1. Barracuda Web Security Agt - Overview........................................................................ 2 1.1 Release Notes - Barracuda Web Security Agt for Macintosh.................................................... 2 1.2 Release Notes - Barracuda Web Security Agt for Windows..................................................... 3 1.3 Using the Barracuda WSA With the Barracuda Web Filter Version 7.1 and Above..................................... 6 1.3.1 Policy Lookup Only Mode With the Barracuda Web Security Agt............................................ 8 1.4 How to Install the Barracuda WSA with the Barracuda Web Filter.................................................. 8 1.4.1 GPO Installation of Barracuda WSA from the Windows Interface.............................................. 10 1.4.2 GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server....................................... 13 1.4.3 Installation using a Windows GPO from the Command Line................................................. 13 1.4.4 Manual local Installation from the Command Line......................................................... 16 1.4.5 How to Configure the Barracuda WSA With the Barracuda Web Filter.......................................... 18 1.4.6 How to Configure the Barracuda WSA With the Barracuda Web Security Service................................. 19 1.5 Using the Barracuda WSA with the Barracuda Web Security Service............................................... 20 1.6 How to Install the Barracuda WSA with the Barracuda Web Security Service......................................... 24 1.6.1 Automated Deploymt of Barracuda WSA.............................................................. 25 1.6.2 GPO Deploymt of the Barracuda WSA From the Command Line............................................ 26 1.6.3 GPO Deploymt of the Barracuda WSA From the Windows Interface......................................... 29 1.6.4 Manual Local Deploymt of Barracuda WSA from the Command Line........................................ 30 1.7 Uninstalling the Barracuda Web Security Agt for Win2K3 Server................................................. 33 1.8 Uninstalling the Barracuda Web Security Agt for Win2K8 Server................................................. 33 1.9 Requiremts for the Barracuda Web Security Agt With Windows............................................... 34 1.10 Installing the Barracuda WSA on a Macintosh................................................................ 34 1.11 Configuration Tool for Barracuda WSA Windows Clit......................................................... 35 1.12 Configuring Preferces for Barracuda WSA Macintosh Clit................................................... 37 1.13 Fallback Service Hosts and the Barracuda Web Security Service................................................. 41
Barracuda Web Security Agt - Overview Remote Filtering using the Barracuda Web Security Agt (WSA) with the Barracuda Web Filter or the Barracuda Web Security Service ables your IT departmt to provide and control contt security beyond the perimeter of the IT infrastructure. For satellite offices, mobile workers and studts, this feature allows secure web browsing access at the dpoint, from any computer and any location, that complies with the web access and security policies of the organization. Either web security solution can be configured to recognize each remote clit by traffic signed by the Barracuda WSA. Simply deploy the Barracuda WSA on each remote Windows desktop/laptop or Macintosh to proxy all clit web traffic over the Internet to the Barracuda Web Filter or the Barracuda Web Security Service. Download the files required to install the Barracuda WSA from either web security solution, and configure how it filters traffic for your remote users. Multiple unique profiles can be created to apply differt filtering rules for specific groups or individual users. If you are using the Barracuda Web Filter, the Policy Lookup Mode option ables the Barracuda WSA on the remote user's machine to look up policies configured on the Barracuda Web Filter for that user/clit, apply the policies, th route allowed web traffic from the user's machine via its usual path to the Internet. With this option abled, traffic is not routed through the Barracuda Web Filter. See Usi ng the Barracuda WSA With the Barracuda Web Filter Version 7.1 and Above for details. For Chromebooks, the Proxy Authtication feature of the Barracuda Web Filter is the best solution for remote filtering. See How to Configure Proxy Authtication. Where to Start If you are using the Barracuda Web Filter, begin with Using the Barracuda WSA With the Barracuda Web Filter. If you are using the Barracuda Web Security Service, begin with Using the Barracuda WSA with the Barracuda Web Security Service. Release Notes - Barracuda Web Security Agt for Macintosh Running version 1.5.1 of the Barracuda Web Security Agt (iwsa) requires MacOS X 10.6 (Snow Leopard) or later; however, MacOS X 10.9 (Mavericks) or later is recommded. What's New in Version 1.5.1 (Beta) This update is recommded for all users of WSA for Macintosh. Local and network security improvemts Updated default administrative handshake Anonymized version reporting for product planning What's New in Version 1.5.0 Added support for MacOS X 10.10 (Yosemite) Compatible with service hosts patched for HeartBleed and SSL POODLE New Barracuda branding Fixed in version 1.5.0 Improved compatibility with Google Apps and icloud Improved compatibility with built-in MacOS services Faster policy lookups and network connections Faster recovery from network failures Fixes issues with Policy Lookup Only mode What's New in Version 1.4.0 2
Running version 1.4.0 of the Barracuda Web Security Agt (iwsa) requires MacOS X 10.6 (Snow Leopard) or later. Host Fallback feature - The Barracuda WSA checks the currt response times of all Barracuda Web Security Service hosts and ranks them accordingly. Rankings are viewable by the admin, and the admin can choose to have the Barracuda WSA automatically switch hosts to the fastest or to set the service host manually. See Fallback Service Hosts and the Barracuda Web Security Service for details. NOTE: This feature is not active by default; you must set it to be active in the profile and sync with clits. Improved compatibility with IPv6 services. Fixed in Version 1.4.0 Works as expected with AirDrop file sharing tool on MacOSx. Barracuda Web Security Agt installer works as expected. Reduced administrative traffic betwe the clit and service host. Increased security in proxy process. What's New in Version 1.3.1 Added support for MacOS X 10.9 Mavericks and the most rect version of Safari browser. Improved compatibility with Flash networking requests. Fixed in Version 1.3.1 Temporary server error is no longer treated as a hard network failure. What's New in Version 1.3.0 Geral Availability: 8/2/13 Added support for secure Barracuda Web Security Service connections over port 8443. Improved HTTP 1.1 compatibility. Fixed in Version 1.3.0 The YouTube for Schools feature works in Policy Lookup Only (PLO) mode. Works with PLO mode wh the Barracuda Web Filter is unreachable. Resolved connection issue after correcting an invalid Barracuda Web Security Service auth key. IPv6 requests do not trigger fail op. What's New in Version 1.2.2 Geral Availability: 07/06/12 The Barracuda Web Security Agt for Mac now passes along applicable LDAP credtials in the request headers. Fixed in Version 1.2.2 Improved logging for administrative requests and resolved startup problems which occurred on some systems. Release Notes - Barracuda Web Security Agt for Windows What's New in Version 4.4.0.72 Barracuda recommds updating to this version as it resolves stability issues found in version 4.4.0. Barracuda WSA stability fixes upon continuous browsing [BNWSA-1142] The Barracuda WSA Utilities Developer logs are disabled. [BNWSA-1145] What's New in Version 4.4 Improved User Experice Silt installations do not prompt for an update Anonymized version reporting for product planning Opt-out functionality for anonymous data reporting 3
Stability improvemts during settings reload and synchronization evts Backward compatibility of Policy Lookup Mode to Barracuda Web Filter version 8.1.005 Enhanced Security Policy lookup requests to the Barracuda Web Filter are now crypted Enforced additional best practices from Microsoft Other security fixes that include verifying signature of installers and improved cryption of data betwe the Barracuda WSA and the Barracuda Web Filter Fixed in Version 4.4 Fallback Hosts (Applies to Barracuda Web Security Service) Existing connections do not drop wh changing service host or wh ranking hosts After switching service hosts, existing connections continue to use the previous host while new connections are switched to the currtly selected host What's New in Version 4.3.1 Updated branding. Fixed in Version 4.3.1 Resolved issue in which, under certain conditions, the Barracuda WSA would give a 'Service unavailable' error. [BNWSA-631] Synchronization Resolved.NET framework 4.0 version compatibility issues with the Barracuda WSA by updating the minimum requiremts for Microsoft.NET Framework by Windows OS version. See Requiremts for the Barracuda Web Security Agt With Windows in the Barracuda TechLibrary. Upgrading to the correct version of the Microsoft.NET Framework sures that the Barracuda WSA operates correctly with SQL Server, LogRhythm and other applications and synchronizes seamlessly with the host. User Interface The WSAMonitor icon displays a red exclamation mark, as expected, with a message wh in Fail Op state. [BNWSA-21] Ports higher than 42008 or 32767 no longer cause an "unable to Op settings- Value is either to small or too large for Int16" error. [BNWSA-469] Advanced button is now displayed with... extsion (GUI convtion). [BNWSA-491] Fallback hosts Wh the selected host is the last one from a list of array fallback hosts, ranking works as expected and doesn't toggle the Barracuda WSA to fail op. [BNWSA-478] Miscellaneous Resolved issue wh, after making multiple configuration changes and clicking the Save button, the following error was displayed: "Object Synchronization method was called from an unsynchronized block of code". [BNWSA-466] What's New in Version 4.3.0 Host Fallback feature - The Barracuda WSA checks the currt response times of all Barracuda Web Security Service hosts and ranks them accordingly. Rankings are viewable by the admin, and the admin can choose to have the Barracuda WSA automatically switch hosts to the fastest or to set the service host manually. See Fallback Service Hosts and the Barracuda Web Security Service for details. Fixed in Version 4.3.0 Removed default forced restart after installation complete, which could cause issues wh installing via Windows GPO. [BNWSA-258] Improvemts in filtering on Windows 8 / 8.1 systems using WFP. [BNWSA-222] Updated LSP compont to address Windows.Net 4.5 incompatibility issues with Non-IFSLSPs. [BNWSA-169] Warn page can now also be shown for local redirect address set to external Barracuda Web Filter IP address. [BNWSA-108] For SSL Traffic, fixed handling of TLS 2.1 to improve HTTPS Filtering. Fixed issues occurring in Policy Lookup Mode (Barracuda Webfilter), where monitored pages are not displayed correctly [BNWSA-257] 4
The WSATraffic.log and WSA.log files are now limited to a maximum size of 3 MB each. Wh the Barracuda WSA clit is uninstalled, all related log files are removed from the system. [BNWSA-34] Version 4.3.0.26 This version replaces version 4.3.0.24 Fixed: If Fail Op is disabled, the Barracuda Web Security Agt now only fails closed wh there is no good connection available to the service host. [BNWSA-472] Fixed: The default setting on the Barracuda Web Security Agt clit Fail Op mode is no longer disabled; the default is now that Fail Op is abled before initial successful sync with the host service. This sures that traffic betwe the clit and the Internet continues to flow ev if no connection to the Barracuda Web Security Service or the Barracuda Web Filter can be made. Version 4.3.0.24 If the Fallback feature is abled (see Fallback Service Hosts and the Barracuda Web Security Service), the Barracuda WSA no longer fails op/closed if the first fallback host is not available; rather, the next available fallback host is automatically selected. [BNWSA-465] What's New in Version 4.2.5.0 The Update options have be re-abled (backd): This relates to Auto-Update and Allow Users to Check for Updates Options, configurable on the Remote Filtering tab of the Barracuda Web Filter. The Barracuda Web Security Service only has Allow updates, which has the same effect as Auto-Update on the Barracuda Web Filter. It does not include the second configuration option on the Remote Filtering tab. Therefore, for the Barracuda Web Security Service, the Check for Updates option in the Context Mu is not available by default. Update server: d.barracuda.com. If the Update option is abled, make sure that access to this server is available through your firewall. Sync settings now available from the Context Mu: Any user can trigger the config synchronization with Service (Barracuda Web Filter / Barracuda Web Security Service) at any point of time. Before this version, this option was only available to users having access to the Local Configuration Tool or synchronization on specific evts like logon/startup. The Admin can now configure the Temporarily Disable option using command line / GPO deploymt option: Default: a. After 5 minutes, any temporarily disabled Barracuda WSA clit will be re-abled and proxy web traffic to the Barracuda Web Filter / Barracuda Web Security Service. b. The user can disable the clit 3 times and must restart the clit machine in order to reset this count. Configurable via command line / GPO on installation time: a. b. c. TDT (in ms): The lgth of time (timeout) the clit will be disabled TDC: The number of times that the user can temporarily disable the clit before needing to reboot the machine Example for cmd line config / GPO for custom timeout = 30 mins, timeout count = 5 (=> disable for 30 mins; you can do this 5 times before need to reboot the machine): BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=[YOUR_AUTHKEY] SERVICE_URL=[YOUR_SERVICE_URL] ALLOW_REMOVE=1 TDT=1800000 TDC=5 The CPU monitor is now by default abled for Barracuda Web Security Service users and disabled for Barracuda Web Filter users. This configuration can now be only overridd at the time of installation, using command line / GPO deploymt: Enabled: CPU=1 Disabled: CPU=0 Example for cmd line config / GPO for disabling CPU monitor for BWFS: BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=[YOUR_AUTHKEY] SERVICE_URL=[YOUR_SERVICE_URL] ALLOW_REMOVE=1 CPU=0 What's New in Version 4.2.4.47 Scheduled reboot after installation to sure that the Barracuda Web Security Agt (WSA) is running. CPU monitor for BarracudaWSA.exe to address intermittt high CPU Loads with cloud-based web contt filtering. Fixed in Version 4.2.4.47 5
Barracuda WSA componts no longer flagged as viruses by MS Windows antivirus scanners Fixed in previous versions: The Barracuda WSA tests for Barracuda Web Filter and Barracuda Web Security Service availability on each tap of the Start Service opt ion in the tooltip mu. Resolved issues wh already in 'Fail Op' mode Timeout for service availability check was shorted from 60s to 30s. Using the Barracuda WSA With the Barracuda Web Filter Version 7.1 and Above In this article: Filter Traffic From Remote Windows and Macintosh Laptops and Desktops Installing the Barracuda WSA Configuring Settings for the Barracuda WSA Exceptions to Filtering with the Barracuda WSA Application Filtering with the Barracuda WSA Using SSL Inspection for HTTPS Traffic With the Barracuda WSA Filter Traffic From Remote Windows and Macintosh Laptops and Desktops Use the Barracuda Web Security Agt (WSA) to filter web traffic, detect and block malware, and sure safe browsing for off-network users. Wh you deploy the Barracuda Web Security Agt (WSA) on each remote desktop, Mac OSX computer, or laptop, all web traffic for those clits is signed by the Barracuda WSA. The Barracuda WSA intercepts all HTTP/S and FTP traffic through any connection on the remote computer without regard to the type of web browser. This includes Ethernet, wireless, or dial-up connections. Browsing policies created on the Barracuda Web Filter are th applied to that traffic as it is returned to the clit in one of two ways: The Barracuda WSA proxies all web traffic over the Internet through a specified Barracuda Web Filter, which can monitor traffic and apply web security policies before routing that traffic to the internet. With the Barracuda Web Filter version 7.1 and higher, SSL Inspection is also available for this type of deploymt on the Barracuda Web Filter 410 and higher. - OR - The Barracuda WSA looks up and applies company policies to clit web traffic before routing it to the internet, without the need to pass the traffic through the Barracuda Web Filter. For this option, able Policy Lookup Only mode from the ADVANCED > Remote Filtering page of the Barracuda Web Filter. Note that wh using Policy Lookup Only mode, SSL Inspection of HTTPS traffic is not available. See Policy Lookup Only Mode With the Barracuda Web Security Agt. You can download the files required to install the Barracuda WSA for Windows or Macintosh and configure how it filters traffic for your remote users via the ADVANCED > Remote Filtering page in the Barracuda Web Filter web interface. The Barracuda WSA works with LDAP authticated users. Figure 1: The Barracuda WSA proxies off-network users web traffic to the Barracuda Web Filter. Installing the Barracuda WSA See How to Install the Barracuda WSA with the Barracuda Web Filter for information on installing the Barracuda WSA on a Windows machine or a Macintosh OSX machine. Th, continue with the section below to configure the agt during and after installation. 6
Configuring Settings for the Barracuda WSA All of the settings mtioned below, except for Policy Lookup Only Mode, can be configured from the Barracuda WSA clit using the Configuration tool. However, each Sync evt synchronizes the Barracuda WSA settings to those configured on the Barracuda Web Filter ADVA NCED > Remote Filtering page. A sync evt is triggered by any of the following: User logging into Barracuda WSA A network change On the Macintosh clit - Clicking the Synchronize Settings button in the WSA Preferces; on the Windows clit - clicking on the Barracuda WSA icon in the task tray and selecting Sync to update local settings For more information about the Configuration tool, see Configuration Tool for Barracuda WSA Windows Clit or Configuring Preferces for Barracuda WSA Macintosh Clit. Exceptions to Filtering with the Barracuda WSA From the ADVANCED > Remote Filtering page, you can specify domains or subnets that should bypass filtering by the Barracuda Web Filter as well as any existing proxies on the clit s LAN for which traffic should bypass filtering. Begin initial configuration of your Barracuda WSA installation by idtifying all of your internal IP addresses and proxies, th tering those in the Bypass Filter and Proxy Exception text boxes on the ADVANCED > Remote Filtering page. This will exempt these IP addresses from traffic redirection. If you have a PAC or WPAD driv proxy setup, sure that the proxy hosts are also listed as Proxy Exceptions. Also make sure to idtify the external IP address of your Barracuda Web Filter in the External Hostname/IP field so that the Barracuda WSA can direct user web traffic to that IP address. Application Filtering with the Barracuda WSA The Barracuda WSA automatically forwards web browser traffic on all ports, and forwards traffic from all other applications on ports 80 and 443. On the ADVANCED > Remote Filtering page you can specify how the Barracuda WSA filters application traffic by default (Default Filter Settings): Filter ports 80 and 443 for all applications, Filter specified applications and allow all others, or Filter specified applications and block all others. If you have specific applications that use other ports, you can add them to the Applications to Filter (All Ports) list on the ADVANCED > Remote Filtering page. You can also list specific applications to always block, or specific applications to filter. The Barracuda Web Filter Vx virtual appliance does not support application blocking. Using SSL Inspection for HTTPS Traffic With the Barracuda WSA SSL Inspection of Barracuda WSA clit traffic is currtly only available with the Barracuda Web Filter. To filter and inspect HTTPS traffic such as Facebook posts, Google search terms, Skype chat and other crypted traffic at the URL level, you can able the SSL Inspection feature: 1. Enable SSL Inspection on the Barracuda Web Filter: Barracuda Web Filter 410: Go to the BLOCK/ACCEPT > Configuration page to able SSL Inspection. Download the Root Certificate For Browsers from the page and install in the browsers of all remote machines running the Barracuda WSA. Barracuda Web Filter 610 and higher: Go to the ADVANCED > SSL Inspection page to able SSL Inspection. Download the Root Certificate For Browsers from the page and install in the browsers of all remote machines running the Barracuda WSA. 2. Synchronize the Barracuda WSA clit on all remote machines: a. On Windows clits: click on the Barracuda WSA icon in the task tray. Sync Settings to synchronize the clit with the new setting on the Barracuda Web Filter. b. On Macintosh clits: From the context mu, select WSA Preferces. On the Barracuda Web Filter tab, click the Synchroni ze Settings button. Note that SSL Inspection does NOT work wh Policy Lookup Only Mode is abled on the Barracuda Web Filter. For more information about 7
SSL Inspection, see Using SSL Inspection With the Barracuda Web Filter. Policy Lookup Only Mode With the Barracuda Web Security Agt This article applies wh you use the Barracuda Web Security Agt (WSA) with the Barracuda Web Filter. If you are using the Barracuda WSA with the Barracuda Web Security Service, this feature does not apply. For satellite offices, mobile workers and studts, the Barracuda WSA allows secure web browsing access for any computer at any location, that complies with the web access and security policies of the organization. For more information about the Barracuda WSA, see Barracuda Web Security Agt - Overview. By default, the Barracuda WSA routes clit web traffic through the Barracuda Web Filter, which monitors traffic and applies policies before routing the traffic. However, wh using Policy Lookup Only mode, the Barracuda WSA deployed on the remote machine looks up policies configured on the Barracuda Web Filter for that user/clit, applies the policies, th routes allowed web traffic from the remote machine via the usual path to the Internet. Traffic is not routed through the Barracuda Web Filter. To able this mode, simply set Policy Lookup Only Mode to Yes on the ADVA NCED > Remote Filtering page of the Barracuda Web Filter web interface. Policy Lookup Only mode saves corporate bandwidth and reduces traffic through your Barracuda Web Filter; however, the following considerations may mitigate these advantages: Since the remote clit traffic does not pass through the Barracuda Web Filter, virus and malware scanning is not applied to this traffic. This is an important consideration wh deciding whether or not to able Policy Lookup Only Mode. Wh using Policy Lookup Only mode, because clit web traffic is not routed through the Barracuda Web Filter, SSL Inspection of HTTPS traffic is not available. See Using SSL Inspection With the Barracuda Web Filter for more information. If you want to be able to regulate social media applications such as Facebook or Twitter, block applications at the URL level or use Safe Search over HTTPS, you need to use SSL Inspection and set Policy Lookup Only Mode to No. Note Policy Lookup Only mode cannot be configured from the Barracuda WSA clit using the Configuration tool. It must be configured on the Barracuda Web Filter from the ADVANCED > Remote Filtering page. How to Install the Barracuda WSA with the Barracuda Web Filter Barracuda Networks recommds reading this tire article before installing the Barracuda Web Security Agt (WSA). After the Barracuda WSA is installed and configured, your web traffic is protected by the Barracuda Web Filter automatically. The Barracuda WSA directs all traffic from web browsers, and other application traffic on ports 80 and 443, to the Barracuda Web Filter. See also: Release Notes for the Barracuda Web Security Agt for Windows OR Release Notes for the Barracuda WSA for Macintosh After installation, continue with How to Configure the Barracuda WSA With the Barracuda Web Filter. In this article: Step 1. Download the Barracuda Web Security Agt Step 2. Understand Prerequisites for Installation or Upgrade Step 3. Understand and Select Key Options Before Installation Step 4. Select a Method For Installing the Barracuda WSA Step 5. Configure the WSA Installation Uninstalling the Barracuda WSA Step 1. Download the Barracuda Web Security Agt 1. Log into the Barracuda Web Filter as admin. 2. 8
2. 3. Go to the ADVANCED > Remote Filtering page. Download the installation files for MS Windows or for the Macintosh. Click the Help button on the page for details about available file types. Step 2. Understand Prerequisites for Installation or Upgrade The remote user must have an LDAP record in the domain. Because the Barracuda Web Filter will list on port 8280 (by default) for Barracuda WSA requests, you must make this port available for incoming and outgoing traffic to the Barracuda Web Filter. The Barracuda WSA cannot forward traffic properly if personal firewalls or other devices block non-standard ports. Create a port forward on your network firewall on port 8280 to the external IP address of your Barracuda Web Filter (as specified in the External Hostname/IP Address field on the ADVANCED > Remote Filtering page). The Barracuda WSA operates on network traffic at a low level within the operating systems, so some anti-virus applications may flag the Barracuda WSA as suspicious during installation or operation. Ensure that your anti-virus clit does not block or has an exception for any Barracuda WSA files that the anti-virus clit flags as suspicious. For Windows installations: The clit PC must have Windows installed on the C:\ drive for successful installation of the Barracuda WSA. The Barracuda WSA will not install successfully wh Windows is installed on the D:\ drive. You must have Microsoft.NET framework installed before you install the Barracuda WSA using the MSI installation method. The MSI file does not install the.net framework for you. If you do not install the.net framework before you begin installation with the.msi file, a message appears prompting you to download and install the.net framework and th install the Barracuda WSA. For system requiremts for Windows installations, see Requiremts for the Barracuda Web Security Agt With Windows. For system requiremts for Macintosh installations, see Installing the Barracuda WSA on a Macintosh. The Barracuda WSA is now localized for the following languages: German Japanese Dutch Chinese Chinese Traditional Portuguese Spanish Step 3. Understand and Select Key Options Before Installation Password Protection and User Privileges During installation, you have an option to specify a password to protect configuration options and control user privileges. If you specify a password during installation, that password is required for any user to: Change configuration settings Temporarily disable the Barracuda WSA (to allow a user to connect to a public network, such as at a captive portal in a hotel or coffee shop, before the Barracuda WSA starts again automatically after two minutes) Stop or start the Barracuda WSA service Uninstall Barracuda WSA on the clit Important! There is no password reset; if the password is lost, the administrator must reinstall the Barracuda WSA. Allow Uninstall Option During installation, you can choose the Allow Uninstall Through Add/Remove Programs option to allow Windows users to remove the Barracuda WSA from a PC or laptop using the Microsoft Windows Add or Remove Programs utility. Use the password protection feature to sure that unauthorized users cannot uninstall the Barracuda WSA. Note that the Barracuda WSA does not, by default, appear in the Windows Add or Remove Programs list. Stop/Start Service Option During installation, you can choose the option to let users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or wh the user needs to connect with their VPN (see below). You can use the password protection feature to sure that only authorized users can stop or start the Barracuda WSA. 9
VPN Interoperability The Barracuda WSA will forward all web traffic to the Barracuda Web Filter, so virtual private network (VPN) clits that rely on web browser settings to forward traffic to private networks may interfere with the Barracuda WSA s operation. In order to use a VPN clit on a PC that is running the Barracuda WSA, the d user may either have to: Stop the Barracuda WSA wh connecting with the VPN, Use the VPN in split tunnel mode, or Have the Barracuda Web Filter ter bypasses for the VPN server IP address in the Bypass Filter text box on the ADVANCED > Remote Filtering page of the Barracuda Web Filter web interface. You can also specify bypass exception network addresses in the Bypass field during manual local installation or by using the BYPASS option in a GPO installation. If you install and configure the Barracuda WSA so that d users may not stop and restart it, th only bypasses or split tunnel mode will work simultaneously with the Barracuda WSA. You can use the password protection feature, available during installation, to sure that only authorized users can stop or start the Barracuda WSA. Automatic Software Updates The Barracuda WSA periodically checks the Barracuda Web Filter for available software updates. Wh an upgrade is available, the Barracuda WSA automatically and siltly downloads and installs it, preserving any configuration information you have in place. The automatic updater works whether the Barracuda WSA is installed in regular mode or silt operating mode. Automatic updates may be disabled at installation for those network vironmts that prefer to manage upgrade deploymts manually. Step 4. Select a Method For Installing the Barracuda WSA Installation Using a Windows GPO From the Windows Interface push the Barracuda WSA to a group of remote computers using a Windows tool to create a template for the GPO. Installation using a Windows GPO from the Command Line push the Barracuda WSA to a group of remote computers from a batch (.bat) file on the server. Automated Deploymt of Barracuda WSA create a self-executing zip file to automatically pass installation parameters to the Barracuda WSA setup program. Manual local Installation from the Command Line Installing the Barracuda WSA on a Macintosh Caution Behavior in the Microsoft Small Business Server (SBS) 2008 breaks the server-clit trust relationship wh using GPO deploymt. The clit has to be rejoined to the server, manually. See GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server for instructions. Step 5. Configure the WSA Installation After you have installed the Barracuda WSA on your clit machines, continue with How to Configure the Barracuda WSA With the Barracuda Web Filter. Uninstalling the Barracuda WSA With Windows: See Uninstalling the Barracuda Web Security Agt for Win2K8 Server or Uninstalling the Barracuda Web Security Agt for Win2K3 Server, depding on your Windows server version. With the Macintosh: see Installing the Barracuda WSA on a Macintosh. GPO Installation of Barracuda WSA from the Windows Interface Note that behavior in the Microsoft Small Business Server (SBS) 2008 breaks the server-clit trust relationship wh using GPO deploymt. The clit has to be rejoined to the server, manually. See GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server for instructions. 10
Install the Barracuda WSA application on Win2K8 Server Step 1: Download the MSI Windows Installer Package and create an MST file 1. 2. 3. Log in to the Barracuda Web Filter Web interface with the administrator credtials. Navigate to the ADVANCED > Remote Filtering pag 4. 5. 6. 7. 8. 1. Create a Container or Organizational Unit. Op the Active Directory Users and Computers window. In the console tree, right-click your domain, and th select New -> Organizational Unit. Provide a name for the container and uncheck the checkbox Protect container from accidtal deletion so as to be able to delete this container later. If checkbox is marked, it is not possible to delete this container. In the same Active Directory Users and Computers window, to the Container, add the users and machines for which the policy needs to be applied. OR you can move the users from the USERS account to the container and machine accounts from COMPUTERS account to the container. Moving the users or machines prompts a warning. New domain users and computers can be created in this container. 2. Create a GPO. Click Start, point to Administrative Tools, and th click Group Policy Managemt. Expand the tree for your domain, select the newly created Container or OU, right-click and select the item Create a GPO in this domain, and Link it here. Provide a name for the GPO and click the OK button to close the window. This GPO will be added to your container and also to the Group Policy Objects list. 3. Now, select this GPO which is prest in your container and right-click. Click on Edit to op the Group Policy Managemt Editor. If you assign this application to a user, it is installed wh the user logs on to the computer. If you assign this application to a computer, it is installed wh the computer starts. 1. In the Group Policy Managemt Editor, expand Computer Configuration, th expand Policies and Software Settings. Select Software Installation, right-click and select New -> Package 2. In the op dialog box, make sure to type the full Universal Naming Convtion (UNC) path of the shared installer package that you want. For example: \\QAWIN2K8DC\msi files\barracudawsasetup.msi 3. Click Op. Select the Deploymt Method as Advanced and click OK. In the Barracuda Web Security Agt Properties window, Click on 4. 5. Log on to the server computer as an administrator. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. Clits to which you want to push the Barracuda WSA must have access to this shared folder. e. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agt section of the page. Save the MSI installer file in the shared folder on the network. Download the op source ORCA tool, a Windows installer package editor which you can use to create a Windows transform file (.mst file). You can download the ORCA tool from: http://www.softpedia.com/progdownload/orca-download-79861.html Launch the ORCA tool after download. Click on File -> Op in the dialog window. Select the installer package BarracudaWSASetupshar ed folder from the shared folder. Click on Op. Once all the database tables are loaded, select New Transform from the Transform mu item. You will see the Property table listing the following Properties with corresponding values to specify the use of Barracuda Web Filter as a service. Property:SERVICE_MODEValue:2 Property:USER_MODEValue:0 Property:SERVICE_URLValue:<Barracuda Web Filter IP Address> Property:SERVICE_PORTValue:8280 Select Gerate Transform from the Transform mu item. Save this.mst file in the same shared folder which contains the.msi file. Close the ORCA tool window. Step 2: Deploy the Barracuda WSA through the Active Directory by creating a GPO To assign an application to a computer: the Modifications tab and click the Add button. In the Op dialog box, type the full Universal Naming Convtion (UNC) path of the.mst Transform file. For example, \\QAWIN2K8DC\msi files\mysetup.mst and click Op. Click the OK button in the Barracuda Web Security Agt Properties window, and close all op windows. From the command-line window, run the command to force an update of group policy: C:\Users\Administrator>gpupdate /Force You should see the following output: Updating Policy... User Policy update has completed successfully. Computer Policy update has completed successfully. 11
To assign an application to a user: 1. 2. 1. 2. 3. Expand User Configuration, and th expand Policies and Software Settings. Select Software installation, right-click and select New -> Package. The rest of the setup for User Configuration is similar to the Computer Configuration as described above, concluding with a forced group policy update. Step 3: Application Install (both Win2K3 and Win2K8 servers) Start a computer that is joined to the domain for applying the computer-based policy. Log in as the domain user to apply the user-based policy. You should see the Barracuda WSA Monitor icon in the system tray. This indicates that the Barracuda WSA application has be installed. You can also verify this in Add/Remove Programs from the Windows Control Panel. Install the Barracuda WSA application on Win2K3 Server Step 1: Download the MSI Windows Installer Package and create an MST 1. 2. 3. 4. 5. 6. 7. 8. 1. Create a Container or Organizational Unit. Op the Active Directory Users and Computers window. In the console tree, right-click your domain, and th select New -> Organizational Unit. Provide a name for the container and Click OK. In the same Active Directory Users and Computers window, to the Container, add the users and machines for which the policy needs to be applied. OR you can move the users from the USERS account to the container and machine accounts from COMPUTERS to the container. Moving the users or machines prompts a warning. New domain users and computers can be created in this container. 2. Create a GPO. Op the Active Directory Users and Computers window, select your domain, right-click and select Properties. In the Properties window, click on the Group Policy tab. Click on New button. Provide a name for this new Policy object. Close the Properties window by clicking on Close button. 3. Link this GPO to the new Container. In the same Active Directory Users and Computers window, select the new container, right-click and choose Properties. In the Properties window, click on the Group Policy tab. Click the Add button. In the window Add a Group Policy Object Link, click the All tab. Select the new GPO and Click OK to close the window. Click on Apply and OK to close the Container Properties window. If you assign this application to a user, it is installed wh the user logs on to the computer. If you assign this application to a computer, it is installed wh the computer starts. 4. Deploy the application. 1. 2. 3. 4. Log on to the server computer as an administrator. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. Log in to the Barracuda Web Filter interface using the administrator credtials. Navigate to the ADVANCED > Remote Filtering page. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agt section of the page. Save the MSI Installer file in the shared folder. Download the op source ORCA tool, a Windows installer package editor which you can use to create a Windows transform file (.mst file). You can download the ORCA tool from: http://www.softpedia.com/progdownload/orca-download-79861.html. Launch the ORCA tool after download. Click on File -> Op in the dialog window. Select the installer package BarracudaWSASetupshar ed folder from the shared folder. Click on Op. Once all the database tables are loaded, select New Transform from the Transform mu item. Select the Property table from the left list. Scroll to the bottom of the table, right click and select Add Row. Add the following Properties with corresponding values to specify the use of Barracuda Web Filter as a service. Property:SERVICE_MODE Value:2 Property:USER_MODE Value:0 Property:SERVICE_URL Value:< Barracuda Web Filter IP Address> Property:SERVICE_PORT Value:8280 After adding all the properties, select Gerate Transform from the Transform mu item. Save this.mst file in the same shared folder which contains the.msi file. Close the ORCA tool window. Step 2: Deploy the Barracuda WSA application through the Active Directory by creating a GPO To assign the application to a computer: Right-click your domain in Active Directory Users and Computers window and select Properties. In the domain Properties window, click on the Group Policy tab. Select the new GPO and click on the Edit button. This ops the Group Policy Object Editor. Expand Computer Configuration, and th Software Settings. Select Software installation, right-click and select New -> Package In the Op dialog box, make sure you type the full Universal Naming Convtion (UNC) path of the shared installer package that you want. For example, \\WFDEVDC01\msi files\barracudawsasetup.msi Click Op. Select the Deploymt Method as Advanced and click OK. In the Barracuda Web Security Agt Properties window, Click on the Modifications tab and click the Add button. In the Op dialog box, 12
4. 5. type the full Universal Naming Convtion (UNC) path of the.mst Transform file. For example, \\WFDEVDC01\msi files\mysetup.mst and click Op. Click the OK button in the Barracuda Web Security Agt Properties window. Close all the op windows. From the command-line window, run the command to force update of group policy. C:\Documts and Settings\Administrator.WFDEVDC01>gpupdate/Force Refreshing Policy.. User Policy Refresh has completed. Computer Policy Refresh has completed. To check for errors in policy processing, review the evt log. Certain user policies are abled that can only run during login. Certain computer policies are abled that can only run during startup. 1. 2. 3. OK to Reboot? (Y/N) If the server computer is rebooted, it installs the Barracuda WSA on the server machine also. To assign the application to a user: Expand User Configuration, th expand Policies and Software Settings. Select Software installation, right-click and select New -> Package The rest of the setup for User Configuration is similar to Computer Configuration as described above, concluding with a forced group policy update. Step 3: Application Install (both Win2K3 and Win2K8 servers) Start a computer that is joined to the domain for applying the computer-based policy. Log in as the domain user to apply the user-based policy. You should see the Barracuda WSA Monitor icon in the system tray. This indicates that the Barracuda WSA application has be installed. You can also verify this in Add/Remove Programs from the Windows Control Panel. Troubleshooting A common cause of failure is that the user and/or the user s computer does not have adequate access to the share location. Verify that all access and network privileges have be configured appropriately. Additional error messages may be found in the Evt Log on the domain computer. If the Evt Log has no useful information, consider abling verbose logging and restarting the computer. Additional information on fixing Group Policy issues can be found on the Microsoft technet: http://technet.microsoft.com/-us/library/cc7 75423.aspx GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server This article addresses some behaviors specific to Microsoft Small Business Server (SBS) that the administrator needs to know about wh installing the Barracuda Web Security Agt (WSA) using a GPO. First, complete the GPO installation of the Barracuda WSA. Refer to: Installation Using a Windows GPO From the Windows Interface OR Installation using a Windows GPO from the Command Line for information about installing the Barracuda WSA using a GPO to push it out to remote clits. Next, note that using GPO deploymt on Microsoft Small Business Server (SBS) 2008 breaks the server-clit trust relationship. The clit has to be rejoined to the server, manually. After completing GPO installation steps, the clit computers will have the Barracuda WSA installed after a reboot. But in Active Directory, wh pulling the computer back into the 'SBSComputers' OU, remote access services from the server side are no longer available. The server cannot connect to the clit, ev if the clit still shows up in the console. You must remove the clit from that folder and re-join it to the DC in order to re-establish the trust relationship. Installation using a Windows GPO from the Command Line The Barracuda WSA can be pushed to a group of remote computers using a GPO from the command line with a batch file. The batch file simply needs to contain one line, indicating the name of the msiexec file that executes the.msi file used to install the application, and any options you 13
specify per the table below. The.msi installer file is downloadable from the ADVANCED > Remote Filtering page on the Barracuda Web Filter. Step 1: Download the MSI Windows Installer Package and create an MST file 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Log on to the server computer as an administrator. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. Clits to which you want to push the Barracuda WSA in the Windows domain must have access to this shared folder. Log in to the Barracuda Web Filter interface with the administrator credtials. Navigate to the ADVANCED > Remote Filtering page. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agt section of the page. Save the MSI installer file in the shared folder on the network. Create a one-line batch file (per the syntax in the example below) and save the file on a network shared folder that is accessible to all remote computers to which you want to push the Barracuda WSA. Include the options and argumts per the table below. Create a GPO container for all users / machines to which you want to push the application. Create a GPO with the Windows GPO editor. In the GPO editor, select either startup or shutdown to trigger wh the GPO installs the application on the remote machine. Add the batch file (script) you saved in the shared folder. The application should th install siltly on the remote machine wh the user either logs in or shuts down the machine. Example of the command line to put into the batch file: BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn ALLOW_REMOVE=1 EXCEPTIONS=chrome.exe safari.exe APPLICATIONS=explorer.exe firefox.exe BYPASS=11.11.11.0;*.myWebfilter.com;192.168.* PASSWORD=pass" This example also writes a log file to the setup directory called setup.log. Command Line Argumts and Options Use the following argumts and options to control the configuration of Barracuda WSA. Argumts: s runs Setup.exe in silt mode (no dialog boxes). v passes the /qn (no UI) parameter to the installer, which runs the executable in silt mode. The following table describes additional options: Option Description ALLOW_REMOVE 1 indicates that users are allowed to remove the Barracuda WSA. 0 indicates that users are NOT allowed to remove the Barracuda WSA. EXCEPTIONS APPLICATIONS BLOCKS If there are specific applications from which you don t want to capture any traffic, type them in as a pipe-delimited list. Type a pipe-delimited list of applications that will forward all ports to the Barracuda Web Filter. Type a pipe-delimited list of applications to block. Example: BLOCKS=block1.exe block2.exe 14
BYPASS Type a semi-colon-delimited list of network addresses that you want to bypass the Barracuda Web Filter, such as trusted internal networks. Guidelines: Use a * in any octet (except the first) to indicate any. Bypass tries that begin with a dot (.) will include any URL that matches the dot and subsequt string(s). For example, if you use *.example.com as a bypass try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. PASSWORD Type the password users must know to configure, stop or start the Barracuda WSA. USER_MODE 0 indicates ordinary operation. 1 indicates silt operation. SERVICE _URL Type the IP address or hostname of the Barracuda Web Filter, followed by SERVICE_PORT and the port number. SERVICE_PORT Type the port number of the Barracuda Web Filter, which is 8280 by default. This parameter follows the SERVICE_URL. Example: SERVICE_URL=myWebFilter.com SERVICE_PORT=8280 SERVICE_MODE 2 indicates that you are using the Barracuda Web Filter. Example: SERVICE_MODE=2 DISABLE_AUTOMATIC_UPDATES 1 indicates that updates are DISABLED. 0 indicates that updates are ENABLED. DEFAULT_BEHAVIOR 1 indicates that all application traffic is forwarded to ports 80 and 443 by default. 2 indicates that no application traffic is forwarded by default and you specify only the applications to filter. 3 indicates all applications are blocked by default and only applications you specify for filtering are forwarded. 15
PROXY_EXCEPTIONS Type a semi-colon-delimited list of network addresses to specify proxy exceptions for internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering. Guidelines: Use a * in any octet (except the first) to indicate any. Entries that begin with a dot (.) will include any URL that matches the dot and subsequt string(s). For example, if you use *.example.com as a proxy exception try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. Manual local Installation from the Command Line Local installation from the command line on the remote PC follows the same procedure as Installation using a Windows GPO form the Command Line without using a GPO. You can simply execute a one line command with options and argumts as shown below to immediately install the Barracuda WSA on the remote computer. Use the following command to install on a Windows PC or laptop: BarracudaWSASetup.exe /s /v" /qb SERVICE_MODE=2 SERVICE_URL=10.1.0.51 SERVICE_PORT=8280 WD=1 Argumts and Options Use the following argumts and options to control the configuration of the Barracuda WSA. Argumts: s runs Setup.exe in silt mode (no dialog boxes). v passes the /qn (no UI) parameter to the installer, which runs the executable in silt mode. You can set the USER_MODE switch to 1 for silt operation (the d user will not see the Barracuda WSA icon in the System Tray or Start Mu). The following table describes additional options: Option ADS Description 1 indicates that users are allowed to disable the Barracuda WSA. 0 indicates that users are NOT allowed to disable the Barracuda WSA. ALLOW_REMOVE 1 indicates that users are allowed to remove the Barracuda WSA. 0 indicates that users are NOT allowed to remove the Barracuda WSA. ALLOW_UPDATE 1 allows seamless updates to the Barracuda WSA. The Check for Update mu option does not appear in the Configuration Tool (default). 0 disables seamless updates. The Check for Update mu option appears in the Configuration Tool. 16
APPLICATIONS Type a pipe-delimited list of applications to be filtered on all ports to the Barracuda Web Filter. Example: APPLICATIONS= iexplore.exe firefox.exe AUTH_KEY If you are configuring the Barracuda WSA to connect to the Barracuda Web Security Service, you must provide an AUTH_KEY d uring the installation which connects the Barracuda WSA agt to your account. You can obtain or gerate the AUTH_KEY from the Barracuda Web Security Service console in the Configuration > Key Managemt page. If you are configuring the Barracuda WSA to connect to a hardware or virtual appliance, do not use an AUTH_KEY ; instead, ter the number "1". BLOCKS Type a pipe-delimited list of applications to block. Example: BLOCKS=block1.exe block2.exe BYPASS Type a semi-colon-delimited list of network addresses that you want to bypass the Barracuda Web Filter, such as trusted internal networks. Guidelines: Use a * in any octet (except the first) to indicate any. Bypass tries that begin with a dot (.) will include any URL that matches the dot and subsequt string(s). For example, if you use *.example.com as a bypass try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. DEBUG 1 indicates that the Debug mode is ENABLED. 0 indicates that the Debug mode is DISABLED (default). DEFAULT_BEHAVIOR 1 indicates that all application traffic is forwarded to ports 80 and 443 by default. 2 indicates that no application traffic is forwarded by default and you specify only the applications to filter. 3 indicates all applications are blocked by default and only applications you specify for filtering are forwarded. DISABLE_AUTOMATIC_UPDATES 1 indicates that updates are DISABLED. 0 indicates that updates are ENABLED. EXCEPTIONS If there are specific applications from which you don t want to capture any traffic, type them in as a pipe-delimited list. 17
LANG Specifies the language that the Barracuda WSA uses on English operating systems. German: de-de Japanese: ja-jp Dutch: nl-nl Chinese: zh-cn Chinese Traditional: zh-tw Portuguese: pt-br Spanish: es-es PASSWORD PROXY_EXCEPTIONS Type the password users must know to configure, stop or start the Barracuda WSA. Type a semi-colon-delimited list of network addresses to specify proxy exceptions for internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering. Guidelines: Use a * in any octet (except the first) to indicate any. Entries that begin with a dot (.) will include any URL that matches the dot and subsequt string(s). For example, if you use *.example.com as a proxy exception try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. SERVICE_MODE 2 indicates that you are using the Barracuda Web Filter. Example: SERVICE_MODE=2 SERVICE_PORT Type the port number of the Barracuda Web Filter, which is 8280 by default. This parameter follows the SERVICE_URL. Example: SERVICE_URL=myWebFilter.com SERVICE_PORT=8280 SERVICE_URL Type the value of the External IP address defined on the ADVANCE D > Remote Filtering page from within the Barracuda Web Filter interface, followed by SERVICE_PORT and the port number (Destin ation Port on the same page). Do not use the hostname; this parameter must use an IP address. See the example syntax at the top of this article. USER_MODE 0 indicates ordinary operation. 1 indicates silt operation. WD 1 ables the watchdog feature. 0 disables the watchdog feature (default). Here is another example using various options: BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn AUTH_KEY=11111111111111111111111111111111111111 ALLOW_REMOVE=1 EXCEPTIONS=chrome.exe safari.exe APPLICATIONS=explorer.exe firefox.exe BYPASS=11.11.11.0;*.purewire.com;192.168.* ADS=1 PASSWORD=pass" The above example also writes a log file to the setup directory called setup.log. 18
How to Configure the Barracuda WSA With the Barracuda Web Filter Initial Configuration Begin initial configuration of your Barracuda WSA installation by doing the following. After completing the steps in this article, continue with Config uration Tool for Barracuda WSA Windows Clit or Configuring Preferces for Barracuda WSA Macintosh Clit. 1. 2. 3. 4. 5. Log into the Barracuda Web Filter web interface as admin. On the ADVANCED > Remote Filtering page, idtify the external IP address of your Barracuda Web Filter in the External Hostname/IP field so that the Barracuda WSA can direct user web traffic to that IP address. Note: It is recommded that you ter the hostname of your Barracuda Web Filter in case the IP address of the appliance changes, which would interrupt service for your currt Barracuda WSA installations in the field. If you do ter the IP address and must change it at some point, the following procedure is required to sure minimal service interruptions: a. Create the new IP address forward on your network firewall while the existing/old Barracuda Web Filter IP address is still accessible to Barracuda WSA installations. b. Enter the new IP address in this field so that the Barracuda WSA in the field can be updated with the new IP address of the Barracuda Web Filter. c. Once all of your Barracuda WSA installations are updated with the new IP address, you can expire the old IP address. Idtify all of your internal IP addresses and proxies, th tering those in the Bypass Filter and Proxy Exception text boxes. This will exempt these IP addresses from traffic redirection. If you have a PAC or WPAD driv proxy setup, sure that the proxy hosts are also listed as Proxy Exceptions. Create a port forward on your network firewall on port 8280 to the external IP address of your Barracuda Web Filter (External Hostname/IP). Click the Help button on the ADVANCED > Remote Filtering page for details on the above and other configuration options. SSL Inspection and the Barracuda WSA Available with the Barracuda Web Filter 7.1 and higher If you want the Barracuda Web Filter to be able to monitor and block web traffic over HTTPS for Facebook applications, YouTube applications, Gmail and other subapplications that run over HTTPS, you can able SSL inspection on the Barracuda Web Filter and for remote users running the Barracuda WSA. To configure the Barracuda Web Filter to use SSL Inspection, see How to Configure SSL Inspection 7.0 and the ADVANCE D > SSL Inspection page in the Barracuda Web Filter web interface. Wh you configure SSL Inspection on the Barracuda Web Filter, all traffic from the Barracuda WSA is also subject to SSL Inspection automatically. For more about how SSL Inspection works and why it is important, see Using SSL Inspection With the Barracuda Web Filter. Note that SSL Inspection will not work wh is abled in the page on Policy Lookup Only Mode ADVANCED > Remote Filtering the Barracuda Web Filter. Web Connectivity Issues and the Barracuda WSA Once the Barracuda WSA is deployed for d users, the administrator can do any of the following to address any web connectivity issues users might have wh using the Barracuda WSA on their remote laptops and PCs: Temporarily disable the Barracuda WSA if the user is expericing any problems wh they are logging into the network from a hotel or other captive portal. Check to see if the Captive Portal feature is abled on the BLOCK/ACCEPT > Configuration page of your Barracuda Web Filter. Stop the Barracuda WSA service on the user s laptop or PC. Uninstall the Barracuda WSA from the users s laptop or PC. See related article on uninstalling the agt. See Also How to Install the Barracuda WSA with the Barracuda Web Filter Uninstalling the Barracuda Web Security Agt for Win2K8 Server Uninstalling the Barracuda Web Security Agt for Win2K3 Server How to Configure the Barracuda WSA With the Barracuda Web Security Service 19
Initial Configuration Begin initial configuration of your Barracuda WSA installation by doing the following. After completing the steps in this article, continue with Configuration Tool for Barracuda WSA Windows Clit or Configuring Preferces for Barracuda WSA Macintosh Clit. 1. Log into the Barracuda Web Security Service. 2. I think this is already covered for the WSS on prev. pages...flesh this out... After installing the Barracuda WSA on user clit machines, you only need to define the Ser vice Host, Port and Authtication Key on the clit. All other settings will be overwritt with what you have configured in the profile in the Barracuda Web Security Service each time the user's machine is rebooted or the user logs on. You can also force an overwrite, or Sync, of the settings on the clit: : With the Barracuda WSA for Windows - by right clicking the Barracuda WSA icon in the task tray, and selecting Sync. With the Barracuda WSA for Macintosh - by clicking Synchronize Settings in the WSA Preferces window. Related Articles Configuration Tool for Barracuda WSA Windows Clit Configuring Preferces for Barracuda WSA Macintosh Clit 2a. Create the new IP address forward on your network firewall while the existing/old Barracuda Web Security Service IP address is still accessible to Barracuda WSA installations. 2b. Enter the new IP address in this field so that the Barracuda WSA in the field can be updated with the new IP address of the Barracuda Web Security Service. 2c. Once all of your Barracuda WSA installations are updated with the new IP address, you can expire the old IP address. 3. Idtify all of your internal IP addresses and proxies, th tering those in the Bypass Filter and Proxy Exception text boxes. This will exempt these IP addresses from traffic redirection. If you have a PAC or WPAD driv proxy setup, sure that the proxy hosts are also listed as Proxy Exceptions. 4. Create a port forward on your network firewall on port 8280 to the external IP address of your Barracuda Web Security Service (External Hostname/IP). 5. See the REMOTE FILTERING > Web Security Agt page for details on the above and other configuration options. Web Connectivity Issues and the Barracuda WSA Once the Barracuda WSA is deployed for d users, the administrator can do any of the following to address any web connectivity issues users might have wh using the Barracuda WSA on their remote laptops and PCs: Temporarily disable the Barracuda WSA if the user is expericing any problems wh they are logging into the network from a hotel or other captive portal. Stop the Barracuda WSA service on the user s laptop or PC. Uninstall the Barracuda WSA from the users s laptop or PC. Using the Barracuda WSA with the Barracuda Web Security Service Use the Barracuda Web Security Agt (WSA) to filter web traffic, detect and block malware, and sure safe browsing for off-network users. Wh you deploy the Barracuda WSA on each remote desktop, Mac OSX computer, or laptop, all web traffic for those clits is signed by the Barracuda WSA. Browsing policies created in the Barracuda Web Security Service are th applied to that traffic as it is returned to the clit, providing secure web browsing access. Barracuda recommds reading and understanding this article before installing the agt. Continue with How to Install the Barracuda WSA with 20
the Barracuda Web Security Service. See also: In this article: Release Notes for Barracuda Web Security Agt for Windows OR Release Notes for Barracuda Web Security Agt for Macintosh. How the Barracuda WSA Works System Requiremts Managing the Barracuda WSA Creating Configuration Profiles for your Barracuda WSA Encryption Application Filtering Password Tamper Prevtion Password Protection User Privileges VPN Interoperability Automatic Software Updates Connection Testing Silt Operation Barracuda WSA and the Web Security Gateway How the Barracuda WSA Works The Barracuda WSA intercepts all HTTP/S and FTP traffic through any connection on the clit without regard for the type of web browser. This includes Ethernet, wireless, or dial-up connections. The Barracuda WSA: attaches user information to web requests, th directs traffic to the Barracuda Web Security Service or, if applicable, the Barracuda Web Security Gateway. The Barracuda WSA prevts malware from reaching clit computers. Only safe traffic is passed to web browsers. After the Barracuda WSA is installed and configured, your web traffic is protected by the Barracuda Web Security Service automatically. The Barracuda WSA directs all traffic from web browsers, and other application traffic on ports 80 and 443, to the Barracuda Web Security Service. Use configuration profiles to define how the Barracuda WSA filters traffic. You can install the Barracuda Web Security on Microsoft Windows or Macintosh machines. System Requiremts For Windows: see Requiremts for the Barracuda Web Security Agt With Windows. For Macintosh: see Installing the Barracuda WSA on a Macintosh Managing the Barracuda WSA You can manage the Barracuda WSA in one of three ways: If you use Barracuda WSA clits that are version 3.3 or higher, you can ctrally manage all of your Barracuda WSA clits from the RE MOTE FILTERING > Web Security Agt page of the Barracuda Web Security Service Manager interface. Configuration settings for ctrally managed Barracuda WSA clits are defined in a configuration Profile that you create on that page. You can create, modify, delete, or assign Profiles to Barracuda WSA clits in a group, on a machine, or for an individual user. If you already have Barracuda WSA version 3.3 or higher installed on your network, your configuration profiles are automatically populated in the REMOTE FILTERING > Web Security Agt page of the Barracuda Web Security Service Manager interface. You can use Windows GPO (Group Policy Object) or command line argumts to make changes to the Barracuda WSA clits on your network. To edit settings locally for an individual Agt, use the Configuration Tool in the Agt interface: see: For Windows Configuration Tool for Barracuda WSA Windows Clit For Macintosh Configuring Preferces for Barracuda WSA Macintosh Clit 21
Important! Note that any changes made on the clit with the configuration tool are OVERRIDDEN each time the Barracuda WSA synchronizes with the Barracuda Web Security Service. Synchronization happs: Wh the user logs onto the clit machine Wh the Barracuda WSA gets restarted on the clit machine If the clit machine network address changes If the user manually syncs the Barracuda WSA; only allowed if configured by administrator Creating Configuration Profiles for your Barracuda WSA 1. 2. 3. Log into the Barracuda Web Security Service. Go to the REMOTE FILTERING > Web Security Agt page. Click the Add Profile button to create a new profile and fill in the fields. The settings you select in the configuration profile allow you to define settings you can apply to specific Barracuda WSA clits. Make sure to define one or more profiles before installing the Barracuda WSA on user clits. Note: After installing the Barracuda WSA on user clit machines, you only need to define the Service Host, Port and Authtication Key on the clit. All other settings will be overwritt (synchronized with the host) with what you have configured in the profile in the Barracuda Web Security Service. Synchronization happs wh: each time the user's machine is rebooted or the user logs on. You can also force an overwrite, or Sync, of the settings on the clit: The user's machine is rebooted or the user logs on. The network IP address of the clit machine is changed. Manually, with the Barracuda WSA for Windows - by right clicking the Barracuda WSA icon in the task tray, and selecting Sync. Manually, with the Barracuda WSA for Macintosh - by clicking Synchronize Settings in the WSA Preferces window. Encryption The Barracuda WSA redirects traffic on port 8080 by default. Application Filtering The Barracuda WSA automatically forwards web browser traffic on all ports, and forwards traffic from all other applications on ports 80 and 443. You can specify how the Barracuda WSA filters application traffic by default: Filter traffic on ports 80 and 443 for all applications, Filter traffic for specified applications and allow traffic for all other applications, or Filter traffic for specified applications and block traffic for all other applications. If you have specific applications that use other ports, you can add them to the Applications to Filter (All Ports) list. To access this list, go to the Start > All Programs > Barracuda > Web Security Agt > Configuration scre, and th click Advanced to display the advanced options. Password Tamper Prevtion Password Protection You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or wh the Barracuda WSA operates behind a Barracuda Web Security Gateway in transpart mode. You can use the password protection feature to sure that only authorized users can stop or start Barracuda WSA. During installation, you have an option to specify a password to protect configuration options and control user privileges. If you choose to specify a password, that password is required for any user to: Change configuration settings Temporarily disable the Barracuda WSA Change the service host based on response times (see Fallback Service Hosts and the Barracuda Web Security Service) Stop or start the Barracuda WSA Uninstall the Barracuda WSA There is no password reset; if the password is lost, you must reinstall the Barracuda WSA. 22
User Privileges Allow Uninstall Option You can choose the Allow Uninstall Through Add/Remove Programs option during installation to allow the user to remove the Barracuda WSA from a computer using the Microsoft Windows Add or Remove Programs window. The Barracuda WSA does not, by default, appear in the Windows Add or Remove Programs list. If you did not able the Allow Uninstall Through Add/Remove Programs option during installation, the user must contact the System Administrator for assistance. You can able the Allow Uninstall Through Add/Remove Programs option during installation and use the password protection feature to sure that unauthorized users cannot uninstall the Barracuda WSA. If you did not able the Allow Uninstall Through Add/Remove Programs option during installation, contact Barracuda Networks Technical Support to uninstall Barracuda WSA. Temporarily Disable Service Option If the Barracuda Web Security Service prevts users from logging onto a public network, such as at a captive portal in a hotel or coffee shop, you can temporarily disable Barracuda WSA and connect to the public network. After five minutes, the Barracuda WSA automatically re-ables itself. Right-click the Barracuda Networks icon on the desktop or system tray. Select Temporarily Disable. The Barracuda WSA is disabled for five minutes, during which you can connect to the previously blocked network. It th re-ables itself. The user can disable the Barracuda WSA three times before the option is no longer available. A reboot of the clit machine restarts the counter. Stop/Start Service Option You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or wh the Barracuda WSA operates behind a Barracuda Web Security Gateway in transpart mode. You can use the password protection feature to sure that only authorized users can stop or start Barracuda WSA. If you chose the Allow User to Disable Service option during installation, the user can stop and start the Barracuda WSA service. If you specified a password during installation, the user must provide the password that you created in order to stop or start the service. To stop the Barracuda WSA: Right-click the Barracuda Networks icon on the desktop or system tray. Select Stop Service. If prompted for a password, type the password, and th click OK. The Barracuda WSA is stopped until you restart it or reboot. The Barracuda Networks icon in the system tray is grayed out. To restart the Barracuda WSA: Right-click the Barracuda Networks icon on the desktop or system tray. Select Start Service. Allow Users to Change Service Host With version 4.3.0 or higher, you can allow users the option to select another host from the Host drop-down in the context mu on the clit if there is another service host (Barracuda Web Security Service) available that has faster response times. This involves also configuring the Barracuda WSA to poll available service hosts and rank them by response times by checking the Automatically Select Service Host setting in the profile(s) you create on the REMOTE FILTERING > Web Security Agt page. See Fallback Service Hosts and the Barracuda Web Security Service for details. VPN Interoperability The Barracuda WSA is designed to forward all web traffic to the Barracuda Web Security Service, so virtual private network (VPN) clits that rely on web browser settings to forward traffic to private networks may interfere with Barracuda WSA s operation. In order to use a VPN clit on a PC that is running Barracuda WSA, a user may need to do one of the following: stop Barracuda WSA wh connecting with the VPN, use the VPN in split tunnel mode, or ter bypasses for the VPN server IP address. 23
If you install and configure Barracuda WSA so that d users may not stop and restart Barracuda WSA, th only bypasses or split tunnel mode will work simultaneously with Barracuda WSA. You can use the password protection feature, available during installation, to sure that only authorized users can stop or start Barracuda WSA. Automatic Software Updates Barracuda WSA periodically checks the Barracuda Web Security Service for available software updates. Wh an upgrade is available, Barracuda WSA automatically and siltly downloads and installs it, preserving any configuration information you have in place. The automatic updater works whether Barracuda WSA is installed in regular mode or silt operating mode. The automatic updates may be disabled at installation for those network vironmts that prefer to manually upgrade. Connection Testing At the beginning of each session, Barracuda WSA tests its connection with the Barracuda Web Security Service. If there is a problem with the connection, it displays a message that it cannot connect to the Barracuda Web Security Service. If you opted to use the password protection feature during installation and have the password, you can disable the Barracuda WSA, either permantly or temporarily. Silt Operation If other people will be using the computer or you are concerned about tampering, you may want users to remain unaware that the Barracuda WSA is installed. If so, choose the silt operation option during installation. The Barracuda WSA icon will not appear in the user s task tray, and shortcuts will not exist in the Start mu. To change settings for a Barracuda WSA installation in silt operation mode, you must go into the Barracuda Networks directory and launch Barracuda WSA configuration manually. Barracuda WSA and the Web Security Gateway In corporate vironmts that use a Barracuda Web Security Gateway, if you direct proxy clits to the Barracuda Web Security Gateway, or any other internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering, you must specify those proxy exception network addresses. You can specify proxy exceptions during installation, on the CONFIGURATION scre in the Proxy Exceptions bo x, or by using the PROXY_EXCEPTIONS option from the command line. Proxy Exceptions for an already installed Barracuda WSA can be viewed and modified by editing the corresponding configuration profile. Select the Profile from the REMOTE FILTERING > Web Security Agt page, Configuration Profiles section. Add, edit or remove Proxy Exceptions, and th Save Changes. If you use the Barracuda WSA behind a Barracuda Web Security Gateway, the Barracuda WSA detects that the Barracuda Web Security Gateway is reachable and automatically stops redirecting traffic so that web traffic flows through the Barracuda Web Security Gateway for filtering. Continue with How to Install the Barracuda WSA with the Barracuda Web Security Service. How to Install the Barracuda WSA with the Barracuda Web Security Service To route all web traffic from Windows or Mac laptops or desktops through the Barracuda Web Security Service: Step 1. Create an Authtication Key using the Barracuda Web Security Service that you will ter during the Barracuda WSA installation process. The Authtication Key ables the Barracuda Web Security Service to idtify traffic from your remote computer(s). 1. 2. 3. In the Barracuda Web Security Service Manager, go to CONFIGURATION > Key Managemt, and click Add New Key. Type a Name for the authtication try. Select the Barracuda Web Security Gateway/Web Security Agt option; copy the value in the Key field and save it to a secure place. You will ter the Authtication key during Agt installation. Click Save Changes. Step 2. Download the installation files for MS Windows or Macintosh using the following steps: 1. Log into the Barracuda Web Security Service Manager interface. 2. Click Barracuda Web Security Service at the top of the Barracuda Cloud Control account scre. The Barracuda Web Security Service Manager interface appears on the scre. 3. From the SUPPORT tab of the Barracuda Web Service Manager, select the Barracuda Web Security Agt version you want to download to your system. Also note the Service Host URL that appears on the Support tab, as you will ter this into the Barracuda 24
3. WSA clit so it knows where to direct web traffic. Step 3. Install the Barracuda WSA for Windows either from the command line, using the automated installation option with an MSI or EXE file, or using Windows GPO. For detailed installation instructions for Automated Installation, Command Line Installation, GPO Installation, or installing on a Mac, use the instructions below: Automated Deploymt of Barracuda WSA GPO Installation of Barracuda WSA from the Windows Interface GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server Installation using a Windows GPO from the Command Line Manual local Installation from the Command Line Installing the Barracuda WSA on a Macintosh Continue by configuring the Barracuda WSA clit: Configuration Tool for Barracuda WSA Windows Clit Configuring Preferces for Barracuda WSA Macintosh Clit Fallback Service Hosts and the Barracuda Web Security Service - applies to both Windows and Macintosh deploymts Automated Deploymt of Barracuda WSA Automated Installation The Barracuda WSA is designed to support automated installation processes in place in many organizations for managing software deploymts. The Barracuda WSA installation program is available as an MSI or an EXE file for flexibility in deploymt methods. This article explains a method for creating a self-executing zip file using free tools. You can use this file to automatically pass installation parameters to the Barracuda WSA setup program. Similar processes support MSI installation methods. Consult the documtation for your software deploymt solution for details on how to use a typical MSI or EXE installation program. Requiremt for Automated Installation You must have a file archiving utility capable of creating a self-extracting.exe file. You must have Microsoft.NET framework installed before you install the Barracuda WSA using the MSI installation method. The MSI file does not install the.net framework for you. If you do not install the.net framework before you begin installation with the.msi file, a message appears prompting you to download and install the.net framework and th install the Barracuda WSA. For Microsoft.NET Framework and Windows version compatibility, see Requiremts for the Barracuda Web Security Agt With Windows. Set Up the Directory To set up the installation directory: 1. 2. 3. 4. Create a directory for the setup program (For example: c:\barracudawsa). Copy the Barracuda WSA setup file to the directory. Create a setup.bat file to execute the setup program. Example (type all on one line): C:\barracudawsasetup.msi" /qb! /lvmo c:\setup.log AUTH_KEY=11111111111111111111111111111111111111 SERVICE_URL=ple1.proxy.purewire.com SERVICE_PORT=8080 DEFAULT_BEHAVIOR=2 ADS=1 USER_MODE=0 Put the setup.bat file in your setup program directory. The Barracuda WSA uses a Service Host URL provided on the SUPPORT tab of the Barracuda Web Security Service Manager. To find the SERVICE_URL value for the setup.bat installation file, log into the Barracuda Web Security Service Manager, select the SUPPORT tab, and retrieve the Service Host URL. Create a Compressed File Use Windows Explorer to create a compressed file from the setup program directory that contains the Barracuda WSA setup program and your setup.bat file. 25
Create a Self-Extracting Archive Use the file archive utility EXE creator to create a self-extracting file of the compressed directory. Deploymt The self-extracting installation program may now be distributed via login script, network share, or other means for automated installation of the Barracuda WSA. GPO Deploymt of the Barracuda WSA From the Command Line The Barracuda WSA can be pushed to a group of remote computers using a GPO from the command line with a batch file. The batch file simply needs to contain one line, indicating the name of the msiexec file that executes the.msi file used to install the application, and any options you specify per the table below. You can download the.msi installer file from the SUPPORT > Downloads page in the Barracuda Web Security Service. Step 1: Download the MSI Windows Installer Package and create an MST file 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Log on to the server computer as an administrator. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. To push the Barracuda WSA in the Windows domain the desired Clits must have access to this shared folder. Log in to the Barracuda Web Security Service interface with the administrator credtials. Go to the SUPPORT tab. Click on the Barracuda WSA for Windows (msi) link. Save the MSI installer file in the shared folder on the network. Create a one-line batch file (per the syntax in the example below) and save the file on a network shared folder that is accessible to all remote computers you want to monitor. Include the options and argumts per the table below. Create a GPO container for all users / machines to which you want to push the application. Create a GPO with the Windows GPO editor. In the GPO editor, select either startup or shutdown to trigger wh the GPO installs the application on the remote machine. Add the batch file (script) you saved in the shared folder. The application should th install siltly on the remote machine wh the user either logs in or shuts down the machine. Example of the command line to put into the batch file: C:\kworking\barracudawsasetup.msi /qb /lvmo c:\kworking\bar_setup.log AUTH_KEY=0E733C7CA8F437424526F80096512C569E4D5703 SERVICE_URL=ple1.proxy.purewire.com SERVICE_PORT=8080 DEFAULT_BEHAVIOR=2 ADS=1 USER_MODE=0 RebootYesNo="No" REBOOT="Suppress" Command Line Argumts and Options Use the following argumts and options to control the configuration of Barracuda WSA. Argumts: s runs Setup.exe in silt mode (no dialog boxes). v passes the /qn (no UI) parameter to the installer, which runs the executable in silt mode. The following table describes additional options: Option Description ALLOW_REMOVE 1 (Default) Allow removal of Barracuda WSA using Add/Remove Programs. 0 Do not allow Barracuda WSA to be removed using Add/Remove Programs.. 26
ALLOW_UPDATE 1 (Default) Allow user to manually update through the Barracuda WSA Monitor and Configuration Tool. 0 Do not allow the user to manually update. Note: This has no effect on automatic updates APPLICATIONS EXCEPTIONS BLOCKS A pipe-delimited list of clit applications to be filtered on all ports. Example: APPLICATIONS=iexplore.exe firefox.exe If there are specific applications from which you don t want to capture any traffic, type them in as a pipe-delimited list. A pipe-delimited list of applications to be blocked by Barracuda WSA. Example: BLOCKS=block1.exe block2.exe BYPASS A semi-colon-delimited list of network addresses that will bypass filtering, such as trusted internal networks. Guidelines: Use a * in any octet (except the first) to indicate any. Bypass tries that begin with a dot (.) will match any URL ding with a dot and the subsequt string(s). For example, if you use *.example.com as a bypass try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. CPU (CPU Monitor) 1 means the CPU monitor is on 0 means the CPU monitor is off. Turning this feature on ables the administrator to see if there is any CPU loading issue. PASSWORD The password users must know to configure, stop or start the Barracuda WSA. USER_MODE 0 (Default) Indicates ordinary operation. The Barracuda WSA Monitor appears in the task tray and the Configuration tool appears in the Program Files mu. 1 Runs Barracuda WSA in Silt mode. SERVICE_PORT The port number through which the Barracuda WSA communicates to the Barracuda Web Security Service. This parameter follows SERVICE_URL. Example: SERVICE _PORT=8080 27
SERVICE _URL The URL of the Barracuda Web Security Service, followed by SERVICE_PORT and port number. The URL can be a domain name or IP address and is found on the SUP PORT tab of the Barracuda Web Security Service web interface. Example: SERVICE_URL=ple1.proxy.purewire.com SERVICE_PORT=8080 SERVICE_MODE 1 (Default) Using Barracuda WSA with the Barracuda Web Security Service as the host. 2 Using Barracuda WSA with Barracuda Web Filter. Example: SERVICE_MODE=1 TDC (Temporary Disable Count) TDT (Temporary Disable Timeout) DISABLE_AUTOMATIC_UPDATES The number of times a user can use the Tem porarily disable service feature. The default is 3 times, and th the user must reboot to reset the counter to 0. The number of minutes the user can temporarily disable the Barracuda WSA. The 'timeout' refers to the d of the allowable Te mporarily disable service period. Default is 5 minutes. 1 Disables automatic updates. Barracuda WSA will not check regularly for updates. 0 (Default) Enables automatic updates. DEFAULT_BEHAVIOR 1 Forwards all application traffic to ports 80 and 443 for filtering. 2 (Default) Application traffic bypasses filtering, except for the applications to filter that you specify. 3 Blocks all application traffic except for applications you specify for filtering, which are forwarded. PROXY_EXCEPTIONS A semi-colon-delimited list of network addresses to specify proxy exceptions for internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering. Guidelines: Use a * in any octet (except the first) to indicate any. Entries that begin with a dot (.) will include any URL that matches the dot and subsequt string(s). For example, if you use *.example.com as a proxy exception try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. 28
GPO Deploymt of the Barracuda WSA From the Windows Interface If you install using GPO Deploymt, you will need to Update/Redeploy using GPO, and Uninstall using GPO. This article applies to using the Barracuda Web Security Service. To install the Barracuda WSA, do the following: 1. Create an MST file from the MSI windows installer package of WSA using the ORCA tool. To create an MST file, log into your Windows Server as administrator, and create a shared folder. This is the distribution point on the network where you will have the installer package you want to distribute and apply. 2. Log in to the Barracuda Web Security Service and download the WSA MSI installer Package from the SUPPORT tab. Save the downloaded installer package in the shared folder you created above. 3. Download the ORCA tool from http://www.softpedia.com/progdownload/orca-download-79861.html and install. This tool transforms the.msi file into a.mst file if you perform the following steps: a. Launch ORCA and click on File > Op to op the downloaded MSI installer of the Barracuda WSA and to see its setup parameters. There are four required settings to be able to connect the Barracuda WSA to the host; and upon connecting, the clit machine will sync with the settings in the profile configured on the host to the local Barracuda WSA settings. 4. i. ii. Select Transform from the mus, and th select the New Transform option. Select PROPERTY in the left Tables pane, th scroll down for the Property tries and view the AUTH_KEY. Click to edit the Value field section. DO not rame Property tries! iii. Log into the Barracuda Web Security service and go to the CONFIGURATION > Key Managemt page. Click on the key you want to use and copy the key value to use. iv. In ORCA, double click or use CTRL + A in the value field (as there is a space already there) to select everything for Auth Key, and paste the Auth Key value you just copied (so no spaces are left) in front of or behind the value. Press Enter. v. Set the property SERVICE_URL to the Service Host found in the Account Information section of the SUPPORT tab of the Barracuda Web Security Service. vi. Set the SERVICE_PORT to 8080, tering it without spaces. vii. Set the property USER_MODE: 0 (Default) Indicates ordinary operation. The Barracuda WSA Monitor appears in the task tray and the Configuration tool appears in the Program Files mu on the clit machine. 1 Runs the Barracuda WSA in Silt mode. The user does not see the Barracuda WSA Monitor running, and cannot change the local configuration. viii. Set the property SERVICE_MODE to 1. Service mode 1, the default, runs the Barracuda WSA with the Barracuda Web Security Service as the host. You should see, after tering values into these fields, that they are outlined in gre if they have be changed/modified to a new value. b. After setting the above properties according to your configuration, select the Transform mu again and select the Gerate Transform option. Save the.mst file in the folder with the Barracuda WSA MSI installer file. Deploy the Barracuda WSA application through Active Directory by creating a GPO and applying a GPO policy. To deploy the Barracuda WSA application using GPO deploymt, you need to create a container or Organizational Unit (OU), th create a GPO which you link to that OU and apply the GPO policy. a. Using your Windows Server Start mu, op Administrative Tools > Active Directory Users and Computers which displays the active directory domain users and computers. b. Select the domain where you want to add your OU, and right click, choosing New > Organizational Unit. You need to name your Organizational Unit, and unselect Protect container from accidtal deletion, because you may want to delete the OU later. c. Now you need to associate the USERS accounts or COMPUTERS accounts to your newly created OU where you will apply policies. You can add them to the created OU, move them from the existing USERS or COMPUTERS account to the new container (though this option prompts a warning), or create them in the OU. d. Finally, you need to create a GPO and link it to the new OU you created. Use the Windows Server Start mu, Administrative Tools > Group Policy Managemt and select your new OU; th right click, selecting Create a GPO in this domain, and Link it here... e. Select your GPO and right click, selecting Edit to op the Group Policy Managemt Editor. You need to decide whether to use User Configuration or Computer Configuration to specify which domain elemts your GPO policy will apply to. User Configuration applies the policy to the users in your GPO whever they log into any computer. Computer Configuration appli es the policy to any user who logs into the computer in your GPO. 29
To apply your software installation, select Software installation from User Configuration or Computer Configuration, depding on your desired configuration, and right click selecting New > Package. You will need to specify the full UNC path of the shared installer package you want (for example \\server2008\common\barracudawsasetup.msi) as the Filame of the Windows installer package, th O p the package. Select the Advanced deploymt method which allows you to add modifications to the msi file created using ORCA. For Computer Configuration: From the Modifications tab, use Add to add the MST file, typing the full Universal Naming Convtion (UNC) path of the MST transform file (for example: \\server2008\common\wsa.mst) and th Op. The Barracuda WSA will now appear in the right pane of your Group Policy Managemt Editor. Assigned vs Published Deploymt Type for Users If you decide to use User Configuration, you need to choose the deploymt type for users: 1. 2. From the Deploymt tab, : Assigned: Distributes software to users, but does not install it on their system. Wh software is assigned to a user it 'follows' them by providing shortcuts on the Programs mu of every machine they log into. If the user clicks on the shortcut, only th is the application actually installed on that system. You can select the checkbox Install this application at logon if you want the software to install (run the GPO policy) wh the user logs in. Published: Adds the application to the Add/Remove programs section of the control panel, and allows the user to install the application if necessary. Unlike Assigned software, it does not appear to be installed. A published application can be installed via documt invocation, as wh a user clicks on a zip file, WinZip would install had it be published to the user. Next, apply your GPO policy. Op a command prompt, and Run it as administrator. To force update the Group Policy use the command: C:\Users\Administrator> gpupdate /Force The Barracuda WSA will be installed on the computers wh they reboot or apply to users wh they log in. For Computer Configuration policy, the GPO policy applies at reboot, and the Barracuda WSA application is installed th. For User Configuration policy, installation depds on the deploymt type setting. See Assigned vs Published Deploymt Type for Users above. To verify that the Barracuda WSA has be installed, look for the Barracuda WSA icon in your system tray, or in the Add/Remove Programs list using your Control Panel. An application that has be installed through GPO can only be effectively uninstalled through GPO or it will reappear on your computer at reboot or user login. Additionally, you should turn off the Barracuda WSA Auto-Update feature for a Barracuda WSA installed using GPO Deploymt, as updates should be done through GPO as well. Manual Local Deploymt of Barracuda WSA from the Command Line Before beginning the installation, you must have: the Authtication Key you created for the Barracuda WSA in the Barracuda Web Security Service Manager, and the Barracuda Web Security Service Service Host URL that was provided to you by Barracuda Networks or your Barracuda Networks partner. You can also find the Service Host URL on the SUPPORT tab of the Barracuda Web Security Service Manager. See Setting Up Your Barracuda Web Security Service Account if you don't have these yet. Command Line Example At the command line, type the following all on one line: BarracudaWSASetup.exe /s /v" /qn AUTH_KEY=<paste the auth key here with no brackets> SERVICE_URL=proxy.example.com Argumts and Options Use the following argumts and options to control the configuration of the Barracuda WSA. 30
Argumts: s runs Setup.exe in silt mode (no dialog boxes). v passes the /qn (no UI) parameter to the installer, which runs the executable in silt mode. You can set the USER_MODE switch to 1 for silt operation (the d user will not see the Barracuda WSA icon in the System Tray or Start Mu). The following table describes additional options: Option ADS (Allow Disable Service) Description 1(Default) Allow user to disable Barracuda WSA using the Stop and Start service in the Barracuda WSA Monitor. 0 Do NOT allow users to stop and start Barracuda WSA from the Barracuda WSA Monitor. ALLOW_REMOVE 1 (Default) Allow removal of Barracuda WSA using Add/Remove Programs. 0 Do not allow Barracuda WSA to be removed using Add/Remove Programs. ALLOW_UPDATE 1 (Default) Allow user to manually update through the Barracuda WSA Monitor and Configuration Tool. 0 Do not allow the user to manually update. Note: This has no effect on automatic updates APPLICATIONS ATDS (Allow Temporary Disable Service) A pipe-delimited list of clit applications to be filtered on all ports. Example: APPLICATIONS=iexplore.exe firefox.exe 1 Displays option in Barracuda WSA Monitor for user to temporarily disable Barracuda WSA for five minutes at a time, no more than three times. Reboot is required to reset the counter. 0 Hides the option to temporarily disable Barracuda WSA from the Barracuda WSA Monitor. AUTH_KEY The Barracuda Web Security Service authtication key (gerated on the Barracuda Web Security Service web interface). Note: This is only needed wh you are using Barracuda Web Security Service (SERVICE_MODE=1). BLOCKS A pipe-delimited list of applications to be blocked by Barracuda WSA. Example: BLOCKS=block1.exe block2.exe BYPASS A semi-colon-delimited list of network addresses that will bypass filtering, such as trusted internal networks. Guidelines: Use a * in any octet (except the first) to indicate any. Bypass tries that begin with a dot (.) will match any URL ding with a dot and the subsequt string(s). For example, if you use *.example.com as a bypass try, any URL that ds with.example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly. DEBUG 1 Enables Debug mode. The file: c:\windows\temp\wsatraffic.log stores debug information. 0 (Default) Disables Debug mode. 31
DEFAULT_BEHAVIOR 1 Forwards all application traffic to ports 80 and 443 for filtering. 2 (Default) Application traffic bypasses filtering, except for the applications to filter that you specify. 3 Blocks all application traffic except for applications you specify for filtering, which are forwarded. DISABLE_AUTOMATIC_UPDATES 1 Disables automatic updates. Barracuda WSA will not check regularly for updates. 0 (Default) Enables automatic updates. EXCEPTIONS A pipe-delimited list of applications to bypass filtering. Example:EXCEPTIONS=app1.exe app2.exe LANG By default, Barracuda WSA uses the language indicated by the language setting of the clit computer. You may select an alternate language using the following language codes: German: de-de Japanese: ja-jp Dutch: nl-nl Chinese: zh-cn Chinese Traditional: zh-tw Portuguese: pt-br Spanish: es-es English: -US Example:LANG=de-DE PASSWORD PROXY_EXCEPTIONS SERVICE_MODE The password users must know to configure, uninstall, or stop/start the Barracuda WSA. A semi-colon-delimited list of proxy exceptions which includes internal proxies that should be reachable by Barracuda WSA clits for internal proxying and filtering. These must be exact IP addresses or host names. Example: PROXY_EXCEPTIONS=192.168.1.5;proxy.mycompany.com 1 (Default) Using Barracuda WSA with the Barracuda Web Security Service. 2 Using Barracuda WSA with Barracuda Web Filter. Example: SERVICE_MODE=1 SERVICE_PORT The port number through which the Barracuda WSA communicates to the Barracuda Web Security Service or the Barracuda Web Filter. This parameter follows SERVICE_URL. Example: SERVICE _PORT=8080 SERVICE _URL The URL of the Barracuda Web Security Service or Barracuda Web Filter, followed by SERVICE_PORT and port number. The URL can be a domain name or IP address. Example: SERVICE_URL=ple1.proxy.purewire.com SERVICE_PORT=8080 TDC (Temporary Disable Count) The number of times a user can use the Temporarily disable service feature. The default is 3 times, and th the user must reboot to reset the counter to 0. 32
TDT (Temporary Disable Timeout) USER_MODE The number of minutes the user can temporarily disable the Barracuda WSA. The 'timeout' refers to the d of the allowable Tem porarily disable service period. Default is 5 minutes. 0 (Default) Indicates ordinary operation. The Barracuda WSA Monitor appears in the task tray and the Configuration tool appears in the Program Files mu. 1 Runs Barracuda WSA in Silt mode. WD 1 Enables the watchdog feature, prevting the removal of Barracuda WSA through tampering with registry settings or network settings. 0 (Default) Disables the watchdog feature. Warning: Test this setting before deploying into your vironmt, as locking down network settings and the registry can produce unwanted side effects in your system. Example using various options: BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn AUTH_KEY=11111111111111111111111111111111111111 ALLOW_REMOVE=1 EXCEPTIONS=chrome.exe safari.exe APPLICATIONS=explorer.exe firefox.exe BYPASS=11.11.11.0;*.purewire.com;192.168.* ADS=1 PASSWORD=pass" The above example also writes a log file to the setup directory called setup.log Uninstalling the Barracuda Web Security Agt for Win2K3 Server 1. Log on to the server computer as an administrator. 2. Click Start, point to Administrative Tools, and th click Active Directory Users and Computers. Select your domain, right-click and choose Properties. Click the Group Policy tab in the domain Properties window. Select the GPO and click on Edit button. This ops the Group Policy Object Editor. 3. Expand the Configuration based on the assignmt of new GPO as follows: Computer Configuration Software Settings Software installation. User Configuration Software Settings Software installation. 4. Select "Software installation" and th select the Software "Barracuda Web Security Agt" from the right side list. Do a right-click and select All Tasks > Remove This prompts for the Removal method option. Choose the option "Immediately uninstall the software from users and computers" and click OK. 5. Close all the op windows and now run the command to force update of group policy: C:\Documts and Settings\Administrator.WFDEVDC01>gpupdate /Force Refreshing Policy... User Policy Refresh has completed. Computer Policy Refresh has completed. To check for errors in policy processing, review the evt log. Certain User policies are abled that can only run during logon. Certain Computer policies are abled that can only run during startup. OK to Reboot?. (Y/N) Rebooting the Server computer uninstalls the Barracuda WSA application if it is installed. 6. 7. 8. Start the same computer on which the Barracuda WSA application is installed (computer-based policy). Log in as the domain user to a machine on which Barracuda WSA application is installed (user-based policy). Look at the system tray - the Barracuda WSA Monitor icon should not be prest. This indicates that Barracuda WSA application has be uninstalled. You can also verify this in the Add/Remove Programs section of the Control Panel. Uninstalling the Barracuda Web Security Agt for Win2K8 Server 33
1. 2. Log on to the server computer as an administrator. Click Start, point to Administrative Tools, and th click Group Policy Managemt. Expand the tree for your domain, select the newly created Container or OU, expand the Container, select the new GPO, right-click and click Edit 3. Expand the Configuration based on the assignmt of a new GPO as follows: a. Computer Configuration Policies Software Settings Software installation. User Configuration Policies Software Settings Software installation. b. Select Software installation and th select the Software Barracuda Web Security Agt from the right side list. Right-click and select All Tasks > Remove This prompts the Removal method option. Choose the option Immediately uninstall the software from users and computers and click OK. 4. Close all the op windows. Run the command to force update of group policy. C:\.Users\Administrator>gpupdate /Force Updating Policy... User Policy update has completed successfully. Computer Policy update has completed successfully. a. b. c. Start the same computer on which Barracuda WSA application is installed (computer-based policy). Log in as the domain user to a machine on which Barracuda WSA application is installed (user-based policy). Look at the system tray - the Barracuda WSA Monitor icon should not be prest. This indicates that Barracuda WSA application has be uninstalled. You can also verify this in the Add/Remove Programs section of the Control Panel. Requiremts for the Barracuda Web Security Agt With Windows The Barracuda Web Security Agt on Windows systems supports the Microsoft.NET Framework as shown in the table in this page. Note that Microsoft Windows 10 is not currtly supported. You can install the Barracuda Web Security Agt on Windows systems that meet the following requiremts: Latest released Service Packs of 32-bit version of Windows XP, and 32-bit or 64-bit versions of Windows Vista, Windows Server 2003, Windows 7 or Windows 8.x Windows Internet Explorer version 6 or later, or Mozilla Firefox version 3 or later 1 GB RAM 2 Ghz processor 30 MB free disk space To ctrally manage Barracuda WSA clits in the Barracuda Web Security Service Manager, the Barracuda WSA must be version 3.3 or later. Microsoft.NET Framework as designated in the table:.net Framework Windows XP Windows Server 2003 Windows Vista Windows 7 / Windows Server 2008 Windows 8 / Windows Server 2012.NET Clit profile +.NET 4 Extded X X - - -.NET 4.5 N/A N/A X X X.NET 4.5.1 N/A N/A X X X.NET 4.5.2 N/A N/A X X X * The configuration in BOLD is recommded Installing the Barracuda WSA on a Macintosh 34
Macintosh System Requiremts for the Barracuda Web Security Agt You can install the Barracuda WSA on Macintosh systems that meet the following requiremts: Version 10.6 (Snow Leopard) or later operating system 50MB memory (10.5 requires 512MB, 10.6 requires 1.0GB) 3.5 GB RAM Intel or Power PC G4 or G5 processor 30 MB free disk space Using the Barracuda Web Filter: Download and Installation 1. 2. 3. 4. Log into the Barracuda Web Filter web interface. Go to the ADVANCED > Remote Filtering page. In the Download Web Security Agt section of the page, click the Download/Install link for the Macintosh OS-X. Launch the installer on the Macintosh and follow on-scre instructions. Continue with How to Configure the Barracuda WSA With the Barracuda Web Filter. Using the Barracuda Web Security Service: Download and Installation 1. 2. 3. 4. 5. Log into the Barracuda Web Security Service. Go to the SUPPORT tab. Click on Barracuda Web Security Agt for Macintosh. Launch the installer on the Macintosh and follow on-scre instructions. Wh prompted, ter the Authtication Key you created in How to Install the Barracuda WSA with the Barracuda Web Security Service. This ables the Barracuda Web Security Service to idtify traffic from your remote computer(s). To Uninstall the Barracuda Web Security Agt You can uninstall the iwsa for Macintosh in one of these three ways: 1. 2. 3. You can mount the Barracuda WSA installer image from the original disk or disk image file (.dmg) and choose Uninstall. If you used the default install, you can launch the uninstaller from /Library/Application/Support/Barracuda WSA. Running as root from the command line, you can navigate into the Uninstaller.app and invoke the uninstall.sh script directly (located in /Library/Application Support/Barracuda WSA/Uninstaller.app). Configuration Tool for Barracuda WSA Windows Clit The Configuration Tool makes it easy for the administrator to change settings for the Barracuda WSA from the clit. The tool exposes the same settings that are configured from the administrative web interface of either: The Barracuda Web Security Service REMOTE FILTERING > Web Security Agt page OR The Barracuda Web Filter ADVANCED > Remote Filtering page The Configuration Tool can optionally be password protected in the administrative web interface. To run the tool, type Configuration in the Windows Startup mu. Click on Configuration next to the Barracuda icon in the mu. Wh you run the Configuration tool you are prompted for the Barracuda WSA Password if one was configured in the administrative web interface. You th see the Configuration window (see Figure 1 below) showing the following settings: Authorization Key that was created in the administrative web interface; only applies with the Barracuda Web Security Service (Service) Host: Either the Barracuda Web Security Service currt host and drop-down listing all available service hosts, or, with the Barr acuda Web Filter, the IP address of the appliance Port Bypass IP addresses - IP addresses/ranges you want the Barracuda WSA to bypass wh filtering Figure 1. Configuration Tool showing the currt service Host with Barracuda Web Security Service. 35
The settings shown are those based on the last sync evt betwe the Barracuda WSA and the service host. A sync evt is triggered by any of the following: User logging into Barracuda WSA A network change Clicking on the Barracuda WSA icon in the task tray and selecting Sync The sync evt also updates the clit with browse policies configured in the Barracuda Web Security Service or the Barracuda Web Filter. Wh using with the Barracuda Web Security Service, from the Host drop-down, you can view a list of the available service hosts. With the Barracuda Web Security Service Wh using the service, with version 4.3.0 or higher, you can select another host from the Host drop-down. You can configure the Barracuda WSA to poll available service hosts and rank them by response times using the Auto Select Host and Allow Change Host settings (see Figure 2). Check Auto Select host to have the Barracuda WSA do this check periodically and switch to the host with the fastest response time. If you have abled Allow Change Host, you can click on Change Host in the context mu, view a list of available service hosts and response times, and select a differt Barracuda Web Security Service host. See Fallback Service Hosts and the Barracuda Web Security Service for details. Barracuda WSA Settings on the Clit Click on the Advanced button in the Configuration tool window to see and modify the profile settings that are configured on the Barracuda Web Security Service REMOTE FILTERING > Web Security Agt page or on the Barracuda Web Filter ADVANCED > Remote Filtering page. Figure 2. Advanced Configuration Tool Window. 36
Note the following exceptions: If the Allow auto update feature in the Barracuda Web Security Service profile is not checked (abled), the users with that profile will not see the Auto-update and Allow update check boxes in the configuration tool Advanced window shown above. The same applies for the Auto-update and Allow User to Check for Update settings in the Barracuda Web Filter ADVANCED > Remote Filtering page. The Policy Lookup Only Mode check box only appears for users who are remote filtered by the Barracuda Web Filter. Policy Lookup Only Mode, wh abled, means that the Barracuda WSA clit on the remote user's machine looks up policies configured on the Barracuda Web Filter for that user/clit, applies the policies, th routes allowed web traffic from the user's machine via its usual path to the Internet. In this mode, because traffic is not routed through the Barracuda Web Filter, SSL Inspection cannot be applied to HTTPS traffic from remote computers wh Policy Lookup Only Mode is abled. The Auto Select Host and Allow Change Host settings are only associated with the Barracuda Web Security Service, as explained in detail in Fallback Service Hosts and the Barracuda Web Security Service. Configuring Preferces for Barracuda WSA Macintosh Clit The administrator can access the Barracuda WSA Preferces from the context mu or from the System Preferces interface to change settings for the Barracuda WSA from the clit. The tool exposes the same settings that are configured from the administrative web interface of either: 37
The Barracuda Web Security Service REMOTE FILTERING > Web Security Agt page OR The Barracuda Web Filter ADVANCED > Remote Filtering page Barracuda WSA Preferces can optionally be password protected in the administrative web interface. The WSA Preferces window shows the following settings (see Figure 1) : Authorization Key that was created in the administrative web interface; only applies with the Barracuda Web Security Service Service Host(s): Either the Barracuda Web Security Service currt host and drop-down listing all available service hosts, or, with the Bar racuda Web Filter, the IP address of the appliance Port - the network port at which to contact the service host. Bypass - IP addresses/ranges you want the Barracuda WSA to bypass wh filtering Proxy Exceptions - The hostname(s) or IP address(es) of these existing proxies on the clit's LAN will bypass filtering of traffic. If you have a PAC or WPAD driv proxy setup, sure that the proxy hosts are listed here. Fail Op option and, if connecting to the Barracuda Web Security Service, Fallback host settings (see Fallback Service Hosts and the Barracuda Web Security Service) Also see Using the Barracuda WSA with the Barracuda Web Filter Version 7.1 and Above. Figure 1a. WSA Preferces window showing the currt Service Host with Barracuda Web Security Service. Figure 1b. WSA Preferces window showing the currt Service Host with the Barracuda Web Filter. 38
The settings shown are those based on the last sync evt betwe the Barracuda WSA and the service host. A sync evt is triggered by any of the following: Restarting or waking the Mac from sleep Logging in to another user account on the Mac Changing network connections or WiFi access points Clicking the Synchronize Settings button in the WSA Preferces as shown in Figure 1. The sync evt also updates the clit with browse policies configured in the Barracuda Web Security Service or the Barracuda Web Filter. Wh using with the Barracuda Web Security Service, from the Service Host drop-down, you can view a list of the available Service Hosts. Wh using the Barracuda Web Security Service, with version 4.3.0 or higher, you can select another host from the Service Host dropdown as shown in Figure 2. You can configure the Barracuda WSA to poll available service hosts and rank them by response times using the settings on the Web Security Service tab. Check Automatically switch to a faster service host, if available to have the Barracuda WSA do this check periodically and switch to the host with the fastest response time. See Fallback Service Hosts and the Barracuda Web Security Service for details about using this feature. Figure 2. Selecting a differt service host using the Fallback feature. 39
Barracuda WSA Preferces Wh you select WSA Preferces from the context mu, you see the window shown in Figure 1a or 1b. Click the Web Filter tab if you are using the Barracuda Web Filter, or Web Security Service tab to view the currt Host, Port and Bypass settings. Click the Applications tab to see and change filtering settings that are configured on the Barracuda Web Security Service REMOTE FILTERING > Web Security Agt page or on the Barracuda Web Filter ADVANCED > Remote Filtering page, as shown in Figure 3. Figure 3. Barracuda WSA Applications tab. To create exceptions to filtering policies, click the Exceptions button. Figure 4. Setting exceptions to filtering policies. 40
To configure settings for allowing updates, click on the Options tab, and note the following: If the Allow auto update feature in the Barracuda Web Security Service profile is not checked (abled), the users with that profile will not see the Check for Updates Automatically and Allow User to Check for Updates settings in the Options tab. The same applies for the Auto-updat e and Allow User to Check for Update settings in the Barracuda Web Filter ADVANCED > Remote Filtering page. Fallback Service Hosts and the Barracuda Web Security Service Note: This feature applies wh using the Barracuda Web Security Agt (WSA) for Windows version 4.3.0 and higher, or the iwsa for Mac version 1.4.0 and higher, with the Barracuda Web Security Service. With the Fallback feature, the administrator can choose an alternate Barracuda Web Security Service host for filtering web traffic for remote users who have the Barracuda WSA installed on their Windows laptop, desktop or Macintosh. Fallback is useful in case the intded service host is unavailable, or there is another service host available that has faster response times. This feature provides the administrator with the following options: Configure the Barracuda WSA to automatically connect to the service host with the fastest response times instead of the currt host. Select the service host manually from the clit (requires Barracuda WSA password to log in) How the Fallback Feature Works At a regular interval, the Barracuda WSA can poll Barracuda Web Security Service hosts and rank them based on response times. With Windows: Wh you run the Configuration tool from the Windows Startup mu, you see the Host, Port and Bypass settings as shown in Figure 1a. Note the Host name. This is the currt service host. Figure 1a. Barracuda WSA for Windows Configuration tool displays the currt Host and port. 41
With the Macintosh: Wh you select WSA Preferces from the Macintosh mu bar, you see the Host, Port and Bypass settings as shown in Figure 1b. Note the Service Host name. This is the currt service host. Figure 1b. Barracuda WSA for Macintosh WSA Preferces displays the currt Service Host and port. For more information about configuring the Barracuda WSA, see: For Windows: Configuration Tool for Barracuda WSA Windows Clit For Macintosh: Configuring Preferces for Barracuda WSA Macintosh Clit If you have configured an administrator password, you'll be prompted to ter it before you can configure the Barracuda WSA. The settings shown are those based on the last sync evt betwe the Barracuda WSA and the service host. A sync evt is triggered by any of the following: User logging into Barracuda WSA A network change Clicking the Synchronize Settings button in the WSA Preferces The sync evt also updates the clit with all settings configured in the Barracuda Web Security Service; the exception is Debug Mode, which is a local setting. How to Enable the Fallback Feature 1. In the Barracuda Web Security Service web interface, go to the REMOVE FILTERING > Web Security Agt page. 2. 42
2. Click on the Default Profile or any other existing profile for which you want to able or disable the feature. NOTE: This feature is, by default, NOT abled for customers using the Barracuda WSA before this feature became available. For customer accounts created after this feature became available, the Automatically Select Service Host option is set to ON by default, and the Allow User to Change Service Host is set to OFF by default. All profiles are created based on Default Profile settings. 3. Click the check box for Automatically Select Service Host to able the Barracuda WSA to ping available service hosts at a regular interval and automatically switch to the host with the fastest response time. 4. Click the check box for Allow User to Change Service Host to able users to view available service hosts by response times and select a differt host if desired. Note that whever the Barracuda WSA syncs with the Barracuda Web Security Service, settings in the service override those in the Barracuda WSA. 5. Make sure that all remote clits are synchronized with the server to get the new settings. Perform these steps for EACH profile. Whatever settings you choose in the Default Profile will apply for each new profile you create. Figure 1c. Setting Fallback feature settings in the Default Profile. How to Configure the Fallback Feature From the Barracuda WSA Note that settings that you configure in the Barracuda WSA clit will be overridd by those in the Barracuda Web Security Service wh the service syncs with the clit. With Windows: 1. 2. 3. In the Configuration tool, click the Advanced button. In the Advanced window, select the Allow Change Host check box. Click Ok. Click on the Barracuda WSA context mu in the task tray and select Change host to view and select from a list of hosts ranked by response times. Figure 2a. Configuring the Fallback feature with the Barracuda WSA for Windows. 43
With the Macintosh : 1. 2. 3. 4. From the mu bar, click on the Barracuda WSA icon and select WSA Preferces. Click on Allow the user to select a faster service host from mu as shown in Figure 1b. Click on the Barracuda WSA icon in the mu bar. Click Select Service Host to view and select from a list of available hosts ranked by response times. Figure 2b. Barracuda WSA for Macintosh context mu. 44
Table 1. Interaction betwe Auto Select Host and Allow Change Host settings for the Fallback feature. Auto Select Host / Automatically switch Allow Change Host / Allow the user to select Behavior On On The Barracuda WSA will poll and rank Service Host response times at regular intervals and switch to the fastest host if differce in response times is big ough. The user will see an option to Change Service Host in the context mu (click Barracuda WSA icon in task tray) and can view the list of hosts/response times if the Barracuda WSA is not in Silt Mode. On Off (Default) The Barracuda WSA will poll and rank Service Host response times at regular intervals and switch to the fastest host if differce in response times is big ough. User cannot change the Service Host manually. Off (Default) On The Barracuda WSA will poll and rank Service Host response times at regular interval. The user will see an option to Change Service Host in the context mu and can view the list of hosts/response times if the Barracuda WSA is not in Silt Mode. Off Off The Barracuda WSA will not poll Service Hosts to measure response times. The user will not see an option to Change Service Host in the context mu. The admin can change the service host using the Host dropdown in the Configuration Tool window or in the Barracuda Web Security Service web interface. 45
46