Barracuda CloudGen Firewall

Secure Access Concentrator and Control Center Deployment

To integrate Secure Connectors into your network, you must configure the Secure Access Concentrator and the NextGen Control Center to manage and route traffic from and to the Secure Connector VIP networks. The Control Center can manage multiple Secure Access Concentrators.

Before You Begin

  • Define the public IP address used as the Point of Entry for the Secure Access Concentrator. The Secure Connectors will connect to this public IP address.
  • Define the management and data networks used for the Secure Connectors. Depending on your setup, create a global/range or cluster network object for them.
  • Create a service object for the following Secure Connector services:
    • NGS-MGMT – TCP/UDP 889 and TCP/UDP 888.
    • NGS-VPN – TCP/UDP 692. If a custom port is used, replace 692 with the custom port.
    For more information, see Service Objects.
  • Create network objects for the Secure Connector management and data networks. For more information, see Network Objects.
  • You must have the license tokens for the Secure Access Concentrator and the Secure Connector Energize Updates pool license.

Deploy and Configure a Secure Access Concentrator

Step 1. Deploy an F-Series Firewall Image to be Used as the Access Concentrator

Deploy a virtual or public cloud F-Series Firewall. Verify that the number of CPU cores, storage, and RAM are sized according to your Access Concentrator model. If you are deploying in the public cloud, see Secure Access Concentrator in the Public Cloud for more information on Access Concentrator cloud deployment options.

Access Concentrator | VF / ACC Model | Number of Licensed Cores | Minimum Storage [GB] | Minimum Memory [GB]
FSAC 400 | VF1000 / ACC400 | 2 | 80 | 2
FSAC 610 | VF2000 / ACC610 | 4 | 80 | 2
FSAC 820 | VF4000 / ACC820 | 8 | 80 | 2

For more information, see Virtual Systems (Vx) or Microsoft Azure Deployment.

Step 2. Import the Access Concentrator into the Control Center

The Access Concentrator must be managed by the same Control Center that is managing the Secure Connectors.

For more information, see How to Import an Existing F-Series Firewall into a Control Center.

Step 3. License the Secure Access Concentrator

License and activate the Access Concentrator using Barracuda Activation on the Control Center. The licenses are automatically downloaded and installed. On your Access Concentrator, go to CONTROL > Licenses or CONFIGURATION > Configuration Tree > Box > Licenses to verify that the licenses are installed.

For more information, see How to Assign and Activate Single Licenses on a Control Center.

Step 4. Import the Secure Connector Pool License

Import and activate the Secure Connector Energize Updates (EU) pool license. The number of Secure Connectors allowed to connect to a single Access Concentrator is determined by the EU pool licenses assigned to the Access Concentrator.

  1. Log into the Control Center.
  2. Go to CONTROL > Barracuda Activation.
  3. Right-click in the Pool Licenses section and select Import Pool License from the context menu. The Activate Pool License window opens.
  4. Enter the Secure Connector Energize Updates license Token.
  5. From the Filter list, select All.
  6. From the Product list, select your Access Concentrator model: FSAC400, FSAC610, or FSAC820.
  7. Click OK.
  8. Fill in the Activation Form. Wait for the license to be activated and downloaded.

Step 5. Assign the Secure Connector Pool License to the Access Concentrator

  1. Go to your cluster > your Access Concentrator > Box Licenses.
  2. Click Lock.
  3. In the Licenses list, click + and select Import from Pool Licenses. The Select Pool Licenses window opens.
  4. Clear the Show only Licenses for VFxxx check box. 
  5. Double-click the pool license you installed in Step 4.
  6. Click Send Changes and Activate.

The Secure Connector EU pool license is now added to the Access Concentrator licenses.

Step 6. Create the Access Concentrator VPN Service

Create the Access Concentrator VPN service. The Access Concentrator VPN service and the VPN service are mutually exclusive: only one of them can run on a firewall at a time.

  1. Go to your cluster > Virtual Servers > your virtual server > Assigned Services.
  2. Right-click Assigned Services and select Create Service.
  3. Enter a Service Name. The name must be unique and no longer than six characters. The service name cannot be changed later.
  4. From the Software Module list, select Access Concentrator VPN Service.
  5. (optional) Change the Service IPs. For more information, see How to Configure Services.
  6. Click Finish.
  7. Click Activate.

Step 7. Configure the Access Concentrator VPN Service

Create the Access Concentrator VPN key used to authenticate the Secure Connectors and enter the IP address and port the Secure Connectors will use to connect to this Access Concentrator.

If managed F-Series Firewalls also connect through the same public IP address, change the port used by the Secure Connectors to avoid redirecting the F-Series Firewall management tunnels to the Access Concentrator. To configure the Access Concentrator to also handle F-Series Firewall management tunnels, see How to Configure Management Tunnel Offloading using an Access Concentrator.

  1. Go to your cluster > Virtual Servers > your Access Concentrator virtual server > Assigned Services > VPNAC > VPN Settings.
  2. Click Lock.
  3. In the left menu, click Secure Connector.
  4. Add the public IP address the Secure Connectors use to connect as the FSAC Entry Point.
  5. (optional) Enter the FSAC Entry Point Port. Default: 692
  6. In the left menu, click Secure Access Concentrator.
  7. Click New Key to create a Server Key.
  8. Click Send Changes and Activate.

Step 8. Add Access Rules for Secure Connector VIP Network

Create access rules to allow Secure Connector traffic to the Control Center and to the border firewall. TCP/UDP 889 is used for communication between the Control Center and the Secure Connectors.

  1. Go to your cluster > Virtual Servers > your Access Concentrator virtual server > Assigned Services > Firewall > Forwarding Rules. 
  2. Click Lock.
  3. Create a PASS access rule to allow management traffic from the Secure Connector VIP network to the Control Center:
    • Action – Select PASS.
    • Source – Select the Secure Connector VIP network(s) associated with this Access Concentrator. 
    • Service – Select the NGS-MGMT service object for Secure Connector management traffic: TCP/UDP 889 and TCP/UDP 888.
    • Destination – Select the network object for the Control Center IP address. 
    • Connection – Select Original Source IP.
  4. Create a PASS access rule to allow all other traffic from the Secure Connector VIP network(s):
    • Action – Select PASS.
    • Source – Select the Secure Connector VIP network(s) associated with this Access Concentrator. 
    • Service – Select the service you want to allow.
    • Destination – Select the destination network.
    • Connection – Select Original Source IP.
  5. (optional) Create a PASS access rule to allow Internet access from the Secure Connector VIP network(s):

    You must use 0.0.0.0/0 as the Remote Network in the Secure Connector VPN settings.

    • Action – Select PASS.
    • Source – Select the Secure Connector VIP network(s) associated with this Access Concentrator. 
    • Service – Select the service you want to allow.
    • Destination – Select Internet.
    • Connection – Select Original Source IP.
  6. Adjust the order of the access rules so that no rule above them matches the same traffic.
  7. Click Send Changes and Activate.
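
The ordering check from step 6, as an added example (not Barracuda code and not a CloudGen Firewall export format): a small Python model of a forwarding ruleset, assuming top-down first-match evaluation, that reports which rules above a given rule would match the same traffic. The rule names, the addresses and the LEGACY-BLOCK rule are constructed; only the NGS-MGMT ports come from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Service = FrozenSet[Tuple[str, int]]          # e.g. {("tcp", 889)}; None means "any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # PASS, BLOCK, ...
    src: str                                  # source network (CIDR)
    dst: str                                  # destination network (CIDR)
    services: Optional[Service]

def _net_rel(upper: str, lower: str) -> Optional[str]:
    up, lo = ipaddress.ip_network(upper), ipaddress.ip_network(lower)
    if not up.overlaps(lo):
        return None                           # disjoint networks never collide
    return "full" if lo.subnet_of(up) else "partial"

def _svc_rel(upper: Optional[Service], lower: Optional[Service]) -> Optional[str]:
    if upper is None:
        return "full"                         # "any" covers every service
    if lower is None:
        return "partial"
    if not upper & lower:
        return None
    return "full" if lower <= upper else "partial"

def rules_matching_first(ruleset, target_name):
    """List (name, action, 'full'|'partial') for every rule above the target
    that would match some or all of the target's traffic first."""
    idx = [r.name for r in ruleset].index(target_name)
    target, findings = ruleset[idx], []
    for upper in ruleset[:idx]:
        rel = (_net_rel(upper.src, target.src), _net_rel(upper.dst, target.dst),
               _svc_rel(upper.services, target.services))
        if None not in rel:                   # src, dst and service all intersect
            kind = "full" if set(rel) == {"full"} else "partial"
            findings.append((upper.name, upper.action, kind))
    return findings

# Constructed sample: VIP network 10.250.8.0/22, Control Center 10.0.15.10.
NGS_MGMT = frozenset((p, n) for p in ("tcp", "udp") for n in (888, 889))
RULESET = [
    Rule("LEGACY-BLOCK", "BLOCK", "10.250.0.0/16", "10.0.15.0/24", None),
    Rule("SC-MGMT-2-CC", "PASS", "10.250.8.0/22", "10.0.15.10/32", NGS_MGMT),
    Rule("SC-2-LAN", "PASS", "10.250.8.0/22", "10.0.0.0/16", frozenset({("tcp", 443)})),
]
```

With this sample, `rules_matching_first(RULESET, "SC-MGMT-2-CC")` reports LEGACY-BLOCK as a full match, so the management rule is never reached until it is moved above that rule.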

(optional) Configure the F-Series Border Firewall

For the data networks assigned to the Secure Connectors to be able to reach on-premises networks or the Internet, the border firewall must be configured to route and allow traffic to these networks using the Access Concentrator as the default gateway. Also, create a Dst NAT access rule to redirect incoming Secure Connector VPN tunnels to the Access Concentrator.

Step 1. Add Gateway Routes

Configure a gateway route to send traffic for the Secure Connector data networks through the Access Concentrator.

  1. Go to your cluster > Boxes > your border F-Series Firewall > Network.
  2. Click Lock.
  3. Add a gateway route for every Secure Connector data network assigned to the Access Concentrator.
    • Target Network Address – Enter the Secure Connector VIP network.
    • Route Type – Select gateway.
    • Gateway – Enter the server IP of the Access Concentrator.
  4. Click Send Changes and Activate.
  5. Activate the network configuration. For more information, see How to Activate Network Changes.

Step 2. Forward Incoming Secure Connector VPN Tunnels to the Access Concentrator

  1. Go to your cluster > Virtual Servers > your border F-Series Firewall > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Create a Dst NAT access rule to redirect incoming Secure Connector VPN tunnels to the Access Concentrator:
    • Action – Select Dst NAT.
    • Source – Select Internet.
    • Service – Select the NGS-VPN service object for the incoming Secure Connector VPN tunnel. Default: TCP 692
    • Destination – Enter the IP address used as the FSAC Entry Point in Step 7.
    • Connection – Select Original Source IP.
    • Redirect to – Enter the server IP address the Access Concentrator is listening on. If a non-standard port is used, add the port number: E.g., 10.0.15.66:692
  4. Click OK.
  5. Click Send Changes and Activate.

Step 3. Add Access Rules to Allow Secure Connector Traffic

Create access rules to allow traffic from the Secure Connector network to the local networks and/or to the Internet.

  1. Go to your cluster > Virtual Servers > your F-Series border Firewall virtual server > Assigned Services > Firewall > Forwarding Rules. 
  2. Click Lock.
  3. Add the following PASS access rule for access to other networks reachable by the border firewall:
    • Action – Select PASS.
    • Source – Select the network object containing the Secure Connector networks.
    • Service – Select the service object. E.g., HTTP+S
    • Destination – Select the destination networks.
    • Connection – Select Dynamic NAT for Internet and connections to the same subnet.
  4. Add the following access rule to allow devices and users in a Secure Connector network access to the Internet:
    • Action – Select PASS.
    • Source – Select the network object containing the Secure Connector networks.
    • Service – Select the service object. E.g., HTTP+S
    • Destination – Select Internet.
    • Connection – Select Dynamic NAT for Internet and connections to the same subnet.
  5. Click Send Changes and Activate.

Configure the NextGen Control Center

The Control Center manages the configuration for all Secure Connector devices and the associated Access Concentrator. The Control Center communicates with the Secure Connectors on TCP 889. If the Control Center and the Access Concentrator are in the same network, you must also add a gateway route. Otherwise, the Access Concentrator must be reachable via the default gateway of the Control Center.

Step 1. Enable CC Database Support

Enable CC database support on the box level of the NextGen Control Center.

  1. Log into the box layer of your NextGen Control Center.
  2. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > CC Database.
  3. Click Lock.
  4. Set Use CC Database to yes.
  5. Click Send Changes and Activate.

Step 2. Add a Gateway Route if Access Concentrator and Control Center are in the Same Subnet

If the Secure Access Concentrator and the Control Center are in the same subnet, you must add a gateway route to direct all Secure Connector traffic directly to the Access Concentrator. If the Access Concentrator is reachable via the default gateway of the NextGen Control Center, proceed with the next step.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. Add a gateway route for every Secure Connector management network:
    • Target Network Address – Enter the Secure Connector VIP network.
    • Route Type – Select gateway.
    • Gateway – Enter the Server IP of the Access Concentrator.
  4. Click Send Changes and Activate.
  5. Activate the network configuration. For more information, see How to Activate Network Changes.

You can now reach the server IP address of every Access Concentrator from the Control Center.

Step 3. Add FSC-Series VIP Networks

The individual FSC-Series Secure Connectors automatically receive a subnet from the Secure Connector VIP network defined on the Control Center. Choose a VIP network large enough to support the number of Secure Connector appliances you are deploying. Secure Connector networks cannot be resized later.

  1. Log into the Control Center.
  2. Go to Multi-Range > Global Settings > Secure Connector Networks.
  3. Click Lock.
  4. Click Add Net.
    The Create Net window opens.
  5. Enter the Unique Net Identifier.
  6. Enter the VIP Network/Mask.
  7. Select Management as the Network Type.
  8. Select the Access Concentrator VPN Service this Secure Connector VIP network will be assigned to.
  9. Set Globally available to yes for this network to be visible to all CC admins.
  10. Click OK.
  11. (optional) Create additional Secure Connector VIP networks.
  12. Click Send Changes and Activate.

Step 4. Enable FSC-Series Support for the Cluster

  1. Go to your cluster > Cluster Properties.
  2. Click Lock.
  3. Set Enable Secure Connector Editor to yes.
  4. From the Secure Connector Release drop-down list, select the Secure Connector firmware version.
  5. Set Enable Secure Connector Networks to yes.
  6. Click Send Changes and Activate.

Next Steps
