
Barracuda CloudGen firewall can be configured to support MFA in several modes. This guide will document how to configure 2-factor authentication,
using Microsoft Active Directory as the first factor and Token2 TOTP hardware token as the second.
The guide is based on the following components:
• Active Directory deployed on Windows Server 2016 ( IP: 192.168.50.10)
• A
Token2 programmable token(the guide below shows C301i as an example)
• Barracuda CloudGen firewall APPLIANCE VF1000 (management interface IP :192.168.50.252)
• An iPhone device with NFC enabled - this is needed for the enrollment only, subsequent logins will only require the hardware token
The steps below are describing the process using iPhone and C301i token,
but please note that the same operation can be done using any of our programmable tokens and supported platforms (i.e. Android or Windows) with minor differences.
Configure Barracuda CloudGen Firewall
1. Log in to the Barracuda CloudGen firewall with Barracuda NextGen Admin:
2. Select Configuration > Configuration Tree > Box > Infrastructure Services > Authentication Service

3. From the navigation menu, select MSAD Authentication.
4. Click Lock.
5. From the Configuration Mode section of the navigation menu, select Advanced View .
6. In the MSAD Authentication section , from the Activate Scheme drop-down list , select Yes.
7. From the Method drop-down list, select ACTIVE_DIRECTORY .
8. For Basic , click + to add a DC server.
9. In the Domain Controller Name text box, type the name of Domain Controller without domain suffix.
10. In the Domain Controller IP text box, type the IP of your Domain Controller.
11. In the Active Directory Searching User text box, enter any domain user with permission to search in Active Directory(format : DOMAIN\user)
12. In the AD Searching User Password text box type password for this user.
13. In the Base DN text box specify, where to search for user information.
12. Click OK. Leave the default value for other settings.
13. Click Send Changes.
14. Click Activation Pending.
Enable TOTP Authentication.
1. From the navigation menu, select TOTP
Authentication.
2. Click
Lock.
3. In the TOTP Authentication section, from the Activate Scheme drop-down list, select Yes.
4. From the
Method drop-down list, select
Time-based_OTP.
5. Click
Send Changes.
6. Click
Activation Pending.
Create an SSL VPN Server:
1. Select
Configuration > Configuration Tree > Box > Assigned Services.
2. Right-click
Assigned Services and select
Create Service.
3. From the
Enable Service drop-down list, select
Yes.
4. Type a
Service Name. The service name must be unique and contain more than six characters. You cannot change the service name later.
5. From the
Software Module drop-down list, select
VPN Service.
6. From the
Service Availability drop-down list, select
First + Second-IP.
7. Click
Next.
8. Leave the default settings on the
Statistics and Access Notification configuration pages.
10. Click
Finish.
11. Click
Activate.

Disable Port 443 for Site-to-Site and Client-to-Site VPN
1. Select
Configuration > Configuration Tree > Box > Assigned Services > VPN-Service > VPN Settings.
2. Click
Lock.
3. Click
Click here for Server Settings.
The Server Settings window appears.
4. For
Listen on port 443 ,uncheck it.
Configure SSL VPN Server Settings
1. Select
Configuration > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN.
2. From the
Enable SSL VPN drop-down list, select
Yes.
3. From the
Enable TOTP Self Service drop-down list, select Yes.
4. Next to
Listen IPs, click
+. This is the external IP address that the SSL VPN listens on
(usually the IP address used to connect to the Internet, in this guide we use local ip(192.168.50.252)).
5. Select the
Restrict to Strong Ciphers Only check box.
6. From the
Identification Type drop-down list, select
Generated-Certificate.
7. From the navigation menu, select
SSL VPN Settings.
8. From the
Identity Scheme drop-down list, select
MS Active Directory.

9. Click
Send Changes.
10. Click
Activate.
11. From the navigation menu, select
Access Control Policies.
12. Edit the
Default policy.
13. Next to
Authentication Schemes, click
+ and add
MS Active Directory, click
+ and add
Time-based OTP;

14. Click
OK.
15. Click
Send Changes.
16. Click
Activate.
Install the provisioning tool
Download and install the supported provisioning app for your device type. Refer to
this page to find the correct app for your token and the operating system.
For our example, we selected the C301i as the token model and iPhone as the platform.
Check NFC Connectivity
Next, make sure the app can communicate to the token. To do this, launch the NFC Burner app and click on "get token data" button.
The app will open the NFC prompt. Then, turn the token on (it should show digits or dashes on the LCD) and touch the top of the device (near the speaker).
If the NFC connection is successfully established, you should see the serial number and the system time of the token in the 'Results' textarea.
Please note that the timestamp value shown by the app is in UTC timezone and may not match your local time
Self Enrollment
Users can now use the SSL VPN web portal, CudaLaunch, or go to the dedicated TOTP web portal
(URL https://(IP of the SSL VPN service)/portal/totp.html) and enroll themselves for TOTP authentication.
Enter your AD credential and login. After you will see Enrollment page:

• Now, on your iPhone, launch the TOKEN2 NFC Burner app and click on 'scan QR' button.
• Point your iPhone camera to the QR code shown by Barracuda
• Once the QR code is detected by the app, the Seed field should be populated with the hex value of the TOTP profile encoded in the QR image

• Then, click on "Burn" button, turn the token on and touch the top of the device when prompted

• Make sure the results area shows 'seed successfully applied'
• Turn the token off and on again to get the new OTP generated
• In the Enrollment window, enter the 6 digit OTP shown on the token and finish wizard.
Now the account ready to use MFA.
Test the Integration
In this example, we show the one-time password authentication method.
1. Log in to the Barracuda CloudGen firewall with Barracuda NextGen Admin.
2. Select
Configuration > Configuration Tree > Box > Assigned Services > VPN-Service > SSL-VPN > Native Apps.
3. Next to Native Apps, click
+ and add an
RDP App.

4. Run the
CudaLaunch client application. You can download this application from the Barracuda NG Download Portal.
5. Type the IP address(192.168.50.252) of the Barracuda CloudGen firewall.
6. Click
Connect.

6. In the
Server certificate error dialog box, click Yes.
7. In the
Username text box, type your AD user name.
8. In the
Password(MSAD) text box, type your AD User’s password.
9. In the
Time-based OTP text box, type one-time code.
10. Click
Log in.

12. Click
Token2 RDP App to run this app.