Barracuda Web Security Gateway

How to Configure SSL Inspection Version 10 and 11

IMPORTANT

This article applies to the Barracuda Web Security Gateway running version 10.x or 11.x. For version 12 and above, see How to Configure SSL Inspection Version 12 and Above. With version 12 and above, configuration of this feature is simplified and does not require specifying Transparent or Proxy mode.

SSL Inspection is a resource intensive feature and is configured differently by model as shown in this article. For background information, see Using SSL Inspection With the Barracuda Web Security Gateway. If you are using Google Chrome browser, see How to Configure SSL Inspection for Google Chrome Browser to prevent certificate errors users might encounter. The Barracuda Web Security Gateway 310 Vx does NOT support SSL Inspection, and the 610 Vx supports only Proxy Mode inspection, including adding domains and categories.

IMPORTANT: If you want to use SSL Inspection with Google consumer apps, see:

Use the Barracuda Web Security Gateway as a secure intermediary between HTTPS requests and destination web servers to apply granular control to applications and sub applications you want to block or allow. If you only need to block domains and content categories, you can use the HTTPS Filtering feature instead. See HTTPS Filtering With the Barracuda Web Security Gateway.

Configure SSL Inspection for Barracuda Web Security Gateway 310

The Barracuda Web Security Gateway 310 Vx virtual machine does NOT support SSL Inspection.

  1. Log in to the Barracuda Web Security Gateway web interface and go to the BLOCK/ACCEPT > Configuration page.
  2. Set Enable SSL Inspection to Yes.
  3. Select whether to use the default Barracuda Networks root certificate or create your own self-signed certificate. Barracuda Networks recommends creating your own self-signed certificate. To create one, click Create Certificate and follow instructions.

  4. Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.

    As an administrator you may have methods of pushing the certificate to managed remote devices. For unmanaged devices, you may want to enable users to install the certificate in their browsers themselves. In this case you will need to provide them access to the certificate file. You can do so by emailing the certificate, or posting it on an internal network share, or posting it on a public or private web server.

  5. Install the certificate file in all client browsers. If you want to enable users to install the certificate in their browsers, see the note above.

SSL Inspection will then apply to YouTube for Schools access and to any SafeSearch selections you make on the BLOCK/ACCEPT > Content Filters page.

Configure SSL Inspection for Barracuda Web Security Gateway 410 and higher

  1. Log in to the Barracuda Web Security Gateway web interface, and go to the ADVANCED > SSL Inspection page.
  2. Select the SSL Inspection Method.
    • Transparent – Use with inline deployments. This inspection method is more resource intensive than the Proxy inspection method. If you have a Barracuda Web Security Gateway Vx virtual appliance, you must select Proxy since the Vx does not support inline deployment.

       Warning: This is a resource intensive feature, and Transparent inspection can, under certain configurations, result in a large impact on performance. 

      Barracuda Web Security Gateway 410 and 610 deployed inline: Note that you cannot select specific domains or categories for SSL Inspection in Transparent mode (see step 3 for details). However, SSL Inspection will automatically be applied to Safe Search, Google searches and applications and features you configure on the BLOCK/ACCEPT > Web App Monitor and Web App Control pages.
      Barracuda Web Security Gateway 910 and higher: Note that you cannot select specific content filter categories to inspect with this method.

    • Proxy – Use with Forward Proxy deployments. This mode is less resource intensive than the Transparent inspection method. Configure all client web browsers with the IP address of the Barracuda Web Security Gateway as their forward proxy server. Select this method if you have a Barracuda Web Security Gateway Vx virtual appliance. With the Barracuda Web Security Gateway 410 and 610, you can select specific domains and categories for SSL Inspection (see step 3 for details). If you are using the Chrome browser, also see How to Configure SSL Inspection for Google Chrome Browser.

    • Off – Disable SSL Inspection of HTTPS traffic. This means that the Barracuda Web Security Gateway will not decrypt HTTPS traffic at the URL level. You will be able to block/allow HTTPS domains, but you will not be able to archive actions users take on social media sites such as Facebook chat content, logins on Twitter or Yahoo!, etc. as defined on the BLOCK/ACCEPT > Web App Monitor page.

  3. Optionally enter specific domains or content filter categories to SSL inspect. In most use cases, no further configuration is necessary for the Barracuda Web Security Gateway to SSL inspect sites and applications you specify on the BLOCK/ACCEPT > Web App Control page and the BLOCK/ACCEPT > Web App Monitor page.

    When to select specific domains or categories to SSL inspect

    You only need to specify specific domains or categories in the Domains or Content Filter Categories sections of the ADVANCED > SSL Inspection page if you need to SSL inspect web traffic for a domain that is not associated with any applications on the BLOCK/ACCEPT > Web App Control page.

    Because enabling SSL Inspection increases the load on system resources, you should only specify inspection domains and/or content filter categories that meet the needs of your organization. With the Barracuda Web Security Gateway 410 and 610 using Transparent Mode, you cannot select domains and categories to inspect.

    If you do need to specify domains or categories on the ADVANCED > SSL Inspection page:

    • Inspected Domains – Enter up to 5 domain names that you want inspected and filtered at the URL level. You will see the entire HTTPS URL in reports for these domains.

    • Content Filter Categories – Using the Add and Remove buttons, from the Categories List, you can add or remove content filter categories to/from the list of categories that you want to be inspected. You must use the Proxy inspection method to inspect categories.

  4. Required: Create a self-signed SSL certificate and install it in client browsers. Click Create Certificate and follow instructions.
  5. Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected. For details, see How to Create and Install a Self-Signed Certificate for SSL Inspection.
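
The certificate steps in both procedures above require the downloaded root certificate to land in the Trusted Root store rather than a Personal store. The following is an added example, not Barracuda's own tooling, showing one way to install and verify this on a managed Windows client. It assumes an elevated PowerShell session, and the file path is a placeholder for wherever you saved the download.

```powershell
# Added example: deploy the downloaded inspection root certificate to the
# machine-wide Trusted Root store and flag copies left in a Personal store.
# Run from an elevated PowerShell session on the client.
param(
    # Assumed path: wherever you saved the file from "Root Certificates For Browsers".
    [string]$CertPath = 'C:\Temp\gateway-root.cer'
)

$ErrorActionPreference = 'Stop'

# Load the file to get the thumbprint used for every store lookup below.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$thumb = $cert.Thumbprint
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $thumb"
Write-Host "Expires:    $($cert.NotAfter)"

# A root certificate is self-issued; anything else is probably the wrong file.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Subject and Issuer differ; this does not look like a root certificate."
}

# Install into Trusted Root Certification Authorities if not already present.
$rootStore = 'Cert:\LocalMachine\Root'
if (-not (Test-Path "$rootStore\$thumb")) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $rootStore | Out-Null
    Write-Host "Installed into $rootStore"
} else {
    Write-Host "Already present in $rootStore"
}

# Flag copies in a Personal store, where the certificate does not establish trust.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    if (Test-Path "$store\$thumb") {
        Write-Warning "Copy found in $store (Personal); remove it after confirming the Root install."
    }
}

# Final check: fail loudly if the certificate is still not in the Root store.
if (-not (Test-Path "$rootStore\$thumb")) {
    throw "Certificate $thumb is not in $rootStore"
}
Write-Host "OK: $thumb is trusted machine-wide."
```

Record the printed thumbprint when you create the certificate so that helpdesk staff can confirm a client trusts the expected root and not a different one.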

SSL Inspection Modes by Model With Version 10 and Above

Table 1.

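| Model Comparison | 310 | 410 | 410 Vx | 610 | 610 Vx | 810 | 910 | 1010 / 1011 |
|---|---|---|---|---|---|---|---|---|
| Proxy Mode | | X | X | X | X | X | X | X |
| Proxy Mode: Add up to 5 domains | | X | - | X | X | X(3) | X | X |
| Proxy Mode: Add categories | | X | - | X | X | X | X | X |
| Transparent Mode | | X(1) | X(1) | X(1) | X(1) | X(2) | X(2) | X(2) |
| Transparent Mode: Add up to 5 domains | | - | - | - | - | X | X | X |
| Transparent Mode: Add categories | | - | - | - | - | - | - | - |
| Remote Filtering Tab (WSA) | | X | X | X | X | X | X | X |
| SafeSearch | X(3) | X | X | X | X | X | X | X |
| Web Application Control | | X(3) | - | X | X | X | X | X |
| Web Application Monitoring | | X(3) | - | X | X | X | X | X |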

Notes:

(1) In Transparent mode, you cannot configure domains or categories. If you currently use Proxy inspection and are switching to Transparent inspection, any domains or categories you have specified for SSL Inspection are disabled. If you switch back to Proxy inspection, domains and categories are restored.

(2) In Transparent mode, you can configure domains, not categories. Test SSL Inspection with a few domains to ensure system performance is satisfactory. If you currently use Proxy inspection and are switching to Transparent inspection, any categories you have specified for SSL Inspection are disabled. If you switch back to Proxy inspection, categories are restored. To prevent system overload, after switching to Transparent inspection, you cannot add more domains.

(3) Available with version 10.0

The Barracuda Web Security Gateway 310 Vx does NOT support SSL Inspection, and the 610 Vx supports only Proxy Mode inspection, including adding domains and categories.

Using SSL Inspection With the Barracuda Web Security Agent

If you have remote users with Macs or Windows laptops outside the network running the Barracuda Web Security Agent (WSA) with the Barracuda Web Security Gateway, you can configure the Barracuda Web Security Gateway to SSL Inspect HTTPS traffic. See SSL Inspection With the Barracuda Web Security Agent.