Barracuda CloudGen Firewall

Client-to-Site Group Policy Settings


The following sections provide additional details on the client-to-site VPN server parameter settings.

Group Policy Tab

The VPN Group Policy specifies the network IPsec settings. You can group patterns to require users to meet certain criteria, as provided by the group membership of the external authentication server (e.g., CN=vpnusers*). You can also define conditions to be met by the certificate (e.g., O (Organization) must be the company name).

Setting

Description

Mandatory Client Credentials

Select the credentials required for client authentication:

  • X.509 Certificate – Client certificate authentication mandatory. 

  • External Authentication – User password authentication mandatory. 

  • IPsec needs Xauth – Select to allow only IPsec clients that support Xauth.

Select Login must match AltName in Certificate if certificate lookup is done by Alternative Name.

Primary Authentication Scheme

Select an authentication scheme from the list to be used by all client-to-site VPN connections.

Default Authentication Scheme

The default or fallback authentication scheme used to authenticate VPN clients.

Select the Ras Login permission required check box if Remote Access login is required. Once Ras Login permission required is activated, only MSAD users that have this option set can connect. Users in other authentication databases, for example LDAP, do not have this option by default and will not be able to connect. As a workaround, the user can be assigned a Boolean attribute with the name msNPAllowDialin in the directory. The VPN server itself does not distinguish between directories when querying.

Secondary Authentication Scheme

When using multi-factor authentication, select the secondary authentication scheme from the list. This feature requires an Advanced Remote Access subscription.

Enable SAML support

Allows VPN clients to connect using the SAML authentication.

Note that this option requires a valid SAML configuration in the Authentication Service.

Ras Login permission required

Select this option if you want to enforce that only users with a RAS permission are allowed to be authenticated.

Server Certificate

(Optional) Select the server certificate used by the VPN server to authenticate to the VPN client, or use the default server certificate configured in the VPN settings.

Server Protocol Key

Select your X.509 server certificate.

Used Root Certificate

(Optional) Select the root certificate used to validate client certificates.

X509 Login Extraction Field

Extract the username from the selected client certificate field. The X.509 Login Extraction Field is only used for pre-authentication.

IP Attribute Name

Set the VPN client IP address to the attribute configured in the LDAP, MSAD, or RADIUS server.

VPN Group Policy Name Attribute

Name of the attribute field on the authentication server that contains group information. The VPN group policy is pinned to the value returned by the LDAP, MSAD, or RADIUS server.

Preauthentication Scheme

Attributes from LDAP, MSAD, or TACACS+ authentication schemes are used to determine the default authentication scheme for the user. If only a username is supplied, the configured default authentication scheme is used. The username must also exist in LDAP (or the corresponding authentication scheme), or the option Alternative Login Name Field must be used.

  • Authentication Selector Field – Enter the attribute name (e.g., memberOf for group membership information, distinguishedName for object path) whose attribute value is used to select the authentication scheme. Example: ngflocal, msad, etc.
    Right-click and select New name to Scheme Mapping to create mappings between attribute values and authentication schemes that should be used in case of a pattern match.
    Example: If all users located within the Organizational Unit (OU) RADIUSUsers should be authenticated with RADIUS, you can create a mapping for the distinguishedName attribute like this:

[Image: vpn_preauth.png (example of a Name to Scheme Mapping)]
  • (optional) Alternative Login Name Field – Enter the attribute name where an alternative username can be stored if an additional username should be used for a user with the same password.

  • IP Address Field – IP attribute name without pre-authentication: Enter the attribute name where the IP address for the VPN client is stored.

The field must exist in LDAP/MSAD and return the desired IP address as value. A combination consisting of fixed and dynamic IP addresses in the same VPN Client is not recommended. In this case, consider using two VPN Client networks instead. To avoid IP collisions, you could also generate Barracuda VPN Lic File entries. This would exclude IP addresses from being assigned dynamically.

  • VPN Group Field – Enter the attribute name where the VPN group policy name is stored. The VPN group policy name attribute lets you assign a VPN group policy directly to the client, without a pre-authentication scheme. Example: If the LDAP field NGVPNGROUPPOLICY for a user contains iOS, the user gets the corresponding group policy assigned.

  • Group Information – Select the source of the user group information.

    • From Preauthentication – Use group information from the pre-authentication scheme.

    • From Authentication – Use group information from the default authentication scheme.
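As an added illustration of the pre-authentication flow described above (this is example code written for this page, not Barracuda's implementation), the snippet looks a user record up by username or by the Alternative Login Name Field, matches the Authentication Selector Field value against the Name to Scheme Mappings with the default scheme as fallback, and pins the VPN Group Field and IP Address Field values to the session. The attribute names distinguishedName, memberOf and NGVPNGROUPPOLICY come from the page; vpnClientIP, altLogin, the directory records, the scheme names and the first-match ordering of the mappings are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample directory entries (not real accounts); attribute names other
# than distinguishedName, memberOf and NGVPNGROUPPOLICY are assumptions.
DIRECTORY = {
    "alice": {
        "distinguishedName": "CN=alice,OU=RADIUSUsers,DC=example,DC=com",
        "memberOf": ["CN=vpnusers,OU=Groups,DC=example,DC=com"],
        "NGVPNGROUPPOLICY": "iOS",
        "vpnClientIP": "10.9.0.21",
        "altLogin": "a.smith",
    },
    "bob": {
        "distinguishedName": "CN=bob,OU=Staff,DC=example,DC=com",
        "memberOf": ["CN=vpnusers,OU=Groups,DC=example,DC=com"],
    },
}

# Pre-authentication settings as assumed for this example.
SELECTOR_FIELD = "distinguishedName"
SCHEME_MAPPINGS = [("*OU=RADIUSUsers*", "radius")]  # ordered; first match wins (assumption)
DEFAULT_SCHEME = "msad"
VPN_GROUP_FIELD = "NGVPNGROUPPOLICY"
IP_ADDRESS_FIELD = "vpnClientIP"
ALT_LOGIN_FIELD = "altLogin"


def _values(attrs, name):
    """Return an attribute as a list, since LDAP attributes may be multi-valued."""
    value = attrs.get(name)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_user(login, directory=DIRECTORY):
    """Look the login up as a username first, then in the Alternative Login Name Field."""
    if login in directory:
        return directory[login]
    for attrs in directory.values():
        if login in _values(attrs, ALT_LOGIN_FIELD):
            return attrs
    return None


def select_scheme(attrs):
    """Pick the scheme whose pattern matches a selector-field value; otherwise the default."""
    for value in _values(attrs, SELECTOR_FIELD):
        for pattern, scheme in SCHEME_MAPPINGS:
            if fnmatchcase(value.lower(), pattern.lower()):  # case-insensitive glob match
                return scheme
    return DEFAULT_SCHEME


def preauth(login, directory=DIRECTORY):
    """Resolve scheme, pinned group policy and client IP for a login."""
    attrs = find_user(login, directory)
    if attrs is None:
        # Unknown to the directory: only the default scheme applies, nothing is pinned.
        return {"scheme": DEFAULT_SCHEME, "group_policy": None, "client_ip": None}
    return {
        "scheme": select_scheme(attrs),
        "group_policy": attrs.get(VPN_GROUP_FIELD),
        "client_ip": attrs.get(IP_ADDRESS_FIELD),
    }


if __name__ == "__main__":
    for login in ("alice", "a.smith", "bob", "nobody"):
        print(login, preauth(login))
```

Note that a user who is missing from the directory still authenticates against the default scheme; that is the case the page covers by requiring the username to exist in LDAP or to be resolvable through the Alternative Login Name Field.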

Group Policy Settings

Common Settings

Setting

Description

Name

Enter a name for the policy. For example, Group Policy.

  • The Common Settings field is automatically updated with this name, and the check box is automatically selected as soon as you fill in the details.

  • This name is also used on native VPN clients on iOS and Android.

Statistic Name

Enter a name to better allocate statistics entries.

Network

Select the VPN client network the group policy applies to.

DNS

Enter the IP address of the DNS server used for the clients.

WINS

If applicable, enter the IP address of the WINS server. 

Network Routes

Add all networks that should be reachable by the VPN clients. Enter 0.0.0.0/0 for all traffic to be sent through the client-to-site VPN. 

Access Control List (ACL)

Add an Access Control List.

Group Policy Condition

Right-click the Group Policy Condition field and select Create New Policy.

Group Policy Condition

Right-click the Group Policy Condition field and select New Rule. In the X509 Certificate Conditions section of the Group Policy Condition window, set filters for the certificate. For each certificate condition, select the certificate field from the drop-down list, enter the required value, and click Add/Change.

Setting

Description

External Group

Define the groups on the authentication server that will be assigned the policy, e.g., CN=vpnusers*, or * for everybody.

Client

Enter the IP address of the client network.

X509 Subject

To let everyone with a valid certificate log on, click Edit/Show and add the following condition to the Subject field: CN=*. Certificate condition entries are case insensitive and can contain the quantification patterns ? (zero or one) and * (zero or more).

Cert Policy / OID

(Optional) Enter an OID to allow only certificates with a specific key usage, e.g., Client Authentication (1.3.6.1.5.5.7.3.2).

Peer

Enter the IP address of the peer network.

Barracuda Tab - Barracuda Settings

IPsec IKEv1 Tab - IPsec IKE1 Phase II Settings

Setting

Description

Disable

Clear the check box, and then select Group Policy Name (Create New).

Edit Phase 1

Click to edit the Phase 1 settings.

Encryption

The data encryption algorithm.

Hash Meth

The hash algorithm.

DH-Group

The Diffie-Hellman Group that specifies the type of key exchange. DH Group1 to Group18 are supported.

Time

The re-keying time in seconds that the server offers to the partner.

Minimum

The minimum re-keying time in seconds that the server accepts from its partner.

Maximum

The maximum re-keying time in seconds that the server accepts from its partner.

IPsec IKEv2 Tab - IPsec IKE1 Phase I Settings

Configure the same settings for IPsec Phase I that you selected for IPsec Phase II.

Rules Tab

The Rules tab lets you edit the group VPN settings. For parameters, see the Group Policy Tab section above. To create a rule, right-click in the window and select New Rule.

Setting

Description

Assigned VPN Group

Select the VPN group the rule should apply to.

Group Pattern

Enter the group pattern, or click Lookup to perform an AD lookup and search for the group pattern.

Use One-Time Password

Select the check box to enable one-time password authentication for users in the VPN group.

Subject

Click Edit/Show to open the Certificate Condition window. The configuration may contain the patterns * and ?. Equal keys are slash-delimited: to match DC=foo, DC=bar, enter DC=bar/foo, because the order of the distinguished name parts is reversed.

Certificate Policy

Enter the certificate policy (OID 2.5.29.32). It will be checked if the transmitted certificate contains the certificate policies extension (OID 2.5.29.32) and if one of the contained values matches the configuration. For more information, see http://oid-info.com/get/2.5.29.32.

Generic v3 OID / Content

Enter an OID to allow only certificates with a specific key usage. E.g., Client Authentication (1.3.6.1.5.5.7.3.2).

You can enter an OID of an arbitrary X.509 v3 extension that will then be searched in the extensions of the transmitted certificate and checked against the value configured in the Content field.

V_ASN1_IA5STRING and V_ASN1_OCTET_STRING entries can be entered as plain values; entries of any other type must be entered as a hexadecimal DER-encoded byte string. For example, to require the clientAuth purpose in the Extended Key Usage extension, search for OID 2.5.29.37 with the value 300A06082B06010505070302.
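As an added worked example (not product code), the DER value above can be derived rather than looked up: encode the clientAuth OID 1.3.6.1.5.5.7.3.2 as a DER OBJECT IDENTIFIER and wrap it in the SEQUENCE that the Extended Key Usage extension (OID 2.5.29.37) carries, which yields 300A06082B06010505070302. The decoder at the end performs the "one of the contained values matches" check that the Certificate Policy field applies to the certificate policies extension, here applied to an EKU value. Only the standard library is used; the function names are assumptions for this example.

```python
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted-decimal OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        groups = [arc & 0x7F]  # base-128, least significant group first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last group
            arc >>= 7
        body.extend(reversed(groups))
    return b"\x06" + der_length(len(body)) + bytes(body)


def der_sequence(*elements: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) around already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def extended_key_usage_content(*purpose_oids: str) -> str:
    """Uppercase hex Content value for OID 2.5.29.37 (SEQUENCE OF KeyPurposeId)."""
    return der_sequence(*(encode_oid(o) for o in purpose_oids)).hex().upper()


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value bytes, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid for the value octets of an OBJECT IDENTIFIER."""
    first_arc = min(value[0] // 40, 2)  # arcs 0 and 1 are packed as 40*x + y
    arcs = [first_arc, value[0] - 40 * first_arc]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def oids_in_sequence(hex_content: str) -> list:
    """Decode a hex SEQUENCE OF OBJECT IDENTIFIER into dotted-decimal strings."""
    buf = bytes.fromhex(hex_content)
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids


def content_contains_oid(hex_content: str, oid: str) -> bool:
    """True if one of the OIDs inside the extension value matches the configured one."""
    return oid in oids_in_sequence(hex_content)


if __name__ == "__main__":
    print(extended_key_usage_content("1.3.6.1.5.5.7.3.2"))  # 300A06082B06010505070302
    print(encode_oid("2.5.29.37").hex().upper())  # the EKU extension OID itself
```

A certificate whose EKU lists both serverAuth and clientAuth has a different, longer SEQUENCE, so an exact-bytes comparison against 300A06082B06010505070302 would fail for it; a check that looks for the OID inside the sequence, as in content_contains_oid, does not.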

Peer Condition

Select the check boxes for the client types used by the peer.

  • Barracuda Client – Barracuda VPN Client or Barracuda Network Access Client including CudaLaunch for Android and iOS.

  • IPsec Client – IPsec clients such as the native Windows, Android, or iOS IPsec VPN clients.

  • Transparent Agent (SSL-VPN) – The legacy SSL VPN transparent VPN client.

Peer Address/Network

Click Add to add the IP address of the peer network.
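The following added example (written for this page, not code from the product) evaluates a rule's conditions the way this Rules tab and the Group Policy Condition section describe them: the group pattern and the certificate subject use the patterns * (zero or more characters) and ? (zero or one character), matched case-insensitively; the subject DN is reversed and equal keys are joined with a slash, so DC=foo, DC=bar is matched by DC=bar/foo; the peer client type and peer address/network are checked last. The Rule and Peer structures, the rule names, the sample DNs and addresses are constructed, and the assumptions that every part of a subject condition must match and that the first matching rule wins are mine.

```python
import ipaddress
import re
from dataclasses import dataclass, field


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'?' matches zero or one character, '*' zero or more; matching is case-insensitive."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".?")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def canonical_dn(dn: str) -> dict:
    """Split 'CN=a, DC=foo, DC=bar' into parts, reverse them and join equal keys with '/'.
    Escaped commas inside values are not handled (assumption for this example)."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    joined = {}
    for part in reversed(parts):
        key, _, val = part.partition("=")
        key, val = key.strip().upper(), val.strip()
        joined[key] = f"{joined[key]}/{val}" if key in joined else val
    return joined


def subject_matches(condition: str, subject_dn: str) -> bool:
    """Every 'KEY=pattern' part of the condition must match the canonical subject value for KEY."""
    canon = canonical_dn(subject_dn)
    for cond in [c.strip() for c in condition.split(",") if c.strip()]:
        key, _, pattern = cond.partition("=")
        value = canon.get(key.strip().upper())
        if value is None or not matches(pattern.strip(), value):
            return False
    return True


@dataclass
class Rule:
    name: str
    group_pattern: str = "*"          # External Group / Group Pattern
    subject: str = "CN=*"             # Subject condition: anyone with a valid certificate
    peer_types: set = field(default_factory=lambda: {"barracuda", "ipsec", "sslvpn"})
    peer_networks: list = field(default_factory=list)  # empty list means any address


@dataclass
class Peer:
    groups: list        # group values returned by the authentication server
    subject_dn: str     # subject of the presented client certificate
    client_type: str    # "barracuda", "ipsec" or "sslvpn"
    address: str


def rule_applies(rule: Rule, peer: Peer) -> bool:
    if not any(matches(rule.group_pattern, g) for g in peer.groups):
        return False
    if not subject_matches(rule.subject, peer.subject_dn):
        return False
    if peer.client_type not in rule.peer_types:
        return False
    if rule.peer_networks:
        addr = ipaddress.ip_address(peer.address)
        if not any(addr in ipaddress.ip_network(n) for n in rule.peer_networks):
            return False
    return True


def first_matching_rule(rules, peer: Peer):
    """Name of the first rule whose conditions all hold, or None."""
    return next((r.name for r in rules if rule_applies(r, peer)), None)


# Constructed rule set: a narrow IPsec rule first, a catch-all last.
RULES = [
    Rule("corp-ipsec", group_pattern="CN=vpnusers*", subject="DC=com/example",
         peer_types={"ipsec"}, peer_networks=["203.0.113.0/24"]),
    Rule("everyone"),
]

if __name__ == "__main__":
    peer = Peer(["CN=vpnusers,OU=Groups,DC=example,DC=com"],
                "CN=alice, OU=Eng, DC=example, DC=com", "ipsec", "203.0.113.7")
    print(first_matching_rule(RULES, peer))  # corp-ipsec
```

Because the catch-all rule's group pattern is * rather than an empty list of groups, a peer for which the authentication server returns no group at all matches no rule here; that is the behaviour to expect when the VPN Group Policy Name Attribute lookup returns nothing.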

Common Tab

See Common Settings section above.

Barracuda Tab

Setting

Description

Name

Enter a name for the Barracuda Client connection.

Enable VPN Client NAC

Enables the Barracuda Network Access Client. For more information, see Barracuda Network Access and VPN Client.

ENA

Possible values are:

  • OFF: This is the default setting.

  • ON: An active ENA option blocks all traffic on non-VPN interfaces, e.g., LAN. This option is normally used in conjunction with the default route 0.0.0.0/0, so that all traffic is routed through VPN.

This option works only for Windows OS-based clients (Barracuda VPN Client & Secure Personal Access Client (SPAC) option must be installed) and Barracuda VPN Client for Linux (using a source routing based solution).

VPN Rules

Assigns an online ruleset configured in the VPN FW tab.

Offline Rules

Assigns an offline ruleset configured in the Offline FW tab.

Message

Welcome messages can be used to display customized messages to welcome users to the corporate network, inform them about security policies, or display administrator contact details. Create a custom welcome message in the Message tab of the Client-to-Site page, and then select the message in this section.

Bitmap

Upload a 150x80 pixel, 256 color BMP bitmap in the Pictures tab of the Client-to-Site page, and then select the custom bitmap in this section.

Firewall Always ON

The Network Access Client needs to be installed with Firewall Always ON enabled to allow VPN connections.

VPN Always ON

If enabled, users cannot disconnect manually from the VPN.

Key Time Limit

The period of time after which the re-keying process is started.

Key Traffic Limit

The keys of the VPN tunnel are renewed after this amount of traffic.

Tunnel Probing

The interval between tunnel probes. If probes are not answered in the time period specified by the Tunnel Timeout setting, the tunnel is terminated.

Tunnel Timeout

The length of time within which tunnel probes must be correctly answered before the tunnel is terminated. If, for some reason, the enveloping connection breaks down, the tunnel must be re-initialized. This is extremely important in setups with redundant paths for building the enveloping connection.

Accepted Ciphers

The ciphers that can be used to establish the connection.

Enforce Windows Security Settings

Enforce Windows security features:

  • Network Firewall – A personal firewall must be enabled.

  • Windows Update – MS Windows Automatic Update must be enabled.

  • User Account Control – User Account Control must be enabled.

  • Virus Protection – An antivirus product must be enabled.

  • Spyware Protection – An anti-spyware product must be enabled.

  • Internet Security Settings – Internet Security Settings must be enabled.

Disk Encryption

If checked, a client can connect only if disk encryption is enabled on it.

IPsec Tab

See IPsec IKEv1 Tab - IPsec IKE1 Phase II Settings section above.