FYI: required outbound connections for SSL VPN (was: Support Tunnel enhancements)


2 replies to this topic

#1 Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 10 September 2018 - 09:02 AM

We have recently been enhancing the security and reliability of the support tunnel system. If you are filtering outbound connections from your SSL VPN (or any other Barracuda product) appliance, then you will need to allow any outbound traffic in order to establish a support tunnel connection. They should be allowed to ALL destination IP addresses; the new support tunnel is currently hosted in AWS and therefore the IP may change at any time to any IP owned by AWS. If you restrict the destination IP addresses that are contactable on these ports, then Support may be unable to help you.

 

Also please note that as of August 26th 2019 the new support tunnel will be the ONLY support tunnel infrastructure available and therefore without all these ports being open correctly there will be no way that the Support team can assist.



#2 Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 19 August 2019 - 11:01 AM

Reminder: As of August 26th (next Monday) the old support tunnel will no longer be available. If you need assistance with your Barracuda SSL VPN appliance (or any other product), then you MUST open outbound Internet access on ports 22/443 from your Barracuda appliance to ALL IP addresses. The new support tunnel terminates on servers which are hosted in AWS, so it is impossible for Barracuda to provide a definitive list of which IP addresses must be allowed.

 

All SSL VPN appliances which are capable of running the new support tunnel should have received updates in the field - from memory this should have happened on all firmware 2.4.0.12 and above, which covers any firmware released since approximately June 2013.



#3 Gavin Chappell
  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 22 August 2019 - 01:48 AM

I was also reminded that changes to the update infrastructure are being implemented shortly such that our update and content servers are also now hosted in AWS and not in a Barracuda datacenter. So as well as any changes for the support tunnel system, as a customer you will need to ensure that outbound access on port 80 is allowed in order to contact the update service.

 

Please note that although some people will notice that this runs over port 80 and is therefore plaintext HTTP, be assured that all update content is pre-encrypted and signed with GPG to avoid attacks on update definitions. This works the same way as most Linux distributions, in that there is no value in increasing server load by encrypting an HTTP payload containing an already encrypted file. If anyone were to modify/corrupt the definition file during transfer, the GPG signature check and decryption would fail and the update process would abort.

 

https://campus.barra...uda-appliances/ contains a complete list of hostnames and ports which are required.
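The verify-then-apply gate described in the post above, as an added example that is not Barracuda's own update code: a POSIX shell script that generates a throwaway GPG key (standing in for the vendor's signing key, which a real appliance would already hold in a trusted keyring), signs a constructed definition file, and shows that a copy altered in transit fails the detached-signature check and is never applied. It assumes gpg 2.1 or later is installed; the signer identity, file names and paths are made up for the example.

```shell
#!/bin/sh
# Added example (not Barracuda's update code): verify-then-apply for a file
# fetched over plain HTTP, gated on a detached GPG signature. A throwaway key
# generated here stands in for the vendor's signing key; needs gpg 2.1+.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
SIGNER='update-signer@example.invalid'   # constructed identity, not a real key
VENDOR_KEYRING="$WORK/vendor-pubkey.gpg" # the only keyring the verifier trusts
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Generate the stand-in signing key (no passphrase, batch mode) and export
# only its public half into the keyring the appliance side would ship with.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER" default sign never >/dev/null 2>&1
gpg --batch --quiet --export "$SIGNER" > "$VENDOR_KEYRING"

# sign_update FILE -> writes FILE.sig (what the vendor does before publishing).
sign_update() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$SIGNER" --detach-sign --output "$1.sig" "$1"
}

# verify_update FILE SIG: exit 0 only if SIG is a valid signature over FILE
# made by a key in the trusted vendor keyring; the user's default keyring is
# deliberately ignored so an attacker-supplied key cannot be "trusted" by accident.
verify_update() {
    gpg --batch --quiet --no-default-keyring --keyring "$VENDOR_KEYRING" \
        --trust-model always --verify "$2" "$1" >/dev/null 2>&1
}

# apply_update FILE SIG: the gate the post describes. Reports "applied" only
# when verification passes; otherwise prints nothing and returns 1 so the caller
# aborts instead of installing a definition file that was changed in transit.
apply_update() {
    if verify_update "$1" "$2"; then
        echo "applied $(basename "$1")"
        return 0
    fi
    return 1
}

# Constructed sample "definition file" as it would arrive from the update server.
printf 'definitions-version: 2019.08\n' > "$WORK/defs.bin"
sign_update "$WORK/defs.bin"

# A copy modified on the wire: a single extra byte is enough to break the signature.
cp "$WORK/defs.bin" "$WORK/defs-tampered.bin"
printf 'X' >> "$WORK/defs-tampered.bin"

apply_update "$WORK/defs.bin" "$WORK/defs.bin.sig" || echo "genuine file rejected?!"
apply_update "$WORK/defs-tampered.bin" "$WORK/defs.bin.sig" \
    || echo "tampered file rejected, update aborted"
```

The point of pinning the verifier to a separate, vendor-only keyring is that the transport (plain HTTP) contributes nothing to integrity here; everything rests on the signature check, so the set of keys it accepts has to be exactly the vendor's and nothing else.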