It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure NAC for SSL VPN

  • Last updated on

SSL VPN Network Access Control (NAC) limits access to the web portals of the SSL VPN service according to a variety of factors based on attributes of the connecting device. Users who fail the NAC check are not allowed to log in until they have a conforming system. You can define exceptions for each category. Use exceptions to allow/block specific versions denied in the NAC block list. For example, to allow only Windows 7 to connect: Block all Windows operating systems in the NAC block list and then add an exception for Windows 7. NAC settings do not apply to clients connecting via CudaLaunch. The following parameters are evaluated by the SSL VPN service when the user logs in:

  • Desktop operating systems
  • Mobile operating systems
  • Desktop Browser types and versions
  • Browser Plugins
  • Mobile Browser types and versions

Step 1. Configure NAC Block List

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > SSL VPN.
  2. Click Lock
  3. In the left menu, click NAC.
  4. Set Enable NAC to Yes
    NAC01.png
  5. For each parameter, select the versions that should be blocked. Select none to not block according to this criteria. If the version number is not in the dropdown, select Other and type in the version number.
    NAC02.png
  6. Click Send Changes and Activate.

Step 2. (optional) Configure NAC Exceptions

To exempt some configurations from the restrictions defined above,  define NAC Exceptions to block or deny an entire category. Exceptions will override the criteria configured in Step 1. For example, to allow only Windows 7 to connect: Block all Windows operating systems in the NAC block list and then add an exception for Windows 7.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN > SSL VPN.
  2. Click Lock
  3. In the left menu, click NAC.
  4. Click + for each NAC Exception. The Enter Name window opens.
  5. Enter a name.
  6. Click OK. The NAC Exceptions window opens.
  7. Select the Access policy.
  8. Select the Exception Type.
    NAC03.png
  9. Click OK. The subtype for the selected Type is displayed. E.g., Mobile Browser type if you selected Mobile Browser as the Exception Type.
  10. Select the subtype and Version for the Exception type you previously selected. Select Other to enter a version number that is not listed.
    NAC04.png
  11. Click OK.
  12. Click Send Changes and Activate.

All users accessing the SSL VPN mobile and desktop portal must now conform to the requirements set in the NAC block list. When a user logs in with a device that fails one or more of the server-side NAC checks, the following block pages are displayed:

NAC_block_mobile.pngNAC_block_desktop.png

Check the sslvpn log file to find out which NAC block rule caused the user to be rejected:

NAC05.png