
Setting up Users on the SSL VPN 680


Overview:

Once the SSL VPN is installed and working, the next step is to get users on it and enable them to use it as a VPN.  This page goes through the basics of implementing that. 

Logging In As Admin:

Log In:

To log in for user access, connect directly to the front interface at the normal port (not the :8000 extension that you used for the system setup).
The default username and password are ssladmin/ssladmin.

Change Password:

Since this box is now presumably installed on the internet, you will want to quickly change the default password.  To do this, in the upper right corner of the page, select Manage Account.

Then in the Account tab, under the Change Password sub-tab, modify your password.


Setting up Accounts:

Create Groups:

From the Access Control Tab, select the Groups sub-tab.  Create the new group by entering its name in the Name field, and then selecting the (3) Add button.  You don't need to add any users yet, as you can add the users to the groups when you create the users (next step).  But if you needed to add any users, you would simply add their names in the Account field, and select the Add>> button.

Add Users:

From the Access Control Tab, under the Accounts sub-tab, enter the following fields:
  • Username: (if using RADIUS, it needs to be the same account name)
  • Full Name: So you can track down the user
  • Password: Local Password.  (Not used if you are using RADIUS)
  • Email: More so you can track down the user
Then type in the first part of the group name in the Available Groups (it will auto enter the entire name for you), and select the (3) Add>> button.  Then when you are complete, select the (4) Add button.

Add Policies:

Policies are kind of like rules attached to groups or users.  Here we simply create the policies, and assign users or groups to them.  Later we will assign capabilities (resources) to the policies. 

Under the Access Control Tab, under the Policies sub-tab, enter in the name of the policy under the Name field (it can have the same name as a group if it makes things simpler).  Then select the group that should be associated to this policy and select (3) Add>>.  (you can add multiple groups if required)  Select (4) Add to create the Policy. 

Creating Resources:

Resources are things that you can use, like proxied web pages, SSL portals, or tunnels. In the following section, you will create different resources and make them available to folks by binding them to Policies (that are then associated to users and groups).

Web Forwards:

Web forwards are used to present internal webpages to users.  To set one up, under the Resources tab, select the Web Forwards sub-tab, then select the type (Path-Based is fine for most everything), name the web forward, and paste the internal URL in the Destination URL field.  Then select which policies have access to this web forward, and select (3) Add to save it.

Applications:

You can create links on the Barracuda such that when you click on them, they automatically open up an application and do something with it.  For example, you can have a link that automatically opens up putty, and opens up a connection with it to another site.

To set this up, select the Resources Tab, and the Applications sub-tab.  Then fill in the following:
  • Name: The name you will use to refer to this service
  • Application: (putty or winscp)  The type of app to automatically run on the client's machine.
  • Hostname: The IP address (or DNS name) of the device to connect to with the application
  • Port: The TCP port of the host to connect to

Then select the policies that can use this application by selecting them and the (3) Add>> button.  Select (4) Add to save the newly created application. 


Network Connector:

The network connector is a full-tilt ipsec vpn tunnel that you can create between the client and the Barracuda.  The way the Barracuda implements this service, you have very little control other than providing this service and giving the user full access.  The Barracuda has no way of controlling what users have access to other than by limiting them with route statements.  The other thing to note with the Network Connector is that users who have rights to it can connect to it directly using the client (a modified OpenVPN client) and by using their Barracuda username and password.  If you are using a two factor solution, users who connect with a client use the Barracuda's username and password, and NOT THE RADIUS PASSWORD!  (So this can be seen as a security hole.)
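To see who is exposed to that caveat, you can resolve the account, group, policy and resource chain offline. The following is an added example, not Barracuda code or an export format: the inventory, field names and function names are all constructed for illustration.

```python
# Constructed sample inventory (not exported from a real appliance).
# It mirrors the page's model: accounts -> groups -> policies -> resources.
ACCOUNTS = {
    "alice": {"groups": {"Admins"}, "radius": True},
    "bob": {"groups": {"Developers"}, "radius": True},
    "carol": {"groups": {"Contractors"}, "radius": False},
}
POLICIES = {  # policy name -> groups attached to it
    "Admins": {"Admins"},
    "Dev Access": {"Developers", "Admins"},
    "Contractor Web": {"Contractors"},
}
RESOURCES = [  # each resource lists the policies allowed to use it
    {"name": "Intranet Wiki", "type": "web_forward",
     "policies": {"Dev Access", "Contractor Web"}},
    {"name": "DataCenter Network", "type": "network_connector",
     "policies": {"Dev Access"}},
    {"name": "SQL Reporting", "type": "ssl_tunnel", "policies": {"Admins"}},
]


def policies_for(user, accounts=ACCOUNTS, policies=POLICIES):
    """Policies a user matches through any of their groups."""
    groups = accounts[user]["groups"]
    return {name for name, attached in policies.items() if attached & groups}


def effective_access(accounts=ACCOUNTS, policies=POLICIES, resources=RESOURCES):
    """Map each user to the sorted resource names they can launch."""
    return {
        user: sorted(r["name"] for r in resources
                     if r["policies"] & policies_for(user, accounts, policies))
        for user in accounts
    }


def radius_bypass_candidates(accounts=ACCOUNTS, policies=POLICIES,
                             resources=RESOURCES):
    """RADIUS users who can reach a Network Connector, where the page says
    the client accepts the local Barracuda password instead."""
    connector_policies = set().union(
        *(r["policies"] for r in resources if r["type"] == "network_connector"))
    return sorted(u for u, info in accounts.items() if info["radius"]
                  and policies_for(u, accounts, policies) & connector_policies)


if __name__ == "__main__":
    print(effective_access())
    print("review local passwords for:", radius_bypass_candidates())
```

The accounts it returns are the ones whose local passwords deserve the same care as the RADIUS credentials.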

To create a network connector, select the Resources Tab, and the Network Connector sub-tab. 

In the Actions section, select (3) the Configure Network button, define the DHCP range for clients, and make sure the DNS Domain Name and Primary DNS Server are correct.  Then select the Policies that can use the Network Connector and press Save.  Note that the DHCP range MUST be on the local subnet.  (yea, I know... Lame!)

Once you restart the service, under the Server Instance, LAN1 should be green, and under Client Configurations, a new LAN1 Client will be created. 

The Client Configuration's "LAN1 Client" icon and name is what others will see when they want to launch the Network Connector.  Because of this, I like to rename "LAN1 Client" to something a bit more meaningful like "DataCenter Network" or "Corporate Office" or something.  To do this, select (4) Copy to duplicate this service and allow you to modify it.

Then under the Details Section, rename the service to something more meaningful.
 


And lower down, under the Resource Categories, Select where it will show up (in the Favorites), and the Policies for who will have access to it. 

You will also need to define routes so that the clients get proper routes pushed down to them.  (The Barracuda will default properly and traffic will be good, but the clients need to know what needs to be pushed through the tunnel, and what should not.)

Under Server Interfaces, Edit LAN1. 

Then under Routing add the routes to distribute and select (1) Add>> to enter them in the route table. 
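Since routes are the only limit on what Network Connector users can reach, and the DHCP range has to sit on the local subnet, it is worth checking a plan before typing it in. This is an added example, not part of the Barracuda product: the function name, the sample addresses and the /16 "broad route" threshold are assumptions.

```python
import ipaddress

# Assumed review threshold, not a Barracuda limit: routes covering more
# addresses than a /16 are reported as broad.
MAX_ROUTE_ADDRESSES = 65536


def check_connector_plan(lan, dhcp_start, dhcp_end, routes):
    """Return a list of findings for a planned Network Connector setup."""
    lan_net = ipaddress.ip_network(lan)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    findings = []
    if start > end:
        findings.append(f"DHCP range {start}-{end} is reversed")
    for label, addr in (("start", start), ("end", end)):
        if addr not in lan_net:
            findings.append(f"DHCP {label} {addr} is outside local subnet {lan_net}")
    for route in routes:
        try:
            net = ipaddress.ip_network(route)  # strict: rejects host bits
        except ValueError:
            findings.append(f"route {route} is not a valid network address")
            continue
        if net.prefixlen == 0:
            findings.append(f"route {net} pushes all client traffic into the tunnel")
        elif net.num_addresses > MAX_ROUTE_ADDRESSES:
            findings.append(f"route {net} is broad ({net.num_addresses} addresses)")
    return findings


# Constructed plans: addresses are examples, not taken from the page.
GOOD = check_connector_plan("192.168.10.0/24", "192.168.10.200",
                            "192.168.10.220", ["10.20.0.0/16", "172.16.5.0/24"])
BAD = check_connector_plan("192.168.10.0/24", "192.168.20.10",
                           "192.168.20.50", ["0.0.0.0/0", "10.0.0.0/8", "10.1.2.3/24"])

if __name__ == "__main__":
    print("good plan findings:", GOOD)
    for finding in BAD:
        print("bad plan:", finding)
```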



SSL Tunnels:

These are like Network Connectors, but they only provide access to one system at a time.  This is good if you need to provide SQL access to one database or something like that.  You don't want to provide full access with the network connector, and the application that the user would use might be non-standard, so you can not provide services with the Applications. 

To create an SSL Tunnel, select the Resources Tab, and the SSL Tunnels sub-tab.  Provide a name for the tunnel, what IP you want to connect to, and over what port.  Then define what policies can use this and press Add to save.

