Barracuda Web Security Gateway

How can I filter my VPN traffic with my Barracuda Web Filter when it is configured in inline mode?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00001530

Scope:

Applies to all Barracuda Web Filters that are inline and need to filter VPN traffic, all firmware versions.

Answer:
  • If you have a firewall/VPN tunnel device and the Barracuda Web Filter is inline behind the firewall, the VPN traffic will not be filtered unless you perform the steps below.
  • Create a rule in your firewall blocking all port 80 traffic outbound.
  • Proxy traffic to the Barracuda using one of the following methods: GPO, Proxy PAC, or WPAD. The following link is an example of Proxy PAC: https://techlib.barracuda.com/BWF/ProxyWithPacFile
  • Then create a rule allowing all port 80 and port 443 traffic coming specifically from the Barracuda Web Filter.
  • Turn off the Pass Client IP addresses through WAN port option on the Advanced > Expert page, effectively making the Barracuda the source IP for all outbound packets.
  • Lastly, on Basic > IP Configuration, set Enable proxy on WAN to Yes if routing through the WAN interface of the BWF.
  • In the case of a VPN concentrator, you should probably use the IP of the core switch as the default gateway for all the networks aggregated by that VPN concentrator.
    • Alternatively, you may need to use the IP of the concentrator (or firewall) as the default gateway for all the networks aggregated by that VPN concentrator.
This will allow all of the VPN traffic to be filtered while keeping the Barracuda Web Filter on the internal network.
 
Additional Notes:
There is an option to authenticate remote/mobile users against their LDAP authentication service or local user accounts, so you don't have unauthenticated traffic on the network.
Go to the Users/Groups -> Configuration page and, under the Enable Basic Authentication option, select from the drop-down menu the local users or LDAP alias that you have configured and want your users to be authenticated against.

You need to set the browser to push traffic from your mobile users to the IP address of the web filter on port 3128. Make sure that you have that port set up on the Advanced -> Proxy page under the Proxy port option.

Users should be prompted to enter their credentials every time they open the browser.

If you are using Chromebooks outside the network, you will use the Proxy settings in Google Apps and push the traffic to the web filter.
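
A PAC file for the proxy step in the Answer and the port 3128 setting above, as an added example that is not Barracuda's own file. The address 192.0.2.10 is a placeholder for your web filter's IP and `.corp.example` is a hypothetical internal DNS suffix; only port 3128 comes from this page.

```javascript
// Added example PAC file. WEB_FILTER uses a placeholder address (replace with
// the web filter's IP); 3128 is the Proxy port value named on this page.
var WEB_FILTER = "PROXY 192.0.2.10:3128";

// Hypothetical internal DNS suffixes that clients reach without the filter.
var INTERNAL_SUFFIXES = [".corp.example"];

// True for literal IPv4 addresses in loopback or RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True for unqualified names ("intranet") and names under an internal suffix.
// IPv6 literals contain ":" and are deliberately not treated as plain names.
function isInternalName(host) {
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // The suffix starts with a dot, so "evilcorp.example" does not match.
    if (host.length > s.length && host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPrivateIPv4(host) || isInternalName(host)) return "DIRECT";
  // No "; DIRECT" fallback: a browser that cannot reach the web filter
  // fails closed instead of sending the request out unfiltered.
  return WEB_FILTER;
}
```

Omitting the `DIRECT` fallback matches the firewall rules in the Answer, which only allow outbound web traffic that originates from the web filter.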

