Solution #00006178
Scope:
This solution applies to Barracuda SSL VPNs, all firmware versions.
Answer:
The following functionality will not work if Java is entirely disabled in a browser being used to access the SSL VPN:
- NAC agent-based checking
- Tunnel-based web forwards
- Drive mappings
- SSL Tunnels
- Applications
- Remote assistance
- Key authentication
If customers do not use any of the features above, they should disable Java from launching from the browser completely, as per the alert from the US Dept. of Homeland Security: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
How can I mitigate against these risks while still using Java for the SSL VPN?
The Barracuda SSL VPN applet is signed, so the first time it launches the agent you can inspect its certificate and confirm that it is signed by Barracuda Networks and is therefore the official applet that we distribute.
We recommend that customers do the following:
- Use the latest Java update on client machines.
- Disable Java execution from their browsers when it is not needed, as is recommended in the alert.
- Always check the validity of an applet to make sure it has been signed and comes from a trusted and known source.
- For the Internet Explorer browser in Windows, there are a number of registry key edits that you can make to disallow Java applets from untrusted sources (details can be found in the Additional Notes section below).
To allow Java to run in Internet Explorer only for Trusted Sites, change the following registry setting:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
by adding a new DWORD value named 1C00 and setting it to 00000000.
You can then check to see if Internet Explorer still allows any site (that you have not authorized) to run Java by navigating to http://www.java.com/en/download/installed.jsp and clicking on the 'Verify Java version' link. You should get a message stating 'We are unable to verify if Java is currently installed and enabled in your browser'.
Now navigate to the SSL VPN's web interface and access its Internet Options->Security tab.
Click Trusted sites and click the Sites button.
Enter the SSL VPN device's URL and then click on Add to add the SSL VPN URL to the list of trusted sites.
Click Close then OK.
The Agent should then be allowed to launch for the SSL VPN site, but not for other untrusted sites.
If the Java Plug-in ActiveX helper is installed in the browser, the security setting above can be bypassed. It is therefore also important to check Internet Explorer's Add-Ons for the Java Plug-in 10.x.x (not the ones which say SSV helper). This Add-On can be disabled there, or you can do this via a registry setting by navigating to:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
and setting "Compatibility Flags"=dword:00000400
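The two registry changes above can be audited on a client machine with a short script. The following PowerShell is an added example, not Barracuda's own code: the function names are illustrative, the registry paths, value names and data are the ones given on this page, and treating "Compatibility Flags" as a bitmask (so any other bits already set are preserved) is an assumption of this example.

```powershell
# Added example: audits, and with -Apply sets, the two registry values from this page.
# Function names are illustrative; registry paths, names and values are the page's own.
$JavaIeSettings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       Name = '1C00'; Value = 0x00000000; BitFlag = $false },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}'
       Name = 'Compatibility Flags'; Value = 0x00000400; BitFlag = $true }
)

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # $null means the key or the value is absent, which is different from 0.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-JavaIeSetting {
    param([hashtable]$Setting)
    $current = Get-DwordOrNull -Path $Setting.Path -Name $Setting.Name
    if ($null -eq $current) { return $false }
    # Assumption: the flags value is a bitmask, so only the required bit is tested.
    if ($Setting.BitFlag) { return (($current -band $Setting.Value) -eq $Setting.Value) }
    return ($current -eq $Setting.Value)
}

function Invoke-JavaIeHardening {
    param([switch]$Apply)
    foreach ($s in $JavaIeSettings) {
        $ok = Test-JavaIeSetting -Setting $s
        if (-not $ok -and $Apply) {
            # Writing under HKLM requires an elevated session.
            if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            $new = $s.Value
            $old = Get-DwordOrNull -Path $s.Path -Name $s.Name
            if ($s.BitFlag -and $null -ne $old) { $new = $old -bor $s.Value }  # keep other flag bits
            New-ItemProperty -LiteralPath $s.Path -Name $s.Name -PropertyType DWord -Value $new -Force | Out-Null
            $ok = Test-JavaIeSetting -Setting $s
        }
        [pscustomobject]@{
            Name      = $s.Name
            Path      = $s.Path
            Current   = Get-DwordOrNull -Path $s.Path -Name $s.Name
            Compliant = $ok
        }
    }
}

Invoke-JavaIeHardening   # audit only; add -Apply to write the values
```

A missing value is reported as non-compliant rather than as 0, because an absent 1C00 entry means the zone is not using the setting described above.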