We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How can the Customer install the Barracuda Web Security Agent via a GPO when used with web filter?

  • Type: Knowledgebase
  • Date changed: 3 years ago
Solution #00007274

Scope:
This solution applies to the Barracuda Web Filter 410 and above.

Answer:
GPO Installation of Barracuda WSA from the Windows Interface
This article covers installation using a Windows GPO from the Windows interface on Win2K8 server and Win2k3 server.
Note that behavior in the Microsoft Small Business Server (SBS) 2008 breaks the server-client trust relationship when using GPO deployment. The client has to be rejoined to the server, manually. See GPO Installation of the Barracuda WSA With Microsoft SBS 2008 Server for instructions.

Install the Barracuda WSA application on Win2K8 Server

Step 1: Download the MSI Windows Installer Package and create an MST file
1. Log on to the server computer as an administrator.
2. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. Clients to which you want to push the Barracuda WSA must have access to this shared folder.
3. Log in to the Barracuda Web Filter Web interface with the administrator credentials. Navigate to the ADVANCED > Remote Filtering page.
4. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agent section of the page.
5. Save the MSI installer file in the shared folder on the network.
6. Download the open source ORCA tool, a Windows installer package editor which you can use to create a Windows transform file (.mst file). You can download the ORCA tool from: http://www.softpedia.com/progDownload/Orca-Download-79861.html
7. Launch the ORCA tool after download. Click on File -> Open in the dialog window. Select the installer package BarracudaWSASetupshared folder from the shared folder. Click on Open. Once all the database tables are loaded, select New Transform from the Transform menu item. Select the Property table from the left list. Scroll to the bottom of the table, right click and select “Add Row”. Add the following Properties with corresponding values to specify the use of Barracuda Web Filter as a service.
Property:SERVICE_MODEValue:2
Property:USER_MODEValue:0
Property:SERVICE_URLValue:<Barracuda Web Filter IP Address>
Property:SERVICE_PORTValue:8280
8. After adding all the properties, select “Generate Transform” from the Transform menu item. Save this .mst file in the same shared folder which contains the .msi file. Close the ORCA tool window.

Step 2: Deploy the Barracuda WSA through the Active Directory by creating a GPO
1. Create a Container or Organizational Unit. Open the Active Directory Users and Computers window. In the console tree, right-click your domain, and then select New -> Organizational Unit. Provide a name for the container and uncheck the checkbox “Protect container from accidental deletion” so as to be able to delete this container later. If checkbox is marked, it is not possible to delete this container.
In the same Active Directory Users and Computers window, to the Container, add the users and machines for which the policy needs to be applied. OR you can move the users from the USERS account to the container and machine accounts from COMPUTERS account to the container. Moving the users or machines prompts a warning. New domain users and computers can be created in this container.
2. Create a GPO. Click Start, point to Administrative Tools, and then click Group Policy Management. Expand the tree for your domain, select the newly created Container or OU, right-click and select the item “Create a GPO in this domain, and Link it here…”. Provide a name for the GPO and click the OK button to close the window. This GPO will be added to your container and also to the Group Policy Objects list.
3. Now, select this GPO which is present in your container and right-click. Click on Edit to open the Group Policy Management Editor. If you assign this application to a user, it is installed when the user logs on to the computer. If you assign this application to a computer, it is installed when the computer starts.

To assign an application to a computer:
1. In the Group Policy Management Editor, expand “Computer Configuration”, then expand “Policies” and “Software Settings”. Select “Software Installation”, right-click and select New -> Package…
2. In the open dialog box, make sure to type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example:
\\QAWIN2K8DC\msi files\BarracudaWSASetup.msi
3. Click Open. Select the Deployment Method as Advanced and click OK. In the Barracuda Web Security Agent Properties window, Click on the Modifications tab and click the Add button. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the .mst Transform file. For example, \\QAWIN2K8DC\msi files\mysetup.mst and click Open.
4. Click the OK button in the Barracuda Web Security Agent Properties window, and close all open windows.
5. From the command-line window, run the command to force an update of group policy:
C:\Users\Administrator>gpupdate /Force
You should see the following output:
Updating Policy...
User Policy update has completed successfully.
Computer Policy update has completed successfully.

To assign an application to a user:
1. Expand “User Configuration”, and then expand “Policies” and “Software Settings”.
2. Select “Software installation”, right-click and select New -> Package. The rest of the setup for User Configuration is similar to the Computer Configuration as described above, concluding with a forced group policy update.

Step 3: Application Install (both Win2K3 and Win2K8 servers)
1. Start a computer that is joined to the domain for applying the computer-based policy.
2. Log in as the domain user to apply the user-based policy.
3. You should see the Barracuda WSA Monitor icon in the system tray. This indicates that the Barracuda WSA application has been installed. You can also verify this in Add/Remove Programs from the Windows Control Panel.

Install the Barracuda WSA application on Win2K3 Server

Step 1: Download the MSI Windows Installer Package and create an MST
1. Log on to the server computer as an administrator.
2. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute.
3. Log in to the Barracuda Web Filter interface using the administrator credentials. Navigate to the ADVANCED > Remote Filtering page.
4. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agent section of the page.
5. Save the MSI Installer file in the shared folder.
6. Download the open source ORCA tool, a Windows installer package editor which you can use to create a Windows transform file (.mst file). You can download the ORCA tool from:
7. Launch the ORCA tool after download. Click on File -> Open in the dialog window. Select the installer package BarracudaWSASetupshared folder from the shared folder. Click on Open. Once all the database tables are loaded, select New Transform from the Transform menu item. Select the Property table from the left list. Scroll to the bottom of the table, right click and select “Add Row”. Add the following Properties with corresponding values to specify the use of Barracuda Web Filter as a service.
Property:SERVICE_MODE Value:2
Property:USER_MODE Value:0
Property:SERVICE_URL Value:<Barracuda Web Filter IP Address>
Property:SERVICE_PORT Value:8280
8. After adding all the properties, select “Generate Transform” from the Transform menu item. Save this .mst file in the same shared folder which contains the .msi file. Close the ORCA tool window.

Step 2: Deploy the Barracuda WSA application through the Active Directory by creating a GPO
1. Create a Container or Organizational Unit. Open the Active Directory Users and Computers window. In the console tree, right-click your domain, and then select New -> Organizational Unit. Provide a name for the container and Click OK. In the same Active Directory Users and Computers window, to the Container, add the users and machines for which the policy needs to be applied. OR you can move the users from the USERS account to the container and machine accounts from COMPUTERS to the container. Moving the users or machines prompts a warning. New domain users and computers can be created in this container.
2. Create a GPO. Open the Active Directory Users and Computers window, select your domain, right-click and select Properties. In the Properties window, click on the Group Policy tab. Click on New button. Provide a name for this new Policy object. Close the Properties window by clicking on Close button.
3. Link this GPO to the new Container. In the same Active Directory Users and Computers window, select the new container, right-click and choose Properties. In the Properties window, click on the Group Policy tab. Click the Add button. In the window “Add a Group Policy Object Link”, click the All tab. Select the new GPO and Click OK to close the window. Click on Apply and OK to close the Container Properties window. If you assign this application to a user, it is installed when the user logs on to the computer. If you assign this application to a computer, it is installed when the computer starts.
4. Deploy the application.

To assign the application to a computer:
1. Right-click your domain in Active Directory Users and Computers window and select Properties. In the domain Properties window, click on the Group Policy tab. Select the new GPO and click on the Edit button. This opens the Group Policy Object Editor.
2. Expand “Computer Configuration”, and then “Software Settings”. Select “Software installation”, right-click and select New -> Package…
3. In the Open dialog box, make sure you type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\WFDEVDC01\msi files\BarracudaWSASetup.msi Click Open. Select the Deployment Method as Advanced and click OK.
4. In the Barracuda Web Security Agent Properties window, Click on the Modifications tab and click the Add button. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the .mst Transform file. For example, \\WFDEVDC01\msi files\mysetup.mst and click Open. Click the OK button in the Barracuda Web Security Agent Properties window. Close all the open windows.
5. From the command-line window, run the command to force update of group policy.
C:\Documents and Settings\Administrator.WFDEVDC01>gpupdate/Force
Refreshing Policy..
User Policy Refresh has completed.
Computer Policy Refresh has completed.
To check for errors in policy processing, review the event log. Certain user policies are enabled that can only run during login. Certain computer policies are enabled that can only run during startup.
OK to Reboot? (Y/N)
If the server computer is rebooted, it installs the Barracuda WSA on the server machine also.
To assign the application to a user:
Expand “User Configuration”, and then expand “Policies” and “Software Settings”. Select “Software installation”, right-click and select New -> Package… The rest of the setup for User Configuration is similar to Computer Configuration as described above, concluding with a forced group policy update.

Step 3: Application Install (both Win2K3 and Win2K8 servers)
1. Start a computer that is joined to the domain for applying the computer-based policy.
2. Log in as the domain user to apply the user-based policy.
3. You should see the Barracuda WSA Monitor icon in the system tray. This indicates that the Barracuda WSA application has been installed. You can also verify this in Add/Remove Programs from the Windows Control Panel.
Troubleshooting
A common cause of failure is that the user and/or the user’s computer does not have adequate access to the share location. Verify that all access and network privileges have been configured appropriately.
Additional error messages may be found in the Event Log on the domain computer.
If the Event Log has no useful information, consider enabling verbose logging and restarting the computer.
Additional information on fixing Group Policy issues can be found on the Microsoft technet: http://technet.microsoft.com/en-us/library/cc775423.aspx
Link to this article:

Installation using a Windows GPO from the Command Line
The Barracuda WSA can be pushed to a group of remote computers using a GPO from the command line with a batch file. The batch file simply needs to contain one line, indicating the name of the msiexec file that executes the .msi file used to install the application, and any options you specify per the table below. The .msi installer file is downloadable from the ADVANCED > Remote Filtering page on the Barracuda Web Filter.

Step 1: Download the MSI Windows Installer Package and create an MST file
1. Log on to the server computer as an administrator.
2. Create a shared folder on the network where you will put the installer package (.msi file) that you want to distribute. Clients to which you want to push the Barracuda WSA in the Windows domain must have access to this shared folder.
3. Log in to the Barracuda Web Filter interface with the administrator credentials. Navigate to the ADVANCED > Remote Filtering page.
4. Click on the Download/Install link to download the Barracuda WSA MSI installer from the Download Web Security Agent section of the page.
5. Save the MSI installer file in the shared folder on the network.
6. Create a one-line batch file (per the syntax in the example below) and save the file on a network shared folder that is accessible to all remote computers to which you want to push the Barracuda WSA. Include the options and arguments per the table below.
7. Create a GPO container for all users / machines to which you want to push the application.
8. Create a GPO with the Windows GPO editor.
9. In the GPO editor, select either ‘startup’ or ‘shutdown’ to trigger when the GPO installs the application on the remote machine.
10. Add the batch file (script) you saved in the shared folder. The application should then install silently on the remote machine when the user either logs in or shuts down the machine.
Example of the command line to put into the batch file:
BarracudaWSASetup.exe /s /v"/lvemo \setup.log /qn ALLOW_REMOVE=1
EXCEPTIONS=chrome.exe|safari.exe APPLICATIONS=explorer.exe|firefox.exe
BYPASS=11.11.11.0;.myWebfilter.com;192.168. PASSWORD=pass"
This example also writes a log file to the setup directory called setup.log.
Command Line Arguments and Options

Use the following arguments and options to control the configuration of Barracuda WSA.
Arguments:
s runs Setup.exe in silent mode (no dialog boxes).
v passes the /qn (no UI) parameter to the installer, which runs the executable in silent mode.
The following table describes additional options:
Option Description
ALLOW_REMOVE 1 indicates that users are allowed to remove the Barracuda WSA.
0 indicates that users are NOT allowed to remove the Barracuda WSA.
EXCEPTIONS If there are specific applications from which you don’t want to capture any traffic, type them in as a pipe-delimited list.
APPLICATIONS Type a pipe-delimited list of applications that will forward all ports to the Barracuda Web Filter.
BLOCKS Type a pipe-delimited list of applications to block. Example:
BLOCKS=block1.exe | block2.exe
BYPASS Type a semi-colon-delimited list of network addresses that you want to bypass the Barracuda Web Filter, such as trusted internal networks. Guidelines:
Use a * in any octet (except the first) to indicate “any”.
Bypass entries that begin with a dot (.) will include any URL that matches the dot and subsequent string(s). For example, if you use *.example.com as a bypass entry, any URL that ends with .example.com will bypass the proxy.
URL names that begin with a string (and not a dot) must match the string exactly.
PASSWORD Type the password users must know to configure, stop or start the Barracuda WSA.
USER_MODE 0 indicates ordinary operation.
1 indicates silent operation.
SERVICE _URL Type the IP address or hostname of the Barracuda Web Filter, followed by SERVICE_PORT and the port number.
SERVICE_PORT Type the port number of the Barracuda Web Filter, which is
8280 by default. This parameter follows the SERVICE_URL.
Example: SERVICE_URL=myWebFilter.com SERVICE_PORT=8280
SERVICE_MODE 2 indicates that you are using the Barracuda Web Filter.
Example: SERVICE_MODE=2
DISABLE_AUTOMATIC_UPDATES 1 indicates that updates are DISABLED.
0 indicates that updates are ENABLED.
DEFAULT_BEHAVIOR 1 indicates that all application traffic is forwarded to ports 80 and 443 by default.
2 indicates that no application traffic is forwarded by default and you specify only the applications to filter.
3 indicates all applications are blocked by default and only applications you specify for filtering are forwarded.
PROXY_EXCEPTIONS Type a semi-colon-delimited list of network addresses to specify proxy exceptions for internal proxies that should be reachable by Barracuda WSA clients for internal proxying and filtering. Guidelines:
Use a * in any octet (except the first) to indicate “any”. Entries that begin with a dot (.) will include any URL that matches the dot and subsequent string(s). For example, if you use *.example.com as a proxy exception entry, any URL that ends with .example.com will bypass the proxy. URL names that begin with a string (and not a dot) must match the string exactly.
Link to this article:

Link To This Page: