Barracuda Networks Technical Documentation

Barracuda Load Balancer

Administrators Guide
Version 4.1

RECLAIM YOUR NETWORK

Copyright Notice
Copyright 2004-2012, Barracuda Networks
www.barracuda.com
v4.1-120124-05-0413-sk
All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.

Trademarks
Barracuda Load Balancer is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or
trademarks of their respective holders.

Contents
Chapter 1 Introduction
Overview
Features of the Barracuda Load Balancer
Load Balancing for all IP-based Applications
Easy to Use and Maintain
Intrusion Prevention System
Auto-Discover Mode
Persistence
SSL Offloading
Secure Communication with Real Servers
Scheduling Policy
Automated Service Monitor
Multiple Deployment Modes
High Availability
Easy Administration
Last Resort Server
Removing a Server without Disrupting the Service
Content Rules
HTTP Request and Response Rewrites
Support for Layer 2 VLANs
TCP and UDP Proxy
FTP Traffic
HTTP Caching and Compression
Global Server Load Balancing (GSLB)

Chapter 2 Load Balancing Deployment Options
Barracuda Load Balancer Terminology
Deployment Options Overview
Service Types
Route-Path (Recommended)
Introduction to Route-Path
Sample Network Situations
Two-Armed Route-Path with Layer 4 Load Balancing
Route-Path Configured with TCP Proxy, UDP Proxy or a Layer 7 Service Type
One-Armed Route-Path using TCP Proxy, UDP Proxy, or Layer 7 Service Types
Two-Armed Route-Path with TCP Proxy, UDP Proxy or Layer 7 Service Types
About Multiple Network Adapters on Real Servers
Bridge-Path
Deploying Bridge-Path
Direct Server Return
Direct Server Return with Bridge-Path
Deploying Direct Server Return
Notes on DSR Deployment
Deployment in a Linux Environment
Deployment in a Windows/XP Environment
Deployment in a Microsoft Windows Server 2003 or 2008 Environment
Verifying DSR Deployment
Virtual Appliance Deployment
Getting Started
Backing Up the VM System State

Chapter 3 Getting Started
Initial Setup
Preparing for Installation
Connecting the Barracuda Load Balancer to the Network
Configuring WAN IP Address and Network Settings
Configuring Your Corporate Firewall
Configuring the Barracuda Load Balancer
Verifying Your Subscription Status
Updating the Barracuda Load Balancer Firmware
Updating the IPS Definitions

Chapter 4 Configuring Services
Deployment Guides for Microsoft Environments
Creating Services
Creating Load-Balanced Services
Associating Real Servers with a Service
Persistence Settings
Layer 7 - HTTP(S)
Layer 4 - TCP, TCP Proxy, Secure TCP Proxy or Layer 4 - UDP
UDP Proxy
Layer 7 - FTP(S)
Layer 7 - RDP
Remote Desktop Services Load Balancing
TCP Proxy, Secure TCP Proxy and UDP Proxy
FTP Service
FTPS Service
SSL Offloading
Uploading SSL Certificates
Specifying SSL Offloading for a Service
Updating Ports on the Real Servers
Securing Communication with the Real Servers
Selecting a Scheduling Policy
Adaptive Scheduling
Pre-Assigned Weight
Scheduling Policies
Scheduling for a Service with type Layer 7 - RDP
Viewing Current Connections
Configuring Intrusion Prevention
Configuring a Last Resort Action
Client Impersonation
Layer 7 - HTTP(S) Services
Introduction
Directing HTTP Requests based on Content Rules
Content Rule Execution
Content Rule Caching and Compression
Setting Up an HTTP Redirect
Modifying HTTP Requests and Responses
Rule Execution Order
Configuring Caching
Configuring Compression
Hosting Multiple Domains with one Service
Server Name Indication (SNI)
Wildcard Certificates
Subject Alternative Name (SAN) Certificates

Chapter 5 Network Configuration
VLAN Support
Routing to Multiple VLANs over an Interface
Making Services Accessible from the LAN/WAN
Creating Static Routes
Allowing Real Servers to Connect to the Internet

Chapter 6 High Availability
Creating a High Availability Environment
Operation of High Availability (HA)
Requirements for HA
Management Access to the Passive System
Failover if LAN Link Goes Down
Forceful or Manual Failover
Primary and Backup Roles
Failback
Synchronization of Data Between Clustered Systems
Detailed Steps to Add or Remove a System from a Cluster
Source IP Address in a Clustered Environment
Option 1
Option 2

Chapter 7 Global Server Load Balancing
Introduction to Global Server Load Balancing (GSLB)
GSLB Examples
GSLB Definitions
Site Selection Criteria
How GSLB Works
Failover
Integrating with the Existing DNS Infrastructure
Site Selection Algorithms
Failover IP Address
IP Address and Location Database
Response Policy Options
Example Implementations
Disaster Recovery - Two Sites in the World
Direct Clients to Closest Data Center
Direct Clients to Specific Region
GSLB Regions
Configuring Multiple GSLB Controllers
Steps to Install GSLB

Chapter 8 Managing the Barracuda Load Balancer
Administrative Settings
Controlling Access to the Web Interface
Customizing the Appearance of the Web Interface
Setting the Time Zone of the System
Enabling SSL for Administration
Monitoring the Barracuda Load Balancer
Monitoring the Health of Services and Real Servers
Monitor Groups
Enabling or Disabling Real Servers
Remotely Administering Real Servers
Viewing Performance Statistics
Viewing Logs
Automating the Delivery of System Alerts and SNMP Traps
SNMP Monitoring
Managing Multiple Systems with the Barracuda Cloud Control
Viewing System Tasks
Maintaining the Barracuda Load Balancer
Backing up and Restoring Your System Configuration
Updating the Firmware of Your Barracuda Load Balancer
Updating the Intrusion Prevention Rules Using Energize Updates
Replacing a Failed System
Reloading, Restarting, and Shutting Down the System
Using the Built-in Troubleshooting Tools
Rebooting the System in Recovery Mode
Reboot Options

Appendix A Extended Match and Condition Expressions
Quick reference
Structure of an Extended Match or Condition Expression
Operators
Elements
Joins
Combining
Escaping
Macro Definitions
No Name Parameters

Appendix B Internet Protocol Version 6 (IPv6)
Using IPv6

Appendix C Barracuda Load Balancer Hardware
Front Panel of the Barracuda Load Balancer
Barracuda Load Balancer Models 240, 340, and 440
Barracuda Load Balancer Model 640
Back Panel of the Barracuda Load Balancer Models 240, 340 and 440
Power Requirements
Hardware Compliance
Notice for the USA
Notice for Canada
Notice for Europe (CE Mark)

Appendix D Limited Warranty and License
Barracuda Networks Limited Hardware Warranty (v 2.1)
Exclusive Remedy
Exclusions and Restrictions
Barracuda Networks Software License Agreement (v 2.1)
Barracuda Networks Energize Updates and Other Subscription Terms
Barracuda Networks Software License Agreement Appendix


Chapter 1
Introduction
This chapter provides an overview of the Barracuda Load Balancer and includes the following topics:
Overview
Features of the Barracuda Load Balancer

Overview
Organizations use load balancers to distribute traffic across a set of servers in their network. In the
event a server goes down, the load balancer automatically detects this failure and forwards traffic only
to the remaining functioning servers, maintaining high availability of the services provided by the
servers. The Barracuda Load Balancer is designed to help organizations achieve their high availability
objectives by providing:

• Integrated Service Monitor to monitor servers
• Comprehensive failover capabilities in case of server failure
• Distribution of traffic across multiple servers
• Integrated protection from network intrusions
• Automatic failover to a backup Barracuda Load Balancer if needed

Note

The Barracuda Load Balancer directs traffic to servers. The best solution for distributing traffic
across multiple Internet connections with failover capability is the Barracuda Link Balancer.

The Barracuda Load Balancer is designed to provide comprehensive load-balancing capabilities to
any IP-based application, including:

• Internet sites with high traffic requirements, including web, FTP, media streaming, and content
  delivery networks
• Hosted applications such as Microsoft Windows Remote Desktop Services, Exchange Server
  and Office Communications Server
• Other IP services requiring optimal performance, including SMTP, DNS, RADIUS, and TFTP

Features specifically for HTTP traffic include:

• Rules that direct traffic based on request content
• HTTP request and response rules to modify requests and responses
• HTTP caching and compression

Features of the Barracuda Load Balancer


The Barracuda Load Balancer is designed with the following features:
Load Balancing for all IP-based Applications
Easy to Use and Maintain
Intrusion Prevention System
Auto-Discover Mode
Persistence
SSL Offloading
Secure Communication with Real Servers
Scheduling Policy
Automated Service Monitor
Multiple Deployment Modes
High Availability
Easy Administration
Last Resort Server
Content Rules
Removing a Server without Disrupting the Service
HTTP Request and Response Rewrites
Support for Layer 2 VLANs
TCP and UDP Proxy
FTP Traffic
HTTP Caching and Compression
Global Server Load Balancing (GSLB)

Load Balancing for all IP-based Applications


The Barracuda Load Balancer is designed to provide fast and comprehensive IP load-balancing
capabilities to any IP-based application, including:

HTTP
HTTPS (SSL)
SSH
SMTP
IMAP
RDP (Remote Desktop Services)
POP3
NTP
ASP
SIP
Streaming Media
DNS
LDAP
RADIUS
TFTP
FTP, FTPS
Other TCP/UDP-based services

Easy to Use and Maintain


The Barracuda Load Balancer is extremely easy to deploy, featuring automatic discovery and
configuration tools through an intuitive web interface.

Intrusion Prevention System


To help secure your network, the Intrusion Prevention System (IPS) can automatically receive
intrusion prevention and security updates from Barracuda Central, an advanced 24/7 security
operations center that works to continuously monitor and block emerging Internet threats.
An alternative solution for intrusion prevention is the Barracuda NG Firewall.
The Intrusion Prevention System protects your load-balanced services from the following common
threats:

• Denial of Service (DDoS) attacks.
• Protocol-specific attacks. The Barracuda Load Balancer contains protocol-specific guards that
  protect your Real Servers from attacks targeting the SMTP, DNS, and LDAP protocols.
• Application-specific attacks. The Barracuda Load Balancer protects common applications that
  are particularly vulnerable to external attacks. These applications include IIS, Websphere, Cold
  Fusion, Exchange, and many more.
• Operating system-specific attacks. The Barracuda Load Balancer contains Microsoft and
  UNIX-specific detection capabilities that identify malicious activity against these operating systems.

Exploit signatures are regularly updated at Barracuda Central and are automatically delivered to your
Barracuda Load Balancer via Energize Updates. The following figure shows how Barracuda Central
provides the latest updates through the Energize Update feature.

Figure 1.1: Barracuda Energize Updates

Auto-Discover Mode
All models of the Barracuda Load Balancer support Auto-Discovery of Real Servers and applications
running on the servers to ensure quick and easy deployment of new servers. For common applications
there is no need to manually configure each port.

Persistence
The Barracuda Load Balancer incorporates technologies that can direct returning clients to the same
server to achieve session persistence. Persistence methods supported include client IP address,
cookies, HTTP headers and URL parameters.
The length of time that session persistence is maintained during a period of inactivity by the client can
be defined on a Service level. Servers can be omitted from persistence using content rules.

SSL Offloading
The Barracuda Load Balancer has the ability to handle SSL encryption and decryption locally, to help
ease the burden on the Real Servers. SSL offloading is available on models 340 and above.

Secure Communication with Real Servers


The Barracuda Load Balancer can use SSL to encrypt the data that passes between it and each of the
Real Servers. The feature, which is also known as back-end SSL, is available on models 340 and
above.

Scheduling Policy
The Barracuda Load Balancer incorporates multiple scheduling policies that support server weighting
including Weighted Least Requests and Weighted Round Robin. Server weights can be predefined
based on server capacity or can be dynamically calculated and assigned by the adaptive scheduling
algorithm based on factors such as the load reported by the servers.

Automated Service Monitor


The Barracuda Load Balancer features a fully integrated Service Monitor which conducts
configurable automated tests to determine the availability of servers. Servers are automatically
disabled or enabled in the load balanced pool based on these test results.

Multiple Deployment Modes


The Barracuda Load Balancers support Route-Path, Bridge-Path, and Direct Server Return
deployment modes. Route-Path offers increased flexibility, while Bridge-Path allows deployment
without changes to existing IP infrastructure. Direct Server Return is ideal for Layer 4 load balancing
of content delivery networks.

High Availability
You can easily create an active-passive redundant configuration with two Barracuda Load Balancers.
The passive Load Balancer can synchronize configurations with the active system and bring your
server farm to enterprise grade availability. This feature is available on models 340 and above.

Easy Administration
The SSL-secured web interface of the Barracuda Load Balancer allows for convenient and secure
configuration, management and monitoring.

Last Resort Server


You can specify a Last Resort Server, which is the server to which all traffic is routed in the event that
all associated Real Servers for a particular Service become unavailable. The Last Resort Server can
be located on a different network, or even on the Internet, as long as it is reachable from the Barracuda
Load Balancer.

Removing a Server without Disrupting the Service


You can remove a Real Server from the server farm for maintenance or other reasons by changing its
status to disabled or to maintenance mode. Changing it to disabled terminates all connections
immediately. When placed in maintenance mode, the server keeps existing connections but does not
accept any new ones. Once the active connections are closed, you can perform the server
maintenance.
You can also add or delete a Real Server without disrupting the Service.

Content Rules
The Barracuda Load Balancer can route application (Layer 7) traffic to different servers based on
content rules that examine incoming requests. This allows you to partition your servers by content and
efficiently direct requests to the relevant server. For example, requests for images can be directed to
a server that has been optimized for image delivery. This feature is available on models 340 and
above.

HTTP Request and Response Rewrites


Powerful regular expression support allows you to create rules that modify HTTP requests and
responses. This feature is available on models 340 and above.

Support for Layer 2 VLANs


The Barracuda Load Balancer supports Layer 2 VLANs. This feature is available on models 340 and
above.

TCP and UDP Proxy


The Barracuda Load Balancer can act as a full TCP or UDP proxy for incoming and outgoing
connections. This feature is available on models 340 and above.

FTP Traffic
The Barracuda Load Balancer has support for Layer 7 FTP and FTPS. This feature is available on
models 340 and above.

HTTP Caching and Compression


Options for caching and compression of HTTP response data are available for Layer 7 HTTP and
HTTPS Services. This feature is available on models 440 and above.

Global Server Load Balancing (GSLB)


GSLB provides a variety of ways to specify how traffic is directed to various sites, including priority
and geographical location. The Barracuda Load Balancer uses those parameters while monitoring the
health of each data center to route requests to the optimal site. This feature is available on models 440
and above.

Chapter 2
Load Balancing Deployment Options
This chapter provides a list of terms used in this document and describes the Barracuda Load Balancer
deployment options. It includes the following topics:
Barracuda Load Balancer Terminology
Deployment Options Overview
Route-Path (Recommended)
Bridge-Path
Direct Server Return
Virtual Appliance Deployment

Barracuda Load Balancer Terminology


Understanding the following terms will aid in administering the Barracuda Load Balancer.

Table 2.1: Barracuda Load Balancer terminology


Term

Description

Service

A combination of a Virtual IP (VIP) address and one or more TCP/UDP ports that the Service is to listen
on. Traffic arriving over the designated port(s) to the specified Virtual IP address is directed to one of the
Real Servers that are associated with that Service.

Service Monitor

The Service Monitor monitors the availability of the Real Servers. It can be configured either on a per-Service or per-Real Server basis to use one of several different methods to establish the availability of a
Real Server. If the Service Monitor finds that no Real Servers are available, you can specify a Last
Resort Server to which all traffic for the Service will be routed.

Virtual IP (VIP) address

The IP address assigned to a specific Service. A client uses the Virtual IP address to connect to the
load-balanced Service. The Virtual IP address must be different than the WAN IP address of the
Barracuda Load Balancer.

Real Server

One of the systems that perform the actual work of the load-balanced Service. The Barracuda Load
Balancer assigns new connections to it as determined by the scheduling policy in effect for the Service.

Server Farm

A collection of Real Servers.

Client

The entity requesting connection to a load-balanced Service. Clients may be external or internal.

Persistence

A returning connection is routed to the same Real Server that handled a previous request from the same
client within a specified time. Examples of Services that may need persistence settings are websites that
have shopping carts or require some sort of login. See Persistence Settings on page 44.

Scheduling policy

Specifies how the Barracuda Load Balancer determines which Real Server is to receive the next
connection request. Each Service can be configured with a different policy. More information can be
found in Selecting a Scheduling Policy on page 46.

Route-Path
Bridge-Path

Deployment modes for the Barracuda Load Balancer. They differ in how the Real Servers are connected.
Details and benefits of each mode can be found in the sections Route-Path (Recommended) on page 18
and Bridge-Path on page 24.

Direct Server Return

Option that is enabled on individual Real Servers. However, because it can affect how a deployment is
designed, it is often treated as a mode of its own. More details on this can be found in the section on
Direct Server Return on page 26.

Logical Network

A collection of systems on an isolatable subnet. In Route-Path mode, for example, all systems
associated with the LAN interface would be in one (or more) logical network(s) 10.1.1.x, and all systems
connected to the WAN interface would be in another logical network of 192.168.1.x.

Physical Network

A group of systems that are physically connected to each other, usually over a switch or VLAN.

WAN IP Address

The IP address associated with the port that connects the Barracuda Load Balancer to the WAN. It may
be used to access the web administration interface.
This address must be different than the Virtual IP addresses assigned to the Services.

High Availability

Two Barracuda Load Balancers can be joined as an active-passive pair in a cluster. The active system
performs the load-balancing while the passive one monitors it, ready to take over operations if the first
one fails. For more information, see Creating a High Availability Environment on page 60.

One-armed Mode

The WAN port is used for both external and internal traffic that passes through the Barracuda Load
Balancer.

Two-armed Mode

The Barracuda Load Balancer is deployed in-line, using both the WAN and LAN ports. The Virtual IP
addresses and the Real Servers must be on different subnets.

Deployment Options Overview


Services on the Barracuda Load Balancer can be deployed in the following three modes:

Route-Path
Bridge-Path
Direct Server Return

All of these deployment modes require specific network configurations. The Barracuda Load
Balancer must be in either Route-Path or Bridge-Path mode. Direct Server Return is an option that
you may choose for each Real Server.
Choose the deployment mode for the Barracuda Load Balancer based on the type of network
configuration that currently exists at your site as well as on the types of Services you wish to load
balance. Route-Path is recommended over Bridge-Path because it provides a more robust
deployment. Enabling the Direct Server Return option is recommended only for Real Servers that
generate a much greater volume of outbound traffic relative to the inbound traffic.

Service Types
A Service is the access point that the client uses for the functionality provided by the Real Servers.
There are multiple Service types supported by the Barracuda Load Balancer. Because the choice of
Service type may affect the deployment method, this table gives a brief overview.

Table 2.2: Service Types

Service Type: Layer 4 - TCP, Layer 4 - UDP
Description: Traffic passes in half-NAT mode, meaning the destination IP address is changed to that of the Real Server, but the source IP address remains intact.

Service Type: TCP Proxy, UDP Proxy, Layer 7 - HTTP, Layer 7 - FTP, Layer 7 - RDP
Description: Traffic passes in full-NAT mode, meaning that both the source and destination IP addresses are changed. The Barracuda Load Balancer acts as a full proxy. Connections from the client are terminated at the Barracuda Load Balancer and new ones are established between the Barracuda Load Balancer and the Real Servers.

Service Type: Secure TCP Proxy, Layer 7 - HTTPS, Layer 7 - FTPS
Description: Same description as their non-secure counterparts. In addition, Services with this type perform SSL offloading using a certificate that is specified when the Service type is selected.

Route-Path (Recommended)
This section describes the Route-Path method of deployment. It includes the following:
Introduction to Route-Path
Sample Network Situations
Two-Armed Route-Path with Layer 4 Load Balancing
Route-Path Configured with TCP Proxy, UDP Proxy or a Layer 7 Service Type
One-Armed Route-Path using TCP Proxy, UDP Proxy, or Layer 7 Service Types
Two-Armed Route-Path with TCP Proxy, UDP Proxy or Layer 7 Service Types
About Multiple Network Adapters on Real Servers

Introduction to Route-Path
Route-Path is the most commonly used deployment method. If a Service type of Layer 4 - UDP or
Layer 4 - TCP is used in a two-armed deployment, the Barracuda Load Balancer has to be the default
gateway for all downstream Real Servers. For all other cases, the Real Servers and VIP addresses can
be positioned in a variety of ways.
The following table provides an overview of the Route-Path deployment options.

Table 2.3: Route-Path Deployment Options

Type of Traffic: TCP or UDP
Topology Options (Route-Path): Two-armed. Usually the recommended deployment for Layer 4 traffic.
Service Type: Layer 4 - UDP, Layer 4 - TCP
Notes: Barracuda Load Balancer has to be the default gateway for all downstream Real Servers.

Type of Traffic: UDP
Topology Options (Route-Path): One- or two-armed.
Service Type: UDP Proxy
Notes: UDP Proxy supports persistence using both client IP address and port. Many UDP applications involve all client requests coming from one client IP address. A Service with type UDP Proxy and configured with persistence of client IP port number distributes traffic across all of the Real Servers. Layer 4 - UDP Services only consider client IP address.

Type of Traffic: TCP
Topology Options (Route-Path): One- or two-armed. Two-armed is recommended for best performance.
Service Type: TCP Proxy
Notes: Can keep IP addresses of the Real Servers. There is a TCP connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.

Type of Traffic: TCP or UDP
Topology Options (Route-Path): One-armed. Best performance if almost all traffic is outgoing.
Service Type: Layer 4 - TCP or Layer 4 - UDP with Real Servers in Direct Server Return mode
Notes: Requires loopback adapter on each Real Server. Can keep IP addresses of the Real Servers. SSL offloading and other Layer 7 capabilities are not supported.

Type of Traffic: TCP with SSL processing offloaded to the Barracuda Load Balancer
Topology Options (Route-Path): One- or two-armed. Two-armed is recommended for best performance.
Service Type: Secure TCP Proxy
Notes: Can keep IP addresses of Real Servers. There is a TCP connection between Barracuda Load Balancer and Real Server. Any response goes back to Barracuda Load Balancer.

Type of Traffic: HTTP (web servers)
Topology Options (Route-Path): One- or two-armed.
Service Type: Layer 7 - HTTP or Layer 7 - HTTPS
Notes: Can keep IP addresses of the Real Servers. There is a TCP connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.

Type of Traffic: FTP (FTP servers)
Topology Options (Route-Path): One- or two-armed.
Service Type: Layer 7 - FTP or Layer 7 - FTPS
Notes: Can keep IP addresses of the Real Servers. There is a TCP connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.

Type of Traffic: Remote Desktop Services
Topology Options (Route-Path): One- or two-armed. Two-armed is recommended for best performance.
Service Type: Layer 7 - RDP
Notes: Can keep IP addresses of the Real Servers. There is a TCP connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.

Sample Network Situations


To assist you in deciding how to deploy the Barracuda Load Balancer in your network, here are some
common cases with suggested deployments. All of these cases use a Route-Path deployment.
1. The Barracuda Load Balancer provides Layer 4 load balancing of TCP/IP traffic.
Use two-armed Route-Path with one or more Layer 4 - TCP Services.

2. The Barracuda Load Balancer provides Layer 4 load balancing of UDP traffic.
Use two-armed Route-Path with one or more Layer 4 - UDP Services.

3. The Barracuda Load Balancer provides SSL offloading and Layer 4 load balancing of TCP/IP
traffic.
Use a one- or two-armed Route-Path with one or more Secure TCP Proxy Services. If you
use one-armed Route-Path, you will not need to reconfigure the IP addresses of the Real
Servers. Two-armed Route-Path provides better performance.

4. The Real Servers are on the same subnet as the Barracuda Load Balancer and the configuration
cannot be changed.
Use one-armed Route-Path with a TCP Proxy Service (or a Secure TCP Proxy Service if
SSL offloading is required). Or, if almost all of the traffic is outbound, use Direct Server
Return with a Layer 4 Service.

5. There is an existing IT infrastructure using Windows where the web servers need to
communicate with systems such as Active Directory Domain Services, ISA Servers or domain
controllers. To avoid changing those network settings, either:
Use one-armed Route-Path with a TCP Proxy Service.
Use Direct Server Return with a Layer 4 Service.
For best performance, the recommended deployment is to use a two-armed Route-Path with a
Layer 4 Service.

6. The outbound traffic is far greater than the inbound traffic, for example, if the Real Servers are
providing streamed audio or visual media.
Use Direct Server Return with a Layer 4 Service to increase throughput.

7. There is a need to remotely administer the Real Servers individually.
Create new Services, each of which only load balances a single Real Server.
Deploy the Real Servers in a one-armed mode where they are on the WAN side of the
Barracuda Load Balancer and serving a TCP Proxy Service.
Or, deploy the Real Servers on the WAN side in Direct Server Return mode serving a
Layer 4 Service.

More deployment examples are presented in the rest of this chapter.


Two-Armed Route-Path with Layer 4 Load Balancing


If you are planning to use the Barracuda Load Balancer to provide Layer 4 load balancing of TCP/IP
or UDP traffic, this is usually the best option for your situation.
If you want the Barracuda Load Balancer to provide SSL offloading for TCP/IP traffic, use a Service
type of Secure TCP Proxy instead. See Route-Path Configured with TCP Proxy, UDP Proxy or a
Layer 7 Service Type on page 20.
Deploying the Barracuda Load Balancer in a two-armed Route-Path configuration requires changing
the IP addresses of all of the Real Servers, but gives greater performance. If a Service type of Layer
4 is used, the Barracuda Load Balancer has to be able to handle the responses to client requests that
are issued by the Real Servers. To do this, make the Barracuda Load Balancer the default gateway for
all downstream Real Servers.

Figure 2.1: Two-armed Route-Path network with Layer 4 Services

Route-Path Configured with TCP Proxy, UDP Proxy or a Layer 7 Service Type
Choosing a Service type of TCP Proxy, UDP Proxy or one of the Layer 7 Service types makes the
Barracuda Load Balancer act as a full proxy. Connections from the client are terminated at the
Barracuda Load Balancer and new ones are established between the Barracuda Load Balancer and the
Real Servers.
Using one of these Service types allows the Real Servers to be located anywhere, as long as they can
be routed to by the Barracuda Load Balancer (e.g. on the same subnet or VLAN or pre-configured
static routes). This can be used in one-armed configurations for applications like Microsoft Exchange
Server or Microsoft Office Communications Server as well as for custom applications. In two-armed
configurations, Real Servers can access the VIP addresses of any TCP Proxy, UDP Proxy, or Layer
7 Services that are on the same side of the Barracuda Load Balancer.
There are multiple alternatives for configuration when using the Barracuda Load Balancer in the
Route-Path mode with one or more TCP Proxy, UDP Proxy, or Layer 7 Services:

Some or all of the Real Servers are on the same subnet as the LAN IP address.
Some or all of the Real Servers are on the same subnet as the WAN IP address.
Some or all of the Real Servers are on the same VLAN as the Barracuda Load Balancer.
Some or all of the Real Servers are on a different subnet than either the WAN or LAN IP address
but accessible through static routes.
Some or all of the Real Servers are on a different subnet and responding to a TCP Proxy, UDP
Proxy, or Layer 7 Service.
Virtual IP addresses are on the same subnet as the WAN interface of the Barracuda Load
Balancer, and Real Servers on a subnet separate from the VIPs.
Virtual IP addresses are on the same subnet as the LAN interface of the Barracuda Load
Balancer and Real Servers on a subnet separate from the VIPs.

One-Armed Route-Path using TCP Proxy, UDP Proxy, or Layer 7 Service Types
A one-armed route-path topology either has all of the Real Servers and the VIP addresses on the WAN
or (less commonly) all of the Real Servers and the VIP addresses on the LAN.
If the Service type is Layer 4 - TCP or UDP, the Real Servers will need to be configured in Direct
Server Return mode. See Direct Server Return on page 26 for details.
Alternatively, use the TCP Proxy Service type, the UDP Proxy Service type or one of the Layer 7
Service types. This provides a quick way to insert the Barracuda Load Balancer into an existing
infrastructure with minimal changes to the network. No changes are required to the IP addresses of
the Real Servers. The Barracuda Load Balancer may be on the same subnet as the Real Servers.
Alternatively, the Real Servers are reachable through a router from the Barracuda Load Balancer.
Figure 2.2 shows a WAN-side deployment using one-armed route-path and TCP Proxy, UDP Proxy
or Layer 7 Services. The gateway IP address of the Real Servers remains the same as it was before
the introduction of the Barracuda Load Balancer to the network. All of the Virtual IP addresses and
IP addresses of the Real Servers are connected to the WAN port.

Figure 2.2: One-armed Route-Path using TCP Proxy, UDP Proxy, or a Layer 7 Service

If desired, you can keep an externally accessible IP address on a Real Server so that external clients
can still access that address (for example, for FTP) only on that one system. Because configuration
changes are not required, only that traffic which needs to be load balanced passes through the
Barracuda Load Balancer.
Figure 2.3 shows an example of a one-armed route path deployment using TCP Proxy Services. In
this case, the Services are provided by multiple Barracuda Spam & Virus Firewalls and Email servers.

Figure 2.3: One-armed TCP Proxy Service with Barracuda Spam & Virus Firewalls

As shown in the diagram, email passes through this network in the following way:
#1 Email is sent to the VIP address for the TCP Proxy Service that represents the Barracuda Spam & Virus Firewalls.
#2 It is directed to the appropriate Barracuda Spam & Virus Firewall for processing.
#3 After passing spam and virus checks, the email is sent to the VIP address for the email Service.
#4 The Barracuda Load Balancer load balances the email traffic and passes it to an email server.

Two-Armed Route-Path with TCP Proxy, UDP Proxy or Layer 7 Service Types
Figure 2.4 shows a network where there are Virtual IP addresses available on both the WAN and
LAN side. Clients coming from the Internet or intranet can access the database or web Service. On
the LAN side, the web servers can access the database Service.
Two-armed Route-Path with a Service with type Layer 7 - RDP is the recommended configuration
when deploying the Barracuda Load Balancer in a Microsoft Terminal Services environment.

Figure 2.4: Two-armed TCP Proxy, UDP Proxy, or Layer 7 Service

About Multiple Network Adapters on Real Servers


Real Servers that are on multiple networks simultaneously may break the route path. If a Real Server
has more than one network adapter enabled, which gives traffic an alternate route around the
Barracuda Load Balancer, the deployment will not work properly even though it may appear to work
initially. There are two exceptions where Real Servers may have multiple network adapters:

The networks that the Real Servers are on are isolated from each other and cannot access the
WAN network without going through the Barracuda Load Balancer.
Static routes for incoming and outgoing traffic for each IP address of each Real Server have
been defined.

Bridge-Path
Bridge-Path deployment entails placing the Barracuda Load Balancer inline with your existing IP
infrastructure so that it can load balance the Real Servers without changing IP addresses. The LAN
interface must be on the same logical switch as the Real Servers. The WAN and LAN interfaces must
be on physically separate networks.
If you are considering using a Bridge-Path deployment because you want to avoid changing the IP
addresses of your Real Servers, we recommend that you instead use a TCP Proxy Service and Route-Path.

The following table describes the advantages and disadvantages of deploying your Barracuda Load
Balancer in Bridge-Path mode.

Advantages
Minimal network changes since the existing IP infrastructure is reused. Real Servers keep their existing IP addresses.

Disadvantages
Separate physical networks required for downstream Real Servers
Less resilient to network misconfigurations
Improper configuration of a Bridge-Path network may result in a broadcast storm, resulting in network outages

Figure 2.5: Sample Bridge-Path network layout

Deploying Bridge-Path
In Bridge-Path mode, the Real Servers must be physically isolated behind the Barracuda Load
Balancer. This means that each Real Server is no longer visible on the network if the Barracuda Load
Balancer becomes unavailable (a separate switch is required for models 440 and below). The Real
Servers must be on the same subnet and logical network as the Barracuda Load Balancer, the VIPs,
and the rest of the WAN, and they must specify the same gateway as the Barracuda Load Balancer.
Make sure that the Operating Mode of the Barracuda Load Balancer is set to Bridge-Path on the
Basic > IP Configuration page. The LAN IP Address on the same page is not used.

Direct Server Return


Direct Server Return (DSR) is an option associated with a Real Server which allows for increased
outbound traffic throughput when performing sustained uploads, such as streamed audio or visual
media. With DSR, connection requests and incoming traffic are passed from the Barracuda Load
Balancer to the Real Server, but all outgoing traffic goes directly from the Real Server to the client.
Because the Barracuda Load Balancer does not process the outgoing traffic in DSR mode, Layer 7
Service types (HTTP, FTP, UDP, TCP Proxy and RDP), SSL offloading and cookie persistence are
not supported with DSR.
Using DSR requires enabling a non-ARPing loopback adapter on each Real Server. Additionally,
your applications may need to be explicitly bound to the loopback adapter. Instructions for enabling
a loopback adapter can be found in Deploying Direct Server Return on page 27.
You may have DSR servers and non-DSR servers running the same Service. Real Servers that are in
DSR mode must be on the same subnet as the WAN of the Barracuda Load Balancer.
The following table summarizes the advantages and disadvantages of deploying your Real Servers in
DSR mode.

Advantages
Ideal for high-bandwidth requirements such as content delivery networks
Keeps existing IP addresses of Real Servers

Disadvantages
Requires flat network topology
Requires non-ARPing loopback adapter on Real Servers
Client IP persistence only
Only Layer 4 load balancing is supported
HTTP, TCP Proxy, UDP Proxy, FTP and RDP are not supported
SSL offloading is not supported.
No actions can be performed on the response headers and data (e.g. caching, compression, URL rewrites).

See Figure 2.6 for an example of a DSR deployment.

Figure 2.6: Sample Direct Server Return, one-armed architecture

As shown in the diagram, this is how Direct Server Return works:


#1 The request comes to the switch and is passed to the VIP address on the Barracuda Load Balancer.
#2 A Real Server is selected, and the destination MAC address in the data frame of the packet is changed to the MAC address of that Real Server.
#3 The packet is then placed back on the network.
#4 Because the VIP address is bound to the Real Server's loopback interface, the Real Server accepts the packet.
#5 The Real Server responds directly to the client using the VIP address as the source IP address.

Direct Server Return with Bridge-Path


DSR in conjunction with Bridge-Path deployment is not supported.

Deploying Direct Server Return


DSR uses a flat network topology at the Layer 2 (Switching) and Layer 3 (IP) levels, which means
that the Barracuda Load Balancer, VIP addresses, and Real Servers all must be within the same IP
network and connected on the same switch. Figure 2.6 above shows this topology. Each Real Server
must be one hop away from the Barracuda Load Balancer and using the WAN port. The switch of the
Real Servers must be directly connected into the WAN port of the Load Balancer, or connected to a
series of switches that eventually reach the WAN port of the Load Balancer without going through
any other networking devices.

If you specify Route-Path deployment for the Barracuda Load Balancer, but only use Real Servers
with Direct Server Return enabled, the physical LAN port is used for management or not at all.
On the Basic > Services page, each Real Server listed under each Service must individually be
configured for Direct Server Return mode. Edit each Real Server and select Enable for the Direct
Server Return option.

Notes on DSR Deployment


When deploying Real Servers in Direct Server Return mode, note the following:

The Barracuda Load Balancer needs to have the WAN adapter plugged into the same switch or
VLAN as all of the Real Servers.
The WAN IP, all VIPs, and all of the Real Servers that use Direct Server Return must be on the
same IP subnet.
Each Real Server needs to recognize the VIP as a local address. This requires enabling of a non-ARPing virtual adapter such as a loopback adapter and binding it to the VIP address of the load-balanced Service. Because this is not a true adapter, there should be no gateway defined in the
TCP/IP settings for this adapter.
Real Servers accepting traffic from multiple VIPs must have a loopback adapter enabled for
each VIP. Additionally, the applications on each Real Server must be aware of both the Virtual
IP address as well as the real IP addresses.
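
The addressing rules in these notes (WAN IP, VIPs and DSR Real Servers on one subnet, and no VIP equal to the WAN IP) can be checked against a deployment plan before any cabling is changed. The following shell functions are an added example, not part of the Barracuda documentation; the function names and every address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Barracuda guide): check planned DSR addressing
# against the rules in the notes above. All addresses are constructed samples.

# ip_to_int ADDR: print a dotted-quad IPv4 address as an integer.
# Returns 1 for anything that is not four decimal octets in 0..255.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            # Reject leading zeros (read as octal in arithmetic) and >3 digits.
            case "$octet" in 0?*|????*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
        echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    )
}

# network_of ADDR NETMASK: print the network address as an integer.
network_of() {
    n_ip=$(ip_to_int "$1") || return 1
    n_mask=$(ip_to_int "$2") || return 1
    echo $(( n_ip & n_mask ))
}

# check_dsr_addressing WAN_IP NETMASK "VIP ..." "REAL_SERVER ..."
# Prints one line per violation and returns the number of violations.
check_dsr_addressing() {
    wan=$1; mask=$2; vips=$3; reals=$4; bad=0
    wan_net=$(network_of "$wan" "$mask") || {
        echo "invalid WAN IP or netmask"
        return 1
    }
    # Rule: a VIP must be different from the WAN IP address.
    for a in $vips; do
        if [ "$a" = "$wan" ]; then
            echo "VIP $a equals the WAN IP"
            bad=$((bad + 1))
        fi
    done
    # Rule: WAN IP, all VIPs and all DSR Real Servers share one IP subnet.
    for a in $vips $reals; do
        net=$(network_of "$a" "$mask") || net=invalid
        if [ "$net" != "$wan_net" ]; then
            echo "$a is not on the WAN subnet"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed plan: one VIP collides with the WAN IP and one Real Server
# sits on a different subnet, so two violations are reported.
check_dsr_addressing 192.168.4.10 255.255.255.0 \
    "192.168.4.217 192.168.4.10" "192.168.4.21 192.168.5.22" ||
    echo "violations found: $?"
```

The check covers Layer 3 addressing only; whether the Real Servers share a switch or VLAN with the WAN port still has to be confirmed on the network itself.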

Deployment in a Linux Environment


To add a non-ARPing adapter to a Real Server running Linux, add an alias to the lo (loopback)
adapter. The following commands are examples of how to do this for some versions of Linux. Consult
your operating system vendor if you need more details about how to add a non-ARPing loopback
adapter.
1. Edit your rc.local file (usually located at /etc/rc.d/rc.local) and add the following:
sysctl -w net.ipv4.conf.lo.arp_ignore=1
sysctl -w net.ipv4.conf.lo.arp_announce=2
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ifconfig <interface_name> <ip_address> netmask 255.255.255.255 -arp up

where:
<interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2)
<ip_address> is the Virtual IP Address for the Service

For example:
ifconfig lo:1 192.168.4.217 netmask 255.255.255.255 -arp up

2. httpd.conf must have a VirtualHost entry for the VIPs. Edit the file to add these two lines:
listen <virtual_ip_address>:80
listen <real_ip_address>:80

where:
<virtual_ip_address> is the Virtual IP Address for the Service
<real_ip_address> is the actual IP Address for the Real Server

3. To check if the loopback adapter is working, make sure the Real Server is bound to the loopback
adapter's IP address. Output from the ifconfig command should show the presence of the
loopback adapter.
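
One way to script the check in step 3 and to confirm that the settings from steps 1 and 2 are in effect, as an added example that is not part of the Barracuda guide. It assumes the iproute2 `ip` command in place of ifconfig and an Apache-style httpd.conf; the function names and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the Barracuda guide): verify a Linux Real Server
# after the three DSR steps above.

# arp_settings_ok [ROOT]: compare the four ARP sysctls with the values from
# step 1. ROOT defaults to /proc/sys; a test can pass a directory tree with
# the same layout. Prints each mismatch and returns 1 if there is any.
arp_settings_ok() {
    root=${1:-/proc/sys}
    rc=0
    for want in lo/arp_ignore=1 lo/arp_announce=2 \
                all/arp_ignore=1 all/arp_announce=2; do
        key=${want%=*}
        val=${want#*=}
        got=$(cat "$root/net/ipv4/conf/$key" 2>/dev/null) || got=unreadable
        if [ "$got" != "$val" ]; then
            echo "net.ipv4.conf.$(echo "$key" | tr / .) is $got, expected $val"
            rc=1
        fi
    done
    return "$rc"
}

# vip_on_loopback VIP: reads `ip -o -4 addr show dev lo` output on stdin and
# succeeds only if VIP is bound to lo with a 255.255.255.255 (/32) netmask.
vip_on_loopback() {
    awk -v want="$1/32" '
        $2 == "lo" && $3 == "inet" && $4 == want { found = 1 }
        END { exit !found }'
}

# apache_listens FILE ADDR PORT: succeeds if FILE contains an active
# "listen ADDR:PORT" line; commented-out lines do not count.
apache_listens() {
    awk -v want="$2:$3" '
        tolower($1) == "listen" && $2 == want { found = 1 }
        END { exit !found }' "$1"
}

# Constructed sample of `ip -o -4 addr show dev lo` after the ifconfig
# command from step 1 has been run with the guide's example VIP.
sample_lo='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 192.168.4.217/32 scope global lo:1\       valid_lft forever preferred_lft forever'

printf '%s\n' "$sample_lo" | vip_on_loopback 192.168.4.217 &&
    echo "VIP is bound to lo with a /32 netmask"

# On a live Real Server the same checks would be run as:
#   arp_settings_ok
#   ip -o -4 addr show dev lo | vip_on_loopback <virtual_ip_address>
#   apache_listens /path/to/httpd.conf <virtual_ip_address> 80
```

A VIP bound to lo with a wider netmask than /32 fails the check, since that binding does not match the command given in step 1.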

Deployment in a Windows/XP Environment


For information on how to add a non-ARPing adapter in a Windows/XP environment, refer to
http://support.microsoft.com/kb/839013. Or, check the Microsoft Support Site for your operating system.
Applications running on Microsoft Real Servers must be configured to accept traffic received on the
VIP addresses (the loopback IP addresses). To do this, add the VIP addresses to IIS (Internet
Information Services) on each Real Server. The VIP addresses must be listed above the real IP address
of the Real Server. Associate the website or application with the VIP addresses.

Deployment in a Microsoft Windows Server 2003 or 2008 Environment


To make servers that are running Microsoft Windows Server 2003 and Windows Server 2008 ready
for DSR, there are several steps that must be taken on each server.

Table 2.4: Steps to make Microsoft Windows Server 2003 and 2008 ready for DSR
DSR in a Microsoft Windows Server 2003 or 2008 Environment
Disable the Windows firewall. Enable traffic to the loopback adapter.
Install the loopback adapter.
Configure the loopback adapter. In particular, stop the loopback adapter from responding to ARP
requests. Remember that the loopback adapter has the same IP address as the VIP address.
Make the Windows networking stack use the weak host model. This step is required to allow the
modified packet to be accepted by Windows Server 2008 servers.
If you are using IIS, add the loopback adapter to your site bindings. You need to ensure that the IP
address for the loopback adapter is included in the site bindings in IIS.

These detailed instructions describe how to deploy DSR in a Windows Server 2003 or 2008
environment. Perform these steps for each server.
1. Disable the Windows firewall.

For Microsoft Windows Server 2003 and Windows Server 2008 you need to disable the built-in
firewall or manually change the rules to enable traffic to and from the loopback adapter. By default,
the Windows firewall blocks all connections to the loopback adapter.

2. Install the loopback adapter.

2a. For Windows Server 2003: to install the Microsoft loopback adapter refer to
http://support.microsoft.com/kb/842561. This note describes how to install the loopback
adapter. Follow the instructions in Method 1. When done, proceed to step 3.
2b. For Windows Server 2008 or Windows Server 2008 R2, follow these instructions to
install a loopback adapter on one server:

1. Open Device Manager. On the Start menu, click Run and type devmgmt.msc at the
prompt.
2. Right-click on the server name and click Add legacy hardware.
3. When prompted by the wizard, choose to Install the hardware that I manually select
from a list (Advanced).
4. Find Network Adapter in the list and click Next.
5. From the listed manufacturers select Microsoft and then Microsoft Loopback
Adapter. See Figure 2.7.

Figure 2.7: Adding a loopback adapter in Windows Server 2008

6. This adds a new network interface to your server.


3. Configure the loopback adapter.

After the loopback adapter is installed, follow these steps to configure it:
3a. In Control Panel, double-click Network and Dial up Connections.
3b. Right-click the newly installed loopback adapter and click Properties.
3c. Click to clear the Client for Microsoft Networks check box.
3d. Click to clear the File and Printer Sharing for Microsoft Networks check box.
3e. Click TCP/IP properties.
3f. Enter the VIP address and the subnet mask.
3g. Click Advanced.
3h. Change the Interface Metric to 254. This stops the adapter from responding to ARP
requests.
3i. Click OK.

4. Make the Windows networking stack use the weak host model.

If you are using Windows Server 2003, you can skip to the next step. If you are using Windows Server
2008 or Windows Server 2008 R2, this step tells you how to make the Windows networking stack use
the weak host model (which is the same model used in Windows Server 2003).
DSR works by modifying the destination MAC address of the incoming traffic to one of the Real
Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used
a weak host model which allowed the host to receive packets on an interface not assigned as the
destination IP address of the packet being received. With Windows Server 2008, Microsoft has
implemented a strong host model which breaks the method that DSR uses.
Open a command prompt with elevated permissions. To determine the interface ID for both the
loopback adapter and the main NIC on the server, type:
netsh interface ipv4 show interface

Note the IDX for both the main network interface and the loopback adapter you created. If you have
not changed the interface names for this server then usually the main NIC will display as Local Area
Connection and the loopback adapter will be named Local Area Connection 2.
An entry will be displayed that includes the IDX numbers for both your loopback adapter and your
Internet facing NIC. For each of these adapters enter these three commands:
netsh interface ipv4 set interface <IDX number for Server NIC> weakhostreceive=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostreceive=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostsend=enabled

For example:
netsh interface ipv4 set interface 23 weakhostreceive=enabled
netsh interface ipv4 set interface 24 weakhostreceive=enabled
netsh interface ipv4 set interface 24 weakhostsend=enabled
5. If you are using IIS, add the loopback adapter to your site bindings.

By default, IIS includes all interfaces, however, if you have configured a site to be bound to an
individual IP address, you need to ensure that the IP address for the loopback adapter (your VIP
address) is also included in the site bindings in IIS.
Follow these steps to bind the loopback adapter, referring to Figure 2.8:
5a. Open the Internet Information Services (IIS) Manager.
5b. Expand the Sites Folder.
5c. Click Default Web Site or the name of the site you are modifying.
5d. Click Bindings on the Actions panel.
5e. Click Add... and click HTTP or HTTPS in the Type list. Enter the IP address of your
loopback adapter and the port. Click OK.
5f. On the Actions panel click Restart under Manage Web Site to ensure the new bindings
take effect.

Figure 2.8: Add Site Binding using IIS

Verifying DSR Deployment


When you are done adding the loopback adapters, try to ping the Real Servers and the VIP, and telnet
to the Real Servers. If the ping doesn't work or if in response to the telnet you get a connection refused
from the VIP, then the loopback adapter has not been configured correctly.
Try to verify that the loopback adapters are non-ARPing. On either Linux or Windows systems, use
the arp -a command. Also, check the system's event logs to check for IP address conflicts.
If, later, once the Service is set up, the client tries to connect but is unable to access the application,
then the IIS (Windows) or application has not been associated with the real IP address and the VIP.
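The non-ARPing check described above can be automated by parsing saved arp -a output. The following Python code is an added example, not part of the Barracuda guide; it assumes the output was captured on a host in the same subnet as the VIP, and the VIP, the MAC addresses and both sample tables are constructed for illustration.

```python
import re

# One ARP entry: an IPv4 address followed later on the line by a MAC address,
# written with '-' (Windows arp -a) or ':' (Linux arp -a) separators.
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D.*?"
    r"\b(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so both OS formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: {mac, ...}} for every resolved entry in arp -a output."""
    table = {}
    for line in text.splitlines():
        match = _ENTRY.search(line)
        if match:  # header lines and <incomplete> entries carry no MAC
            table.setdefault(match.group("ip"), set()).add(
                normalize_mac(match.group("mac")))
    return table


def check_vip(arp_text, vip, lb_macs, real_server_macs):
    """Classify what the ARP table says about the VIP.

    In a DSR deployment only the load balancer should answer ARP for the VIP.
    A Real Server MAC listed for the VIP means its loopback adapter is ARPing.
    """
    lb = {normalize_mac(m) for m in lb_macs}
    rs = {normalize_mac(m) for m in real_server_macs}
    seen = parse_arp_table(arp_text).get(vip, set())
    if not seen:
        return ("no-entry", [])
    leaking = sorted(seen & rs)
    if leaking:
        return ("real-server-answers-arp", leaking)
    unknown = sorted(seen - lb)
    if unknown:
        return ("unknown-mac", unknown)
    return ("ok", [])


# Constructed sample values (not taken from the guide).
VIP = "192.168.200.210"
LB_MACS = ["02-00-00-00-0A-01"]
RS_MACS = ["02:00:00:00:0b:01", "02:00:00:00:0b:02"]

# Constructed Windows-style output: the VIP resolves to the load balancer.
WINDOWS_ARP = """
Interface: 192.168.200.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.200.1         02-00-00-00-00-01     dynamic
  192.168.200.210       02-00-00-00-0a-01     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed Linux-style output: the VIP resolves to a Real Server.
LINUX_ARP = """
? (192.168.200.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.168.200.210) at 02:00:00:00:0B:02 [ether] on eth0
? (192.168.200.60) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for label, text in (("windows", WINDOWS_ARP), ("linux", LINUX_ARP)):
        print(label, check_vip(text, VIP, LB_MACS, RS_MACS))
```

A result of real-server-answers-arp identifies, by MAC address, the Real Server whose loopback adapter still needs the configuration from step 3.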

Virtual Appliance Deployment


Barracuda Networks offers a virtual appliance version of the Barracuda Load Balancer to provide
organizations a way to save money, simplify deployments and reduce their environmental footprint.
As an organization grows, virtual appliances can be easily scaled for performance and capacity and
also lend themselves to quicker backup and disaster recovery. The Barracuda Load Balancer Vx
virtual appliance easily integrates with a number of virtual environments including Microsoft Hyper-V, Sun/Oracle VirtualBox and VirtualBox OSE, Citrix Xen Server, and VMware ESX, ESXi and
VirtualBox.

You can deploy the Barracuda Load Balancer Vx only in Route-Path mode. Bridge-Path deployment
is not supported. One common option is to use a Service type of TCP Proxy in a one-armed Route-Path deployment, where the WAN port of the Barracuda Load Balancer is used for all load-balanced
traffic, as shown in Figure 2.9.

Figure 2.9: One-armed Route-Path deployment

Another is a two-armed Route-Path deployment, where the Barracuda Load Balancer is deployed
in-line, performing a NAT from the WAN network to the LAN, as shown in Figure 2.10.

Figure 2.10: Two-armed Route-Path deployment

Getting Started
Before downloading and installing a Barracuda Load Balancer Vx, you will need the following:

A configured server running a virtualization platform.
Your license token from the email you received from Barracuda Networks Customer Services.
The virtualization platform client installed on your local machine.
6 GB of free space on your VM client (local) machine if you are using the ZIP download method
of getting the virtual machine image.
40 GB hard disk space on the server.
RAM: 340Vx: 2GB - 1 core, 440Vx: 2GB - 2 cores, 640Vx: 4GB - 4 cores
On the server, one NIC for a one-armed deployment and two NICs for a two-armed deployment.
If you plan to use a two-armed deployment, the first installed NIC is the WAN and the second
installed NIC is the LAN.

Backing Up the VM System State


Virtual machine environments generally provide a snapshot capability, which captures the state of
a system as it is running. Once a snapshot is created, you can perform additional operations on the
system and revert to the snapshot in the case of disaster recovery (or for any other reason). Because
this feature is so powerful, Barracuda Networks strongly recommends performing a snapshot at
certain points in time:

Before upgrading the VM firmware.
Before making major changes to your configuration (this makes snapshotting a convenient
undo mechanism).
After completing and confirming a large set of changes, such as initial configuration.
As a periodic backup mechanism.

Barracuda Networks also strongly recommends that you review your virtual environment
documentation regarding snapshotting capabilities and be familiar with its features and limitations.

Chapter 3
Getting Started
This chapter provides instructions for installing the Barracuda Load Balancer. It includes the
following topics:
Initial Setup
A similar process is described in the Barracuda Load Balancer Quick Start Guide.

Initial Setup
These are the general steps to set up your Barracuda Load Balancer. For more detailed instructions
for each step, see the following reference pages.
Preparing for Installation
Connecting the Barracuda Load Balancer to the Network
Configuring WAN IP Address and Network Settings
Configuring Your Corporate Firewall
Configuring the Barracuda Load Balancer
Updating the Barracuda Load Balancer Firmware
Verifying Your Subscription Status
Updating the IPS Definitions

Preparing for Installation


Before installing your Barracuda Load Balancer, complete the following tasks:

Decide which type of deployment is most suitable to your network. For more information on the
deployment options, see Deployment Options Overview on page 17.
Make any necessary changes to your network, according to your chosen method of deployment.
Identify the ports used by the services or applications that you want to load-balance.
Verify you have the necessary equipment:
Barracuda Load Balancer (check that you have received the correct model)
AC power cord
Ethernet cables
Mounting rails and screws
VGA monitor (recommended)
PS2 keyboard (recommended)

Connecting the Barracuda Load Balancer to the Network


1. Fasten the Barracuda Load Balancer to a standard 19-inch rack or other stable location.

2. Connect the Barracuda Load Balancer to your network:

2a. Connect a CAT5 Ethernet cable from the WAN interface on the Barracuda Load
Balancer to the network switch through which the traffic destined to the VIP addresses
will be routed.
2b. For models 240, 340 and 440: Connect a CAT5 Ethernet cable from the LAN interface
on the Barracuda Load Balancer to the network switch where the Real Servers reside. If
desired, connect a CAT5 Ethernet cable from the Ethernet port on the back of the
appliance to the network switch for your management network.
2c. For model 640 only: Connect Port 1 through Port 2 to the Real Servers. Connect a
CAT5 Ethernet cable from the MGMT interface on the front of the Barracuda Load
Balancer to the network switch for your management network.

3. Connect the following to your Barracuda Load Balancer:

Power cord. AC input voltage range is 100-200 volts at 50/60 Hz.
VGA monitor
PS2 keyboard
After you connect the AC power cord, you may hear the fan operate for a couple of seconds and
then power off. This behavior is normal.

4. Press the Power button located on the front of the unit.

You will see the login prompt for the administrative console appear on the monitor and the
power light on the front of the Barracuda Load Balancer turn on. For a description of each
indicator light, refer to the section that describes the model of your Barracuda Load Balancer in
Front Panel of the Barracuda Load Balancer on page 94.

Configuring WAN IP Address and Network Settings


The Barracuda Load Balancer is assigned a default WAN IP address of 192.168.200.200.
To set a new WAN IP address from the administrative console:
1. Connect your keyboard and monitor directly to the Barracuda Load Balancer.

2. At the barracuda login prompt, enter admin for the login and admin for the password.
The User Confirmation Requested window displays the current IP configuration of the
Barracuda Load Balancer.

3. Using your Tab key, select Change to change the WAN IP configuration.

4. Enter the new WAN IP address, netmask, and default gateway for your Barracuda Load
Balancer. Save your changes. The Primary and Secondary DNS fields are optional at this time,
but if not entered here then they must be entered in Step 3d.) of To configure the Barracuda
Load Balancer: on page 38.

Configuring Your Corporate Firewall


If your Barracuda Load Balancer is located behind a corporate firewall, refer to Table 3.1 for the ports
that need to be opened on your corporate firewall to allow communication between the Barracuda
Load Balancer, Virtual IP addresses and remote servers.

Table 3.1: Ports to Open on Your Corporate Firewall


Port                        Direction   Protocol   Description
22                          Out         TCP        Remote diagnostics and technical support services
53                          Out         TCP/UDP    DNS (Domain Name Server)
80                          Out         TCP        IPS and firmware updates (unless configured to use a proxy)
123                         Out         UDP        NTP (Network Time Protocol)
any ports used by Services  as needed   as needed  1:1 NATs as needed, and any port required to access the VIP of a load-balanced Service.

To send system alerts and notifications to the administrator, the Barracuda Load Balancer must be
able to communicate with the mail server over the port specified on the Basic > Administration page.
This may require opening that port on the firewall.

Certain protocols require additional ports to be open. Examples include FTP and streaming media
protocols. When configuring Services using these protocols ensure that the additional ports required
are not blocked by the firewall.

Configuring the Barracuda Load Balancer


After specifying the IP address of the Barracuda Load Balancer and opening the necessary ports on
your corporate firewall, configure the Barracuda Load Balancer from the web interface. Make sure
the system being used to access the web interface is connected to the same network as the Barracuda
Load Balancer, and that the appropriate routing is in place to allow connection to the Barracuda Load
Balancer's IP address via a web browser.
To configure the Barracuda Load Balancer:
1. From a web browser, enter the IP address of the Barracuda Load Balancer followed by a colon
and port 8000.
For example: http://192.168.200.200:8000.

2. To log into the web interface, enter admin for the username and admin for the password.

3. Select Basic > IP Configuration, and perform the following steps:

3a. Enter the following information in the WAN IP Configuration section:

IP Address. The address associated with the port that connects the Barracuda Load
Balancer to the WAN.
Subnet Mask. The subnet mask assigned to the WAN interface of the Barracuda
Load Balancer.
Default Gateway. The default router for network traffic not destined for the local
subnet.
Allow administration access. Set to Yes if you want to allow administration access
using this IP address. The web interface port has a default of 8000 but can be
changed on the Basic > Administration page.
3b. If the Barracuda Load Balancer is in Bridge-Path mode, or if only Direct Server Return
mode is being employed, then go to Step 3c.)
If you are configuring a passive Barracuda Load Balancer in a cluster, then go to Step
3c.). If the system becomes active and if it is in Route-Path mode, it will assume the
LAN IP address and netmask that are configured on the originally-active Barracuda
Load Balancer. See Creating a High Availability Environment on page 60.
Enter the following information in the LAN IP Configuration section:
LAN IP Address and LAN Netmask. The address that connects the Barracuda Load
Balancer to the LAN. This is only used for two-armed Route-Path mode or, if in one-armed Route-Path mode, for management.
Allow administration access. Set to Yes if you want to allow administration access
using this IP address. The web interface port has a default of 8000 but can be
changed on the Basic > Administration page.
3c. If desired, enter the following information in the Management IP Configuration section:
Management IP Address and Management Netmask. The management IP address
can be used only for administration access and is optional. It should not be on the
same network as either the LAN or WAN IP address. On certain 640 models, it is
used by the MGMT port on the front of the unit; on most other models, it is used by
the Ethernet port on the back of the appliance.
Allow administration access. Set to Yes. The web interface port has a default of
8000 but can be changed on the Basic > Administration page.
3d. Enter the IP address of your primary and secondary DNS servers.
3e. Enter the default hostname and default domain name of the Barracuda Load Balancer.
3f. If the Barracuda Load Balancer is behind a proxy server, enter the relevant parameters.
3g. Click Save Changes.

Note

If you change the IP address that you were using to access your Barracuda Load Balancer, you will
be disconnected from the web interface. Use the new IP address to connect and log in again.

3h. If you want this Barracuda Load Balancer to operate in Bridge-Path mode, and this is
not a backup Barracuda Load Balancer in a cluster, click Convert to change the
operation from Route-Path to Bridge-Path.

4. Select Basic > Administration, and perform the following steps:


4a. Assign a new administration password to the Barracuda Load Balancer.
4b. Make sure the local time zone is set correctly.
Time on the Barracuda Load Balancer is automatically updated via NTP (Network
Time Protocol). It requires that port 123 is opened for outbound UDP traffic on your
firewall (if the Barracuda Load Balancer is located behind one).
It is important that the time zone is set correctly because this information is used to
coordinate traffic distribution and in all logs and reports. Also, if this system is going to
be clustered with another one, both systems must have the same time zone.
4c. If desired, change the port number used to access the Barracuda Load Balancer user
interface. The default port is 8000.
4d. Enter the amount of time, in minutes, for the length of your web interface session
before you are logged off due to inactivity.
4e. (Optional) Specify your local SMTP server. Enter the email address for your
administrator to receive system alerts and notifications.
4f. Click Save Changes.

Verifying Your Subscription Status


If the Barracuda Load Balancer has access to the activation servers, your Energize Update and Instant
Replacement subscriptions are most likely active. If not, you will see a warning at the top of every
page. You must activate your subscriptions before continuing.
Click on the link in the warning message or use the link on the Basic > Status page to open up the
Barracuda Networks Product Activation page in a new browser window. Fill in the required fields
and click Activate. A confirmation page displays the terms of your subscription. On the Basic > Status
page, you may need to enter the activation code from the Barracuda Networks Product Activation
page to activate your Barracuda Load Balancer.
Note

If your subscription status does not change to Current, or if you have trouble filling out the Product
Activation page, call your Barracuda Networks sales representative.

Updating the Barracuda Load Balancer Firmware


To update the firmware on the Barracuda Load Balancer:
1. Select Advanced > Firmware Update.

2. Read the release notes to learn about the latest features and fixes in the new firmware version.

3. Click Download Now next to Latest General Release. Click OK on the download duration
window.
Updating the firmware may take several minutes. Do not turn off the unit during this process.
Download Now is disabled if the Barracuda Load Balancer is running the latest firmware
version.

4. The Barracuda Load Balancer begins downloading the latest firmware version. Click Refresh to
view the download status, until you see a message stating that the download has completed.

5. Click Apply Now when the download completes.

6. Click OK when prompted to reboot the Barracuda Load Balancer.

A Status page displays the progress of the reboot. Once complete, the login page appears.

Updating the IPS Definitions


If you are configuring a passive Barracuda Load Balancer in a cluster, then you may skip this step.
To apply the newest definitions for the Intrusion Prevention System:
1. Select Advanced > Energize Updates.

2. Select Hourly or Daily for Automatically Update. The recommended setting is Hourly for IPS
definitions.

3. Check to see if the current version is the same as the latest general release. If the rules are
up-to-date, proceed to the next section. If the rules are not up-to-date, continue to the next step.

4. Click Update to download and install the latest available IPS definitions onto the Barracuda
Load Balancer.

5. Click Save Changes.

Your Barracuda Load Balancer should be ready for operation. For more configuration tasks, including
creating Services, refer to the next chapter, Configuring Services on page 41. If this is a passive
Barracuda Load Balancer in a cluster, the system is ready for clustering.

Chapter 4
Configuring Services
This chapter describes the configuration tasks you can perform from the web interface after you have
completed the installation. The following topics are covered:
Deployment Guides for Microsoft Environments
Creating Services
Layer 7 - HTTP(S) Services
Detailed information for all options on a page in the web interface is available from the online help
for that page.

Deployment Guides for Microsoft Environments


A set of deployment white papers provide detailed instructions to help you install the Barracuda Load
Balancer in specific environments. If you want to use the Barracuda Load Balancer with one of the
following Microsoft products, refer to the corresponding guide.

Remote Desktop Services in Windows Server 2008 R2:


Deploying the Barracuda Load Balancer with Remote Desktop Services in Windows Server
2008 R2

Microsoft Lync Server 2010:


Deploying the Barracuda Load Balancer with Microsoft Lync Server 2010

Microsoft Office Communications Server 2007:


Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2

Microsoft Exchange Server 2010:


Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010

All of these deployment guides are located at http://www.barracuda.com/documentation, in the Barracuda
Load Balancer section of the page.

Creating Services
This section describes the configuration tasks related to creating Services and associating Real
Servers with them. The following topics are covered:
Creating Load-Balanced Services
Associating Real Servers with a Service
Persistence Settings
Remote Desktop Services Load Balancing
TCP Proxy, Secure TCP Proxy and UDP Proxy
FTP Service
FTPS Service
SSL Offloading
Securing Communication with the Real Servers
Selecting a Scheduling Policy
Configuring Intrusion Prevention
Configuring a Last Resort Action
Client Impersonation

Creating Load-Balanced Services


A Service is a combination of a Virtual IP (VIP) address and one or more TCP/UDP ports. Traffic
arriving at the designated port(s) for the specified Virtual IP address is directed to one of the Real
Servers that are associated with that particular Service. The Barracuda Load Balancer determines
which connections or requests are distributed to each Real Server based on the scheduling policy
selected for the Service.
The Basic > Services page lets you create Services by identifying a Virtual IP address, port and one
or more Real Servers. Once you have created a Service, you can configure advanced settings
(including Service type) by clicking the Edit graphic next to the Service. If the creation of the Service
is successful, the Service name appears on the Basic > Services page with a green, orange, or red
health indicator next to it.
Detailed descriptions of the settings are available in the online help.

Associating Real Servers with a Service


You can identify the Real Servers that handle the traffic for a Service when you create the Service or
later, using the Basic > Services page. Edit advanced Real Server settings by clicking the Edit graphic
next to the Real Server. From this page, you can:

Enable the Real Server or disable it in one of two ways. Disabled mode terminates all existing
connections immediately. Maintenance mode allows existing connections to terminate naturally.
In either case, no new connections or requests are accepted until the Real Server is enabled again.
If this Real Server is associated with a Layer 7 - HTTP Service, specify whether this Real Server
accepts only HTTP requests that match a content rule.
Change the weight of this Real Server to be used when assigning client connections.
Specify if the Real Server is using Direct Server Return.
Require all communication between the Real Server and the Barracuda Load Balancer be
encrypted using SSL.
Change or execute the Testing Method for the Real Server.

Persistence Settings
The Barracuda Load Balancer supports multiple options to direct clients back to the same Real Server,
depending on the Service type.

Layer 7 - HTTP(S)
There are a variety of supported persistence methods for HTTP sessions:

HTTP Cookie - When a client initiates contact, the Barracuda Load Balancer inserts a cookie
into the outgoing response. This cookie is returned by the client with each subsequent request.
The Barracuda Load Balancer strips the cookie from the request and then directs the request to
the same Real Server.
Client IP Address - Subsequent requests from a client with a recurring IP address or systems
from the same subnet go to the same Real Server.
HTTP Header - All incoming HTTP requests are directed to the same Real Server based on the
value of a header. The application (e.g., Microsoft Exchange) specifies the name of the header to
be examined.
URL Parameter - All incoming HTTP requests are directed to the same Real Server based on
the value of the specified parameter in the URL.

Layer 4 - TCP, TCP Proxy, Secure TCP Proxy or Layer 4 - UDP


Only client IP address persistence is supported. An individual client IP address can be used or you can
specify a subnet mask so that subsequent TCP connections or UDP datagrams from systems from the
same subnet go to the same Real Server.

UDP Proxy
A UDP Proxy Service supports persistence using both client IP address and port to distribute the
traffic across all of the Real Servers. This helps mitigate the fact that many UDP applications involve
all client requests coming from one client IP address.

Layer 7 - FTP(S)
Persistence is not supported.

Layer 7 - RDP
Session persistence is achieved by querying Windows Server 2003 Terminal Services Session
Directory, Windows Server 2008 Terminal Services Session Broker or Windows Server 2008 R2
Session Broker. For more on this topic, see Remote Desktop Services Load Balancing on page 45.

Remote Desktop Services Load Balancing


The Barracuda Load Balancer may be deployed with a Terminal Server farm that is using Windows
Server 2003 Terminal Services, Windows Server 2008 Terminal Services or Windows Server 2008
R2 Remote Desktop Services. The Barracuda Load Balancer uses the routing token supplied by the
Session Director or the TS Session Broker to determine which Real Server to use.
There are settings that need to be configured on the Real Servers to allow the Barracuda Load
Balancer to use the routing tokens. Refer to the guide to deploying the Barracuda Load Balancer with
Remote Desktop Services located at http://www.barracudanetworks.com/documentation.

TCP Proxy, Secure TCP Proxy and UDP Proxy


You can create a TCP Proxy Service, a Secure TCP Proxy Service or a UDP Proxy Service to make
the Barracuda Load Balancer act as a full TCP or UDP proxy. Using these Service types allows the
Real Servers to be located anywhere, as long as they are reachable by the Barracuda Load Balancer.
See Deployment Options Overview on page 17 for examples of deployments using TCP and UDP
Proxy Services. A Secure TCP Proxy Service provides SSL offloading.

FTP Service
You can create a Service with type Layer 7 - FTP to allow the Barracuda Load Balancer to process
FTP traffic from the clients to the servers. An FTP client connects to an FTP server to manipulate files
on that server. Both passive and active FTP are supported.
If passive FTP will be used and if the Barracuda Load Balancer is behind a NATing firewall, you
should specify an IP address and one or more ports that are sent in the response to a PASV request
from a client. The client connects to the specified IP address and port to receive the data. Usually this
address is the external IP address that is translated by the firewall to the Virtual IP address of the FTP
Service. The port or ports are those allowed by the firewall. Enter the IP address and port(s) on the
Service Detail page.

FTPS Service
A Service with type Layer 7 - FTPS supports encrypted FTP traffic. It only supports passive and not
active FTP.

SSL Offloading
The Barracuda Load Balancer can perform decryption and encryption of SSL traffic to reduce the load
on the Real Servers. The encrypted traffic received on the VIP address is decrypted before it is passed
to the Real Servers, and traffic coming from the Real Servers is encrypted before it leaves the
Barracuda Load Balancer. No SSL configuration on the Real Servers is necessary; all SSL certificates
are stored on the Barracuda Load Balancer.
If the Barracuda Load Balancers and the Real Servers are on a trusted network, such as within the
same datacenter, enabling SSL offloading does not compromise security. If this is not the case, the
Barracuda Load Balancer can re-encrypt the traffic before directing it to the Real Servers. See
Securing Communication with the Real Servers on page 46 for more details.
SSL offloading is not compatible with Direct Server Return. It is also not available for Layer 4, UDP
Proxy or Layer 7 - RDP Service types.
To set up SSL offloading, complete the following tasks:
1. Upload one SSL certificate for each Service to the Barracuda Load Balancer.

2. Identify the Services that are using SSL offloading as secure Service types.

3. Change the port used by the Real Servers, if necessary.

These tasks are described in the following sections.

Uploading SSL Certificates


One SSL certificate for each Service to be offloaded must be stored on the Barracuda Load Balancer.
A certificate can be ordered from a trusted Certificate Authority such as VeriSign. Or, if SSL
processing was previously done on the server, then retrieve the certificate from that server.
To view, edit or add SSL certificates to the Barracuda Load Balancer, go to the Basic > Certificates
page.

Specifying SSL Offloading for a Service


To configure SSL offloading for a Service, go to the Basic > Services page and edit the Service. On
the Service Detail page, change the Service type to the secure Service type (e.g., TCP Proxy to Secure
TCP Proxy). Select the SSL certificate you wish to use from the SSL Certificate list.

Updating Ports on the Real Servers


If the Real Servers were using port 443 before, update their port setting on the Barracuda Load
Balancer. Go to the Basic > Services page and click Edit for each Real Server for the Service. On the
Real Server Detail page update the port. For example, the Service may use port 443 while the Real
Servers use port 80.

Securing Communication with the Real Servers


If you want all communication between the Real Servers and the Barracuda Load Balancer to be
encrypted using SSL, you can configure this option by editing each Real Server on the Basic >
Services page. An SSL certificate must exist on the Real Server.

Selecting a Scheduling Policy


The Barracuda Load Balancer supports multiple scheduling methods to determine which Real Server
that is associated with a Service gets the next new connection. On an ongoing basis each Real Server
is assigned a weight, which indicates the proportion of the load that this Real Server will bear relative
to other Real Servers. Weights are either calculated dynamically using Adaptive Scheduling, or they
are pre-assigned. These Real Server weights are then used by the scheduling algorithm, which is
either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets
the next connection.

Adaptive Scheduling
The Adaptive Scheduling feature polls the Real Servers frequently and assigns weights to those Real
Servers using the information gathered. The parameter polled may be:

CPU Load, determined by an SNMP query. If you wish to use this and you have Real Servers
running a version of Windows, Knowledgebase Solution #00004306 in the Barracuda Networks
Support Center http://www.barracudanetworks.com/support describes the required OID. You can
view this solution by using this link: http://www.barracuda.com/kb?id=50160000000Hptb.
Number of Windows Terminal Server sessions, determined by an SNMP query. In order to use
this option, Real Servers must allow the Barracuda Load Balancer SNMP access to the
community specified in the SNMP Community String box. This option is not available if the
Service type is Layer 7 - RDP (see Scheduling for a Service with type Layer 7 - RDP on page
48).
A URL provided by each Real Server which specifies a load value. If this option is selected, the
Barracuda Load Balancer will poll the URL http://[Real Server IP Address]/barracuda_load/ and
expect the output to look like LOAD=23 (showing the load as an integer between 0 and 100).
Weights are assigned to each Real Server using the formula (100 - LOAD). For example, if the
Load URL value is 23, the Real Server will be assigned a weight of 77. In order for the URL
query to work, you must create a load determination script and make the results available by
running a web server on the Real Server that responds to the poll at the Real Server's IP address
and port 80.
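A load determination script of the kind the last option calls for, as an added example that is not part of the guide or of Barracuda's software. Deriving the load from the 1-minute load average per CPU, answering only the poller address 192.0.2.10 (a constructed placeholder for the load balancer's address), and the function names are all assumptions of this example.

```python
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

LOAD_PATH = "/barracuda_load/"      # path the guide says the load balancer polls
ALLOWED_POLLERS = {"192.0.2.10"}    # assumption: address the load balancer polls from


def load_percent(loadavg_1min, cpu_count):
    """Scale the 1-minute load average to an integer in 0..100."""
    cpus = max(1, cpu_count)
    return max(0, min(100, int(round(100.0 * loadavg_1min / cpus))))


def render_load(percent):
    """Body in the form the guide shows: LOAD=<integer between 0 and 100>."""
    if not 0 <= percent <= 100:
        raise ValueError("load must be between 0 and 100")
    return "LOAD=%d" % percent


def weight_from_body(body):
    """Weight the guide says is assigned for a polled body: 100 - LOAD."""
    match = re.fullmatch(r"LOAD=(\d{1,3})", body.strip())
    if match is None or int(match.group(1)) > 100:
        raise ValueError("unexpected load output: %r" % body)
    return 100 - int(match.group(1))


class LoadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer only the load balancer; the value reveals how busy the host is.
        if self.client_address[0] not in ALLOWED_POLLERS:
            self.send_error(403)
            return
        if self.path != LOAD_PATH:
            self.send_error(404)
            return
        percent = load_percent(os.getloadavg()[0], os.cpu_count() or 1)
        data = render_load(percent).encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):
        pass  # keep the frequent polls out of stderr


if __name__ == "__main__":
    # Port 80 is the port the guide requires; binding it needs privileges.
    HTTPServer(("0.0.0.0", 80), LoadHandler).serve_forever()
```

Because every request is clamped to 0..100, a runaway load average cannot produce a negative weight.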

If, for example, all Real Servers have the same value for CPU load, then the Real Servers will be
assigned the same weight. These weights will change as the value of the CPU Load for each Real
Server varies.
Configure adaptive scheduling for a Service by editing it using the Basic > Services page. On the
Service Detail page, select the adaptive scheduling algorithm to use when making weight adjustments.

Pre-Assigned Weight
As an alternative to adaptive scheduling, static weights for each Real Server can be used. If some of
the Real Servers are faster or have more capacity than others, you can tell the Barracuda Load
Balancer to direct more traffic to them by increasing their weight relative to the other Real Servers.
Configure the static weight for a Real Server by editing it on the Basic > Services page. On the Real
Server Detail page, enter a weight value to be compared against the weights of all other Real Servers
for this Service. For example, a Real Server with a weight of 50 will get half as much traffic as
a Real Server with a weight of 100, but twice as much as a Real Server with a weight of 25.
If the Service is configured to use adaptive scheduling, these static weight values are ignored.

Scheduling Policies
The Barracuda Load Balancer considers the weight values for the Real Servers and then applies a
scheduling algorithm, either Weighted Round-Robin or Weighted Least Connections, to determine
which Real Server gets the next connection.
In Weighted Round-Robin, Real Servers with higher weights get more connections than those with
lower weights and Real Servers with equal weights get equal connections. The scheduling sequence
is generated according to the Real Server weights. New connections are directed to the different Real
Servers based on the scheduling sequence in a round-robin manner. The shortcoming with this
method is that a majority of long-lived connections may go to the same Real Server.

In Weighted Least Connections, the Barracuda Load Balancer considers the number of live
connections that each Real Server has, as well as the weight values. The Real Servers with higher
weight values will receive a larger percentage of live connections at any one time. The Barracuda
Load Balancer dynamically checks the number of live connections for each Real Server.
Weighted Least Connections is the recommended choice.
To configure whether Weighted Round-Robin or Weighted Least Connections will be used for a
Service, edit the Service on the Basic > Services page.
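The two policies side by side, as an added model that is not Barracuda's implementation. The interleaved round-robin sequence and the live-connections-per-weight comparison follow the approach used by Linux Virtual Server, which is an assumption here; the server names and the arrival pattern are constructed.

```python
from fractions import Fraction
from functools import reduce
from itertools import cycle
from math import gcd


def wrr_cycle(weights):
    """One full scheduling sequence for Weighted Round-Robin."""
    positive = {s: w for s, w in weights.items() if w > 0}
    if not positive:
        raise ValueError("no Real Server has a positive weight")
    step = reduce(gcd, positive.values())
    order = []
    # Lower the threshold one step at a time; heavier servers qualify more often.
    for threshold in range(max(positive.values()), 0, -step):
        order.extend(s for s, w in positive.items() if w >= threshold)
    return order


def wlc_pick(weights, live):
    """Weighted Least Connections: fewest live connections per unit of weight."""
    candidates = [s for s, w in weights.items() if w > 0]
    if not candidates:
        raise ValueError("no Real Server has a positive weight")
    return min(candidates, key=lambda s: Fraction(live[s], weights[s]))


def simulate(policy, weights, arrivals):
    """Return the live connections per server after all arrivals.

    arrivals is a list of booleans: True is a long-lived connection that stays
    open, False is a short one that closes before the next arrival.
    """
    if policy not in ("wrr", "wlc"):
        raise ValueError("policy must be 'wrr' or 'wlc'")
    live = {s: 0 for s in weights}
    sequence = cycle(wrr_cycle(weights))
    for long_lived in arrivals:
        server = next(sequence) if policy == "wrr" else wlc_pick(weights, live)
        if long_lived:
            live[server] += 1
    return live


if __name__ == "__main__":
    # Weights from the static-weight example in the guide: 100, 50 and 25.
    print(wrr_cycle({"A": 100, "B": 50, "C": 25}))
    # Constructed workload: long-lived and short connections alternate.
    pattern = [True, False] * 4
    print("wrr", simulate("wrr", {"A": 1, "B": 1}, pattern))
    print("wlc", simulate("wlc", {"A": 1, "B": 1}, pattern))
```

With equal weights and alternating arrivals, round-robin places every long-lived connection on the same server, which is the shortcoming described above; least connections splits them evenly.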

Scheduling for a Service with type Layer 7 - RDP


If the Service type is Layer 7 - RDP, the Barracuda Load Balancer keeps track of the number of RDP
sessions on each Real Server. This number is used in conjunction with Real Server weights when
selecting which Real Server gets the next new session. The Real Server weights are determined by
either one of these adaptive scheduling methods:

Executing an SNMP GET for the CPU load on the Real Servers,
Polling a URL provided by each Real Server which specifies a load value,

or by retrieving pre-configured static weights (from the Real Server Detail page).
The number of active RDP sessions and the Real Server weights are used as input to the Weighted
Round Robin or Weighted Least Connections algorithm.
On the Service Detail page the Terminal Sessions adaptive scheduling option is disabled for Layer 7
- RDP Services. Because the number of RDP sessions on each Real Server is maintained internally,
there is no need for the adaptive scheduling algorithm to issue an SNMP query to get the number of
active Windows Terminal Sessions.

Viewing Current Connections


To see the number of current open connections/requests/sessions with each Service and each Real
Server, navigate to the Basic > Server Health page. The bars on the page display the approximate
percentage of all traffic that is currently connected to each Service or Real Server.
Sometimes it may appear that a Real Server is handling more traffic than it should be based on its
calculated weight. This is caused by persistence. If clients that were previously connected reconnect
within a short period of time, they are directed to the same Real Server regardless of its current load.

Configuring Intrusion Prevention


You can enable or disable the Intrusion Prevention System (IPS) for all Services on the Barracuda
Load Balancer from the Basic > Intrusion Prevention page. This page displays a list of all of the
Services and whether IPS is enabled for each one.
By default, IPS is disabled for a newly created Service. To enable IPS for an individual Service, edit
the Service and select the IPS option on the Service Detail page.

To test if the IPS is working on the Barracuda Load Balancer, there is a simple URL that will generate
a test IPS catch. To test with this URL, create or locate a web Service (with at least one Real Server)
on port 80 from the Basic > Services page. Then type the following address in your browser window:
http://VIP/?Barracuda-IPS-Web

where VIP is the VIP address of the web Service. If IPS is on, it will block this. Your browser will
give an error because the connection will be immediately rejected. There should also be an IPS catch
in the Intrusion Prevention Log on the Basic > Intrusion Prevention page.
Refer to Intrusion Prevention System on page 10 for an overview of IPS and how the Energize
Updates feature works.

Configuring a Last Resort Action


The Last Resort action for a Service is taken if all of the Real Servers associated with the Service are
unavailable. This setting is configured on the Service Detail page.
There are three options:

Return a failure message or close the connection, depending on the Service type. The details can
be found in the online help.
Reset the connection.
Direct all traffic to a Last Resort Server.

To increase the availability of the Service, identify a Last Resort Server.


The Last Resort Server can be located anywhere, so long as it is reachable by the Barracuda Load
Balancer. It has the same deployment options available as any Real Server. If it is associated with a
Layer 7 Service, any policies configured for the Service will also be applied to the Last Resort Server.
The Barracuda Load Balancer does not perform any health checks on the Last Resort Server.

Client Impersonation
By default, for TCP Proxy and Layer 7 - HTTP Services (and their secure versions), the Barracuda
Load Balancer's IP address is used when a client connects to the Real Server. You can enable the
Client Impersonation option on the Service Detail page to use the client's IP address instead.
Alternatively, for Layer 7 - HTTP(S) Services only, if you wish to enable connection pooling, you
can identify an HTTP header that has the client IP address as its value.

Layer 7 - HTTP(S) Services


This section describes topics unique to Services with type Layer 7 - HTTP and Layer 7 - HTTPS.
The following topics are covered:
Introduction
Directing HTTP Requests based on Content Rules
Setting Up an HTTP Redirect
Modifying HTTP Requests and Responses
Configuring Caching
Configuring Compression
Hosting Multiple Domains with one Service

Introduction
HTTP or HTTPS traffic can be handled to a varying degree by the Barracuda Load Balancer before
it is directed to a web server. The handling differs based on the type of the Service that receives the
traffic.

Choose a Layer 4 - TCP Service type if you want the traffic simply redirected to the web servers
and using only client IP based persistence. This requires a two-armed deployment.
If you only need client IP based persistence but want to use a one-armed deployment, choose a
TCP Proxy Service type.
To take advantage of Layer 7 handling such as directing requests based on content rules,
inspecting and modifying HTTP headers, SSL offloading, or persistence based on cookies,
choose either Layer 7 - HTTP (for HTTP traffic) or Layer 7 - HTTPS (for HTTPS traffic).

The rest of this section describes the Layer 7 processing options.

Directing HTTP Requests based on Content Rules


Content rules are used to direct HTTP requests to specific Real Servers associated with a Layer
7 - HTTP(S) Service. This functionality is also known as content switching or URL switching. A
content rule includes:

One or more expressions that specify a pattern in the host, URL or header fields of the request
The Real Server or Servers that handle the matching request
The load balancing algorithm used to direct requests to the Real Servers
Persistence: none, HTTP cookie, HTTP header, URL parameter or client IP address

Use these rules to partition requests to Real Servers that deliver different types of data, such as:

Content optimized for a mobile device
Content in a particular language
Images or video
Data that is maintained on different servers but you want to make it appear to have come from
one source.

Create a content rule by clicking Rule next to a Layer 7 - HTTP(S) Service on the Basic > Services
page. This option only appears next to a Service that has at least one Real Server associated with it.
Click on the Edit icon next to the rule name on the Basic > Services page to edit an existing content rule.
You can edit one or more Real Servers from the Basic > Services page to accept only HTTP requests
that match a content rule. Requests that fail to match any rule are directed to the Real Servers for the
Service that are not configured to exclusively handle requests that match a content rule. For example,
a Real Server which only delivers images can be configured to accept only HTTP requests that match
a content rule.

Content Rule Execution


There are up to three types of patterns in each content rule: host match, URL match, and extended
match. Extended matches are compared to values in the HTTP header.
If there are multiple rules for a Service, the most specific host and URL match will be executed. For
example, if a Service has these two rules:

Rule A - host www.example.com, URL /images/*
Rule B - host www.example.com, URL /images/*.png

and if the incoming request is for www.example.com/images/x.png then the most specific
matching rule, which is Rule B, is executed.
If a rule has the most specific host and URL for a request, any extended match expressions for that
rule are evaluated in the order established by the Extended Match Order field. If the request does not
match any extended match expression for the rule then the request is considered to have failed to
match any rule.
The possible values for the content rules can be found in the online help. A detailed description of the
extended match syntax can be found in Extended Match and Condition Expressions on page 85.

Content Rule Caching and Compression


You can enable caching and compression on the data that matches a content rule using the Websites
> HTTP Caching and the Websites > HTTP Compression pages.

Setting Up an HTTP Redirect


HTTP redirect causes all HTTP traffic on the specified port on a virtual IP address to be redirected to
another port (usually port 443) on the same virtual IP address, where SSL requests are served.
Implementing HTTP redirect requires configuring two Services, an HTTP redirect Service and an HTTPS
Service. HTTP requests that are addressed to http://VIP:HTTP_redirect_Service_port/ are redirected to
https://VIP:HTTPS_Service_port/.

This is useful when a site supports only HTTPS access. A client may initially access the site using
HTTP, which is the default for most browsers if the URI scheme is not entered. The redirect option
allows the client to be transparently moved over to the secure site.
To enable the redirect, create an HTTP redirect Service with Service type of Layer 7 - HTTP. Edit the
Service and enable HTTP redirect. Because this Service only redirects HTTP requests to an HTTPS
Service (the one at the redirect port), you cannot add Real Servers. In fact, few configuration options
on the Service Detail page are relevant, and all of the other options are hidden (and the settings, if any,
ignored).
Finally, you need to create a Layer 7 - HTTPS Service for the same VIP address on the redirect port
to receive the redirected requests.

Modifying HTTP Requests and Responses


You can set up rules to modify HTTP requests and responses that pass through the Barracuda Load
Balancer. These rules, which are associated with a Layer 7 - HTTP(S) Service, are listed on the
Websites > URL Rewrites page.
One HTTP request rewrite rule is created automatically. It sets the X-Forwarded-For header to the IP
address of the client. The Real Server can examine the X-Forwarded-For header to discover the true
identity of the requestor, rather than using the sending IP address, which is the IP address of the
Barracuda Load Balancer.
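How a Real Server can use the header safely, as an added example that is not from the guide: X-Forwarded-For is believed only when the connection itself comes from the load balancer, since a client that reaches the server directly can send any value. The address 192.0.2.10, the function name and the choice of the last listed entry are assumptions of this example.

```python
import ipaddress

# Constructed placeholder: the address the Barracuda Load Balancer connects from.
TRUSTED_PROXIES = frozenset({"192.0.2.10"})


def client_address(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address to log or authorize for one HTTP request.

    peer_ip is the source address of the TCP connection; headers is a list of
    (name, value) pairs as received.
    """
    peer = str(ipaddress.ip_address(peer_ip))
    if peer not in trusted:
        # Not from the load balancer: the header is client-supplied, ignore it.
        return peer
    entries = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            entries.extend(part.strip() for part in value.split(","))
    entries = [entry for entry in entries if entry]
    if not entries:
        return peer
    try:
        # Assumption: the entry written by the nearest proxy is the last one.
        return str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        # Malformed value: fall back to the connection's source address.
        return peer


if __name__ == "__main__":
    # Constructed requests: (peer address, headers).
    samples = [
        ("192.0.2.10", [("X-Forwarded-For", "203.0.113.7")]),
        ("198.51.100.23", [("X-Forwarded-For", "10.0.0.1")]),
        ("192.0.2.10", [("x-forwarded-for", "10.0.0.1, 203.0.113.7")]),
        ("192.0.2.10", [("X-Forwarded-For", "not-an-ip")]),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_address(peer, hdrs))
```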
You can create response rewrite rules to remove server banners or other header or body information
which you do not want the clients to see.
The actions which can be performed by the request rewrite rules are:

Insert Header - Inserts a header in the request.
Remove Header - Removes the header from the request.
Rewrite Header - Rewrites the value of the header in the request.
Rewrite URL - Rewrites the request URL to the URL specified in the rule.
Redirect the URL - Redirects the request to the URL specified in the rule and sends that redirect
back to the client.

Only the first three actions are valid for response header rewrite rules. Response body rules allow any
text string (content-type must begin with text/) in an outbound HTTP response body to be rewritten.
The online help for the Websites > URL Rewrites page lists the syntax for the rules. In addition, a
detailed description of the condition expressions, which specify when the rewrite should occur, is
found in Extended Match and Condition Expressions on page 85.

Rule Execution Order


Content rules are evaluated first on incoming HTTP traffic. The rules on the Websites > URL Rewrites
page are evaluated second.

Configuring Caching
Caching is a process of storing commonly used information in local memory for quick retrieval rather
than sending repeated requests to the web server for the same information. This can improve
performance (sometimes dramatically) and reliability. It also reduces the resource utilization on the
web servers. Caching can store web pages and commonly used objects such as graphics files. Caching
provides the following benefits:

Reduced latency when retrieving web content.
An overall reduction in bandwidth and server load.
Automatic identification and replication of site content.

By default, caching is disabled, but you can enable caching on any Layer 7 - HTTP(S) Service or
content rule on the Websites > HTTP Caching page. For each Service or content rule you can specify
a set of parameters that determine what is cached.

Configuring Compression
Compression improves the response time for clients accessing the service through dial-up or other
slow methods. Enabling this feature compresses web pages that use HTML, JavaScript, Java and
other text-based languages, resulting in a reduction in download time.
By default, compression is disabled, but you can enable compression on any Layer 7 - HTTP(S)
Service or content rule on the Websites > HTTP Compression page. For each Service or content rule
you can specify the content types and minimum response size to be compressed. Barracuda Networks
recommends enabling compression for text based content-types like text/plain, text/html, etc.

Hosting Multiple Domains with one Service


Hosting multiple SSL-enabled sites on a single server usually requires a unique IP address for each
domain, but the Barracuda Load Balancer supports three alternative ways to host multiple domains
on one Service. This is particularly useful in a virtual hosting scenario, where you may have several
domains hosted on a single Real Server, using the same IP address. These methods are:

Server Name Indication (SNI)
Wildcard certificates
Subject Alternative Name (SAN) certificates

Server Name Indication (SNI)


SNI extends the SSL/TLS protocol to solve the issue of hosting multiple domains on the same IP
address. If each domain has a distinct SSL certificate, there needs to be a way for the Real Server to
select the proper certificate for a particular domain. The virtual domain information is sent as part of
the SSL/TLS negotiation between the client and server. Clients supporting this extension send the
domain name when initializing a secure SSL session. The server side component will look at the
domain name and send the corresponding certificate to the client.
For SNI to work properly, both the client browser and the web servers must support the SNI
extension. SNI is already supported on most major browser platforms, and on both Apache and IIS.
With SNI, you can use the Barracuda Load Balancer to assign any number and any type of certificates
(single, wildcard or SAN) to a single Barracuda Load Balancer Service. SNI support applies only to
Services with type Layer 7 - HTTPS. To enable SNI, edit the Service and change the setting on the
Service Detail page. On the same page, you can enter multiple domain names and associate a
certificate with each one. Client requests for domains that are not associated with any certificate will
get the default certificate. You can add as many certificates to the Service as needed.

Wildcard Certificates
Another alternative is to use wildcard certificates. This allows you to use a single certificate for subdomains within a domain. If you use a wildcard certificate, you only have to set up a single Service
on the Barracuda Load Balancer to serve multiple sub-domains. For example, you can configure a
single Layer 7 - HTTPS Service using a wildcard certificate, such as *.example.com, for
https://sales.example.com or https://support.example.com.

On the negative side, wildcard certificates:

Are more expensive (typically 3-5x more expensive than single domain certificates).
Cannot support multi-domains that are distinct from each other, such as www.mysite1.com and
www.mysite2.com. Multi-domain support is especially critical for web hosting providers or
Managed Service Providers (MSP) who may have multiple virtual web servers representing
numerous domains on a single physical server using a single IP address.
Cannot secure host names on different base domains, such as www.mysite1.com and
www.mysite1.net.

Subject Alternative Name (SAN) Certificates


SAN certificates fall between a wildcard certificate and a single domain certificate, as each certificate
allows you to specify a list of domain names to be protected. A SAN certificate for
www.example.com could have the domains www.examples.net and www.ex.com listed as
alternative names for the same Service. On the negative side, SAN certificates are more expensive
than single domain certificates and are often limited to 3-5 domains. More importantly, not all
Certificate Authorities sell SAN enabled certificates.
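A check of domain-to-certificate assignments covering the SNI, wildcard and SAN sections above, as an added example that is not from the guide or the product. The certificate names, the bindings and the function names are constructed; the wildcard rule used (the asterisk stands for exactly one left-most label) is the usual browser matching rule and is an assumption about how clients will validate.

```python
def hostname_matches(pattern, host):
    """True if a certificate name (exact or wildcard) covers the host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label   # exactly one label, never the bare domain


def select_certificate(sni_name, bindings, default_cert):
    """Certificate for a client hello; unknown or absent names get the default."""
    if not sni_name:
        return default_cert
    return bindings.get(sni_name.lower().rstrip("."), default_cert)


def audit_bindings(bindings, cert_names):
    """Domains whose assigned certificate does not list a name covering them."""
    problems = []
    for domain, cert in bindings.items():
        names = cert_names.get(cert, [])
        if not any(hostname_matches(name, domain) for name in names):
            problems.append(domain)
    return sorted(problems)


# Constructed certificates: label -> DNS names in the certificate.
CERT_NAMES = {
    "wildcard-example": ["*.example.com"],
    "san-example": ["www.example.com", "www.examples.net", "www.ex.com"],
    "single-mysite1": ["www.mysite1.com"],
}

# Constructed domain assignments for one Service; the last one is a deliberate
# mistake (a different base domain than the certificate covers).
BINDINGS = {
    "sales.example.com": "wildcard-example",
    "support.example.com": "wildcard-example",
    "www.examples.net": "san-example",
    "www.ex.com": "san-example",
    "www.mysite1.com": "single-mysite1",
    "www.mysite1.net": "single-mysite1",
}

if __name__ == "__main__":
    print(select_certificate("sales.example.com", BINDINGS, "default-cert"))
    print(select_certificate("unknown.example.org", BINDINGS, "default-cert"))
    print("not covered:", audit_bindings(BINDINGS, CERT_NAMES))
```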

Chapter 5
Network Configuration
This chapter describes the network configuration tasks you can perform from the web interface.
The following topics are covered:
Modifying LAN and WAN IP Addresses
VLAN Support
Making Services Accessible from the LAN/WAN
Creating Static Routes
Detailed information for all options on a page in the web interface is available from the online help
for that page.

Modifying LAN and WAN IP Addresses


The Basic > IP Configuration page contains the basic network configuration for your Barracuda Load
Balancer. This page also contains the setting to specify whether this Barracuda Load Balancer
operates in Route-Path or Bridge-Path mode. Finally, if the Barracuda Load Balancer is behind a
proxy server, you can configure its location so that it can download firmware and Energize Updates.

VLAN Support
The Barracuda Load Balancer supports Layer 2 VLANs to segment traffic. Use the Advanced >
Advanced IP Config page to identify VLANs on the Barracuda Load Balancer. You can then associate
Services or Real Servers with VLANs.
In Bridge-Path mode, if VLANs are used, both the LAN and WAN ports must be on the same VLAN.
To associate a Real Server with a VLAN:
1. On the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
Configuration table.
2. Go to the Basic > Services page and add the Real Server.
3. On the Advanced > Advanced IP Config page, in the Custom Virtual Interfaces table, create an
interface for the Real Server.
4. On the Advanced > Advanced IP Config page, add a static route to the Real Server if necessary.

To associate a Service with a VLAN:


1. On the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
Configuration table.
2. Go to the Basic > Services page and add the Service.
3. On the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the
entry for the Service. Select the VLAN from the Port list and save your changes.

Routing to Multiple VLANs over an Interface


If any interface on the Barracuda Load Balancer has to route to multiple VLANs, it must be connected
to the VLAN switch via a trunk (or hybrid) link, since multiple VLAN traffic can only be transported
over trunk links. If the Real Servers are distributed across multiple VLANs, say 100, 105, and 111,
then the LAN port must be connected to a trunk port on the VLAN switch.

Making Services Accessible from the LAN/WAN


You can add virtual interface(s) to the physical port (WAN or LAN) used to communicate with the
Services.
To make a Service accessible from the LAN:
1. Go to the Basic > Services page and add the Service.
2. On the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the
entry for the Service. Select LAN from the Port list and save your changes.

To access the Service from the WAN, create another Service with a different VIP but the same Real
Servers.
Creating Static Routes


You can create static routes to specify the exact route to a remote network.
To add a static route:
1. On the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
Configuration table, if necessary.
2. On the same page, fill in the fields in the Static Routes table.

Allowing Real Servers to Connect to the Internet


If the Real Servers are on a private network on the LAN side of the Barracuda Load Balancer and the
WAN is on a public network, Real Servers are not allowed by default to connect to the Internet. You
can override this behavior if, for example, the Real Servers need to get operating system or application
updates. This option is available in both Route-Path and Bridge-Path mode.
To allow Real Servers to connect directly to the Internet:
1. On the Advanced > Advanced IP Config page, create a source network address translation
(source NAT) rule to map the internal IP address of a Real Server to an external IP address or
some other IP address on the WAN side of the Barracuda Load Balancer that is translated by the
firewall to an external IP address.

See also Source IP Address in a Clustered Environment on page 62 for information about the source
IP address of incoming traffic.

Chapter 6
High Availability
This chapter describes how to configure a high availability environment by clustering two Barracuda
Load Balancers.
The following topics are covered:
Creating a High Availability Environment

Creating a High Availability Environment


The High Availability option allows you to create a cluster with two Barracuda Load Balancers as an
active-passive pair. Only one system actively processes traffic at any one time, but the two systems
continuously share almost all configuration and monitor each other's health.

Operation of High Availability (HA)


The active system in a clustered pair handles all of the traffic until:

The passive system detects that the active system is no longer responsive on the WAN.
The active system detects that its LAN connection has been lost (optional).
The administrator manually forces failover using the web interface.

If any of these conditions occur, the passive system becomes active, assumes all of the Virtual IP
addresses of the Services and the LAN IP address of the other Barracuda Load Balancer, and performs
the load balancing.
Clustered Barracuda Load Balancers negotiate which is the active one according to the Virtual Router
Redundancy Protocol (VRRP) specification. The two systems must be configured with the same
cluster shared secret and group ID. If other systems on the same subnet are also using VRRP, the
cluster group ID must be unique.
The passive Barracuda Load Balancer does not do any load-balancing or monitoring of Services or
Real Servers. If you look at the web interface of the passive system, you will see that all of the
Services and Real Servers on a page such as Basic > Services have red health indicators.

Requirements for HA
Before joining two systems together, each Barracuda Load Balancer must meet the following
requirements:

Barracuda Load Balancer models 340 or higher
Same model
Activated and on the same version of firmware
Able to access all Real Servers
Able to reach the other Barracuda Load Balancer on the WAN interface
Both WAN interfaces are connected to the same switch (physical network)

In addition, the active system should be fully configured. For the passive system, complete the
instructions in the section called Configuring the Barracuda Load Balancer on page 38. Do not
configure Services on the passive system.
To speed up recognition of a newly active Barracuda Load Balancer, disable spanning tree protocol
on the ports of the switch where the WAN ports of the two Barracuda Load Balancers are connected.
If it is a Cisco switch, enable Spanning Tree PortFast on the ports connected to the WAN ports of the
Barracuda Load Balancers.
When the Barracuda Load Balancer becomes active it sends out a gratuitous ARP. It continues to send
a gratuitous ARP every minute. The passive system does not issue any ARPs.

Management Access to the Passive System


Unless the management port is configured, you will have to use the WAN IP address to access the
web interface of the passive system. To configure the management IP address, use the Basic > IP
Config page (do this on both systems).

Failover if LAN Link Goes Down


There is an option to fail over to the passive system if the active system cannot detect its LAN link.
In one-armed deployments (including Direct Server Return), the LAN port does not need to be
monitored as the Real Servers are all connected to the WAN, so this option should be disabled. If the
Barracuda Load Balancer is in Bridge-Path mode, LAN port monitoring is compulsory.

Forceful or Manual Failover


You can force failover to the passive system using the web interface. This transfers the load to the
passive system without bringing down any of the interfaces of the active system. When the passive
system has become active, LAN or WAN cables can be removed or other maintenance performed on
the now-passive system.

Primary and Backup Roles


When two systems are joined in a cluster, the system that joins the cluster is the backup system. The
other one has the role of primary system. Initially, the primary system is the active system. Either of
the systems in a cluster is capable of being the active system. The backup and primary roles are
important when discussing failback.

Failback
There is an automatic failback option that can be configured if you want the originally active
(primary) system to take over the Virtual IP addresses and resume load balancing upon its recovery
after a failover. This option can be found on the Advanced > High Availability page.
You can manually switch to the primary system using the Failback command that is available on the
same page.
It may be better to opt for manual failback, as it can minimize the number of times that service is
interrupted. For example, if the primary system suffers an outage, the backup system takes over.
When the primary system recovers, if automatic failback is selected, then it will once again become
the active system. This means two interruptions of service. If manual failback is selected, then the
backup system continues processing traffic even after the recovery of the primary system.

Synchronization of Data Between Clustered Systems


When two Barracuda Load Balancers are initially joined, most configuration settings are copied from
the primary system in the cluster to the backup system (the system that joins the cluster). These
settings are synchronized between the systems on an ongoing basis.
Table 6.1 identifies what is synchronized and what is unique.

Table 6.1: Data Shared Between Clustered Systems

Shared Data:
- Global system settings configured through the web interface.
- Any SSL Certificates that have been installed.
- All of the static routes and VLANs, etc., configured on the Advanced > Advanced IP Config page.

Unique Data:
- All of the system IP configuration (WAN IP address, management IP address, operating mode, DNS servers and domain) configured on the Basic > IP Configuration page except for the LAN IP address.
- System password, time zone and web interface HTTP port as configured on the Basic > Administration page.
- The parameters on the Advanced > Appearance page.
- The HTTPS port and SSL certificate used to access the web interface as configured on the Advanced > Secure Administration page.

Detailed Steps to Add or Remove a System from a Cluster


Detailed instructions for creating a cluster or removing a Barracuda Load Balancer from a cluster can
be found in the online help for the Advanced > High Availability page. The same help page also
describes how to update the firmware of both systems in a cluster. These instructions are designed to
minimize the number of service interruptions while updating firmware on both systems.

Source IP Address in a Clustered Environment


By default, the source IP address of traffic sent to the Real Servers is translated (source NAT'd) to be
the WAN IP address of the Barracuda Load Balancer. If the Barracuda Load Balancer is clustered,
the WAN IP address is not shared between the two clustered systems. To use the same source IP
address in the event of failover, implement one of the following two options. The changes made will
be propagated automatically to the passive system.
Detailed steps for each of these options can be found in the online help.

Option 1
On the active system, create a custom virtual interface that associates an externally-accessible IP
address with the WAN port. Use this IP address to create a source NAT rule. This interface will be
used by the backup system if failover occurs.

Option 2
On the active system, remove the default rule that uses the WAN IP address as the source IP address,
and turn on IP masquerading for the Real Servers.


Chapter 7
Global Server Load Balancing
This chapter describes how to configure Global Server Load Balancing or GSLB.
The following topics are covered:
- Introduction to Global Server Load Balancing (GSLB)
- Steps to Install GSLB
Detailed information for all options on a page in the web interface is available from the online help
for that page.


Introduction to Global Server Load Balancing (GSLB)


This section contains an introduction to GSLB and how it is implemented using the Barracuda Load
Balancer.
The following topics are covered:
- GSLB Examples
- GSLB Definitions
- Site Selection Criteria
- How GSLB Works
- Integrating with the Existing DNS Infrastructure
- Site Selection Algorithms
- Example Implementations
- GSLB Regions
- Configuring Multiple GSLB Controllers

Global Server Load Balancing (GSLB) allows you to coordinate how traffic is processed among
multiple data centers. A Barracuda Load Balancer acts as a controller, selecting the location to which
traffic is directed based on the parameters that you configure and the health of the data centers. This
allows you to allocate the work among multiple data centers and to ensure that if one data center fails
then traffic is redirected automatically to a functioning data center.

GSLB Examples
GSLB can be useful when:

- You have a number of server farms that are physically located around the world and you want
  incoming connections to be directed to the closest healthy server farm.
- You have two data centers and you want one of them to be reserved for use in the event of a
  disaster. You can assign the first with a high priority and have all traffic directed to it, while the
  other is used only if the first data center fails.
- You have multiple data centers and each has region-specific content. Depending on the location
  of the client, requests can be directed to the data center most appropriate for that region.

GSLB Definitions

- A site is a network location that hosts data. It may be a Service on a Barracuda Load Balancer
  with a server farm or one Real Server.
- A GSLB Controller is the Barracuda Load Balancer which determines where traffic is directed.
  It contains configuration information about the sites and it performs health checks on all sites at
  regular intervals. Only one GSLB Controller is active at a time. It is recommended that you
  configure one or more backup GSLB Controllers.
- A region defines a geographical area, usually composed of one or more countries. You can
  define custom regions or use the predefined regions.

Site Selection Criteria


The GSLB Service allows you to specify traffic to be directed to a site based on one of three
parameters:

- Proximity of the system making the request to a site that can serve the request;
- The region of the system making the request; or
- The priority order of the sites.

How GSLB Works


The GSLB Controller controls which IP address for a sub-domain is given to a client. These steps
illustrate the process:
1. A client tries to connect to a domain name such as www.example.com. It asks its local DNS
   server for the IP address of the domain name, and the server issues a DNS request on its behalf.

2. This request is eventually directed to the GSLB Controller (Barracuda Load Balancer) that acts
   as an authoritative DNS server for the delegated sub-domain www. The GSLB Controller
   considers the site selection algorithm and the health of the sites and issues a DNS response that
   contains a list of one or more IP addresses of valid sites.

3. The client tries to connect to the first address in the list.

In Figure 7.1, the selection algorithm is based on the region of the client. The GSLB Controller
determines the region where the request originated. The US client is returned the address of the site
which handles clients from the US region (207.77.188.166) while the client from Europe is given the
address of the site which supports content for the European region (216.129.205.232).

Figure 7.1: How GSLB Works

Failover
The record that is returned by the GSLB Controller in response to a DNS query has a time to live
(TTL) value of 10 seconds, meaning that the DNS servers across the Internet need to request the IP
address of the site again if the record is older than 10 seconds. If a site becomes unavailable, it is
removed from the list of returned IP addresses, the caches update quickly, and traffic is directed to a
healthy site.

Integrating with the Existing DNS Infrastructure


In a typical GSLB deployment of the Barracuda Load Balancer, the existing DNS domain nameserver
continues as the authoritative nameserver for the zone or domain, e.g. barracuda.com. But a
hostname or sub-domain, e.g. www, is delegated to the Barracuda Load Balancer that acts as the GSLB
Controller. When a DNS query for www.barracuda.com is received, it is forwarded to the GSLB
Controller.
The GSLB Controller acts as the authoritative DNS server for delegated sub-domains, returning
definitive answers to DNS queries about domain names installed in its configuration. On the GSLB
Controller you can identify one or more IP addresses of sites that serve a single domain name. When
asked to resolve a host, the GSLB Controller returns a list of IP addresses of the sites that are both
available and that match the site selection algorithm.

Site Selection Algorithms


As already described, when the GSLB Controller receives a DNS request to resolve a sub-domain, it
replies with a list of one or more IP addresses of valid sites that are both available and that match the
site selection algorithm. This site selection algorithm is also called the Response Policy. Three
Response Policies are available: one is based on site priority and the other two are based on location.

Failover IP Address
If no sites match the Response Policy or if all sites that match the Response Policy fail the health
check, a pre-configured Failover IP address for the sub-domain is returned. This is the IP address of
a site that can accept the traffic if the other systems become unavailable.
The health of the site at the Failover IP address is not monitored.

IP Address and Location Database


In order to provide location-based Response Policies, the Barracuda Load Balancer uses a database
of IP addresses and geographical locations. This database is updated by the Location Definitions
which are part of the Energize Updates maintained by Barracuda Central.

Response Policy Options


Three Response Policies are supported: Geo IP, Region Only and By Priority. Geo IP and Region
Only are based on the location of the client. By Priority is based only on the configured priority of
the site.

- Geo IP: The GSLB Controller determines the location of the system making the request based
  on the Location Definitions and compares that to the location of each site. It returns a list of site
  IP addresses ordered from closest to furthest.
  Geo IP does not consider site priority.
- Region Only: The GSLB Controller determines the region of the system making the request
  based on the Location Definitions.
  - If the originating system is in a region that is associated with one or more sites, a list of
    the healthy site IP address(es) is returned. The most specific matches appear first in the
    list; any sites that are associated with All Countries are last in the list.
  - If the location of the originating system cannot be determined then any healthy sites that
    are associated with All Countries are returned.
  - If neither of the preceding cases identifies at least one site IP address, the Failover IP
    address is returned.
  Region Only does not consider site priority.
- By Priority: The GSLB Controller returns a list of site IP addresses ordered from lowest to
  highest priority value. Location is not considered.
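
The Response Policy rules above, modelled as an added example (not Barracuda code). The Site fields, the haversine distance standing in for the Location Definitions database, the site coordinates and the 192.0.2.10 Failover IP are assumptions; the two site addresses are the ones quoted for Figure 7.1. A located client whose region has no site of its own is treated like an unlocated client, a case the guide does not spell out.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

ALL_COUNTRIES = "All Countries"


@dataclass
class Site:
    """One site entry as this model sees it (field names are assumptions)."""
    ip: str
    healthy: bool = True           # result of the controller's health check
    priority: int = 1              # lower value is preferred (By Priority only)
    region: str = ALL_COUNTRIES    # used by Region Only
    lat: float = 0.0               # used by Geo IP
    lon: float = 0.0


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    (lat1, lon1), (lat2, lon2) = a, b
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def resolve(sites, policy, failover_ip, client_region=None, client_pos=None):
    """Return the ordered list of IP addresses the DNS answer would carry.

    Unhealthy sites never appear. If nothing is left, the answer is the
    Failover IP, which the controller does not health-check.
    """
    healthy = [s for s in sites if s.healthy]

    if policy == "By Priority":
        # Lowest priority value first; location is ignored.
        chosen = sorted(healthy, key=lambda s: s.priority)
    elif policy == "Region Only":
        # Most specific matches first, All Countries sites last.
        # client_region=None models a client whose location is unknown.
        specific = [s for s in healthy
                    if client_region is not None
                    and s.region == client_region
                    and s.region != ALL_COUNTRIES]
        catch_all = [s for s in healthy if s.region == ALL_COUNTRIES]
        chosen = specific + catch_all
    elif policy == "Geo IP":
        if client_pos is None:
            raise ValueError("Geo IP needs a client position in this model")
        # Closest to furthest; priority is ignored.
        chosen = sorted(healthy,
                        key=lambda s: distance_km(client_pos, (s.lat, s.lon)))
    else:
        raise ValueError(f"unknown Response Policy: {policy!r}")

    return [s.ip for s in chosen] or [failover_ip]


# Constructed sample configuration.
FAILOVER_IP = "192.0.2.10"
SITES = [
    Site("207.77.188.166", priority=1, region="US", lat=37.3, lon=-121.9),
    Site("216.129.205.232", priority=2, region="Europe", lat=50.1, lon=8.7),
]

if __name__ == "__main__":
    print(resolve(SITES, "Region Only", FAILOVER_IP, client_region="US"))
    print(resolve(SITES, "Region Only", FAILOVER_IP))            # unlocated client
    print(resolve(SITES, "By Priority", FAILOVER_IP))
    print(resolve(SITES, "Geo IP", FAILOVER_IP, client_pos=(48.85, 2.35)))
```

Every path that ends in the Failover IP hands clients an address whose health the controller does not check, so that site needs its own monitoring.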

Example Implementations
Following are some sample situations and how to configure the site selection algorithm for each one
on the Barracuda Load Balancer that acts as the GSLB Controller.

Disaster Recovery - Two Sites in the World


You have two sites and you want all traffic directed to one of the sites while the other is on standby
and used only in the case of the failure of the first site. Create an entry for each site giving the primary
site priority 1 (highest) and the backup priority 2. Make the Response Policy By Priority so that only
priority is considered when directing traffic.
When a query for the address of the domain name is received, a response containing one or more IP
addresses is returned. If it is operational, the primary site's IP address will be returned first in the list
and the backup site's IP address will be second. If the primary site becomes unavailable, only the
second site's IP address will be returned.
The primary site will be monitored, even after failure, so that when it becomes available then its IP
address will once again be first in the returned list.

Direct Clients to Closest Data Center


You have a number of server farms that are physically located around the world, and you want clients
to be directed to the closest healthy server farm. Make the Response Policy Geo IP to send client
requests to the geographically nearest site. If you have a backup site, set the Failover IP address to its
IP address.

Direct Clients to Specific Region


You have multiple data centers, each with region-specific content, and you want client requests from
a certain region to be directed to the data center that supports that region. Make the Response Policy
Region Only to associate requests with a region based on the location of the client and direct traffic
to the appropriate data center.
If you have a backup site, set the Failover IP address to its IP address. Content switching rules can be
used to direct HTTP traffic within the backup data center (see Directing HTTP Requests based on
Content Rules on page 50).

GSLB Regions
GSLB regions are used only if the Response Policy is Region Only, to direct traffic to data centers
with region-specific content. Add a region to a host on the Advanced > GSLB Services page so that
traffic that originates in that region is directed to the Site IP address.
A number of predefined regions are listed on the Advanced > GSLB Settings page. You can also
create a custom region by specifying a region name and then adding one or more regions from a list.

Configuring Multiple GSLB Controllers


Only one GSLB Controller is active at any one time. However, you can configure multiple GSLB
Controllers to increase the availability of your infrastructure in these two ways:

- Operate in High Availability mode, in which case all of the GSLB information is copied to the
  passive system.
- Configure one or more other Barracuda Load Balancers (or clustered pairs) as GSLB
  Controllers where:
  - Each system or clustered pair has a DNS entry pointing to it. The first available entry is
    used by a client.
  - The GSLB configuration is synchronized manually between all GSLB Controllers unless
    they are passive systems in a cluster.

Figure 7.2 shows three clustered pairs of Barracuda Load Balancers, all in different locations. Each
of these six Barracuda Load Balancers can act as GSLB Controllers and they share the same
GSLB-specific configuration. The GSLB Controllers are listed in the order they are to be used as
name servers in the DNS entry for the domain (see Steps to Install GSLB on page 69). If
in the
example becomes unavailable,
will take over as GSLB Controller. If both
and
become
unavailable,
will take over operation as the GSLB Controller, and so on.
Check Steps to Install GSLB on page 69 for instructions on how to install multiple GSLB Controllers.

Figure 7.2: Multiple GSLB Controllers


Steps to Install GSLB


Execute these tasks to design your GSLB network and to configure one or more GSLB Controllers.
Each step is described in more detail in the following sections.
Step 1: Define the layout of your GSLB network.
Step 2: If you plan to use a location-based Response Policy:
Step 2a: Define Regions (Region Only).
Step 2b: Turn on Location Definitions updates.
On each active GSLB Controller, complete Step 3.
Step 3: Set the DNS Service IP Address.
For each sub-domain to be hosted, complete Step 4.
Step 4: Delegate a sub-domain to the GSLB Controller.
For each GSLB Controller that may receive traffic for a given sub-domain and which is not the
passive system for a cluster, complete Steps 5-7.
Step 5: Configure the DNS records on the GSLB Controller to identify the sub-domains that are
being hosted.
Step 6: Choose the Response Policy.
Step 7: Enter the Failover IP address.
Step 8: Identify the rest of the sites that serve this sub-domain.

Step 1: Define the layout of your GSLB network


Decide which Barracuda Load Balancers will act as your active and passive GSLB Controllers. GSLB
Controllers must be externally accessible. They may also act as the load balancer for a server farm.
Decide whether the site selection should be based on region, geographical proximity or by preconfigured priority. Determine what will happen in the case of a site failure. Gather the IP addresses
(IP addresses of Real Servers or VIP addresses of Services) of the sites.

Step 2: Perform Location Specific Tasks


Skip the two tasks in this step if you do not intend to use a geographically-based Response Policy
(Geo IP or Region Only).
If the Response Policy is Region Only, decide which site or sites are associated with each region
where requests originate.
In either case, make sure the Location Definitions are set to automatically update on every GSLB
Controller. This setting is on the Advanced > Energize Updates page.

Step 3: Set the DNS Service IP Address


For each active GSLB Controller, select the IP address to be used as the DNS Service IP address. DNS
requests will be sent to this IP address. It must be reachable from the WAN, LAN or VLAN of the
GSLB Controller. If the GSLB Controller is in HA mode and a system failover occurs, the passive
system will assume this address and handle the requests directed to it. If the GSLB Controller is not
in HA mode, this address could be the externally reachable IP address of the GSLB Controller.
On each active GSLB Controller, go to the Advanced > GSLB Services page and enter the DNS
Service IP Address. If this is a clustered system, the passive system will be updated automatically.


Step 4: Delegate a Sub-Domain to the GSLB Controller


This step needs to be done at your domain registrar or wherever your domains are hosted.
In order to delegate a sub-domain to be resolved by the GSLB Controller, records must be added to
the zone file of the domain so that DNS requests for the sub-domain will be forwarded to the GSLB
Controller for resolution.
For example, if the domain is example.com, and you want to host www.example.com behind the
GSLB Controller, you will need to add a DNS NS (nameserver) record to associate
www.example.com with each GSLB Controller. If there are four GSLB Controllers (two active, two
passive) there are two records, one for each clustered pair:
www.example.com. IN NS ns1.www.example.com.
www.example.com. IN NS ns2.www.example.com.

Add an A (host) record for each GSLB Controller with its IP address and the domain www:
ns1.www.example.com. IN A <DNS Service IP address of first cluster>
ns2.www.example.com. IN A <DNS Service IP address of second cluster>

where <DNS Service IP address...> is the DNS Service IP address assigned to each clustered
pair. Do not enter the <>s. Do add the dot at the end of the nameserver.
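
A pre-publication check for the delegation records in this step, as an added example (not part of the guide or of any Barracuda tool). It assumes records in the `owner IN TYPE rdata` form shown above, with no TTL field and no $ORIGIN handling; the function names and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress


def parse_records(zone_text):
    """Return (owner, type, rdata) tuples for 'owner IN TYPE rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[1].upper() == "IN":
            records.append((fields[0].lower(), fields[2].upper(), fields[3].strip()))
    return records


def check_delegation(zone_text, subdomain):
    """List the problems that would break delegation of `subdomain`."""
    problems = []
    sub = subdomain.lower()
    records = parse_records(zone_text)

    ns_targets = [rdata for owner, rtype, rdata in records
                  if rtype == "NS" and owner == sub]
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata)

    if not ns_targets:
        problems.append(f"no NS record delegates {subdomain}")

    for target in ns_targets:
        # Without the trailing dot the name is relative to the zone origin,
        # so the delegation would point at <target>.<zone> instead.
        if not target.endswith("."):
            problems.append(f"NS target {target!r} has no trailing dot")
            continue
        glue = a_records.get(target.lower(), [])
        if not glue:
            problems.append(f"no A record for nameserver {target}")
        for addr in glue:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                # Catches a <...> placeholder that was never filled in.
                problems.append(f"A record for {target} is not an IPv4 address: {addr!r}")
    return problems


# Constructed samples: a correct delegation and one with two mistakes.
GOOD_ZONE = """
www.example.com. IN NS ns1.www.example.com.
www.example.com. IN NS ns2.www.example.com.
ns1.www.example.com. IN A 192.0.2.53
ns2.www.example.com. IN A 198.51.100.53
"""

BAD_ZONE = """
www.example.com. IN NS ns1.www.example.com.
www.example.com. IN NS ns2.www.example.com
ns1.www.example.com. IN A <DNS Service IP address of first cluster>
ns2.www.example.com. IN A 198.51.100.53
"""

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, check_delegation(zone, "www.example.com."))
```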

Note

The remainder of the steps are performed on the Barracuda Load Balancer(s) that may act as the
GSLB Controller. If you have a clustered GSLB Controller, you only need to do these steps on the
active system because the configuration between two clustered Barracuda Load Balancers is
synchronized automatically. If you have one or more GSLB Controllers at different locations that
are acting as backups, you must complete these steps on those GSLB Controllers as well. You
must keep the GSLB configuration synchronized between the active GSLB Controller and the
backups, but not on the passive system in any cluster.

Step 5: Create the Host DNS Record on each GSLB Controller


This step must be done on each GSLB Controller that is not a passive system in the cluster. Using the
web interface of the Barracuda Load Balancer, create the records that describe the domain or domains
that are available to the GSLB Controller.
The following example generates the A (host) record for www.example.com on the GSLB
Controller. The domain name is example.com and the host is www. This A record is initially
associated with one site IP address but more site IP addresses can be added later.


To create the DNS records on the GSLB Controller:


1. Navigate to the Advanced > GSLB Services page.

2. In the Add New GSLB Service section, supply the following information:
   - Zone Name: The zone maintained by your existing DNS server, e.g. example.com
   - Host: The host name (or sub-domain) to be resolved, e.g. www
   - Site IP: The IP address that is to receive the traffic. This may be the VIP address of a
     Service on a Barracuda Load Balancer, or the IP address of a server.
   - Region: This associates a region with the Site IP address.
     If you want the GSLB Controller to select the site based on region, select the region
     from the list. If the region you want is not already defined, add a custom region using
     the Advanced > GSLB Settings page.
     Otherwise, select All Countries from the list.

A DNS record will be created for www.example.com. Some of the fields in the record will contain
default values for settings such as the Response Policy, which you can customize by editing the entry
in the table.

Step 6: Choose the Response Policy


Response Policies are described in the section Response Policy Options on page 66.
The Response Policy is defined for a host e.g. www.example.com. Edit the Host record on the
Advanced > GSLB Services page to modify the Response Policy.

Step 7: Set the Failover IP Address


If you have a site that can handle the traffic in the case of failure of all sites that match the Response
Policy, enter its IP address as the Failover IP address in the Host record on the Advanced > GSLB
Services page.

Step 8: Identify the rest of the sites that serve this host
To configure all of the sites that can process the traffic for this host (e.g. www.example.com), go to
the Advanced > GSLB Services page and click Add New Site.
You may want to associate a new site with a region or assign a priority to it. Remember that regions
are only relevant if the Response Policy is Region Only. Similarly, priority is only considered by the
By Priority Response Policy.


Chapter 8
Managing the Barracuda Load Balancer
This chapter describes the monitoring and maintenance tasks you can do to check on performance and
to maintain the Barracuda Load Balancer. The following topics are covered:
- Administrative Settings
- Monitoring the Barracuda Load Balancer
- Maintaining the Barracuda Load Balancer
Detailed information for all options on a page in the web interface is available from the online help
for that page.


Administrative Settings
This section covers the basic administrative settings for your Barracuda Load Balancer.
- Controlling Access to the Web Interface
- Customizing the Appearance of the Web Interface
- Setting the Time Zone of the System
- Enabling SSL for Administration

Controlling Access to the Web Interface


Use the Basic > Administration page to perform the following tasks related to controlling access to
the web interface:

- Change the password of the administration account.
- Specify the IP addresses or subnet mask of the systems that can access the web interface. All
  other systems will be denied access.
- Change the port used to access the web interface.
- Change the length of time of inactivity allowed until the administrator is logged out of the web
  interface.

Use the Basic > IP Configuration page to allow or deny access to the web interface from the WAN
and LAN IP addresses, and, optionally, to configure a management IP address.

Customizing the Appearance of the Web Interface


The Advanced > Appearance page allows you to customize the images used on the web interface.
Available only for Barracuda Load Balancers model 440 and above.

Setting the Time Zone of the System


The Basic > Administration page allows you to set the time zone of your Barracuda Load Balancer.
The current time on the system is automatically updated via Network Time Protocol (NTP). When the
Barracuda Load Balancer resides behind a firewall, NTP requires port 123 to be opened for outbound
UDP traffic.
It is important that the time zone is set correctly because this information is used to coordinate traffic
distribution and in all logs and reports.
Note: The Barracuda Load Balancer automatically reboots when you change the time zone.


Enabling SSL for Administration


The Advanced > Secure Administration page allows you to configure SSL for the web interface for
your Barracuda Load Balancer.
SSL ensures that your passwords and the rest of the data transmitted to and received from the web
interface are encrypted. You can require HTTPS to be used for secure access, and you can
specify the certificate to be used.

Note

The SSL configuration referred to here is only related to the web interface. To enable SSL
offloading for a Service, refer to SSL Offloading on page 45.

In order to only allow secured connections when accessing the web interface, you need to supply a
digital SSL certificate which will be stored on the Barracuda Load Balancer. This certificate is used
as part of the connection process between client and server (in this case, a browser and the web
interface on the Barracuda Load Balancer). The certificate contains the server name, the trusted
certificate authority, and the server's public encryption key.
The SSL certificate which you supply may be either private or trusted. A private, or self-signed,
certificate provides strong encryption without the cost of purchasing a certificate from a trusted
certificate authority (CA). However, the client web browser will be unable to verify the authenticity
of the certificate and a warning will be sent about the unverified certificate. To avoid this warning,
download the Private Root Certificate and import it into each browser that accesses the Barracuda
Load Balancer web interface. You may create your own private certificate using the Advanced >
Secure Administration page.
You may also use the default pre-loaded Barracuda Networks certificate. The client web browser will
display a warning because the hostname of this certificate is barracuda.barracudanetworks.com and
it is not a trusted certificate. Access to the web interface using the default certificate may be less
secure.
A trusted certificate is a certificate signed by a trusted certificate authority (CA). The benefit of this
certificate type is that the signed certificate is recognized by the browser as trusted, thus preventing
the need for manual download of the Private Root Certificate.


Monitoring the Barracuda Load Balancer


This section describes the monitoring tasks you can perform from the web interface of the Barracuda
Load Balancer. This section covers the following topics:
- Monitoring the Health of Services and Real Servers
- Enabling or Disabling Real Servers
- Viewing Performance Statistics
- Viewing Logs
- Automating the Delivery of System Alerts and SNMP Traps
- Managing Multiple Systems with the Barracuda Cloud Control
- Viewing System Tasks

Monitoring the Health of Services and Real Servers


The Service Monitor checks the health of each Service and Real Server on an ongoing basis. Specify
which test to perform and how frequently to do the test by editing the Service or Real Server on the
Basic > Services page. The Basic > Services and Basic > Health pages display the health of all load-balanced Services and associated Real Servers.
There are many different methods available to establish the availability of a Service or Real Server.
These include TCP port check, HTTP GET request, DNS query and RADIUS test. The various tests
are fully documented in the online help.
The tests always use the configured Real Server port for the Service unless the Real Server port is set
to ALL. In that case, the tests use the default port for the test type (e.g. SMTP = 25, HTTP = 80,
DNS = 53, HTTPS = 443, IMAP = 143, POP = 110 and SNMP = 161).
If a Real Server is associated with more than one Service, but with the same test and test interval for
each Service, it will be tested once per test interval. Otherwise, it may be checked more frequently.
Unless the tests are identical, the Service Monitor performs its health checks for each Service's set of
Real Servers independently.

Monitor Groups
Monitor groups are sets of tests that are conducted on Real Servers. Use them when one test does not
give a complete picture of the health of a Real Server. You can specify a monitoring group with two
or more tests and the Service Monitor will perform all the tests in the group. The failure of any one
test means the Real Server is considered to be unavailable and it will be removed from the load-balancing pool.
Create monitor groups that contain one or more tests on the Advanced > Monitor Groups page. Then
edit the Real Server or Service. The monitor groups will appear in the Testing Methods for the
Service Detail or Real Server Detail page.


Enabling or Disabling Real Servers


You can change the state of a Real Server to either enabled, disabled or maintenance. Enable a Real
Server to make it accept new requests, connections or sessions. Disable a Real Server to terminate all
existing connections immediately or put it into maintenance mode to allow existing connections to
terminate naturally.
Disabling your Real Servers allows you to perform maintenance or to temporarily disassociate them
from a Service. A Real Server that is in disabled or maintenance mode will not accept any new
connections or requests until it is enabled.
There are two ways to change the status of a Real Server:

- Use the Disable/Maintenance/Enable actions on the Basic > Server Health page.
- Edit the Real Server on the Basic > Services page.

Remotely Administering Real Servers


To remotely administer Real Servers that are located behind the Barracuda Load Balancer, for each
Real Server, create a Service which load balances only that one Real Server. Use the VIP address for
that Service whenever you need to ssh to or perform RDP administration on that Real Server.

Viewing Performance Statistics


The Basic > Status page provides an overview of the health and performance of your Barracuda Load
Balancer, including:

- Traffic statistics, which show the number of connections or requests for various types of traffic
  since the last system reset for up to five Services.
- The subscription status of Energize Updates.
- Performance statistics, such as CPU temperature and system load. Performance statistics
  displayed in red signify that the value exceeds the normal threshold.
- Hourly and daily traffic statistics.

Viewing Logs
The Basic > Event Log page maintains a list of all noteworthy events that affect the operation of the
Barracuda Load Balancer, such as attacks upon various Services and status changes for a Real Server.
You can view the Syslog, which contains administrative updates such as logins and configuration
changes as well as all of the system events contained in the Event Log, using the Advanced > Syslog
page. You can also enter an IP address where the syslog output can be directed.
If Intrusion Prevention System is enabled, you can look at messages related to it in the Intrusion
Prevention Log on the Basic > Intrusion Prevention page.


Automating the Delivery of System Alerts and SNMP Traps


The Basic > Administration page allows you to configure the Barracuda Load Balancer to
automatically email notifications to the addresses you specify. To enter multiple addresses, separate
each address with a comma. An email notification is generated if the number of operating Real
Servers for a Service falls below a preset threshold.
You can also configure SNMP traps to be generated when certain events occur. Go to the Advanced
> SNMP Configuration page to see the list of possible traps.

SNMP Monitoring
Using the Barracuda Load Balancer SNMP agent, you can use an SNMP monitor to query the system
for a variety of statistics such as the number of current connections, bandwidth, and system CPU
temperature.
SNMP v2c and SNMP v3 are both supported by the SNMP agent. SNMP v2c queries and responses
are not encrypted, so v2c is the less secure of the two. When using SNMP v3, traffic is encrypted and
you can allow access only by specified users with passwords.
For more information about monitoring the Barracuda Load Balancer using SNMP, see the technical
paper SNMP Monitoring for the Barracuda Load Balancer located at
http://www.barracudanetworks.com/documentation.

Managing Multiple Systems with the Barracuda Cloud Control


Barracuda Cloud Control enables administrators to manage, monitor, and configure multiple
Barracuda Load Balancers (firmware version 3.6 and higher) at one time from one console. You can
connect one or more Barracuda Load Balancers to Barracuda Cloud Control by doing the following:
1. If you don't already have an account with Barracuda Networks, visit
http://login.barracudanetworks.com to create one.

2. Make a note of your username (email address) and password.

3. Log into your Barracuda Load Balancer as the administrator. On the Advanced > Firmware
Upgrade page, verify you have the latest firmware installed. If not, download and install it now.

4. From the Advanced > Cloud Control page, enter the Barracuda Networks username and
password you created and click Yes to connect to Barracuda Cloud Control. Note that your
Barracuda Load Balancer can connect with only one Barracuda Cloud Control account at a time.

5. Log into Barracuda Cloud Control with your username and password. The Barracuda Load
Balancer statistics display in the Basic > Status page. To access the web interface of your
Barracuda Load Balancer, click on the link in the Products column in the pane on the left side of
the page, or you can click on the product name in the Product column of the Unit Health pane on
the right side of the page.

6. Follow steps 3 and 4 to connect every subsequent Barracuda Load Balancer to Barracuda Cloud
Control.

To disconnect your Barracuda Load Balancer from Barracuda Cloud Control, go to the Advanced >
Cloud Control page, enter the Barracuda Cloud Control username and password, and click No for
Connect to Barracuda Cloud Control. Do this when a loss of connectivity between the appliance and
Barracuda Cloud Control is expected because the appliance is being physically moved or because of
other network connectivity issues.

Viewing System Tasks


The Advanced > Task Manager page provides a list of tasks that are in the process of being performed
and also displays any errors encountered when performing these tasks.
Some of the tasks that the Barracuda Load Balancer tracks include:

Cluster setup
Configuration restoration

If a task takes a long time to complete, you can click the Cancel link next to the task name and then
run the task at a later time when the system is less busy.
The Task Errors section lists an error until you manually remove it from the list.


Maintaining the Barracuda Load Balancer


This section describes how to manage and maintain your Barracuda Load Balancer using the web
interface. This section covers the following topics:
Backing up and Restoring Your System Configuration
Updating the Firmware of Your Barracuda Load Balancer
Updating the Intrusion Prevention Rules Using Energize Updates
Replacing a Failed System
Reloading, Restarting, and Shutting Down the System
Using the Built-in Troubleshooting Tools
Rebooting the System in Recovery Mode

Backing up and Restoring Your System Configuration


Use the Advanced > Backup page to back up and restore Barracuda Load Balancer configuration. You
should back up your system on a regular basis in case you need to restore this information on a
replacement Barracuda Load Balancer or in the event your current system data becomes corrupt.
If you are restoring a backup file on a new Barracuda Load Balancer that is not configured, you need
to assign your new system an IP address and DNS information on the Basic > IP Configuration page.
Note the following about the backup file:

Do not edit backup files. Any configuration changes you want to make need to be done through
the web interface. The configuration backup file contains a checksum that prevents the file from
being uploaded to the system if any changes are made.
You can safely view a backup file in Windows WordPad or Microsoft Word. You should avoid
viewing backup files in Windows Notepad because the file can become corrupted if you save the
file from this application.
The following information is not included in the backup file:
System password
System IP information
DNS information

Updating the Firmware of Your Barracuda Load Balancer


The Advanced > Firmware Update page allows you to manually update the firmware version of the
system or revert to a previous version. The only time you should revert back to an old firmware
version is if you recently downloaded a new version that is causing unexpected problems. In this case,
call Barracuda Networks Technical Support before reverting back to a previous firmware version.
If you have the latest firmware version already installed, the Download Now button is disabled.
If you have two Barracuda Load Balancers configured in High Availability mode, update the
firmware on the passive Barracuda Load Balancer first, then update the firmware on the active
Barracuda Load Balancer. The passive Barracuda Load Balancer becomes operational when the
active system is rebooted, thus maintaining availability.
If your Barracuda Load Balancers are not in High Availability mode, applying a new firmware
version results in a temporary loss of service. For this reason, you should apply new firmware versions
during non-busy hours.

Updating the Intrusion Prevention Rules Using Energize Updates


The Advanced > Energize Updates page allows you to manually update the Intrusion Prevention
System rules, as well as change the interval at which the Barracuda Load Balancer checks for updates.
We recommend that the Automatically Update setting be set to Hourly so your Barracuda Load
Balancer receives the latest rules as soon as new threats are identified by Barracuda Central.

Replacing a Failed System


Before you replace your Barracuda Load Balancer, use the tools provided on the Advanced >
Troubleshooting page to try to resolve the problem.
In the event that a Barracuda Load Balancer fails and you cannot resolve the issue, customers that
have purchased the Instant Replacement service can call Technical Support and arrange for a new unit
to be shipped out within 24 hours.
After receiving the new system, ship the old Barracuda Load Balancer back to Barracuda Networks
at the address below with an RMA number marked clearly on the package. Barracuda Networks
Technical Support can provide details on the best way to return the unit.
Barracuda Networks
3175 S. Winchester Blvd
Campbell, CA 95008
Note: To set up the new Barracuda Load Balancer so it has the same configuration as your old failed
system, restore the backup file from the old system onto the new system, and then manually
configure the new system's IP information on the Basic > IP Configuration page. For information
on restoring data, refer to Backing up and Restoring Your System Configuration on page 80.

Reloading, Restarting, and Shutting Down the System


The System Reload/Shutdown section on the Basic > Administration page allows you to shut down,
restart, and reload system configuration on the Barracuda Load Balancer.
Shutting down the system powers off the unit. Restarting the system reboots the unit. Reloading the
system re-applies the system configuration.
You can also reboot the Barracuda Load Balancer models 240, 340 and 440 by pressing RESET on
the front panel of the Barracuda Load Balancer. Do not press and hold the RESET button for more
than a couple of seconds. Holding it for five seconds or longer changes the IP address of the system.
Pressing RESET for five seconds sets the WAN IP address to 192.168.200.200. Pressing RESET for
eight seconds changes the WAN IP address to 192.168.1.200. Pressing the button for 12 seconds
changes the WAN IP address to 10.1.1.200.


Using the Built-in Troubleshooting Tools


The Advanced > Troubleshooting page provides various tools that help troubleshoot network
connectivity issues that may be impacting the performance of your Barracuda Load Balancer.
You can ping other devices from the Barracuda Load Balancer, perform a traceroute from the
Barracuda Load Balancer to any other system, and execute other tests.

Rebooting the System in Recovery Mode


If your Barracuda Load Balancer experiences a serious issue that impacts its core functionality, you
can use diagnostic and recovery tools that are available at the reboot menu to return your system to
an operational state.
Before you use the diagnostic and recovery tools, do the following:

Use the built-in troubleshooting tools on the Advanced > Troubleshooting page to help diagnose
the problem.
Perform a system restore from the last known good backup file.
Contact Barracuda Networks Technical Support for additional troubleshooting tips.

As a last resort, you can reboot your Barracuda Load Balancer and run a memory test or perform a
complete system recovery, as described in this section.
To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your Barracuda Load Balancer.

2. Reboot the system by doing one of the following:

    Click Restart on the Basic > Administration page.
    Press the Power button on the front panel to turn off the system, and then press the Power
    button again to turn the system back on.

The Barracuda splash screen displays with the following three boot options:

    Barracuda
    Recovery
    Hardware_Test

3. Use your keyboard to select the desired boot option, and press Enter.
You must select the boot option within three seconds of the splash screen appearing. If you do
not select an option within three seconds, the Barracuda Load Balancer defaults to starting up in
the normal mode (first option).
For a description of each boot option, refer to Reboot Options on page 83.


Reboot Options
Table 8.1 describes the options available at the reboot menu.

Table 8.1: Reboot Options

Reboot Option - Description

Barracuda - Starts the Barracuda Load Balancer in the normal (default) mode. This option is
automatically selected if no other option is specified within the first three (3)
seconds of the splash screen appearing.

Recovery - Displays the Recovery Console where you can select the following options:

    Perform file system repair - Repairs the file system on the Barracuda Load
    Balancer.
    Perform full system re-image - Restores the factory settings on your
    Barracuda Load Balancer and clears out all configuration information.
    Enable remote administration - Initiates a connection to Barracuda Central
    that allows Barracuda Networks Technical Support to access the system.
    Another method for enabling this troubleshooting connection is to click
    Establish Connection to Barracuda Central on the
    Advanced > Troubleshooting page.
    Run diagnostic memory test - Runs a diagnostic memory test from the
    operating system. If problems are reported when running this option, we
    recommend running the Hardware_Test option next.

Hardware_Test - Performs a thorough memory test that shows most memory related errors within a
two-hour time period. The memory test is performed outside of the operating
system and can take a long time to complete.
Reboot your Barracuda Load Balancer to stop the hardware test. You may do this
by pressing Ctrl-Alt-Del on the keyboard. You can also reboot a model 240, 340
or 440 by pressing the RESET button on the front panel of the appliance.


Appendix A
Extended Match and Condition Expressions
Extended Match and Condition expressions can be used in content rules, HTTP request rewrite rules and
HTTP response rewrite rules. To learn more about these rules, all of which apply only to Layer 7 HTTP(S) Services, see the following:

Directing HTTP Requests based on Content Rules on page 50


Modifying HTTP Requests and Responses on page 52.

This appendix documents the syntax of the extended match and condition expressions.
A few examples:
Header Host co example.com - match a request whose Host header contains example.com
Parameter userid ex - match any request in which the parameter 'userid' is present
(Header Host eq www.example.com) && (Client-IP eq 10.0.0.0/24) - match a
request whose host header is www.example.com and the requesting client's IP address is in the
10.0.0.* subnet.

Quick reference

Expression:
    Element Match
    (Expression) [Join (Expression) ...]
Join:
    &&, ||
Element Match:
    Element [Element Name] Operator [Value]
Element:
    Request Elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header
    Request Parameters: Parameter, Pathinfo
    Response Elements: Status-code, Response-Header
Operator:
    Matching: eq, neq, req, nreq
    Containing: co, nco, rco, nrco
    Existence: ex, nex


Structure of an Extended Match or Condition Expression


The following explains the components of an Extended Match or Condition expression.
An expression consists of one or more Element Matches, combined using Join operators to indicate
AND and OR operations to combine the Element Matches. Parentheses must be used to delimit
individual Element Matches when using join operators. Parentheses can be nested.
An Element Match consists of an Element, an optional Element Name, an Operator followed by an
optional Value. Some elements like Header require an Element Name like User-Agent, whereas
some elements like HTTP-Version require no further qualification. Also, some operators like eq
(stands for equals) require a value, whereas some operators like ex (stands for exists) require
no value.
Tokens are delimited by space and the parenthesis characters. Double quotes (") can be used to
enclose single tokens which contain parenthesis characters or spaces. The back-slash character can
also be used to escape, that is, remove the special meaning of the special characters (space and
parentheses).

Operators
The following are the possible operators in an Element Match. The operators are case insensitive; for
example, eq, Eq and EQ are all treated the same.

eq - true if the operand is equal to the given value. A case insensitive string comparison is
performed. Thus, a value of 01 is not the same as a value of 1, whereas values one and
ONE are treated the same.
neq - true if the operand is not equal to the given value. A case insensitive string comparison is
performed.
co - true if the operand contains the given value.
nco - true if the operand does not contain the given value.
rco - true if the operand contains the given value, which is treated as a regular expression.
nrco - true if the operand does not contain the given value, which is treated as a regular
expression.
req - true if the operand matches the given value, which is treated as a regular expression.
nreq - true if the operand does not match the given value, which is treated as a regular
expression.
ex - true if the operand exists. A value is not required
nex - true if the operand does not exist. A value is not required


Elements
The following are the different Elements allowed in the expression. Elements and Element Names are
case insensitive, so Method and METHOD are treated the same.

Method - The HTTP Method that was received in the request. Example: (Method eq GET)
HTTP-Version - This refers to the version of the HTTP protocol of the request. Example:
(HTTP-Version eq HTTP/1.1)
Header - An HTTP header in the request. An Element Name to identify which header is
required to follow the word Header. Example: (Header Accept co gzip). This will check if the
Accept: header contains the string gzip.
Client-IP - This refers to the IP address of the client sending the request. The IP address can be
either host IP address or subnet IP address specified by a mask. Only eq and neq operations
are possible for this element. Examples: (client-ip eq 192.168.1.0/24), (Client-IP eq
192.168.1.10)
URI - The URI is the Uniform Resource Identifier in the request. This includes any query
parameters in the request. Example: (URI rco /abc.*html?userid=b)
URI-path - This refers to the path portion of the URI, which excludes any query parameters.
Example: (URI-path req \/.*copy%20[^/]*)
Pathinfo - This refers to the portion of URL which is interpreted as PATH_INFO on the server.
The Barracuda Load Balancer uses a set of known extensions to determine whether a portion of
the URL is a Pathinfo or not. For example, if the request URL is /twiki/view.cgi/Engineering,
then, /Engineering is considered to be the pathinfo rather than part of the URL. Example:
(PathInfo rco abc*)
Parameter - This refers to a parameter in the query string part of the URL. the servers as a
name-value pair. The special parameter $NONAME_PARAM is used to refer to the case
where the parameter name is absent. Examples: (Parameter sid eq 1234), (Parameter
$NONAME_PARAM co abcd)
Status-code - This refers to the status code of the response returned by the servers. Example:
(status-code eq 302)
Response-header - This refers to the HTTP response header in the response. The term
Response-header should be followed by the name of the header on which the action is to be
applied. Example: (Response-Header Set-Cookie co sessionid)

Each expression may use only some of these elements. The following restrictions apply:

The Extended Match expression in the Content Rules can use these elements: Method,
HTTP-Version, Header, Client-IP, URI, URI-Path, Pathinfo and Parameters.
Request Rewrite Condition allows these elements: Method, HTTP-Version, Header, Client-IP,
Parameter, Pathinfo and URI.
Response Rewrite Condition allows these elements: Header, Status-code and Response-Header.


Joins
Each expression can be joined with another expression by one of the following:

|| - True if either of the expressions is true.


&& - True only if both the expressions are true.

Combining
More than one Element Match can be combined together by using the join operators || and &&
provided the Element Matches are enclosed in parentheses. Combining Element Matches without
parentheses is not allowed. Example: (Header cookie ex) && (URI rco .*\.html) &&
(Method eq GET)

Nested sub-expressions can be created by enclosing parentheses within expressions. This makes the
expression more readable as well as unambiguous. Example: (HTTP-Version eq HTTP/1.1) &&
((Header Host eq www.example.com) || (Header Host eq website.example.com))

Escaping
The space character and the parentheses characters are special characters since they cause the parser
to split the string into tokens at these separators. In some cases, it is required to specify these
characters as part of the value itself. For example, the User-Agent header typically contains both
spaces and parentheses, as in:
User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3
The spaces and parenthesis characters in such cases must be escaped by prefixing these characters
with a back-slash (\), or the entire value can be enclosed in double-quotes ("). Examples:

Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3"

Header User-Agent eq Mozilla/5.0\ \(Linux\ i686;\ en-US;\ rv:1.8.1.3\)\ Firefox/2.0.0.3

To specify the double-quote character itself, it must be escaped with a back-slash. This is true inside
a quoted string, or a non-quoted string. Note that the single quote character has no special meaning,
and is treated as any other character.
To specify the back-slash character itself, it must be escaped as \\. This is true within quoted strings
or non-quoted strings.
The back-slash character escapes all characters, not just the special characters. Thus, \c stands for
the character c etc. In other words, back-slash followed by any character stands for the character,
whether or not that character has a special meaning in the syntax.
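
The tokenizing, escaping and join rules described in this appendix, as an added example (not Barracuda's parser): a small Python evaluator for checking an expression against a constructed request before entering it in the web interface. Assumptions: Python's re module stands in for the appliance's regular-expression dialect, req is taken to mean a whole-operand match, co compares case-insensitively, joins at one nesting level run left to right, an absent operand fails every positive test, and the function names and request layout are this example's own; Pathinfo and the response elements are left out.

```python
import ipaddress
import re

NAMED = {"header", "parameter"}           # elements followed by an Element Name
PLAIN = {"method", "http-version", "client-ip", "uri", "uri-path"}
TESTS = {                                 # positive form of each operator family
    "eq": lambda got, val: got.lower() == val.lower(),           # case-insensitive
    "co": lambda got, val: val.lower() in got.lower(),           # assumption: same
    "rco": lambda got, val: re.search(val, got) is not None,
    "req": lambda got, val: re.fullmatch(val, got) is not None,  # whole operand
}

def tokenize(expr):
    """Split on spaces and parentheses; honour "quoted tokens" and back-slash escapes."""
    tokens, cur, in_quotes, chars = [], None, False, iter(expr)
    for ch in chars:                      # cur stays None until a token has started
        if ch == "\\":                    # the next character loses any special meaning
            cur = (cur or "") + next(chars, "")
        elif ch == '"':                   # quotes delimit a token and are not part of it
            in_quotes, cur = not in_quotes, cur or ""
        elif in_quotes or ch not in " ()":
            cur = (cur or "") + ch
        else:                             # unquoted space or parenthesis ends the token
            if cur is not None:
                tokens.append(("word", cur))
            cur = None
            if ch != " ":
                tokens.append((ch, ch))
    if in_quotes:
        raise ValueError("unterminated double quote")
    return tokens + ([("word", cur)] if cur is not None else [])

def match(words, req):
    """Evaluate one Element Match: Element [Element Name] Operator [Value]."""
    words = list(words)
    element = words.pop(0).lower() if words else ""
    if element not in NAMED | PLAIN:
        raise ValueError(f"unsupported element {element!r}")
    name = words.pop(0).lower() if element in NAMED and words else ""
    op = words.pop(0).lower() if words else ""
    negate = op.startswith("n")
    base = op[1:] if negate else op
    if base != "ex" and base not in TESTS:
        raise ValueError(f"unknown operator {op!r}")
    if len(words) > 1 or (not words and base != "ex"):
        raise ValueError(f"{op}: expected one value, got {words}; quote or escape it")
    if element in NAMED:                  # sketch stores the nameless parameter under ""
        got = req[element].get("" if name == "$noname_param" else name)
    else:
        got = req.get(element)
    if base == "ex":
        hit = got is not None
    elif element == "client-ip":
        if base != "eq":
            raise ValueError("Client-IP allows only eq and neq")
        hit = ipaddress.ip_address(got) in ipaddress.ip_network(words[0], strict=False)
    else:                                 # assumption: an absent operand never matches
        hit = got is not None and TESTS[base](got, words[0])
    return hit != negate

def evaluate(expr, req):
    """Parse an expression and evaluate it against a request dict (joins run left to right)."""
    toks, pos = tokenize(expr), 0
    def term():                           # returns (result, was_parenthesized)
        nonlocal pos
        if pos < len(toks) and toks[pos][0] == "(":
            pos += 1
            result = expression()
            if pos >= len(toks) or toks[pos][0] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return result, True
        start = pos
        while pos < len(toks) and toks[pos][0] == "word":
            pos += 1
        return match([w for _, w in toks[start:pos]], req), False
    def expression():
        nonlocal pos
        result, paren = term()
        while pos < len(toks) and toks[pos] in (("word", "&&"), ("word", "||")):
            join, pos = toks[pos][1], pos + 1
            rhs, rhs_paren = term()
            if not (paren and rhs_paren):
                raise ValueError("joined Element Matches must be in parentheses")
            result = (result and rhs) if join == "&&" else (result or rhs)
        return result
    result = expression()
    if pos != len(toks):
        raise ValueError(f"unexpected token {toks[pos][1]!r}")
    return result

# Constructed sample request (not captured traffic); header and parameter names lower-cased.
SAMPLE = {
    "method": "GET", "http-version": "HTTP/1.1", "client-ip": "10.0.0.7",
    "uri": "/ad?xxx", "uri-path": "/ad", "parameter": {"": "xxx"},
    "header": {"host": "www.example.com", "user-agent":
               "Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3"},
}
```

Passing the User-Agent value without quotes or back-slashes raises ValueError here, which is the mistake the escaping rules guard against: the value would otherwise be cut at the first space.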


Macro Definitions
The Barracuda Load Balancer supports several macros to assist in configuring policies. The following
table describes these macros arranged by the areas where they can be used. The URI in these cases
does not include the host.

Table A.1: Macro Definitions

Name - Description

Request Rewrites

$SRC_ADDR - Inserts the source (client) IP address. You can use it for the new value
(Rewrite Value parameter) when inserting or rewriting a header.

$URI - Should be specified in the new value, if you are rewriting or redirecting the
URI. $URI specifies the complete request URI including the query string.

$AUTH_USER - Adds the username.*

$AUTH_PASSWD - Adds the password.*

$AUTH_GROUPS - Adds the user roles.*

*Note:
(1) The URL is not protected, i.e. access-control or authentication is off. The
value substituted for the above three macros will be the special string
NCURLNotProtected.
(2) The client has not logged in. The value substituted for the above three
macros will be the special string NCNoUserSession.
(3) The user does not belong to any groups. The value substituted for
$AUTH_GROUPS will be the special string NCNOUserRoles.

URL ACLs

$NONAME_PARAM - Inserts a parameter with no name (see No Name Parameters on page 90)


No Name Parameters
There might be times when you want to configure a parameter without a name. For example, consider
a site that pops up an advertising window when a user lands there. A Javascript adds a query string
that results in the following GET request:
GET /ad?xxx

Note

The Barracuda Load Balancer does not learn no name parameters such as query strings like
"GET /ad?0" added by a Javascript. Workaround: Add a null value URL ACL.

The Barracuda Load Balancer treats xxx as the value of a parameter. In this case, you cannot create
an exception rule based on the xxx value because there is no way to associate it with a named
parameter.
To address such situations (that is, requests with parameter name-value pairs of the type ?xxx or
?=xxx where xxx is the value), you can use a special token: $NONAME_PARAM (case insensitive).
This token allows you to create an expression for a parameter without a name as in the following
examples:
set = parameter $NONAME_PARAM ex
set = parameter $NONAME_PARAM eq 0
set = parameter $noname_param co xxx


Appendix B
Internet Protocol Version 6 (IPv6)
The Barracuda Load Balancer supports IPv6 as well as IPv4. This appendix describes the following:
Using IPv6


Using IPv6
To enable IPv6 support, go to the Basic > IP Configuration page and enable it. Using the same page,
assign IPv6 addresses to the relevant interfaces. Only then can you connect to an IPv6 network.
The following table lists the combinations of IPv6 and IPv4 interfaces to Services and Real Servers
that can be used when IPv6 is enabled:

Table B.1: IPv6 and IPv4 interface combinations

VIP Address   Real Server Addresses   Use Case
IPv6          IPv6                    Used when the complete network setup is being migrated to support IPv6 based addressing.
IPv6          IPv4                    Used when you wish to publish IPv6 addresses for web applications without changing the addressing in your internal network.
IPv4          IPv6                    Used when third party applications connecting to your applications are not yet ready to communicate via IPv6.
IPv4          IPv4                    Used in current deployments without any IPv6 support.

IPv6 is not supported in these two areas:

Connecting to the Barracuda Networks Technical Support Center via a support tunnel is not
possible using IPv6 addresses. If you need to do this, make sure you have IPv4 addresses
configured for the WAN and LAN IP addresses on the BASIC > IP Configuration page.
IPv6 addresses cannot be configured on the Administrative Console.


Appendix C
Barracuda Load Balancer Hardware
This appendix provides hardware information for the Barracuda Load Balancer. The following topics
are covered:
Front Panel of the Barracuda Load Balancer
Barracuda Load Balancer Models 240, 340, and 440
Barracuda Load Balancer Model 640
Back Panel of the Barracuda Load Balancer Models 240, 340 and 440
Power Requirements
Hardware Compliance


Front Panel of the Barracuda Load Balancer


The appliances vary in appearance according to their model numbers, as described in this section.

Barracuda Load Balancer Models 240, 340, and 440


Figure C.1 shows the front components on the Barracuda Load Balancer 240, 340, and 440.

Figure C.1: Barracuda Load Balancer Front Panel for 240, 340 and 440 models
(Labeled components: WAN, LAN, System, Disk Light, Reserved)

Table C.1 describes the front components.

Table C.1: Front Panel Descriptions for Barracuda Load Balancer 240, 340, and 440

Label          Description
WAN            Port for WAN connection
LAN            Port for LAN connection
System         Displays system power
Reserved       Reserved for future use
Disk Light     Shows disk activity
Power Light    Displays system power
Reset          Resets the Barracuda Load Balancer
Power Button   Powers on/off the Barracuda Load Balancer


Barracuda Load Balancer Model 640


Figure C.2 shows the front components as described in Table C.2. The power switch is on the back
of the appliance. There is no reset button on this model.

Figure C.2: Barracuda Load Balancer Front Panel for model 640
(Labeled components: Serial, Power Light, Disk Light, USB, Mgmt, WAN, Ports 1 to 10)

Table C.2 describes the front components on the Barracuda Load Balancer 640.

Table C.2: Front Panel Descriptions for Barracuda Load Balancer 640

Label          Description
Serial         Can be used to access the administrative console. The settings are 9600/8-N-1.
Power Light    Displays system power
Disk Light     Shows disk activity
USB            Reserved for future use
MGMT           Can be used as a management port. If there is no port with this label, use the Ethernet port on the back for management.
WAN            Port for WAN connection
Ports          Connect these ports to the Real Servers


Back Panel of the Barracuda Load Balancer Models 240, 340 and 440

Figure C.3 illustrates the back panel which is described in Table C.3.

Figure C.3: Barracuda Load Balancer Models 240, 340 and 440 Back Panel

Table C.3: Barracuda Load Balancer Back Component Descriptions

Component Name   Description
Power Supply     Connection for the AC power cord; standard power supply
Fan              Location of the fan
Mouse Port       Connection for the mouse
Keyboard Port    Connection for the keyboard
Serial Port      Connection for the serial console cable. The settings are 9600/8-N-1.
Parallel Port    Connection for the parallel cable
Monitor Port     Connection for the monitor
USB Ports (4)    Reserved for future use
Ethernet Port    Can be used as a management port

Power Requirements
AC input voltage 100-240 volts
Frequency 50/60 Hz


Hardware Compliance
This section contains compliance information for the Barracuda Load Balancer hardware.

Notice for the USA


Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This
device complies with part 15 of the FCC Rules.
Operation is subject to the following conditions:
1. This device may not cause harmful interference, and

2. This device must accept any interference received including interference that may cause
undesired operation. If this equipment does cause harmful interference to radio or television
reception, which can be determined by turning the equipment off and on, the user is encouraged
to try one or more of the following measures:

Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Plug the equipment into an outlet on a circuit different from that of the receiver.
Consult the dealer or an experienced radio/television technician for help.

Notice for Canada


This apparatus complies with the Class B limits for radio interference as specified in the Canadian
Department of Communication Radio Interference Regulations.

Notice for Europe (CE Mark)


This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).


Appendix D
Limited Warranty and License
Barracuda Networks Limited Hardware Warranty (v 2.1)
Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor
selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc.,
("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case
of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original
shipment by Barracuda Networks, Inc.), and continuing for a period of one (1) year: (a) its products
(excluding any software) will be free from material defects in materials and workmanship under
normal use; and (b) the software provided in connection with its products, including any software
contained or embedded in such products will substantially conform to Barracuda Networks' published
specifications in effect as of the date of manufacture. Except for the foregoing, the software is
provided as is. In no event does Barracuda Networks warrant that the software is error free or that
Customer will be able to operate the software without problems or interruptions. In addition, due to
the continual development of new techniques for intruding upon and attacking networks, Barracuda
Networks does not warrant that the software or any equipment, system or network on which the
software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only
to you the original buyer of the Barracuda Networks product and is non-transferable.

Exclusive Remedy
Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited
warranty shall be, at Barracuda Networks' or its service center's option and expense, the repair,
replacement or refund of the purchase price of any products sold which do not comply with this
warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new
equipment substituted at Barracuda Networks' option. Barracuda Networks' obligations hereunder are
conditioned upon the return of affected articles in accordance with Barracuda Networks' then-current
Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at
Barracuda Networks' discretion, and shall be furnished on an exchange basis. All parts removed for
replacement will become the property of Barracuda Networks. In connection with warranty services
hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to
you to improve its reliability or performance. The warranty period is not extended if Barracuda
Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the
availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO
EVENT SHALL BARRACUDA NETWORKS' LIABILITY EXCEED THE PRICE PAID FOR THE
PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING
SOFTWARE, OR ITS DOCUMENTATION.

Exclusions and Restrictions


This limited warranty does not apply to Barracuda Networks products that are or have been (a)
marked or identified as "sample" or "beta," (b) loaned or provided to you at no cost, (c) sold "as is,"
(d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or
maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to
abnormal physical or electrical stress, misuse, negligence or to an accident.
EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER
WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA
NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED
WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS,
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR
ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT
FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE
SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT
WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE
UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY
ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE,
BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS
PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH
BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF
VULNERABILITY TO INTRUSION OR ATTACK.

Barracuda Networks Software License Agreement (v 2.1)


PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY
BEFORE USING THE BARRACUDA NETWORKS SOFTWARE. BY USING THE
BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS
LICENSE. IF YOU ARE A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN
THE SOFTWARE LICENSE GRANTED UNDER THIS AGREEMENT IS EXPRESSLY
CONDITIONED UPON ACCEPTANCE BY A PERSON WHO IS AUTHORIZED TO SIGN FOR
AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE
ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE
THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY
RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL
REFUND TO YOUR PLACE OF PURCHASE.
1. The software and documentation, whether on disk, in flash memory, in read only memory, or on
any other media or in any other form (collectively "Barracuda Software") is licensed, not sold, to you
by Barracuda Networks, Inc. ("Barracuda") for use only under the terms of this Agreement, and
Barracuda reserves all rights not expressly granted to you. The rights granted are limited to
Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent
or intellectual property rights. You own the media on which the Software is recorded but Barracuda
retains ownership of the Software itself. If you have not completed a purchase of the Software and
made payment for the purchase, the Software may only be used for evaluation purposes and may not
be used in any production capacity. Furthermore the Software, when used for evaluation, may not be
secure and may use publicly available passwords.
2. Permitted License Uses and Restrictions. If you have purchased a Barracuda Networks hardware
product, this Agreement allows you to use the Software only on the single Barracuda labeled
hardware device on which the software was delivered. You may not make copies of the Software.
You may not make a backup copy of the Software. If you have purchased a Barracuda Networks
Virtual Machine you may use the software only in the licensed number of instances of the licensed
sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup
copies of the Software. If you have purchased client software you may install the software only on
the number of licensed clients. You may make a reasonable number of backup copies of the Software.
For all purchases you may not modify or create derivative works of the Software except as provided
by the Open Source Licenses included below. You may not make the Software available over a
network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided
in the documentation, your use of the Software shall be limited to use on a single hardware chassis,
on a single central processing unit, as applicable, or use on such greater number of chassis or central
processing units as you may have paid Barracuda Networks the required license fee; and your use of
the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda
Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e.
users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and
outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your
use of the Software shall also be limited by any other restrictions set forth in your purchase order or
in Barracuda Networks' product catalog, user documentation or Web site for the Software. The
BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF
NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE
SUPPORT MACHINES, OR OTHER EQUIPMENT IN WHICH FAILURE COULD LEAD TO
DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE
NOT TO USE IT IN ANY OF THESE OPERATIONS.
3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so.
YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS
AND OBLIGATIONS UNDER THIS AGREEMENT. You agree that you will have no right and will
not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii)
sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time
sharing basis or other remote access system whereby third parties other than you can use or benefit
from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile
or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run
the Software on more computers than you have purchased license to; (vi) operate the Software in a
fashion that exceeds the capacity or capabilities that were purchased by you.
4. THIS AGREEMENT SHALL BE EFFECTIVE UPON INSTALLATION OF THE SOFTWARE
OR PRODUCT AND SHALL TERMINATE UPON THE EARLIER OF: (A) YOUR FAILURE TO
COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR
DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda
Networks and your obligations shall survive any termination of this Agreement. Upon termination of
this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all
copies of the Software have been destroyed or deleted from any of your computer libraries, storage
devices, or any other location.
5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA
SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO
SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE
BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT
WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES
AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER
EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF
SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND
OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS. BARRACUDA DOES NOT
WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE
PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL
MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR FREE OR
CONTINUOUS, THAT CURRENT OR FUTURE VERSIONS OF ANY OPERATING SYSTEM
WILL BE SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR
WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA
REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA
SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY
SERVICING, REPAIR, OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS
SHALL ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE WHICH
WERE CAUSED BY IMPROPER OPERATION, USE OF UNSUITABLE RESOURCES,
ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE
INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN
ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR
INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT
WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON
WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION
OR ATTACK. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL
PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY
PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR
CONTROL THAT ARE UTILIZED IN ANY BARRACUDA PRODUCT.
6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE ABSOLUTE AND
UNILATERAL RIGHT AT ITS SOLE DISCRETION TO DENY USE OF, OR ACCESS TO
BARRACUDA SOFTWARE, IF YOU ARE DEEMED BY BARRACUDA TO BE USING THE
SOFTWARE IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA OR IN
VIOLATION OF ANY LAW.
7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT
SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL
SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS
INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT
OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA
SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND
EVEN IF BARRACUDA HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. In no
event shall Barracuda's total liability to you for all damages exceed the amount of one hundred
dollars. The following terms govern your use of the Energize Update Software except to the extent a
particular program (a) is the subject of a separate written agreement with Barracuda Networks or (b)
includes a separate "click-on" license agreement as part of the installation and/or download process.
To the extent of a conflict between the provisions of the foregoing documents, the order of precedence
shall be (1) the written agreement, (2) the click-on agreement, and (3) this Energize Update Software
License.
8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD PARTY TO)
COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT, DISTRIBUTE, OR BURN TO CD
(OR ANY OTHER MEDIUM) ANY COPYRIGHTED CONTENT THAT YOU ACCESS OR
RECEIVE THROUGH USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU
ASSUME ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF
COPYRIGHTED CONTENT. You agree not to publish any benchmarks, measurements, or reports
on the product without Barracuda Networks' written express approval.
9. Third Party Software. Some Software which supports Bare Metal Disaster Recovery of Microsoft
Windows Vista and Microsoft Windows 2008 Operating Systems (DR6) contains and uses
components of the Microsoft Windows Pre-Installation Environment (WINPE) with the following
restrictions: (i) the WINPE components in the DR6 product are licensed and not sold and may only
be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda and its suppliers reserve
all rights not expressly granted; (iv) license to use DR6 and the WINPE components is limited to use
of the product as a recovery utility program only and not for use as a general purpose operating
system; (v) Reverse engineering, decompiling or disassembly of the WINPE components, except to
the extent expressly permitted by applicable law, is prohibited; (vi) DR6 contains a security feature
from Microsoft that will automatically reboot the system without warning after 24 hours of
continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and
Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6
is subject to U.S. export jurisdiction.

10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and
the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use
any such trademarks for any purpose.

11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written
consent of Barracuda Networks, (b) complying with applicable export control laws, including, but not
limited to, restrictions and regulations of the Department of Commerce or other United States agency
or authority and the applicable EU directives, and (c) obtaining any necessary permits and licenses.
In any event, you may not transfer or authorize the transfer of the Software to a prohibited territory
or country or otherwise in violation of any applicable restrictions or regulations. If you are a United
States Government agency the Software and documentation qualify as "commercial items", as that
term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of
"commercial computer software" and "commercial computer software documentation" as such terms
are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through
227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any
agreement into which this Agreement may be incorporated, Government end user will acquire the
Software and documentation with only those rights set forth in this Agreement. Use of either the
Software or documentation or both constitutes agreement by the Government that the Software and
documentation are "commercial computer software" and "commercial computer software
documentation", and constitutes acceptance of the rights and restrictions herein.
12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF
CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA COUNTY, CALIFORNIA,
UNLESS YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND, THE EU, OR JAPAN. IF
YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW
SHALL BE USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR
HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE USED AND
JURISDICTION SHALL BE INNSBRUCK. IF YOUR HEADQUARTERS IS LOCATED IN
JAPAN, JAPANESE LAW SHALL BE USED AND JURISDICTION SHALL BE TOKYO. THIS
AGREEMENT WILL NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY
JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE U.N.
CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES OF GOODS. This
Agreement is the entire agreement between You and Barracuda Networks regarding the subject
matter herein and supersedes any other communications with respect to the Software. If any provision
of this Agreement is held invalid or unenforceable, the remainder of this Agreement will continue in
full force and effect. Failure to prosecute a party's rights with respect to a default hereunder will not
constitute a waiver of the right to enforce rights with respect to the same or any other breach.
13. Assignability. You may not assign any rights or obligations hereunder without prior written
consent from Barracuda Networks.
14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty
(60) days after they first appear on the statement you receive from your bank, Credit Card Company,
other billing company or Barracuda Networks. If you do not bring such problems or discrepancies to
Barracuda Networks' attention within the sixty (60) day period, you agree that you waive the right to
dispute such problems or discrepancies.
15. Collection of Data. You agree to allow Barracuda Networks to collect information ("Statistics")
from the Software in order to fight spam, virus, and other threats as well as optimize and monitor the
Software. Information will be collected electronically and automatically. Statistics include, but are
not limited to, the number of messages processed, the number of messages that are categorized as
spam, the number of virus and types, IP addresses of the largest spam senders, the number of emails
classified for Bayesian analysis, capacity and usage, and other statistics. Your data will be kept private
and will only be reported in aggregate by Barracuda Networks.

16. Subscriptions. Software updates and subscription information provided by Barracuda Energize
Updates or other services may be necessary for the continued operation of the Software. You
acknowledge that such a subscription may be necessary. Furthermore some functionality may only
be available with additional subscription purchases. Obtaining Software updates on systems where
no valid subscription has been purchased or obtaining functionality where subscription has not been
purchased is strictly forbidden and in violation of this Agreement. All initial subscriptions commence
at the time of activation and all renewals commence at the expiration of the previous valid
subscription. Unless otherwise expressly provided in the documentation, you shall use the Energize
Updates Service and other subscriptions solely as embedded in, for execution on, or (where the
applicable documentation permits installation on non-Barracuda Networks equipment) for
communication with Barracuda Networks equipment owned or leased by you. All subscriptions are
non-transferrable. Barracuda Networks makes no warranty that subscriptions will continue uninterrupted. Subscription may be terminated without notice by Barracuda Networks for lack of full
payment.
17. Auto Renewals. If your Software purchase is a time based license, includes software
maintenance, or includes a subscription, you hereby agree to automatically renew this purchase when
it expires unless you notify Barracuda 15 days before the renewal date. Barracuda Networks will
automatically bill you or charge you unless notified 15 days before the renewal date.
18. Time Base License. If your Software purchase is a time based license you expressly acknowledge
that the Software will stop functioning at the time the license expires. You expressly indemnify and
hold harmless Barracuda Networks for any and all damages that may occur because of this.
19. Support. Telephone, email and other forms of support will be provided to you if you have
purchased a product that includes support. The hours of support vary based on country and the type
of support purchased. Barracuda Networks Energize Updates typically include Basic support.
20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release
of any Software or Subscription and to alter prices, features, specifications, capabilities, functions,
licensing terms, release dates, general availability or other characteristics of any future releases of the
Software or Subscriptions.
21. Open Source Licensing. Barracuda Networks products may include programs that are covered
by the GNU General Public License (GPL) or other Open Source license agreements, in particular the
Linux operating system. It is expressly put on record that the Software does not constitute an edited
version or further development of the operating system. These programs are copyrighted by their
authors or other parties, and the authors and copyright holders disclaim any warranty for such
programs. Other programs are copyright by Barracuda Networks. Further details may be provided in
an appendix to this agreement where the licenses are re-printed. Barracuda Networks makes available
the source code used to build Barracuda products available at source.barracuda.com. This directory
includes all the programs that are distributed on the Barracuda products. Obviously not all of these
programs are utilized, but since they are distributed on the Barracuda product we are required to make
the source code available.

Barracuda Networks Energize Updates and Other Subscription Terms


Barracuda Networks Software License Agreement Appendix
The GNU General Public License (GPL) Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.

59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing
it is not allowed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users. This General Public License applies
to most of the Free Software Foundation's software and to any other program whose authors commit
to using it. (Some other Free Software Foundation software is covered by the GNU Library General
Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses
are designed to make sure that you have the freedom to distribute copies of free software (and charge
for this service if you wish), that you receive source code or can get it if you want it, that you can
change the software or use pieces of it in new free programs; and that you know you can do these
things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to
ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that
there is no warranty for this free software. If the software is modified by someone else and passed on,
we want its recipients to know that what they have is not the original, so that any problems introduced
by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger
that redistributors of a free program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any patent must be licensed for
everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION


0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The "Program",
below, refers to any such program or work, and a "work based on the Program" means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or
a portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term "modification".) Each licensee is
addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the Program (independent of having been
made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and
to the absence of any warranty; and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based
on the Program, and copy and distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is
derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there is no warranty (or else, saying that
you provide a warranty) and that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on the Program is not required to
print an announcement).
These requirements apply to the modified work as a whole. If identifiable sections of that work are
not derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute them
as separate works. But when you distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a
work based on the Program) on a volume of a storage or distribution medium does not bring the other
work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code
or executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a) Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For
an executable work, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of
the source code, even though third parties are not compelled to copy the source along with the object
code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided
under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License. However, parties who have
received copies, or rights, from you under this License will not have their licenses terminated so long
as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else
grants you permission to modify or distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by modifying or distributing the
Program (or any work based on the Program), you indicate your acceptance of this License to do so,
and all its terms and conditions for copying, distributing or modifying the Program or works based on
it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions
of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may not distribute the
Program at all. For example, if a patent license would not permit royalty-free redistribution of the
Program by all those who receive copies directly or indirectly through you, then the only way you
could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity
of the free software distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software distributed through that
system in reliance on consistent application of that system; it is up to the author/donor to decide if he
or she is willing to distribute software through any other system and a licensee cannot impose that
choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public
License from time to time. Such new versions will be similar in spirit to the present version, but may
differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of
this License which applies to it and "any later version", you have the option of following the terms
and conditions either of that version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of this License, you may choose any
version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution
conditions are different, write to the author to ask for permission. For software which is copyrighted
by the Free Software Foundation, write to the Free Software Foundation; we sometimes make
exceptions for this. Our decision will be guided by the two goals of preserving the free status of all
derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS
WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
END OF GNU TERMS AND CONDITIONS
Barracuda Networks Products may contain programs that are copyright (c)1995-2005 International
Business Machines Corporation and others. All rights reserved. These programs are covered by the
following License: "Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
provided that the above copyright notice(s) and this permission notice appear in all copies of the
Software and that both the above copyright notice(s) and this permission notice appear in supporting
documentation."
Barracuda Networks Products may include programs that are covered by the BSD License:
"Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
The names of the authors may not be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE."
Barracuda Networks Products may include the libspf library which is Copyright (c) 2004 James
Couzens & Sean Comeau, All rights reserved. It is covered by the following agreement:
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: 1. Redistributions of source code must retain the
above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in
binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution. THIS
SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Barracuda Networks Products may contain programs that are Copyright (c) 1998-2003 Carnegie
Mellon University. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met: 1. Redistributions
of source code must retain the above copyright notice, this list of conditions and the following
disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials provided with
the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote
products derived from this software without prior written permission. For permission or any other
legal details, please contact Office of Technology Transfer, Carnegie Mellon University, 5000
Forbes Avenue, Pittsburgh, PA 15213-3890 (412) 268-4387, fax: (412) 268-7395,
techtransfer@andrew.cmu.edu. Redistributions of any form whatsoever must retain the following
acknowledgment: "This product includes software developed by Computing Services at Carnegie
Mellon University (http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, AND IN NO EVENT
SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Barracuda Networks Software may include programs that are covered by the Apache License or other
Open Source license agreements. The Apache license is re-printed below for your reference. These
programs are copyrighted by their authors or other parties, and the authors and copyright holders
disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by
Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is
granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are
controlled by, or are under common control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding
shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this
License.
"Source" form shall mean the preferred form for making modifications, including but not limited to
software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a
Source form, including but not limited to compiled object code, generated documentation, and
conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under
the License, as indicated by a copyright notice that is included in or attached to the work (an example
is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or
derived from) the Work and for which the editorial revisions, annotations, elaborations, or other
modifications represent, as a whole, an original work of authorship. For the purposes of this License,
Derivative Works shall not include works that remain separable from, or merely link (or bind by
name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any
modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted
to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity
authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent to the Licensor or its
representatives, including but not limited to communication on electronic mailing lists, source code
control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the
purpose of discussing and improving the Work, but excluding communication that is conspicuously
marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a
Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those patent claims licensable by such
Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the
Work or a Contribution incorporated within the Work constitutes direct or contributory patent
infringement, then any patent licenses granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof
in any medium, with or without modifications, and in Source or Object form, provided that You meet
the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files;
and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright,
patent, trademark, and attribution notices from the Source form of the Work, excluding those notices
that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works
that You distribute must include a readable copy of the attribution notices contained within such
NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at
least one of the following places: within a NOTICE text file distributed as part of the Derivative
Works; within the Source form or documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and wherever such third-party notices normally
appear. The contents of the NOTICE file are for informational purposes only and do not modify the
License. You may add Your own attribution notices within Derivative Works that You distribute,
alongside or as an addendum to the NOTICE text from the Work, provided that such additional
attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or
different license terms and conditions for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally
submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions
of this License, without any additional terms or conditions. Notwithstanding the above, nothing
herein shall supersede or modify the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service
marks, or product names of the Licensor, except as required for reasonable and customary use in
describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor
provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,
MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible
for determining the appropriateness of using or redistributing the Work and assume any risks
associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including
negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including
any direct, indirect, special, incidental, or consequential damages of any character arising as a result
of this License or out of the use or inability to use the Work (including but not limited to damages for
loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial
damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works
thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this License. However, in accepting such
obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of
any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor
harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
Barracuda Networks makes the source code used to build Barracuda products available at
source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda
products. Not all of these programs are utilized, but since they are distributed on the
Barracuda product we are required to make the source code available.

Index

A
Adaptive Scheduling 46, 47
administration interface
  logging in 38
Administration page 74, 78, 81
Advanced IP Config page 56, 57
alerts 78

B
back panel details 96
back-end SSL, definition 11
backing up configuration 80
Backup page 80
Barracuda Load Balancer
  configuring 38, 43, 55
  managing 80
  monitoring 76
  terminology 16
Barracuda Spam & Virus Firewall, deploying with the Barracuda Load Balancer 22
Basic > Server Health 48
Bridge-Path 16, 25
By Priority 67

C
character tags 85, 91, 93, 99
configuring, Barracuda Load Balancer 38
content rules
  extended match 51
  host match 51
  how to create 50
  how to edit 50
  URL match 51

D
definitions, updating 40, 81
diagnostic memory test 83
Direct Server Return 16, 26, 28
Directing HTTP requests - content rules 50
disabled mode, Real Server 43

E
Energize Updates 81

F
failed system, replacing 81
Failover IP Address 66
Figure 2.3 23
firewall, configuring 37
Firmware Update page 80

G
Geo IP 66
GSLB Response Policies 66

H
hardware compliance information 97
hardware test 83
Health page 76, 77
High Availability 16
  updating firmware 80

I
IP address
  setting 37
IP Configuration page 56

L
Last Resort Action 49
Last Resort Server 12, 16, 49, 52, 53
Layer 7 - RDP Service, scheduling 48
Logical Network 16

M
maintenance mode, Real Server 43
Maintenance, Real Server 77
modify HTTP request or response headers 52
monitoring
  Services 76, 77

N
network time protocol 39
notifications 78
NTP 39

P
Persistence 16
Physical Network 16
proxy server 56

R
Real Server 16
reboot options 82
recovery mode 82
Region Only 66
re-imaging system 83
reloading the system 81
remote administration 83
repairing, file system 83
replacing failed system 81
RESET button, using 81
restarting the system 81
restoring configuration 80
Route-Path 16

S
SAN certificates 54
Scheduling policy 16
Server Farm 16
Service 16, 17
Service Monitor 16, 76
Services, monitoring 76, 77
shutting down the system 81
SNI 53
SNMP traps 78
source IP address 62
source NAT 57, 62
SSL Certificates 46
SSL Offloading 45
SSL offloading 46
SSL Offloading, configuring 46
Status page 77

T
Task Manager page 79
TCP ports 37
testing memory 83
time zone, setting 74
Troubleshooting page 82

U
UDP ports 37
updating
  definitions 40, 81
  firmware 80
updating firmware 80

V
Virtual IP (VIP) 16, 17

W
WAN IP Address 16
Weighted Least Connections 48
Weighted Round-Robin 47
Wildcard certificates 53

X
X-Forwarded-For 52