We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How to Configure SSL Inspection Version 12 and Above

  • Last updated on

This article applies to the Barracuda Web Security Gateway 310 and higher running version 12.0 and above. For background information, see Using SSL Inspection With the Barracuda Web Security Gateway. If you are using Google Chrome browser, see How to Configure SSL Inspection for Google Chrome Browser to prevent certificate errors users might encounter.

IMPORTANT: If you want to use SSL Inspection with Google consumer apps, see G Suite Control Over HTTPS.

Use the Barracuda Web Security Gateway as a secure intermediary between HTTPS requests and destination web servers to apply granular control to applications and sub applications you want to block or allow. If you only need to block domains and content categories, then you can use the HTTPS Filtering feature instead. See HTTPS Filtering With the Barracuda Web Security Gateway.

Configure SSL Inspection for Barracuda Web Security Gateway 310

The Barracuda Web Security Gateway 310 Vx virtual machine does NOT support SSL Inspection.

  1. Log in to the Barracuda Web Security Gateway web interface, and go to the BLOCK/ACCEPT > Configuration page.
  2. Set Enable SSL Inspection to Yes.
  3. Select whether to use the default Barracuda root certificate or create your own self-signed certificate. Barracuda recommends creating your own self-signed certificate. To create one,  click Create Certificate and follow instructions.

    410SSlGenerateCert.jpg
  4. Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.

    As an administrator you may have methods of pushing the certificate to managed remote devices. For unmanaged devices, you may want to enable users to install the certificate in their browsers themselves. In this case you will need to provide them access to the certificate file. You can do so by emailing the certificate, or posting it on an internal network share, or posting it on a public or private web server.

  5. Install the certificate file in all client browsers. If you want to enable users to install the certificate in their browsers, see the note above.

Configure SSL Inspection for Barracuda Web Security Gateway 410 and higher

  1. Log in to the Barracuda Web Security Gateway web interface, and go to the ADVANCED > SSL Inspection page.
  2. Set SSL Inspection to ON.
  3. Select whether to use the default Barracuda root certificate or create your own self-signed certificate; Barracuda recommends creating your own self-signed certificate. To create one,  click Create Root Certificate under Available Certificates and follow instructions in the wizard. If you are deploying multiple Barracuda Web Security Gateways, you can upload a root certificate from one Barracuda Web Security Gateway to the others in the cluster. Use Upload Certificate to install the certificate.

    SSLCertsTable12.png

  4. Click the Download button in the table under Client Certificate for the certificate you want to install on clients and save the file to your trusted root certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.
  5. Install the certificate file in all client browsers. If you want to enable users to install the certificate in their browsers, set Enable Browser Certificate Download to Yes. To require users to authenticate before downloading the certificate, set Enable Browser Certificate Download to Yes.
  6. In most use cases, no further configuration is necessary for the Barracuda Web Security Gateway to SSL inspect sites and applications you specify on the BLOCK/ACCEPT > Web App Control page and the BLOCK/ACCEPT > Web App Monitor page. However, you can also choose to enter specific domains to exempt from SSL Inspection, and/or specific users, domains, networks or content filter categories to SSL inspect.

    You only need to specify specific domains or categories in the Domains or Content Filter Categories sections of the ADVANCED > SSL Inspection page if

    you need to SSL inspect web traffic for a domain that is not associated with any applications on the BLOCK/ACCEPT > Web App Control page.

  7. Optional: configure specific application of or exemption from SSL Inspection. Click Help on the ADVANCED > SSL Inspection page for more configuration details.

    • Inspected Domains – Enter domain names that you want inspected and filtered at the URL level. You only need to specify domains to inspect if you want to show entire URLs in reports on web requests. 

    • Content Filter Categories – Using the check boxes in the Categories List, you can add or remove content filter categories to/from the list of categories that you want to be inspected. 

    • Inspected Users/Groups If you want to add specific domains to inspect, you must first choose one or more users or groups (e.g. All Users, Authenticated Users, etc.) for which you want to apply SSL Inspection. Note that If you choose Unauthenticated Users, SSL Inspection will not be applied to Barracuda WSA clients, as they are always authenticated with the Barracuda Web Security Gateway. Additionally, if you select an LDAP group, any Barracuda WSA users not in that group will not be subject to SSL Inspection.
    • Inspected Networks – Enter the IP address and Netmask in the table for any network(s) for which you want to ssl inspect traffic. 
    • Exempt Domains – Optionally add any domains you want to bypass SSL Inspection. For example, if you have enabled any of the Safe Search categories in the Safe Browsing section of the BLOCK/ACCEPT > Content Filter page, you might want to exempt one or more domains from Safe Search.

SSL Inspection Modes by Model

Table 1.

 MODEL COMPARISON

310

410

410 Vx

610

610 Vx

810

910

1010 / 1011

Remote Filtering Tab (WSA)-XXXXXXX
Safe SearchX(1)XXXXXXX
Web Application Control-XXXXXXX
Web Application Monitoring-X XXXXX

(1) Available with version 10.0 and above

The Barracuda Web Security Gateway 310 Vx does NOT support SSL Inspection, and the 610 Vx supports only Proxy Mode inspection, including adding domains and categories.

Using SSL Inspection With the Barracuda Web Security Agent

If you have remote users with Macs or Windows laptops outside the network running the Barracuda Web Security Agent (WSA) with the Barracuda Web Security Gateway, you can configure the Barracuda Web Security Gateway to SSL Inspect HTTPS traffic. See SSL Inspection With the Barracuda Web Security Agent.

Last updated on