Barracuda CloudGen Firewall

Best Practice - Planning VPN Migration

Configuration: VPN Clients with X.509 Certs plus Static IP Assignment

Tested for this documentation with the following versions on Windows 8:

NextGen Firewall

fw_table.png

VPN Client

vppn01.png

Configuration on the NextGen Firewall

Authentication Service > MSAD Authentication > Basic

msad_conf.png

A minimal MSAD configuration is sufficient.

VPN Settings > Client Networks

client_net.png

VPN Settings > Root Certificates

root_cert.png

The root certificate must be imported and configured for client usage and, if wanted, with CRLs.

VPN Settings > Server Certificates

server_cert.png

The server certificate must be imported as well.

Client to Site > External CA > Click here for options (The blue text)

ext_ca.png

If the CN is to be used, make sure that it contains only one value, like “User16” or “10034”.

The corresponding entry in the user attributes in Active Directory for the IP attribute “msNPCallingStationID” can be found later in this article.

Client to Site > External CA > Preauthentication Scheme > Details

ext_ca_details.png

Again, the same attribute is used.

Client to Site > External CA > Group Policy

gp_edit.png

Nothing special to configure here.

Client to Site > External CA > Group Policy Condition

pol_condition.png

Nothing special to configure here.

Active Directory Configuration > User16 Properties > General

msad.png

Nothing special to configure here.

Active Directory Configuration > User16 Properties > Account

msad_account.png

Nothing special to configure here.

Active Directory Configuration > User16 Properties > Dial-In

msad_dialin.png

An IP address is configured here and is assigned to the client's virtual adapter.

VPN Client Test

vppn02.png

Active Directory Configuration > User16 Properties > Dial-In

msad_dialin2.png

A different IP address is configured; after a disconnect and reconnect, it is assigned to the client's virtual adapter.

VPN Client Test

vppn03.png

VPN Client Configuration on Windows

Certificate on the Desktop

vppn_cert.png

VPN Client Profile 

vppn04.png

VPN Client Profile Properties 

vppn05.png

General Rollout Procedure

A profile is created on one system; the certificate file name should be the same on all systems. This profile is exported as a registry key and imported on all the machines. The certificates are created and also distributed to the file system of all systems. Furthermore, a new shell script that uses rvpn.exe with new parameters for certificate usage must be created and distributed as well.

Certificate Rollout

The certificates must be deployed on all systems in a folder (the same on all units) where the VPN client has permission to access the file.

Registry Profile

reg.png

RVPN Shell Script Examples - Resources