We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Agent

Using the Barracuda WSA with the Barracuda Web Security Service

  • Last updated on

Use the Barracuda Web Security Agent (WSA) to filter web traffic, detect and block malware, and ensure safe browsing for off-network users. When you deploy the Barracuda WSA on each remote desktop, Mac OSX computer, or laptop, all web traffic for those clients is signed by the Barracuda WSA. Browsing policies created in the Barracuda Web Security Service are then applied to that traffic as it is returned to the client, providing secure web browsing access.

Barracuda recommends reading and understanding this article before installing the agent. Continue with How to Install the Barracuda WSA with the Barracuda Web Security Service.

See also:

How the Barracuda WSA Works

The Barracuda WSA intercepts all HTTP/S and FTP traffic through any connection on the client without regard for the type of web browser. This includes Ethernet, wireless, or dial-up connections.

The Barracuda WSA:

  • attaches user information to web requests, then
  • directs traffic to the Barracuda Web Security Service or, if applicable, the Barracuda Web Security Gateway.

The Barracuda WSA prevents malware from reaching client computers. Only safe traffic is passed to web browsers.

After the Barracuda WSA is installed and configured, your web traffic is protected by the Barracuda Web Security Service automatically. The Barracuda WSA directs all traffic from web browsers, and other application traffic on ports 80 and 443, to the Barracuda Web Security Service. Use configuration profiles to define how the Barracuda WSA filters traffic.

You can install the Barracuda Web Security on Microsoft Windows or Macintosh machines.

System Requirements

Managing the Barracuda WSA

You can manage the Barracuda WSA in one of three ways:

  • If you use Barracuda WSA clients that are version 3.3 or higher, you can centrally manage all of your Barracuda WSA clients from the REMOTE FILTERING > Web Security Agent page of the Barracuda Web Security Service Manager interface. Configuration settings for centrally managed Barracuda WSA clients are defined in a configuration Profile that you create on that page. You can create, modify, delete, or assign Profiles to Barracuda WSA clients in a group, on a machine, or for an individual user. If you already have Barracuda WSA version 3.3 or higher installed on your network, your configuration profiles are automatically populated in the REMOTE FILTERING > Web Security Agent page of the Barracuda Web Security Service Manager interface.
  • You can use Windows GPO (Group Policy Object) or command line arguments to make changes to the Barracuda WSA clients on your network. 

To edit settings locally for an individual Agent, use the Configuration Tool in the Agent interface: see:

Note that any changes made on the client with the configuration tool are OVERRIDDEN each time the Barracuda WSA synchronizes with the Barracuda Web Security Service. Synchronization happens:

  • When the user logs onto the client machine
  • When the Barracuda WSA gets restarted on the client machine
  • If the client machine network address changes
  • If the user manually syncs the Barracuda WSA; only allowed if configured by administrator

Creating Configuration Profiles for your Barracuda WSA

  1. Log into the Barracuda Web Security Service.
  2. Go to the REMOTE FILTERING > Web Security Agent page.
  3. Click the Add Profile button to create a new profile and fill in the fields. The settings you select in the configuration profile allow you to define settings you can apply to specific Barracuda WSA clients. Make sure to define one or more profiles before installing the Barracuda WSA on user clients. Note: After installing the Barracuda WSA on user client machines, you only need to define the Service Host, Port and Authentication Key on the client. All other settings will be overwritten (synchronized with the host) with what you have configured in the profile in the Barracuda Web Security Service. Synchronization happens when: each time the user's machine is rebooted or the user logs on. You can also force an overwrite, or Sync, of the settings on the client:
    • The user's machine is rebooted or the user logs on.
    • The network IP address of the client machine is changed.
    • Manually, with the Barracuda WSA for Windows - by right clicking the Barracuda WSA icon in the task tray, and selecting Sync.
    • Manually, with the Barracuda WSA for Macintosh - by clicking Synchronize Settings in the WSA Preferences window.

Encryption

The Barracuda WSA redirects traffic on port 8080 by default.

Application Filtering

The Barracuda WSA automatically forwards web browser traffic on all ports, and forwards traffic from all other applications on ports 80 and 443. You can specify how the Barracuda WSA filters application traffic by default:

  • Filter traffic on ports 80 and 443 for all applications,
  • Filter traffic for specified applications and allow traffic for all other applications, or
  • Filter traffic for specified applications and block traffic for all other applications.

If you have specific applications that use other ports, you can add them to the Applications to Filter (All Ports) list. To access this list, go to the Start > All Programs > Barracuda > Web Security Agent > Configuration screen, and then click Advanced to display the advanced options.

Password Tamper Prevention

Password Protection

You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or when the Barracuda WSA operates behind a Barracuda Web Security Gateway in transparent mode. 

You can use the password protection feature to ensure that only authorized users can stop or start Barracuda WSA. During installation, you have an option to specify a password to protect configuration options and control user privileges. If you choose to specify a password, that password is required for any user to:

There is no password reset; if the password is lost, you must reinstall the Barracuda WSA.

User Privileges

Allow Uninstall Option

You can choose the Allow Uninstall Through Add/Remove Programs option during installation to allow the user to remove the Barracuda WSA from a computer using the Microsoft Windows Add or Remove Programs window. The Barracuda WSA does not, by default, appear in the Windows Add or Remove Programs list.

If you did not enable the Allow Uninstall Through Add/Remove Programs option during installation, the user must contact the System Administrator for assistance. You can enable the Allow Uninstall Through Add/Remove Programs option during installation and use the password protection feature to ensure that unauthorized users cannot uninstall the Barracuda WSA. If you did not enable the Allow Uninstall Through Add/Remove Programs option during installation, contact  Barracuda Networks Technical Support  to uninstall Barracuda WSA.

Temporarily Disable Service Option

If the Barracuda Web Security Service prevents users from logging onto a public network, such as at a captive portal in a hotel or coffee shop, you can temporarily disable Barracuda WSA and connect to the public network. After five minutes, the Barracuda WSA automatically re-enables itself.

  • Right-click the Barracuda Networks icon on the desktop or system tray.
  • Select Temporarily Disable.

The Barracuda WSA is disabled for five minutes, during which you can connect to the previously blocked network. It then re-enables itself.

The user can disable the Barracuda WSA three times before the option is no longer available. A reboot of the client machine restarts the counter.

Stop/Start Service Option

You can choose an option during installation that lets users stop and start the Barracuda WSA from the task tray. This is sometimes helpful with troubleshooting network or performance issues, or when the Barracuda WSA operates behind a Barracuda Web Security Gateway in transparent mode. 

You can use the password protection feature to ensure that only authorized users can stop or start Barracuda WSA. If you chose the Allow User to Disable Service option during installation, the user can stop and start the Barracuda WSA service. If you specified a password during installation, the user must provide the password that you created in order to stop or start the service.

To stop the Barracuda WSA:

  • Right-click the Barracuda Networks icon on the desktop or system tray.
  • Select Stop Service.
  • If prompted for a password, type the password, and then click OK.

The Barracuda WSA is stopped until you restart it or reboot. The Barracuda Networks icon in the system tray is grayed out.

To restart the Barracuda WSA:

  • Right-click the Barracuda Networks icon on the desktop or system tray.
  • Select Start Service.

Allow Users to Change Service Host

With version 4.3.0 or higher, you can allow users the option to select another host from the Host drop-down in the context menu on the client if there is another service host (Barracuda Web Security Service) available that has faster response times. This involves also configuring the Barracuda WSA to poll available service hosts and rank them by response times by checking the Automatically Select Service Host setting in the profile(s) you create on the REMOTE FILTERING > Web Security Agent page. See Fallback Service Hosts and the Barracuda Web Security Service for details.

VPN Interoperability

The Barracuda WSA is designed to forward all web traffic to the Barracuda Web Security Service, so virtual private network (VPN) clients that rely on web browser settings to forward traffic to private networks may interfere with Barracuda WSA’s operation. In order to use a VPN client on a PC that is running Barracuda WSA, a user may need to do one of the following:

  • stop Barracuda WSA when connecting with the VPN,
  • use the VPN in split tunnel mode, or
  • enter bypasses for the VPN server IP address.

If you install and configure Barracuda WSA so that end users may not stop and restart Barracuda WSA, then only bypasses or split tunnel mode will work simultaneously with Barracuda WSA.

You can use the password protection feature, available during installation, to ensure that only authorized users can stop or start Barracuda WSA.

Automatic Software Updates

Barracuda WSA periodically checks the Barracuda Web Security Service for available software updates. When an upgrade is available, Barracuda WSA automatically and silently downloads and installs it, preserving any configuration information you have in place. The automatic updater works whether Barracuda WSA is installed in regular mode or silent operating mode. The automatic updates may be disabled at installation for those network environments that prefer to manually upgrade.

Connection Testing

At the beginning of each session, Barracuda WSA tests its connection with the Barracuda Web Security Service. If there is a problem with the connection, it displays a message that it cannot connect to the Barracuda Web Security Service. If you opted to use the password protection feature during installation and have the password, you can disable the Barracuda WSA, either permanently or temporarily.

Silent Operation

If other people will be using the computer or you are concerned about tampering, you may want users to remain unaware that the Barracuda WSA is installed. If so, choose the silent operation option during installation. The Barracuda WSA icon will not appear in the user’s task tray, and shortcuts will not exist in the Start menu. To change settings for a Barracuda WSA installation in silent operation mode, you must go into the Barracuda Networks directory and launch Barracuda WSA configuration manually.

Barracuda WSA and the Web Security Gateway

In corporate environments that use a Barracuda Web Security Gateway, if you direct proxy clients to the Barracuda Web Security Gateway, or any other internal proxies that should be reachable by Barracuda WSA clients for internal proxying and filtering, you must specify those proxy exception network addresses. You can specify proxy exceptions during installation, on the CONFIGURATION screen in the Proxy Exceptions box, or by using the PROXY_EXCEPTIONS option from the command line. Proxy Exceptions for an already installed Barracuda WSA can be viewed and modified by editing the corresponding configuration profile. Select the Profile from the REMOTE FILTERING > Web Security Agent page, Configuration Profiles section. Add, edit or remove Proxy Exceptions, and then Save Changes.

If you use the Barracuda WSA behind a Barracuda Web Security Gateway, the Barracuda WSA detects that the Barracuda Web Security Gateway is reachable and automatically stops redirecting traffic so that web traffic flows through the Barracuda Web Security Gateway for filtering.

Continue with How to Install the Barracuda WSA with the Barracuda Web Security Service.

Last updated on