Barracuda SecureEdge

How to Configure SecureEdge Access Global Settings


The Barracuda SecureEdge Manager allows administrators to configure SecureEdge Access settings on a global level as default settings per workspace. In addition to Web Filtering, SecureEdge Access also incorporates several security features such as Tamper Proof, Windows Pre-Logon, User Device Limit, and Trusted Platform Module (TPM) Enforcement. These features are valid per workspace and can be overridden per enrolled user. For more information on how to set up the Access Agent network configuration, see How to Configure SecureEdge Access Agent Network.


The following new features have been added to the Zero Trust Access settings:

  • TPM Enforcement – A Trusted Platform Module (TPM) is a hardware component that generates and stores cryptographic keys in such a way that the private key never leaves the chip. Enforcing TPM therefore binds the enrolled identity to one physical device: the device key cannot be copied to another machine. This option for Zero Trust Access enrollment ensures that the SecureEdge Access Agent uses keys generated by and stored in a TPM. The feature is valid per workspace and can be overridden per enrolled user. Administrators can enforce TPM either globally, as described below, or as a per-user override (in the same way as Tamper Proof) via the SecureEdge Manager.

  • Breakout Domain – Allows you to configure specific domains (internal or private) that are resolved by the DNS servers configured in the local network. Entries must be valid names and can mix hostnames, domains, and domain patterns that start with a wildcard label (e.g., *.trusted.partner.net). This feature is valid per workspace, which means all SecureEdge Access Agents in the same workspace receive the same list of breakout domains. Changes to the breakout domain list are recorded in the Audit Log.

TPM Enforcement support and Breakout Domain features are available only on SecureEdge Access Agent 2.0.0 or higher.

Configure Zero Trust Access Settings

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon.

  3. From the drop-down menu, select the workspace your SecureEdge Access should be configured for.

  4. Go to Access > Settings.

  5. Expand the Settings menu on the left and select General.


  6. The Settings page opens. In the Zero Trust Access Settings section, specify values for the following:

    • Client Network DNS Suffix – Enter a DNS suffix to be used for your client network. 

    • Tamper Proof – Click to enable/disable. By default, Tamper Proof is disabled. Note: For devices running iOS, iPadOS, or Android, an MDM solution is required.

      • If Tamper Proof is enabled, the user can no longer:

        • Disable the SecureEdge Access Agent

        • Unenroll the device

        • Quit the SecureEdge Access Agent via the right-click Quit option in the system tray. Note: This applies to desktop applications.

      • If Tamper Proof is disabled, all of the above actions are available to the user.

    • Windows Pre-Logon – Click to enable/disable. By default, Windows Pre-Logon is disabled. 

      • If Windows Pre-Logon is enabled, administrators can manage user devices running Windows without the user being logged in. Connectivity to the Point of Entry (PoE) will already be established during system startup, even when no user is logged in on the endpoint device.

    • User Device Limit – Select a user device limit from the drop-down menu (1 to 10 devices per user). User Device Limit is the number of devices a user is allowed to enroll. By default, User Device Limit is 5.

    • Web Filtering – Click to enable/disable DNS-based web filtering. By default, Web Filtering is enabled.

      • If Web Filtering is enabled, all web traffic that clients send through the SecureEdge Access Agent is checked against the defined Web Filter policy, regardless of whether the client is accessing internal or external company resources. For more information, see Web Filter Policies.

    • TPM Enforcement – Click to enable/disable. By default, TPM Enforcement is disabled.

      • If TPM Enforcement is enabled, the SecureEdge Access Agent must use a device authentication key that was generated by and is stored in the Trusted Platform Module (TPM). Such a key is non-exportable: the private key never leaves the TPM chip and cannot be read out, so the enrolled device identity cannot be cloned to another machine.

      • If TPM Enforcement is disabled, older devices without TPM support can still be enrolled.

    • Breakout Domains – Enter a valid domain. To enter more domains, click +. Note: Domains will be resolved via the DNS servers configured in the local network.


  7. Click Save.

After configuration is complete, verify your SecureEdge Access settings on the SecureEdge Access Agent. The ZTNA features behave as follows:

  • You can enable/disable Tamper Proof for all users in a workspace.

  • You can enable/disable Windows Pre-Logon for all users. When Windows Pre-Logon is enabled, the connection is established before the user logs in to their account, and the same enrollment is shared by all users who log in on the device. For example: User A logs in and enrolls the device with identity X. User A logs out, and User B logs in. The device remains enrolled with identity X, and User B does not have to enroll again. Because the device, not the individual user, holds the enrollment, a dedicated service account can be used for the enrollment instead of a personal user identity.

  • You can enable/disable Web Filtering for all users. If enabled, all web traffic will be checked against the defined Web Filter policy.

  • By default, User Device Limit is 5. The range is between 1 and 10. 

  • You can enable/disable TPM Enforcement for all users in a workspace. In addition, you can override TPM Enforcement for a specific user via the Access user settings, both to require TPM for one user when it is disabled for the workspace and to exempt one user when it is enabled for the workspace. Changes to TPM Enforcement are recorded in the Audit Log.

  • You can define a list of breakout domains in the SecureEdge Manager (including wildcard support) that will always be resolved locally.

The Windows Pre-Logon feature is available only for Windows and requires SecureEdge Access Agent 1.1.0 or higher.

Barracuda SecureEdge Access Agent needs to be installed with the MSI parameter DEVICESCOPE=1 to enable Windows Pre-Logon.
Alternatively, Windows Pre-Logon can also be activated on an existing installation by executing the following command before enrollment (local administrator privileges required):
"%PROGRAMFILES%\Barracuda\SecureEdge Agent\secureedge-tools.exe" enroll-scope device
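The following PowerShell script is an added example and not Barracuda's own tooling. It wraps both ways of reaching device scope described above: a fresh silent install with the DEVICESCOPE=1 MSI property, or switching an existing installation with secureedge-tools.exe before the device is enrolled. The install path is the default quoted on this page; the MSI file name is a parameter you supply, and the assumption that secureedge-tools.exe returns exit code 0 on success is mine, not documented here.

```powershell
# Added example (not Barracuda's script): put the SecureEdge Access Agent into
# device scope so Windows Pre-Logon can be used. Run from an elevated session
# BEFORE enrolling the device; changing scope after enrollment is not covered here.

# Default install location from the documentation.
$AgentTool = Join-Path $env:ProgramFiles 'Barracuda\SecureEdge Agent\secureedge-tools.exe'

function Assert-Elevated {
    # enroll-scope needs local administrator rights; fail early and clearly.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }
}

function Install-SecureEdgeAgentDeviceScope {
    # Fresh install: pass DEVICESCOPE=1 as a public MSI property. /qn and /norestart
    # are standard msiexec switches; the MSI path is whatever you downloaded.
    param([Parameter(Mandatory)] [string] $MsiPath)
    Assert-Elevated
    if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    $p = Start-Process -FilePath 'msiexec.exe' `
                       -ArgumentList @('/i', "`"$MsiPath`"", 'DEVICESCOPE=1', '/qn', '/norestart') `
                       -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending (standard MSI codes).
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
    return $p.ExitCode
}

function Enable-SecureEdgeAgentDeviceScope {
    # Existing install: switch the enrollment scope to the whole device.
    Assert-Elevated
    if (-not (Test-Path $AgentTool)) {
        throw "Agent not found at '$AgentTool'. Install it with DEVICESCOPE=1 instead."
    }
    & $AgentTool enroll-scope device
    # Assumption: a non-zero exit code means the scope change failed.
    if ($LASTEXITCODE -ne 0) { throw "enroll-scope device failed with exit code $LASTEXITCODE" }
    return $LASTEXITCODE
}

# Usage: pick one path, then enroll the device with a dedicated service account.
if (Test-Path $AgentTool) {
    Enable-SecureEdgeAgentDeviceScope
} else {
    Install-SecureEdgeAgentDeviceScope -MsiPath 'C:\Temp\SecureEdgeAccessAgent.msi'   # example path
}
Write-Host 'Device scope set. Enroll now; the PoE connection will come up at boot, before any user logs in.'
```

Run the enrollment itself only after the script reports success: the scope must already be set to device when the enrollment is performed, and the identity used for that enrollment is the one every later user of the machine will share.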

Note that enabling TPM Enforcement has no effect on devices that are already enrolled; it only applies to subsequent enrollments. A device enrolled without a TPM-backed key therefore keeps its existing enrollment until it is unenrolled and enrolled again.
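Because the setting only bites on new enrollments, and older devices without a TPM then fail to enroll, it is worth inventorying endpoints before switching TPM Enforcement on for a whole workspace. The following PowerShell function is an added example, not part of the Barracuda product; it uses the built-in Get-Tpm cmdlet and the Win32_Tpm CIM class, both of which need local administrator rights. Running it against remote hosts assumes WinRM is enabled for Invoke-Command. The page does not state which TPM version the agent requires, so the spec version is reported for information only.

```powershell
# Added example (not Barracuda's script): find Windows devices that would fail
# a fresh enrollment once TPM Enforcement is enabled for the workspace.

function Test-SecureEdgeTpmReadiness {
    [CmdletBinding()]
    param(
        # Hosts to inspect; 'localhost' runs the check here without WinRM.
        [string[]] $ComputerName = @('localhost')
    )

    $check = {
        $tpm = $null
        try { $tpm = Get-Tpm -ErrorAction Stop } catch { }   # throws if the TPM stack is unavailable
        # Win32_Tpm exposes the spec version (e.g. "2.0, 0, 1.38"); absent when there is no TPM.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            TpmPresent   = [bool]($tpm -and $tpm.TpmPresent)
            TpmReady     = [bool]($tpm -and $tpm.TpmReady)    # present, enabled, activated, owned
            SpecVersion  = if ($wmi) { $wmi.SpecVersion } else { $null }
            # Assumption: the agent can only use a TPM that is present and ready.
            CanEnroll    = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -in @('localhost', '.', $env:COMPUTERNAME)) {
            & $check
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $check
        }
    }
}

# Usage: list devices that need attention (no TPM, or TPM not ready) before
# enabling TPM Enforcement, or use a per-user override for their owners.
Test-SecureEdgeTpmReadiness -ComputerName 'localhost' |
    Where-Object { -not $_.CanEnroll } |
    Format-Table ComputerName, TpmPresent, TpmReady, SpecVersion
```

Devices that appear in this list either need their TPM enabled in firmware and initialized in Windows before re-enrollment, or a per-user override in the Access user settings so that their owner can still enroll while the workspace default requires a TPM.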

Further Information