Barracuda SecureEdge Access delivers all Secure Service Edge (SSE) services to your endpoint with a quick and easy configuration. The SSE services are offered in four different plans. For more information, see SecureEdge Access Plans. SecureEdge Access is a scalable, fully managed Barracuda SaaS solution. |Both the SecureEdge SaaS service and SecureEdge Access are available by subscription and hosted and managed by Barracuda Networks. You can activate SecureEdge Access using a product activation key. For more information on how to activate the Barracuda SaaS Service, see How to Activate the Barracuda SaaS Service Using an Activation Key.
Before You Begin
Create a Barracuda Cloud Control account. For more information, see Create a Barracuda Cloud Control Account.
To deploy SecureEdge Access, configure SecureEdge Access with the following steps:
Step 1. Activate SecureEdge Access Using Activation Key
After your order is placed with Barracuda Networks, you will receive an email from Barracuda Customer Services with a product activation key. In the Product Key section, click Activate.
Log in with your Barracuda Cloud Control account.
Complete the 4-step product activation process.
Accept the license agreement to complete the subscription. Your product subscription is activated as soon as the activation procedure is complete.
After accepting the terms, you are directed to the SecureEdge dashboard. You can verify your subscriptions in the SecureEdge Manager via Profile > Subscription. You can proceed with Step 2.
Step 2. Access Points of Presence (PoPs)
SecureEdge Access deploys by default through its PoP network using a global SaaS platform to provide seamless connections from anywhere. For more information, see Understanding Points of Presence (PoPs) and Points of Entry (PoEs).
(Optional) Step 2. Private Points of Presence (PoE)
Barracuda SecureEdge supports three different types of points of entry: firewalls, edge services, and sites. The SecureEdge Manager allows you to configure the points of entry by selecting either an existing edge service, site, or firewall that the Barracuda SecureEdge Access Agent can connect to. Registration of CloudGen Firewalls is token based. The CloudGen Firewall fetches a requisite certificate and a zero trust access policy from the cloud services; however, it does not get security features or SD-WAN policies from the service. On the Points of Presence page, you can find information on enrolled points of entry in the Barracuda SecureEdge environment.
For more information, see How to Configure Private Points of Presence (PoE).
Step 3. Connect to Identity Management
The Barracuda SecureEdge Manager allows you to configure an identity provider as well as user directory via the Identity > Settings tab and sync with Zero Trust access. With SecureEdge Identity Management, you can enroll users/groups with their respective devices to create secure remote access to internal and external enterprise resources, whether on-premises or in the cloud with a quick and easy configuration via the SecureEdge Access Agent. For more information, see Identity Management.
The Barracuda SecureEdge Manager supports the following identity providers and user directories:
Identity Providers | User Directories |
|---|---|
Barracuda Cloud Control | Barracuda Cloud Control |
Microsoft Entra ID | Microsoft Entra ID |
Google Workspace | Google Workspace |
OpenID Connect | Okta |
SAML 2.0 | LDAP |
Okta Workforce | SCIM |
Step 4. Enroll Users, Groups, or Devices
Barracuda SecureEdge lets administrators enroll users, groups, or devices via the SecureEdge Enrollment page. To do so, first create an enrollment invitation on the Enrollments page. Depending on license availability, you can enroll users, groups, and devices. To connect with an Access Agent, first download the Barracuda SecureEdge Access Agent. Next, install and run the SecureEdge Access Agent.
For more information, see:
Step 5. Verify Enrolled Devices and Users
After the enterprise enrollment process is completed, your device protection will be automatically enabled. On the Enrolled User and Enrolled Devices pages, you can find detailed information on enrolled users and devices, respectively.
Enrolled Users
For more information, see How to Verify Enrolled Users
Enrolled Devices
For more information, see How to Verify Enrolled Devices
(Optional) Settings for an Enrolled User
The Settings page for an enrolled user offers various access and device setup options.
Users can change their license and device profile. For more information, see Device Settings.
SecureEdge access settings can be overridden and user-level configurations created. Enable User Override before adjusting settings like Tamperproof, Windows Pre-Logon, Web Filtering, and Trusted Platform Module (TPM) Enforcement. For details, see Access Settings.
To configure a custom Access Agent network configuration, you must specify the network DNS suffix and enable the Use Manual Configuration option. For more information, see How to Configure a SecureEdge Access Agent Network
(Optional) Access Global Enrollment Settings
You can configure SecureEdge Access device settings and unattended enrollment settings on a global level. The Enrollment Settings page includes device and unattended enrollment settings:
Device settings – Specifies the parameters User device limit and Global breakout domains.
Enrollment settings – Adds Certificates and the Domain for unattended enrollment.
 |  |
For more information, see Device Settings and Unattended Enrollment: Adding Certificates and Domain Configuration.
Step 6 Create a Zero Trust Access Policy
The Zero Trust Access policy defines the resources made available to end users of the Barracuda SecureEdge Access Agent and the associated access restrictions. The Zero Trust Access page displays all defined policies with respect to your selected workspace.
For more information, see Zero Trust Access Policies.
Additional Information
To add a Zero Trust Access Policy for Zero Trust Access to reach a website for which no pre-defined apps exists (for example, zoom.us, msn.com, microsoft.com, tiktok.com, or whatsapp.com), you must define a custom web application. However, this overwrites the ‘non-interceptable’ property that states that SSL Inspection should not inspect such a website. In this case, you must configure an SSL Inspection rule with the respective client network as source and a custom web application as destination, and set SSL Inspection for these websites to Do Not Inspect.