Page
Copyright Notice
Barracuda NG Network Access Client
Update or Migration
Uninstall
VPN Configuration
VPN Component Configuration
Pre-Connector and Remote VPN
Example Configuration
Warranty and Software License Agreement
802.1X Technical Guideline
Introduction
Endpoint Security and Network Access Control
Introduction to Barracuda NG Network Access Client
Client software consists of the following subsystems
Barracuda NG Personal Firewall
What can Barracuda NG Network Access Client be used for?
1Barracuda NG Network Access Client environment
Barracuda NG Network Access Client Administrator’s Guide
What is a Policy Rule Set?
Policy Matching Procedure
Healthy Limited Access VPN Offline
Licensing Aspects
Barracuda NG Network Access Client Administrator’s Guide
Healthy
Probation actions
VPN context
Local Machine context
Current User context
Health Matching
Matching Criteria Local Machine Current User
Health State Untrusted
Health State Probation
Health State Healthy
Health State Unhealthy
Health State Requirements
Border Patrol
Analyse Enforce Monitor
3Trust Relationships
Server Config Access Control Service
Access Control Service Settings
General
System Health Validator
ParameterDescription
Remediation Service
Trustzone-Border
Number of used Threads
Advanced
Log Level
Access Control Objects
General
Welcome Messages
Pictures
3Access Control Objects Access Control Service Bitmaps
Personal Firewall Rules
Import of a registry file
Click clipboard, import the adequate registry file
Registry Check Objects
Access Control Service Trustzone
7Access Control Service Trustzone Configuration tree
Servername Assigned Services servicename ACS
9Access Control Service Trustzone Rules
Rules
Policy Name
Deactivate Policy
Client Connection External Ignore Internal
Time Restriction
Net Bios
User Login
Policy Matching All-of-following One-of-following
Group Patterns
X509 Issuer
Microsoft
X509 Subject
X509
Required Health State Basic
Antispyware Required Scanner On
AS Engine Required Ignore Latest default Previous Last-2
Last AV Scan Action Manual Auto Remediation
Tries to execute a full system scan automatically
Last AS Scan Action Manual Auto Remediation
Update automatically
AV Engine/Pattern Manual Action Auto Remediation
Parameter Description
Personal Ruleset Name Firewall Settings
Software Yes Update No default Required Yes-Even-Major
Server
Message
Settings
802.1X Use
Use Dhcp renew
Healthy Vlan Id
Bitmap
Limited Access
Ruleset Name Limited Access Message
Health Passport
Verification Key
Passport Verification Key
802.1X
Support Chart
Double-click the appropriate VPN Firewall Rule Set
Server Config Personal Firewall Rules
Rule Set Name Tab
1Rules Incoming
Rules Incoming / Outgoing
New…
Delete
Copy
Paste
Select New… from the context menu to create a new rule
Item / Parameter Description
Comment
Inactive
Section Description
Tester view allows testing rule sets for consistency
Tester
Following entities are available for rule testing
Test Report
Options
Port Protocol Service Name Description
Icmp Parameters
Connect to the Internet
With Adsl Pptp
Preconfigured
Adapters
Listing is divided into the following columns
Following objects assigned with status multi are available
Following further adapter objects are available
Name Specify a name for the adapter object
Trust Type
Status
IPs
Adapter/Ref
User Objects
10User Object dialog
Net Objects
11Network Objects window
This object includes the Multicast network 239.255.0.0/16
Click New… to open the Net Object dialog
12Net Object dialog
Service Objects
13Service Object dialog
Kerberos
Service Name Port Protocol Connection Description
Application Objects
14Application Object dialog
HKEYLOCALMACHINE\Services registry key
Application Connection Description
Available Columns
Operating & Monitoring Barracuda NG NAC
Box Monitoring and Real-time Information
Possible values are Access, Not Restricted, or Probation
Filtering
Name of the matching policy rule
Clients MAC address as reported by the NG client
Context Menus
Visualize this Computer…
Status Tab
3Box Monitoring and Real-time Information Show time in UTC
Quarantine Tab
Access Tab
Status VPN Tab
Installation routine offers three basic ways of setup
Client Installation
Double-click setup.exe to start the installation routine
See 5.4 Customer Setup,
Complete Installation
See 5.3 Unattended Setup,
Custom Installation
Unattended Setup
Parameter Default
802.1x Enable Dhcp Renew
See description for parameter Trusted Network,
See description for parameter Windows File Sharing,
This parameter defines the Access Control Server to be used
This option prevents deactivating the NG Personal Firewall
Customer Setup
Proceed as follows to prepare a completely customized setup
Customer.inf
See 5.4.1 customer.inf,
Optionally, the following file-directives may be detailed
Directive Comment
0x00000800
0x00000008
0x00000010
0x00001000
Reg-root
Subkey
Value-entry-name
Flags
Edit profile name
Silent.cmd
Filename
Diskid
Subdir
For an overview of specific properties see -1,
System Restore
Refer to the OS help for details
Update or Migration
Uninstall
Procedure
Facts and Figures
VPN Configuration
Overview
Function Supported
Function Comment
Usage Scenario
Architecture
All Programs Barracuda NG Network Access Client NG Firewall
Barracuda NG Personal Firewall
Integration within Windows
1Windows 7 Windows Firewall and Action Center screens
Rule Set Selection
2Rule set selection
User Interface
3Graphical Interface of the Barracuda NG Personal Firewall
General Firewall Settings and Tasks Menu Bar
Firewall Menu
This tab allows you to configure blocking of Icmp packets
Disable Windows Firewall
Automatic Adapter Assignment
Block all IP Fragments
View Menu
Connect Close Block
Security Mode Menu
Load Display
NG Control Center Monitoring Firewall Activities
Summary
Events
History
11NG Control Center History window
Show Details
Resolve Source/Destination IP
Send to Rule Tester
Add Pass Rule
Filters the connection’s Traffic Policy
Filters the source IP address of the connection
Filters the application which has attempted to connect
Filters incoming or outgoing connections
Live Activity
Live Activity view details all currently active connections
Disconnect
Filter Conditions
Current State Setting the Security Mode
Configuration
Show Source Addresses…
Show Destination Addresses…
Show Adapters
Show Users
ItemDescription
Paste Pastes the selected rules from the clipboard
Action Name Comment
Inactive checkbox Select
Source / Destination
Application optional
Monitor Connections Yes
18Time restriction dialog
Adapters
19Adapter objects window
Network Connection name for example, Local Area Connection
Control Network Connections
Untrusted
Networks
Following options are available
Secured Routes are assigned to the Net-NGVPNObject
Services
22Net Object dialog
Example
Applications
24Application Object dialog
10Applications required in Microsoft Windows domains
Users
25User Object dialog
Rule Tester view allows testing rule sets for consistency
Rule Tester
Test Reports
27Test Report window
Administration Firewall Settings Wizard
Following options are available for customisation
Automatic Adapter Configuration
However, it will not pop up if
Automatic Rule Configuration
28Security Alert windows
29Security Alert Advanced Policy
Restrictive rule set only
VPN Component Configuration
Create a New Profile Using the Profile Wizard
2VPN Profile Wizard Profile Wizard
4VPN Profile Wizard Enter personal License
Configure a New Profile Manually
6VPN Profile Wizard Modify Existing Profile Using the Wizard
8NG VPN client Connect dialog
Field where characters need to be inserted
Shows the version information
11Editing options of the VPN client dialog
Barracuda NG VPN Client’s Menu Bar
13Close NG VPN Client informational window
NG VPN Client can be started in the following ways
Connection Dialog
Closes the NG VPN Client window
Click Connect to establish a connection to the VPN server
Status Dialog
Assigned domain
Assigned DNS IP address for the VPN connection
Assigned Wins address
Enable or disable compression
Uptime for the current connection
VPN server to which the client currently is connected
Local time on the VPN server
Message Dialog
16Message dialog window
VPN Profiles Configuration Window
Configured VPN server to connect to
Barracuda Networks Control / Preferences Dialog
Name of the profile
Certification Authorities Configuration Window
Store into which the certificate was saved
Modify, copy or delete an existing profile
Use this menu item to terminate a connection
Deletes the selected certificate from the certificate store
Configure specific Barracuda NG VPN adapter settings here
Opens a window with detailed certificate information
General VPN Settings section Direct Access
Connection Entries Tab
19Connection Entries tab
Barracuda Authentication
Following parameters are available for X509 authentication
External File Path to the external X.509 certificate
Advanced Settings Tab
DescriptionDescription
Virtual Adapter Configuration
Default Direct assignment
Use Access Control Service
Default Yes
Disconnecting. Recommended value No
Enable MS Logon
Fallback Profile
Be established
URL or IP address of the proxy server
User name possibly needed for proxy authentication
IP address of the VPN server
Log Window
Log entry’s time stamp
Module the respective log entry refers to
Port Security
Barracuda NG Access Monitor
Access Monitor
Monitoring
Health Agent
Property Description
Advanced Status information
State Description
5Connection error using Icmp connectivity checking see
Barracuda NG Network Access Client Administrator’s Guide
11.2.6 802.1X Authentication Port Security
Task Description
Column Description
EAP Tracer
Access Control Server IPs from Registry
Access Control Server IPs from Dhcp
Use Basic Authentication
Use Ntml Authentication
Health Agent Connectivity
Item Description
Key
Value
Health Agent Authentication
11.3.9 802.1X Settings
Ieee 802.1X Authentication
Capture 802.1X Traffic EAP
16 Log Files Description
Log Settings
Log Files
Client.xml
Connect.xml
Download.xml
DownloadLocal.xml
Create a connector to achieve following
Pre-Connector and Remote VPN
VPN Connector
Creating a Connector
Thereafter rename the default profile
Remote VPN rvpn
Remote Domain Logon Pre-Logon
Connection Procedure
Same example with 10 retries for connecting -c
Dhcp
Example Configuration
1Example configuration environment
Introduce Access Control Objects
Personal Firewall Rule Set
Introduce an Access Control Service Trustzone
Next create and edit the unrestricted rule set
Page
Configure an Access Control Service Trustzone
Policy Rule dialog is split up into these views
Barracuda NG Network Access Client Administrator’s Guide
Parameter Value
Page
Example Configuration
Configure Forwarding Firewall Rule Set
Example Configuration
Switch
Authentication Server
802.1X Technical Guideline
Client computer
Access Control Server
Disabled Enabled
Status Monitoring
EAP Packet Tracer
Using the Barracuda NG Access Monitor for Analysis
Command Description
Log Files on the Client Computer
Supplicant console interface
Switch Web Interface
These values are described in more details on
Key Logging
Path
See 14.3.9 Periodic client re-authentication by the switch,
See 14.3.11 Authentication Message Exchange,
Authentication
Switch Console Interface
Example enabling debug output
Ethernet
Operational Sequence
Start up
Token Ring
Point-to-Point
Dot3svc Windows Vista
Service Friendly Name Service Name
WZO prior to Windows Vista
Wpa-supplicant configuration
To resolve this problem proceed following steps
Runtime
You will require elevated privileges to perform this step
Successful start of the wpa-supplicant can be verified by
Verify your entries
Enter global configuration mode
Return to privileged Exec mode
Re-authentication started by the switch is illustrated
Example
Command
Enter the global configuration mode
See for the Eapol packet frames
Condition Description
Return to the privileged Exec mode
Dhcp Renew
Resetting the 802.1X Authentication process
15 phions.log Output
Shutdown
14 phions.log Output
Addendum
Packets
WPA Supplicant Log File Identifiers
Table shows an Eapol packet frame
200 802.1X Technical Guideline
Sending / receiving commands over pipe
202 802.1X Technical Guideline
Known Issues using Cisco Catalyst 3750-E Switch
Wireshark
Engineering Environment
Additionally following tools have been used for analysis
No aaa accounting dot1x default group radius
Customer Install Files
Appendix
Appendix
Barracuda NG Network Access Client Administrator’s Guide
Appendix
VPN Profile Registry Keys
VPN Profile Registry Keys
3DES AES
FAQs
Profile Registry Keys
Appendix
Configuration Parameters
214
Reconnect immidiately 10
X509 Altnames 2 X509 Issuer 2 X509 Subject 2
Introduction Server Config Access Control Service
15.6 Parameter Lists
Barracuda NG Access Monitor
Figures
220
802.1X Technical Guideline
Barracuda Networks Limited Hardware Warranty
Barracuda Networks Software License Agreement
Barracuda Networks Warranty and Software License Agreement
Page
Barracuda Networks Software License Agreement Appendix
Page
Page
No Warranty
Terms and Conditions
Page
Page
Page
Page
Limitation of Liability
Page
Page
Page
238
Page
Page
Page
Page
Disclaimer of Warranty
Miscellaneous
Page
Limits
Terms and Conditions for USE, REPRODUCTION, and Distribution
Page
Page
Page
Page
252
Page
Page
Barracuda Networks Warranty and Software License Agreement
Page
Barracuda Networks Warranty and Software License Agreement
Page
Barracuda Networks Warranty and Software License Agreement
Page
Page
Issue Date Aug 6 262
Page
264
