The Barracuda SSL VPN service lets you configure a default permission profile to define monitoring and access control settings for users who connect to the SSH proxy. If some of the configurable settings should apply only to specific users, you can also configure custom permission profiles and add them to specific users. The following article provides step-by-step instructions on how to configure default and custom permission profile settings.
Configure Default Permissions
To configure the default permission profile that applies to all users who connect to the SSH proxy, complete the following steps:
Step 1. Configure User Monitoring
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > SSH Proxy.
- In the left menu, select Default Permission Profiles.
- Click Lock.
- If terminal sessions of users should be recorded to a local file, enable Record Terminal Session.
- In the Recorded Users table, add the login names of the users whose sessions should be recorded.
- In the Inactivity Grace Time field, specify the maximum inactivity time in seconds a user may spend within the proxy menu before being disconnected.
- Click Send Changes and Activate.
Step 2. Configure Target Access Control
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > SSH Proxy.
- In the left menu, click Switch to Advanced View.
- Click Lock.
- In the Target Access Control section, enable Allow Console Access if local addresses on the firewall should be accepted as legitimate targets.
- From the Access Control Policy list, specify how users should be granted access to certain destinations:
  - By Explicit Network Restriction – Users are given access based on the list of addresses in the Explicit Network ACL table.
    - In the Explicit Network ACL table, add users who are not in the Blocked User Groups table if you want to give them additional access rights due to source network restrictions.
  - By Referenced Target Access List – Users are given access to certain destinations based on destination hosts defined in an access list.
    - Select a configured list from the Target Access List menu. For more information on creating target access lists, see How to Configure the SSH Proxy.
- In the Custom Source IP field, define the source IP address for outbound SSH connections.
- Select the SSH protocol version used for connecting to remote targets.
- From the Outbound Compression Policy list, select how the SSH proxy should handle outbound compression.
- If users are supposed to make X-Windows connections through the proxy service, enable Forward X11 connections.
- If connecting users should be allowed to authenticate themselves at a target system with public key authentication, enable Allow Public Keys.
- Enable Support Agent Forwarding if the connection to the authentication agent (if any) should be forwarded to the connecting user’s machine.
- In the Target Alive Interval[s] field, define the timeout interval in seconds after which, if no data has been received from the server, the proxy should send a message through the encrypted channel to request a response. (0 means that no messages are sent.)
- In the Target Alive Max Count field, define the number of server alive messages which may be sent without the proxy receiving any messages back from the target server. If this threshold is reached while server alive messages are being sent, the proxy will disconnect from the server, terminating the session.
- From the Outbound Log Level list, select the log level for outbound connections.
- From the SSH Escape Character list, select the escape character if required.
- Click OK.
- Click Send Changes and Activate.
Configure Custom Permission Profiles
If some of the configurable settings should apply only to specific users, configure custom permission profiles. The settings for the default and custom permission profiles are similar. To configure custom permission profiles, complete the following steps:
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > SSH Proxy.
- In the left menu, select Custom Permission Profiles.
- Click Lock.
- In the left menu, click Switch to Advanced View.
- Next to Profile Settings, click +, enter a name for the profile and click OK to open the Profile Settings configuration.
- Configure the custom profile settings as described in Configure Default Permissions.
- Click OK.
- Click Send Changes and Activate.
Apply Permission Profiles to Users
After configuring custom permission profiles, you can apply them to specific users.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > SSH Proxy.
- In the left menu, select User Authorization.
- Click Lock.
- In the User Authorization table, add profiles for your users. For each entry, configure the following settings:
  - User Names – In this table, add the names of users to which the profile settings will be applied.
  - Applicable Permission Profile – Select the permission profile to be applied to the users listed in the User Names table.
- Click OK.
- Click Send Changes and Activate.