It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda NextGen Firewall X
Overview Documentation Materials

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Enable SSL VPN and CudaLaunch

  • Last updated on

Configure SSL VPN on the X-Series Firewall to give end users remote access to corporate resources. It is recommended to use a signed certificate to avoid browser certificate warnings when accessing the SSL VPN portals.

Before you begin

  • If you are running a VPN server on the same public IP address, go to VPN > Settings and verify that Use TCP Port 443 is set to No.
  • Verify that you are not using DNAT access rules to redirect HTTPS traffic on the same public IP that the SSL VPN is using.

Step 1. Enable SSL VPN

When you enable the SSL VPN portal, determine if you are using a static, dynamic, or secondary IP address for the portal. Typically, the SSL VPN portal is deployed on a static public IP address with a respective DNS A resource record. The portal can also use a secondary IP address for internal access.

Static IP address
  1. Go to the NETWORK > IP Configuration page.
  2. In the Static Interface Configuration section, click Edit to configure your static WAN interface. 

  3. In the Edit Static Network Interface window, select the SSL VPN check box.
    ssl_von_config_01.png

    If the VPN service is also enabled for this interface, go to the VPN > Settings page and verify that Use TCP Port 443 is set to No.

  4. Click Save.
Secondary IP address

Typically, a secondary IP address is used to provide the SSL VPN portal on internal network segments.

  1. Go to the NETWORK > IP Configuration page.
    • In the Management IP Configuration section, select the SSL VPN check box next to the required IP address in the Secondary IP Addresses table, OR
    • When the IP address resides in a configured static network interface, edit the interface in the Static Interface Configuration section, and select the SSL VPN check box.
  2. Click Save.
Dynamic network interface

To use a dynamic interface to access the SSL VPN portals, redirect incoming HTTPS traffic to the SSL VPN service.

  1. Go to the FIREWALL > Firewall Rules page.
  2. Add a redirect access rule with the following settings:
    • Name – Enter a name for the access rule. E.g., Redirect-to-SSL-VPN.
    • Action Select Redirect to Service
    • Source Select Internet from the list, and click +.
    • Destination Select the network object representing your incoming Internet connection, and click +.  E.g., DHCP1-Local-IP
    • Redirected To Select SSL VPN.
      ssl_von_config_02.png
  3. To enable access to the SSL VPN portal via a hostname instead of only via the IP address (because the latter may change), you can use the third-party DynDNS service.
    1. Go to the NETWORK > IP Configuration page.
    2. In Dynamic Interface Configuration, enable Use Dynamic DNS for the required interface.
  4. Click Save.

Step 2. Configure user authentication

End users must authenticate themselves before they can access internal resources and applications via SSL VPN. You can manage user authentication either locally on the firewall or externally with Active Directory, LDAP, or RADIUS. For instructions on how to configure local or external user authentication, see Managing Users and Groups.

To specify how users are authenticated for the SSL VPN:

  1. Go to the VPN > SSL VPN page and click the Server Settings tab.
  2. In the Authentication section, select the method from the User Authentication list.
  3. (optional) To restrict SSL VPN access by user group: 
    1. Set Group Access Restrictions to Yes.
    2. Enter the user groups that can access the SSL VPN in the Allowed Groups list, and click + after each entry. Use question marks (?) and asterisks (*) as wildcard characters.
    3. Enter the user groups that are denied access to the SSL VPN in the Blocked Groups list, and click + after each entry.
  4. Click Save.

Step 3. Configure SSL VPN settings

Configure the SSL VPN web portal, enable CudaLaunch, and configure general and appearance settings.

  1. Go to the VPN > SSL VPN page and click the Server Settings tab.
  2. To provide users access via CudaLaunch, set Enable CudaLaunch to Yes.
  3. Set Enforce Strong Ciphers to Yes unless you require backward compatibility with SSLv3-only clients.
  4. Set Allow SSLv3 to No. SSLv3 is considered unsafe.  

  5. In the Appearance section, customize the SSL VPN portal by uploading your company's logo, and welcome and help texts.

    Only ASCII characters are allowed in the Welcome Message and Help Text fields.

  6. Click Save.

Step 4. Upload a certificate

It is recommended to install a CA-trusted SSL certificate for the SSL VPN on the X-Series Firewall, so that web browsers do not issue a SSL warning to end users when they access the portal. By default, the Web UI certificate is used.

  1. Go to the Advanced > Certificate Manager page.
  2. Upload or create a certificate. For instructions, see How to Use and Manage Certificates with the Certificate Manager.
  3. Go to the VPN > SSL VPN page and click on the Server Settings tab. 
  4. Select the SSL VPN certificate you just created or uploaded from the Certificate drop-down list.
  5. Click Save.

Next steps

After you enable and configure the SSL VPN, end users can access the portal in their web browsers. Configure your DNS server or service to resolve sslvpn. to the public IP address of your firewall. End users can then access the portal page by opening https://sslvpn>.

web_01.pngweb_02.png

To add resources for your end users to the SSL VPN portal, see: