Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration OTP Barracuda Networks Barracuda SSL VPN User Name + Security Code VIP Enterprise Gateway (EG) 8.x or higher

This document describes how to integrate Barracuda SSL VPN with VIP Enterprise Gateway (EG) to allow the User Name + Security Code authentication method. In this authentication method, the first factor is validated by Active Directory (AD)/LDAP, and the second factor is validated by EG.

Remote Access Integration Architecture

User Name + Security Code Authentication method

The following diagram illustrates how the User Name + Security Code authentication method is configured for Barracuda SSL VPN and VIP Enterprise Gateway.

VIP Integration Guide for Barracuda SSL VPN Page 1 of 14
Figure 1 Authentication process for the User Name + Security Code authentication method

1. The user enters a user name, password, and a security code.
2. As the first part of the two-factor authentication process, Barracuda SSL VPN sends the user name and the password to AD/LDAP.
3. If AD/LDAP authenticates the user name and the password, AD/LDAP returns the group permission details and the authentication response to Barracuda SSL VPN.
4. As the second part of the two-factor authentication process, Barracuda SSL VPN sends the user name and the security code to the Validation Service.
5. The Validation Service authenticates the user name and the security code with the VIP Authentication Service.
6. If the user name and the security code are authenticated, the Validation Service returns an Access-Accept authentication response to Barracuda SSL VPN, based on which the user is allowed to log in.

Integration Summary

The following summary of procedures describes how to install and configure Barracuda SSL VPN for two-factor authentication through VIP Enterprise Gateway.

1. Install and Configure VIP Enterprise Gateway
   For more information on installing and configuring VIP Enterprise Gateway, refer to the VIP Enterprise Gateway Installation and Configuration Guide.
2. Configure Barracuda SSL VPN
   Complete the following procedures to configure Barracuda SSL VPN:
   1. Integrate User database with Active Directory/LDAP.
   2. Create Policies and assign them to AD/LDAP user accounts or Groups.
   3. Configure Resources and assign Policies to the Resources.
   4. Create authentication schemes and assign policies to the schemes.
   5. Configure RADIUS server settings.
3. Configure and Test an end user:
   1. Configure and test an end user using SSL VPN web portal.
Install and Configure VIP Enterprise Gateway

Install VIP Enterprise Gateway based on the procedures described in the VIP Enterprise Gateway Installation and Configuration Guide. Add the Validation Server in the User Name + Security Code mode. (See Figure 2 Add Validation Server Page)

Figure 2 Add Validation Server Page

Configure Barracuda SSL VPN

Complete the procedures in this section to configure Barracuda SSL VPN. You must use the ssladmin account to log in to the Barracuda SSL VPN web portal to complete these procedures.
Examples of links that you can use to launch the Barracuda SSL VPN web portal are https://<ip>:443 and http://<ip>:80, where 443 and 80 are the port numbers that you must use in the link to access the Barracuda SSL VPN web portal.

For more information on the ssladmin account and the ports to be configured, refer to the Barracuda SSL VPN Administrators Guide, Version 2.X.

NOTE: The screen shots in these procedures are taken from Barracuda SSL VPN Virtual appliance (Firmware Version: 2.0.1.026). Refer to the Barracuda SSL VPN Administrators Guide, Version 2.X for specific screen shots and procedures.

1: Integrate User Database with AD/LDAP

1. In the Barracuda SSL VPN web portal, click the Access Control tab.
2. Under the Access Control tab, click User Databases.
   In the User Database section, view the Default, Global, and Super Users databases. The type of these databases is Built-in. You can edit the attributes of the Default database and integrate it with the AD/LDAP. This procedure explains how to integrate the Default database with AD/LDAP.
   Note: Alternatively, you can create a new database and integrate it with AD/LDAP. If you create a new database, you must use the More link in the Actions column to synchronize the database with AD/LDAP.
Figure 3 User database configuration page

3. To integrate the Default database with AD/LDAP, click the Edit link in the Actions column of the Default database.
4. In the edit browser window, in the Connection section, enter the details of AD/LDAP.
5. Click Test to verify the user database configuration.
6. Click Save at the bottom of the edit browser window to save the user database configuration.
7. Under the Access Control tab, click Accounts to view the user accounts that are associated with AD/LDAP.
8. Under the Access Control tab, click Groups to view the user groups that are associated with AD/LDAP.

2: Create Policies and Assign Them to AD/LDAP User Accounts or Groups

1. Under the Access Control tab, click Policies to create the policies and associate them with the user groups.
   In the Policies section, you can view the policies that you have created.
Figure 4 Policy creation page

3: Configure Resources and Assign Policies to Resources

1. In the Barracuda SSL VPN web portal, click the Resources tab.
2. Under the Resources tab, configure the required resources and assign policies to them.
   For more information on configuring the resources, refer to the Barracuda SSL VPN Administrator's Guide Version 2.x.

4: Create Authentication schemes and assign policies

1. In the Barracuda SSL VPN web portal, click the Access Control tab.
2. Under the Access Control tab, click Authentication Schemes.
3. In the Create Scheme section, enter the details to create an authentication scheme.
   In the Authentication Schemes section, view and manage the authentication scheme that you have created. The following figure displays the Authentication Scheme that is created for the User Name + Security Code authentication method:

Figure 5 Authentication schemes and configuration page
Figure 6 Authentication Schemes results pane

5: Configure the RADIUS Server Settings

1. In the Barracuda SSL VPN web portal, click the Access Control tab.
2. Under the Access Control tab, click Configuration.
3. In the Configuration browse window, in the RADIUS section, specify the RADIUS Server settings and click Save Changes.
   Note: For these RADIUS Server settings, select PAP as the authentication method.
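The following is an added example, not part of the original guide or of any Barracuda or Symantec code. It shows what selecting PAP means for step 4 of the authentication process: the security code travels in the RADIUS User-Password attribute, hidden only by an MD5 keystream derived from the shared secret and the Request Authenticator (RFC 2865, section 5.2). Function names are illustrative assumptions.

```python
# Added example, not vendor code: RADIUS PAP Access-Request per RFC 2865.
import hashlib, os, struct
ACCESS_REQUEST = 1                   # RADIUS packet code
USER_NAME, USER_PASSWORD = 1, 2      # RADIUS attribute types

def pap_hide(value, secret, authenticator):
    """Client side: hide User-Password (RFC 2865 section 5.2)."""
    if not 1 <= len(value) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = value + b"\x00" * (-len(value) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each 16-byte block is XORed with MD5(secret + previous ciphertext block).
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Server side: recover the value with the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, code, secret, ident, authenticator=None):
    """Packet the VPN sends: user name plus PAP-hidden security code."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(
        USER_PASSWORD, pap_hide(code.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet, secret):
    """Validating side: check lengths, then return (user name, security code)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\x00"))
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs[USER_NAME].decode(), pap_reveal(attrs[USER_PASSWORD], secret, authenticator).decode()
```

The user name is sent in clear and the security code is only as well protected as the RADIUS shared secret, so use a long random secret and keep the RADIUS traffic on a trusted network segment.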
Figure 7 RADIUS Server settings page

Configure and Test an End User

1. Click the link to launch the Barracuda SSL VPN web portal.
   The examples for the links that you can use to launch the Barracuda SSL VPN web portal are https://<ip>:443 and http://<ip>:80, where 443 and 80 are the port numbers that you must use in the link to access Barracuda SSL VPN web portal.
   For more information on the SSL VPN user interface and the ports, refer to the Barracuda SSL VPN Administrators Guide, Version 2.X.
2. In the first login page, enter the user name and click Login.

Figure 8 First login prompt

   Note: If there is more than one user database configured, the first Login page displays the More link near the Username field. Click this link to select the appropriate database before you click Login.

Figure 9 User database selection login prompt

3. In the next Login page, enter the password and click Login.
Figure 10 Second login prompt

4. In the third Login page, enter the security code and click Login.

Figure 11 Third login prompt

5. After you successfully log in to Barracuda SSL VPN, you can view the user home page as shown below:
Figure 12 User's Home page
Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.
This document may describe features and/or functionality not present in your software or your service agreement. Contact your account representative to learn more about what is available with this Symantec product.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
http://www.verisign.com/support/contact/index.html