Example - Barracuda Network Access Client Configuration

Introducing a Barracuda Network Access Client environment involves several components: global objects, trustzone settings, the Access Control Service, and the gateway firewall configuration. Using the Barracuda Network Access Client does not necessarily require complex policy rulesets. Although rulesets grow more elaborate as exceptions are required, this example contains only one policy rule within the Local Machine ruleset.

Example scenario

The client LAN has the IP address range 10.0.8.0/24. The protected servers are located in the 172.16.0.0/24 network. One of these servers also acts as a Microsoft Domain Controller and as a remediation server for updating antivirus patterns. This server has the IP address 172.16.0.10. Even unknown or unhealthy clients need access to this server; otherwise they can neither log in nor remediate. Access to the other servers in 172.16.0.0/24 must be available only to clients that conform to the corporate health policy.

The health policy requires that the client be installed and the personal firewall enabled. In addition, the company uses Trend Micro antivirus products, so the antivirus engine must be enabled and antivirus pattern updates must be received regularly.

Before you begin

Prepare the Access Control Objects that the trustzone configuration will reference. Setting up a Barracuda Network Access Client infrastructure usually starts with configuring two different welcome messages, two different Personal Firewall rulesets, and one welcome bitmap. To give users customized information about their health state, define different welcome messages for unrestricted access (healthy status) and for quarantine (unhealthy status). A quarantined user should find everything needed to contact the company's IT support in the quarantine message.

For more information, see Configuring Access Control Objects in the Barracuda NextGen Firewall documentation.

Step 1. Create a personal firewall ruleset

All of your clients, regardless of their health state, require some network access. They need to contact the Access Control Service (TCP port 44000; this rule is included in the default ruleset) and the Microsoft Domain Controller. Otherwise, users cannot log in. Depending on the antivirus or anti-spyware product, access to HTTP servers may also be necessary. Backup software, remote support, and automatic software distribution often open connections from server to client, so you may need to modify the incoming ruleset of your personal firewall to allow those incoming connections.

First, create the quarantine ruleset:

1. Expand the Access Control Objects configuration node.
2. Right-click Personal Firewall Rules and select New Access Control Firewall Ruleset.
3. Create an object for the ruleset, named restrictedaccess.

In the restrictedaccess ruleset, add the following rules:

- Explicitly block the Skype application.
- Allow connections to the remediation server (172.16.0.10).
- Allow HTTP/HTTPS connections to the Internet. Some antivirus products use HTTP or HTTPS to download engine and pattern updates. Note that this rule gives quarantined clients unrestricted web egress; if the update hosts of your antivirus product are known, narrow the rule to those destinations.

Then create another ruleset for healthy clients, named unrestrictedaccess.

Step 2. Introduce an Access Control Service Trustzone

The hierarchical structure of a Barracuda NextGen Control Center allows Access Control Service Trustzones at different levels (Global, Range, and Cluster), so you must decide where the company's trustzone belongs. You may use global trustzones or switch to range trustzones. On a stand-alone unit, configure your trustzone within the Access Control Service > Access Control Trustzone node. For range-based or cluster-based Access Control Services, you can only reference trustzones within the same administrative scope. Trustzones from a different range or cluster cannot be referenced.

To guarantee that the policy trustzone has a public/private key pair with which clients can be authenticated to all participating Access Control Services, you must create a Health Passport Signing Key in Settings > Identity > Health Passport Signing Key. The Health Passport is used for authenticating against other Access Control Service instances (for example, the Remediation Service or Border Patrol). Click New Key to create a new Health Passport Signing Key. In this setup with locally created keys, use the key you just created and export its public part to the clipboard. This public key is then imported as the Health Passport Verification Key. Treat the private part as a credential: whoever holds it can sign health passports that every Access Control Service configured with the matching verification key will accept.

Step 3. Create a policy rule

Create at least one rule within the Local Machine policy ruleset. This example uses a single catch-all rule; in a larger ruleset the catch-all rule belongs at the end, after the more specific rules. The Policy Rule dialog is split into these views:

- Identity Matching
- Required Health State
- Policy Assignments

For the Identity Matching and Required Health State views, Basic and Advanced configuration dialogs exist. Since the Access Control Service in this example setup is reachable only from private IP addresses, you can restrict the Networks section to the private address ranges. Basic > Policy Matching is set to One-of-following, so you do not need to specify further matching criteria.

Next, configure the Required Health State conditions. For the catch-all rule, you can define the same requirements you impose on known clients, because security policies usually restrict unknown clients further rather than granting them lower health requirements. To comply with the security requirements above, set the following parameters in Access Control Service Trustzone > Local Machine > Edit Policy Rule:

- Barracuda Personal FW On: Required <Auto-remediation>. This value automatically enables the Barracuda Personal Firewall if it is deactivated.
- Windows Security Center > Virus Protection. Checking engine and pattern versions of antivirus or anti-spyware products requires up-to-date version information on the server side.

Continue with the Policy Assignments view and assign the following attributes:

1. Assign the unrestrictedaccess firewall object as Ruleset Name.
2. Assign the Welcome message. This message is displayed as soon as a user has logged in.
3. Assign, for example, the Barracuda Network Access Client logo as the welcome picture.
4. For limited access, assign the appropriate ruleset and message.

For the catch-all rule matching all clients in the LAN, no automatic client update is required, so the Software Update Required parameter is set to No. Before deploying new client versions in large environments, the client software is usually tested on a limited number of clients. It is therefore recommended that you create a separate policy rule matching only a limited number of clients and enable automatic software updates only in that rule. After that smaller set of clients has been updated successfully, you can enable automatic software updates for the rest of the company's clients.

In this example, you are not required to add Network Access Policies manually. Instead, you can set up your access rules on the gateway firewall using the implicit roles unhealthy, healthy, probation, and untrusted.

Step 4. Configure the forwarding firewall ruleset

Enforcement of the security policy is provided by the Barracuda Network Access Client software installed on the endpoint itself. Whenever traffic leaves the local network segment, F-Series Firewalls can provide additional protection. To enforce the health policy, F-Series Firewalls can interpret the access policy attribute assigned to the endpoint within their rulesets. This provides a way to enforce network access control based on date and time, identity, health state, and the type of network access. To allow communication with protected servers only for clients conforming to the health policy, modify the gateway access ruleset as follows:

1. Open the forwarding firewall ruleset and navigate to the Users and Groups section.
2. Select New in the context menu to create a new user object.
3. After defining a name for the user object, for example healthy-clients, add a new User Condition:
   1. Within the Policy Roles Patterns section, change the logic operation to One Pattern must match (OR).
   2. Add two new Policy Roles Patterns: healthy and probation.
   3. Close the User Condition dialog.
4. Create or edit the Healthy-Access-to-Protected-Servers access rule: add a reference to the new healthy-clients user object within the Authenticated user dialog box.

Once user authentication is assigned to the access rule, only clients fully conforming to the health policy or clients in probation state are allowed to access the protected network. Barracuda Networks deliberately allows access for clients in probation status so that new connections are not blocked and existing connections are not terminated for a few minutes just because the antivirus patterns are not yet up to date. Remember that the client is in probation status while it tries to execute the remediation actions. If the remediation fails, the client becomes unhealthy. The remediation server 172.16.0.10 is not covered by this rule: it needs a separate access rule without the healthy-clients user condition, because unhealthy and untrusted clients must still reach it.
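The following Python model, an added illustration and not Barracuda code, reproduces the decision logic that Steps 3 and 4 configure through the GUI: the Required Health State of the catch-all rule (with auto-remediation of the personal firewall and probation for stale patterns), the personal firewall ruleset handed out by the Policy Assignments, and the forwarding-firewall verdict that admits only healthy or probation clients to 172.16.0.0/24 while leaving 172.16.0.10 reachable for everyone. The client attribute names, the pattern-age threshold, and the treatment of the untrusted role are assumptions made for the example.

```python
"""Decision model of the example: health state -> implicit role -> gateway verdict.

Added illustration; this is not Barracuda code. Client attribute names, the
pattern-age threshold and the handling of the untrusted role are assumptions.
"""
import ipaddress
from dataclasses import dataclass

CLIENT_LAN = ipaddress.ip_network("10.0.8.0/24")
PROTECTED_NET = ipaddress.ip_network("172.16.0.0/24")
REMEDIATION_SERVER = ipaddress.ip_address("172.16.0.10")  # DC + remediation server
MAX_PATTERN_AGE_DAYS = 3  # assumed; the page only requires regular pattern updates


@dataclass
class Client:
    ip: str
    nac_installed: bool          # Barracuda Network Access Client present
    personal_fw_on: bool         # Barracuda Personal Firewall enabled
    av_engine_on: bool           # Trend Micro engine enabled (Windows Security Center)
    pattern_age_days: int        # age of the antivirus pattern file
    remediation_ok: bool = True  # whether a pattern update from 172.16.0.10 succeeds


def evaluate_health(c: Client) -> str:
    """Return the implicit role: untrusted, healthy, probation or unhealthy.

    Mirrors the Required Health State of the catch-all rule. The client object is
    updated in place when auto-remediation changes its state.
    """
    if not c.nac_installed:
        return "untrusted"  # no client, hence no health passport (assumed)
    # "Barracuda Personal FW On: Required <Auto-remediation>": a disabled firewall
    # is switched on by the client instead of failing the rule.
    if not c.personal_fw_on:
        c.personal_fw_on = True
    if not c.av_engine_on:
        return "unhealthy"  # the engine itself is not auto-remediated in the example
    if c.pattern_age_days > MAX_PATTERN_AGE_DAYS:
        # Stale patterns: probation while the remediation action runs;
        # a failed update leaves the client unhealthy.
        if c.remediation_ok:
            c.pattern_age_days = 0
            return "probation"
        return "unhealthy"
    return "healthy"


def assigned_ruleset(role: str):
    """Personal firewall ruleset handed out by the Policy Assignments view."""
    if role == "untrusted":
        return None  # nothing to assign without a client
    return "unrestrictedaccess" if role == "healthy" else "restrictedaccess"


def gateway_allows(role: str, src: str, dst: str) -> bool:
    """Forwarding firewall verdict for client LAN -> 172.16.0.0/24 traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in CLIENT_LAN or d not in PROTECTED_NET:
        return False  # outside the scope of this example
    if d == REMEDIATION_SERVER:
        return True  # even unknown or unhealthy clients may reach it
    # Healthy-Access-to-Protected-Servers with the healthy-clients user object:
    # "One Pattern must match (OR)" over the policy roles healthy and probation.
    return role in ("healthy", "probation")


if __name__ == "__main__":
    # Constructed sample clients, one per interesting state.
    samples = [
        Client("10.0.8.20", True, True, True, 1),
        Client("10.0.8.21", True, False, True, 1),   # firewall off -> auto-remediated
        Client("10.0.8.22", True, True, True, 10),   # stale patterns -> probation
        Client("10.0.8.23", True, True, True, 10, remediation_ok=False),
        Client("10.0.8.24", True, True, False, 1),   # engine off -> unhealthy
        Client("10.0.8.99", False, False, False, 99),  # no client -> untrusted
    ]
    for c in samples:
        role = evaluate_health(c)
        print(f"{c.ip:<11} role={role:<9} ruleset={assigned_ruleset(role)!s:<18} "
              f"DC/remediation={gateway_allows(role, c.ip, '172.16.0.10')} "
              f"protected={gateway_allows(role, c.ip, '172.16.0.50')}")
```

Running the script prints one line per sample client; the two columns at the right show why the remediation server needs its own access rule, since it is the only destination that stays reachable for unhealthy and untrusted clients.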
