It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure the Access Control Service

  • Last updated on

The Access Control service defines security policies for network users (e.g., VPN clients) and enables the CloudGen Firewall to perform identity and health checks on clients. For this feature, the Barracuda CloudGen Firewall includes an automatic software downloader, which periodically connects to the Barracuda Networks website. To reduce the need for permanent Internet connection for Barracuda CloudGen Firewalls, the Barracuda Networks update service behaves differently on stand-alone boxes than on CC-administered boxes. Internet access using an HTTP/HTTPS proxy server is possible.

Configure the Access Control Service

Before You Begin
  • Create an Access Control service on the CloudGen Firewall. For more information, see How to Assign Services.

  • Stand-alone boxes running an Access Control Service require Internet access.

  • CC-administered boxes running an Access Control Service get the required files uploaded from the Barracuda Firewall Control Center. The CC itself requires Internet access to secure.phion.com:443.

Step 1. Configure the System Health Validator
  1. On a stand-alone CloudGen Firewall, go to CONFIGURATION > Configuration Tree > Box > Assigned Services > Access Control Service > Access Control Service Settings.
    On a Control Center, go to CONFIGURATION > Configuration Tree > Multi-Range > your range > your cluster > your box > Assigned Services > Access Control Service > Access Control Service Settings.

  2. In the Configuration menu on the left, select System Health Validator.

  3. (CC only) Define a global Trustzone if applicable. Leaving the Name field blank indicates that the local trustzone configuration (for example, only this Access Control Service should use the configured trustzone). For more information, see Configuring Access Control Service Trustzones.

  4. Set Start System Health-Validator to yes (default) to let the firewall start the Access Control Service module for authentication before VPN health validation occurs.

  5. Set Start VPN Health-Validator to yes (default: no) if required to let the Access Control Service module perform VPN health state evaluation.

  6. In the External IPs field, click + and define which service IP addresses should be declared as external. This information may be used in policy rules for health evaluation to distinguish between external and internal requests.

  7. (Optional) Adjust the parameters for the Health State Validation Cycle (default: 5): The Healthy (min.) value restricts validity time of authentication. If the client does not re-evaluate its health state within that period, all assigned network access rights will be dropped. Probation/Limited Access (min.) defines the probation interval of a health validation. If a client does not satisfy the health requirements in an initial health validation step, the client will be set into probation. It will get the special network access right probation, in addition to the rights it had when it was healthy. If the client does not become healthy within the probation time, it will be set to the health state “unhealthy” automatically after the probation time elapses.

  8. Configure User Authentication:

    • User Authentication Required is enabled by default. If set to No, the client will not re-evaluate its health state when a user logs on. For example, no current user health evaluation will take place.

    • From the Authentication drop-down menu, select the phibs Scheme used for basic authentication (default: MS CHAP).

    • When using MS CHAP, select the Fallback Authentication Scheme (default: MSAD). This scheme is used for authentication if the MS-CHAP authentication fails. The client will display a pop-up window requesting username and password.

      ac_gen.png
  9. In the Local Machine Authentication section, select whether a certificate is required for successful local machine authentication.

  10. If enabled, set the Search String Type to either Issuer or Subject. This parameter defines how the search string for box certificates is interpreted.

  11. In the Search String for Box Certificates field, enter an X.509 issuer string or an X.509 subject string (e.g. C=AT, O=Barracuda, OU=*,CN=*). Pattern matching is allowed.

When setting Certificate Required to yes for local machine authentication, you must set an accurate search string for box certificates since there is no default box certificate that can be used for authentication. The client needs to know which certificate from the local certificate store should be used for health evaluation.

  1. In the General Authentication section, select the Authentication Root/CA Certificate that should be used to verify the validity of certificates provided by clients within a local computer health validation process. On a CC, click the arrow icon on the right of the field to select a certificate from the CloudGen Firewall Certificate Store.

    cert_select.png
  2. To configure root certificate revocation settings, click Set/Edit. Certificate revocation can be done by using either CRL (LDAP) or OCSP.

  3. Configure Referrals:

  4. From the Remediation Server Location drop-down list, select where the remediation server can be reached:

    • Select This, if the remediation server is running on the same system as the Access Control Server. In this case, Start Remediation Server must be set to yes.

    • Select Other in case the remediation server is running on a different system, and specify the remediation server IP addresses in the fields below:

      • Internal Remediation Server IPs – IP address(es) of the remediation servers accessible by clients within the secure network.

      • External Remediation Server IPs – IP address(es) of the remediation servers accessible by clients within the restricted network.

      • VPN Remediation Service IPs – The IP address(es) for the Access Control Service remediation service module for VPN clients.

This IP address must not be identical with the internal or external remediation service's IP address.

Example: For the internal clients, the Access Control Service listening socket is on 10.0.8.108 and you also want to have a remediation service for clients connected via VPN:

  • Introduce an additional IP address, for example 10.0.8.150 on the virtual server layer, and insert these two bind IP addresses (10.0.8.108 and 10.0.8.150) in the Access Control Service configuration.

  • Now, open the Access Control Service settings, scroll down to the VPN Remediation Service IP addresses and select the IP address 10.0.8.150 from the drop-down menu.

  1. (CC only) Select the checkbox to enable Sync authentication to Trustzone.

Using a Barracuda Firewall Control Center, multiple Access Control Services can reference to the same trustzone. Clients that are already validated can be propagated to all Access Control Services sharing the same trustzone configuration. This also affects gateway firewall authentication.

  1. Click Send Changes and Activate.

The Health Validation Mode parameter, to be configured in Barracuda Firewall Admin within the Access Control Server Trustzones (VPN only) settings, may also be modified on the client using the following registry key:

Path

.DEFAULT\Software\Phion\phionha\settings\

Key

ScanRequired

Value

Moderate
Offensive

Step 2. Configure the Remediation Service
  1. In the Configuration menu on the left, select Remediation Service.

    rem_sevice.png
  2. Set Start Remediation Service to yes (default) to start the Access Control Server remediation service module.

  3. Set TLS required to yes (default) to allow unencrypted downloads from the remediation server.

This will increase download velocity; however, it will also decrease the security because Personal Firewall rulesets are transmitted unencrypted over the network.

  1. Click Send Changes and Activate.

Step 3. Configure Trustzone-Border Settings
  1. In the Configuration menu on the left, select Trustzone-Border.

  2. Enable Start Border Health-Validator to start the Access Control Service module responsible for trustzone border health state evaluation.

  3. In the Trustzone Border IP section, click + to add the IP address the health validator uses for listening for trustzone border health validations.

  4. In the Foreign Health Passp. Verification section, click + to add all foreign health passport verification keys here for health passports that should be trusted for this border trustzone. The health state of clients with a signed and trusted health passport is revalidated for this trustzone; however, their authentication credentials are accepted from the signed cookie.

  5. Add Allowed Peer Networks. Only peers from listed networks are allowed to perform trustzone border health validations.

  6. Click Send Changes and Activate.

Step 4. Configure Advanced Settings

Use the parameter Sync Access Cache to CC with care in case of limited bandwidth because the synchronisation consumes additional bandwidth. The parameter is available only in conjunction with a Barracuda Firewall Control Center.

  1. In the Configuration menu on the left, select Advanced.

  2. Adjust the following settings if required:

    • Log Level – This option defines the verbosity of log file output. Usually, it should be set to 0 (that is, no debug output). Higher values provide more detailed log information.

    • Number of used Threads – Number of used worker threads for health validation and remediation. The default value is 5.
      This should meet the requirements in most cases. Increasing this value leads to a more reactive server, but also increases the load on the system.

    • Keep Access Cache Entries (d) – Number of days for which access cache entries generated by activities traversing the Access Control Server should be deleted.

    • Keep Max. Access Cache Entries – Maximum number of access cache entries to keep.

    • Sync Access Cache to CC – If selected, the access cache entries of this Access Control Service are synced to the Barracuda Firewall Control Center. A consolidated health status of multiple Access Control Services will therefore be available. Additionally, the appropriate Barracuda Network Access Client service must e introduced on the CC.

    • Sync to HA – Enable / disable HA synchronization.

    • Resource Cleanup Policy – Enforce a strict resource cleanup policy in case of an overload on the service. This parameter is available only in advanced configuration mode. (Expand the Configuration Mode menu on the left and click Switch to Advanced.)

    • TLS/SSL Private Key – Corresponding RSA private key to be used with TLS.

    • Explicit TLS/SSL Certificate – The X.509 certificate to be used with TLS.

      cc_sync.png
  3. Click Send Changes and Activate.