We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How to Get and Configure the Barracuda Chromebook Security Extension

  • Last updated on
This feature is available for the Barracuda Web Security Gateway 410 and 410 Vx and higher, running version 11.0 and above.

With the Barracuda Chromebook Security Extension installed on Chromebooks, users are identified and policy is applied based on the user whether they are inside your network or accessing the Internet from a public or private network. For example, this feature provides security for students, even when they take their Chromebooks home. Additionally, user generated traffic is logged and recorded for reporting purposes, providing administrators insight into all user activity.

The extension provides:

  • Enforcing of security policies provided by the Barracuda Web Security Gateway
  • Control and visibility over both HTTP and HTTPS traffic, without sending any user generated traffic through the Barracuda Web Security Gateway
  • Synchronizing of policy and report data between the Chromebook and the Barracuda Web Security Gateway

Note that the extension, not the Barracuda Web Security Gateway, applies block/allow policies for admin.google.com on the Chromebook.

The Barracuda Chromebook Security Extension is available from the Google Chrome Web Store at no cost, and can be configured in the Google Admin console. Follow the instructions below to get and configure the Barracuda Chromebook Security Extension.

The Barracuda Chromebook Security Extension does not support user/device pairing; it should be installed in any Chrome browser that a user logins into which is tied to their Google domain. The extension will be disabled if it detects that the device it was installed on is not running a ChromeOS.

Features supported on the Barracuda Web Security Gateway

In addition to the ability to block HTTPS sites, the extension supports these features:

With the Barracuda Web Security Gateway version 11.x:

  • Content Filtering
  • Domain Filtering
  • Custom Categories
  • Web Logs
  • Exceptions (Limited to Content Filtering and Domain filtering)
  • Reporting, limited to features listed here

Note that application blocking is supported through Chromebook Management (admin.google.com). The following do not apply for Chromebook web traffic with the extension installed:

  • Settings on the BLOCK/ACCEPT > Web App Control page; i.e. block/allow for applications listed on the page.
  • Settings on the BLOCK/ACCEPT > Web App Monitor page; i.e. social media content monitoring and suspicious keyword alerts.
  • Interactive block pages, which allow for login bypass or temporary access tokens, for example.

With the Barracuda Web Security Gateway version 12.x:

  • All the features supported by the Barracuda Web Security Gateway 11.x
  • Chromebook Granular Controls:
    • Option to set the frequency with which the extension attempts to sync traffic log data with the Barracuda Web Security Gateway.
    • Option to set the frequency with which the extension attempts to fetch and sync policy changes made by the administrator.
    • Option to configure Request Types to Filter - For example, not filtering stylesheets, images, or other object types reduces the processing load on the Chromebook.
  • Time based policies
  • Temporary Access Token features
  • Google Directory Services

The following do not apply for Chromebook web traffic with the extension installed:

  • Settings on the BLOCK/ACCEPT > Web App Control page; i.e. block/allow for applications listed on the page.
  • Settings on the BLOCK/ACCEPT > Web App Monitor page; i.e. social media content monitoring and suspicious keyword alerts.

How the Barracuda Chromebook Security Extension Works

When installed on a Chromebook, the Barracuda Chromebook Security Extension queries the Barracuda Web Security Gateway for block/accept policies and applies them to all Chromebook web traffic. The extension is configured using the Google Admin console and can optionally use the Google Cloud Directory Sync (GCDS) and G Suite Password Sync (GSPS) to synchronize Chromebook user logins with the Barracuda Web Security Gateway for user-based exception policies.

If you do not configure GCDS/SSO, you can create local users with matching usernames, which will automatically match users coming from the google domains.

ChromebookWSGDiagram.png

Unlike regular proxy traffic, Chromebook web traffic is not displayed immediately on the BASIC > Web Log page in the Barracuda Web Security Gateway web interface – it may take a few minutes for the log data display. If the Barracuda Web Security Gateway goes offline, and if the user already has the Barracuda Chromebook Security Extension installed, web traffic from that device will continue to be filtered based on the policies that were downloaded by the extension before the Barracuda Web Security Gateway went offline. In this scenario, the web logs are stored on the client machine and are displayed when the Barracuda Web Security Gateway is online again.

Authentication for Chromebook Users

For all Chromebook deployments, when using the Barracuda Chromebook Security Extension, configure Google Directory Services as the authentication service the Barracuda Web Security Gateway will use to apply policies to Chromebook users and groups. See How to Configure Google Directory Services for instructions.

As a part of the security measure taken by Google, a new sign-in email alert may be sent to the Google account when configuring Google Directory Services on the Barracuda Web Security Gateway. Until the user confirms their new login in the Google New Sign-In On Windows alert pop-up, the Test button on the Barracuda Web Security Gateway on the USERS/GROUPS > Authentication > New Authentication Service > Google Directory tab displays "Permissions Erro".

 

How to Download and Use the Barracuda Chromebook Security Extension

Step 1. Prepare the Chromebook configuration file using the Barracuda Web Security Gateway.

Start by generating a text file that specifies the Barracuda Web Security Gateway you want your Chromebooks to sync with for security policies. To create the file:

  1. Log into the Barracuda Web Security Gateway web interface as admin and go to the ADVANCED > Remote Filtering page.
  2. In the Client Configuration section, click the Chromebook Extension tab and configure the following:
    1. Set Enable Chromebook Compatibility to Yes. Port 3128 is opened by default when this option is set to Yes.  
    2. Create a shared secret, or password, which is used by the Barracuda Chromebook Security Extension on the Chromebook to communicate with this Barracuda Web Security Gateway. Do not use the  "/"   or  "\"  slash characters in the shared secret. It is important to use a text editor, such as Notepad, that does not add any markup to the text.
       For example:   17$k2Y4!   Enter in the Shared Secret field. Click Save.
    3. Click Create configuration file for Barracuda Chromebook Security Extension as shown below.
      CreateConfigFileLink.jpg

  3. You will see a popup with the required fields to generate the configuration file:

    With the Barracuda Web Security Gateway version 11.0, the fields are as follows:
    1. IP Address - This is the same as the IP Address on the BASIC > IP Configuration page.

      If Chromebooks are to be used outside of the network, you should use a domain name that resolves to the Barracuda Web Security Gateway both within and outside of the network. You may need to set up a DNAT rule on your firewall to forward port 8443 (or any other allowed port, preferably a unique port) traffic to the secure administration port on the Barracuda Web Security Gateway. Once the extension is installed, Chromebook logs and policy are synced and all communication is done via the secure admin port you configure.

    2. Web Interface HTTPS/SSL Port - This is the same as the Web Interface HTTPS/SSLPort setting on the ADVANCED > Secure Administration page.  
    3. Shared Secret - Re-enter the shared secret you created on the ADVANCED > Remote Filtering page. Click Generate.

      ConfigFileDetail.jpg
       
    4. Save the chromebook_config.json file on your local system or network.  

    With the Barracuda Web Security Gateway version 12.x, the fields are as follows: 
    1. IP Address - This is the same as the IP Address on the BASIC > IP Configuration page.

      If Chromebooks are to be used outside of the network, you should use a domain name that resolves to the Barracuda Web Security Gateway both within and outside of the network.

    2. Web Interface HTTPS/SSL Port - This is the same as the Web Interface HTTPS/SSL Port setting on the ADVANCED > Secure Administration page.  
    3. Log Sync Frequency (minutes) - Frequency with which the extension attempts to sync traffic log data with the Barracuda Web Security Gateway. Minimum setting should be 15.
    4. Policy Sync Frequency(minutes) - Frequency with which the extension attempts to fetch and sync policy changes made by the administrator. Minimum setting should be 15.
    5. Request Types to Filter - If you click Select, you will see options you can check for the extension to filter or not filter. For example, not filtering stylesheets or other object types reduces the processing load on the Chromebook.
      SelectFiltering12.x.png

    6. Click Generate to create the configuration file, and save the chromebook_config.json file on your local system or network.
     

Step 2. Configure the Barracuda Chromebook Security Extension in the Google Admin console.

  1. Log into Google Admin console as an administrator and add all managed devices per Google instructions here: Enroll Chrome devices.
  2. Go to Device Management > Chrome Management > App Management and search for Barracuda Chromebook Security Extension.
  3. Click on Barracuda Chromebook Security Extension to configure the extension in the Google Admin console.
  4. Click on User Settings. Modify the settings for: Allow installation, Force installation, and Pin to taskbar based on your setup requirements.

    User_Settings.jpg

  5. Upload the chromebook_config.json file you created in Step 1. above to the Google Admin console. In the User Settings window, under Configure, click UPLOAD CONFIGURATION FILE as shown below. You'll be prompted to select the text file that you created.
    ConfigureFileUpload.jpg
  6. Go to Device Management > Chrome Management > User Settings and scroll down to the Content section and, in the URL Blocking section, add these URLs to the URL Blacklist:  
    chrome://policy  
    chrome://extensions 

    chrome://indexeddb-internals/

    URLBlacklisting_2018.png
  7. Go to Device Management > Chrome Management > User Settings > Apps and Extensions > Allow or Block All Apps and Extensions. Disable options for the user to install extensions by selecting Block all apps and extensions except the ones I allow.
    disablePlugins.jpg
  8. Go to Device Management > Chrome Management > User Settings > User Experience > Developer Tools. Disable options for Developer Mode for users by selecting Never allow use of built-in developer tools.
    disableDevMode.jpg
  9. Go to Device Management > Chrome Management > User Settings > Content > Safe Search and Restricted Mode. Enable Safe Search under Device Management by selecting Always use Safe Search for Google Web Search.
    enableSafeSearch.png
  10. Go to Device Management > Network > General Settings and make sure that Auto-connect is not checked.
    AutoConnectUnchecked.jpg

Step 3. Configure a Secure Administration certificate on the Barracuda Web Security Gateway.

  1. On the Barracuda Web Security Gateway, go to the ADVANCED > Secure Administration page. On this page, you can create or upload an SSL certificate. Click Help on that page to read more about using SSL certificates.
  2. In the SSL Certificate Configuration section, select the Certificate Type as Private(Self-Signed) and fill in the details with the Common Name as the Barracuda Web Security Gateway IP address (or a hostname that resolves to that IP address) , and Key Size as 2048. Click Save.
    8.Private_selfsigned_ssl_cert_creation.png
  3. Reload the page, and then download the Private Root Certificate.
  4. On the Google Admin console, go to Device Management > Network > Certificates. Click Add Certificate and upload the certificate.
  5. Select Use this certificate as an HTTPS certificate authority. Click Save.
    9.Private_root_cert_upload.png

Step 4. Proxy web traffic to the Barracuda Web Security Gateway 

Each SSID that is known to be behind the Barracuda Web Security Gateway that the Barracuda Chromebook Security Extension will connect to needs to be defined in admin.google.com with proxy settings as shown in the following steps. This step prevents inline SSL Inspection Barracuda Web Security Gateway deployments from blocking Chromebooks from authentication with Google on the Chromebook login screen. For proxy deployments or non-SSL Inspection deployments, this step is not necessary, but recommended as it will avoid any deployment related issues in case deployment is switched at some point from proxy deployment to inline.

  1. Log into Google Admin console as an administrator and go to Device Management > Network > Wi-Fi. Select the Wi-Fi network to manage.

  2. Make sure the last row Apply network is per device.
    ApplyNetwork.jpg

  3. Change proxy settings to Manual Proxy Configuration.

  4. Check Use this proxy server for all protocols.

  5. Enter the host IP address or hostname for HTTP proxy host and the Proxy Port configured on the ADVANCED > Proxy page for the Port.


    ProxySettings.jpg

  6. Click Apply.

Set Up Single Sign-on for Active Directory (AD) to Sync With Google Accounts

This setup is optional.
  1. Download the Google Cloud Directory Sync (GCDS) https://support.google.com/a/answer/6120989?hl=en
  2. In the Google Admin console, go to Domains > Add/remove Domains and enter your public domain name into your admin.google.com account.
  3. Follow instructions at https://support.google.com/a/answer/6123891 to configure GCDS to sync your user configuration for LDAP.
  4. Follow instructions at https://support.google.com/a/answer/2611842?hl=en to use G Suite Password Sync (GSPS) to sync user passwords with your LDAP.`

When Using SSL Inspection

If you enable the SSL Inspection feature on the Barracuda Web Security Gateway (set to 'On' on the ADVANCED > SSL Inspection page), be sure to do the following:

  1. Download a client certificate from the Advanced > SSL Inspection page.
  2. On the Google Admin console, go to Device Management > Network > Certificates. Click Add Certificate and upload the certificate.
  3. Select Use this certificate as an HTTPS certificate authority. Click Save.

Next, add the domains listed by Google: Set Up a Hostname Whitelist to the Exempted Domains section of the page. This step prevents inline Barracuda Web Security Gateway deployments from blocking Chromebooks from authentication with Google on the Chromebook login screen.

How to Update the Barracuda Chromebook Security Extension

When there is a new version of the extension available, the user must log out of the Chromebook and log in again to get the latest version. Any time the user logs in, the latest version of the extension is in place.

Last updated on