The Barracuda SSL VPN is the only product in the Barracuda portfolio which has any client-side dependencies on Java, the rest of the products are either web-based or use native apps (such as Firewall Admin, the Outlook add-ins for email filtering/archiving, etc). So this only concerns the SSL VPN product. This product has been in maintenance mode for a little under 2 years (we announced this in November 2016 on our community forums, and I believe that potential new customers are told this and we suggest deploying a CloudGen Firewall for modern remote access).
With regard to the server-side, we are planning to keep the Java server stack up to date for the foreseeable future in order to maximise the security of the appliance itself as it is constantly connected to the Internet, and in the case of most customers accepts connections from anywhere in the world by necessity. This will run on a different version of the Java Runtime Environment, needs minimal code changes and is an acceptable effort to reduce this security risk which falls within the maintenance mode commitment.
With regard to the client-side, unfortunately there will not be a commitment to rewriting the large portion of the codebase which would be required in order to work with the latest client-side Java Runtime Environment. This would require far more developer effort than the server-side code and since there are no Java-based SSL VPN services listening on clients (the SSL VPN Agent only connects outbound to SSL VPN appliances) this falls outside of the maintenance mode commitment which was outlined almost 2 years ago, long before the recent changes (and associated press coverage) around Oracle Java support and licensing.
Ultimately this means that once Oracle Java 8 goes end of public support in Jan 2019, there are a few potential paths:
- You enter a contract with Oracle in order to continue receiving updates to Oracle Java 8 on your systems, once they are no longer publicly available
- You continue to keep the current version installed, as my understanding is that the charges only refer to receiving further updates, not to the continued use of the last public release of Oracle Java 8
- You remove the system-installed version of Java from your clients, and switch to using our Standalone SSL VPN Agent which bundles its own copy of Oracle Java 8 that does not include the web applet. This removes one of the largest Java client attack vectors (i.e. potential malicious “drive-by" applets running in the browser just by visiting a website)
- You switch to an alternative product - in this case Support would be happy to help you evaluate (and potentially migrate to) the CloudGen Firewall. There may also be some deals to help you switch products, but I am a technical resource not a sales resource, so this is outside of my control
Of the above options, I strongly recommend investigating the Standalone SSL VPN Agent as having Oracle Java 8 installed is only half the battle when it comes to the web-based SSL VPN Agent. The other half of the battle is whether the browser will run Java applets. With the release of macOS Mojave today, and the resulting update to Safari on both Mojave and High Sierra, Macs no longer have this functionality as Java applet support has been removed by Apple so having Oracle Java 8 installed still won't help. Internet Explorer 11 is the only browser which will still run Java applets.