government & Legal: Websites maintained by domestic and foreign government and military agencies.
- Health & Medicine: Websites that provide health and wellness material or information about health products and service providers.
- History: Websites that provide historical content.
- Job Search & Career Development: Websites that enable users to search for job openings and career opportunities, either with specific companies or job boards.
- Motor Vehicles: Websites containing information and marketing for cars, auto parts and services.
- News: Websites that contain general news information on a local, national and international level.
- Advocacy/NGO: Websites for groups that promote or defend specific causes.
- Religion: Websites that include content related to spirituality, religion, and philosophy.
- Moderated Forums: Websites monitored by an authority who can prevent posting of inappropriate material.
- Political Issues: Websites that contain opinion and political information, groups and discussions.
- Professional Networking: The subset of social networking websites which includes content intended exclusively for businesses or professionals.
- Public Information: Websites allowing search and access of the public records of people or organizations.
- Technical/Business Forums: Websites which allow discussions or posting of user-generated content related to business or technical development.
- Usenet News: Websites providing access to Usenet news groups or other bulletin boards.

Leisure

Entertainment and personal websites that are normally not business-related.

Category: Criteria
- Marketing & Merchandising: Websites that provide information about products and services not available on the Web.
- Blogs & Wikis: Websites allowing users to post content, edit and re-post frequently.
- Arts & Society & Culture: Websites that display art galleries, information about artists and ethnic and cultural heritage.
- Comics & Humor & Jokes: Websites containing comical or funny content.
- Entertainment: Websites providing information on theater arts, movies, concerts, tv, radio and other amusements, or about celebrities of those venues.
- Food & Dining: Websites with information, reviews, and online ordering for restaurants, bars, and catering.
- Game Playing & Game Media: Websites that provide video game information or enable the online playing of games.
- Hobbies & Recreation: Websites dedicated to recreational activities and hobbies, or organizations and businesses dedicated to recreation, such as amusement parks.
- Kids Sites: Websites that are family-oriented and geared toward children.
- Personals & Dating: Websites that enable users to meet and interact with each other for the purposes of dating or making friends.
- Social Networking: Websites that enable friends to interact and share information, but not for the purposes of dating.
- Sports: Websites with information and news about amateur and professional sports.
- Travel: Websites that provide information about travel destinations or allow online booking of travel plans.
- Digital Cards: Websites that enable the sending and receiving of digital postcards and greeting cards.
- Fashion & Beauty: Websites that provide information or products related to fashion and beauty.
- Hosted Personal Pages: Websites which allow users to design and post personal websites.

Liability
Users may be committing crimes or exposing the organization to legal liability with these sites.

Category: Criteria
- Criminal Activity: Websites that provide information on how to commit illegal activities, perpetrate scams or commit fraud.
- Illegal Drugs: Websites that provide information on the manufacturing or selling of illegal drugs or prescription drugs obtained illegally.
- Illegal Software: Websites that provide information about or downloads of pirated software.
- Academic Cheating: Websites that advocate or assist plagiarism or provide or sell questionable educational material.

Propriety

Websites that are intended for mature or adult users only.

Category: Criteria
- Text/Audio Only: Websites that contain text or audio only, but no pictures.
- Adult Content: These websites include content intended for legitimate reproductive science and sexual development educational material.
- Alcohol & Tobacco: Websites that promote or sell alcoholic beverages or tobacco products.
- Gambling: Websites that provide gambling odds and information or allow online betting.
- Intimate Apparel & Swimwear: Websites containing revealing images such as swimsuits and modeling, but not nudity.
- Intolerance & Hate: Websites encouraging bigotry or discrimination.
- Pornography: Any website that contains sexually suggestive, explicit or erotic content.
- Tasteless & Offensive: Websites portraying horror or perverse content.
- Violence & Terrorism: Websites encouraging, instructing, or portraying extreme violence to people or property.
- Weapons: Websites that contain information about making, buying, or obtaining any sort of weapons.
- Extremely Offensive: Websites containing content that is shocking, gory, perverse, or horrific in nature.
- Gambling Related: Websites providing information or promoting services, techniques or accessories related to gambling.
- Game/Cartoon Violence: Websites containing graphically violent animated content.
- Historical Opinion: Websites dedicated to subjective analysis of historical events, especially partisan or agenda-driven analysis.
- Incidental Nudity: Websites which include nude images because they are part of a broader category of art or education.
- Nudity: Websites containing bare images of the human body which are not suggestive or explicit.
- Profanity: Websites which contain excessive use of profanity or obscenities.

Security

Websites that are security risks or sources of malware, or that allow users to circumvent policies.

Category: Criteria
- Hacking: Websites that contain instructions and information for how to commit fraud or steal information through computer security vulnerabilities.
- Phishing & Fraud: Websites that are known to be distributed as links in phishing emails.
- Proxies: Websites that enable users to hide their browsing destinations, IP address, or username to avoid detection and bypass Web filters.
- Spam: Websites delivering unwanted or unsolicited electronic messages.
- Spyware: Websites that are accessed from spam message clicks, which distribute programs to gather user information, or covertly send information to third party websites.
- Proxy Utilities: Websites providing users with resources to help them avoid detection or bypass Web filters.
- Information Security: Websites that provide information about protecting personal or business data.
- Malicious Sites: Websites that provide or display content which intends harm to users or their computer systems.
- Suspicious Sites: Suspect websites whose malicious intent cannot be confirmed.

Technology

Websites that allow users to access search engines, portals and various technologies.

Category: Criteria
- Computing & Technology: Websites that provide technical support information, but not of a security nature.
- Content Server: Includes domains that host websites of other types and are often sources of security threats.
- Downloads: Websites that distribute copies of free and shared software.
- Parked Sites: For sale or expired websites that display links or advertisements.
- Visual Search: Websites that provide image searching and matching technology.
- Search Engines & Portals: Websites that aggregate disparate information or allow users to search across large amounts of data.
- Software/Hardware: Websites that provide access to software or hardware technology.
- Interactive Web Applications: Websites that provide access to groupware or interactive conference rooms.
- Online Services: Websites that provide access to Web-based services.
- Online Storage: Websites that allow the uploading of files and backups for remote data storage.
- Remote Access: Websites that provide access to resources from a remote location.
- Resource Sharing: Websites that allow posting and sharing of resources and downloads to a network of people.
- Technical Information: Websites that provide information on technical details of technologies.
- Translators: Websites that provide translation services.
- URL Redirectors: Websites that automatically forward the user from the requested URL to another URL.

Related Articles
- Creating Block and Accept Policies
- BLOCK/ACCEPT Order of Precedence - Barracuda Web Filter

Managing Content Filtering Services

The Barracuda Web Security Service provides various Content Filtering Services which you can configure and enable using the CONFIGURATION > Content Filtering Services page, including:
- Safe Browsing
- URL Blocking
- SSL Filtering

You can also configure the Failure Response of the following Content Filtering Services to Fail Open or to Fail Closed if the service becomes unavailable:
- Anti-Virus Protection
- Malware Protection
- URL Filtering

Configure Safe Browsing

For details on configuring Safe Browsing, refer to How to Configure YouTube for Schools.

Configure URL Blocking Global Settings

The Barracuda Web Security Service provides global settings governing URL Blocking which you can configure on the CONFIGURATION > Content Filtering Services > URL Blocking page. On a per rule basis, you can override the global block page setting by creating custom blocking messages; but if you do not configure custom block messages for a rule, these global settings will apply to any access blocked by that rule.

Block Page Selection: You can choose between displaying:
- a Default Global Block Page for all users who attempt access of blocked content, which contains the default blocking message indicating the category of the blocked content; or
- a Custom Global Block Page with a custom message you compose.
Save Blocking Changes after changing your selection.

Change Global Bypass Password: Enter a password which you can provide to users who need to bypass block pages.
After entering the bypass password, a user is allowed access to otherwise blocked content. Save Password Changes after setting the password.

Change Default Bypass Timeout (min): Enter the time in minutes, after which a bypass block page expires.

Change Default Coaching Timeout (min): Enter the time in minutes, after which a coaching block page expires. Save Timeout Changes after setting new timeouts.

Configure SSL Filtering

For details on configuring SSL Inspection, refer to Using SSL Inspection with the Barracuda Web Security Service.

Configure Failure Response for Services
You can configure how the Barracuda Web Security Service responds to a filtering service being unavailable using the following CONFIGURATION > Content Filtering Services Configure pages:
- URL Configure: Select Fail Open (Recommended) to allow all traffic, or Fail Closed to block all traffic if URL Filtering is not possible.
- Virus Configure: Select Fail Open (Recommended) to allow all traffic, or Fail Closed to block all traffic if Virus checking is not possible.
- Malware Configure: Select Fail Open (Recommended) to allow all traffic, or Fail Closed to block all traffic if Malware checking is not possible.

Generating Reports

In This Section
- How to Use Immediate Reports
- How to Use Scheduled Reports

How to Use Immediate Reports

In this article:
- Output Options
- Creating an Immediate Report
- User Report Types
- User Browsing Activity Report
- User Browsing Summary Report

The Barracuda Web Security Service Manager contains numerous reports that help you analyze current data about your organization's web traffic, and about viruses and malware blocked by the Barracuda Web Security Service.

Output Options

You can view Immediate Reports on demand or export them in the following formats:
- CSV: Displays the report in spreadsheets
- HTML: Displays the report as a web page
- PDF: Displays the report in document format
- XML: Used as an input for web browsers and reporting tools
- PRINT: Prints the report view you selected

Creating an Immediate Report

Manage reports for the Barracuda Web Security Service by accessing your Barracuda Cloud Control login. To create an immediate report:

If you are not already in the Barracuda Web Security Service Manager interface, click the Barracuda Web Security Service icon at the top of the Barracuda Cloud Control login screen. The Barracuda Web Security Service Manager interface appears in the screen.

In the Barracuda Web Security Service Manager, click the Reports tab. The Immediate Report Settings page appears.

Choose the category for which you want to report.
Select one or more report(s) from the list, and then select the time period you want the report to cover. You can create a comprehensive report by using the Shift key to select ALL reports.

Both the Show Chart and Show Table checkboxes are selected by default. You can deselect one of them if you want the report to focus on the other.

If you chose one of the Top instances reports, use the Top drop-down to choose the number of instances you want the report to include.

Click one of the output buttons to display the report in the format you choose or save it to another location.

Unknown users appear as username None, Unknown, or a blank Username field in logs and reports. Authenticate all traffic through a Barracuda Web Security Gateway or Remote client software to ensure meaningful user reporting.
User Report Types

There are two types of user reports:
- User Browsing Activity
- User Browsing Summary

The User Browsing Activity and User Browsing Summary reports provide different presentations of the same data, so the totals will rarely match when you compare these reports for a given user over an identical time period. The Activity report is a detailed list of every individual domain request that a user made, grouped by category; the Summary report presents how much total time a user spends surfing the web each day.

Some user browsing times may appear bloated, because sites with very heavy content can have duplicate times reported. For example, if a user visits cnn.com and this site pulls content from 5 different domains, the Browsing Activity report lists all 5 domains during the same time period. In this example, two minutes of browse time may appear as 10 minutes on this report (two minutes for each of five different domains).

User Browsing Activity Report

The User Browsing Activity report is a detailed list of every individual domain request that a user made, grouped by category. Data for this report are collected from the Forensics page (on the CONFIGURATION tab). Some data is estimated, because browse times are determined using a start and end time for each domain visited. If the same domain is visited within a 1 minute window, then the end time for that domain is extended. If the same domain is visited outside this 1 minute window, then another entry with a new start and end time is recorded. Entries are then totaled to provide a total time for each domain.

User Browsing Summary Report

The User Browsing Summary report presents how much total time a user spends surfing the web each day by using web requests/connections.
Because it reflects actual time spent on the Internet, it must account for activities that occur in the background without the user initiating new requests, such as:
- having multiple tabs or web browsers open at the same time,
- web ads that constantly auto-update, and
- webmail or streaming media sites that constantly refresh as long as the web browser window is open.

In order to more accurately reflect user behavior vs. auto-generated web traffic, this report does not include these overlaps and background activities. Using the example above (cnn.com), the browse time in the report will be recorded as 2 minutes regardless of:
- The number of domains visited/requested during this 2 minute window
- The number of tabs open
- Any streaming media that happens to be playing at the same time

User Browsing Reports are available in PDF only, because they can reach considerable size and affect the performance when viewed in the web browser.

How to Use Scheduled Reports

In this article:
- Viewing and Editing Existing Reports
- Creating a Scheduled Report
- Configuring Traffic Reports
- Configuring User Browsing Reports
- Deleting a Scheduled Report
- Editing a Scheduled Report
- Report Descriptions

Manage reports for the Barracuda Web Security Service by accessing your Barracuda Cloud Control login. You can schedule reports to run automatically at regular intervals you choose, such as at the conclusion of mandatory reporting periods. You can configure Barracuda Web Security Service Manager to email scheduled reports (in .pdf format) to groups or individuals.

Viewing and Editing Existing Reports

Select the REPORTS tab, then select Scheduled to view a list of all currently scheduled reports. To edit an existing report, click the report's name.

Creating a Scheduled Report

In the Barracuda Web Security Service Manager, click the REPORTS tab, and then click Scheduled.

Click Add New. The Scheduled Report Settings page appears.

Enter a Name for the report.

Select the time Period you want to report on.

Select a Delivery Schedule to control how frequently the Barracuda Web Security Service Manager creates the report.

Select whether you want the report to cover all users or a group of users. If you choose Group, the Barracuda Web Security Service Manager displays a text box for you to define which groups you want to cover.

If you configured the Barracuda Web Security Service to integrate with your existing directory service, rather than defining local groups in the Barracuda Web Security Service Manager, you must add the group names on the CONFIGURATION > Group Management page to use them here for group-based reporting.

Enter the addresses of report recipients in the To Addresses field.

Choose the reports you want to generate by clicking the caret(s) to expand the Traffic Reports and User Browsing areas. You can select one or more Traffic Report(s) and/or User Browsing reports within the same schedule. See below for additional configuration instructions for each section.

When you are finished, click Save.

Group-based scheduled reports are available only for User Browsing reports.

Configuring Traffic Reports

Both the Show Chart and Show Table checkboxes are selected by default. You can deselect one of them if you want the report to focus on the other. If you chose one of the Top instances reports, use the Top drop-down to choose the number of instances you want the report to include.
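The gap between User Browsing Activity and User Browsing Summary totals described under User Report Types can be reproduced from raw request timestamps. The following is an added example, not Barracuda code: the request tuples, the function names and every domain other than cnn.com are constructed, and computing the Summary total as the union of overlapping entries is an assumption about how overlaps are excluded.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Same-domain revisit window from the Activity report description (1 minute).
WINDOW = timedelta(minutes=1)


def build_entries(requests):
    """Turn (timestamp, domain) requests into per-domain [start, end] entries.

    A request to a domain within WINDOW of that domain's current end time
    extends the entry; a later request opens a new entry. In this model a
    lone request yields a zero-length entry (assumption).
    """
    entries = defaultdict(list)
    for ts, domain in sorted(requests):
        spans = entries[domain]
        if spans and ts - spans[-1][1] <= WINDOW:
            spans[-1][1] = ts          # extend the end time
        else:
            spans.append([ts, ts])     # new start and end time
    return entries


def activity_seconds(entries):
    """Activity-style totals: each domain's entries are summed on their own."""
    return {
        domain: sum((end - start).total_seconds() for start, end in spans)
        for domain, spans in entries.items()
    }


def summary_seconds(entries):
    """Summary-style total: time covered by overlapping entries counts once."""
    spans = sorted(s for domain_spans in entries.values() for s in domain_spans)
    total = 0.0
    cur_start = cur_end = None
    for start, end in spans:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds()
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds()
    return total


def sample_requests():
    """Constructed sample: one page pulling content from 5 domains for 2 minutes."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    domains = ["cnn.com", "cdn-a.example", "cdn-b.example",
               "ads.example", "video.example"]
    reqs = [(t0 + timedelta(seconds=s), d)
            for d in domains for s in range(0, 121, 30)]
    # Return visit to cnn.com 8 minutes after its last request: a new entry.
    t1 = t0 + timedelta(minutes=10)
    reqs += [(t1, "cnn.com"), (t1 + timedelta(seconds=30), "cnn.com")]
    return reqs


if __name__ == "__main__":
    entries = build_entries(sample_requests())
    per_domain = activity_seconds(entries)
    for domain, secs in sorted(per_domain.items()):
        print(f"{domain:15s} {secs / 60:5.1f} min")
    print(f"Activity total  {sum(per_domain.values()) / 60:5.1f} min")
    print(f"Summary total   {summary_seconds(entries) / 60:5.1f} min")
```

When reviewing a user's browsing time for an investigation or an acceptable-use case, compare against the Summary figure; the per-domain Activity figures are useful for seeing which domains were contacted, not for adding up time.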
Configuring User Browsing Reports

Choose between Summary view, which provides an overview of activity, and Activity view, which examines activity data in greater detail.

Deleting a Scheduled Report

In the Barracuda Web Security Service Manager, click the REPORTS tab, and then click Scheduled. Select the Delete checkbox next to the report(s) you want to delete. Click Delete Selected.

Editing a Scheduled Report

In the Barracuda Web Security Service Manager, click the REPORTS tab, and then click Scheduled. Select the report you want to edit. Make your changes, and then click Save.

Report Descriptions

The following table lists the reports shipped with Barracuda Web Security Service Manager and provides brief descriptions of their contents. Use the instructions in the preceding sections to generate an Immediate report or schedule a report to run automatically.

Report: Description
- Protocol Bytes In: Incoming byte totals for a time period you specify, broken out by protocol. Example protocols are HTTP, HTTPS, and FTP.
- Protocol Bytes Out: Same as above, but bytes outgoing.
- Protocol Connections: Number of connections per time, broken out by protocol.
- Top Applications Blocked: Most frequently blocked Applications and the number of times each has been blocked.
- Top Blocked Categories: Most frequently blocked Categories and the number of times each has been blocked.
- Top Blocked Viruses: Most frequently blocked virus programs and the number of times each has been blocked.
- Top Categories Bytes In: Top categories of incoming web traffic, measured in bytes.
- Top Categories Bytes Out: Top categories of outgoing web traffic, measured in bytes.
- Top Categories By Time: Top categories of web traffic, based on time spent surfing.
- Top Categories Connections: Top categories of web traffic, measured in number of connections.
- Top Sites: Top requested websites. Shows number of requests per site. All pages within a site are included.
- Top Sites By Time: Top sites visited, based on time spent surfing.
- Top Users - Application Blocks: Shows who is causing the most blocked Applications and the number of times each has been blocked.
- Top Users - Bytes In: Top users, measured in bytes in and broken out by protocol. Example protocols are HTTP, HTTPS, and FTP.
- Top Users - Bytes Out: Top users, measured in bytes out and broken out by protocol. Example protocols are HTTP, HTTPS, and FTP.
- Top Users - By Time: Top users based on time spent surfing.
- Top Users - Connections: Top users based on number of connections made out to the Internet.
- Top users by Malware Blocked: Shows who is causing the most Malware to be blocked and the number of blocks.
- Top users by Virus Blocked: Shows who is causing the most viruses to be blocked and the number of blocks.
- Total traffic Bytes In: Total amount of incoming traffic for all protocol types, measured in bytes.
- Total traffic Bytes Out: Total amount of outgoing traffic for all protocol types, measured in bytes.
- Total traffic - Connections: Total amount of outgoing traffic for all protocol types, measured in connections.
- User Browsing Activity Report: Detail data on browsing activity of a specific user.
- User Browsing Summary: Data on browsing activity of a specific user, rolled up to summarize overall activity and trends.

Monitoring Barracuda Web Security Service Activity

In this article:
- Using the Dashboard
Activity tab: Overall look at traffic and top access types.
Security tab: Blocked traffic.
Global tab: Cross customer traffic profile.
Forensics

Using the Dashboard

The Dashboard is the landing page when you log into the Barracuda Web Security Service Manager. It graphically displays up-to-date information about blocked connections, viruses, malware, and applications. By clicking on or flying over some graphics, you can see additional details. The Dashboard displays data cached over the past hour. It has three tabs, each with a specific data focus.

Activity tab: Overall look at traffic and top access types.
- Total Traffic
- Activity by Supercategory
- Top Users
- Top Applications
- Top File Types
- Top Sites

Security tab: Blocked traffic.
- Blocking Activity
- Blocks By Category
- Top Users By Blocks
- Top Application Blocks
- Top Malware Blocks
- Top Virus Blocks

Global tab: Cross customer traffic profile.
- Global Traffic
- Global Blocking Activity
- Global Activity By Supercategory
- Global Blocks By Category
- Global Top Application
- Global File Types

Forensics

The Forensics page (on the Reports tab) displays information about every action taken by the URL filtering, Anti-Virus, and Anti-Malware engines. You can use this information to analyze the behavior of specific users, user groups, or the filtering engines themselves. By default, all transactions are displayed. You can:
- Sort columns by clicking on their headings.
- Choose how many entries to show.
- Click the date link to show detailed request and response data for the record.
- If applicable, click the username link to display the groups to which the user belongs.

If the Forensics page displays no information initially, adjust and apply new filter settings to display data. Initially, only the last 15 minutes of web activity are displayed.

Administering the Barracuda Web Security Service
In This Section
Administrators and Role-based Administration
Important Web Security Service Update - September 2013
Key Management
Setting the System Time Zone

Administrators and Role-based Administration

Role-based Administration is available in firmware 4.0 and higher.

Each Barracuda Web Security Service account has a primary Administrator who initially establishes the account and has unlimited access to users (including administrators), groups, rules and reports. Using Role-based Administration, this administrator can create additional administrators and associate them with roles which have privileges appropriate to the role. In addition, some Administrator roles allow you to restrict administrative privileges only to specified groups of users. (To restrict privileges to specific groups and users, users and groups must be configured. Refer to Authentication with the Barracuda Web Security Service.)

Role Types

An administrator must be assigned one of the following roles:
- Administrator: able to view, add, edit and delete other users (including Administrators), groups, group members, rules, and reports. Cannot be restricted by groups.
- Audit: able to view all users, groups, group members, rules, and reports. Cannot add, edit, or delete anything. Cannot be restricted by groups.
- Manage: able to create rules, and view or schedule reports. Can be restricted to specific groups. Cannot create new groups, but can add rules or reports specific to restricted groups only.
- Monitor: able to view and schedule reports. Can be restricted to specific groups. Privileges only apply to specified groups.
- Support: able to create rules. Can be restricted to specific groups. Privileges apply only to specified groups.

All of the roles can view the Dashboard. The Manage, Monitor, and Support roles can only view dashboard items pertinent to the groups they can access.
All roles can view all rules, but can only add, edit, disable, or delete rules which apply only to groups to which they are restricted.

An administrator is added with full access to all users, but administrator access can be limited using the steps described in Editing and Limiting Access of an Administrator.

To add an administrator:
- Log in as described in How to Log into your Barracuda Cloud Control Account.
- Navigate to Account/Support.
- Select Set up and manage users.
- Select Add User.
- Provide the following information for your new user: Name, Privileges, Starting Page.
- Select Web Security Service under Product Entitlements.
- Save. The new Administrator appears in the left All Users pane of the Account > Users tab.

Editing and Limiting Access of an Administrator

Click on the Barracuda Web Security Service icon to continue configuration of the newly added administrator. You can edit an administrator to change the Display Name, select a Role, or restrict access of an administrator to specified groups.

To edit an Administrator:
- The CONFIGURATION > Administrators page displays all current administrative users for your account.
- Select the Administrator to edit. The Edit Administrator page appears.
- You may enter a Display name or select a Role for the Administrator. Administrator and Audit Roles do not allow limiting access to groups.
- If your administrator role is Manage, Monitor, or Support, you can limit access by selecting Limit Access To Groups and selecting Add New Groups. You can add groups one at a time that you wish to allow this administrator to view, add, edit or delete. The administrator will not be allowed access to members of any other groups.
- Save Changes. Your changes appear for the Administrator you edited. The groups the administrator can access are listed on the Edit Administrator page.

Warning: Do not remove the primary Administrator account or the administrator account you are currently logged in to.

Important Web Security Service Update - September 2013

While most Barracuda customers use a hostname such as ple7.flex.purewire.com, for example, for their Barracuda Web Security Service proxy server setting, some may still be using hardcoded static IP addresses. If you are using a static IP address for your proxy server setting, please change the proxy server address to pools.flex.barracuda.com immediately to avoid service interruption.

These IP subnets will no longer be active to the Web Security Service by September 23rd, 2013: / /24

Only customers using Forward Proxy deployments using any IP in the subnet mentioned above will be affected. Web Security Agent users and Web Security Gateway users will NOT be affected. Users with Forward Proxy settings in their browsers using hostnames will also NOT be affected. Some common hostnames used by customers in the past are listed below, and these will continue to work:

Several methods are presented here to change the proxy settings.

Manual Proxy Configuration

The process is generally explained in How to Manually Configure Proxy Settings. For example, to change any IP address-based proxy host to pools.flex.barracuda.com, using Internet Explorer:
1. Open Internet Options.
2. Click on the Connections tab.
3. Open the LAN settings section.
4. In the Proxy Server section, change any statically allocated address assignment to pools.flex.barracuda.com.

Figure: Hardcoded IP address for proxy server address (incorrect)
Figure: Hostname 'pools.flex.barracuda.com' for proxy server address (correct)
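To find hardcoded IP proxy settings across many machines rather than one dialog at a time, the check can be scripted. The following is an added example, not part of the Barracuda documentation: it assumes you have exported each machine's Internet Explorer proxy string (the WinINET ProxyServer value, in either "host:port" or "protocol=host:port;..." form); the machine names, the 192.0.2.x and 2001:db8:: addresses and port 8080 are constructed sample values.

```python
import ipaddress

# Hostname the update notice tells forward-proxy customers to switch to.
RECOMMENDED_HOST = "pools.flex.barracuda.com"


def split_host_port(endpoint):
    """Split 'host', 'host:port', '[v6]:port' or 'scheme://host:port'."""
    endpoint = endpoint.strip()
    if "://" in endpoint:                      # drop an optional scheme prefix
        endpoint = endpoint.split("://", 1)[1]
    endpoint = endpoint.rstrip("/")
    if endpoint.startswith("["):               # bracketed IPv6 literal
        host, _, rest = endpoint[1:].partition("]")
        return host, rest[1:] if rest.startswith(":") else ""
    if endpoint.count(":") == 1:               # hostname or IPv4 with a port
        host, port = endpoint.split(":")
        return host, port
    return endpoint, ""                        # bare host or unbracketed IPv6


def parse_proxy_server(value):
    """Parse a ProxyServer string into a list of (protocol, host, port)."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                        # per-protocol form: http=host:port
            proto, endpoint = part.split("=", 1)
            proto = proto.strip().lower()
        else:                                  # single proxy for all protocols
            proto, endpoint = "all", part
        host, port = split_host_port(endpoint)
        entries.append((proto, host, port))
    return entries


def is_ip_literal(host):
    """True when the proxy host is an IPv4 or IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(value):
    """Return the entries whose proxy host is a hardcoded IP address."""
    return [e for e in parse_proxy_server(value) if is_ip_literal(e[1])]


def rewrite(value, new_host=RECOMMENDED_HOST):
    """Replace every IP-literal proxy host with new_host, keeping the port.

    Entries that already use a hostname are kept; scheme prefixes are dropped.
    """
    out = []
    for proto, host, port in parse_proxy_server(value):
        if is_ip_literal(host):
            host = new_host
        endpoint = f"{host}:{port}" if port else host
        out.append(endpoint if proto == "all" else f"{proto}={endpoint}")
    return ";".join(out)


def audit_inventory(inventory):
    """Map machine name -> offending entries, for machines that need a change."""
    findings = {}
    for name, value in inventory.items():
        bad = audit(value)
        if bad:
            findings[name] = bad
    return findings


# Constructed sample inventory (machine name -> exported ProxyServer string).
SAMPLE_INVENTORY = {
    "ws-001": "192.0.2.10:8080",
    "ws-002": "pools.flex.barracuda.com:8080",
    "ws-003": "http=192.0.2.10:8080;https=ple7.flex.purewire.com:8080",
    "ws-004": "http://[2001:db8::5]:8080",
}

if __name__ == "__main__":
    for machine, bad in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(machine, "hardcoded:", bad, "->", rewrite(SAMPLE_INVENTORY[machine]))
```

Machines that already point at a hostname produce no finding; the rewritten string is a suggestion to review before it is rolled out through the manual, Group Policy or PAC method.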
Group Policy Method

If you are using Group Policy Management to roll out proxy settings, see How to Configure Proxy Settings Using Group Policy Management.

PAC + WPAD Method

See How to Configure Proxy Settings Using PAC Files and WPAD.

Hostnames For the Proxy Server Address

Common hostnames which can be used for the proxy server address include:
pools.flex.barracuda.com
pxy.flex.barracuda.com
pxy.atl.flex.barracuda.com
pxy.fra.flex.barracuda.com
pxy.lon.flex.barracuda.com
pxy.nrt.flex.barracuda.com
pxy.orf.flex.barracuda.com
pxy.sin.flex.barracuda.com
pxy.sjc.flex.barracuda.com
atl.flex.purewire.com
mi.flex.purewire.com
orf.flex.purewire.com
ple7.flex.purewire.com
proxy.flex.purewire.com
rzc.flex.purewire.com
sjc.flex.purewire.com
lonproxy.purewire.com
pleproxy.purewire.com
pleproxy.purewire.com
ple5.proxy.purewire.com
ple7.proxy.purewire.com
poolproxy.purewire.com

Key Management

Keys, which attach user information to web traffic, are used to control and manage access to Barracuda Web Security Flex. You can manage keys in the following ways:
- Create keys for Barracuda Web Security Gateway or Barracuda WSA to enable them to work with the Barracuda Web Security Flex.
- Edit keys if you want to change their names.
- Enable/disable keys to turn Barracuda Web Security Gateway or Barracuda WSA on or off using Barracuda Web Security Flex. For example, you might want to temporarily disable a Barracuda Web Security Gateway while changes are made to a portion of a network.
- Delete keys. Any IP address, Barracuda WSA or Barracuda Web Security Gateway that had been using the key will require a new key to function.

Creating and Editing a Key

Manage authentication keys for Barracuda Web Security Flex by accessing your Barracuda Networks customer login account.

To create a key:
1. If you are not already in the Barracuda Web Security Flex Manager interface, click the Web Security Flex icon at the top of the Barracuda Networks customer login account screen. The Barracuda Web Security Flex Manager interface appears in the screen.
2. Log in to the Barracuda Web Security Flex Manager.
3. Select the CONFIGURATION tab, and then click Key Management.
4. Click Add New Key.
5. Enter a key Name. Consider using intuitive names, for example, New York office Gateway.
6. Choose a key Type:
   Choose Barracuda Web Security Gateway/Web Security Agent if this key is for a Barracuda Web Security Gateway or if you are installing Barracuda Web Security Agent.
   If you are creating this key for initial setup of a Barracuda Web Security Gateway, copy the key, and then paste it onto the Keys tab in the Barracuda Web Security Gateway interface.
   If you are creating the key to install the Barracuda Web Security Agent software, copy it and paste it into the Barracuda Web Security Agent installer.
   Choose IP Address if you are creating a key that allows traffic from a specific IP address to connect to and use Barracuda Web Security Flex.
7. Click Save.

To edit a key:
1. In the Barracuda Web Security Flex Manager, click the CONFIGURATION tab, and then click Key Management.
2. Click the name of the key you want to edit. The Key Management Editing page appears.
3. Make changes to the key Name or Type. You can copy the key data, but do NOT make any changes to it. Use the checkboxes to make any of the following changes:
   Select Enable to enable a key and allow any IP address or Barracuda Web Security Gateway using that key to access the Barracuda Web Security Flex.
   Clear the Enable checkbox to prevent any IP address or Barracuda Web Security Gateway using that key from accessing the Barracuda Web Security Flex.
   Select Delete to delete the key. Any IP address or Barracuda Web Security Gateway that had been using the key will require a new key to function.
4. Click Save.

Setting the System Time Zone

The system time zone setting affects filtering, logging and reporting. To create web use rules that restrict activity based on time-of-day, to ensure the correct time is logged and reported by Barracuda Web Security Flex, and to create meaningful reports (which cover time periods starting and ending at midnight) you need to select a time zone setting for the Barracuda Web Security Flex. To do so, log in to your Barracuda Networks Account.

To set the time zone:
1. In the Barracuda Web Security Flex Manager, on the CONFIGURATION tab, select Time Zone. The Time Zone page displays the current setting.
2. To change the time zone, select a Region, and then select the specific location in that region.
3. Click Save.
Advanced Configuration

In this Section

For more advanced configuration options, read the following articles:
Barracuda Safe Browser Setup Guide - With the Barracuda Web Security Service
How to Configure YouTube for Schools

Barracuda Safe Browser Setup Guide - With the Barracuda Web Security Service

In this article:
Basic Setup in the Barracuda Web Security Service
Basic Setup of the iOS Mobile Device
Managing the Application in iOS
The Default browser
Creating shortcuts to web pages on the device home screen
Authentication
Managing Filtering Options
Managing Devices

Related Articles
Barracuda Safe Browser - FAQ
Barracuda Safe Browser User Guide

If you have a Barracuda Web Security Service Account, you can deploy and use the Barracuda Safe Browser on mobile devices. If you don't have an account, see Create a Barracuda Cloud Control Account to create one. The Barracuda Safe Browser supports iOS 4.3 and higher.

Basic Setup in the Barracuda Web Security Service

The Barracuda Safe Browser provides the same functionality as iOS browsers, but it's integrated with the Barracuda Web Security Service. There are two ways to provision the Barracuda Safe Browser.

Option 1 - Provision devices from within the Barracuda Web Security Service:

If you don't know the external IP address of your Wi-Fi network, leave the IP address field blank on the REMOTE FILTERING > Safe Browser > Provisioning page. Go ahead and create a Shared Secret.

- Log into your Barracuda Web Security Service account and navigate to the REMOTE FILTERING > Safe Browser > Provisioning page.
- Click Add IP and enter a Location (ex: Finance, Student Housing, London Office) and the external IP address of your Wi-Fi network. This IP address will be used by the Barracuda Web Security Service to identify a device or group of mobile devices managed by this account.
- Select Enabled or Disabled for this IP address. Click Add.
- Click Add to provision this IP address. The first time a user logs into the Barracuda Safe Browser from their device, provisioning will be automatic.
- See Authentication below to configure LDAP authentication for users.

Option 2 - If you don't know the external IP address of your Wi-Fi network, or if users will launch the browser from outside the network:

- Give your users the Provisioning Key and Shared Secret.
- The first time a user launches the Barracuda Safe Browser on their device, they will be prompted to enter the Provisioning Key and Shared Secret to provision the device.
- See Authentication below to configure LDAP authentication for users.
Basic Setup of the iOS Mobile Device

- From within your Wi-Fi network, launch the Safari browser on your iOS device and visit the iTunes App Store to fetch the Barracuda Safe Browser application. When the application has downloaded, you'll see the Safe Browser icon on the display.
- From within the organization's Wi-Fi network, run the Barracuda Safe Browser. You will see a popup that says "Device Provisioned". If you see an error message instead, check to make sure that you have entered the external IP address for your network in the Barracuda Web Security Service as described above.
- Enable Restrictions for the Safari browser locally on the device through Settings > Restrictions, or using an MDM or Apple Configurator. Once the local browser is restricted, the icon for that browser will disappear from the UI on the mobile device, and the user is ready to run Barracuda Safe Browser with policies you've configured in the Barracuda Web Security Service.

Your Barracuda Web Security Service policy will now be applied to all traffic from the Barracuda Safe Browser and will be reflected in reports.

Managing the Application in iOS

The Default browser

You cannot make the Barracuda Safe Browser the default browser. This is because iOS does not allow changing the default browser. You can restrict Safari as described above, and then use an alternate browser like the Barracuda Safe Browser. However, links from emails, social media feeds and other apps will need to be copied and pasted to the address bar.

View Bookmarks: From the Bookmarks button at the bottom of the iOS display, you can view bookmarks provisioned to the device by the Barracuda Web Security Service as well as the bookmarks added by the user.
From the Settings button in the Barracuda Safe Browser you can:
- Change the Home Page of the browser
- Change the default Search Engine
- Set the browser to either request web sites rendered for desktops or for mobile devices
- Accept Cookies
- Set Private Browsing to On or Off. Setting to On means that neither the browsing history nor cookies will be saved/stored.
- Clear History
- Clear Cookies and Data
- Log Out
- Touch About to see: Username, Host name, Authentication Key, Device ID, Provisioned To, and Version

Creating shortcuts to web pages on the device home screen

While you cannot create shortcuts from the Barracuda Safe Browser, you can create shortcuts with the Apple Configurator tool that contain a URL that starts with bsb:// e.g. bsb:// This link, for example, would launch a shortcut into the Barracuda Safe Browser. These shortcuts can be pushed out to devices via an MDM or a mobile config file.

Authentication

On the REMOTE FILTERING > Safe Browser > Provisioning page, configure the following settings:

Session Authentication: If you want to require users to log in with LDAP credentials before browsing, select Forced Authentication. Selecting Optional Authentication will give the user the choice of either logging in and browsing with assigned policies, or browsing as a guest under a different set of policies. Select None if you don't want the user to be presented with a log in option; the user will only browse as a guest. Use the REMOTE FILTERING > Authentication page to configure your authentication server. The only required settings are IP address, Server Alias, Port and UID Attribute.

Note: If you configure LDAP authentication in the Barracuda Web Security Service for your Barracuda Safe Browser users, you can apply user-specific policies for each mobile user. Otherwise you can only apply global policies to all mobile users.
To configure LDAP authentication, you'll need to expose your LDAP server to the Internet by port forwarding from your Barracuda Web Security Service external IP address to port 389 (non-secure) or port 636 (secure) for your LDAP server. Currently the Barracuda Web Security Service supports Microsoft Active Directory. Only one authentication server can be configured.

Session Timeout: If you have configured LDAP authentication for your mobile users, use this setting to specify the amount of time, in minutes, that is allowed to elapse before a user's login expires and re-authentication is required. To disable session expiration (so that a session does not expire until the user logs off), set this value to 0 hours or minutes. The recommended setting is 24 hours.

Idle Timeout: If you have configured LDAP authentication for your mobile users, use this setting to specify the amount of time, in minutes, that a user's session is allowed to remain idle before that login session automatically expires. To disable session expiration based on idle time, set this value to 0 hours or minutes. The recommended setting is 8 hours.

Managing Filtering Options

On the REMOTE FILTERING > Safe Browser page, configure the following settings:

Bypass Password: Creating a password means that the user (or the administrator of the mobile device) can enter it to bypass all filtering by pressing the Bypass action button on their mobile device.

Bypass Filter: Enter any IP addresses that you want to bypass filtering by the Barracuda Web Security Service.

Fail Open: Set to Yes if you want the Barracuda Safe Browser to allow all web requests if the mobile device cannot reach the Barracuda Web Security Service for some reason. Setting to No means that all requests would be blocked in that case.

Enable Geolocation: Setting to Yes means that the last location from which the user of the device logged in, or that the settings were synchronized, will be displayed in the Barracuda Web Security Service.
If this feature is enabled, then on the Remote Filtering > Safe Browser > Last Seen Devices page, you'll see the username, the domain, the Device ID, the IP address, the last-seen location and time/date that the user last made a web request. This feature is useful for locating lost or stolen devices.

Allow Temporary Bypass Filtering: Enabling this feature allows the administrator or user to temporarily bypass filtering by the Barracuda Web Security Service for up to 5 minutes, at which point filtering automatically resumes. If you are connecting from an Internet cafe or hotel portal, for example, and need to temporarily disable the Barracuda Safe Browser to be connected to that network, this provides a 5 minute period in which to do so. Only 3 temporary bypasses are allowed once the Barracuda Safe Browser is installed. The Bypass Password, configured per above, is not required.

Allow Bypass Filtering: Users who have administrative rights on their mobile devices can bypass filtering indefinitely in their Barracuda Safe Browser. The Bypass Password, configured per above, is required.

Managing Devices

From the REMOTE FILTERING > Safe Browser > Last Seen Devices page you can view the last logged activity from any mobile device running the Barracuda Safe Browser, including the Domain, Username, Device Type/OS, MAC Address, IP Address, Location and Date/Time Last Seen.

How to Configure YouTube for Schools

This feature applies to the Barracuda Web Security Service 4.1 and higher.

You can create your own school account for access to YouTube EDU content as well as a customized playlist of videos, viewable only within your own school network. Learn more about YouTube for Schools by visiting YouTube for Schools. For educational institutions wishing to use YouTube For Schools filtering, you must configure your YouTube account and your Barracuda Web Security Service to use this feature.

The following steps configure your YouTube account so Barracuda Web Security Service can use YouTube for Schools:
- Log into your YouTube.com account and sign up for YouTube for Schools here:
- YouTube.com will provide you with a security token, or unique ID, which is a string of characters. Save this string, which you will need to supply when you configure your Barracuda Web Security Service to use YouTube for Schools. All outgoing traffic to YouTube.com from Barracuda Web Security Service will include a custom HTTP header which identifies your school's network.

The following steps configure your Barracuda Web Security Service account to use YouTube for Schools:
- On the CONFIGURATION page, select Content Filtering Services, then the Safe Browsing page.
- Enable YouTube for Schools, then enter the saved security token in the YouTube Header Code text box.
- Save Changes.

Remote Filtering for Offsite and Mobile Users

Remote Filtering enables your IT department to provide and control content security beyond the perimeter of the IT infrastructure.
For satellite offices, remote and mobile workers, and students, the Remote Filtering feature allows secure web browsing access, from any computer or iOS device and any location, that complies with the web access and security policies of the organization. Remote Filtering is also available with the Barracuda Web Filter 410 and higher.

Three options give you flexibility in how you protect your remote and mobile users online:

Filter traffic from remote Windows laptops and desktops: Deploy the Barracuda Web Security Agent (WSA) on each remote desktop or laptop and proxy all web traffic over the Internet to the Barracuda Web Security Service, which can monitor web traffic and apply web security policies. Also available with the Barracuda Web Filter.

Filter traffic from iPhones and iPads: Deploy and use the Barracuda Safe Browser on iOS mobile devices in place of the native browser, applying the same security policies as those applied by the Barracuda Web Security Service to other users in the rest of your network. Also available with the Barracuda Web Filter.

Limited Warranty

Barracuda Online Services License and Warranty

READ THIS AGREEMENT CAREFULLY. Barracuda Networks, Inc. will provide Barracuda Networks Products or Services to you only if you accept all of these terms and conditions, the Barracuda Networks Privacy Policy, as well as any operating rules, policies, price schedules, and other supplemental documents published by Barracuda Networks from time to time, all of which are incorporated herein by reference (collectively, "License and Warranty" or "this Agreement"). BY DOWNLOADING OR USING THE BARRACUDA NETWORKS PRODUCTS AND SERVICES, YOU ARE AGREEING ON BEHALF OF THE ENTITY USING THE BARRACUDA NETWORKS PRODUCTS AND SERVICES THAT YOU WILL BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT AND THAT YOU HAVE THE AUTHORITY TO BIND THE ENTITY.

Definition of Terms

1 "Barracuda Networks", "we", "us", or "our" mean Barracuda Networks, Inc. and its subsidiaries.
2 "You", "yourself", "user", "subscriber", "client", and "you" refer to the individual or legal entity registering for or using the Barracuda Networks Products or Services.
3 "Barracuda Networks Products or Services" means data backup services, web filtering and security services, websites (including without limitation, backup.barracuda.com, and control.barracuda.com), hardware, all other documentation, features, tools, Barracuda Networks Software or Hardware, and any other products or services provided by Barracuda Networks or its authorized agents, distributors, and licensees.
4 "Barracuda Networks Software or Hardware" means software or hardware provided or sold to you or for your use by Barracuda Networks. "Barracuda Networks Software" means the software licensed for your use located on Barracuda Networks Hardware or for installation on your network or computers. "Barracuda Networks Hardware" means hardware purchased or provided for your use by Barracuda Networks.
5 "Computer" means a desktop or laptop computer, network device, and any storage device attached to them in any fashion.
6 "Personal Information" means information that you may provide at the time of registration or otherwise, such as name, physical location or address, IP address, email address, gender, year of birth, billing information, payment information, and postal code.
7 "Backup Data" includes any data you back up through Use of the Barracuda Networks Products or Services and any related data that are in the possession of Barracuda Networks or affiliates.
8 To "Publish" documents or information means to provide to or make them accessible to you by mailing, emailing, desktop messaging, faxing, or delivering them to you and/or by posting them to or any other website you visit to register for, subscribe to, license, buy, or Use Barracuda Networks Products or Services.
9 To "Use" Barracuda Networks Products or Services means each time you visit a Barracuda Networks website, register with Barracuda Networks, download Barracuda Networks Software or receive Barracuda Networks Hardware, use Barracuda Networks Software or Hardware, view the status of a Barracuda Networks product, control a Barracuda Networks Product or Service, view the status of your Backup Data, store or restore Backup Data, or request support.
10 "Barracuda Networks Affiliate" means persons or entities who have provided products, licenses, or services to Barracuda Networks and persons or entities with which Barracuda Networks has entered into an agreement to sublicense or to provide Barracuda Networks Products or Services to users.
11 "Activation Date" means the earlier of: (i) the date Barracuda Networks grants you access to the services and (ii) the date on which you complete the online activation process.
12 "Authorized User" means an employee or a contractor of Customer who is authorized to use the Barracuda Networks services provided hereunder.
13 "Maximum Data Traffic Limit". An average of 950MB of data traffic per user per month.

Barracuda Backup Services

If you are using Barracuda Networks Backup Services and have paid for such services, the terms of this section apply; otherwise, they do not.

1 Guarantee of Data Backup. Barracuda Networks is responsible for backing up your data in accordance with the selections you make through the web-based control panel. Barracuda Networks does not make any further guarantee, expressed or implied, to backup any other data on or off of the client's premises beyond the particular files and directories indicated by you in the control panel.
2 Data Backup Status Reporting. Barracuda Networks will provide you with the ability to view the condition of the overall backup status, as well as backup status of individual files, via the web-based control panel. It is your responsibility to verify that the data you intend to backup is accurately set up in the web-based control panel and is being backed up and reporting no errors. Barracuda Networks will, in addition, monitor backup status and alert you by email or telephone to potential problems; however, Barracuda Networks cannot be held responsible in any way if data is not backed up. It is your responsibility to verify that Barracuda Networks has the correct contact information for providing any alerts regarding backup issues.
3 Data Restoration. Barracuda Networks will provide various tools for you to restore data that has been backed up. These tools include the secure web-based control panel and local network access using FTP protocol.
4 Failed Data Backups. Barracuda Networks is committed to maintaining reliable and redundant infrastructure to store your data. Barracuda Networks will normally complete your selected backup transfers within 72 hours. If the data backups are not completed within this time frame, Barracuda Networks will provide you notice via the control panel interface. This provision is restricted by the condition of your data network and all physical and Internet connectivity requirements being suitable for Barracuda Networks to perform its function properly. If Barracuda Networks indicates your data is properly backed up and it is determined that the data cannot be restored as a direct result of a defect or error with a Barracuda Networks Product or Service, you shall be eligible for a refund. Properly backed up data is limited to data that the control panel shows as successfully backed up and for which there are no backup process warnings or errors reported in the control panel. You are solely responsible for verifying that the necessary files to restore specialized software systems, such as databases and other data environments, are being created and are included in the data Barracuda Networks is backing up for you. The maximum amount of the refund shall be the total amount of money you have paid to Barracuda Networks directly related to the impacted product or service.
5 Barracuda Networks Products and Services save your data to a server operated by Barracuda Networks or a Barracuda Networks Affiliate. A copy of each file you designate is saved. Barracuda Networks Products and Services scans for changes or additions to these files and then periodically creates a copy of modified or newly designated file. You will not be able to restore files that Barracuda Networks has not completed copying or files that have been changed but not yet been backed up or not eligible for back up.
6 All your data, backed up by Barracuda Networks or otherwise stored via a Barracuda Networks Product or Service, is considered confidential and private, and will be secured using standard and proprietary encryption methods, and stored in facilities secured electronically and physically. In order to ensure integrity of data, Barracuda Networks computer software conducts bit level comparisons on some files and stores the data in an unidentifiable format on Barracuda Networks storage servers. Barracuda Networks personnel require no express permission from you to view this unidentifiable version of the raw data being stored on Barracuda Networks storage servers. Barracuda Networks will also review information pertaining to file names, sizes, and revision dates for the purpose of confirming that your data is stored correctly. From time to time, you may request that Barracuda Networks personnel assist in the setup process, the data restoration process, or review information in the web-based control panel. This action may expose information and the contents of your data to Barracuda Networks personnel. You provide permission for Barracuda Personnel to view this data.

Barracuda Networks Web Filtering and Security Services

If you are using Barracuda Networks Web Filtering and Security Services and have paid for such services the terms of this section apply, otherwise they do not.

1 Subject to the terms and conditions of this Agreement, as of the Activation Date, Barracuda Networks will provide to you access to Barracuda Networks service, and bug fixes or other minor enhancements or improvements to such service. You acknowledge and agree that the service will redirect your Internet web traffic to Barracuda Networks servers and such traffic will be checked against rules regarding malware uploaded by you to the service and then the traffic will be transmitted back to you.
2 Subject to the terms and conditions of this Agreement, if you order or download one or more Barracuda Networks Hardware or Software products, Barracuda Networks hereby grants to you a non-exclusive, non-transferable, limited license (without the right to sublicense) to use the Barracuda Networks Hardware or Software products solely as necessary to access and use the services as described herein. 3 Subject to the terms and conditions of this Agreement, Barracuda Networks hereby grants to you (and to each Authorized User for whom you have paid the applicable fee) a non-exclusive, non-transferable, limited license (without the right to sublicense) to access and use the services via the Internet, solely for your internal business purposes and only in accordance with any applicable documentation. Your use of the services is subject to the Maximum Data Traffic Limit. 4 If usage of the service by Customer's Authorized Users exceeds the Maximum Data Traffic Limit in any given month during the term of the Agreement, Barracuda Networks will charge you the then-current overage fees and/or terminate this Agreement immediately. 4. Acceptance of License and Warranty; Modification; Cancellation By registering to use Barracuda Networks Products or Services, and each time you use a Barracuda Networks Product or Service, you affirm your acceptance of these License and Warranty and agree to comply with them now and throughout the period of your use of the Barracuda Networks Products or Services and thereafter, as noted in Section 6 (Barracuda Networks License to You) below. If you do not agree to these License and Warranty in their entirety, do not Use Barracuda Networks Products or Services. Barracuda Networks may change the License and Warranty at any time, without prior notice to you, and in its sole discretion. The new or modified License and Warranty will be effective immediately upon posting on our website at control.barracuda.com, or backup.barracuda.com.
If you do not agree to be bound by Barracuda Networks License and Warranty as Published by Barracuda Networks from time to time, your sole and exclusive remedy is to discontinue using Barracuda Networks Products or Services and return any Barracuda Networks products. If you wish to cancel your Barracuda Networks license after a change in the License and Warranty, you must do so in writing or by within thirty (30) calendar days after your next Use of a Barracuda Networks Product or Service following the change in the License and Warranty. For
this type of cancellation you will receive a pro-rata refund for the unused portion of your Barracuda Networks license as of your date of notice. You acknowledge and agree that if you do elect to cancel your license within this specified period after a change in the License and Warranty, or if you cancel your license or fail to renew an expired or terminated license for any reason, Barracuda Networks may delete any information that Barracuda Networks has obtained through your Use of Barracuda Networks Products or Services, including without limitation, your Backup Data, Configuration data, and account data. Barracuda Networks will not have any Backup Data available for your use. 4.1 Requirements for Registration or Use of Barracuda Networks Products: Barracuda Networks Products or Services are intended and offered only for lawful Use by individuals or organizations with the legal capacity and authority under applicable law to enter into a contract. Barracuda Networks does not offer Barracuda Networks Products or Services to minors or where prohibited by law. By registering for and/or by Using Barracuda Networks Products or Services, you represent and warrant that you have the legal capacity and authority to enter into a binding agreement to adhere to the Barracuda Networks License and Warranty and that you will Use Barracuda Networks Products or Services only in accordance with these License and Warranty and with all applicable laws. If you are Using Barracuda Networks Products or Services on behalf of an entity or organization, you warrant, represent, and covenant to Barracuda Networks that you are duly authorized to agree to these License and Warranty on behalf of the organization and to bind the organization to them. You agree to provide accurate and complete information when you register for a Barracuda Networks Product or Service and you agree to keep such information accurate and complete during the entire time that you Use Barracuda Networks Products or Services.
We may ask you from time to time to establish a user name or password to access or Use the Barracuda Networks Products or Services. You are solely responsible for any consequences arising in whole or in part out of your failure to maintain the confidentiality of your username and/or password. You acknowledge that the use of or connection to the Internet provides the opportunity for unauthorized third parties to circumvent security precautions and illegally gain access to Barracuda Networks Products and Services. Accordingly, Barracuda Networks cannot and does not guaranty the privacy, security or authenticity of any information so transmitted over or stored in any system connected to the Internet. 4. Lawful Use of Barracuda Networks Products or Services: You may not Use Barracuda Networks Products or Services for any unlawful purpose. Without limiting the foregoing: Barracuda Networks Products or Services may not be Used to store, backup, or distribute child pornography and may not be Used in violation of U.S. export control laws or the export or import regulations of other countries. You agree to comply strictly with all such laws and regulations and acknowledge that you have the responsibility to obtain licenses to export, re-export, or import as may be required. You may not Use Barracuda Networks Products or Services if you are a citizen, national, or resident of, or are under control of, the government of Cuba, Iran, Sudan, Libya, North Korea, Syria, or any other country to which the United States has prohibited export.
Each time you Use Barracuda Networks Products or Services you represent, warrant, and covenant that: (i) You are not a citizen, national, or resident of, nor under the control of, any such country to which the United States has prohibited export; (ii) You will not download or otherwise export or re-export the Barracuda Networks Software or Hardware, directly or indirectly, to the above mentioned countries nor to citizens, nationals or residents of those countries; (iii) You are not listed on the U.S. Department of Treasury's Lists of Specially Designated Nationals, Specially Designated Terrorists, and Specially Designated Narcotic Traffickers, the U.S. Department of State's List of Statutorily Debarred Parties, or the U.S. Department of Commerce's Denied Persons List, Entity List, or Unverified List Table of Denial Orders; (iv) You will not download or otherwise export or re-export the Barracuda Networks Software or Hardware, directly or indirectly, to persons on the above mentioned lists; (v) You will neither Use nor allow the Barracuda Networks Software or Hardware to be Used for, any purposes prohibited by United States federal or state law, including, without limitation, for the development, design, manufacture or production of nuclear, chemical, or biological weapons of mass destruction; (vi) The Barracuda Networks Software or Hardware will not be exported, directly, or indirectly, in violation of these laws, nor will the Barracuda Networks Products or Services be Used for any purpose prohibited by these laws including, without limitation, nuclear, chemical, or biological weapons proliferation; and (vii) You are not using or permitting others to use Barracuda Networks Products or Services to create, store, backup, distribute, or provide access to child pornography. 5.
Changes to the Barracuda Networks Products or Services Barracuda Networks has the right at any time to change, modify, add to, discontinue, or retire any Barracuda Networks Product or Service and any aspect or feature of the Barracuda Networks Products or Services including, but not limited to, the software, hours of availability, equipment needed for access or Use, the types of files that are backed-up (not every file on your computer is backed-up), the maximum disk space that will be allotted on Barracuda Networks servers on your behalf either cumulatively or for any particular service, or the availability of Barracuda Networks Products or Services on any particular device or communications service. Barracuda Networks will provide notice of material changes to the Barracuda Networks Products or Services or changes to this Agreement by posting them to control.barracuda.com, or backup.barracuda.com. Barracuda Networks shall have no obligation to provide you with notice of any such changes in any other manner. It shall be your responsibility to check our website periodically to inform yourself of any such changes. From time to time, Barracuda Networks may issue new releases, revisions, or enhancements to the Barracuda Networks Products or Services available to you free of charge or for a fee. New releases, revisions or enhancements may be licensed, downloaded, and installed only to the
extent that you hold a valid license to Use the Barracuda Networks Products or Services being updated or upgraded, and you may Use them only in accordance with the then-current License and Warranty and any additional license terms that may accompany them. Barracuda Networks may automatically update Barracuda Networks Products or Services you have installed on your computer without your prior consent. If any automatic updates involve the payment of additional fees, we will provide you with the opportunity to approve such fees prior to the new functionality being enabled. If you fail or refuse to approve such fees, Barracuda Networks may, in its sole discretion, terminate your current license, continue to support your current Barracuda Networks Products or Services without the automatic update, or replace your Barracuda Networks Products or Services with other Barracuda Networks Products or Services. If Barracuda Networks terminates your current license on account of your failure or refusal to approve such fees, then Barracuda Networks will refund, on a pro-rata basis based on the remaining term of the current license, any fees related to the period during which you will not have access to your Barracuda Networks Products or Services. If Barracuda Networks updates the Barracuda Networks Products or Services without requiring an additional fee and you object to such change, your sole remedy shall be to terminate your use of the Barracuda Networks Products and Services. Barracuda Networks reserves the right at any time to charge or modify fees for the Barracuda Networks Products or Services. However, such fees shall not be charged unless your prior agreement to pay such charges is obtained. Thus, if at any time Barracuda Networks requires a fee for the Service, you will be given reasonable advance notice of such fees and the opportunity to cancel before such charges are imposed.
If you elect not to pay any fees charged by Barracuda Networks, Barracuda Networks shall have the right to cease providing Barracuda Networks Products or Services to you. 6. Barracuda Networks License to You; Renewals, Modifications, Limits 6.1 Scope of License. Barracuda Networks grants you a non-exclusive, non-transferable limited and revocable license to use the Barracuda Networks Software or Hardware only on the hardware provided by Barracuda Networks for which you have paid the applicable fees and taxes and from which you are licensed to access the Barracuda Networks Products or Services, and to Use the Barracuda Networks Products or Services for the sole and exclusive purposes of connecting to and using the Barracuda Networks Products or Services for your personal or internal business purposes in accordance with these License and Warranty, provided you comply and remain in compliance with this Agreement. We reserve all other rights to the Barracuda Networks Products or Services. You may not sub-license, or charge others to Use or access, the Barracuda Networks Products or Services and you may not redistribute the Barracuda Networks Products or Services or provide others with access to or Use of them, unless you have entered into a Reseller, Affiliate or similar Agreement with Barracuda Networks to engage in this activity. Without limiting the foregoing, you will not permit others to Use the Barracuda Networks Products or Services to access or decrypt data stored on servers provided by Barracuda Networks or Barracuda Networks Affiliates; you will not Use or permit others to Use the Barracuda Networks Products or Services to decrypt data encrypted by others; and you will not Use or permit others to Use the Barracuda Networks Products or Services to provide encryption or decryption services to others, whether or not such services are compensated. 6.2 Renewals and Payments.
You agree that Barracuda Networks shall have the right to automatically and without notice renew your license to continue to Use the Barracuda Networks Products or Services upon expiration of your then-current license, and that as part of such renewal Barracuda Networks shall have the right to charge the applicable renewal fees and any applicable taxes to any credit card you used to purchase your then-current license. You agree that if you elect to not permit Barracuda Networks the right to automatically renew your license to Use Barracuda Networks Products or Services or your credit card information on file with Barracuda Networks does not permit automatic renewal, then Barracuda Networks may terminate your license. You agree that if you have licensed Barracuda Networks Products or Services for a period of greater than ninety (90) calendar days you have thirty (30) calendar days from the date that your license was renewed to elect to discontinue your Use of Barracuda Networks Products or Services. If you have licensed Barracuda Networks Products or Services for a period of less than or equal to ninety (90) calendar days you have seven (7) calendar days from the date that your license was renewed to elect to discontinue your Use of Barracuda Networks Products or Services. If you elect to discontinue your Use of Barracuda Networks Products or Services within this period, you will be issued a full refund for the amount of your license renewal. You are responsible for ensuring that Barracuda Networks has current and accurate records necessary to renew your license, including without limitation, credit card data. Any payment not received from you by the due date shall accrue (except with respect to charges then under reasonable and good faith dispute), at the lower of one and a half percent (5%) of the outstanding balance per month (being 18% per annum), or the maximum rate permitted by law, from the date such payment is due until the date paid.
You also agree to pay all sums expended (including reasonable legal fees) in collecting overdue payments. 6.3 Barracuda Networks does not offer any refunds for purchases of Barracuda Networks Products or Services, except as expressly provided in this Agreement. 6.4 Permitted License Uses and Restrictions. This License allows you to use the Barracuda Networks Software provided on the Barracuda Networks Hardware only on the single Barracuda labeled hardware device on which the software was delivered. You may not make copies of the Barracuda Networks Software provided on the Barracuda Networks Hardware and you may not make the software available over a network where it could be utilized by multiple devices or copied. You may not make a backup copy of the software. You may not modify or create derivative works of the software except as provided by the Open Source Licenses included below. The BARRACUDA SOFTWARE IS NOT
INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE SUPPORT MACHINES, OR OTHER EQUIPMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. You may not transfer, rent, lease, lend, or sublicense the Barracuda Networks Software. 7. Assignment and Delegation by Barracuda Networks Barracuda Networks may, in its sole discretion, transfer or assign all or any part of its rights in the Barracuda Networks Software or Hardware, the Barracuda Networks Products or Services, and any license or contract related thereto, and may delegate all or any portion of its duties, if any, under any such Barracuda Networks Products or Services, licenses, or other contracts. 8. No Transfers or Modifications by You You may not sell, assign, grant a security interest in or otherwise transfer any right in the Barracuda Networks Products or Services, nor incorporate them (or any portion of them) into another product or service. You may not copy the Barracuda Networks Products or Services. You may not translate, reverse-engineer or reverse-compile or decompile, disassemble, make derivative works from, or otherwise attempt to discover any source code in the Barracuda Networks Software or Hardware or decrypt any files that are not associated with your computer. You agree not to create Internet links to any database portion or frame or mirror any data contained in any Barracuda Networks Product or Service. You agree not to make any data accessible from or use Barracuda Networks Product or Service in automatic, semi-automatic or manual tools designed to create virus signatures, virus detection routines, or any other data or code for detecting malicious code or data. You agree to delete any Barracuda Networks Software from any device on which it is installed prior to selling or transferring the device.
You may not modify the Barracuda Networks Software or Hardware or use it in any way not expressly authorized by these License and Warranty. You may not obtain the communications protocol for accessing the Barracuda Networks Products. You may not authorize or assist any third party to do any of the foregoing. 9. Protection of Data You are solely responsible for protecting the information on your computer such as by installing anti-virus software, updating your applications, password protecting your files, and not permitting third party access to your computer. You understand that the Barracuda Networks Products or Services may back-up files that are no longer usable due to corruption from viruses, software malfunctions or other causes. This might result in you restoring files that are no longer usable. 9.1 For the purposes of maintaining hardware systems responsible for providing Barracuda Networks services to you, you grant to Barracuda Networks permission to obtain remote access to such Barracuda Networks Products and Services in order to perform routine software maintenance and system health evaluations. Some of these functions include, but are not limited to, the maintenance of operating systems & Barracuda Networks software, installation and setup of new software versions, installation of security patch updates, hardware health monitoring, processor load monitoring, and bandwidth usage monitoring. 9.2 From time to time, you may request that Barracuda Networks personnel assist in setup process, the data restoration process, or review information in the web-based control panel for a Barracuda Networks Product or Service. This action may expose information and the contents of your data to Barracuda Networks personnel. You provide permission for Barracuda Personnel to view this data. 10.
Deletion of Backup and other data If your license to Use Barracuda Networks Products or Services expires, is terminated, is not renewed, or is otherwise discontinued for any reason, Barracuda Networks and the Barracuda Networks Affiliates may, without notice, delete or deny you access to any of your data that may be in their possession or control. You agree that if your license has been terminated, expired, or otherwise lapsed for any reason, that your files may not be available should you wish to restore them, your data may not be viewable, and that network traffic may be blocked. You agree that Barracuda Networks and Barracuda Networks Affiliates may retain (but shall have no obligation to retain) your data for a period after your license has been terminated, expired, or otherwise lapsed, as part of Barracuda Networks' marketing to you the opportunity to purchase, renew, or extend a license. 1 Customer Support Subject to payment by you of the applicable fees, and provided that you are in compliance with the terms and conditions of this Agreement, Barracuda Networks will provide you standard support services for the specific product purchased by you. Support may be available only on selected days and during a limited number of hours. Support may also be available through only certain delivery vehicles such as or telephone and some support may only be available for the payment of an additional fee or charge. As part of the delivery of support Barracuda Networks may employ a variety of tools or services to aid in the process of resolving your issues. You grant Barracuda Networks the right to use these tools and hold Barracuda Networks harmless for the use of these tools as well as the guidance provided by the support staff who in no way
can be fully aware of all of the complexities associated with the Barracuda Networks Product and Services, your computer, and your infrastructure. 1 Restrictions on Access to Barracuda Networks Products or Services You may access Barracuda Networks Products or Services only through the interfaces and protocols provided or authorized by Barracuda Networks. You agree that you will not access Barracuda Networks Products through unauthorized means, such as unlicensed software clients or tampering. Certain Barracuda Networks Products backup only certain types of files. You agree not to circumvent these limitations in any way, including but not limited to, changing file extensions or header information. 1 Communications You are responsible for obtaining and maintaining all of the hardware, software, and services that you may need to access and Use Barracuda Networks Products or Services. Without limiting the foregoing, you must pay all charges, taxes, and other costs and fees related to obtaining your own Internet access, telephone, computer, and other equipment, and any communications or other charges incurred by you to access Barracuda Networks Products or Services. 14. Termination and Fair Use Policy BARRACUDA NETWORKS SHALL HAVE THE ABSOLUTE AND UNILATERAL RIGHT IN ITS SOLE DISCRETION TO DENY USE OF AND ACCESS TO ALL OR ANY PORTION OF BARRACUDA NETWORKS PRODUCTS OR SERVICES TO USERS WHO ARE DEEMED BY BARRACUDA NETWORKS TO BE USING THE BARRACUDA NETWORKS PRODUCTS OR SERVICES IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA NETWORKS OR IN VIOLATION OF LAW, INCLUDING BUT NOT LIMITED TO SUSPENDING OR TERMINATING A USER'S ACCOUNT WITH BARRACUDA NETWORKS AND THE LICENSE TO USE THE BARRACUDA NETWORKS PRODUCTS OR SERVICES.
You agree that Barracuda Networks may terminate your Account and access to the Barracuda Networks Products or Services for reasons including, but not limited to, breaches or violations of these Terms of Service, a request by you to terminate your Account, discontinuance or material modification to the Barracuda Networks Products or Services, unexpected technical issues or problems, extended periods of inactivity and requests by law enforcement or other government agencies. Termination of your Barracuda Networks Account includes termination of access to the Barracuda Networks Products or Services, deletion of your Account information such as your ID and Password and deletion of data in your Account as permitted or required by law. Upon Termination, you agree to uninstall and destroy software components provided to you as part of the Barracuda Networks Products or Services. You agree that we may, in our sole discretion and from time to time, establish or amend general operating practices to maximize the operation and availability of Barracuda Networks Products or Services and to prevent abuses. As part of these practices, we reserve the right to monitor our system to identify excessive consumption of network resources and to take such technical and other remedies as we deem appropriate. Your consumption of Barracuda Networks Products or Services may be deemed excessive if, within any month, your usage greatly exceeds the average level of monthly usage of Barracuda Networks users, generally. In the event you are deemed to have violated this policy, we reserve the right to offer an alternative pricing plan that will permit you to continue to use Barracuda Networks Products or Services. Although violations of this policy have been infrequent, we nevertheless reserve the right to terminate or suspend your license and any license to use the Barracuda Networks Software or Hardware, without prior notice in the event of a violation of this policy. 15.
Data Collection, Encryption, Privacy, and Disclosure Barracuda Networks will collect and use Personal Information in accord with the terms of our Barracuda Networks Privacy Policy, which is incorporated into and made a part of these License and Warranty. You hereby consent to Barracuda Networks' use of your Personal Information under the terms of the Barracuda Networks Privacy Policy, as it may be amended from time to time. To provide its services, Barracuda Networks Software or Hardware routinely scans your computer network in order to detect new, modified, or deleted data files that require further action to complete backup and restore operations. Barracuda Networks Software or Hardware also catalogs the number and total storage size of various file types on your computer network. Data is transmitted to and stored at Barracuda Networks storage facilities in an encrypted format. You hereby give authorization for Barracuda Networks to access the data during the process of assisting you with any support request or data restoration process. 16. Warranties 16.1 SOFTWARE WARRANTY. Barracuda Networks warrants that the Barracuda Networks Products or Services will for a period of thirty (30) days from the date of registration and payment perform substantially as specified in the applicable Barracuda Networks documentation. If you satisfactorily demonstrate to Barracuda Networks within such thirty (30) day period that a Barracuda Networks Product or Service contains errors, then as Barracuda Networks' sole and exclusive liability and as your sole and exclusive remedy, Barracuda Networks shall at its sole option either use commercially reasonable efforts to correct the errors reported by you, replace the Barracuda Networks Product or Services affected with a
substantially conforming product or service, or refund the fee you paid for the Barracuda Networks Product or Service and terminate your license under the License and Warranty. Barracuda Networks does not warrant the results of its correction or replacement Barracuda Networks Products or Services. Correction or replacement under this Section 16 (Warranties), and the issuance of any corrections, patches, bug fixes, workarounds, upgrades, enhancements, or updates by Barracuda Networks to you, shall not be deemed to begin a new, extended, or additional license, license period, or warranty period. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is non-transferable. LIMITED HARDWARE WARRANTY. Barracuda Networks or authorized Distributor selling the Barracuda Networks Product or Service, if sale is not directly by Barracuda Networks, warrants that commencing from the date of delivery to you (but in case of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks), and continuing for a period of one (1) year: (a) its hardware products (excluding any software) will be free from material defects in materials and workmanship under normal use; and (b) the software provided in connection with its hardware, including any software contained or embedded in such products will substantially conform to Barracuda Networks' published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that you will be able to operate the software without problems or interruptions.
In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is non-transferable. Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks' or its service center's option and expense, the repair, replacement or refund of the purchase price of any hardware sold which do not comply with this warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks' option. Barracuda Networks' obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks' then-current Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at Barracuda Networks' discretion, and shall be furnished on an exchange basis. All parts removed for replacement will become the property of the Barracuda Networks. In connection with warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT SHALL BARRACUDA NETWORKS' LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION.
This limited warranty does not apply to Barracuda Networks products that are or have been (a) marked or identified as sample or beta, (b) loaned or provided to you at no cost, (c) sold as is, (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse, negligence or to an accident. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS OR SERVICES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS PRODUCTS AND SERVICES AND THE SOFTWARE IS PROVIDED AS-IS AND BARRACUDA NETWORKS DOES NOT WARRANT THAT ITS PRODUCTS OR SERVICES WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS OR SERVICES, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. DISCLAIMER OF OTHER WARRANTIES. THE LIMITED WARRANTY IN THE PRECEDING PARAGRAPH IS IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, WRITTEN OR ORAL, INCLUDING BUT NOT LIMITED TO, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT, AND ANY WARRANTY ARISING BY STATUTE OR OTHERWISE IN LAW, OR FROM A COURSE OF DEALING OR USAGE OF TRADE.
Barracuda Networks and the Barracuda Networks Affiliates do not warrant that the functions contained in the Barracuda Networks Products or Services will meet your requirements, that the operation of the Barracuda Networks Products or Services will be uninterrupted or error-free, or that defects in the Barracuda Networks Products or Services will be corrected. Barracuda Networks and Barracuda Networks Affiliates do not warrant or make any representations regarding the use or the results of the use of the Barracuda Networks Products or Services in terms of their correctness, accuracy, reliability or otherwise. Barracuda Networks and Barracuda Networks Affiliates do not represent or warrant that users will be able to access or use the Barracuda Networks Products or Services at times or locations of their choosing, or that Barracuda Networks and Barracuda Networks Affiliates will have adequate capacity for any user's requirements. No oral or written statement, information or advice given by Barracuda Networks, Barracuda Networks Affiliates, or their respective employees, distributors, dealers, or agents shall create any warranties in addition to those express warranties set forth in this Section 16 (Warranties). You may have other statutory rights. However, to the full extent permitted by law, the duration of statutorily required warranties, if any, shall be limited to the warranty period.

17. Limitation of Liability
With respect to defects or deficiencies in the Barracuda Networks Products or Services, the liability of Barracuda Networks and Barracuda Networks Affiliates will be limited to performance of its responsibilities under Section 16 (Warranties) above. With respect to other breaches of contract, the liability of Barracuda Networks and Barracuda Networks Affiliates shall be limited to your actual damages, and in no event will such liability exceed the total amount received by Barracuda Networks from you under these License and Warranty for your current license period, and only such amounts as relate to the computer affected by the breach. IN NO EVENT WILL Barracuda Networks, THE Barracuda Networks CONTRACTS, Barracuda Networks DISTRIBUTORS OR Barracuda Networks SUPPLIERS BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR ANY LOST PROFITS, LOST DATA, INTERRUPTION OF BUSINESS, OR OTHER SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING OUT OF THE USE OR INABILITY TO USE THE Barracuda Networks PRODUCTS OR SERVICES OR TO USE OR RETRIEVE ANY BACKUP DATA, WHETHER FOR BREACH OF WARRANTY OR OTHER CONTRACT BREACH, NEGLIGENCE OR OTHER TORT, OR ON ANY STRICT LIABILITY THEORY, EVEN IF Barracuda Networks HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES OR A REMEDY SET FORTH IN THESE TERMS OF USE IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE, AND WHETHER OR NOT SUCH LOSS OR DAMAGES ARE FORESEEABLE. Neither Barracuda Networks nor any Barracuda Networks Affiliate assumes any liability to any party other than you arising out of your Use or inability to Use the Barracuda Networks Products or Services. The limitations of damages set forth above are fundamental elements of the bargain between Barracuda Networks and you. Barracuda Networks would not be able to provide the Barracuda Networks Products or Services to you without such limitations.

18. Indemnification

YOU AGREE TO DEFEND, INDEMNIFY AND HOLD HARMLESS Barracuda Networks, Barracuda Networks AFFILIATES, AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES AND AGENTS FROM AND AGAINST ALL CLAIMS, DAMAGES, LOSSES, LIABILITIES, AND EXPENSES, INCLUDING WITHOUT LIMITATION ATTORNEYS FEES, ARISING OUT OF YOUR USE OF THE Barracuda Networks PRODUCTS OR SERVICES AND/OR YOUR VIOLATION OF ANY TERM OF THESE License and Warranty. Barracuda Networks RESERVES THE RIGHT, AT ITS OWN EXPENSE AND IN ITS SOLE DISCRETION, TO ASSUME THE EXCLUSIVE DEFENSE AND CONTROL OF ANY MATTER OTHERWISE SUBJECT TO INDEMNIFICATION BY YOU. IN THAT EVENT, AND ONLY IN SUCH EVENT, SHALL YOU HAVE NO FURTHER OBLIGATION TO PROVIDE A DEFENSE FOR Barracuda Networks IN THAT MATTER. If Barracuda Networks chooses to provide its own defense in connection with any matter subject to indemnification under these License and Warranty, you shall participate and cooperate in the defense of Barracuda Networks and Barracuda Networks Affiliates, at your own expense, to the full extent requested by Barracuda Networks. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR CONTROL THAT ARE UTILIZED IN ANY Barracuda Networks product.

19. Trademarks, Service Marks, and Other Intellectual Property

All trademarks, service marks or other similar items appearing on the Barracuda Networks Products or Service are the property of their respective owners, including, without limitation, Barracuda Networks, Inc. The Barracuda Networks Products or Services are protected by copyright and other intellectual property laws, title, ownership rights, and intellectual property rights in the Barracuda Networks Products or Services shall remain with Barracuda Networks and its licensors.
You agree not to take any action to jeopardize, limit, or interfere in any manner with Barracuda Networks or its licensor's ownership of or rights with respect to the Barracuda Networks Products or Services.

20. U.S. Government Restricted Right

The Barracuda Networks Software or Hardware is a commercial item as that term is defined at 48 C.F.R. 101, consisting of commercial computer software and commercial computer software documentation as such terms are used in 48 C.F.R. 121 Consistent with 48 C.F.R and 48 C.F.R through , all U.S. Government end users acquire the Barracuda Networks Software or Hardware with only those rights set forth therein.

21. High Risk Activity

You acknowledge and agree that the Barracuda Networks Products or Services are not intended for use with any high risk or strict liability activity, including, without limitation, air or space travel, technical building or structural design, power plant design or operation, life support or emergency medical operations or uses, and that Barracuda Networks makes no warranty and shall have no liability arising from any Use of the Barracuda Networks Products or Services in any high risk or strict liability activities.

22. Dispute Resolution, Arbitration, Governing Law, and Venue

(a) Arbitration of Domestic (U.S.) Disputes. All disputes arising under or relating to this Agreement shall be resolved by final and binding
arbitration conducted before a single arbitrator pursuant to the commercial arbitration rules of Resolute Systems, Inc. that were in force as of April 30, Evidentiary hearings and any other proceedings requiring personal attendance of parties or their representatives or witnesses shall be conducted in San Jose, CA or such other place within the United States as the arbitrator may direct in the case of all other Licensees.

(b) Arbitration of International Disputes. Notwithstanding the provisions of Subsection 22(a) (Arbitration of Domestic Disputes), any dispute arising under this Agreement that involves a dispute between Barracuda Networks and a person who is neither a citizen nor a resident of the United States, shall, at either party's request, be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules, with such arbitration to be conducted in USA or such other place as the parties to such arbitration may agree.

(c) Exceptions to Agreement to Arbitrate. Notwithstanding the provisions of Subsections 22(a) (Arbitration of Domestic Disputes) and 22(b) (Arbitration of International Disputes), disputes pertaining to i) export controls, ii) unlawful Use of the Barracuda Networks Products or Services, or iii) the scope, applicability, or compliance with governmental or court-ordered access to or limits on use of Backup Data, shall not be resolved by arbitration, but shall instead be resolved by reference to a judicial or administrative body with jurisdiction over the dispute.

(d) Costs of Arbitration. The administrative expenses, arbitrator fees, and facility charges associated with the arbitration, whether domestic or international, shall be split equally between the parties. Each party shall be solely responsible for its attorney fees, expert witness fees, and other costs, fees, and expenses, except as may otherwise be provided in Section 18 (Indemnification).
(e) Discovery Procedures in Arbitration. The parties shall be entitled to such discovery as in the judgment of the arbitrator is appropriate, in light of the nature and objectives of arbitration, to ensure that each party has an adequate opportunity to determine the factual bases for its claims and defenses.

(f) Form and Effects of Award. The arbitrator shall render a naked award. Judgment on any arbitral award under this Agreement may be entered in any court of competent jurisdiction. It is the intent of the parties that neither the award nor any resulting judgment have res judicata (claim preclusion) or collateral estoppel (issue preclusion) effects except as between the parties themselves.

(g) Governing Law. The arbitration undertaking in this Agreement shall be governed by, construed, and interpreted in accordance with the Federal Arbitration Act, 9 U.S.C. 1 et seq. and, in the case of arbitrations involving one or more non-U.S. parties, by the Convention on the Recognition and Enforcement of Foreign Arbitral Awards and the U.S. legislation implementing the same, 9 U.S.C. 201 et seq. To the extent that the Arbitration provisions of this Agreement do not apply, the federal and state courts sitting in Santa Clara County, California, USA shall have exclusive jurisdiction and venue to adjudicate any dispute arising out of this Agreement. Each party hereto expressly consents to the personal jurisdiction of the courts of California and service of process being effected by registered U.S. mail or by private delivery service providing proof of delivery, sent to the party being served. All other provisions of this Agreement shall be governed by and construed and interpreted in accordance with the internal laws of the State of California Santa Clara County, USA, without regard to conflict of law provisions. The United Nations Convention on Contracts for the International Sale of Goods as well as any other similar law, regulation or statute in effect in any other jurisdiction shall not apply.
23. Termination, Expiration, Cancellation

(a) Limited Term. Your license will end upon the expiration of its stated term, upon your non-renewal of the licenses, upon your cancellation of the license, when Barracuda Networks elects to discontinue the product, upon your breach of these License and Warranty (if such breach is not cured within the time indicated below in this Section 23 (Termination, Expiration, Cancellation)), or when Barracuda Networks cancels or terminates your license, whichever occurs first (any such expiration, cancellation, discontinuation, or termination are referred to hereafter as "termination.")

(b) Termination for Unlawful or Abusive Use, Other Breach. Barracuda Networks may block your access to your Backup Data and/or terminate your Use of the Barracuda Networks Products or Services if Barracuda Networks reasonably believes that the Backup Data may contain child pornography or are being used to support other types of illegal activities, if providing Barracuda Networks Products or Services to a person located in a particular country would violate U.S. or other applicable law, or if your continued Use of Barracuda Networks Products or Services may damage, disable, overburden, or impair our servers or networks.

(c) Right to use termination. If you breach these License and Warranty, your right to Use the Barracuda Networks Products or Services shall automatically terminate if you fail to cure the breach after seven (7) calendar days after notice from Barracuda Networks or any of the Barracuda Networks Affiliates, unless your breach is due to violations of Section 4 (Lawful Use), Section 8 (No Transfers or Modifications by You), Section 18 (Indemnification), Section 19 (Trademarks), Section 20 (U.S. Government Restrictions), in which case termination will be without notice and without any right to cure.
(d) Upon termination: i) you shall immediately cease any and all Use of the Barracuda Networks Products or Services and delete all copies of them; ii) the Barracuda Networks Software or Hardware may be disabled by Barracuda Networks without notice to you; and iii) you will no longer have the right to access or retrieve your Backup Data; you hereby grant Barracuda Networks the unrestricted right to delete all such Personal Information and Backup Data at any time after termination, without notice.

24. Survival
In the event of any termination, expiration, or cancellation, the restrictions on your Use of the Software and the other applicable restrictions as set forth in Section 4 (Lawful Use), Section 6 (Barracuda Networks License), Section 8 (No Transfers or Modifications by You), Section 16 (Warranties), Section 17 (Limitation of Liability), Section 18 (Indemnification), Section 19 (Trademarks, Service Marks, and Other Intellectual Property), Section 20 (U.S. Government Restricted Right), Section 21 (High Risk Activity), Section 22 (Dispute Resolution, Governing Law, Venue), Section 24 (Survival), Section 25 (Notice), Section 28 (Limitation on Actions), and Section 30 (Miscellaneous) shall survive such termination, expiration, or cancellation, and you agree to remain bound by those terms.

25. Notice

Any notice that may or must be given by Barracuda Networks in connection with this Agreement or in connection with the Use of the Barracuda Networks Products or Services, may be given by sending it to the address provided by you upon registering for the Barracuda Networks Products or Services or as you may provide from time to time thereafter by modifying your user profile at You are responsible for ensuring that your accurate address is available to Barracuda Networks and provide any needed updates. Barracuda Networks may, in its sole discretion, use other means of providing notice, such as: desktop notification; regular, certified, or registered mail; fax; commercial delivery service; or messenger. All such notices shall be deemed given when dispatched with payment of delivery charges made or arranged. You hereby consent to receiving notice by any such means. Notwithstanding the foregoing, Barracuda Networks has no obligation to provide notice or attempt to locate a you other than through the address provided.

26. English Language

These License and Warranty were negotiated and written in English.
Any inconsistency between the License and Warranty as expressed in English and any other language shall, to the full extent permitted by applicable law, be resolved by reference to the English version. Les parties ont convenu de rediger cette entente en anglais.

27. Entire Agreement; Applicability of Terms; Construction; Limit to Modifications; Conflicts in Terms

These License and Warranty (including the items incorporated by reference and modifications that may be made from time to time), constitute the entire agreement between Barracuda Networks and you regarding Barracuda Networks Products or Services, and supersedes all prior agreements between you and Barracuda Networks regarding the subject matters hereof. Any item or service furnished by Barracuda Networks in furtherance of these License and Warranty, although not specifically identified in them, shall nevertheless be covered by these License and Warranty unless specifically covered by some other agreement entered into in written or electronic form between you and us. Any modification or change in these License and Warranty proposed or offered by you shall not become a part of these License and Warranty unless accepted in a writing dated after the effective date of the applicable License and Warranty and signed by an authorized officer of Barracuda Networks. Should there be any conflict in terms between this Agreement and any other document, the terms and conditions set forth in this Agreement shall govern. Any references that are singular or plural and any references that are masculine, feminine, or neuter in gender, are meant to be used interchangeably as the context of the sentence might imply.

28. Limitation on Actions

Unless otherwise required by law, an action or proceeding by you to enforce an obligation, duty, or right arising under this Agreement or by law must be commenced within one year after the cause of action accrues.

29. Copyright Infringement Notification

As provided in the Digital Millennium Copyright Act of 1998, we have designated the following individual for notification of potential copyright infringement regarding web sites hosted by Barracuda Networks: [email protected] If you believe content hosted by Barracuda Networks infringes a copyright, please provide the following information to the person identified above (17 U.S.C. 512):
(i) A physical or electronic signature of the copyright owner or authorized agent;
(ii) Identification of the copyrighted work(s) claimed to have been infringed;
(iii) Identification of the material that is claimed to be infringing or to be the subject of the infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit us to locate the material;
(iv) Information regarding how we may contact you (e.g., mailing address, telephone number, address);
(v) A statement that the copyright owner or its authorized agent has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
(vi) A statement that the information in the notification is accurate, and made under penalty of perjury, and, if an agent is providing the notification, a statement that the agent is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
30. Miscellaneous

You agree to reimburse Barracuda Networks for any costs or fees related to its enforcement of this Agreement, including without limitation the expert fees and attorney fees regularly charged by the experts and legal counsel chosen by Barracuda Networks. Barracuda Networks is not responsible for misprints, errors or omissions in its advertising and promotional materials. If you have designated a person (whether by , orally, by registering such person with Barracuda Networks, or by granting such person access to your username and password) to have access to your Backup Data, in the possession or control of Barracuda Networks, you hereby grant Barracuda Networks the right to give that person access to your Backup Data, including without limitation in the event of your death or incapacity.

31. Severability

This Agreement will be enforced to the fullest extent permitted by applicable law. If for any reason any provision of this Agreement is held to be invalid or unenforceable under applicable law to any extent, then (i) such provision will be interpreted, construed, or reformed to the extent reasonably required to render it valid, enforceable, and consistent with the original intent underlying such provision and ii) such invalidity or unenforceability will not affect the validity or enforceability of any other provision of this Agreement and all such provisions shall remain in full force and effect.

32. Billing Issues

You must notify us about any billing problems or discrepancies within sixty (60) days after they first appear on the statement you receive from your bank or credit card company or other billing company. Send such notification to us at the Barracuda Networks Contact Information indicated in Section 33 (Barracuda Networks Contact Information) below. If you do not bring such problems or discrepancies to our attention within that sixty (60) day period, you agree that you waive the right to dispute such problems or discrepancies.
33. Barracuda Networks Contact Information

If you have any questions or comments, please contact us at [email protected]. Although we strongly prefer communication, you may also send regular postal mail to the address on our web site at

Open Source Licensing

Barracuda Networks Products and Services may include programs that are covered by the GNU General Public License (GPL) or other Open Source license agreements. The GNU license is re-printed below for your reference. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.

The GNU General Public License (GPL) Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The Program, below, refers to any such program or work, and a work based on the Program means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term modification.) Each licensee is addressed as you. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and
the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and any later version, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF GNU TERMS AND CONDITIONS

Barracuda Networks Products and Services may contain programs that are copyright (c) International Business Machines Corporation and others. All rights reserved.
These programs are covered by the following License: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation.
Barracuda Networks Products and Services may include programs that are covered by the BSD License: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Barracuda Networks Products and Services may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved. It is covered by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Barracuda Networks Products and Services may contain programs that are Copyright (c) Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any other legal details, please contact Office of Technology Transfer Carnegie Mellon University 5000 Forbes Avenue Pittsburgh, PA (412) , fax: (412) [email protected].
Redistributions of any form whatsoever must retain the following acknowledgment: This product includes software developed by Computing Services at Carnegie Mellon University ( CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Barracuda Networks Products and Services may include programs that are covered by the Apache License or other Open Source license agreements. The Apache license is re-printed below for your reference. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.
Apache License Version 0, January
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
Redistribution.
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a NOTICE text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
Submission of Contributions.
Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
Accepting Warranty or Additional Liability.
While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
END OF APACHE TERMS AND CONDITIONS
Installing and Configuring vcloud Connector
Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
Comodo MyDLP Software Version 2.0. Installation Guide Guide Version 2.0.010215. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013
Comodo MyDLP Software Version 2.0 Installation Guide Guide Version 2.0.010215 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1.About MyDLP... 3 1.1.MyDLP Features... 3
WhatsUp Gold v16.1 Installation and Configuration Guide
WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines
NetWrix Password Manager. Quick Start Guide
NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...
BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008
BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008 BUILDER 3.0 1 Table of Contents Chapter 1: Installation Overview... 3 Introduction... 3 Minimum Requirements...
Online Backup Client User Manual Mac OS
Online Backup Client User Manual Mac OS 1. Product Information Product: Online Backup Client for Mac OS X Version: 4.1.7 1.1 System Requirements Operating System Mac OS X Leopard (10.5.0 and higher) (PPC
Online Backup Client User Manual Mac OS
Online Backup Client User Manual Mac OS 1. Product Information Product: Online Backup Client for Mac OS X Version: 4.1.7 1.1 System Requirements Operating System Mac OS X Leopard (10.5.0 and higher) (PPC
Kaseya 2. User Guide. Version R8. English
Kaseya 2 Discovery User Guide Version R8 English September 19, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as
Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop
Building the SAP Business One Cloud Landscape Part of the SAP Business One Cloud Landscape Workshop TABLE OF CONTENTS 1 INTRODUCTION... 3 2 LANDSCAPE DETAILS... 3 2.1 Server Details... 3 2.2 Landscape
Sophos for Microsoft SharePoint startup guide
Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning
Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February 2014 76-1025-03-B
Acano solution Virtualized Deployment R1.1 Installation Guide Acano February 2014 76-1025-03-B Contents Contents 1 Introduction... 3 1.1 Before You Start... 3 1.1.1 About the Acano virtualized solution...
PaperPort PSP Server 3 SERVER ADMINISTRATOR S GUIDE
PaperPort PSP Server 3 SERVER ADMINISTRATOR S GUIDE 1. Third party licenses and notices 5 2. Welcome 6 3. Installation requirements 7 3.1. System requirements 7 3.2. Installing prerequisites 7 3.3. Pre-installation
BorderGuard Client. Version 4.4. November 2013
BorderGuard Client Version 4.4 November 2013 Blue Ridge Networks 14120 Parke Long Court, Suite 103 Chantilly, Virginia 20151 703-631-0700 WWW.BLUERIDGENETWORKS.COM All Products are provided with RESTRICTED
Changing Your Cameleon Server IP
1.1 Overview Technical Note Cameleon requires that you have a static IP address defined for the server PC the Cameleon server application runs on. Even if the server PC has a static IP address, you may
WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES
BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES WEBTITAN CLOUD User Identification Guide This guide explains how to install and configure the WebTitan Cloud Active Directory components required
Configure thin client settings locally
This chapter contains information to help you set up your thin client hardware, look and feel, and system settings using the Control Center. Tip While it is not recommended to use dialog boxes for configuring
XIA Configuration Server
XIA Configuration Server XIA Configuration Server v7 Installation Quick Start Guide Monday, 05 January 2015 1 P a g e X I A C o n f i g u r a t i o n S e r v e r Contents Requirements... 3 XIA Configuration
MDM Mass Configuration Tool User s Manual
User s Manual First Edition, October 2010 www.moxa.com/product 2010 Moxa Inc. All rights reserved. Reproduction without permission is prohibited. User s Manual The software described in this manual is
Distributing EmailSMS v2.0
Distributing EmailSMS v2.0 1) Requirements Windows 2000/XP and Outlook 2000, 2002 or 2003, Microsoft.NET Framework v 2).NET Framework V 1 Rollout Microsoft.NET Framework v1 needed to run EmailSMS v2.0.
Autograph 3.3 Network Installation
Eastmond Publishing Ltd (Autograph) PO Box 46, Oundle, Peterborough, PE8 4JX, UK Tel: +44 (0)1832 273444 Fax: +44 (0)1832 273529 Email: [email protected] Web: www.autograph-maths.com Technical
VRC 7900/8900 Avalanche Enabler User s Manual
VRC 7900/8900 Avalanche Enabler User s Manual WLE-VRC-20030702-02 Revised 7/2/03 ii Copyright 2003 by Wavelink Corporation All rights reserved. Wavelink Corporation 6985 South Union Park Avenue, Suite
Appendix B Lab Setup Guide
JWCL031_appB_467-475.indd Page 467 5/12/08 11:02:46 PM user-s158 Appendix B Lab Setup Guide The Windows Server 2008 Applications Infrastructure Configuration title of the Microsoft Official Academic Course
SMART Vantage. Installation guide
SMART Vantage Installation guide Product registration If you register your SMART product, we ll notify you of new features and software upgrades. Register online at smarttech.com/registration. Keep the
