These best practices apply to deployment of the Barracuda Content Shield (BCS) agent to endpoint machines.
Define All Local Domains
If you are using the BCS agent with a DNS proxy solution, do the following:
- Go to the AGENT SETTINGS page.
- In the Define All Local Domains section, in the LOCAL DOMAINS text box, add any local (internal) domains/hostnames that should be resolved by the DNS server configured on the endpoint computer, instead of the DNS server selected by BCS Plus.
Exempt Destination Network Servers
If there are specific local networks that you do not want the BCS agent to filter (for example, printers or VPNs), do the following:
- Go to the Exemption Policies page.
- In the Network Exemptions text box, enter the IP address or hostname of each destination server that you want to bypass filtering by the BCS agent. Use CIDR notation: for example, 192.168.100.0/24 represents an IP address of 192.168.100.0 with a subnet mask of 255.255.255.0.
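Because every exempted destination bypasses filtering, it helps to review the list before entering it. The following is an added example, not Barracuda code: it expands each CIDR entry to its subnet mask as described above and flags entries that are broader than intended. The function names, the sample list, the 65536-address threshold and the RFC 1918 check are assumptions made for the illustration.

```python
import ipaddress

# RFC 1918 private IPv4 ranges; exemptions outside them reach public hosts.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample list, one entry per line (not from a real deployment).
SAMPLE_ENTRIES = """\
192.168.100.0/24
192.168.100.17/24
10.20.30.40
0.0.0.0/0
8.8.8.0/24
printer01.corp.example
"""

def review_entry(entry, max_addresses=65536):
    """Return (kind, normalized, warnings) for one exemption entry.

    max_addresses is an assumed review threshold, not a BCS limit.
    """
    try:
        iface = ipaddress.ip_interface(entry)
    except ValueError:
        # Not an IP address or CIDR block, so treat it as a hostname.
        return "hostname", entry.lower(), []
    net, warnings = iface.network, []
    if iface.ip != net.network_address:
        warnings.append(f"host bits set; the block covered is {net}")
    if net.num_addresses > max_addresses:
        warnings.append(f"covers {net.num_addresses} addresses")
    if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
        warnings.append("outside RFC 1918 private space")
    kind = "host" if net.num_addresses == 1 else "network"
    return kind, f"{net.network_address} mask {net.netmask}", warnings

def review_list(text):
    """Review every non-blank line and return {entry: result}."""
    return {e: review_entry(e) for e in map(str.strip, text.splitlines()) if e}

if __name__ == "__main__":
    for entry, (kind, norm, warns) in review_list(SAMPLE_ENTRIES).items():
        print(f"{entry:24} {kind:9} {norm}")
        for w in warns:
            print(f"{'':24} WARNING: {w}")
```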
Using the Barracuda Active Directory Sync Tool
The Barracuda Active Directory Sync Tool can be installed either on an AD server or on a device that has direct access to the AD server. The tool periodically checks the domain controller for changed user and group information as well as group memberships. To get and install the tool, see How to Get and Configure the Barracuda Active Directory Sync Tool. Best practices include the following:
- Use the base root OU (organizational unit) if possible.
- Specify the user and group Base DN to limit the number of groups and users to sync; this limits the number of requests.
- Barracuda STRONGLY recommends configuring the tool to run with a single profile, with the Search Root of the domain as the value for both the User Base DN and Group Base DN. The tool tries not to configure groups that have no users.
- BCS supports up to a maximum of 100 groups per user.
Exempt from Malware Prevention Component (MPC) Threat Policy
If you have the Malware Prevention Component (MPC), you can specify either a filename or full path to a file for exclusion from scanning on the THREAT POLICY page.
Note that for application binaries, only full paths are accepted; wildcards (*) are not allowed.
Network exemptions, however, do support wildcards.