Lab Guide
campus.barracuda.com | campus@barracuda.com
© Barracuda Networks Inc., April 24, 2018. The information contained within this document is confidential
and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized
or used for other than internal documentary purposes without the written consent of an official representative of
Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes
no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.
Lab Guide | Barracuda NextGen Firewall F Microsoft Azure - NGF0501 | 3
Lab Description
Task 1. The Firewall Engine
After a long PoC phase, the company has decided to move its resources into the cloud. Microsoft’s cloud solution has been
chosen to be the future host of all company services. With a partner, the CTO has outlined the basic network concept,
which, in phase one, is one VNET with three subnets. The first subnet is connected to a dynamic public IP and serves as the
front end to the other two subnets. The front end subnet accepts all traffic from the outside via a public IP assigned to the
firewall. The other two internal subnets host a web server and a terminal / Windows server. All the traffic of these subnets
needs to be routed through the firewall, regardless of whether it is inbound or outbound traffic.
The partner who created the PoC also offered a template for easier deployment. This template now needs to be verified
and adapted to the topology plan and network requirements that the CTO, CSO, and IT administrator have created.
• The firewall needs to be prepared for a future high availability setup.
• All outgoing traffic needs to be routed through the firewall.
• Inbound traffic must be terminated on the firewall.
• Time synchronization must be guaranteed throughout the network.
• A website should be served by the internal web server and reachable from the Internet.
• The terminal / Windows server should be reachable via RDP from the Internet.
• The terminal / Windows server itself, and all its users, should get access to the Internet.
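In Azure, the second and third requirements (all internal traffic leaves and enters through the firewall) are enforced with a user-defined route on the internal subnets rather than on the firewall itself. The following ARM template fragment is an added example, not the partner's template from the lab: it assumes the firewall's internal IP 10.8.1.4 (the NG00 object used later in this guide), a VNET named vnet-company with address space 10.8.0.0/16, and the resource names rt-via-ng00 and webnet.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      // Route table for the internal subnets: every destination, including the rest
      // of the VNET, is handed to the firewall (NG00, 10.8.1.4) as next hop.
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-11-01",
      "name": "rt-via-ng00",
      "location": "[resourceGroup().location]",
      "properties": {
        "disableBgpRoutePropagation": true,
        "routes": [
          {
            "name": "internet-via-firewall",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.8.1.4"
            }
          },
          {
            // Same prefix as the system VNET route; a user-defined route overrides
            // it, so webnet <-> tsnet traffic also passes the firewall.
            // 10.8.0.0/16 is the assumed VNET address space.
            "name": "vnet-via-firewall",
            "properties": {
              "addressPrefix": "10.8.0.0/16",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.8.1.4"
            }
          }
        ]
      }
    },
    {
      // Attach the route table to the web server subnet; tsnet (10.8.3.0/24)
      // gets an identical subnet resource pointing at the same route table.
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-11-01",
      "name": "vnet-company/webnet",
      "dependsOn": [ "[resourceId('Microsoft.Network/routeTables', 'rt-via-ng00')]" ],
      "properties": {
        "addressPrefix": "10.8.2.0/24",
        "routeTable": { "id": "[resourceId('Microsoft.Network/routeTables', 'rt-via-ng00')]" }
      }
    }
  ]
}
```

Azure only delivers routed packets to 10.8.1.4 if IP forwarding is enabled on the firewall's NIC (enableIPForwarding on the Microsoft.Network/networkInterfaces resource); without it, the forwarding rules in Task 1 never see the traffic.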
Task 2. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch
Microsoft’s Security Center, in combination with the collected data on the firewall, is reporting a growing number of
attacks on the publicly available resources. This has forced the IT administrator to take the services offline. But because
of the importance of the services, the CTO has decided to put them back online, even though they are not sufficiently
patched. The IT administrator and the CSO decided to protect the resources via an SSL VPN solution. Therefore, an SSL VPN
solution with the companion application CudaLaunch needs to be configured and rolled out to the clients.
Task 3. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access
Security guidelines and best practices always highlight that a management interface must be protected from intruders.
Therefore, direct access from an untrusted network to the management interface should be prohibited. To resolve this
design flaw, only access via a client-to-site VPN or the terminal / Windows server should be allowed. Without adding additional
services into the cloud environment, the Barracuda CA is the perfect fit to authenticate against the VPN service and grant
access to the management interface.
To protect access to the public IP / DNS name even further, the CSO has decided to use the Network Security Groups
feature. It should block all incoming traffic except SSL VPN and VPN traffic, and allow all outgoing traffic originating from
the clients inside the VNET.
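The NSG the CSO asks for, written as an ARM template fragment. This is an added example, not part of the lab or the partner's template: it assumes the NSG is attached to the front end subnet or the firewall's public-facing NIC, that the SSL VPN portal listens on TCP 443 (the https:// portal URL used in Task 2), and that the client-to-site VPN service listens on TCP and UDP 691 (the Barracuda TINA default, to be checked against the VPN Settings of the lab firewall).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      // Lowest priority number wins. Azure's default AllowVnetInBound rule (65000)
      // still lets the routed internal subnets reach the firewall, because the deny
      // below only covers the Internet service tag.
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "nsg-ng00-frontend",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            // SSL VPN portal and CudaLaunch: HTTPS on the firewall's public IP.
            "name": "allow-sslvpn-in",
            "properties": { "priority": 100, "direction": "Inbound", "access": "Allow",
              "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "443" }
          },
          {
            // Client-to-site VPN (assumed TINA listener on TCP and UDP 691).
            "name": "allow-c2s-vpn-in",
            "properties": { "priority": 110, "direction": "Inbound", "access": "Allow",
              "protocol": "*", "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "691" }
          },
          {
            // Everything else from the Internet, including RDP and plain HTTP,
            // is dropped before it reaches the firewall.
            "name": "deny-internet-in",
            "properties": { "priority": 4000, "direction": "Inbound", "access": "Deny",
              "protocol": "*", "sourceAddressPrefix": "Internet", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "*" }
          },
          {
            // Outgoing traffic created by clients inside the VNET stays allowed.
            "name": "allow-vnet-out",
            "properties": { "priority": 100, "direction": "Outbound", "access": "Allow",
              "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "*" }
          }
        ]
      }
    }
  ]
}
```

NSGs are stateful, so replies to the VPN and SSL VPN sessions need no extra rule; the Task 1 RDP rule on the firewall becomes unreachable from the Internet, which is the intent of this task.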
Lab Outline
Define the DNS Server IP as 8.8.8.8 and check the Time Settings.
1. Go to Configuration > Box > Administrative Settings.
2. In the left navigation pane, expand Configuration and click DNS Settings.
3. In the Basic DNS Settings section, add 8.8.8.8 as a new entry to the DNS Server IP table.
4. In the left navigation pane, click Time Settings/NTP.
5. In the Time Settings section, choose your local time zone.
6. In the NTP Settings section, set the following parameters:
• NTP sync on Startup: yes
• Time Server IP: time.windows.com
• Start NTPd: yes
• Name: webnet
• Include Entries: 10.8.2.0/24
• Type: Single Network Address
• Name: tsnet
• Include Entries: 10.8.3.0/24
• Type: Single Network Address
• Name: NG00
• Include Entries: 10.8.1.4
• Type: Single IP Address
• Name: Webserver
• Include Entries: 10.8.2.4
• Type: Single IP Address
• Name: Terminalserver
• Include Entries: 10.8.3.4
• Type: Single IP Address
• Click Send Changes and Activate
Note: Do not allow the entire Internet to access the web server because this could lead to major security
issues in the environment.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Create a rule allowing HTTP/HTTPS traffic from the Internet to the web server over the firewall.
• Name: internet-2-webserver-http-s
• Action: Dst NAT
• Source: Internet
• Service: HTTP+S
• Destination: All Firewall IPs
• Redirection: Webserver (set the Reference check box to active)
• Connection Method: Original Source IP
3. Move it to the appropriate position in the ruleset.
4. Click Send Changes and Activate.
Note: Do not allow the entire Internet to access the terminal server because this could lead to major security
issues in the environment.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Create a rule allowing RDP traffic from the Internet to the terminal server over the firewall.
• Name: internet-2-terminalserver-rdp
Create appropriate access rules to allow the terminal server access to the Internet.
Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
1. Click Lock and the + sign to add a new rule:
• Name: Terminalserver-2-Internet
• Action: Pass
• Source: Terminalserver
• Service: Any
• Destination: Internet
• Connection Method: Dynamic NAT
2. Click Send Changes and Activate.
Open the RDP connection to the terminal server and launch Internet Explorer.
1. Go to http://www.barracuda.com
2. In NextGen Admin, monitor your session on the Firewall > Live and Firewall > History pages.
Task 2. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch
Not every resource in the VNET must be shared with everyone on the Internet. SSL VPN and CudaLaunch allow you to get
access to resources inside the network without giving public access to these services.
Create the user for the SSL VPN within NGF Local Authentication.
1. Go to Configuration Tree > Infrastructure Services > Authentication Service > NGF Local Authentication.
2. Create a user.
• NGF Local Scheme: Yes
• Click the + sign.
• Username: <yourname>
• Password: <securepassword>
3. Click Send Changes and Activate.
Step 2. CudaLaunch
Install CudaLaunch and test the RDP connection through the SSL VPN tunnel.
1. For Windows, download CudaLaunch from https://login.barracudanetworks.com
• For mobile users, open a web browser and verify that you can connect to the web server at
https://[DNS name/External access]
• When the SSL VPN web portal starts, fill in the NGF local user login and password.
• On the top left of the page, select the icon Settings > Settings > Downloads > CudaLaunch
2. Install CudaLaunch and open it.
3. Add the DNS name/External access to connect with the SSL VPN service.
• Enter the hostname of the server you want to connect to: DNS name/External access
4. Click Connect and fill in the NGF local username and password. Then click Log in.
5. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the
required user credentials:
• Username: student
• Password: <Terminalserver_password>
6. Launch NextGen Admin.
7. On the Firewall > Live and Firewall > History pages, monitor your session.
With CudaLaunch, check the RDP connection through the SSL VPN tunnel.
1. Open CudaLaunch.
2. Add the DNS name/External access to connect with the SSL VPN service.
• Enter the hostname of the server you want to connect to: DNS name/External access
3. Click Connect and fill in the NGF local username and password, then click Log in.
4. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the
required user credentials:
• Username: student
• Password: <Terminalserver_password>
Task 3. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access
To secure management within the VNET, it is necessary to avoid any direct management connections and to block all
insecure protocols to hosts inside the VNET. This is why a client-to-site VPN should be terminated on the NextGen Firewall
and used as the only way to access the inside of a VNET.
Create a service key that can be used by the Barracuda VPN CA.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings >
Service Certificate/Keys
2. Right-click and open New Key
• Name: ServiceKey
• Key Length: 2048
3. Click Send Changes and Activate
Create a personal license to be used with the VPN Client and export it.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > Client to Site > Barracuda
VPN CA > Pool Licenses
2. Right-click on the lower field and open New personal license
• Index: <choose provided one>
• Used by: <yourname>
• Network: C2SMGMTNetwork
• Template: C2S-MGMT-Template
• ENA: no
• VPN always ON: No
• Scheme: ngflocal
• User ID: <yourname>
• VPN-Type: Personal + SSL
• License Type: File
• Server Key: ServiceKey
3. Click Export to File and export it as a *.vpn file
• VPN Server: <NG00 Public IP>
4. Click Send Changes and Activate
Note: This file can be directly imported into an already installed VPN Client with all settings provided except the
password. Otherwise, download the VPN client from login.barracudanetworks.com
Create appropriate access rules to allow VPN clients access to the subnets.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Networks
2. Create a network object for the VPN network
• Name: C2S-VPN-MGMT-Network
• Include Entries: 192.168.77.0/24
• Type: Single IPv4 network
3. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules
4. Allow the VPN network access to ngnet
• Name: C2S-MGMT-2-ngnet
• Action: Pass
• Source: C2S-VPN-MGMT-Network
• Service: Any
• Destination: ngnet
• Connection Method: Original Source IP
5. Click Send Changes and Activate