Barracuda Load Balancer Ag Us

Barracuda Networks Technical Documentation
Barracuda Load Balancer
Administrators Guide
Version 3.6
RECLAIM YOUR NETWORK
Copyright Notice
Copyright 2004-2011, Barracuda Networks www.barracuda.com v3.6-110310-01-0310 All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda Load Balancer is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.
Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Overview . . . . . . . . . . . . . . . . . . . . . . . Features of the Barracuda Load Balancer . . . . . . Load Balancing for all IP-based Applications . . . Easy to Use and Maintain . . . . . . . . . . . . . Intrusion Prevention System . . . . . . . . . . . Auto-Discover Mode. . . . . . . . . . . . . . . . Persistence . . . . . . . . . . . . . . . . . . . . SSL Offloading . . . . . . . . . . . . . . . . . . Secure Communication with Real Servers . . . . Scheduling Policy . . . . . . . . . . . . . . . . . Automated Service Monitor . . . . . . . . . . . . Multiple Deployment Modes. . . . . . . . . . . . High Availability . . . . . . . . . . . . . . . . . . Easy Administration . . . . . . . . . . . . . . . . Last Resort Server . . . . . . . . . . . . . . . . Removing a Server without Disrupting the Service Content Rules . . . . . . . . . . . . . . . . . . . HTTP Request and Response Rewrites . . . . . Support for Layer 2 VLANs . . . . . . . . . . . . TCP Proxy. . . . . . . . . . . . . . . . . . . . . FTP Traffic. . . . . . . . . . . . . . . . . . . . . HTTP Caching and Compression . . . . . . . . . Global Server Load Balancing (GSLB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 .9 .9 10 10 10 11 11 11 11 11 11 11 12 12 12 12 12 12 13 13 13 13
Chapter 2 Load Balancing Deployment Options . . . . . . . . 15

Barracuda Load Balancer Terminology . . . . . . . . . . . . . . . . . Deployment Options Overview . . . . . . . . . . . . . . . . . . . . . Service Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . Route-Path (Recommended) . . . . . . . . . . . . . . . . . . . . . . Introduction to Route-Path . . . . . . . . . . . . . . . . . . . . . Sample Network Situations . . . . . . . . . . . . . . . . . . . . . Two-Armed Route-Path with Layer 4 Load Balancing . . . . . . . Route-Path Configured with TCP Proxy or a Layer 7 Service Type. One-Armed Route-Path using TCP Proxy or Layer 7 Service Types Two-Armed Route-Path with TCP Proxy or Layer 7 Service Types . About Multiple Network Adapters on Real Servers . . . . . . . . . Bridge-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deploying Bridge-Path . . . . . . . . . . . . . . . . . . . . . . . Direct Server Return (DSR). . . . . . . . . . . . . . . . . . . . . . . DSR with Bridge-Path . . . . . . . . . . . . . . . . . . . . . . . . Deploying Direct Server Return . . . . . . . . . . . . . . . . . . . Notes on DSR Deployment . . . . . . . . . . . . . . . . . . . Deployment in a Linux Environment . . . . . . . . . . . . . . Deployment in a Windows/XP Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 18 18 19 19 21 22 23 23 25 26 27 28 29 30 31 31 31 32
iii
Deployment in a Microsoft Windows Server 2003 or 2008 Environment . . 32 Verifying DSR Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 36
C h a p t e r 3 G e t t i n g Sta r t e d . . . . . . . . . . . . . . . . . . . . . . . . 3 7
Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . . Preparing for Installation . . . . . . . . . . . . . . . . . Connecting the Barracuda Load Balancer to the Network Configuring WAN IP Address and Network Settings . . . Configuring Your Corporate Firewall . . . . . . . . . . . Configuring the Barracuda Load Balancer . . . . . . . . Verifying Your Subscription Status . . . . . . . . . . . . Updating the Barracuda Load Balancer Firmware . . . . Updating the IPS Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 38 39 39 40 40 42 42 43
Chapter 4 Configuring Services . . . . . . . . . . . . . . . . . . . 45

Deployment Guides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating Load-Balanced Services. . . . . . . . . . . . . . . . . . . . Associating Real Servers with a Service . . . . . . . . . . . . . . . . Enabling Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . Persistence Settings for a Service with type Layer 7 - HTTP . . . Persistence Settings for a Service with type Layer 4 or TCP Proxy Persistence Settings for a Service with type Layer 7 - FTP . . . . Persistence Settings for a Service with type Layer 7 - RDP . . . . Remote Desktop Services Load Balancing. . . . . . . . . . . . . . . TCP Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FTP Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FTP SSL Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . SSL Offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Uploading SSL Certificates . . . . . . . . . . . . . . . . . . . . . Specifying SSL Offloading for a Service . . . . . . . . . . . . . . Updating Ports on the Real Servers . . . . . . . . . . . . . . . . Selecting a Scheduling Policy . . . . . . . . . . . . . . . . . . . . . . Adaptive Scheduling . . . . . . . . . . . . . . . . . . . . . . . . Pre-Assigned Weight . . . . . . . . . . . . . . . . . . . . . . . . Scheduling Policies . . . . . . . . . . . . . . . . . . . . . . . . . Scheduling for a Service with type Layer 7 - RDP . . . . . . . . . Viewing Current Connections . . . . . . . . . . . . . . . . . . . Configuring Intrusion Prevention . . . . . . . . . . . . . . . . . . . . Configuring a Last Resort Action . . . . . . . . . . . . . . . . . . . . Client Impersonation . . . . . . . . . . . . . . . . . . . . . . . . . . Layer 7 - HTTP Services . . . . . . . . . . . . . . . . . . . . . . . . . . Directing HTTP Requests based on Content Rules . . . . . . . . . . . Content Rule Execution . . . . . . . . . . . . . . . . . . . . . . Creating an HTTP Redirect Service. . . . . . . . . . . . . . . . . . . Modifying HTTP Requests and Responses . . . . . . . . . . . . . . . Rule Execution Order . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 47 47 47 48 48 48 48 48 48 49 49 49 49 50 50 50 50 50 51 51 51 52 52 52 53 54 54 54 55 55 56 56 56
iv
Barracuda Load Balancer Administrators Guide
Chapter 5 Network Configuration . . . . . . . . . . . . . . . . . . 57

VLAN Support . . . . . . . . . . . . . . . . . . . Routing to Multiple VLANs over an Interface . Making Services Accessible from the LAN/WAN . Creating Static Routes . . . . . . . . . . . . . . Allowing Real Servers to Connect to the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 58 58 59 59
C h a p t e r 6 H i g h Av a i l a b i l i t y . . . . . . . . . . . . . . . . . . . . . . . 6 1
Creating a High Availability Environment . . . . . . . . Operation of High Availability (HA) . . . . . . . . . . Requirements for HA . . . . . . . . . . . . . . . . . Failover if LAN Link Goes Down . . . . . . . . . . . Forceful or Manual Failover . . . . . . . . . . . . . . Primary and Backup Roles . . . . . . . . . . . . . . Failback . . . . . . . . . . . . . . . . . . . . . . . . Synchronization of Data Between Clustered Systems Steps to Add or Remove a System from a Cluster . . Source IP Address in a Clustered Environment. . . . Option 1 . . . . . . . . . . . . . . . . . . . . . Option 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 62 62 63 63 63 63 63 64 64 64 64
Chapter 7 Global Server Load Balancing . . . . . . . . . . . . . 65

Introduction to Global Server Load Balancing (GSLB) GSLB Examples. . . . . . . . . . . . . . . . . . GSLB Definitions . . . . . . . . . . . . . . . . . Site Selection Criteria . . . . . . . . . . . . . . . How GSLB Works . . . . . . . . . . . . . . . . . Failover . . . . . . . . . . . . . . . . . . . . Integrating with the Existing DNS Infrastructure . Site Selection Algorithms . . . . . . . . . . . . . Failover IP Address . . . . . . . . . . . . . IP Address and Location Database . . . . . Response Policy Options . . . . . . . . . . . Example Implementations . . . . . . . . . . . . . Disaster Recovery - Two Sites in the World . Direct Clients to Closest Data Center . . . . Direct Clients to Specific Region . . . . . . . GSLB Regions . . . . . . . . . . . . . . . . . . Configuring Multiple GSLB Controllers . . . . . . Steps to Install GSLB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 66 66 67 67 68 68 68 68 68 68 69 69 69 69 70 70 71
Chapter 8 Managing the Barracuda Load Balancer . . . . . 75

Administrative Settings . . . . . . . . . . . . . . . . Controlling Access to the Web Interface . . . . . Customizing the Appearance of the Web Interface Setting the Time Zone of the System . . . . . . . Enabling SSL for Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 76 76 76 76
v
Monitoring the Barracuda Load Balancer. . . . . . . . . . . . . . . Monitoring the Health of Services and Real Servers . . . . . . . Enabling or Disabling Real Servers . . . . . . . . . . . . . . . . Remotely Administering Real Servers . . . . . . . . . . . . . . Viewing Performance Statistics . . . . . . . . . . . . . . . . . . Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . Automating the Delivery of System Alerts and SNMP Traps . . . SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . Managing Multiple Systems with the Barracuda Control Center . Viewing System Tasks . . . . . . . . . . . . . . . . . . . . . . Maintaining the Barracuda Load Balancer . . . . . . . . . . . . . . Backing up and Restoring Your System Configuration . . . . . . Updating the Firmware of Your Barracuda Load Balancer . . . . Updating the Intrusion Prevention Rules Using Energize Updates Replacing a Failed System . . . . . . . . . . . . . . . . . . . . Reloading, Restarting, and Shutting Down the System . . . . . . Using the Built-in Troubleshooting Tools . . . . . . . . . . . . . Rebooting the System in Recovery Mode. . . . . . . . . . . . . Reboot Options . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
78 78 78 78 79 79 79 79 80 80 81 81 81 82 82 82 83 83 84
Appendix A Extended Match and Condition Expressions . 85

Quick reference . . . . . . . . . . . . . . . . . . . . . . Structure of an Extended Match or Condition Expression. Operators . . . . . . . . . . . . . . . . . . . . . . . . . Elements . . . . . . . . . . . . . . . . . . . . . . . . . Joins. . . . . . . . . . . . . . . . . . . . . . . . . . . . Combining . . . . . . . . . . . . . . . . . . . . . . . . . Escaping . . . . . . . . . . . . . . . . . . . . . . . . . Macro Definitions . . . . . . . . . . . . . . . . . . . . . No Name Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 86 86 86 87 87 88 88 89
Appendix B Barracuda Load Balancer Hardware . . . . . . . i

Front Panel of the Barracuda Load Balancer . . . Barracuda Load Balancer 240, 340, and 440 . Barracuda Load Balancer 640 . . . . . . . . Back Panel of the Barracuda Load Balancer . . . Barracuda Load Balancer, all models . . . . . Hardware Compliance . . . . . . . . . . . . . . Notice for the USA . . . . . . . . . . . . . . Notice for Canada . . . . . . . . . . . . . . . Notice for Europe (CE Mark) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii . ii . iii .iv .iv .v .v .v .v
Appendix C Limited Warranty and License

Barracuda Networks Limited Hardware Warranty (v 2.1) . . . . . . . . Exclusive Remedy. . . . . . . . . . . . . . . . . . . . . . . . . . . . Exclusions and Restrictions . . . . . . . . . . . . . . . . . . . . . . . Barracuda Networks Software License Agreement (v 2.1) . . . . . . . Barracuda Networks Energize Updates and Other Subscription Terms . . . . . . . . . . . . . . . . . . . .
vii
vii vii vii viii xii
vi
Barracuda Networks Software License Agreement Appendix . . . . . . . xii
vii
viii
Chapter 1 Introduction
This chapter provides an overview of the Barracuda Load Balancer and includes the following topics: Overview on page 8 Features of the Barracuda Load Balancer on page 9
Introduction 7
Overview
Organizations use load balancers to distribute traffic across a set of servers in their network. In the event a server goes down, the load balancer automatically detects this failure and forwards traffic only to the remaining functioning servers, maintaining high availability of the services provided by the servers. The Barracuda Load Balancer is designed to help organizations achieve their high availability objectives by providing:
Note
Integrated Service Monitor to monitor servers Comprehensive failover capabilities in case of server failure Distribution of traffic across multiple servers Integrated protection from network intrusions Automatic failover to a backup Barracuda Load Balancer if needed
The Barracuda Load Balancer directs traffic to servers. It is not designed for link balancing that distributes traffic across multiple Internet connections - try the Barracuda Link Balancer instead.
The Barracuda Load Balancer is designed to provide comprehensive load-balancing capabilities to any IP-based application, including: Internet sites with high traffic requirements, including Web, FTP, media streaming, and content delivery networks Hosted applications such as Microsoft Windows Remote Desktop Services, Exchange Server and Office Communications Server Other IP services requiring optimal performance, including SMTP, DNS, RADIUS, and TFTP
Features specifically for HTTP traffic include: Rules that direct traffic based on request content HTTP request and response rules to modify requests and responses HTTP caching and compression.
Features of the Barracuda Load Balancer

The Barracuda Load Balancer is designed with the following features: Load Balancing for all IP-based Applications .................................... 9 Easy to Use and Maintain ................................................................. 10 Intrusion Prevention System .............................................................. 10 Auto-Discover Mode .......................................................................... 10 Persistence ......................................................................................... 11 SSL Offloading................................................................................... 11 Secure Communication with Real Servers ......................................... 11 Scheduling Policy .............................................................................. 11 Automated Service Monitor ............................................................... 11 Multiple Deployment Modes .............................................................. 11 High Availability ................................................................................ 11 Easy Administration........................................................................... 12 Last Resort Server ............................................................................. 12 Content Rules..................................................................................... 12 Removing a Server without Disrupting the Service........................... 12 HTTP Request and Response Rewrites .............................................. 12 Support for Layer 2 VLANs ............................................................... 12 TCP Proxy.......................................................................................... 13 FTP Traffic ........................................................................................ 13 HTTP Caching and Compression ...................................................... 13 Global Server Load Balancing (GSLB) ............................................. 13
Load Balancing for all IP-based Applications

The Barracuda Load Balancer is designed to provide fast and comprehensive IP load-balancing capabilities to any IP-based application, including: HTTP HTTPS (SSL) SSH SMTP IMAP RDP (Remote Desktop Services) POP3 NTP ASP Streaming Media DNS LDAP RADIUS TFTP FTP, FTPS Other TCP/UDP-based services
Introduction 9
Easy to Use and Maintain

The Barracuda Load Balancer is extremely easy to deploy, featuring automatic discovery and configuration tools through an intuitive Web interface.
Intrusion Prevention System

To help secure your network, the Intrusion Prevention System (IPS) can automatically receive intrusion prevention and security updates from Barracuda Central, an advanced 24/7 security operations center that works to continuously monitor and block the latest Internet threats. The Intrusion Prevention System protects your load-balanced services from the following common threats: Denial of Service (DDoS) attacks. Protocol-specific attacks. The Barracuda Load Balancer contains protocol-specific guards that protect your Real Servers from attacks targeting the SMTP, DNS, and LDAP protocols. Application-specific attacks. The Barracuda Load Balancer protects common applications that are particularly vulnerable to external attacks. These applications include IIS, Websphere, Cold Fusion, Exchange, and many more. Operating system-specific attacks. The Barracuda Load Balancer contains Microsoft and UNIXspecific detection capabilities that identify malicious activity against these operating systems.
Exploit signatures are regularly updated at Barracuda Central and are automatically delivered to your Barracuda Load Balancer via Energize Updates. The following figure shows how Barracuda Central provides the latest updates through the Energize Update feature.
Figure 1.1: Barracuda Energize Updates
Auto-Discover Mode
All models of the Barracuda Load Balancer support Auto-Discovery of Real Servers and applications running on the servers to ensure quick and easy deployment of new servers. For common applications there is no need to manually configure each port.
10
Persistence
The Barracuda Load Balancer supports technologies that direct clients back to the same server, including client IP address and cookies. The length of time that session persistence is maintained during a time of inactivity can be defined on a Service level.
SSL Offloading
The Barracuda Load Balancer has the ability to handle SSL encryption and decryption locally, to help ease the burden on the Real Servers. SSL offloading is not available if using the Direct Server Return mode of deployment or if the Service type is Layer 7 - RDP. SSL offloading is available on models 340 and above.
Secure Communication with Real Servers

The Barracuda Load Balancer can use SSL to encrypt the data that passes between it and each of the Real Servers. This feature, which is also known as back-end SSL, is available on models 340 and above.
Scheduling Policy
The Barracuda Load Balancer supports multiple scheduling policies that support server weighting including Weighted Least Connection and Weighted Round Robin. Server weights can be preassigned based on server capacity or they can be dynamically calculated by the adaptive scheduling algorithm based on factors such as the load reported by the servers.
Automated Service Monitor

Barracuda Load Balancer features a fully integrated Service Monitor which performs automated tests to determine the availability of your servers. Traffic is re-routed to other servers within seconds if a server becomes unavailable.
Multiple Deployment Modes

The Barracuda Load Balancers support Route-Path, Bridge-Path, and Direct Server Return deployment modes. Route-Path offers increased flexibility, while Bridge-Path allows deployment without changes to existing IP infrastructure. Direct Server Return is ideal for Layer 4 load balancing of content delivery networks.
High Availability
With simple setup through the Web administrative interface, the Barracuda Load Balancer supports High Availability configurations. Point the backup Barracuda Load Balancer to the primary
Introduction 11
Barracuda Load Balancer's management IP address to synchronize configurations and bring your server farm to enterprise grade availability. This feature is available on models 340 and above.
Easy Administration
The SSL-secured Web interface of the Barracuda Load Balancer allows for convenient configuration and monitoring.
Last Resort Server

You can specify a Last Resort Server, which is the server to which all traffic for a particular Service is routed in the event that all of the associated Real Servers are not available. The Last Resort Server can be located on a different network, or even across the Internet, so long as it is reachable by the Barracuda Load Balancer.
Removing a Server without Disrupting the Service

You can remove a Real Server from the server farm for maintenance or other reasons by changing its status to disabled or to maintenance mode. Changing it to disabled terminates all connections immediately. When placed in maintenance mode, the server keeps existing connections but does not accept any new ones. Once the active connections are closed, you can perform the server maintenance. You can also add or delete a Real Server without disrupting the Service.
Content Rules
The Barracuda Load Balancer can route application (Layer 7) traffic to different servers based on content rules that examine incoming requests. This allows you to partition your servers by content and efficiently direct requests to the relevant server. For example, image requests can be directed to a server that hosts all of the images and has been optimized for image delivery. This feature is available on models 340 and above.
HTTP Request and Response Rewrites

Powerful regular expression support allows you to create rules that modify HTTP requests and responses if a pattern is matched. This feature is available on models 340 and above.
Support for Layer 2 VLANs

The Barracuda Load Balancer supports Layer 2 VLANs. This feature is available on models 340 and above.
12
TCP Proxy
The Barracuda Load Balancer acts as a full TCP proxy for incoming and outgoing connections for Services with type TCP Proxy. This feature is available on models 340 and above.
FTP Traffic
The Barracuda Load Balancer has support for Layer 7 FTP and FTPS. This feature is available on models 340 and above.
HTTP Caching and Compression

HTTP response data caching and compression are available options for Layer 7 HTTP and HTTPS Services. This feature is available on models 440 and above.
Global Server Load Balancing (GSLB)

GSLB provides a variety of ways to specify how traffic is directed to various sites, including priority and geographical location. The Barracuda Load Balancer uses those parameters while monitoring the health of each data center to route requests to the optimal site. This feature is available on models 440 and above.
Introduction 13
14
Chapter 2 Load Balancing Deployment Options

This chapter provides a list of terms used in this document and describes the Barracuda Load Balancer deployment options. It includes the following topics: Barracuda Load Balancer Terminology on page 16 Deployment Options Overview on page 18 Route-Path (Recommended) on page 19 Bridge-Path on page 27 Direct Server Return (DSR) on page 29
Load Balancing Deployment Options 15
Barracuda Load Balancer Terminology

Understanding the following terms will aid in administering the Barracuda Load Balancer.
Table 2.1: Barracuda Load Balancer terminology Term

Service
Description
A combination of a Virtual IP (VIP) address and one or more TCP/UDP ports that the Service is to listen on. Traffic arriving over the designated port(s) to the specified Virtual IP address is directed to one of the Real Servers that are associated with that Service. The Service Monitor monitors the availability of the Real Servers. It can be configured either on a per-Service or per-Real Server basis to use one of several different methods to establish the availability of a Real Server. If the Service Monitor finds that no Real Servers are available, you can specify a Last Resort Server to which all traffic for the Service will be routed. The IP address assigned to a specific Service. A client uses the Virtual IP address to connect to the load-balanced Service. The Virtual IP address must be different than the WAN IP address of the Barracuda Load Balancer. One of the systems that perform the actual work of the load-balanced Service. The Barracuda Load Balancer assigns new connections to it as determined by the scheduling policy in effect for the Service. A collection of Real Servers. The entity requesting connection to a load-balanced Service. Clients may be external or internal. A returning connection is routed to the same Real Server that handled a previous request from the same client within a specified time. Examples of Services that may need persistence settings are Web sites that have shopping carts or require some sort of login. See Enabling Persistence on page 48 for more information. Specifies how the Barracuda Load Balancer determines which Real Server is to receive the next connection request. Each Service can be configured with a different policy. More information can be found in Selecting a Scheduling Policy on page 50. Deployment modes for the Barracuda Load Balancer. They differ in how the Real Servers are connected. Details and benefits of each mode can be found in the sections Route-Path (Recommended) on page 19 and Bridge-Path on page 27. Option that is enabled on individual Real Servers. However, because it can affect how a deployment is designed, it is often treated as a mode of its own. More details on this can be found in the section on Direct Server Return (DSR) on page 29. A collection of systems on an isolatable subnet. In Route-Path mode, for example, all systems associated with the LAN interface would be in one (or more) logical network(s) 10.1.1.x, and all systems connected to the WAN interface would be in another logical network of 192.168.1.x. A group of systems that are physically connected to each other, usually over a switch or VLAN.
Service Monitor
Virtual IP (VIP) address
Real Server
Server Farm Client Persistence
Scheduling policy
Route-Path Bridge-Path
Direct Server Return
Logical Network
Physical Network
16
Term
WAN IP Address
Description
The IP address associated with the port that connects the Barracuda Load Balancer to the WAN. It may be used to access the Web administration interface. This address must be different than the Virtual IP addresses assigned to the Services. Two Barracuda Load Balancers can be joined as an active-passive pair in a cluster. The active system performs the load-balancing while the passive one monitors it, ready to take over operations if the first one fails. For more information, see Creating a High Availability Environment on page 62. The WAN port is used for both external and internal traffic that passes through the Barracuda Load Balancer. The Barracuda Load Balancer is deployed in-line, using both the WAN and LAN ports. The Virtual IP addresses and the Real Servers must be on different subnets.
High Availability
One-armed Mode Two-armed Mode
Deployment Options Overview

Services on the Barracuda Load Balancer can be deployed in the following three modes: Route-Path Bridge-Path Direct Server Return.
All of these deployment modes require specific network configurations. The Barracuda Load Balancer must be in either Route-Path or Bridge-Path mode. Direct Server Return is an option that you may choose for each Real Server. Choose the deployment mode for the Barracuda Load Balancer based on the type of network configuration that currently exists at your site as well as on the types of Services you wish to load balance. Route-Path is recommended over Bridge-Path because it provides a more robust deployment. Enabling the Direct Server Return option is recommended only for Real Servers that generate a much greater volume of outbound traffic relative to the inbound traffic.
Service Types
A Service is the access point that the client uses for the functionality provided by the Real Servers. There are multiple Service types supported by the Barracuda Load Balancer. Because the choice of Service type may affect the deployment method, this table gives a brief overview.
Table 2.2: Service Types Service Type

Layer 4 Layer 4 with SSL offloading TCP Proxy Layer 7- HTTP Layer 7 - FTP Layer 7 - RDP
Description
Traffic passes in half-NAT mode, meaning the destination IP address is changed to that of the Real Server, but the source IP address remains intact. Same as TCP Proxy with SSL offloading. Traffic passes in full-NAT mode, meaning that both the source and destination IP addresses are changed. The Barracuda Load Balancer acts as a full proxy. Connections from the client are terminated at the Barracuda Load Balancer and new ones are established between the Barracuda Load Balancer and the Real Servers.
18
Route-Path (Recommended)
This section describes the Route-Path method of deployment. It includes the following: Introduction to Route-Path ................................................................ 19 Sample Network Situations ................................................................ 21 Two-Armed Route-Path with Layer 4 Load Balancing...................... 22 Route-Path Configured with TCP Proxy or a Layer 7 Service Type. 23 One-Armed Route-Path using TCP Proxy or Layer 7 Service Types 23 Two-Armed Route-Path with TCP Proxy or Layer 7 Service Types .. 25 About Multiple Network Adapters on Real Servers........................... 26
Introduction to Route-Path
Route-Path is the most commonly used deployment method. If a Service type of Layer 4 with SSL offloading not enabled is used in a two-armed deployment, the Barracuda Load Balancer has to be the default gateway for all downstream Real Servers. For all other cases, the Real Servers and VIP addresses can be positioned in a variety of ways. The following table provides an overview of the Route-Path deployment options.
Table 2.3: Route-Path Deployment Options Type of Traffic

TCP or UDP
Topology Options (Route-Path)
Service Type
Notes
Barracuda Load Balancer has to be the default gateway for all downstream Real Servers. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Requires loopback adapter on each Real Server. Can keep IP addresses of the Real Servers. SSL offloading and other Layer 7 capabilities are not supported.
Two-armed. Usually this is the Layer 4 recommended deployment for Layer 4 traffic. One-armed. TCP Proxy
TCP
TCP
Two-armed is recommended for best performance.
TCP Proxy
TCP or UDP
One-armed. Best performance if almost all traffic is outgoing
Layer 4 with Real Servers in Direct Server Return mode

TCP with SSL processing offloaded to the Barracuda Load Balancer

One-armed.
Service Type
TCP Proxy
Notes
Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers.There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers.There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.
TCP with SSL processing offloaded to the Barracuda Load Balancer
Two-armed is recommended for best performance.
TCP Proxy
HTTP (Web servers)
Two-armed.
Layer 7 - HTTP
HTTP (Web servers)
One-armed.
Layer 7 - HTTP
FTP (FTP servers)
Two-armed.
Layer 7 - FTP
FTP (FTP servers)
One-armed.
Layer 7 - FTP
Remote Desktop Services
Two-armed. Recommended for better performance.
Layer 7 - RDP
20

Remote Desktop Services

One-armed.
Service Type
Layer 7 - RDP
Notes
Can keep IP addresses of the Real Servers.There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.
Sample Network Situations

To assist you in deciding how to deploy the Barracuda Load Balancer in your network, here are some common cases with suggested deployments. All of these cases use a Route-Path deployment.
1.
The Barracuda Load Balancer provides Layer 4 load balancing of TCP/IP traffic. Use two-armed Route-Path with one or more Layer 4 Services. The Barracuda Load Balancer provides SSL offloading and Layer 4 load balancing of TCP/IP traffic. Use a one or two-armed Route-Path with one or more Layer 4 Services. If you use onearmed Route-Path, you will not need to reconfigure the IP addresses of the Real Servers. Two-armed Route-Path provides better performance.
2.
3.
The Real Servers are on the same subnet as the Barracuda Load Balancer and the configuration cannot be changed. Use one-armed Route-Path with a TCP Proxy Service. Or, if almost all of the traffic is outbound, use Direct Server Return with a Layer 4 Service.
4.
There is an existing IT infrastructure using Windows where the Web servers need to communicate with systems such as Active Directory Domain Services, ISA Servers or domain controllers. To avoid changing those network settings, either: Use one-armed Route-Path with a TCP Proxy Service. Use Direct Server Return with a Layer 4 Service. For best performance, the recommended deployment is to use a two-armed Route-Path with a Layer 4 Service.
5.
The outbound traffic is far greater than the inbound traffic, for example, if the Real Servers are providing streamed audio or visual media. Use Direct Server Return with a Layer 4 Service to increase throughput. There is a need to remotely administer the Real Servers individually. Create new Services, each of which only load balances a single Real Server. Deploy the Real Servers in a one-armed mode where they are on the WAN side of the Barracuda Load Balancer and serving a TCP Proxy Service. Or, deploy the Real Servers on the WAN side in Direct Server Return mode serving a Layer 4 Service.
6.
More deployment examples are presented in the rest of this chapter.
Two-Armed Route-Path with Layer 4 Load Balancing

If you are planning to use the Barracuda Load Balancer to provide Layer 4 load balancing of TCP/IP or UDP traffic, this is usually the best option for your situation. If you want the Barracuda Load Balancer to provide SSL offloading for TCP/IP or UDP traffic, use a Service type of TCP Proxy instead. See Route-Path Configured with TCP Proxy or a Layer 7 Service Type on page 23. Deploying the Barracuda Load Balancer in a two-armed Route-Path configuration requires changing the IP addresses of all of the Real Servers, but gives greater performance. If a Service type of Layer 4 (with SSL offloading not enabled) is used, the Barracuda Load Balancer has to be able to handle the responses to client requests that are issued by the Real Servers. To do this, make the Barracuda Load Balancer the default gateway for all downstream Real Servers.
Figure 2.1: Two-armed Route-Path network with Layer 4 Services
22
Route-Path Configured with TCP Proxy or a Layer 7 Service Type

Choosing a Service type of TCP Proxy, one of the Layer 7 Service types, or Layer 4 with SSL offloading enabled makes the Barracuda Load Balancer act as a full proxy. Connections from the client are terminated at the Barracuda Load Balancer and new ones are established between the Barracuda Load Balancer and the Real Servers. Using the TCP Proxy or Layer 7 Service type allows the Real Servers to be located anywhere, as long as they can be routed to by the Barracuda Load Balancer (e.g. on the same subnet or VLAN or preconfigured static routes). This can be used in one-armed configurations for applications like Microsoft Exchange Server or Microsoft Office Communications Server as well as for custom applications. In two-armed configurations, Real Servers can access the VIP addresses of any TCP Proxy or Layer 7 Services that are on the same side of the Barracuda Load Balancer. There are multiple alternatives for configuration when using the Barracuda Load Balancer in the Route-Path mode with one or more TCP Proxy or Layer 7 Services or Layer 4 Services with SSL offloading enabled: Some or all of the Real Servers are on the same subnet as the LAN IP address. Some or all of the Real Servers are on the same subnet as the WAN IP address. Some or all of the Real Servers are on the same VLAN as the Barracuda Load Balancer. Some or all of the Real Servers are on a different subnet than either the WAN or LAN IP address but accessible via static routes. Some or all of the Real Servers are on a different subnet and responding to a TCP Proxy or Layer 7 Service. Virtual IP addresses are on the same subnet as the WAN interface of the Barracuda Load Balancer, and Real Servers on a subnet separate from the VIPs. Virtual IP addresses are on the same subnet as the LAN interface of the Barracuda Load Balancer and Real Servers on a subnet separate from the VIPs.
One-Armed Route-Path using TCP Proxy or Layer 7 Service Types

A one-armed route-path topology either has all of the Real Servers and the VIP addresses on the WAN or (less commonly) all of the Real Servers and the VIP addresses on the LAN. If the Service type is Layer 4 and not using SSL offloading, the Real Servers will need to be configured in Direct Server Return mode. See Direct Server Return (DSR) on page 29 for details. Alternatively, use the TCP Proxy Service type or one of the Layer 7 Service types. This provides a quick way to insert the Barracuda Load Balancer into an existing infrastructure with minimal changes to the network. No changes are required to the IP addresses of the Real Servers. The Barracuda Load Balancer may be on the same subnet as the Real Servers. Alternatively, the Real Servers are reachable through a router from the Barracuda Load Balancer. Figure 2.2 shows a WAN-side deployment using one-armed route-path and TCP Proxy or Layer 7 Services. The gateway IP address of the Real Servers remains the same as it was before the introduction of the Barracuda Load Balancer to the network. All of the Virtual IP addresses and IP addresses of the Real Servers are connected to the WAN port.
Figure 2.2: One-armed Route-Path using TCP Proxy or a Layer 7 Service
If desired, you can keep an externally accessible IP address on a Real Server so that external clients can still access that address (for example, for FTP) only on that one system. Because configuration changes are not required, only that traffic which needs to be load balanced passes through the Barracuda Load Balancer. Figure 2.3 shows another example of a one-armed route path deployment using TCP Proxy Services. In this case, the Services are provided by multiple Barracuda Spam & Virus Firewalls and Email servers.
24
Figure 2.3: One-armed TCP Proxy Service with Barracuda Spam & Virus Firewalls
As shown in the diagram, email passes through this network in the following way:
#1 Email is sent to the VIP address for the TCP Proxy Service that represents the Barracuda Spam
& Virus Firewalls.

#2 It is directed to the appropriate Barracuda Spam & Virus Firewall for processing. #3 After passing spam and virus checks, the email is sent to the VIP address for the email Service. #4 The Barracuda Load Balancer load balances the email traffic and passes it to an email server.
Two-Armed Route-Path with TCP Proxy or Layer 7 Service Types

Figure 2.4 shows a network where there are Virtual IP addresses available on both the WAN and LAN side. Clients coming from the Internet or intranet can access the database or Web Service. On the LAN side, the Web servers can access the database Service. Two-armed Route-Path with a Service with type Layer 7 - RDP is the recommended configuration when deploying the Barracuda Load Balancer in a Microsoft Terminal Services environment.
Figure 2.4: Two-armed TCP Proxy or Layer 7 Service
About Multiple Network Adapters on Real Servers

Real Servers that are on multiple networks simultaneously may break the route path. If a Real Server has more than one network adapter enabled, which gives traffic an alternate route around the Barracuda Load Balancer, the deployment will not work properly even though it may appear to work initially. There are two exceptions where Real Servers may have multiple network adapters: The networks that the Real Servers are on are isolated from each other and cannot access the WAN network without going through the Barracuda Load Balancer. Static routes for incoming and outgoing traffic for each IP address of each Real Server have been defined.
26
Bridge-Path
Bridge-Path deployment entails placing the Barracuda Load Balancer inline with your existing IP infrastructure so that it can load balance the Real Servers without changing IP addresses. The LAN interface must be on the same logical switch as the Real Servers. The WAN and LAN interfaces must be on physically separate networks. If you are considering using a bridge-path deployment because you want to avoid changing the IP addresses of your Real Servers, we recommend that you instead use a TCP Proxy Service and RoutePath. The following table describes the advantages and disadvantages of deploying your Barracuda Load Balancer in Bridge-Path mode.
Advantages
Disadvantages
Minimal network changes since the existing IP Separate physical networks required for downstream infrastructure is reused. Real Servers keep Real Servers their existing IP addresses. Less resilient to network misconfigurations Improper configuration of a Bridge-Path network may result in a broadcast storm, resulting in network outages
Figure 2.5: Sample Bridge-Path network layout
Deploying Bridge-Path
In Bridge-Path mode, the Real Servers must be physically isolated behind the Barracuda Load Balancer. This means that each Real Server is no longer visible on the network if the Barracuda Load Balancer becomes unavailable (a separate switch is required for models 440 and below). The Real Servers must be on the same subnet and logical network as the Barracuda Load Balancer, the VIPs, and the rest of the WAN, and they must specify the same gateway as the Barracuda Load Balancer. Make sure that the Operating Mode of the Barracuda Load Balancer is set to Bridge-Path on the Basic > IP Configuration page. The LAN IP Address on the same page is not used.
28
Direct Server Return (DSR)

Direct Server Return is an option associated with a Real Server which allows for increased outbound traffic throughput when performing sustained uploads, such as streamed audio or visual media. With DSR, connection requests and incoming traffic are passed from the Barracuda Load Balancer to the Real Server, but all outgoing traffic goes directly from the Real Server to the client. Because the Barracuda Load Balancer does not process the outgoing traffic in DSR mode, Layer 7 applications (HTTP, TCP Proxy and RDP), SSL offloading and cookie persistence are not supported with DSR. Using DSR requires enabling a non-ARPing loopback adapter on each Real Server. Additionally, your applications may need to be explicitly bound to the loopback adapter. Instructions for enabling a loopback adapter can be found in Deploying Direct Server Return on page 31. You may have DSR servers and non-DSR servers running the same Service. Real Servers that are in DSR mode must be on the same subnet as the WAN of the Barracuda Load Balancer. The following table summarizes the advantages and disadvantages of deploying your Real Servers in DSR mode.
Advantages
Ideal for high-bandwidth requirements such as content delivery networks Keeps existing IP addresses of Real Servers
Disadvantages
Requires flat network topology Requires non-ARPing loopback adapter on Real Servers Client IP persistence only Only Layer 4 load balancing is supported HTTP, TCP Proxy and RDP are not supported SSL offloading is not supported. No actions can be performed on the response headers and data (e.g. caching, compression, URL rewrites).
See Figure 2.6 for an example of a DSR deployment.
Figure 2.6: Sample Direct Server Return, one-armed architecture
As shown in the diagram, this is how Direct Server Return works:

#1 The request comes to the switch and is passed to the VIP address on the Barracuda Load
Balancer.
#2 A Real Server is selected, and the data frame of the packet is modified to be the MAC address of
that Real Server.

#3 The packet is then placed back on the network. #4 Because the VIP address is bound to the Real Servers loopback interface, the Real Server
accepts the packet.

#5 The Real Server responds directly to the client using the VIP address as the source IP address.
DSR with Bridge-Path

DSR in conjunction with Bridge-Path deployment is not supported.
30
Deploying Direct Server Return

Direct Server Return (DSR) uses a flat network topology at the Layer 2 (Switching) and Layer 3 (IP) levels, which means that the Barracuda Load Balancer, VIP addresses, and Real Servers all must be within the same IP network and connected on the same switch. Figure 2.6 above shows this topology. Each Real Server must be one hop away from the Barracuda Load Balancer and using the WAN port. The switch of the Real Servers must be directly connected into the WAN port of the Load Balancer, or connected to a series of switches that eventually reach the WAN port of the Load Balancer without going through any other networking devices. If you specify Route-Path deployment for the Barracuda Load Balancer, but only use Real Servers with Direct Server Return enabled, the physical LAN port is used for management or not at all. On the Basic > Services page, each Real Server listed under each Service must individually be configured for Direct Server Return mode. Edit each Real Server and select Enable for the Direct Server Return option.
Notes on DSR Deployment

When deploying Real Servers in Direct Server Return mode, note the following: The Barracuda Load Balancer needs to have the WAN adapter plugged into the same switch or VLAN as all of the Real Servers. The WAN IP, all VIPs, and all of the Real Servers that use Direct Server Return must be on the same IP subnet. Each Real Server needs to recognize the VIP as a local address. This requires enabling of a nonARPing virtual adapter such as a loopback adapter and binding it to the VIP address of the loadbalanced Service. Because this is not a true adapter, there should be no gateway defined in the TCP/IP settings for this adapter. Real Servers accepting traffic from multiple VIPs must have a loopback adapter enabled for each VIP. Additionally, the applications on each Real Server must be aware of both the Virtual IP address as well as the real IP addresses.
Deployment in a Linux Environment

To add a non-ARPing adapter to a Real Server running Linux, add an alias to the lo (loopback) adapter. The following commands are examples of how to do this for some versions of Linux. Consult your operating system vendor if you need more details about how to add a non-ARPing loopback adapter.
1.
Edit your rc.local file (usually located at /etc/rc.d/rc.local) and add the following:
sysctl -w net.ipv4.conf.lo.arp_ignore=1 sysctl -w net.ipv4.conf.lo.arp_announce=2 sysctl -w net.ipv4.conf.all.arp_ignore=1 sysctl -w net.ipv4.conf.all.arp_announce=2 ifconfig <interface_name> <ip_address> netmask 255.255.255.255 -arp up
where:
<interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2) <ip_address> is the Virtual IP Address for the Service
For example:
ifconfig lo:1 192.168.4.217 netmask 255.255.255.255 -arp up
2.
httpd.conf must have a VirtualHost entry for the VIPs. Edit the file to add these two lines:
listen <virtual_ip_address>:80 listen <real_ip_address>:80
where:
<virtual_ip_address> is the Virtual IP Address for the Service <real_ip_address> is the actual IP Address for the Real Server
3.
To check if the loopback adapter is working, make sure the Real Server is bound to the loopback adapters IP address. Output from the ifconfig command should show the presence of the loopback adapter.
Deployment in a Windows/XP Environment

For information on how to add a non-ARPing adapter in a Windows/XP environment, refer to http://support.microsoft.com/kb/839013. Or, check the Microsoft Support Site for your operating system. Applications running on Microsoft Real Servers must be configured to accept traffic received on the VIP addresses (the loopback IP addresses). To do this, add the VIP addresses to IIS (Internet Information Services) on each Real Server. The VIP addresses must be listed above the real IP address of the Real Server. Associate the Web site or application with the VIP addresses.
Deployment in a Microsoft Windows Server 2003 or 2008 Environment

To make servers that are running Microsoft Windows Server 2003 and Windows Server 2008 ready for DSR, there are several steps that must be taken on each server.
Table 2.4: Steps to make Microsoft Windows Server 2003 and 2008 ready for DSR DSR in a Microsoft Windows Server 2003 or 2008 Environment
Disable the Windows firewall. Enable traffic to the loopback adapter. Install the loopback adapter. Configure the loopback adapter. In particular, stop the loopback adapter from responding to ARP requests. Remember that the loopback adapter has the same IP address as the VIP address. Make the Windows networking stack use the weak host model. This step is required to allow the modified packet to be accepted by Windows Server 2008 servers. If you are using IIS, add the loopback adapter to your site bindings. You need to ensure that the IP address for the loopback adapter is included in the site bindings in IIS.
These detailed instructions describe how to deploy DSR in a Windows Server 2003 or 2008 environment. Perform these steps for each server.
32
1.
Disable the Windows firewall.
For Microsoft Windows Server 2003 and Windows Server 2008 you need to disable the built in firewall or manually change the rules to enable traffic to and from the loopback adapter. By default, the Windows firewall blocks all connections to the loopback adapter.
2.
Install the loopback adapter.

2a. For Windows Server 2003: to install the Microsoft loopback adapter refer to
http://support.microsoft.com/kb/842561. This note describes how to install the loopback
adapter. Follow the instructions in Method 1. When done, proceed to step 3.

2b. For Windows Server 2008 or Windows Server 2008 R2, follow these instructions to
install a loopback adapter on one server: 1. Open Device Manager. On the Start menu, click Run and type devmgmt.msc at the prompt. 2. Right-click on the server name and click Add legacy hardware. 3. When prompted by the wizard, choose to Install the hardware that I manually select from a list (Advanced). 4. Find Network Adapter in the list and click Next. 5. From the listed manufacturers select Microsoft and then Microsoft Loopback Adapter. See Figure 2.7.
Figure 2.7: Adding a loopback adapter in Windows Server 2008
6. This will add a new network interface to your server.
3.
Configure the loopback adapter.
After the loopback adapter is installed, follow these steps to configure it: In Control Panel, double-click Network and Dial up Connections. Right-click the newly installed loopback adapter and click Properties. Click to clear the Client for Microsoft Networks check box. Click to clear the File and Printer Sharing for Microsoft Networks check box. Click TCP/IP properties. Enter the VIP address and the subnet mask. Click Advanced. Change the Interface Metric to 254. This stops the adapter from responding to ARP requests. 3i. Click OK.
3a. 3b. 3c. 3d. 3e. 3f. 3g. 3h.
4.
Make the Windows networking stack use the weak host model.
34
If you are using Windows Server 2003, you can skip to the next step. If you are using Windows Server 2008 or Windows Server 2008 R2, this step tells you how to make the Windows networking stack use the weak host model (which is the same model used in Windows Server 2003). DSR works by modifying the destination MAC address of the incoming traffic to one of the Real Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used a weak host model which allowed the host to receive packets on an interface not assigned as the destination IP address of the packet being received. With Windows Server 2008, Microsoft has implemented a strong host model which breaks the method that DSR uses. Open a command prompt with elevated permissions. To determine the interface ID for both the loopback adapter and the main NIC on the server, type:
netsh interface ipv4 show interface
Note the IDX for both the main network interface and the loopback adapter you created. If you have not changed the interface names for this server then usually the main NIC will display as Local Area Connection and the loopback adapter will be named Local Area Connection 2. An entry will be displayed that includes the IDX numbers for both your loopback adapter and your Internet facing NIC. For each of these adapters enter these three commands:
netsh interface ipv4 set interface <IDX number for Server NIC> weakhostreceive=enabled netsh interface ipv4 set interface <IDX number for loopback> weakhostreceive=enabled netsh interface ipv4 set interface <IDX number for loopback> weakhostsend=enabled
For example:
netsh interface ipv4 set interface 23 weakhostreceive=enabled netsh interface ipv4 set interface 24 weakhostreceive=enabled netsh interface ipv4 set interface 24 weakhostsend=enabled 5.
If you are using IIS, add the loopback adapter to your site bindings.
By default, IIS includes all interfaces, however, if you have configured a site to be bound to an individual IP address, you need to ensure that the IP address for the loopback adapter (your VIP address) is also included in the site bindings in IIS. Follow these steps to bind the loopback adapter, referring to Figure 2.8: Open the Internet Information Services (IIS) Manager. Expand the Sites Folder. Click Default Web Site or the name of the site you are modifying. Click Bindings on the Actions panel. Click Add... and click HTTP or HTTPS in the Type list. Enter the IP address of your loopback adapter and the port. Click OK. 5f. On the Actions panel click Restart under Manage Web Site to ensure the new bindings take effect.
5a. 5b. 5c. 5d. 5e.
Figure 2.8: Add Site Binding using IIS
Verifying DSR Deployment

When you are done adding the loopback adapters, try to ping the Real Servers and the VIP, and telnet to the Real Servers. If the ping doesnt work or if in response to the telnet you get a connection refused from the VIP, then the loopback adapter has not been configured correctly. Try to verify that the loopback adapters are non-ARPing. On either Linux or Windows systems, use the arp -a command. Also, check the systems event logs to check for IP address conflicts. If, later, once the Service is set up, the client tries to connect but is unable to access the application, then the IIS (Windows) or application has not been associated with the real IP address and the VIP.
36
Chapter 3 Getting Started

This chapter provides instructions for installing the Barracuda Load Balancer. It includes the following topics: Initial Setup ....................................................................................... 38 A similar process is described in the Barracuda Load Balancer Quick Start Guide.
Getting Started 37
Initial Setup
These are the general steps to set up your Barracuda Load Balancer. For more detailed instructions for each step, see the following reference pages. Preparing for Installation .................................................................. 38 Connecting the Barracuda Load Balancer to the Network ............... 39 Configuring WAN IP Address and Network Settings ......................... 39 Configuring Your Corporate Firewall ............................................... 40 Configuring the Barracuda Load Balancer....................................... 40 Updating the Barracuda Load Balancer Firmware .......................... 42 Verifying Your Subscription Status..................................................... 42 Updating the IPS Definitions............................................................. 43
Preparing for Installation

Before installing your Barracuda Load Balancer, complete the following tasks: Decide which type of deployment is most suitable to your network. For more information on the deployment options, see Deployment Options Overview on page 18. Make any necessary changes to your network, according to your chosen method of deployment. Identify the ports used by the services or applications that you want to load-balance. Verify you have the necessary equipment: Barracuda Load Balancer (check that you have received the correct model) AC power cord Ethernet cables Mounting rails and screws VGA monitor (recommended) PS2 keyboard (recommended)
38
Connecting the Barracuda Load Balancer to the Network

1.
Fasten the Barracuda Load Balancer to a standard 19-inch rack or other stable location.
Caution
Do not block the cooling vents located on the front and rear of the unit.
2.
If using Route-Path, then the network switch referenced in the following steps may be the same physical switch. If using Bridge-Path, however, then separate switches on different Layer 2 networks must be used.
2a. Connect a CAT5 Ethernet cable from the WAN interface on the Barracuda Load
Balancer to the network switch through which the traffic destined to the VIP addresses will be routed. 2b. Connect a CAT5 Ethernet cable from the LAN interface on the Barracuda Load Balancer to the network switch where the Real Servers reside.
Caution
Do not connect any other cables to the unit. The connectors on the back panel are for diagnostic purposes only.
3.
Connect the following to your Barracuda Load Balancer: Power cord VGA monitor PS2 keyboard After you connect the AC power cord, you may hear the fan operate for a couple of seconds and then power off. This behavior is normal.
4.
Press the Power button located on the front of the unit. The login prompt for the administrative console displays on the monitor, and the power light on the front of the Barracuda Load Balancer turns on. For a description of each indicator light, refer to the section that describes the model of your Barracuda Load Balancer in Front Panel of the Barracuda Load Balancer on page ii.
Configuring WAN IP Address and Network Settings

The Barracuda Load Balancer is assigned a default WAN IP address of 192.168.200.200.
To set a new WAN IP address from the administrative console:
1. 2.
Connect your keyboard and monitor directly to the Barracuda Load Balancer. At the barracuda login prompt, enter admin for the login and admin for the password. The User Confirmation Requested window displays the current IP configuration of the Barracuda Load Balancer.
3.
Using your Tab key, select Change to change the WAN IP configuration.
Getting Started 39
4.
Enter the new WAN IP address, netmask, and default gateway for your Barracuda Load Balancer. Save your changes. The Primary and Secondary DNS fields are optional at this time, but if not entered here then they must be entered in Step 3c.) of To configure the Barracuda Load Balancer: on page 40.
Configuring Your Corporate Firewall

If your Barracuda Load Balancer is located behind a corporate firewall, refer to Table 3.1 for the ports that need to be opened on your corporate firewall to allow communication between the Barracuda Load Balancer, Virtual IP addresses and remote servers.
Table 3.1: Ports to Open on Your Corporate Firewall Port

22 53 80 123 any ports used by Services
Direction
Out Out Out Out as needed
Protocol
TCP TCP/UDP TCP UDP as needed
Description
Remote diagnostics and technical support services DNS (Domain Name Server) IPS and firmware updates (unless configured to use a proxy) NTP (Network Time Protocol) 1:1 NATs as needed, and any port required to access the VIP of a loadbalanced Service.
To send system alerts and notifications to the administrator, the Barracuda Load Balancer must be able to communicate with the mail server over the port specified on the Basic > Administration page. This may require opening that port on the firewall. Certain protocols require additional ports to be open. Examples include FTP and streaming media protocols. When configuring Services using these protocols ensure that the additional ports required are not blocked by the firewall.
Configuring the Barracuda Load Balancer

After specifying the IP address of the Barracuda Load Balancer and opening the necessary ports on your corporate firewall, configure the Barracuda Load Balancer from the Web interface. Make sure the system being used to access the Web interface is connected to the same network as the Barracuda Load Balancer, and that the appropriate routing is in place to allow connection to the Barracuda Load Balancers IP address via a Web browser.
To configure the Barracuda Load Balancer:
1.
From a Web browser, enter the IP address of the Barracuda Load Balancer followed by a colon and port 8000. For example: http://192.168.200.200:8000. To log into the Web interface, enter admin for the username and admin for the password. Select Basic > IP Configuration, and perform the following steps:
3a. Enter the following information in the WAN IP Configuration section:
2. 3.
40
3b.
3c. 3d. 3e. 3f.
IP Address. The address associated with the port that connects the Barracuda Load Balancer to the WAN. Subnet Mask. The subnet mask assigned to the WAN interface of the Barracuda Load Balancer. Default Gateway. The default router for network traffic not destined for the local subnet. Allow administration access. Set to Yes if you want to allow administration access via this IP address. The port that is used is configured on the Basic > Administration page. If the Barracuda Load Balancer is in Bridge-Path mode, or if only Direct Server Return mode is being employed, then go to Step 3c.) If you are configuring a backup Barracuda Load Balancer do not complete the LAN IP Address and LAN Netmask fields on the backup system. If the backup unit becomes active and if it is in Route-Path mode, it uses the LAN IP Address and Netmask that are configured on the primary Barracuda Load Balancer. For more information, see Creating a High Availability Environment on page 62. Enter the following information in the LAN IP Configuration section: LAN IP Address. The address that connects the Barracuda Load Balancer to the LAN. This is only used for two-armed Route-Path mode or, if in one-armed RoutePath mode, for management. LAN Netmask. The subnet mask tied to the LAN. This is only used for Route-Path mode. Allow administration access. Set to Yes if you want to allow administration access via this IP address. The port that is used is configured on the Basic > Administration page. Enter the IP address of your primary and secondary DNS servers. Enter the default hostname and default domain name of the Barracuda Load Balancer. If the Barracuda Load Balancer is behind a proxy server, enter the relevant parameters. Click Save Changes.
Note
When the IP address of your Barracuda Load Balancer on the IP Configuration page is changed, you will be disconnected from the Web interface. Log in again using the new IP address.
3g. If you want this Barracuda Load Balancer to operate in Bridge-Path mode, and this is not a backup Barracuda Load Balancer in a cluster, click Convert to change the
operation from Route-Path to Bridge-Path.

4.
Select Basic > Administration, and perform the following steps:

4a. Assign a new administration password to the Barracuda Load Balancer. 4b. Make sure the local time zone is set correctly.
Time on the Barracuda Load Balancer is automatically updated via NTP (Network Time Protocol). It requires that port 123 is opened for outbound UDP traffic on your firewall (if the Barracuda Load Balancer is located behind one). It is important that the time zone is set correctly because this information is used to coordinate traffic distribution and in all logs and reports. 4c. If desired, change the port number used to access the Barracuda Load Balancer user interface. The default port is 8000.
Getting Started 41
4d. Enter the amount of time, in minutes, for the length of your Web interface session
before you are logged off due to inactivity.

4e. (Optional) Specify your local SMTP server. Enter the email address for your
administrator to receive system alerts and notifications. 4f. Click Save Changes.
Verifying Your Subscription Status

If the Barracuda Load Balancer has access to the activation servers, your Energize Update and Instant Replacement subscriptions are most likely active. If not, you will see a warning at the top of every page. You must activate your subscriptions before continuing. Click on the link in the warning message or use the link on the Basic > Status page to open up the Barracuda Networks Product Activation page in a new browser window. Fill in the required fields and click Activate. A confirmation page will display the terms of your subscription. On the Basic > Status page, you may need to enter the activation code from the Barracuda Networks Product Activation page to activate your Barracuda Load Balancer
Note
If your subscription status does not change to Current, or if you have trouble filling out the Product Activation page, call your Barracuda Networks sales representative.
Updating the Barracuda Load Balancer Firmware

To update the firmware on the Barracuda Load Balancer:
1. 2. 3.
Select Advanced > Firmware Update. Read the release notes to learn about the latest features and fixes provided in the new firmware version. Click Download Now next to Latest General Release. Click OK on the download duration window. Updating the firmware may take several minutes. Do not turn off the unit during this process.
Download Now is disabled if the Barracuda Load Balancer is running the latest firmware
version.
4. 5. 6.
The Barracuda Load Balancer begins downloading the latest firmware version. Click Refresh to view the download status, until you see a message stating that the download has completed. Click Apply Now when the download completes. Click OK when prompted to reboot the Barracuda Load Balancer. A Status page displays the progress of the reboot. Once the reboot is complete, the login page appears.
42
Updating the IPS Definitions

To apply the newest definitions for the Intrusion Prevention System:
1. 2. 3. 4. 5.
Select Advanced > Energize Updates. Select Hourly or Daily for Automatically Update. The recommended setting is Hourly for IPS definitions. Check to see if the current version is the same as the latest general release. If the rules are up-todate, proceed to the next section. If the rules are not up-to-date, continue to the next step. Click Update to download and install the latest available IPS definitions onto the Barracuda Load Balancer. Click Save Changes.
Your Barracuda Load Balancer should be ready for operation. For more configuration tasks, including creating Services, refer to the next chapter, Configuring Services on page 45.
Getting Started 43
44
Chapter 4 Configuring Services

This chapter describes the configuration tasks you can perform from the Web interface after you have completed the installation. The following topics are covered: Deployment Guides ............................................................................ 46 Creating Services ............................................................................... 47 Layer 7 - HTTP Services ................................................................... 54
Detailed information for all options on a page in the Web interface is available from the online help for that page.
Configuring Services 45
Deployment Guides
The following documents provide detailed instructions to help you deploy the Barracuda Load Balancer in specific environments. If you are using one of the following Microsoft products, refer to the corresponding guide.
Remote Desktop Services in Windows Server 2008 R2:

Deploying the Barracuda Load Balancer with Remote Desktop Services in Windows Server 2008 R2
Microsoft Lync Server:

Deploying the Barracuda Load Balancer with Microsoft Lync Server 2010
Microsoft Office Communications Server:

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2
Microsoft Exchange Server:

Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010
All of these deployment guides are located at http://www.barracudanetworks.com/documentation.
46
Creating Services
This section describes the configuration tasks related to creating Services and associating Real Servers with them. The following topics are covered: Creating Load-Balanced Services...................................................... 47 Associating Real Servers with a Service ........................................... 47 Enabling Persistence ......................................................................... 48 Remote Desktop Services Load Balancing ........................................ 48 SSL Offloading................................................................................... 49 TCP Proxy.......................................................................................... 49 FTP Service ....................................................................................... 49 FTP SSL Service ................................................................................ 49 Selecting a Scheduling Policy............................................................ 50 Configuring Intrusion Prevention ...................................................... 52 Configuring a Last Resort Action...................................................... 52 Client Impersonation ......................................................................... 53
Creating Load-Balanced Services

A Service is a combination of a Virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated port(s) for the specified Virtual IP address is directed to one of the Real Servers that are associated with that particular Service. The Barracuda Load Balancer determines which connections or requests are distributed to each Real Server based on the scheduling policy selected for the Service. The Basic > Services page lets you create Services by identifying a Virtual IP address, port and one or more Real Servers. Once you have created a Service, you can configure advanced settings (including Service Type) by clicking the Edit graphic next to the Service. If the creation of the Service is successful, the Service name appears on the Basic > Services page with a green, orange, or red health indicator next to it. Detailed descriptions of the settings are available in the online help.
Associating Real Servers with a Service

You can identify the Real Servers that handle the traffic for a Service when you create the Service or later, using the Basic > Services page. Edit advanced Real Server settings by clicking the Edit graphic next to the Real Server. From this page, you can: Enable the Real Server or disable it in one of two ways. Disabled mode terminates all existing connections immediately. Maintenance mode allows existing connections to terminate naturally. In either case, no new connections or request are accepted until the Real Server is enabled again. If this Real Server is associated with a Layer 7 - HTTP Service, specify whether this Real Server accepts only HTTP requests that match a content rule. Change the weight of this Real Server to be used when assigning client connections. Specify if the Real Server is using Direct Server Return. Require all communication between the Real Server and the Barracuda Load Balancer be encrypted using SSL. Change or execute the Testing Method for the Real Server.
Enabling Persistence
The Barracuda Load Balancer supports a variety of ways to direct clients back to the same Real Server after a period of inactivity.
Persistence Settings for a Service with type Layer 7 - HTTP

There are a variety of supported persistence methods for HTTP sessions: HTTP Cookie - When a new client initiates contact, the Barracuda Load Balancer inserts a cookie into the outgoing response. This cookie is returned by the client with each subsequent request but is never forwarded to the Real Server. The Barracuda Load Balancer uses the cookie to direct multiple requests from the client to the same Real Server. Client IP - The Barracuda Load Balancer can also maintain persistence based on client IP address. An individual client IP address can be used or you can specify a subnet mask so that subsequent connections from systems from the same subnet go to the same Real Server. HTTP Header - All incoming HTTP requests are directed to the same Real Server based on the value of the specified header. URL Parameter - All incoming HTTP requests are directed to the same Real Server based on the value of the specified parameter in the URL.
Persistence Settings for a Service with type Layer 4 or TCP Proxy

Only Client IP persistence is supported. Enter a subnet mask to make subsequent connections from systems from the same subnet go to the same Real Server. 255.255.255.255 means that only the client IP address is used. The persistence time value is the maximum number of seconds during which a client is directed to the same server after a period of inactivity.
Persistence Settings for a Service with type Layer 7 - FTP

Persistence is not supported.
Persistence Settings for a Service with type Layer 7 - RDP

Session persistence is maintained by querying Windows Server 2003 Terminal Services Session Directory, Windows Server 2008 Terminal Services Session Broker or Windows Server 2008 R2 Session Broker. For more on this topic, see Remote Desktop Services Load Balancing on page 48.
Remote Desktop Services Load Balancing

The Barracuda Load Balancer may be deployed with a Terminal Server farm that is using Windows Server 2003 Terminal Services, Windows Server 2008 Terminal Services or Windows Server 2008 R2 Remote Desktop Services.
To create a Layer 7 - RDP Service:
1. 2.
Using the Basic > Services page, create a Service on port 3389. Edit the Service and set the Service Type to Layer 7 - RDP.
48
The Barracuda Load Balancer supports the use of Session Directory and TS Session Broker routing tokens. The Barracuda Load Balancer uses the routing token supplied by the Session Director or Session Broker to determine which host to use. To make this work properly: If the Real Server is running a version of Windows Server prior to Windows Server 2008 R2, clear the Use IP address redirection check box when configuring the network adapter. If the Real Server is running Windows Server 2008 R2, select Use token redirection when configuring the network adapter.
There is a guide to deploying the Barracuda Load Balancer with Remote Desktop Services located at
http://www.barracudanetworks.com/documentation.
TCP Proxy
You can create a TCP Proxy Service to make the Barracuda Load Balancer act as a full TCP proxy. Using the TCP Proxy Service allows the Real Servers to be located anywhere, as long as they are reachable by the Barracuda Load Balancer. See Deployment Options Overview on page 18 for examples of deployments using TCP Proxy Services.
FTP Service
You can create a Service with type Layer 7 - FTP to allow the Barracuda Load Balancer to process FTP traffic from the clients to the servers. An FTP client connects to an FTP server to manipulate files on that server. Both passive and active FTP are supported. If passive FTP will be used and if the Barracuda Load Balancer is behind a NATing firewall, you should specify an IP address and one or more ports that are sent in the response to a PASV request from a client. The client connects to the specified IP address and port to receive the data. Usually this address is the external IP address that is translated by the firewall to the Virtual IP address of the FTP Service. The port or ports are those allowed by the firewall. Enter the IP address and port(s) on the Service Detail page.
FTP SSL Service

A Service with type Layer 7 - FTP and SSL enabled supports encrypted FTP traffic. An FTP SSL Service only supports passive and not active FTP.
SSL Offloading
The Barracuda Load Balancer is able to perform decryption and encryption of SSL traffic to reduce the load on the Real Servers. The encrypted traffic received on the VIP address is decrypted before it is passed to the Real Servers, and traffic coming from the Real Servers is encrypted before it leaves the Barracuda Load Balancer. No SSL configuration on the Real Servers is necessary; all SSL certificates are stored on the Barracuda Load Balancer. SSL offloading is not compatible with Direct Server Return. It is also not available for Services with type Layer 7 - RDP.
To set up SSL offloading, complete the following tasks:

1. 2. 3.
Upload one SSL certificate for each Service to the Barracuda Load Balancer. Identify the Services that are using SSL offloading. Change the port used by the Real Servers, if necessary.
These tasks are described in the following sections.
Uploading SSL Certificates

One SSL certificate for each Service to be offloaded must be stored on the Barracuda Load Balancer. A certificate can be ordered from a trusted Certificate Authority such as Verisign. Or, if SSL processing was previously done on the server, then retrieve the certificate from that server. To view, edit or add SSL certificates to the Barracuda Load Balancer, go to the Basic > Certificates page.
Specifying SSL Offloading for a Service

To configure SSL offloading for a Service, go to the Basic > Services page and edit the Service.On the Service Detail page, set Enable HTTPS/SSL to Yes. Select the SSL certificate you wish to use from the SSL Certificate list.
Updating Ports on the Real Servers

If the Real Servers were using port 443 before, update their port setting on the Barracuda Load Balancer. Go to the Basic > Services page and click Edit for each Real Server for the Service. On the Real Server Detail page update the port. For example, the Service may use port 443 while the Real Servers use port 80.
Selecting a Scheduling Policy

The Barracuda Load Balancer supports multiple scheduling methods to determine which Real Server that is associated with a Service gets the next new connection. On an ongoing basis each Real Server is assigned a weight, which indicates the proportion of the load that this Real Server will bear relative to other Real Servers. Weights are either calculated dynamically using Adaptive Scheduling, or they are pre-assigned. These Real Server weights are then used by the scheduling algorithm, which is either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets the next connection.
Adaptive Scheduling
The Adaptive Scheduling feature polls the Real Servers frequently and assigns weights to those Real Servers using the information gathered. The parameter polled may be: CPU Load, determined by an SNMP query. If you wish to use this and you have Real Servers running a version of Windows, Knowledgebase Solution #00004306 in the Barracuda Networks Support Center http://www.barracudanetworks.com/support describes the required OID. You can view this solution by using this link: http://www.barracuda.com/kb?id=50160000000Hptb. Number of Windows Terminal Server sessions, determined by an SNMP query. In order to use this option, Real Servers must allow the Barracuda Load Balancer SNMP access to the community specified in the SNMP Community String box. This option is not available if the
50
Service Type is Layer 7 - RDP (see Scheduling for a Service with type Layer 7 - RDP on page 51). A URL provided by each Real Server which specifies a load value. If this option is selected, the Barracuda Load Balancer will poll the URL http://[Real Server IP Address]/barracuda_load/ and expect the output to look like LOAD=23 (showing the load as an integer between 0 and 100). Weights are assigned to each Real Server using the formula (100 - LOAD). For example, if the Load URL value is 23, the Real Server will be assigned a weight of 77. In order for the URL query to work, you must create a load determination script and make the results available by running a Web server on the Real Server that responds to the poll at the Real Servers IP address and port 80.
If, for example, all Real Servers have the same value for CPU load, then the Real Servers will be assigned the same weight. These weights will change as the value of the CPU Load for each Real Server varies. Configure adaptive scheduling for a Service by editing it using the Basic > Services page. On the Service Detail page, select the adaptive scheduling algorithm to use when making weight adjustments.
Pre-Assigned Weight
As an alternative to adaptive scheduling, static weights for each Real Server can be used. If some of the Real Servers are faster or have more capacity than others, you can tell the Barracuda Load Balancer to direct more traffic to them by increasing their weight relative to the other Real Servers. Configure the static weight for a Real Server by editing it on the Basic > Services page. On the Real Server Detail page, enter a weight value to be compared against the weights of all other Real Servers for this Service. For example, a Real Server with a weight of 50 will get half the amount of traffic as a Real Server with a weight of 100, but will get twice that of a Real Server with a weight of 25.
Scheduling Policies
The Barracuda Load Balancer considers the weight values for the Real Servers and then applies a scheduling algorithm, either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets the next connection. In Weighted Round-Robin, Real Servers with higher weights get more connections than those with lower weights and Real Servers with equal weights get equal connections. The scheduling sequence is generated according to the Real Server weights. New connections are directed to the different Real Servers based on the scheduling sequence in a round-robin manner. The shortcoming with this method is that a majority of long-lived connections may go to the same Real Server. In Weighted Least Connections, the Barracuda Load Balancer considers the number of live connections that each Real Server has, as well as the weight values. The Real Servers with higher weight values will receive a larger percentage of live connections at any one time. The Barracuda Load Balancer dynamically checks the number of live connections for each Real Server. Weighted Least Connections is the recommended choice. To configure whether Weighted Round-Robin or Weighted Least Connections will be used for a Service, edit the Service on the Basic > Services page.
Scheduling for a Service with type Layer 7 - RDP

If the Service Type is Layer 7 - RDP, the Barracuda Load Balancer keeps track of the number of RDP sessions on each Real Server. This number is used in conjunction with Real Server weights when selecting which Real Server gets the next new session. The Real Server weights are determined by one of the following:
Executing an SNMP GET for the CPU load on the Real Servers; Polling a URL provided by each Real Server which specifies a load value; or Retrieving pre-configured static weights (from the Real Server Detail page).
The number of active RDP sessions and the Real Server weights are used as input to the Weighted Round Robin or Weighted Least Connections algorithm. On the Service Detail page the Terminal Sessions adaptive scheduling option is disabled for Layer 7 - RDP Services. Because the number of RDP sessions on each Real Server is maintained internally, there is no need for the adaptive scheduling algorithm to issue an SNMP query to get the number of active Windows Terminal Sessions.
Viewing Current Connections

To see the number of current open connections/requests/sessions with each Service and each Real Server, navigate to the Basic > Server Health page. The bars on the page display the approximate percentage of all traffic that is currently connected to each Service or Real Server. Sometimes it may appear that a Real Server is handling more traffic than it should be based on its calculated weight. This is caused by persistence. If clients that were previously connected reconnect within a short period of time, they are directed to the same Real Server regardless of its current load.
Configuring Intrusion Prevention

You can enable or disable the Intrusion Prevention System (IPS) for all Services on the Barracuda Load Balancer from the Basic > Intrusion Prevention page. This page displays a list of all of the Services and whether IPS is enabled for each one. By default, IPS is disabled for a newly created Service. To enable IPS for an individual Service, edit the Service and select the IPS option on the Service Detail page. To test if the IPS is working on the Barracuda Load Balancer, there is a simple URL that will generate a test IPS catch. To test with this URL, create or locate a Web Service (with at least one Real Server) on port 80 from the Basic > Services page. Then type the following address in your browser window:
http://VIP/?Barracuda-IPS-Web
where VIP is the VIP address of the Web Service. If IPS is on, it will block this. Your browser will give an error because the connection will be immediately rejected. There should also be an IPS catch in the Intrusion Prevention Log on the Basic > Intrusion Prevention page. Refer to Intrusion Prevention System on page 10 for an overview of IPS and how the Energize Updates feature works.
Configuring a Last Resort Action

If all of the Real Servers associated with a Service are unavailable then one of the following will occur, based on the Last Resort Action setting configured for the Service on the Service Detail page: A failure message is returned or the connection closed, depending on the Service Type: Layer 7 - HTTP HTTP 503 Service unavailable is returned. Layer 4 ICMP port unreachable error is returned Layer 7 - TCP Proxy and Layer 7 - RDP Proxy The TCP connection is closed.
52
The connection is closed (TCP) or an ICMP port unreachable error returned (UDP). All traffic is directed to a Last Resort Server.
To increase the availability of the Services, specify a Last Resort Server for each Service. This is the server to which all traffic for a particular Service is routed in the event that all Real Servers associated with that Service are not available. The Barracuda Load Balancer does not perform any health checks on the Last Resort Server. The Last Resort Server can be located anywhere, so long as it is reachable by the Barracuda Load Balancer. It has the same deployments options available as any Real Server. If it is associated with a Layer 7 Service, any policies configured for the Service will also be applied to the Last Resort Server.
Client Impersonation
By default, for TCP Proxy and Layer 7 - HTTP Services, the Barracuda Load Balancers IP address is used when a client connects to the Real Server. You can enable the Client Impersonation option on the Service Detail page to use the clients IP address instead. Alternatively, for Layer 7 - HTTP Services only, if you wish to enable connection pooling, you can identify an HTTP header that has the client IP address as its value.
Layer 7 - HTTP Services

This section describes topics unique to Services with type Layer 7 - HTTP. The following topics are covered: Directing HTTP Requests based on Content Rules ........................... 54 Creating an HTTP Redirect Service .................................................. 55 Modifying HTTP Requests and Responses ........................................ 55 Configuring Caching ......................................................................... 56 Configuring Compression .................................................................. 56
Directing HTTP Requests based on Content Rules

Content rules are used to direct HTTP requests to specific Real Servers that are associated with a Layer 7 - HTTP Service. This functionality is also known as content switching or URL switching. A content rule includes: One or more expressions that specify a pattern in the host, URL or header fields of the request The Real Server or Servers that handle the matching request The load balancing algorithm used to direct requests to the Real Servers Persistence: none, HTTP cookie, HTTP header, URL parameter or client IP address
Use these rules to partition requests to Real Servers that deliver different types of data, such as: Content optimized for a mobile device Content in a particular language Images or video Data that is maintained on different servers but you want to make it appear to have come from one source.
Create a content rule by clicking Add Rule next to a Layer 7 - HTTP Service on the Basic > Services page. This option only appears next to a Service that has at least one Real Server associated with it. Edit an existing content rule by clicking the Edit icon next to the rule name on the Basic > Services page. You can edit one or more Real Servers from the Basic > Services page to accept only HTTP requests that match a content rule. Requests that fail to match any rule are directed to the Real Servers for the Service that are not configured to exclusively handle requests that match a content rule. For example, a Real Server which only delivers images can be configured to accept only HTTP requests that match a content rule.
Content Rule Execution

There are up to three types of patterns in each content rule: host match, URL match, and extended match. Extended matches are compared to values in the HTTP header. If there are multiple rules for a Service, the most specific host and URL match will be executed. For example, if a Service has these two rules: Rule A - host www.example.com, URL /images/* Rule B - host www.example.com, URL /images/*.png
and if the incoming request is for www.example.com/images/x.png then the most specific matching rule, which is Rule B, is executed.
54 Barracuda Load Balancer Administrators Guide
If a rule has the most specific host and URL for a request, any extended match expressions for that rule are evaluated in the order established by the Extended Match Order field. If the request does not match any extended match expression for the rule then the request is considered to have failed to match any rule. The possible values for the content rules can be found in the online help. A detailed description of the extended match syntax can be found in Extended Match and Condition Expressions on page 85.
Creating an HTTP Redirect Service

HTTP Redirect causes all HTTP traffic on the specified port on a virtual IP address to be redirected to port 443 on the same virtual IP address. It allows client requests on the specified port when SSL requests are only being served on port 443. HTTP requests that are addressed to http://VIP:port/ are
redirected to https://VIP/.
To create an HTTP Redirect Service, start by creating a Service with Service Type of Layer 7 - HTTP. Because the only purpose of this Service is to redirect HTTP requests to another Service (the one at port 443), no Real Servers can be added. In fact, only a couple of other options on the Service Detail page are relevant. All of the other options are hidden (and the settings, if any, ignored). Make sure to create a Service for the same VIP on port 443.
Modifying HTTP Requests and Responses

You can set up rules to modify HTTP requests and responses that pass through the Barracuda Load Balancer. These rules, which are associated with a Layer 7 - HTTP Service, are listed on the Advanced > URL Rewrites page. One HTTP request rewrite rule is created automatically. It sets the X-Forwarded-For header to the IP address of the client. The Real Server can examine the X-Forwarded-For header to discover the true identity of the requestor, rather than using the sending IP address, which is the IP address of the Barracuda Load Balancer. You can create response rewrite rules to remove server banners or other header or body information which you do not want the clients to see. The actions which can be performed by the request rewrite rules are: Insert Header - Inserts a header in the request. Remove Header - Removes the header from the request. Rewrite Header - Rewrites the value of the header in the request Rewrite URL - Rewrites the request URL to the URL specified in the rule. Redirect the URL - Redirects the request to the URL specified in the rule and sends that redirect back to the client.
Only the first three actions are valid for response header rewrite rules. Response body rules allow any text string (content-type must begin with text/) in an outbound HTTP response body to be rewritten. The online help for the Advanced > URL Rewrites page lists the syntax for the rules. In addition, a detailed description of the condition expressions, which specify when the rewrite should occur, is found in Extended Match and Condition Expressions on page 85.
Rule Execution Order

Content rules are evaluated first on incoming HTTP traffic. The rules on the Advanced > URL Rewrites page are evaluated second.
Configuring Caching
Caching is a process of storing commonly used information in local memory for quick retrieval rather than sending repeated requests to the Web server for the same information. This can improve performance (sometimes dramatically) and reliability. It also reduces the resource utilization on the Web servers. Caching can store Web pages and commonly used objects such as graphics files. Caching provides the following benefits: Reduced latency when retrieving Web content. An overall reduction in bandwidth and server load. Automatic identification and replication of site content.
You can enable caching on any Layer 7 - HTTP Service.
Configuring Compression
Compression improves the response time for clients accessing the service through dial-up or other slow methods. Enabling this feature compresses web pages that use HTML, JavaScript, Java and other text-based languages, resulting in a reduction in download time. You can enable compression on any Layer 7 - HTTP Service. We recommend enabling compression for text based content-types like text/plain, text/html, etc.
56
Chapter 5 Network Configuration

This chapter describes the network configuration tasks you can perform from the Web interface. The following topics are covered: Modifying LAN and WAN IP Addresses ............................................ 58 VLAN Support .................................................................................... 58 Making Services Accessible from the LAN/WAN ............................... 58 Creating Static Routes ....................................................................... 59 Detailed information for all options on a page in the Web interface is available from the online help for that page.
Network Configuration 57
Modifying LAN and WAN IP Addresses

The Basic > IP Configuration page contains the basic network configuration for your Barracuda Load Balancer. This page also contains the setting to specify whether this Barracuda Load Balancer operates in Route-Path or Bridge-Path mode. Finally, if the Barracuda Load Balancer is behind a proxy server, you can configure its location so that it can download firmware and Energize Updates.
VLAN Support
The Barracuda Load Balancer supports Layer 2 VLANs to segment traffic. Use the Advanced > Advanced IP Config page to identify VLANs on the Barracuda Load Balancer. You can then associate Services or Real Servers with VLANs. In Bridge mode, if VLANs are being used, both the LAN and WAN ports must be on the same VLAN.
To associate a Real Server with a VLAN:
1. 2. 3. 4.
Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table. Go to the Basic > Services page and add the Real Server. Using the Advanced > Advanced IP Config page, in the Custom Virtual Interfaces table, create an interface for the Real Server. Using the Advanced > Advanced IP Config page, add a static route to the Real Server if necessary.
To associate a Service with a VLAN:

1. 2. 3.
Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table. Go to the Basic > Services page and add the Service. Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the entry for the Service. Select the VLAN from the Port list and save your changes.
Routing to Multiple VLANs over an Interface

If any interface on the Barracuda Load Balancer has to route to multiple VLANs, it must be connected to the VLAN switch via a trunk (or hybrid) link, since multiple VLAN traffic can only be transported over trunk links. If the Real Servers are distributed across multiple VLANs, say 100, 105, and 111, then the LAN port must be connected to a trunk port on the VLAN switch.
Making Services Accessible from the LAN/WAN

You can add virtual interface(s) to the physical port (WAN or LAN) used to communicate with the Services.
To make a Service accessible from the LAN:
1. 2.
Go to the Basic > Services page and add the Service. Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the entry for the Service. Select LAN from the Port list and save your changes.
58
If you want to be able to access the Service from the WAN also, create another Service with a different VIP but the same Real Servers.
Creating Static Routes

You can create static routes to specify the exact route to a remote network.
To add a static route:
1. 2.
Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table, if necessary. On the same page, fill in the fields in the Static Routes table.
Allowing Real Servers to Connect to the Internet

If the Real Servers are on a private network on the LAN side of the Barracuda Load Balancer and the WAN is on a public network, Real Servers are not allowed by default to connect to the Internet. You can override this behavior if, for example, the Real Servers need to get operating system or application updates.
To allow Real Servers to connect directly to the Internet:
1.
Using the Advanced > Advanced IP Config page, create a source network address translation (source NAT) rule to map the internal IP address of a Real Server to an external IP address or some other IP address on the WAN side of the Barracuda Load Balancer that is translated by the firewall to an external IP address.
See also Source IP Address in a Clustered Environment on page 64 for information about the source IP address of incoming traffic.
Network Configuration 59
60
Chapter 6 High Availability

This chapter describes how to configure a high availability environment by clustering two Barracuda Load Balancers. The following topics are covered: Creating a High Availability Environment ........................................ 62
High Availability 61
Creating a High Availability Environment

The High Availability option allows you to create a cluster with two Barracuda Load Balancers as an active-passive pair. Only one system actively processes traffic at any one time, but the two systems continuously share almost all configuration and monitor each others health.
Operation of High Availability (HA)

The active system in a clustered pair handles all of the traffic until: The passive system detects that the active system is no longer responsive on the WAN. The active system detects that its LAN connection has been lost (optional). The administrator manually forces failover using the Web interface.
If any of these conditions occur, the passive system becomes active, assumes all of the Virtual IP addresses of the Services and the LAN IP address of the other Barracuda Load Balancer, and performs the load balancing. Clustered Barracuda Load Balancers negotiate which is the active one according to the Virtual Router Redundancy Protocol (VRRP) specification. The two systems must be configured with the same cluster shared secret and group ID. If other systems on the same subnet are also using VRRP, the cluster group ID must be unique. The passive Barracuda Load Balancer does not do any load-balancing or monitoring of Services or Real Servers. If you look at the Web interface of the passive system, you will see that all of the Services and Real Servers on a page such as Basic > Services have red health indicators.
Requirements for HA
Before joining two systems together, each Barracuda Load Balancer must meet the following requirements: Barracuda Load Balancer models 340 or higher Same model Activated and on the same version of firmware Able to access all Real Servers Able to reach the other Barracuda Load Balancer on the WAN interface Both WAN interfaces are connected to the same switch (physical network)
To speed up recognition of a newly active Barracuda Load Balancer, disable spanning tree protocol on the ports of the switch where the WAN ports of the two Barracuda Load Balancers are connected. If it is a Cisco switch, enable Spanning Tree PortFast on the ports connected to the WAN ports of the Barracuda Load Balancers. When the Barracuda Load Balancer becomes active it sends out a gratuitous ARP. It continues to send a gratuitous ARP every minute. The passive system does not issue any ARPs.
62
Failover if LAN Link Goes Down

There is an option to fail over to the passive system if the active system cannot detect its LAN link. In one-armed deployments (including Direct Server Return), the LAN port does not need to be monitored as the Real Servers are all connected to the WAN, so this option should be disabled. If the Barracuda Load Balancer is in bridge-path mode, LAN port monitoring is compulsory.
Forceful or Manual Failover

You can force failover to the passive system using the Web interface. This transfers the load to the passive system without bringing down any of the interfaces of the active system. When the passive system has become active, LAN or WAN cables can be removed or other maintenance performed on the now-passive system.
Primary and Backup Roles

When two systems are joined in a cluster, the system that joins the cluster is the backup system. The other one has the role of primary system. Initially, the primary system is the active system. Either of the systems in a cluster is capable of being the active system. The backup and primary roles are important when discussing failback.
Failback
There is an automatic failback option that can be configured if you want the originally active (primary) system to take over the Virtual IP addresses and resume load balancing upon its recovery after a failover. This option can be found on the Advanced > High Availability page. You can manually switch to the primary system using the Failback command that is available on the same page. It may be better to opt for manual failback, as it can minimize the number of times that service is interrupted. For example, if the primary system suffers an outage, the backup system takes over. When the primary system recovers, if automatic failback is selected, then it will once again become the active system. This means two interruptions of service. If manual failback is selected, then the backup system will continue processing traffic even after the recovery of the primary system.
Synchronization of Data Between Clustered Systems

When two Barracuda Load Balancers are initially joined, most configuration settings are copied from the primary system in the cluster to the backup system (the system that joins the cluster). These settings are synchronized between the systems on an ongoing basis.
High Availability 63
Table 6.1 identifies what is synchronized and what is unique.
Table 6.1: Data Shared Between Clustered Systems Shared Data

Global system settings configured through the Web interface. Any SSL Certificates that have been installed. All of the static routes and VLANs, etc., configured on the Advanced > Advanced IP Config page.
Unique Data
All of the system IP configuration (WAN IP address, operating mode, DNS servers and domain) configured on the Basic > IP Configuration page except for the LAN IP address. System password, time zone and Web interface HTTP port as configured on the Basic > Administration page. The parameters on the Advanced > Appearance page. The HTTPS port and SSL certificate used to access the Web interface as configured on the Advanced > Secure Administration page.
Steps to Add or Remove a System from a Cluster

Detailed instructions for the following tasks related to high availability can be found in the online help for the Advanced > High Availability page: Viewing an existing cluster. Creating a cluster of two Barracuda Load Balancers. Removing a Barracuda Load Balancer from the cluster. Updating the firmware of clustered Barracuda Load Balancers. These instructions are designed to minimize the number of service interruptions while updating firmware on both systems.
Source IP Address in a Clustered Environment

By default, the source IP address of traffic sent to the Real Servers is translated (source NATd) to be the WAN IP address of the Barracuda Load Balancer. If the Barracuda Load Balancer is clustered, the WAN IP address is not shared between the two clustered systems. To use the same source IP address in the event of failover, implement one of the following two options. The changes made will be propagated automatically to the passive system. Detailed steps for each of these options can be found in the online help.
Option 1
On the active system, create a custom virtual interface that associates an externally-accessible IP address with the WAN port. Use this IP address to create a source NAT rule. This interface will be used by the backup system if failover occurs.
Option 2
On the active system, remove the default rule that uses the WAN IP address as the source IP address, and turn on IP masquerading for the Real Servers.
64
Chapter 7 Global Server Load Balancing

This chapter describes how to configure Global Server Load Balancing or GSLB. The following topics are covered: Introduction to Global Server Load Balancing (GSLB) .................... 66 Steps to Install GSLB ......................................................................... 71 Detailed information for all options on a page in the Web interface is available from the online help for that page.
Global Server Load Balancing 65
Introduction to Global Server Load Balancing (GSLB)

This section contains an introduction to GSLB and how it is implemented using the Barracuda Load Balancer. The following topics are covered: GSLB Examples ................................................................................. 66 GSLB Definitions ............................................................................... 66 Site Selection Criteria........................................................................ 67 How GSLB Works .............................................................................. 67 Integrating with the Existing DNS Infrastructure.............................. 68 Site Selection Algorithms ................................................................... 68 Example Implementations .................................................................. 69 GSLB Regions .................................................................................... 70 Configuring Multiple GSLB Controllers............................................ 70
Global Server Load Balancing (GSLB) allows you to coordinate how traffic is processed among multiple data. A Barracuda Load Balancer acts as a controller, selecting the location to which traffic is directed based on the parameters that you configure and the health of the data centers. This allows you to allocate the work among multiple data centers and to ensure that if one data center fails then traffic is redirected automatically to a functioning data center.
GSLB Examples
GSLB can be useful when: You have a number of server farms that are physically located around the world and you want incoming connections to be directed to the closest healthy server farm. You have two data centers and you want one of them to be reserved for use in the event of a disaster. You can assign the first with a high priority and have all traffic directed to it, while the other is used only if the first data center fails. You have multiple data centers and each has region-specific content. Depending on the location of the client, requests can be directed to the data center most appropriate for that region.
GSLB Definitions
A site is a network location that hosts data. It may be a Service on a Barracuda Load Balancer with a server farm or one Real Server. A GSLB Controller is the Barracuda Load Balancer which determines where traffic is directed. It contains configuration information about the sites and it performs health checks on all sites in regular intervals. Only one GSLB Controller is active at a time. It is recommended that you configure one or more backup GSLB Controllers. A region defines a geographical area, usually composed of one or more countries. You can define custom regions or use the predefined regions.
66
Site Selection Criteria

The GSLB Service allows you to specify that traffic be directed to a site based on one of three parameters: Proximity of the system making the request to a site that can serve the request; The region of the system making the request; or The priority order of the sites.
How GSLB Works

The GSLB Controller controls which IP address for a sub-domain is given to a client. These steps illustrate the process:
1. 2.
A client tries to connect to a domain name such as www.example.com. It asks its local DNS server for the IP address of the domain name, and the server issues a DNS request on its behalf. This request is eventually directed to the GSLB Controller (Barracuda Load Balancer) that acts as an authoritative DNS server for the delegated sub-domain www. The GSLB Controller considers the site selection algorithm and the health of the sites and issues a DNS response that contains a list of one or more IP addresses of valid sites. The client tries to connect to the first address in the list.
3.
In Figure 7.1 How GSLB Works, the selection algorithm is based on the region of the client. The GSLB Controller determines the region where the request originated. The US client is returned the address of the site which handles clients from the US region (207.77.188.166) while the client from Europe is given the address of the site which supports content for the European region (216.129.205.232).
Figure 7.1: How GSLB Works
Failover
The record that is returned by the GSLB Controller in response to a DNS query has a time to live (TTL) value of 10 seconds, meaning that the DNS servers across the Internet need to request the IP address of site again if the record is older than 10 seconds. If a site becomes unavailable, it will be removed from the list of IP addresses returned, the caches will be updated quickly and traffic will be directed to a healthy site.
Integrating with the Existing DNS Infrastructure

In a typical GSLB deployment of the Barracuda Load Balancer, the existing DNS domain nameserver continues as the authoritative nameserver for the zone or domain, e.g. barracuda.com. But a hostname or sub-domain, e.g. www, is delegated to the Barracuda Load Balancer that acts as the GSLB Controller. When a DNS query for www.barracuda.com is received, it is forwarded to the GSLB Controller. The GSLB Controller acts as the authoritative DNS server for delegated sub-domains, returning definitive answers to DNS queries about domain names installed in its configuration. On the GSLB Controller you can identify one or more IP addresses of sites that serve a single domain name. When asked to resolve a host, the GSLB Controller returns a list of IP addresses of the sites that are both available and that match the site selection algorithm.
Site Selection Algorithms

As already described, when the GSLB Controller receives a DNS request to resolve a sub-domain, it replies with a list of one or more IP addresses of valid sites that are both available and that match the site selection algorithm. This site selection algorithm is also called the Response Policy. Three Response Policies are available: one is based on site priority and the other two are based on location.
Failover IP Address
If no sites match the Response Policy or if all sites that match the Response Policy fail the health check, a pre-configured Failover IP address for the sub-domain is returned. This is the IP address of a site that can accept the traffic if the other systems become unavailable. The health of the site at the Failover IP address is not monitored.
IP Address and Location Database

In order to provide location-based Response Policies, the Barracuda Load Balancer uses a database of IP addresses and geographical locations. This database is updated by the Location Definitions which are part of the Energize Updates maintained by Barracuda Central.
Response Policy Options

Three Response Policies are supported: Geo IP, Region Only and By Priority. Geo IP and Region Only are based on the location of the client. By Priority is based only on the configured priority of the site.
68
Geo IP The GSLB Controller determines the location of the system making the request based on the Location Definitions and compares that to the location of each site. It returns a list of site IP addresses ordered from closest to furthest. Geo IP does not consider site priority. Region Only The GSLB Controller determines the region of the system making the request based on the Location Definitions. If the originating system is in a region that is associated with one or more sites, a list of the healthy site IP address(es) is returned. The most specific matches appear first in the list; any sites that are associated with All Countries are last in the list. If the location of the originating system cannot be determined then any healthy sites that are associated with All Countries are returned. If neither of the preceding cases identifies at least one site IP address, the Failover IP address is returned. Region Only does not consider site priority. By Priority The GSLB Controller returns a list of site IP addresses ordered from lowest to highest priority value. Location is not considered.
Example Implementations
Following are some sample situations and how to configure the site selection algorithm for each one on the Barracuda Load Balancer that acts as the GSLB Controller.
Disaster Recovery - Two Sites in the World

You have two sites and you want all traffic directed to one of the sites while the other is on standby and used only in the case of the failure of the first site. Create an entry for each site giving the primary site priority 1 (highest) and the backup priority 2. Make the Response Policy By Priority so that only priority is considered when directing traffic. When a query for the address of the domain name is received, a response containing one or more IP addresses is returned. If it is operational, the primary sites IP address will be returned first in the list and the backup sites IP address will be second. If the primary site becomes unavailable, only the second site's IP address will be returned. The primary site will be monitored, even after failure, so that when it becomes available then its IP address will once again be first in the returned list.
Direct Clients to Closest Data Center

You have a number of server farms that are physically located around the world, and you want clients to be directed to the closest healthy server farm. Make the Response Policy Geo IP to send client requests to the geographically nearest site. If you have a backup site, set the Failover IP address to its IP address.
Direct Clients to Specific Region

You have multiple data centers, each with region-specific content, and you want client requests from a certain region to be directed to the data center that supports that region. Make the Response Policy Region Only to associate requests with a region based on the location of the client and direct traffic to the appropriate data center.
If you have a backup site, set the Failover IP address to its IP address. Content switching rules can be used to direct HTTP traffic within the backup data center (see Directing HTTP Requests based on Content Rules on page 54).
GSLB Regions
GSLB regions are used only if the Response Policy is Region Only, to direct traffic to data centers with region-specific content. Add a region to a host on the Advanced > GSLB Services page so that traffic that originates in that region is directed to the Site IP address. A number of predefined regions are listed on the Advanced > GSLB Settings page. You can also create a custom region by specifying a region name and then adding one or more regions from a list.
Configuring Multiple GSLB Controllers

Only one GSLB Controller is active at any one time. However, you can configure multiple GSLB Controllers to increase the availability of your infrastructure in these two ways: Operate in High Availability mode, in which case all of the GSLB information is copied to the passive system. Configure one or more other Barracuda Load Balancers (or clustered pairs) as GSLB Controllers where: Each system or clustered pair has a DNS entry pointing to it. The first available entry is used by a client. The GSLB configuration is synchronized manually between all GSLB Controllers unless they are passive systems in a cluster.
Figure 7.2 Multiple GSLB Controllers shows three clustered pairs of Barracuda Load Balancers, all in different locations. Each of these six Barracuda Load Balancers can act as GSLB Controllers and they share the same GSLB-specific configuration. The GSLB Controllers are listed in the order they are to be used as name servers in the DNS entry for the domain (see Steps to Install GSLB on page 71). If in the example becomes unavailable, will take over as GSLB Controller. If both and become unavailable, will take over operation as the GSLB Controller, and so on. Check Steps to Install GSLB on page 71 for instructions on how to install multiple GSLB Controllers.
70
Figure 7.2: Multiple GSLB Controllers
Steps to Install GSLB

Execute these tasks to design your GSLB network and to configure one or more GSLB Controllers. Each step is described in more detail in the following sections. Step 1: Define the layout of your GSLB network. Step 2: If you plan to use a location-based Response Policy: Step 2a: Define Regions (Region Only). Step 2b: Turn on Location Definitions updates. On each active GSLB Controller, complete Step 3. Step 3: Set the DNS Service IP Address. For each sub-domain to be hosted, complete Step 4. Step 4: Delegate a sub-domain to the GSLB Controller. For each GSLB Controller that may receive traffic for a given sub-domain and which is not the passive system for a cluster, complete Steps 5-7. Step 5: Configure the DNS records on the GSLB Controller to identify the sub-domains that are being hosted. Step 6: Choose the Response Policy. Step 7: Enter the Failover IP address. Step 8: Identify the rest of the sites that serve this sub-domain.
Step 1: Define the layout of your GSLB network

Decide which Barracuda Load Balancers will act as your active and passive GSLB Controllers. GSLB Controllers must be externally accessible. They may also act as the load balancer for a server farm. Decide whether the site selection should be based on region, geographical proximity or by preconfigured priority. Determine what will happen in the case of a site failure. Gather the IP addresses (IP addresses of Real Servers or VIP addresses of Services) of the sites.
Step 2: Perform Location Specific Tasks

Skip the two tasks in this step if you do not intend to use a geographically-based Response Policy (Geo IP or Region Only). If the Response Policy is Region Only, decide which site or sites are associated with each region where requests originate. In either case, make sure the Location Definitions are set to automatically update on every GSLB Controller. This setting is on the Advanced > Energize Updates page.
Step 3: Set the DNS Service IP Address

For each active GSLB Controller, select the IP address to be used as the DNS Service IP address. DNS requests will be send to this IP address. It must be reachable from the WAN, LAN or VLAN of the GSLB Controller. If the GSLB Controller is in HA mode and a system failover occurs, the passive system will assume this address and handle the requests directed to it. If the GSLB Controller is not in HA mode, this address could be the externally reachable IP address of the GSLB Controller. On each active GSLB Controller, go to the Advanced > GSLB Services page and enter the DNS Service IP Address. If this is a clustered system, the passive system will be updated automatically.
Step 4: Delegate a Sub-Domain to the GSLB Controller

This step needs to be done at your domain registrar or wherever your domains are hosted. In order to delegate a sub-domain to be resolved by the GSLB Controller, records must be added to the zone file of the domain so that DNS requests for the sub-domain will be forwarded to the GSLB Controller for resolution. For example, if the domain is example.com, and you want to host www.example.com behind the GSLB Controller, you will need to add a DNS NS (nameserver) record to associate www.example.com with each GSLB Controller. If there are four GSLB Controllers (two active, two passive) there are two records, one for each clustered pair:
www.example.com. IN NS ns1.www.example.com. www.example.com. IN NS ns2.www.example.com.
Add an A (host) record for each GSLB Controller with its IP address and the domain www:
ns1.www.example.com. IN A <DNS Service IP address of first cluster> ns2.www.example.com. IN A <DNS Service IP address of second cluster>
where <DNS Service IP address...> is the DNS Service IP address assigned to each clustered pair. Do not enter the <>s. Do add the dot at the end of the nameserver.
72
Note
The remainder of the steps are performed on the Barracuda Load Balancer(s) that may act as the GSLB Controller. If you have a clustered GSLB Controller, you only need to do these steps on the active system because the configuration between two clustered Barracuda Load Balancers are synchronized automatically. If you have one or more GSLB Controllers at different locations that are acting as backups, you will need to do these steps on those GSLB Controllers as well. You must keep the GSLB configuration synchronized between the active GSLB Controller and the backups, but not on the passive system in any cluster.
Step 5: Create the Host DNS Record on each GSLB Controller

This step must be done on each GSLB Controller that is not a passive system in the cluster. Using the Web interface of the Barracuda Load Balancer, create the records that describe the domain or domains that are available to the GSLB Controller. The following example generates the A (host) record for www.example.com on the GSLB Controller. The domain name is example.com and the host is www. This A record is initially associated with one site IP address but more site IP addresses can be added later.
To create the DNS records on the GSLB Controller:
1. 2.
Navigate to the Advanced > GSLB Services page. In the Add New GSLB Service section, supply the following information: Zone Name the zone maintained by your existing DNS server, e.g. example.com Host The host name (or sub-domain) to be resolved, e.g. www Site IP The IP address that is to receive the traffic. This may be a Service on a Barracuda Load Balancer, or a server. Region This associates a region with the Site IP address. If you want the GSLB Controller to select the site based on region, select the region from the list. If the region you want is not already defined, add a custom region using the Advanced > GSLB Settings page. Otherwise, select All Countries from the list.
A DNS record will be created for www.example.com. Some of the fields in the record will contain default values for settings such as the Response Policy, which you can customize by editing the entry in the table.
Step 6: Choose the Response Policy

Response Policies are described in the section Response Policy Options on page 68. The Response Policy is defined for a host e.g. www.example.com. Edit the Host record on the Advanced > GSLB Services page to modify the Response Policy.
Step 7: Set the Failover IP Address

If you have a site that can handle the traffic in the case of failure of all sites that match the Response Policy, enter its IP address as the Failover IP address in the Host record on the Advanced > GSLB Services page.
Step 8: Identify the rest of the sites that serve this host
To configure all of the sites that can process the traffic for this host (e.g. www.example.com), go to the Advanced > GSLB Services page and click Add New Site. You may want to associate a new site with a region or assign a priority to it. Remember that regions are only relevant if the Response Policy is Region Only. Similarly, priority is only considered by the By Priority Response Policy.
74
Chapter 8 Managing the Barracuda Load Balancer

This chapter describes the monitoring and maintenance tasks you can do to check on performance and to maintain the Barracuda Load Balancer. The following topics are covered: Administrative Settings ...................................................................... 76 Monitoring the Barracuda Load Balancer ........................................ 78 Maintaining the Barracuda Load Balancer....................................... 81 Detailed information for all options on a page in the Web interface is available from the online help for that page.
Managing the Barracuda Load Balancer 75
Administrative Settings
This section covers the basic administrative settings for your Barracuda Load Balancer. Controlling Access to the Web Interface...............................................76 Customizing the Appearance of the Web Interface............................ 76 Setting the Time Zone of the System .................................................. 76 Enabling SSL for Administration....................................................... 76
Controlling Access to the Web Interface

Use the Basic > Administration page to perform the following tasks related to controlling access to the Web interface such as: Change the password of the administration account. Specify the IP addresses or subnet mask of the systems that can access the Web interface. All other systems will be denied access. Change the port used to access the Web interface. Change the length of time of inactivity allowed until the administrator is logged out of the Web interface.
Use the Basic > IP Configuration page to allow or deny access to the Web interface from the WAN and LAN IP addresses.
Customizing the Appearance of the Web Interface

The Advanced > Appearance page allows you to customize the images used on the Web interface. Available only for Barracuda Load Balancers model 440 and above.
Setting the Time Zone of the System

The Basic > Administration page allows you to set the time zone of your Barracuda Load Balancer. The current time on the system is automatically updated via Network Time Protocol (NTP). When the Barracuda Load Balancer resides behind a firewall, NTP requires port 123 to be opened for outbound UDP traffic. It is important that the time zone is set correctly because this information is used to coordinate traffic distribution and in all logs and reports. Note: The Barracuda Load Balancer automatically reboots when you change the time zone.
Enabling SSL for Administration

The Advanced > Secure Administration page allows you to configure SSL for the Web interface for your Barracuda Load Balancer.
76
SSL ensures that your passwords and the rest of the data transmitted to and received from the Web interface is encrypted as well. You can require HTTPS to be used for secure access, and you can specify the certificate to be used.
Note
The SSL configuration referred to here is only related to the Web interface. To enable SSL offloading for a Service, refer to SSL Offloading on page 49.
In order to only allow secured connections when accessing the Web interface, you need to supply a digital SSL certificate which will be stored on the Barracuda Load Balancer. This certificate is used as part of the connection process between client and server (in this case, a browser and the Web interface on the Barracuda Load Balancer). The certificate contains the server name, the trusted certificate authority, and the servers public encryption key. The SSL certificate which you supply may be either private or trusted. A private, or self-signed, certificate provides strong encryption without the cost of purchasing a certificate from a trusted certificate authority (CA). However, the client Web browser will be unable to verify the authenticity of the certificate and a warning will be sent about the unverified certificate. To avoid this warning, download the Private Root Certificate and import it into each browser that accesses the Barracuda Load Balancer Web interface. You may create your own private certificate using the Advanced > Secure Administration page. You may also use the default pre-loaded Barracuda Networks certificate. The client Web browser will display a warning because the hostname of this certificate is barracuda.barracudanetworks.com and it is not a trusted certificate. Access to the Web interface using the default certificate may be less secure. A trusted certificate is a certificate signed by a trusted certificate authority (CA). The benefit of this certificate type is that the signed certificate is recognized by the browser as trusted, thus preventing the need for manual download of the Private Root Certificate.
Monitoring the Barracuda Load Balancer

This section describes the monitoring tasks you can perform from the Web interface of the Barracuda Load Balancer. This section covers the following topics: Monitoring the Health of Services and Real Servers ........................ 78 Enabling or Disabling Real Servers .................................................. 78 Viewing Performance Statistics ......................................................... 79 Viewing Logs...................................................................................... 79 Automating the Delivery of System Alerts and SNMP Traps ............ 79 Managing Multiple Systems with the Barracuda Control Center ..... 80 Viewing System Tasks......................................................................... 80
Monitoring the Health of Services and Real Servers

The Service Monitor checks the health of each Service and Real Server on an ongoing basis. Specify which test to perform and how frequently to do the test by editing the Service or Real Server on the Basic > Services page. The Basic > Services and Basic > Health pages display the health of all loadbalanced Services and associated Real Servers. There are many different methods available to establish the availability of a Service or Real Server. These include TCP port check, HTTP GET request, DNS query and RADIUS test. The various tests are fully documented in the online help. The tests always try to use the configured Real Server port for the Service unless the Real Server port is set to ALL. In that case, the tests use the default port for the test type (e.g. SMTP = 25, HTTP = 80, DNS = 53, HTTPS = 443, IMAP = 143, POP = 110 and SNMP = 161). If a Real Server is associated with more than one Service it will be checked more frequently than the Test Delay interval. The Service Monitor performs its health checks for each Services' set of Real Servers independently.
Enabling or Disabling Real Servers

You can change the status of your Real Servers by going to the Basic > Health page. For example, you can disable your Real Servers to perform maintenance or to temporarily disassociate them from a Service. There are three status modes: enabled, disabled and maintenance. Click Enable to make a Real Server be part of the pool of servers handling requests or connections. Select Disable to terminate all existing connections or Maintenance to allow existing connections to terminate naturally. In either case, no new connections or request are accepted until the Real Server is enabled again.
Remotely Administering Real Servers

If you need to remotely administer Real Servers that are located behind the Barracuda Load Balancer, then for each Real Server, create a Service which load balances only that one Real Server. Use the VIP for that administration Service whenever you need to ssh to or perform RDP administration on that Real Server.
78
Viewing Performance Statistics

The Basic > Status page provides an overview of the health and performance of your Barracuda Load Balancer, including: Traffic statistics, which shows the number of connections or requests for various types of traffic since the last system reset for up to five Services. The subscription status of Energize Updates. Performance statistics, such as CPU temperature and system load. Performance statistics displayed in red signify that the value exceeds the normal threshold. Hourly and daily traffic statistics.
Viewing Logs
The Basic > Event Log page maintains a list of all noteworthy events that affect the operation of the Barracuda Load Balancer, such as attacks upon various Services and status changes for a Real Server. You can view the Syslog, which contains administrative updates such as logins and configuration changes as well as all of the system events contained in the Event Log, using the Advanced > Syslog page. You can also enter an IP address where the syslog output can be directed. If Intrusion Prevention System is enabled, you can look at messages related to it in the Intrusion Prevention Log on the Basic > Intrusion Prevention page.
Automating the Delivery of System Alerts and SNMP Traps

The Basic > Administration page allows you to configure the Barracuda Load Balancer to automatically email notifications to the addresses you specify. To enter multiple addresses, separate each address with a comma. An email notification is generated if the number of operating Real Servers for a Service falls below a preset threshold. You can also configure SNMP traps to be generated when certain events occur. Go to the Advanced
> SNMP Configuration page to see the list of possible traps.
SNMP Monitoring
Using the Barracuda Load Balancer SNMP agent, you can use an SNMP monitor to query the system for a variety of statistics such as the number of current connections, bandwidth, and system CPU temperature. SNMP v2c and SNMP v3 are both supported by the SNMP agent. SNMP v2c queries and responses are not encrypted, so it is less secure. When using SNMP v3, traffic is encrypted and you can allow access only by specified users with passwords. For more information about monitoring the Barracuda Load Balancer using SNMP, see the technical paper SNMP Monitoring for the Barracuda Load Balancer located at
http://www.barracudanetworks.com/documentation.
Managing Multiple Systems with the Barracuda Control Center

The Barracuda Control Center (BCC) enables administrators to manage, monitor and configure multiple Barracuda Load Balancers (firmware version 3.6 and higher) at one time from one console. You can connect one or more Barracuda Load Balancers to the BCC by doing the following:
1. 2. 3.
If you don't already have an account with Barracuda Networks, visit http://login.barracudanetworks.com to create one. Make a note of your username (email address) and password. Log into your Barracuda Load Balancer as the administrator. On the Advanced > Firmware Upgrade page, check to make sure you have the latest firmware installed. If not, download and install it now. From the Advanced > Control Center page, enter the Barracuda Networks username and password you created and click Yes to connect to the BCC. Note that your Barracuda Load Balancer can connect with only one BCC account at a time. Log into the BCC with your username and password and you will see your Barracuda Load Balancer statistics displayed on the Basic > Status page. To access the Web interface of your Barracuda Load Balancer, click on the link in the Products column in the Control Center pane on the left side of the page. Or you can click on the product name in the Product column of the Unit Health pane on the right side of the page. Follow steps 3 and 4 to connect every subsequent Barracuda Load Balancer to the BCC.
4.
5.
6.
To disconnect your Barracuda Load Balancer and the BCC, from the Advanced > Control Center page, enter the BCC username and password and click No for Connect to Barracuda Control Center. Do this when you know that there will be a loss of connectivity between the appliance and the BCC due to the appliance being physically moved or other network connectivity issues.
Viewing System Tasks

The Advanced > Task Manager page provides a list of tasks that are in the process of being performed and also displays any errors encountered when performing these tasks. Some of the tasks that the Barracuda Load Balancer tracks include: Cluster setup Configuration restoration
If a task takes a long time to complete, you can click the Cancel link next to the task name and then run the task at a later time when the system is less busy. The Task Errors section lists an error until you manually remove it from the list.
80
Maintaining the Barracuda Load Balancer

This section describes how to manage and maintain your Barracuda Load Balancer using the Web interface. This section covers the following topics: Backing up and Restoring Your System Configuration ..................... 81 Updating the Firmware of Your Barracuda Load Balancer.............. 81 Updating the Intrusion Prevention Rules Using Energize Updates .. 82 Replacing a Failed System ................................................................ 82 Reloading, Restarting, and Shutting Down the System ..................... 82 Using the Built-in Troubleshooting Tools .......................................... 83 Rebooting the System in Recovery Mode........................................... 83
Backing up and Restoring Your System Configuration

The Advanced > Backup page lets you back up and restore the configuration of your Barracuda Load Balancer. You should back up your system on a regular basis in case you need to restore this information on a replacement Barracuda Load Balancer or in the event your current system data becomes corrupt. If you are restoring a backup file on a new Barracuda Load Balancer that is not configured, you need to assign your new system an IP address and DNS information on the Basic > IP Configuration page. Note the following about the backup file: Do not edit backup files. Any configuration changes you want to make need to be done through the Web interface. The configuration backup file contains a checksum that prevents the file from being uploaded to the system if any changes are made. You can safely view a backup file in Windows WordPad or Microsoft Word. You should avoid viewing backup files in Windows Notepad because the file can become corrupted if you save the file from this application. The following information is not included in the backup file: System password System IP information DNS information
Updating the Firmware of Your Barracuda Load Balancer

The Advanced > Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. The only time you should revert back to an old firmware version is if you recently downloaded a new version that is causing unexpected problems. In this case, call Barracuda Networks Technical Support before reverting back to a previous firmware version. If you have the latest firmware version already installed, the Download Now button will be disabled. If you have two Barracuda Load Balancers configured in High Availability mode, update the firmware on the passive Barracuda Load Balancer first. Then update the firmware on the active Barracuda Load Balancer. The passive Barracuda Load Balancer becomes operational when the active system is rebooted, thus maintaining availability.
If your Barracuda Load Balancers are not in High Availability mode, applying a new firmware version results in a temporary loss of service. For this reason, you should apply new firmware versions during non-busy hours.
Updating the Intrusion Prevention Rules Using Energize Updates

The Advanced > Energize Updates page allows you to manually update the Intrusion Prevention System rules, as well as change the interval at which the Barracuda Load Balancer checks for updates. We recommend that the Automatically Update setting be set to Hourly so your Barracuda Load Balancer receives the latest rules as soon as new threats are identified by Barracuda Central.
Replacing a Failed System

Before you replace your Barracuda Load Balancer, use the tools provided on the Advanced > Troubleshooting page to try to resolve the problem. In the event that a Barracuda Load Balancer fails and you cannot resolve the issue, customers that have purchased the Instant Replacement service can call Technical Support and arrange for a new unit to be shipped out within 24 hours. After receiving the new system, ship the old Barracuda Load Balancer back to Barracuda Networks at the address below with an RMA number marked clearly on the package. Barracuda Networks Technical Support can provide details on the best way to return the unit. Barracuda Networks 3175 S. Winchester Blvd Campbell, CA 95008
Note
To set up the new Barracuda Load Balancer so it has the same configuration as your old failed system, restore the backup file from the old system onto the new system, and then manually configure the new systems IP information on the Basic > IP Configuration page. For information on restoring data, refer to Backing up and Restoring Your System Configuration on page 81.
Reloading, Restarting, and Shutting Down the System

The System Reload/Shutdown section on the Basic > Administration page allows you to shutdown, restart, and reload system configuration on the Barracuda Load Balancer. Shutting down the system powers off the unit. Restarting the system reboots the unit. Reloading the system re-applies the system configuration. You can also reboot the Barracuda Load Balancer by pressing RESET on the front panel of the Barracuda Load Balancer. Do not press and hold the RESET button for more than a couple of seconds. Holding it for five seconds or longer changes the IP address of the system. Pressing RESET for five seconds sets the
82
WAN IP address to 192.168.200.200. Pressing RESET eight seconds changes the WAN IP address to 192.168.1.200. Pressing the button for 12 seconds changes the WAN IP address to 10.1.1.200.
Using the Built-in Troubleshooting Tools

The Advanced > Troubleshooting page provides various tools that help troubleshoot network connectivity issues that may be impacting the performance of your Barracuda Load Balancer. You can ping other devices from the Barracuda Load Balancer, perform a traceroute from the Barracuda Load Balancer to any another system, and execute other tests.
Rebooting the System in Recovery Mode

If your Barracuda Load Balancer experiences a serious issue that impacts its core functionality, you can use diagnostic and recovery tools that are available at the reboot menu to return your system to an operational state. Before you use the diagnostic and recovery tools, do the following: Use the built-in troubleshooting tools on the Advanced > Troubleshooting page to help diagnose the problem. Perform a system restore from the last known good backup file. Contact Barracuda Networks Technical Support for additional troubleshooting tips.
As a last resort, you can reboot your Barracuda Load Balancer and run a memory test or perform a complete system recovery, as described in this section.
To perform a system recovery or hardware test:
1. 2.
Connect a monitor and keyboard directly to your Barracuda Load Balancer. Reboot the system by doing one of the following: Click Restart on the Basic > Administration page. Press the Power button on the front panel to turn off the system, and then press the Power button again to turn the system back on. The Barracuda splash screen displays with the following three boot options:
Barracuda Recovery Hardware_Test
3.
Use your keyboard to select the desired boot option, and click Enter. You must select the boot option within three seconds of the splash screen appearing. If you do not select an option within three seconds, the Barracuda Load Balancer defaults to starting up in the normal mode (first option). For a description of each boot option, refer to Reboot Options on page 84.
Reboot Options
Table 8.1 describes the options available at the reboot menu.
Table 8.1: Reboot Options Reboot Options

Barracuda
Description
Starts the Barracuda Load Balancer in the normal (default) mode. This option is automatically selected if no other option is specified within the first three (3) seconds of the splash screen appearing. Displays the Recovery Console where you can select the following options: Perform file system repairRepairs the file system on the Barracuda Load Balancer. Perform full system re-imageRestores the factory settings on your Barracuda Load Balancer and clears out all configuration information. Enable remote administrationInitiates a connection to Barracuda Central that allows Barracuda Networks Technical Support to access the system. Another method for enabling this troubleshooting connection is to click Establish Connection to Barracuda Central on the Advanced>Troubleshooting page. Run diagnostic memory testRuns a diagnostic memory test from the operating system. If problems are reported when running this option, we recommend running the Hardware_Test option next.
Recovery
Hardware_Test
Performs a thorough memory test that shows most memory related errors within a two-hour time period. The memory test is performed outside of the operating system and can take a long time to complete. Reboot your Barracuda Load Balancer to stop the hardware test. You may do this by pressing Ctrl-Alt-Del on the keyboard, or by pressing the RESET button on the Barracuda Load Balancer.
84
Appendix A Extended Match and Condition Expressions

Extended Match and Condition expressions can used in content rules, HTTP request rewrite rules and HTTP response rewrite rules. To learn more about these rules, all of which only apply to Layer 7 Services, see the following: Directing HTTP Requests based on Content Rules on page 54 Modifying HTTP Requests and Responses on page 55.
This appendix documents the syntax of the extended match and condition expressions. A few examples: Header Host co example.com - match a request whose Host header contains example.com Parameter userid ex - match any request in which the parameter 'userid' is present (Header Host eq www.example.com) && (Client-IP eq 10.0.0.0/24) - match a request whose host header is www.example.com and the request client's IP address is in the 10.0.0.* subnet.
Quick reference
Expression: Element Match (Expression) [Join (Expression) ...] Join: &&, || Element Match: Element [Element Name] Operator [Value] Element: Request Elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header Request Parameters: Parameter, Pathinfo Response Elements: Status-code, Response-Header Operator: Matching: eq, neq, req, nreq Containing: co, nco, rco, nrco Existence: ex, nex
Extended Match and Condition Expressions 85
Structure of an Extended Match or Condition Expression

The following explains the components of an Extended Match or Condition expression. An expression consists of one or more Element Matches, combined using Join operators to indicate AND and OR operations to combine the Element Matches. Parentheses must be used to delimit individual Element Matches when using join operators. Parentheses can be nested. An Element Match consists of an Element, an optional Element Name, an Operator followed by an optional Value. Some elements like "Header" require an Element Name like "User-Agent", whereas some elements like "HTTP-Version" require no further qualification. Also, some operators like "eq" (stands for "equals") require a value, whereas some operators like "ex" (stands for "exists") require no value. Tokens are delimited by space and the parenthesis characters. Double quotes (") can be used to enclose single tokens which contain parenthesis characters or spaces. The back-slash character can also be used to escape, that is, remove the special meaning of the special characters (space and parentheses).
Operators
The following are the possible operators in an Element Match. The operators are case insensitive, for example "eq", "Eq" and "EQ" are all treated the same. eq - true if the operand is equal to the given value. A case insensitive string comparison is performed. Thus, a value of "01" is not the same as a value of "1", whereas values "one" and "ONE" are treated the same. neq - true if the operand is not equal to the given value. A case insensitive string comparison is performed. co - true if the operand contains the given value. nco - true if the operand does not contain the given value. rco - true if the operand contains the given value, which is treated as a regular expression. nrco - true if the operand does not contain the given value, which is treated as a regular expression. req - true if the operand matches the given value, which is treated as a regular expression. nreq - true if the operand does not match the given value, which is treated as a regular expression. ex - true if the operand exists. A value is not required nex - true if the operand does not exist. A value is not required
Elements
The following are the different Elements allowed in the expression. Elements and Element Names are case insensitive, so "Method" and "METHOD" are treated the same. Method - The HTTP Method that was received in the request. Example: (Method eq GET) HTTP-Version - This refers to the version of the HTTP protocol of the request. Example: (HTTP-Version eq HTTP/1.1)
86
Header - An HTTP header in the request. An Element Name to identify which header is required to follow the word "Header". Example: (Header Accept co gzip). This will check if the "Accept:" header contains the string "gzip". Client-IP - This refers to the IP address of the client sending the request. The IP address can be either host IP address or subnet IP address specified by a mask. Only "eq" and "neq" operations are possible for this element. Examples: (client-ip eq 192.168.1.0/24), (Client-IP eq 192.168.1.10) URI - The URI is the Uniform Resource Identifier in the request. This includes any query parameters in the request. Example: (URI rco /abc.*html?userid=b) URI-path - This refers to the path portion of the URI, which excludes any query parameters. Example: (URI-path req \/.*copy%20[^/]*) Pathinfo - This refers to the portion of URL which is interpreted as PATH_INFO on the server. The Barracuda Load Balancer uses a set of known extensions to determine whether a portion of the URL is a Pathinfo or not. For example, if the request URL is /twiki/view.cgi/Engineering, then, "/Engineering" is considered to be the pathinfo rather than part of the URL. Example: (PathInfo rco abc*) Parameter - This refers to a parameter in the query string part of the URL. the servers as a name-value pair. The special parameter "$NONAME_PARAM" is used to refer to the case where the parameter name is absent. Examples: (Parameter sid eq 1234), (Parameter $NONAME_PARAM co abcd) Status-code - This refers to the status code of the response returned by the servers. Example: (status-code eq 302) Response-header - This refers to the HTTP response header in the response. The term "Response-header" should be followed by the name of the header on which the action is to be applied. Example: (Response-Header Set-Cookie co sessionid)
Each expression may use only some of these elements. The following restrictions apply: The Extended Match expression in the Content Rules can use these elements: Method, HTTPVersion, Header, Client-IP, URI, URI-Path, Pathinfo and Parameters. Request Rewrite Condition allows these elements: Method, HTTP-Version, Header, Client-IP, Parameter, Pathinfo and URI. Response Rewrite Condition allows these elements: Header, Status-code and Response-Header.
Joins
Each expression can be joined with another expression by one of the following: || - This checks if either of the expressions are true. && - This checks if both the expressions are true.
Combining
More than one Element Match can be combined together by using the join operators || and && provided the Element Matches are enclosed in parentheses. Combining Element Matches without parentheses is not allowed. Example: (Header cookie ex) && (URI rco .*\.html) && (Method eq GET)
Nested sub-expressions can be created by enclosing parentheses within expressions. This makes the expression more readable as well as unambiguous. Example: (HTTP-Version eq HTTP/1.1) && ((Header Host eq www.example.com) || (Header Host eq website.example.com))
Escaping
The space character and the parentheses characters are special characters since they cause the parser to split the string into tokens at these separators. In some cases, it is required to specify these characters as part of the value itself. For example, the User-Agent header typically contains both spaces and parentheses, as in: User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3 The spaces and parenthesis characters in such cases must be escaped by prefixing these characters with a back-slash (\), or the entire value can be enclosed in double-quotes ("). Examples: Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3" Header User-Agent eq Mozilla/5.0\ $Linux\ i686;\ en-US;\ rv:1.8.1.3$\ Firefox/2.0.0.3
To specify the double-quote character itself, it must be escaped with a back-slash. This is true inside a quoted string, or a non-quoted string. Note that the single quote character has no special meaning, and is treated as any other character. To specify the back-slash character itself, it must be escaped as "\\". This is true within quoted strings or non-quoted strings. The back-slash character escapes all characters, not just the special characters. Thus, "\c" stands for the character "c" etc. In other words, back-slash followed by any character stands for the character, whether or not that character has a special meaning in the syntax.
Macro Definitions
The Barracuda Load Balancer supports several macros to assist in configuring policies. The following table describes these macros arranged by the areas where they can be used. The URI in these cases does not include the host.
Table A.1: Macro Definitions Name Description

Request Rewrites
$SRC_ADDR
Inserts the source (client) IP address. You can use it for the new value (Rewrite Value parameter) when inserting or rewriting a header. Should be specified in the new value, if you are rewriting or redirecting the URI. $URI specifies the complete request URI including the query string. Adds the username.* Adds the password.*
$URI
$AUTH_USER $AUTH_PASSWD
88
Name
$AUTH_GROUPS
Description
Adds the user roles.* *Note: (1) The URL is not protected, i.e. access-control or authentication is off. The value substituted for the above three macros will be the special string "NCURLNotProtected". (2) The client has not logged in. The value substituted for the above three macros will be the special string "NCNoUserSession". (3) The user does not belong to any groups. The value substituted for $AUTH_GROUPS will be the special string "NCNOUserRoles". URL ACLs
$NONAME_PARAM
Inserts a parameter with no name (see No Name Parameters on page 89)
No Name Parameters
There might be times when you want to configure a parameter without a name. For example, consider a site that pops up an advertising window when a user lands there. A Javascript adds a query string that results in the following GET request:
GET /ad?xxx
Note
The Barracuda Load Balancer does not learn no name parameters such as query strings like "GET /ad?0" added by a Javascript. Workaround: Add a null value URL ACL.
The Barracuda Load Balancer treats xxx as the value of a parameter. In this case, you cannot create an exception rule based on the xxx value because there is no way to associate it with a named parameter. To address such situations (that is, requests with parameter name-value pairs of the type ?xxx or ?=xxx where xxx is the value), you can use a special token: $NONAME_PARAM (case insensitive). This token allows you to create an expression for a parameter without a name as in the following examples:
set set set = parameter $NONAME_PARAM ex = parameter $NONAME_PARAM eq 0 = parameter $noname_param co xxx
90
Appendix B Barracuda Load Balancer Hardware

This appendix provides hardware information for the Barracuda Load Balancer. The following topics are covered: Front Panel of the Barracuda Load Balancer.....................................ii Back Panel of the Barracuda Load Balancer..................................... iv Hardware Compliance ......................................................................... v
Barracuda Load Balancer Hardware i
Front Panel of the Barracuda Load Balancer

Figure B.1 and Figure B.2 illustrate the front panels for each model.
Barracuda Load Balancer 240, 340, and 440

Figure B.1 shows the front components as described in Table B.1.
Figure B.1: Barracuda Load Balancer Front Panel for models 240, 340, and 440
3 4 567 8 9
Table B.1 describes the front components on the Barracuda Load Balancer 240, 340, and 440.
Table B.1: Front Panel Descriptions for Barracuda Load Balancer 240, 340, and 440 Diagram Location
1 2 3 4 5 6 7 8 9
Component Name
WAN port LAN port System indicator Reserved for future use Reserved for future use Data I/O System Power Reset Button Power Button
Description
Port for WAN connection Port for LAN connection Red at power on; if this stays red it indicates a problem.
Blinks during data transfer Displays system power Resets the Barracuda Load Balancer Powers on/off the Barracuda Load Balancer
ii
Barracuda Load Balancer 640

Figure B.2 shows the front components as described in Table B.2.
Figure B.2: Barracuda Load Balancer Front Panel for model 640
345678 9
Table B.2 describes the front components on the Barracuda Load Balancer 640.
Table B.2: Front Panel Descriptions for Barracuda Load Balancer 640 Diagram Location
1 2 3 4 5 6 7 8 9 10
]
10 1 2
Component Name
WAN port LAN port System indicator Reserved for future use Reserved for future use Data I/O System Power Reset Button Power Button LAN ports Blinks during data transfer Displays system power Resets the Barracuda Load Balancer Powers on/off the Barracuda Load Balancer Twelve (12) additional LAN switches, available to connect to Real Servers
Description
Port for WAN connection Port for LAN connection Red at power on; if this stays red it indicates a problem.
Barracuda Load Balancer Hardware iii
Back Panel of the Barracuda Load Balancer

Figure B.3 illustrates the back panel for all models.
Barracuda Load Balancer, all models

Figure B.3 shows the back components as described in Table B.3.
Figure B.3: Barracuda Load Balancer Back Panel
34
Table B.3 describes the back components on all models of the Barracuda Load Balancer.
Table B.3: Barracuda Load Balancer Back Component Descriptions Diagram Location
1 2 3 4 5 6 7 8 9
Component Name
Power Supply Fan Mouse Port Keyboard Port Serial Port Parallel Port Monitor Port USB Ports (4) Ethernet Port
Description
Connection for the AC power cord; standard power supply Location of the fan Connection for the mouse Connection for the keyboard Connection for the serial console cable Connection for the parallel cable Connection for the monitor Connection for USB devices Not used
iv
Hardware Compliance
This section contains compliance information for the Barracuda Load Balancer hardware.
Notice for the USA

Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules. Operation is subject to the following conditions:
1. 2.
This device may not cause harmful interference, and This device must accept any interference received including interference that may cause undesired operation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user in encouraged to try one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and the receiver. Plug the equipment into an outlet on a circuit different from that of the receiver. Consult the dealer on an experienced radio/ television technician for help.
Notice for Canada

This apparatus compiles with the Class B limits for radio interference as specified in the Canadian Department of Communication Radio Interference Regulations.
Notice for Europe (CE Mark)

This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).
Barracuda Load Balancer Hardware v
vi
Appendix C Limited Warranty and License

Barracuda Networks Limited Hardware Warranty (v 2.1)
Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc., ("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks, Inc.), and continuing for a period of one (1) year: (a) its products (excluding any software) will be free from material defects in materials and workmanship under normal use; and (b) the software provided in connection with its products, including any software contained or embedded in such products will substantially conform to Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate the software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is non-transferable.
Exclusive Remedy
Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks or its service centers option and expense, the repair, replacement or refund of the purchase price of any products sold which do not comply with this warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks option. Barracuda Networks obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks then-current Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at Barracuda Networks discretion, and shall be furnished on an exchange basis. All parts removed for replacement will become the property of Barracuda Networks. In connection with warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT SHALL BARRACUDA NETWORKS LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION.
Exclusions and Restrictions

This limited warranty does not apply to Barracuda Networks products that are or have been (a) marked or identified as "sample" or "beta," (b) loaned or provided to you at no cost, (c) sold "as is," (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or
vii
maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse, negligence or to an accident. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.
Barracuda Networks Software License Agreement (v 2.1)

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING THE BARRACUDA NETWORKS SOFTWARE. BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU ARE A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN THE SOFTWARE LICENSE GRANTED UNDER THIS AGREEMENT IS EXPRESSLY CONDITIONED UPON ACCEPTANCE BY A PERSON WHO IS AUTHORIZED TO SIGN FOR AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL REFUND TO YOUR PLACE OF PURCHASE. 1. The software and documentation, whether on disk, in flash memory, in read only memory, or on any other media or in any other form (collectively "Barracuda Software") is licensed, not sold, to you by Barracuda Networks, Inc. ("Barracuda") for use only under the terms of this Agreement, and Barracuda reserves all rights not expressly granted to you. The rights granted are limited to Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent or intellectual property rights. You own the media on which the Software is recorded but Barracuda retains ownership of the Software itself. If you have not completed a purchase of the Software and made payment for the purchase, the Software may only be used for evaluation purposes and may not be used in any production capacity. Furthermore the Software, when used for evaluation, may not be secure and may use publically available passwords. 2. Permitted License Uses and Restrictions. If you have purchased a Barracuda Networks hardware product, this Agreement allows you to use the Software only on the single Barracuda labeled hardware device on which the software was delivered. You may not make copies of the Software. You may not make a backup copy of the Software. If you have purchased a Barracuda Networks Virtual Machine you may use the software only in the licensed number of instances of the licensed sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup copies of the Software. If you have purchased client software you may install the software only on the number of licensed clients. You may make a reasonable number of backup copies of the Software. For all purchases you may not modify or create derivative works of the Software except as provided by the Open Source Licenses included below. You may not make the Software available over a
viii Barracuda Load Balancer Administrators Guide
network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided in the documentation, your use of the Software shall be limited to use on a single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units as you may have paid Barracuda Networks the required license fee; and your use of the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e. users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your use of the Software shall also be limited by any other restrictions set forth in your purchase order or in Barracuda Networks' product catalog, user documentation or Web site for the Software. The BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE SUPPORT MACHINES, OR OTHER EQUIPEMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE NOT TO USE IT IN ANY OF THESE OPERATIONS. 3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so. YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS AND OBLIGATIONS UNDER THIS AGREEMENT. You agree that you will have no right and will not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii) sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time sharing basis or other remote access system whereby third parties other than you can use or benefit from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run the Software on more computers than you have purchased license to; (vi) operate the Software in a fashion that exceeds the capacity or capabilities that were purchased by you. 4. THIS AGREEMENT SHALL BE EFFECTIVE UPON INSTALLATION OF THE SOFTWARE OR PRODUCT AND SHALL TERMINATE UPON THE EARLIER OF: (A) YOUR FAILURE TO COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda Networks and your obligations shall survive any termination of this Agreement. Upon termination of this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all copies of the Software have been destroyed or deleted from any of your computer libraries, storage devices, or any other location. 5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTIBILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS. BARRACUDA DOES NOT WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR FREE OR CONTINUOUS, THAT CURRENT OR FUTURE VERSIONS OF ANY OPERATING SYSTEM WILL BE SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS SHALL ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE WHICH
ix
WERE CAUSED BY IMPROPER OPERATION, USE OF UNSUITABLE RESOURCES, ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR CONTROL THAT ARE UTILIZED IN ANY BARRACUDA PRODUCT. 6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE ABSOLUTE AND UNILATERAL RIGHT AT ITS SOLE DISCRETION TO DENY USE OF, OR ACCESS TO BARRACUDA SOFTWARE, IF YOU ARE DEEMED BY BARRACUDA TO BE USING THE SOFTWARE IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA OR IN VIOLATION OF ANY LAW. 7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF BARRACUDA HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. In no event shall Barracuda's total liability to you for all damages exceed the amount of one hundred dollars.The following terms govern your use of the Energize Update Software except to the extent a particular program (a) is the subject of a separate written agreement with Barracuda Networks or (b) includes a separate "click-on" license agreement as part of the installation and/or download process. To the extent of a conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the written agreement, (2) the click-on agreement, and (3) this Energize Update Software License. 8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD PARTY TO) COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT, DISTRIBUTE, OR BURN TO CD (OR ANY OTHER MEDIUM) ANY COPYRIGHTED CONTENT THAT YOU ACCESS OR RECEIVE THROUGH USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU ASSUME ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF COPYRIGHTED CONTENT. You agree not to publish any benchmarks, measurements, or reports on the product without Barracuda Networks written express approval. 9. Third Party Software. Some Software which supports Bare Metal Disaster Recovery of Microsoft Windows Vista and Microsoft Windows 2008 Operating Systems (DR6) contains and uses components of the Microsoft Windows Pre-Installation Environment (WINPE) with the following restrictions: (i) the WINPE components in the DR6 product are licensed and not sold and may only be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda and its suppliers reserve all rights not expressly granted; (iv) license to use DR6 and the WINPE components is limited to use of the product as a recovery utility program only and not for use as a general purpose operating system; (v) Reverse engineering, decompiling or disassembly of the WINPE components, except to the extent expressly permitted by applicable law, is prohibited; (vi) DR6 contains a security feature from Microsoft that will automatically reboot the system without warning after 24 hours of continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6 is subject to U.S. export jurisdiction.
10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use any such trademarks for any purpose.
11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written consent of Barracuda Networks, (b) complying with applicable export control laws, including, but not limited to, restrictions and regulations of the Department of Commerce or other United States agency or authority and the applicable EU directives, and (c) obtaining any necessary permits and licenses. In any event, you may not transfer or authorize the transfer of the Software to a prohibited territory or country or otherwise in violation of any applicable restrictions or regulations. If you are a United States Government agency the Software and documentation qualify as "commercial items", as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Agreement may be incorporated, Government end user will acquire the Software and documentation with only those rights set forth in this Agreement. Use of either the Software or documentation or both constitutes agreement by the Government that the Software and documentation are "commercial computer software" and "commercial computer software documentation", and constitutes acceptance of the rights and restrictions herein. 12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA COUNTY, CALIFORNIA, UNLESS YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND, THE EU, OR JAPAN. IF YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW SHALL BE USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE USED AND JURISDICTION SHALL BE INNSBRUCK. IF YOUR HEADQUARTERS IS LOCATED IN JAPAN, JAPANESE LAW SHALL BE USED AND JURISDICTION SHALL BE TOKYO. THIS AGREEMENT WILL NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE U.N. CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES OF GOODS. This Agreement is the entire agreement between You and Barracuda Networks regarding the subject matter herein and supersedes any other communications with respect to the Software. If any provision of this Agreement is held invalid or unenforceable, the remainder of this Agreement will continue in full force and effect. Failure to prosecute a party's rights with respect to a default hereunder will not constitute a waiver of the right to enforce rights with respect to the same or any other breach. 13. Assignability. You may not assign any rights or obligations hereunder without prior written consent from Barracuda Networks. 14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty (60) days after they first appear on the statement you receive from your bank, Credit Card Company, other billing company or Barracuda Networks. If you do not bring such problems or discrepancies to Barracuda Networks attention within the sixty (60) day period, you agree that you waive the right to dispute such problems or discrepancies. 15. Collection of Data. You agree to allow Barracuda Networks to collect information ("Statistics") from the Software in order to fight spam, virus, and other threats as well as optimize and monitor the Software. Information will be collected electronically and automatically. Statistics include, but are not limited to, the number of messages processed, the number of messages that are categorized as spam, the number of virus and types, IP addresses of the largest spam senders, the number of emails classified for Bayesian analysis, capacity and usage, and other statistics. Your data will be kept private and will only be reported in aggregate by Barracuda Networks.
xi
16. Subscriptions. Software updates and subscription information provided by Barracuda Energize Updates or other services may be necessary for the continued operation of the Software. You acknowledge that such a subscription may be necessary. Furthermore some functionality may only be available with additional subscription purchases. Obtaining Software updates on systems where no valid subscription has been purchased or obtaining functionality where subscription has not been purchased is strictly forbidden and in violation of this Agreement. All initial subscriptions commence at the time of activation and all renewals commence at the expiration of the previous valid subscription. Unless otherwise expressly provided in the documentation, you shall use the Energize Updates Service and other subscriptions solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Barracuda Networks equipment) for communication with Barracuda Networks equipment owned or leased by you. All subscriptions are non-transferrable. Barracuda Networks makes no warranty that subscriptions will continue uninterrupted. Subscription may be terminated without notice by Barracuda Networks for lack of full payment. 17. Auto Renewals. If your Software purchase is a time based license, includes software maintenance, or includes a subscription, you hereby agree to automatically renew this purchase when it expires unless you notify Barracuda 15 days before the renewal date. Barracuda Networks will automatically bill you or charge you unless notified 15 days before the renewal date. 18. Time Base License. If your Software purchase is a time based license you expressly acknowledge that the Software will stop functioning at the time the license expires. You expressly indemnify and hold harmless Barracuda Networks for any and all damages that may occur because of this. 19. Support. Telephone, email and other forms of support will be provided to you if you have purchased a product that includes support. The hours of support vary based on country and the type of support purchased. Barracuda Networks Energize Updates typically include Basic support. 20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release of any Software or Subscription and to alter prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Software or Subscriptions. 21. Open Source Licensing. Barracuda Networks products may include programs that are covered by the GNU General Public License (GPL) or other Open Source license agreements, in particular the Linux operating system. It is expressly put on record that the Software does not constitute an edited version or further development of the operating system. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks. Further details may be provided in an appendix to this agreement where the licenses are re-printed. Barracuda Networks makes available the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.
Barracuda Networks Energize Updates and Other Subscription Terms

Barracuda Networks Software License Agreement Appendix
The GNU General Public License (GPL) Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
xii
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program
xiii
is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement). These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
xiv
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
xv
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF GNU TERMS AND CONDITIONS Barracuda Networks Products may contain programs that are copyright (c)1995-2005 International Business Machines Corporation and others. All rights reserved. These programs are covered by the following License: "Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the
xvi Barracuda Load Balancer Administrators Guide
Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation." Barracuda Networks Products may include programs that are covered by the BSD License: "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE." Barracuda Networks Products may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau, All rights reserved. It is covered by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain programs that are Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any other legal details, please contact Office of Technology Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213-3890 (412) 268-4387, fax: (412) 268-7395, techtransfer@andrew.cmu.edu . Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, AND IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
xvii
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Barracuda Networks Software may include programs that are covered by the Apache License or other Open Source license agreements. The Apache license is re-printed below for you reference. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the
xviii
purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
xix
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS Barracuda Networks makes available the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.
xx
Index
A
Adaptive Scheduling 50, 51 administration interface logging in 40 Administration page 76, 79, 82 Advanced IP Config page 58, 59 alerts 79
E
Enable, Real Server 78 Energize Updates 82
F
failed system, replacing 82 Failover IP Address 68 Figure 2.3 25 firewall, configuring 40 Firmware Update page 81 front panel details ii
B
back panel details iv backing up configuration 81 Backup page 81 Barracuda Load Balancer configuring 40, 47, 57 managing 81 monitoring 78 Barracuda Load Balancer Terminology 16 Barracuda Spam & Virus Firewall, deploying with the Barracuda Load Balancer 24 Basic > Server Health 52 Bridge mode with VLANs 58 Bridge-Path 16, 28 By Priority 69
G
Geo IP 69 GSLB Response Policies 68
H
hardware compliance information v hardware test 84 Health page 78 High Availability 17 updating firmware 81
C
character tags 85, i, vii configuring, Barracuda Load Balancer 40 content rules extended match 54 host match 54 how to create 54 how to edit 54 URL match 54
I
IP address setting 39 IP Configuration page 58
L
Last Resort Action 52 Last Resort Server 12, 16, 52, 53, 55, 56 Layer 7 - RDP Service, scheduling 51 Logical Network 16
D
definitions, updating 43, 82 diagnostic memory test 84 Direct Server Return 16, 29, 31 Directing HTTP requests - content rules 54 disabled mode, Real Server 47 Disabled, Real Server 78
Index - xxi
M
maintenance mode, Real Server 47 Maintenance, Real Server 78 modify HTTP request or response headers 55
monitoring Services 78
U
UDP ports 40 updating definitions 43, 82 firmware 81 updating firmware 81
N
network time protocol 41 notifications 79 NTP 41
V
Virtual IP (VIP) 16, 18
P
Persistence 16 Physical Network 16 proxy server 58
W
WAN IP Address 17 Weighted Least Connections 51 Weighted Round-Robin 51
R
Real Server 16 reboot options 83 recovery mode 83 Region Only 69 re-imaging system 84 reloading the system 82 remote administration 84 repairing, file system 84 replacing failed system 82 RESET button, using 82 restarting the system 82 restoring configuration 81 Route-Path 16
X
X-Forwarded-For 55
S
Scheduling policy 16 Server Farm 16 Service 16, 18 Service Monitor 16, 18, 78 Services, monitoring 78 shutting down the system 82 SNMP traps 79 source IP address 64 source NAT 59, 64 SSL Certificates 50 SSL Offloading 49 SSL offloading 49 SSL Offloading, configuring 50 Status page 79
T
Task Manager page 80 TCP ports 40 testing memory 84 time zone, setting 76 Troubleshooting page 83
xxii - Index

Barracuda Load Balancer Ag Us

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Barracuda Load Balancer Ag Us

Diunggah oleh

Hak Cipta:

Format Tersedia

Barracuda Networks Technical Documentation

Barracuda Load Balancer

RECLAIM YOUR NETWORK

Chapter 2 Load Balancing Deployment Options . . . . . . . . 15

Chapter 4 Configuring Services . . . . . . . . . . . . . . . . . . . 45

Barracuda Load Balancer Administrators Guide

Chapter 5 Network Configuration . . . . . . . . . . . . . . . . . . 57

Chapter 7 Global Server Load Balancing . . . . . . . . . . . . . 65

Chapter 8 Managing the Barracuda Load Balancer . . . . . 75

Appendix A Extended Match and Condition Expressions . 85

Appendix B Barracuda Load Balancer Hardware . . . . . . . i

Appendix C Limited Warranty and License

Barracuda Load Balancer Administrators Guide

Barracuda Networks Software License Agreement Appendix . . . . . . . xii

Barracuda Load Balancer Administrators Guide

Barracuda Load Balancer Administrators Guide

Features of the Barracuda Load Balancer

Load Balancing for all IP-based Applications

Easy to Use and Maintain

Intrusion Prevention System

Figure 1.1: Barracuda Energize Updates

Barracuda Load Balancer Administrators Guide

Secure Communication with Real Servers

Automated Service Monitor

Multiple Deployment Modes

Last Resort Server

Removing a Server without Disrupting the Service

HTTP Request and Response Rewrites

Support for Layer 2 VLANs

Barracuda Load Balancer Administrators Guide

HTTP Caching and Compression

Global Server Load Balancing (GSLB)

Barracuda Load Balancer Administrators Guide

Chapter 2 Load Balancing Deployment Options

Load Balancing Deployment Options 15

Barracuda Load Balancer Terminology

Table 2.1: Barracuda Load Balancer terminology Term

Virtual IP (VIP) address

Server Farm Client Persistence

Direct Server Return

Barracuda Load Balancer Administrators Guide

One-armed Mode Two-armed Mode

Load Balancing Deployment Options 17

Deployment Options Overview

Table 2.2: Service Types Service Type

Barracuda Load Balancer Administrators Guide

Table 2.3: Route-Path Deployment Options Type of Traffic

Topology Options (Route-Path)

Two-armed is recommended for best performance.

One-armed. Best performance if almost all traffic is outgoing

Layer 4 with Real Servers in Direct Server Return mode

Load Balancing Deployment Options 19

Table 2.3: Route-Path Deployment Options Type of Traffic

Topology Options (Route-Path)

TCP with SSL processing offloaded to the Barracuda Load Balancer

Two-armed is recommended for best performance.

HTTP (Web servers)

HTTP (Web servers)

FTP (FTP servers)

FTP (FTP servers)

Remote Desktop Services

Two-armed. Recommended for better performance.

Barracuda Load Balancer Administrators Guide