How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

Similar documents
How to Configure a Remote Management Tunnel for an F-Series Firewall

How to Set Up VPN Certificates

How to Configure an ISP with DHCP

Example - Configuring a Site-to-Site IPsec VPN Tunnel

VMware Horizon View Deployment

How to Configure a Client-to-Site L2TP/IPsec VPN

History Page. Barracuda NextGen Firewall F

Defining IPsec Networks and Customers

Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

How to Configure a Dynamic Mesh VPN with the GTI Editor

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default.

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Configuration Guide Barracuda NG Firewall. TheGreenBow IPsec VPN Client. Written by: TheGreenBow TechSupport Team Company:

How to Configure an IPsec Site-to-Site VPN to a Windows Azure VPN Gateway

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

KB How to Configure IPSec Tunneling in Windows 2000

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Configuring Virtual Servers

Authentication, Encryption, Transport, and VPN Routing

User Manual. SSV Remote Access Gateway. Web ConfigTool

How to Configure IPSec Tunneling in Windows 2000

HP Load Balancing Module

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Virtual Private Cloud. User Guide. Issue 03 Date

Using the Terminal Services Gateway Lesson 10

How to Configure Connection Fallback using Multiple VPN Gateways

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN.

Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure

Configuring the CSS for Device Management

Barracuda Firewall Release Notes 6.5.x

VPN Connection through Zone based Firewall Router Configuration Example

How to Configure SSL Interception in the Firewall

Configuring a Hub & Spoke VPN in AOS

Authentication, Encryption, Transport, IP Version and VPN Routing

vcloud Director Tenant Portal Guide vcloud Director 8.20

es T tpassport Q&A * K I J G T 3 W C N K V [ $ G V V G T 5 G T X K E G =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX *VVR YYY VGUVRCUURQTV EQO

Cisco Unified Operating System Administration Web Interface

Configuring the VPN Client

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder

How to Create a TINA VPN Tunnel between F- Series Firewalls

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org

MRD-310 MRD G Cellular Modem / Router Web configuration reference guide. Web configuration reference guide

Support for policy-based routing applies to the Barracuda Web Security Gateway running version 6.x only.

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Deploying F5 with Microsoft Remote Desktop Services

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Load Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org

AT&T Cloud Web Security Service

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

Using Diagnostic Tools

Configuring L2TP over IPsec

SIP Proxy Deployment Guide. SIP Server 8.1.1

Module 9. Configuring IPsec. Contents:

G806+H3C WSR realize VPN networking

Example - Allowing SIP-based VoIP Traffic

How to Create a Custom Connection Object

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

How to Make the Client IP Address Available to the Back-end Server

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

CompTIA Exam JK0-023 CompTIA Network+ certification Version: 5.0 [ Total Questions: 1112 ]

How to Configure the Barracuda VPN Client for Windows

Load Balancing Sage X3 ERP. Deployment Guide v Copyright Loadbalancer.org, Inc

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Identity Firewall. About the Identity Firewall

Table of Contents 1 IKE 1-1

Application Note Asterisk BE with Remote Phones - Configuration Guide

How to Configure a High Availability Cluster in Azure via Web Portal and ASM

Installing and Configuring vcloud Connector

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

LAN to LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example

Configuring the Catena Solution

GSS Administration and Troubleshooting

If you prefer to use your own SSH client, configure NG Admin with the path to the executable:

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

CCNA Security PT Practice SBA

MCSA Guide to Networking with Windows Server 2016, Exam

Wave 5.0. Wave OpenVPN Server Guide for Wave 5.0

TheGreenBow IPsec VPN Client. Configuration Guide Palo Alto. Website: Contact:

How to Configure an ISP using a WWAN Modem

Firepower Threat Defense Site-to-site VPNs

How to Configure CC Administrative Roles

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Managing External Identity Sources

Juniper JN DX Specialist (JNCIS-DX) Download Full Version :

Cisco QuickVPN Installation Tips for Windows Operating Systems

Application Note Asterisk BE with SIP Trunking - Configuration Guide

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Configuring Network Proximity

Troubleshoot. What to Do If. Locate chip.log File

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Probe Service Board Module v1.0

Implementation Guide - VPN Network with Static Routing

Troubleshoot. What to Do If. Locate chip.log File. Procedure

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Transcription:

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls If the managed NG Firewall can not directly reach the NG Control Center it must connect via a remote management tunnel. The remote NG Firewall uses the certificate keys exchanged at deployment to authenticate to the NG Control Center. Since it is not recommended to use an external IP address as a management IP the remote NG Firewall is assigned a Virtual IP (VIP) in the local network. The VIP is used to connect to the remote NG Firewall from the local network. Depending on whether the VIP is a subnet of the local network, or a separate network access rule and route entries on the border firewall and a access rule on the CC firewall are needed. In this article: Before you Begin Use an available network or subnet to be used for the VIP addresses You need the external IP address of the border firewall. Step 1. Configure a VIP Network on the NG Control Center 1. Open the Box VIP Network Ranges page (Config > Multi-Range > Global Settings). 2. In the left menu, click VIP Networks. 3. Click Lock. 4. In the VIP Networks table, add an entry for the network range. Configure the following settings for the entry: Name A name for the network range. Address Range Start Enter the VIP Network network address. Address Range Netmask The netmask. 5. (optional) In the left menu, click VPN Settings. 6. (optional) The VPN Settings are set to sensible default values. If necessary you can change these settings: Click here for VPN Settings... Pending Session Limitation Only five NG Firewalls are allowed to initiate management tunnels at the same time. Connection attempts exceeding the limit are blocked. This features makes sure that the Control Center is not overloaded due to too many management tunnel requests. Use Tunnels for Authentication (rarely used) Registers the tunnel network and credentials so that all traffic going through the management tunnel is treated as traffic from an authenticated 1 / 9

user. You can use this criteria to create access rules in the CC firewall. To improve startup speed, disable this feature. You can see these virtual management tunnel users on the box level of the NG Control Center in FIREWALL > Users. Prebuild Cookies on Startup Prebuilds cookies when the VPN service is started. This might slow the VPN service startup but increases the speed of tunnel builds. This setting also prevents high system loads on Barracuda NG Firewalls with a large number of VPN tunnels. High system load caused by the VPN service can occur, if a large number of VPN tunnels are established simultaneously after an unit reboot or ISP outage. 7. (optional) In the left menu click on Rekey/Alive Rates. The rekey/alive rates are set to sensible default values. If necessary you can change these settings: Click here for Rekey/Alive Rates... Server enforces Limits Specifies that the VPN service of the Barracuda NG Control Center enforces the key limits. If disabled, the Barracuda NG Firewall enforces the limits. Key Time Limit [Minutes] The rekey period. Key Byte Limit [Mbytes] The rekey period after specified amount of Mbytes. Tunnel Probing [Seconds] The interval in which keepalive packets sent to the remote tunnel end. the Tunnel Timeout [Seconds] The length of time after which a tunnel is considered down if an answer has not been received by the vpnc process. Enter a smaller value for the Tunnel Timeout than the Tunnel Probing value. 8. 9. Click OK. Click Send Changes and Activate. Step 2. Configuration of the Managed NG Firewall Step 2.1. Make the External IP Address Available on the Box Layer One external IP address must be available on the box layer of the remote NG Firewall to ensure that the management tunnel can be initiated even if the virtual server hosted on the NG is down. If you are using dynamic Internet connection, skip this step. 1. 2. 3. 4. 5. 6. 7. Open the Network page for the managed NG Firewall (Multi-Range > your range > your cluster > your managed NG Firewall ). Click Lock. In the left menu click on IP Configuration. Click + in the Additional Local IPs section. The IP Address Configuration window opens. Configure the additional local IP address: Interface Select the interface for the Internet connection IP Address Enter the external IP address for the managed NG Firewall. Responds to Ping Select Yes. Default Gateway Enter the default gateway supplied by your ISP. Click OK. Click Send Changes and Activate. Step 2.2. Remote Management Tunnel Settings 1. Open the Network page for the managed NG Firewall (Multi-Range > your range > your cluster > your managed NG Firewall ). 2. Click Lock. 3. In the left menu click Management Access. 2 / 9

4. 5. 6. 7. 8. 9. Set Enable Tunnel to yes. Enter a free Virtual IP (VIP) for the managed NG Firewall. Click the Tunnel Details Edit button. The Tunnel Details window opens. Enter all IP addresses that need to be reached through the management tunnel. Typically this would be: NG Control Center IP Address NG Control Center box layer IP Address Authentication Servers IP addresses E.g, the Active Directory server(s). External NTP servers Enter the external IP address of the border firewall in the VPN Point of Entry list. You can define multiple points of entry if your border firewall is using multiple ISPs. E.g., 62.99.0.40 (optional) If needed you can change the advanced settings for the management tunnel. Advanced Configuration Mode Some settings are only available in advanced configuration mode. Expand the Configuration Mode menu in the left menu and click Switch to Advanced. Management Tunnel Configuration Setting Remote Networks VPN Server Key VPN Server VPN Port Outbound Proxy Description In this table, add the IP addresses of all management workstations that access the firewall, as well as all required external authentication servers like MSAD. Click this button to import the public RSA key of the VPN service the tunnel client will connect to. In this field, add the IP address of the tunnel the client will connect to (usually the server IP address of the system that is running the VPN service). In this field, specify the VPN port. If the system must go through an intermittent proxy server when connecting to the target server, select the proxy server type: To use the proxy that has been configured on the Administrative Settings page, select Like-System-Settings. If you select HTTPS or SOCKS4/5, you must also specify a proxy address and port. If you select HTTPS, the username and password are optional. Transport Protocol Select TCP or UDP for VPN transports. Encryption Cipher Select AES, AES-256, CAST, Blowfish, DES, or 3DES. VPN Outbound IP Proxy Server IP The IP address for establishing the tunnel. If you do not specify an IP address, the IP address is chosen according to the current routing configuration. If the management setup provides a proxy server, specify its IP address. Proxy Server Port If the management setup provides a proxy server, specify its server port. Proxy User Proxy Password If you are using HTTPS, enter the username for proxy server authentication. If you are using HTTPS, set the password for proxy server authentication. Connection Monitoring Setting Reachable IPs No. of ICMP Probes Waiting Period [s/probe] Description Add the IP addresses of hosts that should be reachable through the tunnel. The number of ICMP echo packages that are sent via the VPN tunnel (default: 2 ). The number of seconds per probe to wait for an answer (e.g. probes=3 and waiting period=2 results in 3x2 s waiting time; default: 1 ). 3 / 9

Run Probe Every [s] The i nterval in seconds that ICMP probes are run (default: 15 ). Failure Standoff [s] Alarm Period [s] If no connection is possible, time in seconds to wait before a retry (default: 45 ). The time in seconds after an unsuccessful connection attempt before an alarm is set off (default: 120 ). Rekey/Alive Rates Setting Key Time Limit [Minutes] Tunnel Probing [Sec] Tunnel Timeout [Sec] Serial Console Settings Description Specifies the interval in which tunnel keys are regenerated. Note, that specifying low values causes higher system load. The interval in which keep alive packets are sent to the remote tunnel end. The timeout after which the tunnel will be actively re-established after probing has failed. To edit the serial console settings, you must be in the advanced configuration mode. To access this mode, expand the Configuration Mode menu in the left navigation pane and then click Switch to Advanced. Descriptions of the settings that you can configure in the Connection Details configuration window from the Serial Console section of the Network - Management Access page: 10. 11. Setting PPP Remote IP PPP Local IP Require PAP Description (Advanced Configuration Mode) Enter the IP address of the client when connecting via the serial IP address. (Advanced Configuration Mode) Enter the IP address of the Barracuda NG Firewall. If this field is empty, the Box IP address is used. (Advanced Configuration Mode) Specifies if the connecting client is required to authenticate itself to the Barracuda NG Firewall [possible users: root or support user]. Click OK. Click Send Changes and Activate. Step 3. Create an DNAT Access Rule for the MGMT Tunnels on the Border NG Firewall You must create a destination NAT access rule to forward the management tunnel traffic to the NG Control Center: Action Select Dst NAT. Source Select Internet. Service Create and then select a service object to allow TCP traffic on port 692. Destination Enter the VIP network or select a network object containing the VIP network. Target List Enter the IP address of the NG Control Center. E.g., 10.0.10.77 List of Critical Ports Enter 692. Connection Select Dynamic SNAT. 4 / 9

Step 4. Create and Deploy the PAR file to the remote NG Firewall You must create a PAR file for the remote NG Firewall on the NG Control Center and then deploy the configuration. Step 5. (optional) Create Access Rules and Routing Entries for separate VIP networks You only need to complete these steps if you are using VIP addresses which are not part of your local network. You must have a CC firewall service running on the box level of your NG Control Center. For more information, see Control Center CC Firewall. Step 5.1 Create a Routing Entry for the VIP Network on the Border Firewall 1. 2. 3. 4. Open the Network page for your border firewall (Box > Network). In the left menu click Routing. Click Lock. Add a route for the VIP network: Target Network Address Enter the VIP network. E.g., 10.0.11.0./24 Route Type Select gateway. Gateway Enter the IP address of the NG Control Center E.g., 10.0.10.70 Trust Level Select Trusted. 5 / 9

5. 6. 7. Click OK. Click Send Changes and Activate. Activate the network changes on the Box page (CONTROL > Box). Step 5.2. Create a Access Rule to on the Border Firewall To forward traffic from the local network through the remote management tunnel to the remote NG Firewall you must create a routing entry on the border firewall and a access rule permitting traffic from the local to the VIP network: Create the following access rule on your border firewall. Action Select PASS. Source Select Trusted LAN. Service Select Any. Destination Enter the VIP network or select a network object containing the VIP network. Connection Select Dynamic SNAT. 6 / 9

Step 5.3. Create an Access Rule in the CC Firewall on the NG Control Center You must be running the CC Firewall on the NG Control Center to create an access rule. For more information, see Control Center CC Firewall. 1. 2. 3. 4. Log in to the box layer of your NG Control Center. Verify that you are running a CC Firewall service. Open the Forwarding Rules page (Simple Config > Config Tree > Virtual Servers > S1 > Firewall). Create an access rule with the following settings: Action Select PASS. Source Select Trusted Networks. Bidirectional Set the bidirectional checkbox. Service Select Any. Destination Enter the VIP network or select a network object containing the VIP network. Connection Select No Src NAT. 7 / 9

5. Click OK. 6. Click Send Changes and Activate. 8 / 9

Figures 9 / 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback