Healthy, Probation actions | Barracuda Networks VERSION SP4 specification

Fig. 1–2Client-Server actions during connection, health validation and assigning network access

Client connection	Health state change				Server action	Client action
to server	Health state change				Server action	Client action
Client	User
mode
Local
Machine
Client collects and sends
user & system information
to Access Control Service					User Information
					User Information
Matching	Yes	Health condition			Yes
Matching	Yes	matching			Yes
Identity?		matching
Identity?		requirements?
		requirements?
exception		No
No Rule		No
Automatic	No	Already in			Yes
revalidation		probation?
(configurable)
Health state change to	Health state change to			Health state change to		Health state change to
Untrusted	Unhealthy: Probation			Unhealthy: Restricted		Healthy
Access Ctrl Service sends	Access Control Service sends		Access Ctrl Service sends			Access Ctrl Service sends
ACTION Get policy	probation actions			ACTION Activate policy		ACTION Get policy
attributes for Untrusted	to client			attributes for Quarantine		attributes for Healthy
Untrusted policy	Probation actions				Quarantine policy	Healthy policy
attributes requested	Probation actions				attributes activated	attributes requested
attributes requested	executed by client				attributes activated	attributes requested
and activated by client	executed by client				by client	and activated by client
and activated by client					by client	and activated by client
Access according to	Access rights				Restricted access	Full access
configured "Untrusted"	Access rights				to Quarantine	according to
configured "Untrusted"	remain unchanged				to Quarantine	according to
rights profile	remain unchanged				network segment	client profile
rights profile					network segment	client profile

10 Introduction

Image 12

Barracuda Networks VERSION SP4 manual Healthy, Probation actions

Contents

Page Copyright Notice Barracuda NG Network Access Client Update or Migration UninstallVPN Configuration VPN Component Configuration Pre-Connector and Remote VPN Example ConfigurationWarranty and Software License Agreement 802.1X Technical Guideline Endpoint Security and Network Access Control Introduction to Barracuda NG Network Access ClientIntroduction Client software consists of the following subsystems Barracuda NG Personal Firewall What can Barracuda NG Network Access Client be used for? 1Barracuda NG Network Access Client environment Barracuda NG Network Access Client Administrator’s Guide What is a Policy Rule Set? Policy Matching ProcedureHealthy Limited Access VPN Offline Licensing Aspects Barracuda NG Network Access Client Administrator’s Guide Healthy Probation actions Local Machine context Current User contextVPN context Health Matching Matching Criteria Local Machine Current User Health State Untrusted Health State ProbationHealth State Healthy Health State Unhealthy Health State Requirements Border Patrol Analyse Enforce Monitor 3Trust Relationships Server Config Access Control Service Access Control Service SettingsGeneral System Health Validator ParameterDescription Remediation Service Trustzone-Border Advanced Log LevelNumber of used Threads Access Control Objects General Welcome Messages Pictures 3Access Control Objects Access Control Service Bitmaps Personal Firewall Rules Click clipboard, import the adequate registry file Registry Check ObjectsImport of a registry file Access Control Service Trustzone 7Access Control Service Trustzone Configuration tree Servername Assigned Services servicename ACS 9Access Control Service Trustzone Rules Rules Policy Name Deactivate PolicyClient Connection External Ignore Internal Time Restriction Net Bios User LoginPolicy Matching All-of-following One-of-following Group Patterns X509 Issuer MicrosoftX509 Subject X509 Required Health State Basic Antispyware Required Scanner On AS Engine Required Ignore Latest default Previous Last-2 Last AV Scan Action Manual Auto RemediationTries to execute a full system scan automatically Last AS Scan Action Manual Auto Remediation Update automatically AV Engine/Pattern Manual Action Auto Remediation Parameter Description Personal Ruleset Name Firewall Settings Software Yes Update No default Required Yes-Even-MajorServer Message Settings 802.1X UseUse Dhcp renew Healthy Vlan Id Limited Access Ruleset Name Limited Access MessageBitmap Health Passport Verification KeyPassport Verification Key 802.1X Support Chart Server Config Personal Firewall Rules Rule Set Name TabDouble-click the appropriate VPN Firewall Rule Set 1Rules Incoming Rules Incoming / Outgoing New… DeleteCopy Paste Select New… from the context menu to create a new rule Item / Parameter DescriptionComment Inactive Section Description Tester view allows testing rule sets for consistency Tester Following entities are available for rule testing Test Report Options Port Protocol Service Name Description Icmp ParametersConnect to the Internet With Adsl Pptp Preconfigured AdaptersListing is divided into the following columns Following objects assigned with status multi are available Following further adapter objects are available Name Specify a name for the adapter object Trust Type StatusIPs Adapter/Ref User Objects 10User Object dialog Net Objects 11Network Objects window This object includes the Multicast network 239.255.0.0/16 Click New… to open the Net Object dialog 12Net Object dialog Service Objects 13Service Object dialog Service Name Port Protocol Connection Description Application ObjectsKerberos 14Application Object dialog HKEYLOCALMACHINE\Services registry key Application Connection Description Operating & Monitoring Barracuda NG NAC Box Monitoring and Real-time InformationAvailable Columns Possible values are Access, Not Restricted, or Probation FilteringName of the matching policy rule Clients MAC address as reported by the NG client Context Menus Visualize this Computer… Status Tab 3Box Monitoring and Real-time Information Show time in UTC Access Tab Status VPN TabQuarantine Tab Client Installation Double-click setup.exe to start the installation routineInstallation routine offers three basic ways of setup Complete Installation See 5.3 Unattended Setup,See 5.4 Customer Setup, Custom Installation Unattended SetupParameter Default 802.1x Enable Dhcp Renew See description for parameter Trusted Network, See description for parameter Windows File Sharing, This parameter defines the Access Control Server to be used This option prevents deactivating the NG Personal Firewall Customer Setup Proceed as follows to prepare a completely customized setupCustomer.inf See 5.4.1 customer.inf, Optionally, the following file-directives may be detailed Directive Comment 0x00000800 0x000000080x00000010 0x00001000 Reg-root SubkeyValue-entry-name Flags Edit profile name Silent.cmd FilenameDiskid Subdir For an overview of specific properties see -1, System Restore Refer to the OS help for details Update or Migration Uninstall Procedure VPN Configuration OverviewFacts and Figures Function Supported Function Comment Usage Scenario Architecture All Programs Barracuda NG Network Access Client NG Firewall Barracuda NG Personal Firewall Integration within Windows 1Windows 7 Windows Firewall and Action Center screens Rule Set Selection 2Rule set selection User Interface 3Graphical Interface of the Barracuda NG Personal Firewall General Firewall Settings and Tasks Menu Bar Firewall Menu This tab allows you to configure blocking of Icmp packets Disable Windows FirewallAutomatic Adapter Assignment Block all IP Fragments View Menu Connect Close Block Security Mode Menu Load Display NG Control Center Monitoring Firewall Activities Summary Events History 11NG Control Center History window Show Details Resolve Source/Destination IPSend to Rule Tester Add Pass Rule Filters the connection’s Traffic Policy Filters the source IP address of the connectionFilters the application which has attempted to connect Filters incoming or outgoing connections Live Activity Live Activity view details all currently active connections Disconnect Filter Conditions Current State Setting the Security Mode Configuration Show Source Addresses… Show Destination Addresses…Show Adapters Show Users ItemDescription Paste Pastes the selected rules from the clipboard Action Name Comment Inactive checkbox SelectSource / Destination Application optional Monitor Connections Yes 18Time restriction dialog Adapters 19Adapter objects window Network Connection name for example, Local Area Connection Control Network Connections Networks Following options are availableUntrusted Secured Routes are assigned to the Net-NGVPNObject Services 22Net Object dialog Example Applications 24Application Object dialog 10Applications required in Microsoft Windows domains Users 25User Object dialog Rule Tester view allows testing rule sets for consistency Rule Tester Test Reports 27Test Report window Administration Firewall Settings Wizard Following options are available for customisation Automatic Adapter Configuration However, it will not pop up if Automatic Rule Configuration 28Security Alert windows 29Security Alert Advanced Policy Restrictive rule set only VPN Component Configuration Create a New Profile Using the Profile Wizard 2VPN Profile Wizard Profile Wizard 4VPN Profile Wizard Enter personal License Configure a New Profile Manually 6VPN Profile Wizard Modify Existing Profile Using the Wizard 8NG VPN client Connect dialog Field where characters need to be inserted Shows the version information 11Editing options of the VPN client dialog Barracuda NG VPN Client’s Menu Bar 13Close NG VPN Client informational window Connection Dialog Closes the NG VPN Client windowNG VPN Client can be started in the following ways Click Connect to establish a connection to the VPN server Status Dialog Assigned domainAssigned DNS IP address for the VPN connection Assigned Wins address Enable or disable compression Uptime for the current connectionVPN server to which the client currently is connected Local time on the VPN server Message Dialog 16Message dialog window VPN Profiles Configuration Window Configured VPN server to connect toBarracuda Networks Control / Preferences Dialog Name of the profile Certification Authorities Configuration Window Store into which the certificate was savedModify, copy or delete an existing profile Use this menu item to terminate a connection Configure specific Barracuda NG VPN adapter settings here Opens a window with detailed certificate informationDeletes the selected certificate from the certificate store General VPN Settings section Direct Access Connection Entries Tab 19Connection Entries tab Barracuda Authentication Following parameters are available for X509 authentication Advanced Settings Tab DescriptionDescriptionExternal File Path to the external X.509 certificate Virtual Adapter Configuration Default Direct assignmentUse Access Control Service Default Yes Disconnecting. Recommended value No Enable MS LogonFallback Profile Be established User name possibly needed for proxy authentication IP address of the VPN serverURL or IP address of the proxy server Log Window Log entry’s time stamp Module the respective log entry refers to Barracuda NG Access Monitor Access MonitorPort Security Monitoring Health Agent Property Description Advanced Status information State Description 5Connection error using Icmp connectivity checking see Barracuda NG Network Access Client Administrator’s Guide 11.2.6 802.1X Authentication Port Security Task Description Column Description EAP Tracer Access Control Server IPs from Registry Access Control Server IPs from DhcpUse Basic Authentication Use Ntml Authentication Health Agent Connectivity Item Description Key Value Health Agent Authentication 11.3.9 802.1X Settings Ieee 802.1X Authentication Capture 802.1X Traffic EAP Log Settings Log Files16 Log Files Description Client.xml Connect.xmlDownload.xml DownloadLocal.xml Pre-Connector and Remote VPN VPN ConnectorCreate a connector to achieve following Creating a Connector Thereafter rename the default profile Remote VPN rvpn Remote Domain Logon Pre-Logon Connection Procedure Same example with 10 retries for connecting -c Dhcp Example Configuration 1Example configuration environment Introduce Access Control Objects Personal Firewall Rule Set Introduce an Access Control Service Trustzone Next create and edit the unrestricted rule setPage Configure an Access Control Service Trustzone Policy Rule dialog is split up into these views Barracuda NG Network Access Client Administrator’s Guide Parameter Value Page Example Configuration Configure Forwarding Firewall Rule Set Example Configuration Switch Authentication Server802.1X Technical Guideline Client computer Access Control Server Disabled EnabledStatus Monitoring EAP Packet Tracer Using the Barracuda NG Access Monitor for Analysis Command DescriptionLog Files on the Client Computer Supplicant console interface Switch Web Interface These values are described in more details onKey Logging Path See 14.3.9 Periodic client re-authentication by the switch, See 14.3.11 Authentication Message Exchange, Authentication Switch Console InterfaceExample enabling debug output Ethernet Operational Sequence Start upToken Ring Point-to-Point Service Friendly Name Service Name WZO prior to Windows VistaDot3svc Windows Vista Wpa-supplicant configuration To resolve this problem proceed following steps RuntimeYou will require elevated privileges to perform this step Successful start of the wpa-supplicant can be verified by Enter global configuration mode Return to privileged Exec modeVerify your entries Re-authentication started by the switch is illustrated Example Command Enter the global configuration modeSee for the Eapol packet frames Condition Description Return to the privileged Exec mode Dhcp Renew Resetting the 802.1X Authentication process Shutdown 14 phions.log Output15 phions.log Output Addendum PacketsWPA Supplicant Log File Identifiers Table shows an Eapol packet frame 200 802.1X Technical Guideline Sending / receiving commands over pipe 202 802.1X Technical Guideline Known Issues using Cisco Catalyst 3750-E Switch WiresharkEngineering Environment Additionally following tools have been used for analysis No aaa accounting dot1x default group radius Customer Install Files Appendix Appendix Barracuda NG Network Access Client Administrator’s Guide Appendix VPN Profile Registry Keys VPN Profile Registry Keys 3DES AES FAQs Profile Registry Keys Appendix Configuration Parameters 214 Reconnect immidiately 10 X509 Altnames 2 X509 Issuer 2 X509 Subject 2 Introduction Server Config Access Control Service 15.6 Parameter Lists Barracuda NG Access Monitor Figures 220 802.1X Technical Guideline Barracuda Networks Limited Hardware Warranty Barracuda Networks Software License Agreement Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Software License Agreement Appendix Page Page No Warranty Terms and Conditions Page Page Page Page Limitation of Liability Page Page Page 238 Page Page Page Page Disclaimer of Warranty Miscellaneous Page Limits Terms and Conditions for USE, REPRODUCTION, and Distribution Page Page Page Page 252 Page Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Barracuda Networks Warranty and Software License Agreement Page Page Issue Date Aug 6 262 Page 264