The Barracuda NextGen FSC-Series offers large-scale remote access capabilities. It enables the ever-growing number of IoT devices and micro-networks to securely connect to the central or distributed corporate datacenter. In such a scenario, a large number of small Secure Connector appliances connect via TINA VPN to their regional Secure Access Concentrator. The Access Concentrator acts as the VPN endpoint for the Secure Connectors and forwards the management traffic to the NextGen Control Center. Corporate policies such as Application Control, URL Filtering, Virus Scanning, or ATP are handled either directly on the Access Concentrator or forwarded to the border firewall. The configuration and lifecycle management for all Secure Connectors and their Access Concentrators are handled by one NextGen Control Center. The Control Center can manage multiple Secure Access Concentrators, allowing you to scale up the network at will.
Secure Access Concentrator and Integration with the NextGen Control Center
FSC-Series Devices on the NextGen Control Center
The NextGen Control Center is a central management appliance for FSC-Series and F-Series devices. The Control Center provides a central template-driven configuration management interface, firmware update management, and status information for all managed devices. F- and FSC-Series devices are managed on one Control Center. Unlike the F-Series Firewalls, the Secure Connector configuration is not configured in a tree structure; instead, configuration is handled through a single interface: the Secure Connector Editor. The Secure Connector Editor allows you to create configuration templates and link them to individual appliances. Changes to the templates are immediately pushed out to the Secure Connector. The administrator decides which configuration options are device-specific. These settings are then configured directly on the device. Although it is possible to change the configuration of an individual device via the web interface, the Control Center configuration overrides the changes made when the web interface configuration lock is released. The data and management networks for the Secure Connectors are also defined via the Control Center. When a Secure Connector is deployed, a management network and a data network are automatically selected and permanently assigned to the device. All configuration, management, and container traffic is sent over the management network. The data network is used for traffic to and from the devices behind the Secure Connector.
For more information, see Secure Access Concentrator and Control Center Deployment and How to Create and Apply FSC Templates.
Secure Access Concentrator
The Access Concentrator is deployed via virtual F-Series Firewall images available for on-premise deployments or in the public cloud. It handles incoming Secure Connector VPN tunnels. Management traffic is automatically forwarded to the NextGen Control Center, and user traffic is processed either directly. If the Access Concentrator is deployed remotely in a VPN tunnel is created between the Access Concentrator and the Control Center that is also used for the Secure Connector management traffic. If necessary, the Access Concentrator can be deployed in a high availability cluster. In addition to the Access Concentrator license, you must also assign a Secure Connector Energize Update pool license. The number of instances in the pool license determines the number of Secure Connectors allowed to connect. The size of the Secure Connector pool license may not exceed the maximum number of VPN connections for the Access Concentrator model. The following models are available:
- Barracuda NextGen Firewall FSAC 400 – 2 CPU cores, up to 500 VPN connections
- Barracuda NextGen Firewall FSAC 610 – 4 CPU cores, up to 1200 VPN connections
- Barracuda NextGen Firewall FSAC 820 – 8 CPU cores, up to 2500 VPN connections
For more information, see Secure Access Concentrator and Control Center Deployment.
The Secure Connector is a small hardware appliance optimized to efficiently connect remote devices and micro-networks to the corporate datacenter via a TINA VPN tunnel. The configuration is centrally managed by the NextGen Control Center, but can be overridden via the web interface on the device.
Secure Connector WAN Connections
The Secure Connector supports the following WAN connection types:
- DHCP client
- Static IP
- Wi-Fi client
- WWAN Modem
For more information, see FSC WAN Connections.
The Secure Connector network can be configured in several ways:
- Manual – The network must be entered manually. Devices behind the Secure Connector require a static IP address.
- Manual Mapped – The network is entered manually. Devices behind the Secure Connector require a static IP address. The static network is mapped to an automatically assigned subnet out of the Secure Connector data network.
- DHCP Server – The network is entered manually. Devices behind the Secure Connector receive an IP address from the DHCP server on the Secure Connector.
- DHCP Server Mapped – The network is entered manually. Devices behind the Secure Connector receive an IP address from the DHCP server on the Secure Connector. The network is mapped to an automatically assigned subnet out of the Secure Connector data network.
- Automatic – The network assigned to the Secure Connector is assigned automatically by the Control Center.
Mapped networks must be the same size as the network assigned to the Secure Connector. The management network offers access The Wi-Fi access point can use a separate network from the Secure Connector network, accessing the other zones via source NAT firewall rules.
For more information, see FSC Networking.
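The mapped modes above let several sites reuse the same LAN range while each site stays uniquely addressable from the datacenter. The following added example (not Barracuda code) shows why the sizes must match and how an address seen in datacenter logs can be traced back to a site and device. The first-fit allocation, the offset-preserving 1:1 translation, the connector names, and all address ranges are assumptions constructed for illustration.

```python
import ipaddress

def allocate_mapped_subnets(data_network, local_networks):
    """Give each connector a unique data-network subnet the same size as its LAN."""
    data_net = ipaddress.ip_network(data_network)
    used, result = [], {}
    for name, cidr in local_networks.items():
        local = ipaddress.ip_network(cidr)
        if local.prefixlen < data_net.prefixlen:
            raise ValueError(f"{name}: {local} is larger than data network {data_net}")
        # First fit (assumed strategy): take the first same-size subnet not in use.
        for candidate in data_net.subnets(new_prefix=local.prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                used.append(candidate)
                result[name] = (local, candidate)
                break
        else:
            raise ValueError(f"{name}: no free /{local.prefixlen} left in {data_net}")
    return result

def translate(address, src_net, dst_net):
    """Map an address between two networks, keeping the host offset (assumed 1:1)."""
    if src_net.num_addresses != dst_net.num_addresses:
        raise ValueError("mapped network must be the same size as the assigned network")
    addr = ipaddress.ip_address(address)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    return dst_net.network_address + (int(addr) - int(src_net.network_address))

def attribute(mapped_address, allocations):
    """Resolve an address seen in the datacenter to (connector, local device address)."""
    addr = ipaddress.ip_address(mapped_address)
    for name, (local, mapped) in allocations.items():
        if addr in mapped:
            return name, translate(addr, mapped, local)
    return None  # not part of any connector's mapped subnet

# Constructed sample: two sites reuse the same LAN range, a third uses a /28.
DATA_NETWORK = "10.200.0.0/16"
LOCAL_NETWORKS = {
    "fsc-site-a": "192.168.1.0/24",
    "fsc-site-b": "192.168.1.0/24",
    "fsc-site-c": "192.168.50.0/28",
}
ALLOCATIONS = allocate_mapped_subnets(DATA_NETWORK, LOCAL_NETWORKS)

if __name__ == "__main__":
    for name, (local, mapped) in ALLOCATIONS.items():
        print(f"{name}: {local} <-> {mapped}")
    print(attribute("10.200.1.20", ALLOCATIONS))
```

Because both sites use 192.168.1.0/24 locally, only the mapped address identifies which device generated the traffic, so log review and firewall rules at the datacenter should be written against the mapped subnets.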
The FSC appliances use a different Firewall service from the F-Series Firewalls. The Firewall allows you to create rules defining access, source, and destination NAT based on four network zones defined for the FSC:
- WAN (including Wi-Fi client)
For more information, see FSC Firewall.
The FSC device connects to the Access Concentrator and the Control Center via one site-to-site tunnel on TCP or UDP port 692. In Operational mode, the VPN tunnel is authenticated via certificates; in Deployment mode, it is authenticated via passphrase. The FSC Firewall only allows the user to send LAN traffic through the VPN or to WAN. It is not possible to use an Internet breakout for the devices in the LAN or Wi-Fi.
For more information, see FSC VPN.