
sslvpn 180 issues

sslvpn mac client

2 replies to this topic

#1 prgsystems account
  • Members
  • 2 posts

Posted 10 December 2013 - 03:36 PM

Hi all. Ok...although my sslvpn is functioning as it should I do have a couple of questions.

 

Hardware: SSLVPN 180

Firmware: 2.3.3.216 (2013-03-13)

 

Logged in to the local admin account.

On the BASIC/Status page, Hourly & Daily stats show nothing. None of these Java apps load. (Java junk)

 

I have tried this on IE8, IE11, Firefox 25.0, Safari v7.0 and Chrome, nothing works so this page is pretty much useless.

 

Anyone else having this issue?? I surely wish Java would go away forever and we go back to some dependable html pages that ALWAYS work. 

 

Also, when it comes to Mac sslvpn client, this just baffles me to no end.

 

I cannot get over the fact that if we log in to download the Mac Client (Network Connector), we know that this DOES NOT WORK!! This is the Barracuda Network Connector for Mac. This is a known problem and has been for some time from what I gather. I spent an hour trying to figure this out and to get it to work before I remembered Tunnelblick from the last time I set this up for another client.

Instead, we have to go out to a 3rd party and download Tunnelblick. Then we can download the Lan-Client.

After that, then all we have to do is jump through a few more hoops to get it to work with Tunnelblick.

Copy cert.crt, ca.crt, client.key, ovpn config etc, rename folder with .tblk extension etc.

 

This just seems wrong, and a roundabout way of doing things.

 

 

Is there a plan to add this into a future release? Would it not be better to be able to download all the required files from the appliance itself instead? Otherwise it takes an Admin to configure everyone's client. Huge waste of time.

 

If I am completely wrong about this, please point me in the right direction.

 

And..one more thing. I was also trying to ADD my SSLVPN into my Cloud Control. Luckily I stumbled upon another post saying this was not yet available for the SSLVPN. Glad I didn't spend too much time on that. Perhaps a post somewhere to say this when the user logs into their account? Just a thought.

 

Tks

Howard
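Added example (not part of the original post and not Barracuda's or Tunnelblick's own tooling): a shell function that scripts the manual steps listed above, copying the OpenVPN config and the ca/cert/key files it references into a folder with the .tblk extension and restricting the private key to its owner. The config name `client.ovpn`, the bundle name `office-vpn` and the function name `build_tblk` are assumptions; the certificate and key names are the ones mentioned in the post.

```shell
#!/bin/sh
# Assemble <name>.tblk from an OpenVPN config and the ca/cert/key files it names.
# Assumes file names without whitespace; prints the bundle path on success.
build_tblk() {
    src=$1; ovpn=$2; name=$3; out=$4
    bundle="$out/$name.tblk"
    [ -f "$src/$ovpn" ] || { echo "missing config: $src/$ovpn" >&2; return 1; }

    # Files referenced by ca/cert/key directives (inline <ca> blocks are ignored).
    refs=$(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$src/$ovpn")
    key=$(awk '$1 == "key" { print $2 }' "$src/$ovpn")

    # Validate before creating anything, so a partial bundle is never left behind.
    for f in $refs; do
        case $f in
            */*) echo "config must use bare file names, got: $f" >&2; return 1 ;;
        esac
        [ -f "$src/$f" ] || { echo "config references missing file: $f" >&2; return 1; }
    done

    mkdir -p "$bundle" || return 1
    cp "$src/$ovpn" "$bundle/" || return 1
    for f in $refs; do
        cp "$src/$f" "$bundle/$f" || return 1
    done

    # The private key and the bundle itself should be readable by the owner only.
    if [ -n "$key" ]; then chmod 600 "$bundle/$key" || return 1; fi
    chmod 700 "$bundle" || return 1
    printf '%s\n' "$bundle"
}

# Constructed demo: dummy files stand in for the appliance downloads.
demo=$(mktemp -d)
printf 'client\nca ca.crt\ncert cert.crt\nkey client.key\n' > "$demo/client.ovpn"
for f in ca.crt cert.crt client.key; do echo "dummy" > "$demo/$f"; done
build_tblk "$demo" client.ovpn office-vpn "$demo/out"
```

Rejecting paths in the config is a choice made by this script so that the bundle stays self-contained; each user should still receive only their own client.key.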

 

 



#2 Chris Dakin
  • Barracuda Team Members
  • 278 posts

Posted 11 December 2013 - 11:56 AM

Hi,

 

1. Hourly and Daily stats. Are these the graphs on the appliance side (port 8000 or 8443)? If so, looking at my test 180 here which I reset this morning to research your issues - the hourly graphs are updating for me (I won't be getting the daily stats until tomorrow).

If you contact me via the support channels I should be able to take a look on the backend of your box and see what's going on. Normally if it's the graphs, then it's a faulty graph API call or a local issue with SNMP.

 

2. Java Apps, nothing working. Can you be a bit more specific please? Which apps are you trying? As you mention IE and Safari, I presume you mean you are having issues on both Windows and OS X? I'm launching apps okay on both (but with a caveat regarding OS X, more later on this).

 

The current Java 7u45 version on Windows has an annoying popup with text in a yellow box that says it's going to stop working soon, but this is a bug in the current version of Java and you can click past this message to launch it.

 

With OS X, if you are using the Apple supplied Java 6 and follow these steps to enable it (as an Apple update disables it): http://support.apple.com/kb/ht5559

then this was working perfectly for me on Mavericks and Mountain Lion.

 

Where I had problems though was with Sun's Java 7u45 which is giving Java Console errors about not being able to write files. I have raised a bug on this and I will get it investigated.

 

Going forward though, the reliance on Java on the client will be reduced over time as we look towards HTML5 methods of application connections.

 

3. Network Connector on OS X. The same Java issue as above applies here, when I had the Apple Java 6 enabled, I was able to download the Barracuda Network Connector client and install the config files and connect ok. (The Barracuda client is the same as Tunnelblick, just a couple of revisions behind.) There are sometimes issues relating to DNS injection and resetting DNS, but these can often be overcome using the up and down scripts depending on what particular issues you have. Again, here it's normally best to contact support and if they are struggling, get them to escalate the issue to SSL VPN Engineering (i.e. me).

 

4. Point taken with Cloud Control, we will be introducing this in 2014 with firmware 3.0.

 

Chris.



#3 Chris Dakin
  • Barracuda Team Members
  • 278 posts

Posted 11 December 2013 - 12:41 PM

Further information for you. OS X does work with Java 1.7, but you have to alter some security settings that Apple apply to the new Java:

---

 

Chrome on Mavericks can't run the Java 1.7 JRE (it's not a native 64-bit application, whereas the Oracle-provided Java 1.7 JRE is 64-bit)

- A workaround is to disable/uninstall the Oracle-provided Java 1.7 JRE and go back to the Apple-provided Java 1.6 - see http://support.apple.com/kb/DL1572 and http://support.apple.com/kb/HT5559

 

Safari 7 on Mavericks can run with Java 1.7 as this is 64-bit

HOWEVER, by default with Java 1.7 it'll break because Java runs in a new, super-secure mode. Can be changed by....

- Loading up your SSL VPN website
- Launch something that needs the launcher (application, NC web launch, SSL tunnel, tunnelled web forward, whatever)
- If this is the first time, a warning will appear. Click the warning and choose to Trust the website
- If you've already done this, you may get to the point where the launcher applet will "hang" while displaying a filename (probably sslexplorer.cer but could be others)
- This is because the Java plugin is running in "safe mode" which blocks access to your filesystem (i.e. can't write to ~/.sslvpn)
- Open Safari preferences, go to the Security tab, click "Manage Website Settings"
- In the plugin list on the left, click Java
- On the website list on the right, for any SSLVPNs that you log into, click the drop down box where it says "Allow" and then select "Allow unsafe mode" (see attached). For support, you can also change the default setting for “other websites” so that all new websites are automatically allowed unsafe mode (so any future VPNs you log into will automatically be allowed filesystem access). Customers shouldn’t be encouraged to do this, as they probably only log into one unit and unsafe mode opens up a security risk for malicious applications.

 

Firefox 25 on Mavericks can run with Java 1.7, you'll get a security prompt the first time you launch an SSL VPN that needs it, but the plugin runs in unsafe mode by default so nothing more is needed, it can already access the filesystem.

 

The RDC client which was provided as part of Microsoft Office for Mac (the 2.x release) hasn't been officially supported since OSX 10.7 and can't connect to recent operating systems such as Windows 8/8.1 due to not supporting recent RDP protocols. There's a new Microsoft RDC client on the App Store for OSX >= 10.6, which I'm currently putting support into the Unified RDP and Mac RDP extensions for. This can connect to anything up to Windows 8.1 no problem (in fact I'm using it right now, where the 2.x failed miserably). It’s fully supported on Mavericks and is more feature complete than the old client; there's the potential that in the future this could bring the Unified/Mac RDP extensions up to match the functionality of the native Windows extension for things like RemoteApp which would be nice for some customers.

 

The 7u45 JRE on OSX has the same errors relating to manifest files as the Windows version. The 2.4 release will come with correctly signed JARs (which is the part we have to do) but when update 51 is released in January, anyone without a valid SSL certificate which is recognised by Java may not be able to run the launcher applet because of the upcoming security restrictions. Customers need to arrange these certs and install them as normal, and will probably need to stop handing out IP addresses for accessing VPNs (I’ve had several customers give me an IP address, but you can’t easily assign an SSL cert to an IP address unless it’s your own PA/PI space, has to be a hostname).