Deploying Barracuda SSL VPN Appliance in DMZ with DUO 2factor Authentication



#1 JFord (Members, 2 posts)

Posted 13 July 2019 - 11:10 AM

Deploying Barracuda SSL VPN Appliance 680 in DMZ
AD user databases
DUO for 2 factor Auth
2 VLANs - internal and DMZ
Primary Interface configured for DMZ
Secondary Interface configured for internal LAN
DUO using RADIUS proxy

All above works.
However, I have to open the remote support tunnel to make connections to the appliance via the web login - the internal interface won't respond to ping or HTTPS connection otherwise.
I then created static routes to the internal subnets, which solves the issue with connecting to the internal interface - it no longer requires the remote tunnel open.
However, the static routes break AD and RADIUS authentication - so I have a stable connection to the appliance but AD and RADIUS authentication stop working.
Any help, advice, questions would be much appreciated.


#2 Gavin Chappell (Moderators, 426 posts, Location: Nottingham, UK)

Posted 16 July 2019 - 02:23 AM

Unfortunately, multiple interfaces is a lesser-used feature of the SSL VPN, and since we don't expose all parts of the routing table (specifically source-based routing), it's possible in some cases for the SSL VPN to receive an incoming connection (i.e. the SYN part of a TCP handshake) on the IP address on NIC2 but try to respond by sending the SYN/ACK out of NIC1. This has only affected a handful of customers, but for those that are affected there isn't really a quick fix.

Generally speaking, for a deployment like this, I would recommend simply having a single NIC in the DMZ part of your network and then explicitly allowing traffic from the DMZ zone into your internal network as required. The SSL VPN appliance comes with virtually no access control, so by attaching it in the way you have, you are not really getting the advantages of a DMZ, because clients that connect to the SSL VPN with Network Connector/IPsec will be able to hit your internal LAN directly anyway, as the SSL VPN does not perform any firewalling functionality. The SSL VPN appliance is really just designed to be a "leaf" device, as it is lacking certain features that make it suitable for connecting multiple networks together.

Alternatively, you should look into the CloudGen Firewall which is the replacement product - the TINA VPN functionality performs better and is more secure, and the CloudGen Firewall is a firewall so access control is handled too.
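The asymmetric-reply problem the moderator describes (SYN arrives on NIC2's address, SYN/ACK leaves via NIC1 because the reply is routed by destination only) can be modelled in a few lines. The following is an added example, not code from the thread or from Barracuda: it builds a toy longest-prefix-match routing table, compares a destination-only table with the poster's static-route workaround and with a source-based (policy) table, and audits a set of constructed inbound flows for replies that would leave through a different interface than the one they arrived on. All interface names, addresses and the `FLOWS` list are constructed for the example.

```python
"""Model of asymmetric replies on a dual-NIC host: the SYN is received on
NIC2's address, but without source-based routing the SYN/ACK is routed by
destination only and may leave via NIC1.  Everything here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                      # egress interface
    gateway: Optional[str] = None   # None means directly connected


class RoutingTable:
    def __init__(self, routes: List[Tuple[str, str, Optional[str]]]):
        self.routes = [Route(ipaddress.ip_network(p), i, g) for p, i, g in routes]

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, i.e. a plain destination-based forwarding decision."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)


class PolicyRouter:
    """A main table plus optional per-source-address tables (the 'ip rule from X' idea)."""
    def __init__(self, main: RoutingTable, source_rules: Optional[Dict[str, RoutingTable]] = None):
        self.main = main
        self.source_rules = source_rules or {}

    def egress(self, src: str, dst: str) -> str:
        table = self.source_rules.get(src, self.main)
        return table.lookup(dst).iface


# Constructed topology (hypothetical, not from the thread): NIC1 in the DMZ, NIC2 on the LAN.
NIC1_IP, NIC2_IP = "192.0.2.10", "10.20.0.10"
DMZ_GW, LAN_GW = "192.0.2.1", "10.20.0.1"


def destination_only_router() -> PolicyRouter:
    """Connected subnets plus a default route out of the DMZ interface only."""
    return PolicyRouter(RoutingTable([
        ("192.0.2.0/24", "nic1", None),
        ("10.20.0.0/24", "nic2", None),
        ("0.0.0.0/0", "nic1", DMZ_GW),
    ]))


def static_route_router() -> PolicyRouter:
    """The poster's workaround: a static route for the internal range via NIC2's gateway."""
    r = destination_only_router()
    r.main.routes.append(Route(ipaddress.ip_network("10.0.0.0/8"), "nic2", LAN_GW))
    return r


def policy_router() -> PolicyRouter:
    """Source-based routing: anything sourced from NIC2's address uses NIC2's own table."""
    nic2_table = RoutingTable([
        ("10.20.0.0/24", "nic2", None),
        ("0.0.0.0/0", "nic2", LAN_GW),
    ])
    return PolicyRouter(destination_only_router().main, {NIC2_IP: nic2_table})


def reply_egress(router: PolicyRouter, ingress_iface: str, local_ip: str, client_ip: str):
    """Return (egress_iface, symmetric) for the SYN/ACK sent back to client_ip."""
    egress = router.egress(local_ip, client_ip)
    return egress, egress == ingress_iface


def audit(router: PolicyRouter, flows):
    """flows: (ingress_iface, local_ip, client_ip) tuples; return the asymmetric ones."""
    return [f for f in flows if not reply_egress(router, *f)[1]]


# Constructed inbound connections to audit.
FLOWS = [
    ("nic1", NIC1_IP, "203.0.113.5"),   # remote user reaching the DMZ address
    ("nic2", NIC2_IP, "10.20.0.50"),    # admin on the directly connected LAN subnet
    ("nic2", NIC2_IP, "10.30.5.7"),     # admin on another internal subnet
]

if __name__ == "__main__":
    for name, r in [("destination-only", destination_only_router()),
                    ("static route", static_route_router()),
                    ("policy routing", policy_router())]:
        print(f"{name}: asymmetric flows = {audit(r, FLOWS)}")
```

Running the block shows only the destination-only table producing an asymmetric flow (the admin on the non-connected internal subnet, whose SYN/ACK would leave via nic1). Both the static-route workaround and the policy-routing table make that reply symmetric; the difference is that the policy variant leaves the main table untouched for traffic the appliance originates itself, whereas a static route changes the path for every packet to that destination range. The model covers reply-path symmetry for inbound connections only; it does not model the appliance's own outbound AD or RADIUS traffic, so it cannot explain the poster's authentication failure.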