Barracuda Networks VERSION SP4 User Manual

18 Server Config – Access Control Service
List 2–2 Access Control Server - Access Control Server Settings - System Health-Validator – section General

| Parameter | Description |
|---|---|
| Start System Health-Validator | Setting to yes starts the Access Control Server module before VPN health validation. |
| Health State Validity (min.) | This value restricts the validity time of a health state. If the client does not re-evaluate its health state within that period, all assigned “network access rights” will be dropped. |
| Health State Probation (min.) | This value defines the probation interval of a health validation. If a client does not satisfy the health requirements in an initial health validation step, the client is put into probation. It receives the special network access right “probation” in addition to the rights it would have if it were healthy. If the client does not become healthy within the probation time, it is automatically set to health state “unhealthy” once the probation time has elapsed. |
| External IPs | This option defines service IP addresses as external IP addresses. This information may be used in policy rules for health evaluation to distinguish between external and internal requests. |
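
The interplay of Health State Validity and Health State Probation from List 2–2, modelled as an added example (not Barracuda code and not part of the manual). The state names "unknown" and "expired", the symbolic rights labels, the exact boundary comparisons, and the rule that a failed validation of a healthy client also starts probation are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HealthPolicy:
    validity_min: int   # "Health State Validity (min.)"
    probation_min: int  # "Health State Probation (min.)"

def client_state(policy, evaluations, now):
    """Return (state, rights) at minute `now`.

    evaluations: constructed list of (minute, passed) tuples, sorted by minute.
    Rights are symbolic labels: "assigned" stands for the rights of a healthy
    client, "probation" for the special probation right.
    """
    state, probation_start, last_eval = "unknown", None, None
    for minute, passed in evaluations:
        if minute > now:
            break
        # A probation interval that ran out before this evaluation has ended.
        if state == "probation" and minute - probation_start >= policy.probation_min:
            state = "unhealthy"
        if passed:
            state, probation_start = "healthy", None
        elif state in ("unknown", "healthy"):
            # Assumption: a failed validation of a client that is not already
            # on probation or unhealthy starts the probation timer.
            state, probation_start = "probation", minute
        last_eval = minute
    if last_eval is None:
        return "unknown", set()
    if state == "probation" and now - probation_start >= policy.probation_min:
        state = "unhealthy"
    # Validity: no re-evaluation within the period drops all assigned rights.
    if now - last_eval > policy.validity_min:
        return "expired", set()
    if state == "healthy":
        return state, {"assigned"}
    if state == "probation":
        return state, {"assigned", "probation"}
    # The manual does not list the rights of an unhealthy client; none modelled.
    return state, set()

if __name__ == "__main__":
    policy = HealthPolicy(validity_min=30, probation_min=60)  # constructed values
    for t in (10, 45):  # failed once at minute 0, never re-evaluated
        print(t, client_state(policy, [(0, False)], t))
```

With a validity period shorter than the probation interval, a client on probation that stops re-evaluating loses its rights when validity runs out, before probation would have ended.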
List 2–3 Access Control Server - Access Control Settings - System Health-Validator – section User Authentication

| Parameter | Description |
|---|---|
| User Authentication Required | If this option is set to no, the client will not re-evaluate its health state when a user logs on. For example, no "current user" health evaluation will take place. |
| PHIBS Authentication Scheme | The phibs scheme used for basic authentication. |
| Fallback PHIBS Auth. Scheme | This option is only available if Phibs Authentication Scheme was set to MSCHAP. In this case this scheme is used for authentication if the MS-CHAP authentication fails. The client will display a pop-up requesting username and password. |
List 2–4 Access Control Server - Access Control Server Settings - System Health-Validator – section Local Machine Authentication

| Parameter | Description |
|---|---|
| Certificate Required | If set to yes, a local machine authentication succeeds only if a certificate is provided. Caution: Do not forget to set a correct Search String for Box Certificates, since there is no "default" box certificate that could be used for authentication. The client needs to know which certificate of the local certificate store should be used for health evaluation. |
| Search String Type | May be set to either Issuer or Subject. This setting defines how the Search String for Box Certificates is interpreted. |
| Search String for Box Certificates | Either an X509 issuer string or an X509 subject string (for example C=AT, O=Barracuda, OU=*,CN=*). Pattern matching is allowed. |
List 2–5 Access Control Server - Access Control Server Settings - System Health-Validator – section General Authentication

| Parameter | Description |
|---|---|
| Authentication Root Certificate | The root certificate is used to verify the validity of certificates provided by clients within a local computer health validation process. |
| Root Cert. Revocation Settings | This section provides configuration settings for certificate revocation. Certificate revocation can be done by using either CRL (LDAP) or OCSP. |
List 2–6 Access Control Server - Access Control Server Settings - System Health-Validator – section Referrals

| Parameter | Description |
|---|---|
| Remediation Server Location | This option defines where the remediation server can be reached. Select This, if the remediation server is running on the same system as the Access Control Server. In this case Start Remediation Server must be set to yes. Select Other, if it is running on another system, and specify the remediation server IP addresses in the fields below. |
| Internal Remediation Server IPs | In this list, define the IP address(es) of the remediation servers that are accessible by clients within the Secure Network. |
| External Remediation Server IPs | In this list, define the IP address(es) of the remediation servers that are accessible by clients within the Restricted Network. |