
SSL VPN appliances and Apple computers (Updated for Catalina Developer Preview)


19 replies to this topic

#1 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 22 November 2017 - 10:27 AM

Updated for Catalina (Developer Preview)

 

Network Connector

 

This is a 32-bit application, and (as expected, and documented in this post in 2017) no longer runs on macOS Catalina. A bug is open for this, but because the product is in maintenance mode, it is not clear whether the time required to fix this issue will be available. Users of Network Connector should investigate alternative VPN options; either IPsec on their legacy SSL VPN appliance, or migrating to the newer CloudGen Firewall and using the Barracuda VPN Client to form a TINA connection. TINA is the preferred option as the Firewall is the more future-proof product and TINA offers advantages over both Network Connector and IPsec.

 

Alternatively, if there is no other option, you can use a third-party client called TunnelBlick - documentation on how to do this will follow. 

 

Touch Bar models

 

The issue still remains with Touch Bar models of MacBook Pro, where the SSL VPN Agent cannot run in either the Standalone or web version. This is an unfortunate situation where these models were not shipping at the time we moved the product into maintenance mode, and they fell on the wrong side of that cut-off date. A ticket is open, but this issue is unlikely to be fixed. As above, the migration path is towards the CloudGen Firewall product and CudaLaunch (which is the Firewall equivalent of the SSL VPN Agent, but is NOT reliant on Java and has no issues with the Touch Bar on laptops that have one).

 

-------

Notes for Mojave

 

Java in Safari 12 and above

 

Safari 12 or higher will no longer run the Java plugin. This means that on macOS all browser-based SSL VPN Agent resources are unusable, including (but not limited to)

- Tunnelled Web Forwards

- SSL Tunnels

- Applications such as Remote Desktop

- Agent-based NAC

 

If you rely on this functionality, you must make sure to investigate the Standalone SSL VPN Agent option before you or your users begin to upgrade to Mojave or higher. My testing with the Standalone SSL VPN Agent proved successful, including launching RDP which was often not working in High Sierra.

 

Network Connector

 

Network Connector still has the same caveat as High Sierra - when you make your first Network Connector connection, you will get a warning about the kernel module needing to be approved. You MUST open the Preferences applet and accept this change within 30 minutes, otherwise the operating system removes this option and makes it far more complicated to make the exception, and potentially impossible for end users to do themselves. There is also a warning that Network Connector is a 32-bit application, which is true, but it still works well. The known issue that potentially causes network issues after disconnecting Network Connector still exists, for which there is a workaround on this forum.

 

Since my original post it has been publicised that macOS Mojave is the last version which will support 32-bit applications. This means that Network Connector in its current form will stop working on the next major release of macOS (10.15, name TBA). As this is not a security vulnerability, no commitment has been made thus far to creating a new release of Network Connector.

 

----

Notes for High Sierra or older

 

Java in Safari on High Sierra (10.13)

Safari is the only macOS browser which can still run Java applets. More steps are now needed to allow the plugin to run in Unsafe Mode, in order to allow it to download files. See the post below for more information. This is a new operating system restriction with no automatic fix available from Barracuda.

 

Network Connector on High Sierra (10.13)

The kernel level driver used by Network Connector is now subject to the new kernel security mechanisms in High Sierra (https://developer.apple.com/library/content/technotes/tn2459/_index.html). Network Connector can still be used, however immediately after installing/running it the first time, a security prompt must be manually accepted in System Preferences. See the post below for more information. This is a new operating system restriction with no automatic fix available from Barracuda.

 

SSL VPN Agent on MacBook Pro models with Touch Bar

These are unsupported by the SSL VPN Agent (neither the web Agent, nor the Standalone Agent). There is an issue with the use of a particular Java library and the Touch Bar (this affects other Java-based applications including Eclipse). There is a bug ticket open for this, but as it is not a security vulnerability, this is not being considered for a fix while the product is in maintenance mode.

 

Launching RDP from the SSL VPN Agent

There is an issue with fully updated systems (macOS 10.13.1, Java 8u151) where RDP connections cannot be automatically launched anymore. The SSL Tunnel opens correctly and an RDP connection can still be launched manually, but it appears that the operating system now further sandboxes Java processes such that they cannot launch applications in the user's session; the app has to be launched by the user themselves. A bug ticket is open and this is still under further investigation; potential workarounds include launching the Remote Desktop client manually, or using IPsec/Network Connector to open a traditional network connection.



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 22 November 2017 - 10:31 AM

Network Connector kernel extension

The first time Network Connector is launched, the user will see the following two notifications:

 

[Screenshot: Screen Shot 2017-09-07 at 13.45.08.png]

 

For 30 minutes after this notification is shown, the user is able to allow the kernel extension to load by opening the System Preferences application and opening the Security and Privacy section:

 

[Screenshot: Screen Shot 2017-09-07 at 13.45.18.png]

 

The Tunnelblick kernel extension can then be allowed by pushing the button in the bottom of this dialogue box:

 

[Screenshot: Screen Shot 2017-09-07 at 13.45.21.png]

 

Once this has been done, Network Connector can be re-launched and should connect successfully.



#3 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 22 November 2017 - 10:42 AM

Java in Safari

(Screenshots will be added at a later date)

This is more involved than in previous releases.

 

  • Step one is to open Safari and visit your SSL VPN, then try to launch a resource which requires the SSL VPN Agent to be running. After this, open the Safari preferences window with Cmd-comma, or by using the drop down menu. When the Preferences window is open, go to the Websites tab. Scroll down to the Plugins section and click the Java entry to select it.
  • Under "Currently Open Websites" you should see the hostname of your SSL VPN.
  • Where the "Off" text appears next to this hostname, click it to open the drop down menu and set it to "On"
  • If a notification pops up, click "Trust".
  • Hold down the Alt key on the keyboard, and click the "On" text to open the drop down menu again.
  • This time, as well as the previous On/Off/Ask choices, there should be two extra entries at the bottom of the menu
  • The bottom entry should be "Run in Safe Mode" and is ticked by default. Click this to deselect it.
  • A second notification should show up. Click "Trust" again to confirm that you want the Java applet to be able to download files.
  • Close the preferences window and re-launch the Agent-based resource. It should now launch the SSL VPN Agent successfully.


#4 Weedjhinie Calixte

Weedjhinie Calixte
  • Members
  • 1 posts

Posted 05 December 2017 - 07:49 PM

I believe this is what I've been experiencing an issue with.



#5 Michael Chang

Michael Chang
  • Members
  • 1 posts

Posted 23 January 2018 - 11:05 AM

I cannot install the SSL VPN Standalone Agent on a MacBook Pro with Touch Bar.

 

Is there a fix to this yet? I do not get a greyed-out key icon on my task bar on macOS High Sierra.



#6 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 06 February 2018 - 09:16 AM

Neither the standalone nor the web SSL VPN Agent works on MacBook Pros with Touch Bars at this moment in time. There is an open bug for this, but since the product has been in maintenance mode since before the Touch Bar model was released and this is not a vulnerability, it is not currently planned to be addressed.



#7 john simon

john simon
  • Members
  • 3 posts

Posted 07 March 2018 - 12:28 PM

Gavin, which device are you referring to: "since the product has been in maintenance mode?"

 

We have a model 380 vpn appliance which is still under a service contract, and it appears that you are still selling them on your website.



#8 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 07 March 2018 - 12:33 PM

Hi John, please see the sticky thread at the top of this forum - https://community.ba...intenance-mode/

 

I recommend reading the full thing, but the shortened version is that since November 2016 no new features are to be added to the SSL VPN, only high priority bugfixes and security updates. We recommend investigating the NextGen Firewall F-Series as an alternative for new deployments.



#9 john simon

john simon
  • Members
  • 3 posts

Posted 07 March 2018 - 01:28 PM

I guess it's a difference in understanding the terminology Gavin. To me having the SSL VPN Agent with current gen laptops is not a new feature; it's the fundamental reason the appliance is sold.



#10 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 07 March 2018 - 04:45 PM

Unfortunately the Touch Bar Macbook Pro was not necessarily a current gen product as it wasn't yet shipping at the time the maintenance mode decision and announcement were made - it's unfortunate that the timing fell that way but we did not envisage that a supplemental piece of hardware (rather than a core change to the Macbook Pro hardware) could break existing functionality. The assumption from our side based on the lack of availability of hardware was that it would be fine but we wanted to be clear with customers on all platforms what they could expect regarding future development.

 

You're right in that it's still on the website - this is because the product line is still active in general. Without getting into any detailed company information, I can safely tell you that new sales are down, however renewals are still strong. What we're finding is that (as we implied in the maintenance mode announcement) existing customers are generally happy with the functionality they receive and the workflow their users are used to, therefore are happy to keep renewing subscriptions and having security fixes addressed. We also have an increase in returns figures as people may buy a new box and (again, as expected) find that as a new user experience it's harder to sell.



#11 roger finch

roger finch
  • Members
  • 10 posts

Posted 13 March 2018 - 04:14 AM

Hey

 

Last week all our home users on Macs experienced this:

 

Launching RDP from the SSL VPN Agent

There is an issue with fully updated systems (macOS 10.13.1, Java 8u151) where RDP connections cannot be automatically launched anymore. The SSL Tunnel opens correctly and an RDP connection can still be launched manually, but it appears that the operating system now further sandboxes Java processes such that they cannot launch applications in the user's session, the app has to be launched by the user themselves. A bug ticket is open and this is still under further investigation, potential workarounds include launching the Remote Desktop client manually, or using IPsec/Network Connector to open a traditional network connection.

 

It's been fine up until then.

 

The manual method works, but why has it happened in the first place? Is there going to be a fix?

 

Thanks

 



#12 roger finch

roger finch
  • Members
  • 10 posts

Posted 21 March 2018 - 03:08 AM

Hi

 

Today it's properly broken. We can't use the manual method.

 

We get "Remote Desktop Connection cannot verify the identity of the computer that you want to connect to".

 

Anyone else having issues?



#13 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 27 March 2018 - 07:26 AM

This is a side effect of the way our SSL Tunnels work - the local end of the tunnel is opened on a random port on localhost/127.0.0.1. This then becomes the endpoint of the RDP connection no matter what the hostname is that you're connecting to. Unfortunately this means that the certificate will never fully verify because the hostname never matches. The only workaround would be to do what's already optional on tunnelled web forwards and modify the hosts file when the RDP connection is launched. This wouldn't work without Java, and would require admin rights, so isn't really useful for most customers.

 

So unfortunately there is no workaround for certificate verification issues apart from marking the certificates as manually trusted (I don't remember where the option is, but there should be a checkbox you can tick during the connection process to do this).
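
The post above describes why the RDP client's certificate check fails through an SSL Tunnel: the client is handed 127.0.0.1 and a random port, so the name it verifies is the loopback address, which never appears in the server's certificate. The following is an added example, not Barracuda code, that models only the reference-identity part of TLS verification (RFC 6125 / RFC 2818 name matching, in simplified form) so it runs offline without real certificates. `RDP_SERVER_CERT_SAN`, the `hosts` mappings and the hostnames are constructed placeholders; a real client also checks the chain, expiry and revocation, which this does not model.

```python
"""Model of why a tunnelled RDP connection fails hostname verification and
what a hosts-file alias changes. Added example; names and the SAN are constructed."""
import ipaddress

# Constructed stand-in for the parsed SubjectAltName of the RDP server's certificate.
RDP_SERVER_CERT_SAN = {"dns": ["rdp.example.com", "*.corp.example.com"], "ip": []}

# The SSL Tunnel's local endpoint: always loopback, port chosen at random.
LOCAL_TUNNEL_IP = "127.0.0.1"


def match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, at most one wildcard,
    only as the whole leftmost label, and never matching more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # wildcard must be the leftmost label and must not cover a TLD
    return p_labels[1:] == h_labels[1:]


def verify_reference_identity(san: dict, connect_target: str) -> bool:
    """True if what the client typed (DNS name or IP literal) is in the SAN.
    An IP literal is compared only against iPAddress entries, never dNSName,
    so connecting to 127.0.0.1 can never match a certificate issued for a name."""
    try:
        ip = ipaddress.ip_address(connect_target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in san.get("ip", []))
    return any(match_dns_name(p, connect_target) for p in san.get("dns", []))


def plan_rdp_connection(typed_target: str, hosts: dict, san: dict) -> dict:
    """Where the TCP connection goes and whether the identity check passes.

    `hosts` models the hosts file: a name listed there resolves to the mapped
    address instead of going to DNS. Verification always uses the typed name."""
    target = typed_target.lower()
    tcp_ip = hosts.get(target, target)
    return {
        "tcp_ip": tcp_ip,
        "through_tunnel": tcp_ip == LOCAL_TUNNEL_IP,
        "cert_verified": verify_reference_identity(san, typed_target),
    }


if __name__ == "__main__":
    # 1. What the agent does today: the client is given the loopback endpoint.
    print("loopback:", plan_rdp_connection("127.0.0.1", {}, RDP_SERVER_CERT_SAN))
    # 2. The hosts-file workaround: the real name points at the tunnel endpoint.
    alias = {"rdp.example.com": LOCAL_TUNNEL_IP}
    print("aliased:", plan_rdp_connection("rdp.example.com", alias, RDP_SERVER_CERT_SAN))
    # 3. Typing the real name without an alias verifies, but bypasses the tunnel.
    print("direct:", plan_rdp_connection("rdp.example.com", {}, RDP_SERVER_CERT_SAN))
```

The three scenarios in the `main` block line up with the post: dialling the loopback endpoint can never verify because the certificate carries names, not 127.0.0.1; aliasing the server's name to 127.0.0.1 keeps the traffic in the tunnel and lets the name check pass; and typing the real name without the alias verifies but sends the RDP session straight to DNS rather than through the tunnel. The alias is exactly the hosts-file edit the post says needs admin rights, which is why it is impractical for most end users.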



#14 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 22 June 2018 - 03:42 AM

This morning I did a very quick test of the macOS Mojave Developer Preview...

 

Safari (at least in the Developer Preview) will no longer run the Java plugin. This means that on macOS all browser-based SSL VPN Agent resources are unusable, including (but not limited to)

- Tunnelled Web Forwards

- SSL Tunnels

- Applications such as Remote Desktop

- Agent-based NAC

 

If you rely on this functionality, you must make sure to investigate the Standalone SSL VPN Agent option before you or your users begin to upgrade to Mojave later this year. My testing with the Standalone SSL VPN Agent proved successful, including launching RDP which was often not working in High Sierra.

 

Network Connector still has the same caveat as High Sierra - when you make your first Network Connector connection, you will get a warning about the kernel module needing to be approved. You MUST open the Preferences applet and accept this change within 30 minutes, otherwise the operating system removes this option and makes it far more complicated to make the exception, and potentially impossible for end users to do themselves. There is also a warning that Network Connector is a 32-bit application, which is true, but it still works well. The known issue that potentially causes network issues after disconnecting Network Connector still exists, for which there is a workaround on this forum.



#15 Greg Shaffer

Greg Shaffer
  • Members
  • 2 posts

Posted 23 July 2018 - 12:44 PM

Gavin - can you tell me if we would encounter any of these issues if we purchased an F series device as a replacement?  I searched that forum but did not find anything one way or the other - at least not for the touchbar issue.  We would be very unhappy if we ordered one and it turned out to have the same problems.



#16 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 26 July 2018 - 11:20 AM

The F-series uses a totally different architecture both on the client and server side - so there should be no issues that the two products share. In particular, the touch bar issue is relating to Java (and affects multiple Java apps, the most notable being Eclipse) which CudaLaunch on the client side does not use.

 

All Barracuda devices are available as trial editions if you speak to the Sales team (either virtual, or via a demo appliance), so there should never be a situation where a customer needs to be unhappy. We allow and encourage you to evaluate first for a short period of time, and only order when you know that the product actually meets your needs.



#17 Greg Shaffer

Greg Shaffer
  • Members
  • 2 posts

Posted 24 September 2018 - 12:01 PM

Confirmed - the F18 firewall does not have this problem.  The configuration is a bit more complicated, but it seems to be a good replacement for the SSLVPN 180.  Note that you do need an Advanced Remote Access subscription if you want to have more than one concurrent user accessing using many/most of the features (e.g. RD).



#18 Chris Lockett

Chris Lockett
  • Members
  • 1 posts

Posted 09 November 2018 - 05:10 PM

Is there any news regarding a potential fix for this? I was able to install the SSL VPN Agent on a MacBook w/ Touch Bar running Mojave, but when I try to launch the agent the screen flashes and will not start the agent. I have tried launching the agent several different ways, all with the same result.

 

Can't run the VPN off the web since Safari doesn't support Java, and now we can't launch via the agent. Need a solution for this!



#19 Gavin Chappell

Gavin Chappell
  • Moderators
  • 418 posts
  • LocationNottingham, UK

Posted 10 November 2018 - 08:29 AM

Hi Chris, as explained in my opening post, the product has been in maintenance mode for the last two years and only vulnerabilities and "stop ship" bugs will be addressed. This is not considered a "stop ship" so there will not be a solution forthcoming for this product, our advice is to evaluate moving to a CloudGen Firewall which has many advantages over the legacy appliance.



#20 Elliot Montrone

Elliot Montrone
  • Members
  • 11 posts

Posted 20 November 2018 - 10:21 AM

Apparently advertised features not working is an acceptable level of service at Barracuda. For some reason the semantics of the phrase "maintenance mode" makes it acceptable to charge a support fee and provide almost no support. It's laughable.