How do I configure Attributes and what do the options mean on my Barracuda SSL VPN?

Solution #00006090
Scope:
This solution applies to Barracuda SSL VPN models, all firmware versions.
Answer:
Creating a new attribute

Navigate to Advanced > Attributes.

Name: This field is the SSL VPN internal name and must be entered without spaces. For example, if you create an attribute called myAttribute, you will be able to refer to it as ${userAttributes:myAttribute}.

Label: The full text label explaining what this attribute is used for (may contain spaces).
Type:

  • User - Values for this Attribute are stored on a per user basis
  • Policy - Values for this Attribute are stored on a per policy basis

Format: There are 5 formats to choose from:
  • Text: Applies a string validator that allows any string up to 8192 characters
  • Number: Applies an integer validator that allows any number from 0 to 9999999
  • Checkbox: Applies a Boolean validator. Even though this says Checkbox, this presents a Radio button with Yes/No
  • Password: Applies the same string validator as above, but when the user enters the text value the characters are masked with *
  • Text Area: Applies the same string validator as above, but allows multi line entry

For more information on validation, see Appendix 1: Validators section below.

Visibility: For User Attributes, there are 4 visibility options which control who can edit or use the attribute:

User or Administrator may use, view and override: Users can view and edit the value in Account > Attributes. The administrator can view and edit the value by editing a user account, then finding that attribute in the user's properties. This option is the most flexible for users, as they may enter the value of the attribute themselves. It is useful, for example, if you want to use the hostname for users' RDP sessions but do not want the administrator to have to pre-edit the value for all users.


User may use or view, Administrator can change: Users can view the value in Account>Attributes, but not edit it. The administrator can view and edit the value for a user by editing their account. This option can be useful if you want the administrator to retain control of the value of the attribute (read-only for users).


User may use, Administrator can view or change: Users cannot even view the value of the attribute, even though it will be used if assigned to a launched resource. The administrator can view and edit the value for a user by editing their account. This option can be useful if you need to pass some sensitive parameter that you do not wish the user to see.


User confidential: Users can view and edit the value in Account > Attributes. The administrator cannot view or edit the value at all. The value is also encrypted in the database to enforce confidentiality. This option can be useful for items you do not want even the administrator of the SSL VPN to know, such as user passwords.


When you edit an Attribute, 4 more options are presented.


Default Value: Set a default value for the attribute rather than having a blank entry.

Category: If you are creating Attributes which you would like grouped together, you can define a category for them. Attributes in the same category will be grouped together in a separate block under this category heading to make these Attributes easier to see.

Weight: If no weight is provided, then Attributes will be ordered alphabetically according to their Attribute name. You may override this by applying a weight to each Attribute (0 is the highest priority and will be at the top of the list, higher numbers are lower priority).

Validator: Some Attribute types already have a validator entered by default. For more on validators, see Appendix 1: Validators.


Where are User and Policy Attributes used in the SSL/VPN?

The following locations are places where Attributes may be used:
  • Basic > Quick Launch
  • Basic > Configuration > SMTP: Email Address Attribute
  • Resources > Web Forwards: such as authentication parameters or parts of URLs
  • Resources > Network Places: such as authentication, server or path shares
  • Resources > Applications: virtually all fields can accept attributes
  • Resources > SSL Tunnels: destination hos
  • Resources > Profiles: virtually all fields can accept attributes
  • Access Control > Security Settings: such as Client Certificate user attribute, OTP message text
  • Access Control > Configuration: RADIUS attributes, SMS gateway address


Usage examples:
In an Application shortcut, for example, anywhere you see the ${} button you can click it to select an Attribute. Also note that you can use attributes as part of a body of text. For example, if you have an Attribute for a web path, then you could have a Web Forward URL like http://myserver.com/${userAttributes:webpath}

Special case with Network Places: If you have an Active Directory configured the SSL VPN automatically pulls the value for a user's AD home directory and assigns this to 2 attributes. For example, if the user's home directory is \\server\share then 'server' gets assigned to ${userAttributes:homeDirectoryServer} and 'share' gets assigned to ${userAttributes:homeDirectoryShare}. These 2 attributes can then be used in setting up a Network Place (as the host and path are 2 separate text fields).


What is the difference between User and Policy Attributes?
When a user launches a resource with a User Attribute, if they do not have a value for this Attribute stored, then the SSL VPN will first prompt for that value (this saves that value by default although you can opt to not save the value).

If the user wants to change this value at any time, they go to the Account > Attributes, where they will be able to see this value and change it.

With a Policy Attribute, the value has to be defined by editing the Policy (the attribute will appear at the bottom). Only ssladmin or a delegated account with permissions to edit Policies can set this value. A good case for using Policy Attributes is a set of users who all access the same public file share for their department: you can define the value on the policy that all these users are members of, and so only need to define the value once.

Appendix 1: Validators

If you edit an Attribute, you may choose to create your own validator for the attribute value. Following is a description of all 17 validator types and the options for these. Not all of these may make sense with regards to Attributes as they may have been designed for other areas of the SSL VPN code.

A validator will be in the format: com.sslexplorer.input.validators.validatorType(option1=value,option2=value,...)


com.sslexplorer.input.validators.AsciiValidator
No options.
Ensures that the String contains only ASCII characters.


com.sslexplorer.input.validators.BooleanValidator
No options.
Checks for a true or false state. Only makes sense with the Check Box attribute.


com.sslexplorer.input.validators.EmailAddressValidator
No options.
Checks for email address in the format string@string.


com.sslexplorer.input.validators.HostnameOrIPAddressValidator
No options.
Checks for valid hostname/ipaddress strings (allows alphanumeric, '.', '_' and '-' up to 255 characters in length).


com.sslexplorer.input.validators.HostnameOrIPAddressWithPortValidator
No options.
Checks for hostname/ipaddress and port in the format hostname[:port] or IPAddress[:port].


com.sslexplorer.input.validators.HostnameOrIPAddressWithReplacementsValidator
No options.
Checks for hostname/ipaddress and port strings. The string may also contain other attributes as replacement variables, e.g. myserver:${userAttributes:port} should be allowed by this validator.


com.sslexplorer.input.validators.IntegerValidator
Options (int minValue, int maxValue)
Checks for an integer between two values.
  • minValue - The minimum integer value. This defaults to zero if omitted
  • maxValue - The maximum integer value. This defaults to 2147483647 if omitted


com.sslexplorer.input.validators.IPAddressPatternValidator
No options.
Checks for IP addresses or networks of the following formats:
  • IP address in the format [n].[n].[n].[n] where 'n' is a number between 1 and 3 characters in length or * for wildcard.
  • IP address in the format [n].[n].[n].[n] but including replacements as per the Replacements validator above.
  • IP address in the CIDR format [n].[n].[n].[n]/[X] where 'n' is a number between 1 and 3 characters in length and 'X' is a number between 1 and 3 characters in length.


com.sslexplorer.input.validators.IPV4AddressValidator
No options.
A different implementation of the IPAddressPatternValidator without using regular expressions internally, but should check addresses, CIDR and wildcards as above.


com.sslexplorer.input.validators.IPV6AddressValidator
No options.
Checks if the input is a valid IPv6 address which should match any of the below formats:
  • fe80:0000:0000:0000:0204:61ff:fe9d:f156 - full form of IPv6
  • fe80:0:0:0:204:61ff:fe9d:f156 - drop leading zeroes
  • fe80::204:61ff:fe9d:f156 - collapse multiple zeroes to :: in the IPv6 address
  • fe80:0000:0000:0000:0204:61ff:254.157.241.86 - IPv4 dotted quad at the end
  • fe80:0:0:0:0204:61ff:254.157.241.86 - drop leading zeroes, IPv4 dotted quad at the end
  • fe80::204:61ff:254.157.241.86 - dotted quad at the end, multiple zeroes collapsed
  • ::1 - localhost
  • fe80:: - link-local prefix
  • 2001:: - global unicast prefix


com.sslexplorer.input.validators.LDAPSyntaxValidator
No options.
Checks a string for a valid LDAP DN (i.e. starts with cn= or ou=).


com.sslexplorer.input.validators.MACAddressValidator
No options.
Checks for a string containing a MAC address (6 groups of 2 hexadecimal characters separated optionally with ':' or '-').


com.sslexplorer.input.validators.NoneBlankStringValidator
No options.
Checks for a non blank string only.


com.sslexplorer.input.validators.PortValidator
No options.
Checks for a valid IP port number in the range of 0 to 65535.


com.sslexplorer.input.validators.SizeValidator
No options.
Checks for strings in a size format, i.e. [width]x[height].


com.sslexplorer.input.validators.StringValidator
Options (int minLength, int maxLength, String regExp, String pattern, boolean trim)
Checks a string input and accepts the following properties:
  • minLength - The minimum string length. This defaults to zero if omitted
  • maxLength - The maximum string length. This defaults to 255 if omitted
  • regExp - A regular expression to validate against. By default no pattern is matched
  • pattern - A pattern to validate against. By default no pattern is matched. Pattern is a simplified form of regular expression that accepts only ? and *
  • trim - Boolean indicating whether to trim white space before validating (defaults to true)


com.sslexplorer.input.validators.TimeValidator
No options.
Checks for a time in 24hour HH:MM format.
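
The following is an added example, not Barracuda's code: it emulates the StringValidator options as this appendix documents them, so a candidate validator string for a user-editable attribute (here the webpath attribute from the Web Forward URL above) can be tried against sample values before it is entered on the appliance. Assumptions: regExp must match the whole value, Python's re module stands in for the appliance's regular expression engine, and the validator string and sample values are constructed for illustration.

```python
import re

PREFIX = "com.sslexplorer.input.validators."
OPTION_NAMES = ("minLength", "maxLength", "regExp", "pattern", "trim")

def parse_validator(spec):
    """Split 'package.Type(opt=value,...)' into (type name, options dict)."""
    m = re.fullmatch(re.escape(PREFIX) + r"(\w+)(?:\((.*)\))?", spec.strip())
    if not m:
        raise ValueError("not a validator string: %r" % spec)
    body = m.group(2) or ""
    # Assumption of this example: a comma separates options only when an
    # option name follows it, so a regExp such as [a-z]{1,8} stays intact.
    parts = re.split(r",(?=(?:%s)=)" % "|".join(OPTION_NAMES), body) if body else []
    return m.group(1), dict(p.split("=", 1) for p in parts)

def string_validator(value, opts):
    """Return None if value passes, else the reason it is rejected."""
    if opts.get("trim", "true").lower() == "true":
        value = value.strip()
    lo, hi = int(opts.get("minLength", 0)), int(opts.get("maxLength", 255))
    if not lo <= len(value) <= hi:
        return "length %d outside %d..%d" % (len(value), lo, hi)
    if "regExp" in opts and not re.fullmatch(opts["regExp"], value):
        return "regExp mismatch"
    if "pattern" in opts:
        # 'pattern' accepts only ? (one character) and * (any run of characters).
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in opts["pattern"])
        if not re.fullmatch(rx, value):
            return "pattern mismatch"
    return None

def check(spec, values):
    """Map each candidate value to None (accepted) or a rejection reason."""
    kind, opts = parse_validator(spec)
    if kind != "StringValidator":
        raise NotImplementedError(kind)
    return {v: string_validator(v, opts) for v in values}

# Constructed validator for the 'webpath' attribute used in
# http://myserver.com/${userAttributes:webpath}
WEBPATH = PREFIX + "StringValidator(minLength=1,maxLength=64,regExp=[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*)"
# Constructed values a user might type into Account > Attributes.
SAMPLES = ["reports/2024", "  intranet  ", "../admin", "docs?x=${userAttributes:port}", ""]

if __name__ == "__main__":
    for value, reason in check(WEBPATH, SAMPLES).items():
        print("%-34r %s" % (value, reason or "accepted"))
```

With the default trim=true the padded value is accepted after trimming, while the path-traversal form, the value carrying a query string and nested replacement, and the empty string are all rejected.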


Link to this page:
http://www.barracuda.com/kb?id=50160000000IyIy