
Barracuda NextGen Firewall F-Series

Microsoft Azure - NGF0501

Lab Guide

Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018 | Revision 1.0

campus.barracuda.com | campus@barracuda.com
© Barracuda Networks Inc., April 24, 2018. The information contained within this document is confidential
and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized
or used for other than internal documentary purposes without the written consent of an official representative of
Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes
no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change,
modify, transfer, or otherwise revise this publication without notice.
Lab Guide | Barracuda NextGen Firewall F Microsoft Azure - NGF0501 | 3

Lab Description
Task 1. The Firewall Engine
After a long PoC phase, the company has decided to move its resources into the cloud. Microsoft’s cloud solution has been
chosen to be the future host of all company services. With a partner, the CTO has outlined the basic network concept,
which, in phase one, is one VNET with three subnets. The first subnet is connected to a dynamic public IP and serves as the
front end to the other two subnets. The front end subnet accepts all traffic from the outside via a public IP assigned to the
firewall. The other two internal subnets host a web server and a terminal / Windows server. All the traffic of these subnets
needs to be routed through the firewall, regardless of whether it is inbound or outbound traffic.
The partner who created the PoC also offered a template for easier deployment. This template now needs to be verified
and adapted to the topology plan and network requirements the CTO, CSO, and IT administrator have created.
• The firewall needs to be prepared for a future high availability setup.
• All outgoing traffic needs to be routed through the firewall.
• Inbound traffic must be terminated on the firewall.
• Time synchronization must be guaranteed throughout the network.
• A website should be served by the internal web server and reachable from the Internet.
• The terminal / Windows server should be reachable via RDP from the Internet.
• The terminal / Windows server itself, and all its users, should get access to the Internet.

Task 2. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch
Microsoft’s Security Center, in combination with the collected data on the firewall, is reporting a growing number of
attacks on the publicly available resources. This has forced the IT administrator to take the services offline. But because
of the importance of the services, the CTO has decided to put them back online, even though they are not sufficiently
patched. The IT administrator and the CSO decided to protect the resources via an SSL VPN solution. Therefore, an SSL VPN
solution with the companion application CudaLaunch needs to be configured and rolled out to the clients.

Task 3. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access
Security guidelines and best practices always highlight that a management interface must be protected from intruders.
Therefore, direct access from an untrusted network to the management interface should be prohibited. To resolve this
design flaw, only access via a client-to-site VPN or the terminal / Windows server should be allowed. Without adding additional
services into the cloud environment, the Barracuda CA is the perfect fit to authenticate against the VPN service and grant
access to the management interface.
To protect access to the public IP / DNS name even further, the CSO has decided to use the Network Security Groups
feature. It should block all incoming traffic except SSL VPN and VPN traffic, and allow all outgoing traffic created by
the clients inside the VNET.

Task 4. Improve IOPS Performance

Increased demand on an environment is a sign that a project has been successful. However, the IT administrator has been
getting reports that connections are sometimes dropped or get stalled. These situations resolve themselves within time,
but the admin fears that the number of such issues can increase down the road. There are already some ideas on the table
as to why these issues occur. The IT team strongly believes that the IOPS limit of the virtual machine size is the reason. It is
therefore necessary to reduce the IOPS the firewall generates and increase the number of available IOPS without downtime.

Lab Outline

The lab outline demonstrates one of several possible solutions based on the lab description above.
Therefore, use it only as a guide, not as the only solution of the lab description.

Note: Use objects and inheritance of configuration values wherever possible.

Task 1. The Firewall Engine

This lab helps you to understand the pre-deployed virtual network in Azure. After understanding the traffic flow within the
network, the pre-deployed firewall gets configured to allow access to specific resources.

Step 1. Verify the Pre-Deployed Setup

Log into Azure.
1. Access the Azure Portal at https://portal.azure.com using a pre-installed browser.
2. Log in with the credentials provided in the topology diagram:
• User: cudauser@universitybarracuda.onmicrosoft.com
• Password: <use provided credentials>

Check your preconfigured Azure topology.

1. In the left navigation pane, click Resource groups.
2. Select the Resource group assigned by your instructor and verify that all settings from your network
topology plan are correct.
• Virtual Network: vNnet-X-Y
• Virtual Network > Subnets: ngnet, webnet, tsnet
• Virtual machine > Network interfaces: NAME, PRIVATE IP ADDRESS
• Network interface > IP configurations: PRIVATE IP ADDRESS (Static)
• Network interface > IP configurations: IP forwarding > Enabled
• Route Table > Routes: Address Prefix: 0.0.0.0/0 NEXT HOP: NGFW-IP
• Route Table > Subnets: webnet
• Network security group: Inbound/Outbound security rules predefined by Azure
• Public IP Address: DNS Name (External access: dnsname.region.cloudapp.azure.com)
• Availability set > Virtual machines: NG-AS
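The checklist above comes down to a few invariants: the firewall NIC holds a static address in ngnet and has IP forwarding enabled, and every internal subnet is associated with a route table whose 0.0.0.0/0 entry points at the firewall IP. The following Python is an added example written for this guide, not Barracuda or Microsoft code; it encodes those invariants and runs them against a constructed description of the lab topology. The NIC and route table names, and the assumption that tsnet must be covered by the route table as well as webnet (the lab description says all internal traffic must pass the firewall), are this example's own.

```python
"""Pre-deployment sanity check for the lab VNET (added example).

Models the resources listed in the portal checklist and reports anything
that would let a subnet bypass the firewall. The topology below is a
constructed description using the lab values; nothing is read from Azure.
"""
import ipaddress

FIREWALL_IP = "10.8.1.4"
FRONTEND_SUBNET = "ngnet"

# Constructed description of what the portal checklist shows (names assumed).
TOPOLOGY = {
    "subnets": {
        "ngnet": "10.8.1.0/24",
        "webnet": "10.8.2.0/24",
        "tsnet": "10.8.3.0/24",
    },
    "nics": [
        {"name": "NGFW-nic", "private_ip": "10.8.1.4", "allocation": "Static", "ip_forwarding": True},
        {"name": "WEB-nic", "private_ip": "10.8.2.4", "allocation": "Static", "ip_forwarding": False},
        {"name": "TS-nic", "private_ip": "10.8.3.4", "allocation": "Static", "ip_forwarding": False},
    ],
    "route_tables": [
        {
            "name": "rt-internal",
            "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance", "next_hop": "10.8.1.4"}],
            "subnets": ["webnet", "tsnet"],
        }
    ],
}


def subnet_of(ip, subnets):
    """Return the name of the subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def check_topology(topo):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    subnets = topo["subnets"]

    # The firewall NIC must accept packets not addressed to itself.
    fw_nics = [n for n in topo["nics"] if n["private_ip"] == FIREWALL_IP]
    if not fw_nics:
        findings.append(f"no NIC carries the firewall IP {FIREWALL_IP}")
    for nic in fw_nics:
        if not nic["ip_forwarding"]:
            findings.append(f"{nic['name']}: IP forwarding disabled on the firewall NIC")
    if subnet_of(FIREWALL_IP, subnets) != FRONTEND_SUBNET:
        findings.append(f"firewall IP {FIREWALL_IP} is not inside {FRONTEND_SUBNET}")

    # Routes reference the firewall by address, so no address may be dynamic.
    for nic in topo["nics"]:
        if nic["allocation"] != "Static":
            findings.append(f"{nic['name']}: private IP is {nic['allocation']}, expected Static")

    # Every internal subnet needs a UDR whose default route is the firewall.
    covered = set()
    for rt in topo["route_tables"]:
        defaults = [r for r in rt["routes"] if r["prefix"] == "0.0.0.0/0"]
        via_firewall = any(r["next_hop_type"] == "VirtualAppliance" and r["next_hop"] == FIREWALL_IP
                           for r in defaults)
        if not via_firewall:
            findings.append(f"{rt['name']}: default route does not point at {FIREWALL_IP}")
            continue
        covered.update(rt["subnets"])
    for name in subnets:
        if name != FRONTEND_SUBNET and name not in covered:
            findings.append(f"{name}: no route table sends 0.0.0.0/0 via the firewall")
    return findings


if __name__ == "__main__":
    problems = check_topology(TOPOLOGY)
    print("OK" if not problems else "\n".join(problems))
```

The check deliberately treats a subnet without a route table as a finding rather than a warning: Azure's system route for 0.0.0.0/0 would otherwise hand that subnet's Internet traffic straight to the platform, skipping the firewall entirely.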

Connect to the NextGen Firewall F - Welcome page.

1. Go to Resource Group > NGFW - Virtual Machine > Properties > Public IP Address / DNS Name Label > Overview >
Essentials and copy the DNS name.
2. Start a new tab in your web browser and paste the DNS name (External access).
3. You should now see the NextGen Firewall F - Welcome page.
4. Download and install “NextGenAdmin.exe”.

Connect to your firewall.

1. Launch NextGen Admin.
2. Select Firewall and enter the DNS name (External access) for your NGF (dnsname.region.cloudapp.azure.com).
3. Enter your login credentials:
• Username: root
• Password: <use provided credentials>
4. When the Authentication Check window opens, select Trust Key.
5. Click Sign In.
6. In NextGen Admin, the Dashboard tab is selected by default.

Step 2. Basic Network Configuration

Deactivate the preconfigured DHCP interface and configure it as an interface with a static IP.
1. Go to Configuration Tree > Network > xDSL/DHCP/ISDN.
2. Click Lock.
3. In the DHCP Client Setup section, set DHCP Enabled to no.
4. In the left navigation pane, click IP Configuration.
5. In the Management IP and Network section, adjust the management interface to use a static IP address.
• Set the check box next to Interface Name labeled Other to active. You can now enter a custom value into the
Interface Name field.
• Interface Name: eth0
• Management IP: 10.8.1.4
• Associated Netmask: 24-Bit
• Responds to Ping: yes
• Use for NTPd: yes

Configure the default route.

1. Change to the Routing configuration by clicking Routing in the left navigation pane.
2. Click the + sign above the IPv4 Routing Table to add the default route. Specify the following values:
• Name: default
• Target Network Address: 0.0.0.0/0
• Gateway: 10.8.1.1
• Trust Level: Unclassified

Activate your changes.

1. Click Send Changes and Activate.
2. Go to Control > Box > Network and click Activate new network configuration > Failsafe.

Define the DNS Server IP as 8.8.8.8 and check the Time Settings.
1. Go to Configuration > Box > Administrative Settings.
2. In the left navigation pane, expand Configuration and click DNS Settings.
3. In the Basic DNS Settings section, add 8.8.8.8 as a new entry to the DNS Server IP table.
4. In the left navigation pane, click Time Settings/NTP.
5. In the Time Settings section, choose your local time zone.
6. In the NTP Settings section, set the following parameters:
• NTP sync on Startup: yes
• Time Server IP: time.windows.com
• Start NTPd: yes

Step 3. Configure the Firewall Engine

Create a network object for every subnet within the VNET and a VNET object grouping all subnet objects.
1. Go to Configuration > Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW >
Forwarding Rules > Networks.
2. Click Lock.
3. Click the + sign in the top-right corner of the screen to open the Edit/Create Network Object window.
4. Create the following objects:
• Name: ngnet
• Include Entries: 10.8.1.0/24
• Type: Single Network Address

• Name: webnet
• Include Entries: 10.8.2.0/24
• Type: Single Network Address

• Name: tsnet
• Include Entries: 10.8.3.0/24
• Type: Single Network Address

• Name: NG00
• Include Entries: 10.8.1.4
• Type: Single IP Address

• Name: Webserver
• Include Entries: 10.8.2.4
• Type: Single IP Address

• Name: Terminalserver
• Include Entries: 10.8.3.4
• Type: Single IP Address
5. Click Send Changes and Activate.

Allow HTTP/HTTPS traffic directly to the web server.

Note: Do not allow the entire Internet to access the web server because this could lead to major security
issues in the environment.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Create a rule allowing HTTP/HTTPS traffic from the Internet to the web server over the firewall.
• Name: internet-2-webserver-http-s
• Action: Dst NAT
• Source: Internet
• Service: HTTP+S
• Destination: All Firewall IPs
• Redirection: Webserver (set the Reference check box to active)
• Connection Method: Original Source IP
3. Move it to the appropriate position in the ruleset.
4. Click Send Changes and Activate.

Allow RDP traffic directly to the terminal server.

Note: Do not allow the entire Internet to access the terminal server because this could lead to major security
issues in the environment.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Create a rule allowing RDP traffic from the Internet to the terminal server over the firewall.
• Name: internet-2-terminalserver-rdp
• Action: Dst NAT
• Source: Internet
• Service: RDP
• Destination: All Firewall IPs
• Redirection: Terminalserver (set the Reference check box to active)
• Connection Method: Original Source IP
3. Move it to the appropriate position in the ruleset.
4. Click Send Changes and Activate.

Deactivate all unnecessary rules.

1. Right-click all the preconfigured rules not needed for the setup and click Deactivate Rule.

Test the connectivity and enforcement of the access rules.

1. Open a web browser and verify that you can connect to the web server through
https://[dnsname.region.cloudapp.azure.com]
2. Open an RDP connection to the terminal server using the DNS name (External access).
3. Disable “Enhanced internet security” in the terminal server: Start > Server Manager > Local Server > Properties >
Internet Explorer Enhanced Security Configuration > Administrators/Users > OFF.

Create appropriate access rules to allow the terminal server access to the Internet.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Click Lock and the + sign to add a new rule:
• Name: Terminalserver-2-Internet
• Action: Pass
• Source: Terminalserver
• Service: Any
• Destination: Internet
• Connection Method: Dynamic NAT
3. Click Send Changes and Activate.

Test connectivity and accessibility.

1. Open the RDP connection to the terminal server and launch Internet Explorer.
2. Go to http://www.barracuda.com
3. In NextGen Admin, monitor your session on the Firewall > Live and Firewall > History pages.

Task 2. Secure Access to Your Virtual Network via SSL VPN and CudaLaunch
Not every resource in the VNET must be shared with everyone on the Internet. SSL VPN and CudaLaunch allow you to get
access to resources inside the network without giving public access to these services.

Step 1. Configure the SSL VPN Service

Connect to your firewall.
1. Launch NextGen Admin.
2. Select Firewall and enter the DNS name (External access) for your NGF (dnsname.region.cloudapp.azure.com).
3. Enter your login credentials:
• Username: root
• Password: <use provided credentials>

Free up port 443 for the SSL VPN service.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Settings.
2. Click Lock.
3. Click Click here for Server Settings.
4. Change Use port 443 to NO.
5. Click OK.
6. Click Send Changes and Activate.

Create the user for the SSL VPN within NGF Local Authentication.
1. Go to Configuration Tree > Infrastructure Services > Authentication Service > NGF Local Authentication.
2. Create a user.
• NGF Local Scheme: Yes
• Click the + sign.
• Username: <yourname>
• Password: <securepassword>
3. Click Send Changes and Activate.

Configure the SSL VPN default.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN.
2. Activate the SSL VPN service in General Service Settings:
• Enable SSL VPN: Yes
• Enable CudaLaunch: Yes (up to 7.1 only)
3. Add the Listen IPs:
• In the Listen IPs table, click the + sign.
• Listen IP: 127.0.0.9
4. In the left navigation pane, click Authentication & Login.
5. In the User Authentication section, select Authentication Scheme and add NGF Local.
6. Click Send Changes and Activate.

Check the SSL VPN service.

1. Go to Control > Resources.
2. Right-click in the table Resources and select Search for Text.
3. In the Search Window, select Search Text and search for ssl.
4. Double-click on the resource sslvpn-engine.
5. In the Info Dialog Window, check the Listening Sockets:
• Listening Sockets: 127.0.0.9:443

Create the SSL VPN - proxied web app.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN.
2. In the left navigation pane, click Web Apps.
3. Add the web server:
• In the Proxied Web Apps table, click the + sign.
• Name: Webserver
• Web Apps Template: Generic
• Visible Name: Webserver
• Root URL: http://10.8.2.4
• Allowed User Groups: *
4. Click OK
5. Click Send Changes and Activate.

Create the SSL VPN - native app.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > SSL-VPN.
2. In the left navigation pane, click Native Apps.
3. Add the application server:
• In the Native Apps table, click the + sign.
• Name: terminalserver
• Visible Name: Terminalserver
• Application Server Hosts: 10.8.3.4
• Application Protocol: RDP
• Application TCP Port: 3389
• Client Loopback TCP Port: 0
• Allowed User Groups: *
4. Click OK.
5. Click Send Changes and Activate.

Allow HTTPS traffic directly to the SSL VPN service.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > Firewall > Forwarding Rules.
2. Create/Check the rule allowing HTTPS traffic from the Internet to the SSL VPN service.
• Name: SERVICE-VPN-ACCESS
• Action: App-Redirect
• Source: ANY
• Service: HTTPS,NGF-VPN
• Destination: All Firewall IPs
• Redirection: 127.0.0.9
3. Move it to the appropriate position in the ruleset.
4. Click Send Changes and Activate.

Test the connectivity and enforcement of the access rules.

1. Open a web browser and verify that you can connect to the web server
https://[dnsname.region.cloudapp.azure.com]
2. Select Continue to this Website when the certificate error comes up.
3. When the SSL VPN web portal starts, fill in the NGF local username and password and click Log in.

Step 2. CudaLaunch
Install CudaLaunch and test the RDP connection through the SSL VPN tunnel.
1. For Windows, download CudaLaunch from https://login.barracudanetworks.com
For mobile users, open a web browser and verify that you can connect to the web server
https://[DNS name/External access]
• When the SSL VPN web portal starts, fill in the NGF local user login and password.
• On the top left of the page, select the icon Settings > Settings > Downloads > CudaLaunch.
2. Install CudaLaunch and open it.
3. Add the DNS name/External access to connect with the SSL VPN service.
• Enter the hostname of the server you want to connect to: DNS name/External access
4. Click Connect and fill in the NGF local username and password. Then click Log in.
5. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the
required user credentials:
• Username: student
• Password: <Terminalserver_password>
6. Launch NextGen Admin.
7. On the Firewall > Live and Firewall > History pages, monitor your session.

Deactivate the Dst NAT rules from the Internet to internal servers.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules.
2. Select the following rules:
• Name: internet-2-webserver-http-s
• Name: internet-2-terminalserver-rdp
3. Right-click and select Deactivate Rules.
4. Click Send Changes and Activate.
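Why the two Dst NAT rules must go once the SSL VPN rule is in place (and why "move it to the appropriate position" matters in Task 1 Step 3) is easiest to see with a first-match model. The following Python is an added example written for this guide, not Barracuda code: it encodes the network objects and access rules from Task 1 Step 3, the SERVICE-VPN-ACCESS rule from Task 2, and the deactivation step above, then evaluates a few packets before and after the change. The rule order, the TCP/UDP 691 definition of NGF-VPN, and the client address are assumptions of the example.

```python
"""First-match evaluation of the lab forwarding ruleset (added example).

A simplified model, not the product's engine: rules are checked top to
bottom, the first active match decides, and unmatched traffic is dropped.
"""
import ipaddress
from dataclasses import dataclass, replace

FIREWALL_IPS = {"10.8.1.4"}  # what "All Firewall IPs" resolves to in the lab

# Network objects from Task 1 Step 3 and Task 3 (single IPs written as /32).
NETWORKS = {
    "ngnet": ["10.8.1.0/24"],
    "webnet": ["10.8.2.0/24"],
    "tsnet": ["10.8.3.0/24"],
    "NG00": ["10.8.1.4/32"],
    "Webserver": ["10.8.2.4/32"],
    "Terminalserver": ["10.8.3.4/32"],
    "C2S-VPN-MGMT-Network": ["192.168.77.0/24"],
}
# "Internet" is modelled as any address outside the VNET and the VPN client network.
INTERNAL = ["10.8.0.0/16", "192.168.77.0/24"]

# Service objects as (protocol, port) sets. NGF-VPN as TINA on TCP/UDP 691 is
# an assumption of this example; the others are the well-known ports.
SERVICES = {
    "HTTP+S": {("tcp", 80), ("tcp", 443)},
    "HTTPS": {("tcp", 443)},
    "RDP": {("tcp", 3389)},
    "NGF-VPN": {("tcp", 691), ("udp", 691)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # Pass, Dst NAT or App-Redirect
    source: str
    service: str        # service name, comma-separated list, or Any
    destination: str
    redirect: str = ""  # Dst NAT target object or App-Redirect address
    active: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int


def in_object(ip, name):
    """True if ip belongs to the named network object."""
    addr = ipaddress.ip_address(ip)
    if name.lower() == "any":
        return True
    if name == "All Firewall IPs":
        return ip in FIREWALL_IPS
    if name == "Internet":
        return not any(addr in ipaddress.ip_network(n) for n in INTERNAL)
    return any(addr in ipaddress.ip_network(n) for n in NETWORKS[name])


def in_service(pkt, name):
    if name.lower() == "any":
        return True
    return any((pkt.proto, pkt.port) in SERVICES[s] for s in name.split(","))


def evaluate(rules, pkt):
    """Return (rule name, delivered destination) for the first active match,
    or ("<no match>", None) when the firewall would drop the packet."""
    for r in rules:
        if not r.active:
            continue
        if in_object(pkt.src, r.source) and in_object(pkt.dst, r.destination) \
                and in_service(pkt, r.service):
            if r.action == "Dst NAT":
                return r.name, NETWORKS[r.redirect][0].split("/")[0]
            if r.action == "App-Redirect":
                return r.name, r.redirect
            return r.name, pkt.dst
    return "<no match>", None


# Rule order is assumed: the lab only says to move rules to the appropriate
# position. Here the two Dst NAT rules sit above SERVICE-VPN-ACCESS.
RULESET = [
    Rule("internet-2-webserver-http-s", "Dst NAT", "Internet", "HTTP+S", "All Firewall IPs", "Webserver"),
    Rule("internet-2-terminalserver-rdp", "Dst NAT", "Internet", "RDP", "All Firewall IPs", "Terminalserver"),
    Rule("Terminalserver-2-Internet", "Pass", "Terminalserver", "Any", "Internet"),
    Rule("SERVICE-VPN-ACCESS", "App-Redirect", "ANY", "HTTPS,NGF-VPN", "All Firewall IPs", "127.0.0.9"),
]


def deactivate(rules, *names):
    """Copy of the ruleset with the named rules switched off, as in Task 2."""
    return [replace(r, active=False) if r.name in names else r for r in rules]


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    https = Packet(client, "10.8.1.4", "tcp", 443)
    rdp = Packet(client, "10.8.1.4", "tcp", 3389)
    print("Task 1 ruleset:", evaluate(RULESET, https), evaluate(RULESET, rdp))
    hardened = deactivate(RULESET, "internet-2-webserver-http-s", "internet-2-terminalserver-rdp")
    print("after Task 2:  ", evaluate(hardened, https), evaluate(hardened, rdp))
```

With the assumed order, HTTPS to the firewall's public address lands on the web server rule and never reaches the SSL VPN listener; once the Dst NAT rules are deactivated the same packet is redirected to 127.0.0.9, and RDP from the Internet hits nothing and is dropped, which is exactly the state the CudaLaunch test below should confirm.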

With CudaLaunch, check the RDP connection through the SSL VPN tunnel.
1. Open CudaLaunch.
2. Add the DNS name/External access to connect with the SSL VPN service.
• Enter the hostname of the server you want to connect to: DNS name/External access

3. Click Connect and fill in the NGF local username and password and click Log in.
4. At the top, select Apps > Terminal server and open the RDP connection to the terminal server with the
required user credentials:
• Username: student
• Password: <Terminalserver_password>

Task 3. Secure Your Virtual Network Using a Client-to-Site VPN for Management Access
To secure management within the VNET, it is necessary to avoid any direct management connections and to block all
insecure protocols to hosts inside the VNET. This is why a client-to-site VPN should be terminated on the NextGen Firewall
and used as the only way to access the inside of a VNET.

Step 1. Configure Client-to-Site VPN

Connect to the primary Firewall.
1. Launch NextGen Admin.
2. Select Firewall and enter the DNS Name (External access) for your NGF (dnsname.region.cloudapp.azure.com).
3. Enter your login credentials:
• Username: root
• Password: <use provided credentials>

Create the VPN service certificate.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Settings.
2. Click Click here for Server Settings.
3. Create a new Default Key.
4. Create a new certificate by using Ex/Import > New/Edit Certificate.

Create a client network used for the VPN connection.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings > Client Networks.
2. Right-click and open New Client Network.
• Name: C2SMGMTNetwork
• Network Address: 192.168.77.0
• Network Mask: 24
• Gateway: 192.168.77.1
• Type: routed

Create a service key that can be used by the Barracuda VPN CA.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > VPN Settings >
Service Certificate/Keys.
2. Right-click and open New Key.
• Name: ServiceKey
• Key Length: 2048
3. Click Send Changes and Activate.

Create a Barracuda VPN CA template routing traffic into the VNET.

1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > Client to Site >
Barracuda VPN CA > Templates.
2. Right-click and open New Template.
• Name: C2S-MGMT-Template
• DNS: 8.8.8.8
• Domain: cudau.org
• Network Routes: 10.8.0.0/16

Create a personal license to be used with the VPN Client and export it.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > VPN > Client to Site > Barracuda
VPN CA > Pool Licenses.
2. Right-click on the lower field and open New personal license.
• Index: <choose provided one>
• Used by: <yourname>
• Network: C2SMGMTNetwork
• Template: C2S-MGMT-Template
• ENA: no
• VPN always ON: No
• Scheme: ngflocal
• User ID: <yourname>
• VPN-Type: Personal + SSL
• License Type: File
• Server Key: ServiceKey
3. Click Export to File and export it as a *.vpn file.
• VPN Server: <NG00 Public IP>
4. Click Send Changes and Activate.

Note: This file can be directly imported into an already installed VPN Client with all settings provided except the
password. Otherwise, download the VPN client from login.barracudanetworks.com.

Create the user for the personal license within ngflocal.

1. Go to Configuration Tree > Infrastructure Services > Authentication Service > NGF Local Authentication.
2. Create a user matching the name used in the personal license in the field User ID.
• NGF Local Scheme: Yes
• Click the + sign.
• Username: <yourname>
• Password: <securepassword>
3. Click Send Changes and Activate.

Create appropriate access rules to allow VPN clients access to the subnets.
1. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Networks
2. Create a network object for the VPN network
• Name: C2S-VPN-MGMT-Network
• Include Entries: 192.168.77.0/24
• Type: Single IPv4 network
3. Go to Configuration Tree > Virtual Servers > S1 > Assigned Services > NGFW > Forwarding Rules > Access Rules
4. Allow the VPN network access to ngnet
• Name: C2S-MGMT-2-ngnet
• Action: Pass
• Source: C2S-VPN-MGMT-Network
• Service: Any
• Destination: ngnet
• Connection Method: Original Source IP
5. Click Send Changes and Activate

Test connectivity and accessibility.

1. Connect to the firewall hosted in Azure using the exported VPN profile.
2. Test connectivity to the internal IP of your firewall.

Step 2. Network Security Groups

Secure access to the network also with Azure tools.
• Log into Azure.
• Configure the network security group assigned to the primary firewall.
• Allow inbound traffic for HTTP, HTTPS and the TINA protocol.
• Allow any outbound traffic.
• Test connectivity and accessibility.
• Test your connectivity by trying to access your firewall via NextGen Admin directly without connected VPN.
• Verify connectivity to the SSL VPN portal.
• Connect using the VPN Client to get back management access. 
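Azure evaluates a network security group by priority number (lowest first) and the first matching rule decides, with the built-in rules at priorities 65000 and above catching whatever the custom rules did not. The following Python is an added example written for this guide, not Microsoft or Barracuda code; it models that evaluation for the policy in this step, so the expected outcome of the connectivity tests (NextGen Admin without VPN denied, the SSL VPN portal reachable, outbound unaffected) can be checked offline. The rule names and priorities, TINA on TCP/UDP 691, the NextGen Admin management port as TCP 807, and the client address are assumptions of the example.

```python
"""Offline model of the Task 3 network security group (added example).

Simplified Azure semantics: rules sorted by priority, first match wins, the
platform default rules close the list. Service tags are reduced to the lab
VNET address space; the NSG sees the firewall's private IP as destination.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.8.0.0/16")  # lab VNET address space (assumed)
AZURE_LB_PROBE_IP = "168.63.129.16"         # what the AzureLoadBalancer tag resolves to


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int     # lower number is evaluated first
    direction: str    # Inbound or Outbound
    access: str       # Allow or Deny
    protocol: str     # Tcp, Udp or *
    source: str       # service tag, CIDR or *
    destination: str  # service tag, CIDR or *
    dest_ports: str   # "*", "443" or "80-443"


# The rules every NSG carries; they cannot be removed, only preceded.
AZURE_DEFAULT_RULES = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# The lab policy for the firewall NIC: HTTP, HTTPS and TINA inbound, nothing
# else; outbound stays on the defaults. Names, priorities and the 691 port
# for TINA are this example's assumptions.
LAB_RULES = AZURE_DEFAULT_RULES + [
    NsgRule("AllowHttpInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80"),
    NsgRule("AllowHttpsInBound", 110, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    NsgRule("AllowTinaTcpInBound", 120, "Inbound", "Allow", "Tcp", "Internet", "*", "691"),
    NsgRule("AllowTinaUdpInBound", 130, "Inbound", "Allow", "Udp", "Internet", "*", "691"),
]


def in_tag(ip, tag):
    """Resolve a service tag, CIDR or * against an address."""
    addr = ipaddress.ip_address(ip)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return addr in VNET
    if tag == "Internet":
        return addr not in VNET
    if tag == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(tag)


def port_in(port, spec):
    """Match a port against "*", a single port or an inclusive range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules, direction, src, dst, proto, port):
    """Return (rule name, Allow/Deny) of the first rule that matches."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if in_tag(src, r.source) and in_tag(dst, r.destination) and port_in(port, r.dest_ports):
            return r.name, r.access
    return "<none>", "Deny"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    for proto, port in (("Tcp", 443), ("Tcp", 807), ("Tcp", 3389), ("Udp", 691)):
        print(f"inbound {proto}/{port}:", evaluate_nsg(LAB_RULES, "Inbound", client, "10.8.1.4", proto, port))
    print("outbound ts->internet:", evaluate_nsg(LAB_RULES, "Outbound", "10.8.3.4", client, "Tcp", 80))
```

Note that AllowVnetInBound still admits anything originating inside the VNET, so the NSG only shields the firewall's management port from the Internet; the access rules inside the firewall, and the client-to-site VPN from Step 1, remain the control for traffic between subnets.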

Task 4. Improve IOPS Performance

Step 1. Increase maximum IOPS

Adding additional data disks in RAID 0 extends the maximum IOPS count.
• Log into Azure.
• Add additional data disks to the firewall.
• Limit the size of the data disks to 1 GB to save time.
• Create a RAID 0 and move /phion0 onto the created RAID.

Step 2. Decrease generated IOPS

Limit the number of generated IOPS by deactivating some services, but do not weaken the monitoring features too much.
• Log into the firewall.
• Change the log mechanism to not be written to disk, but keep logs in RAM.
• We do not want to lose the logs at all, and in the future Microsoft’s OMS should be able to get logs streamed.
• Turn off statistics for all layers.
• Remove services that are not being actively used.