Applies to all Barracuda SSL VPNs, firmware version 1.4 and above.
Network Access Control (NAC) can be used to control access to the Barracuda SSL VPN whenever a user attempts to log in. NAC Exceptions can be used to tighten this further. One of the available methods is to block or allow access based on the IP address of the system the user is logging in from. The following explains how to do this for the ssladmin user:
- NAC is configured per user database. To make changes that affect ssladmin, they must be made in the Super Users database: open the dropdown box in the top right of the page and select the Super Users entry.
- Go to Access Control > NAC page, locate the Enable NAC Rules option and ensure this is set to Yes, and save the changes.
- Now locate the Logon from any IP Address option and set this to Block. Save this change.
- The NAC configuration is now complete. Next, a NAC Exception must be created so that ssladmin is still able to log in. Go to Access Control > NAC Exceptions.
- To create a new NAC Exception, enter a name and select Lookup. A new window opens in which you select the accounts, groups and policies that will use the exception. In this case, in the account section, start typing ssladmin; it should appear as you type. Select ssladmin and click Add so that it appears under Selected Accounts, then click Add at the bottom to return to the previous page. Now select the IP Address option from the Type dropdown box; the Sub Type/Expression field becomes selectable. Enter the IP address or range that ssladmin should be restricted to (a single IP address, a wildcarded range such as 192.168.0.*, or CIDR notation such as 192.168.0.0/24). Finally, ensure the Access dropdown is set to Allow & Continue and select Add.
The Exception is now created. If you attempt to log in as ssladmin from a system outside the specified IP range, the NAC check at login will block the attempt and display a message explaining why. Login attempts from within the specified range proceed normally.
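The following is an added illustration of the decision logic the steps above configure, written for this article and not Barracuda's code: the default "Logon from any IP Address = Block" rule, an exception for ssladmin, and the three expression forms the page names (single address, wildcarded range, CIDR). The exception list and test addresses are constructed, and an unparseable source address is treated as Block.

```python
import ipaddress

# Constructed model of the NAC evaluation described in this article (not Barracuda code).
# Default policy in the Super Users database: "Logon from any IP Address" = Block.
# An exception grants "Allow & Continue" to listed accounts from matching sources.

def _wildcard_match(pattern: str, source_ip: str) -> bool:
    """Octet-by-octet match for a wildcarded range such as 192.168.0.*."""
    pat_octets, ip_octets = pattern.split("."), source_ip.split(".")
    if len(pat_octets) != len(ip_octets):
        return False
    return all(p == "*" or p == o for p, o in zip(pat_octets, ip_octets))


def expression_matches(expression: str, source_ip: str) -> bool:
    """True if source_ip satisfies a NAC IP expression (exact, wildcard or CIDR)."""
    addr = ipaddress.ip_address(source_ip)          # raises ValueError on garbage
    if "/" in expression:                           # CIDR, e.g. 192.168.0.0/24
        return addr in ipaddress.ip_network(expression, strict=False)
    if "*" in expression:                           # wildcard, e.g. 192.168.0.*
        return _wildcard_match(expression, source_ip)
    return addr == ipaddress.ip_address(expression) # single address


# Constructed exception list mirroring the article's ssladmin example.
EXCEPTIONS = [
    {"name": "ssladmin-lan", "accounts": {"ssladmin"}, "type": "IP Address",
     "expression": "192.168.0.0/24", "access": "Allow & Continue"},
]


def evaluate_logon(account: str, source_ip: str, exceptions=EXCEPTIONS,
                   any_ip_policy: str = "Block") -> str:
    """Return the NAC outcome for one login attempt: an exception's access value,
    or the default any-IP policy when no exception applies. Fails closed."""
    try:
        for exc in exceptions:
            if (account in exc["accounts"] and exc["type"] == "IP Address"
                    and expression_matches(exc["expression"], source_ip)):
                return exc["access"]
    except ValueError:
        return "Block"  # malformed source address: never fall through to allow
    return any_ip_policy


if __name__ == "__main__":
    for ip in ("192.168.0.50", "10.0.0.5", "not-an-ip"):
        print(f"ssladmin from {ip}: {evaluate_logon('ssladmin', ip)}")
```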