Barracuda CloudGen Firewall

How to Configure Management Tunnel Offloading using an Access Concentrator


For large deployments, you can reduce the load on the Control Center by configuring one or more Secure Access Concentrators (FSAC) to handle the remote management tunnels. The FSAC must be managed by the Control Center and be in the same subnet as the Control Center.

CC_VPN_Offloading.png

Before You Begin

  • Deploy a Secure Access Concentrator. Note: The Access Concentrator must be managed by the Control Center.
  • Assign a free network to be used as the VIP network.
  • Remove the VIP networks to be offloaded from the Control Center.

Step 1. Deploy an F-Series Image to be Used as the FSAC

Deploy a virtual or public cloud F-Series Firewall. Verify that the number of CPU cores, storage, and RAM are sized according to your FSAC model. If your FSAC is deployed in Azure or AWS, see Secure Access Concentrator in the Public Cloud for more information on how to integrate the FSAC with your existing cloud resources.

NextGen FSC-Series FSAC

  Model                         Number of Licensed Cores   Minimum Storage [GB]   Minimum Memory [GB]
  FSAC 400 (VF1000 / ACC400)    2                          80                     2
  FSAC 600 (VF2000 / ACC610)    4                          80                     2
  FSAC 800 (VF4000 / ACC820)    8                          80                     2

For more information, see Virtual Systems (Vx), Microsoft Azure Deployment, and Amazon AWS Deployment.

Step 2. Import the FSAC Into the Control Center

The FSAC must be managed by the same Control Center that is managing the F-Series Firewalls.

For more information, see How to Import an Existing F-Series Firewall into a Control Center.

Step 3. License the Secure Access Concentrator

License and activate the FSAC using Barracuda Activation on the Control Center. The licenses are automatically downloaded and assigned to the FSAC. Go to your FSAC > Box Licenses and verify that the licenses are installed.

deploy_SAC_01.png

For more information, see How to Assign and Activate Single Licenses on a Control Center.

Step 4. Create the FSAC VPN Service

Create the Access Concentrator VPN service.

  1. Go to your Cluster > Virtual Servers > your virtual server > Assigned Services.
  2. Right-click Assigned Services and select Create Service.
  3. Enter a Service Name. The name must be unique and no longer than six characters. The service name cannot be changed later.
  4. From the Software Module list, select VPN Access Concentrator.
    deploy_SAC_02.png
  5. (optional) Change the Service IPs. For more information, see How to Configure Services.
  6. Click Finish.
  7. Click Activate.

Step 5. Add VIP Networks to the Access Concentrator

Add the VIP network to the Access Concentrator.

  1. Go to your virtual server > Assigned Services > VPNAC > SAC VPN Settings.
  2. Click Lock.
  3. Click + to add a VIP Network. The VIP Networks window opens.
  4. Enter a Name and click OK.
  5. Enter the network address of the VIP network in Network Address. E.g., 10.0.16.0
  6. Select the Netmask. E.g., 24-bit
  7. Click OK.
  8. Click Send Changes and Activate.

Step 6. Configure an Access Rule to Allow Traffic to the Control Center

Create an access rule allowing management traffic to and from the Access Concentrator to the Control Center.

  1. Go to CONFIGURATION > Configuration Tree > your Access Concentrator > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click OK.
  3. Right-click in the ruleset and click New and Rule in the context menu.
  4. Create the following access rule:
    • Action – Select Pass.
    • Name – Enter a name.
    • Bi-Directional – Enable Bi-Directional.
    • Source – Select a network object containing the offloaded VIP networks.
    • Service – Select Explicit and add NGF-MGMT-BOX, NGF-MGMT-CONF, NGF-MGMT-CTRL, NTP, UDP Port 801, UDP Port 810, and authentication services as needed (e.g., LDAP).
    • Destination – Select a network object containing both the box level and CC level IP address of the Control Center.
    • Connection Method – Select Original Source IP.
    CC_VPNOffloading_04.png
  5. Click OK.
  6. Click Send Changes and Activate.

Step 7. Create a Gateway Route on the Box Level of the Control Center

If the Control Center and the SAC are in the same subnet, you must create a gateway route for the VIP network using the IP address the VPNAC is listening on as the gateway. If the SAC can be reached via the default gateway of the Control Center, the gateway route is not needed.

Add a gateway route to the VIP network and activate the network changes:

  • Target Network Address – Enter the VIP network. E.g., 10.0.16.0/24
  • Route Type – Select gateway.
  • Gateway – Enter the IP address the VPNAC service is listening on.

CC_VPNOffloading_05.png

For more information, see How to Configure Gateway Routes.
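The route described in Step 7 is easy to verify from the Control Center box level. The following script is an added example, not Barracuda code: it parses a routing table in `ip route show` format, does a longest-prefix-match lookup for hosts in the VIP network, and reports whether they are forwarded to the VPNAC service IP. All addresses (Control Center box IP 10.0.10.2, default gateway 10.0.10.1, VPNAC service IP 10.0.10.20, VIP network 10.0.16.0/24) and the routing-table text are constructed assumptions; replace SAMPLE_ROUTES with real `ip route show` output to run the check for the same-subnet case the step describes.

```python
"""Route check for the Step 7 gateway route (added example, not Barracuda code).

Assumed values, not taken from the article: Control Center box IP
10.0.10.2, default gateway 10.0.10.1, VPNAC service IP 10.0.10.20,
offloaded VIP network 10.0.16.0/24.  SAMPLE_ROUTES is a constructed
routing table in `ip route show` format."""
import ipaddress

SAMPLE_ROUTES = """\
default via 10.0.10.1 dev eth0
10.0.10.0/24 dev eth0 proto kernel scope link src 10.0.10.2
10.0.16.0/24 via 10.0.10.20 dev eth0
"""


def parse_routes(text):
    """Parse `ip route show` output into (network, gateway) pairs.
    gateway is None for directly connected prefixes."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((net, gateway))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match for dst. Returns the gateway address, None
    when the best route is directly connected, or "unreachable" when
    no route covers the destination."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return "unreachable"
    return best[1]


def vip_route_ok(route_text, vip_network, vpnac_ip):
    """True when hosts in the VIP network are forwarded to the VPNAC
    service IP, i.e. the gateway route from Step 7 is in place.
    Probing the first and last host of the prefix catches a route that
    covers only part of the VIP network."""
    routes = parse_routes(route_text)
    net = ipaddress.ip_network(vip_network)
    expected = ipaddress.ip_address(vpnac_ip)
    hosts = list(net.hosts())
    probes = [hosts[0], hosts[-1]]
    return all(next_hop(routes, ip) == expected for ip in probes)


def report(route_text, vip_network, vpnac_ip):
    """One-line summary of where traffic to the VIP network would go."""
    routes = parse_routes(route_text)
    probe = next(ipaddress.ip_network(vip_network).hosts())
    hop = next_hop(routes, probe)
    ok = vip_route_ok(route_text, vip_network, vpnac_ip)
    return f"{probe} -> next hop {hop}: {'OK' if ok else 'NOT via VPNAC'}"


if __name__ == "__main__":
    print(report(SAMPLE_ROUTES, "10.0.16.0/24", "10.0.10.20"))
    # The same table without the gateway route: VIP traffic falls back to
    # the default gateway, which is the failure the troubleshooting
    # section's ping test from the box level would expose.
    without = "\n".join(l for l in SAMPLE_ROUTES.splitlines()
                        if not l.startswith("10.0.16.0/24"))
    print(report(without, "10.0.16.0/24", "10.0.10.20"))
```

When the SAC is reachable through the Control Center's default gateway (the second case the step mentions), a next hop equal to the default gateway is the intended result, so only apply the check to the same-subnet layout.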

Step 8. Configure a Gateway Route and Access Rules on the Border Firewall

If the border firewall also acts as the default gateway in your network, create a gateway route for the VIP network and an access rule to allow traffic to the VIP network. The second access rule redirects incoming management tunnel traffic from the remote F-Series Firewalls to the Access Concentrator.

Step 8.1. Add a Gateway Route

Add a gateway route to the VIP network and activate the network changes:

  • Target Network Address – Enter the VIP network. E.g., 10.0.16.0/24
  • Route Type – Select gateway.
  • Gateway – Enter the IP address the VPNAC service is listening on.

CC_VPNOffloading_05.png

For more information, see How to Configure Gateway Routes.

Step 8.2. Add an Access Rule to Allow Traffic to the VIP Network

Create an access rule to allow traffic from the LAN to the VIP network:

  • Action – Select Pass.
  • Name – Enter a name.
  • Source – Select Trusted Network.
  • Service – Select all services you need to access on the remote F-Series Firewall.
  • Destination – Enter the VIP network. E.g., 10.0.16.0/24
  • Connection Method – Select Dynamic NAT.

CC_VPNOffloading_07.png

Step 8.3. Add a Dst NAT Access Rule for Incoming MGMT Tunnel Traffic

Incoming management tunnel traffic must be redirected to the Access Concentrator.

  • Action – Select Dst NAT.
  • Name – Enter a name.
  • Source – Select Internet.
  • Service – Select Explicit and add a service entry for TCP traffic on port 692.
  • Destination – Select Service IPs.
  • Target List – Enter the IP address the CC-VPN service is listening on.
  • List of Critical Ports – Enter 692.
  • Connection Method – Select Original IP.

CC_VPNOffloading_06.png

Step 8.4. Add an Access Rule on the Access Concentrator to Allow Traffic to the VIP Network

Create an access rule to allow traffic from the IP address of the border firewall to the VIP networks:

  • Action – Select Pass.
  • Name – Enter a name.
  • Source – Enter the IP address of the border firewall.
  • Service – Select NGF-MGMT-BOX.
  • Destination – Enter the VIP network. E.g., 10.0.16.0/24
  • Connection Method – Select Original IP.

CC_VPNOffloading_08.png
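Because the ruleset is evaluated first match, it helps to trace a few flows through the rules from Steps 6, 8.2, 8.3 and 8.4 before activating them. The script below is an added example, not Barracuda code and not the CloudGen rule engine: it is a minimal first-match model that supports the three rule properties the steps rely on (Bi-Directional matching, Explicit service lists and Dst NAT to a Target List entry) and shows, among other things, that the reverse management flow from the Control Center to a VIP is only allowed because Step 6 enables Bi-Directional. Every IP address, the hypothetical rule names, and the port numbers behind the named service objects are constructed assumptions; TCP 692 for the management tunnel is the only value taken from the article.

```python
"""First-match model of the access rules in Steps 6, 8.2, 8.3 and 8.4
(added example; not Barracuda code and not the CloudGen rule engine).
All IP addresses, rule names, and the port numbers behind the named
service objects are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, replace

# Assumed topology (documentation address ranges, not real deployments)
VIP_NET = "10.0.16.0/24"            # offloaded VIP network
LAN = "10.0.10.0/24"                # trusted network behind the border firewall
CC_BOX_IP = "10.0.10.2"             # Control Center box level IP
CC_IP = "10.0.10.3"                 # Control Center CC level IP
VPN_SERVICE_IP = "10.0.10.20"       # VPN service IP entered in the Target List
BORDER_FW_IP = "10.0.10.1"          # border firewall, LAN side
BORDER_PUBLIC_IP = "203.0.113.10"   # border firewall service IP
INTERNET = "0.0.0.0/0"

# Assumed (proto, port) behind the service object names used in the
# article; only TCP 692 for the management tunnel comes from the article.
SERVICES = {
    "NGF-MGMT-BOX": ("tcp", 801),
    "NTP": ("udp", 123),
    "UDP Port 801": ("udp", 801),
    "UDP Port 810": ("udp", 810),
    "TCP 692": ("tcp", 692),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "Pass" or "DstNAT"
    sources: tuple          # addresses or prefixes
    destinations: tuple
    services: tuple         # keys of SERVICES (an Explicit service list)
    bidirectional: bool = False
    target: str = None      # Dst NAT target list entry


def _in(ip, prefixes):
    """True when ip lies in any of the given addresses/prefixes."""
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(str(p)) for p in prefixes)


def matches(rule, flow):
    """A rule matches src->dst, or dst->src when Bi-Directional is set,
    and only for the services in its Explicit list."""
    forward = _in(flow.src, rule.sources) and _in(flow.dst, rule.destinations)
    reverse = rule.bidirectional and _in(flow.dst, rule.sources) \
        and _in(flow.src, rule.destinations)
    service_ok = any(SERVICES[s] == (flow.proto, flow.port) for s in rule.services)
    return (forward or reverse) and service_ok


def evaluate(rules, flow):
    """Return (rule name, effective destination) of the first matching
    rule, or ("BLOCK", flow.dst) when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            dst = rule.target if rule.action == "DstNAT" else flow.dst
            return rule.name, dst
    return "BLOCK", flow.dst


def without_bidirectional(rules):
    """Same rules with Bi-Directional switched off, to see what it buys."""
    return tuple(replace(r, bidirectional=False) for r in rules)


# Step 6 and Step 8.4: rules on the Access Concentrator
AC_RULES = (
    Rule("MGMT-to-CC", "Pass", (VIP_NET,), (CC_BOX_IP, CC_IP),
         ("NGF-MGMT-BOX", "NTP", "UDP Port 801", "UDP Port 810"),
         bidirectional=True),
    Rule("Border-to-VIP", "Pass", (BORDER_FW_IP,), (VIP_NET,), ("NGF-MGMT-BOX",)),
)

# Step 8.2 and 8.3: rules on the border firewall; the Dst NAT rule is
# placed first because it is the more specific one in a first-match set
BORDER_RULES = (
    Rule("Redirect-MGMT-Tunnel", "DstNAT", (INTERNET,), (BORDER_PUBLIC_IP,),
         ("TCP 692",), target=VPN_SERVICE_IP),
    Rule("LAN-to-VIP", "Pass", (LAN,), (VIP_NET,), ("NGF-MGMT-BOX",)),
)

if __name__ == "__main__":
    reverse_mgmt = Flow(CC_IP, "10.0.16.5", "udp", 810)
    for flow in (Flow("10.0.16.5", CC_BOX_IP, "tcp", 801), reverse_mgmt,
                 Flow(BORDER_FW_IP, "10.0.16.5", "tcp", 801)):
        print("AC    ", flow, "->", evaluate(AC_RULES, flow))
    print("AC (no Bi-Directional)", reverse_mgmt, "->",
          evaluate(without_bidirectional(AC_RULES), reverse_mgmt))
    for flow in (Flow("198.51.100.7", BORDER_PUBLIC_IP, "tcp", 692),
                 Flow("198.51.100.7", BORDER_PUBLIC_IP, "tcp", 22),
                 Flow("10.0.10.50", "10.0.16.5", "tcp", 801)):
        print("Border", flow, "->", evaluate(BORDER_RULES, flow))
```

The model deliberately ignores connection tracking, rule ordering by specificity and the List of Critical Ports, so use it to reason about which rule a flow hits and what destination it ends up with, not as a substitute for testing the real ruleset.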

Troubleshooting

  • If the remote F-Series Firewalls are not connecting to the NextGen Control Center, verify that you can ping the VIP assigned to the firewall from the Control Center box level. It may take some time for the F-Series Firewall to be on the Status Map of the Control Center.
  • Verify that the IP address of the border firewall routing the VIP network traffic to the Access Concentrator is listed as a Remote Network of the remote management tunnel. If this IP address is missing, traffic will not be sent through the remote management tunnel.
  • Depending on the number of managed firewalls, exporting the PAR file for the Access Concentrator can take some time.