Administrators Guide
Version 3.6
Copyright Notice
Copyright 2004-2011, Barracuda Networks www.barracuda.com v3.6-110310-01-0310 All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda Load Balancer is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered trademarks or trademarks of their respective holders.
Contents
Chapter 1 Introduction
Overview
Features of the Barracuda Load Balancer
Load Balancing for all IP-based Applications
Easy to Use and Maintain
Intrusion Prevention System
Auto-Discover Mode
Persistence
SSL Offloading
Secure Communication with Real Servers
Scheduling Policy
Automated Service Monitor
Multiple Deployment Modes
High Availability
Easy Administration
Last Resort Server
Removing a Server without Disrupting the Service
Content Rules
HTTP Request and Response Rewrites
Support for Layer 2 VLANs
TCP Proxy
FTP Traffic
HTTP Caching and Compression
Global Server Load Balancing (GSLB)

Deployment in a Microsoft Windows Server 2003 or 2008 Environment
Verifying DSR Deployment

Chapter 3 Getting Started
Initial Setup
Preparing for Installation
Connecting the Barracuda Load Balancer to the Network
Configuring WAN IP Address and Network Settings
Configuring Your Corporate Firewall
Configuring the Barracuda Load Balancer
Verifying Your Subscription Status
Updating the Barracuda Load Balancer Firmware
Updating the IPS Definitions

Chapter 6 High Availability
Creating a High Availability Environment
Operation of High Availability (HA)
Requirements for HA
Failover if LAN Link Goes Down
Forceful or Manual Failover
Primary and Backup Roles
Failback
Synchronization of Data Between Clustered Systems
Steps to Add or Remove a System from a Cluster
Source IP Address in a Clustered Environment
Option 1
Option 2

Monitoring the Barracuda Load Balancer
Monitoring the Health of Services and Real Servers
Enabling or Disabling Real Servers
Remotely Administering Real Servers
Viewing Performance Statistics
Viewing Logs
Automating the Delivery of System Alerts and SNMP Traps
SNMP Monitoring
Managing Multiple Systems with the Barracuda Control Center
Viewing System Tasks
Maintaining the Barracuda Load Balancer
Backing up and Restoring Your System Configuration
Updating the Firmware of Your Barracuda Load Balancer
Updating the Intrusion Prevention Rules Using Energize Updates
Replacing a Failed System
Reloading, Restarting, and Shutting Down the System
Using the Built-in Troubleshooting Tools
Rebooting the System in Recovery Mode
Reboot Options
Chapter 1 Introduction
This chapter provides an overview of the Barracuda Load Balancer and includes the following topics:
- Overview
- Features of the Barracuda Load Balancer
Overview
Organizations use load balancers to distribute traffic across a set of servers in their network. In the event a server goes down, the load balancer automatically detects this failure and forwards traffic only to the remaining functioning servers, maintaining high availability of the services provided by the servers. The Barracuda Load Balancer is designed to help organizations achieve their high availability objectives by providing:
- Integrated Service Monitor to monitor servers
- Comprehensive failover capabilities in case of server failure
- Distribution of traffic across multiple servers
- Integrated protection from network intrusions
- Automatic failover to a backup Barracuda Load Balancer if needed
Note
The Barracuda Load Balancer directs traffic to servers. It is not designed for link balancing that distributes traffic across multiple Internet connections - try the Barracuda Link Balancer instead.
The Barracuda Load Balancer is designed to provide comprehensive load-balancing capabilities to any IP-based application, including:
- Internet sites with high traffic requirements, including Web, FTP, media streaming, and content delivery networks
- Hosted applications such as Microsoft Windows Remote Desktop Services, Exchange Server and Office Communications Server
- Other IP services requiring optimal performance, including SMTP, DNS, RADIUS, and TFTP
Features specifically for HTTP traffic include:
- Rules that direct traffic based on request content
- HTTP request and response rules to modify requests and responses
- HTTP caching and compression.
Exploit signatures are regularly updated at Barracuda Central and are automatically delivered to your Barracuda Load Balancer via Energize Updates. The following figure shows how Barracuda Central provides the latest updates through the Energize Update feature.
Auto-Discover Mode
All models of the Barracuda Load Balancer support Auto-Discovery of Real Servers and applications running on the servers to ensure quick and easy deployment of new servers. For common applications there is no need to manually configure each port.
Persistence
The Barracuda Load Balancer supports technologies that direct clients back to the same server, including client IP address and cookies. The length of time that session persistence is maintained during a time of inactivity can be defined on a Service level.
SSL Offloading
The Barracuda Load Balancer has the ability to handle SSL encryption and decryption locally, to help ease the burden on the Real Servers. SSL offloading is not available if using the Direct Server Return mode of deployment or if the Service type is Layer 7 - RDP. SSL offloading is available on models 340 and above.
Scheduling Policy
The Barracuda Load Balancer supports multiple scheduling policies that support server weighting including Weighted Least Connection and Weighted Round Robin. Server weights can be preassigned based on server capacity or they can be dynamically calculated by the adaptive scheduling algorithm based on factors such as the load reported by the servers.
High Availability
With simple setup through the Web administrative interface, the Barracuda Load Balancer supports High Availability configurations. Point the backup Barracuda Load Balancer to the primary Barracuda Load Balancer's management IP address to synchronize configurations and bring your server farm to enterprise grade availability. This feature is available on models 340 and above.
Easy Administration
The SSL-secured Web interface of the Barracuda Load Balancer allows for convenient configuration and monitoring.
Content Rules
The Barracuda Load Balancer can route application (Layer 7) traffic to different servers based on content rules that examine incoming requests. This allows you to partition your servers by content and efficiently direct requests to the relevant server. For example, image requests can be directed to a server that hosts all of the images and has been optimized for image delivery. This feature is available on models 340 and above.
TCP Proxy
The Barracuda Load Balancer acts as a full TCP proxy for incoming and outgoing connections for Services with type TCP Proxy. This feature is available on models 340 and above.
FTP Traffic
The Barracuda Load Balancer has support for Layer 7 FTP and FTPS. This feature is available on models 340 and above.
Term: Description
A combination of a Virtual IP (VIP) address and one or more TCP/UDP ports that the Service is to listen on. Traffic arriving over the designated port(s) to the specified Virtual IP address is directed to one of the Real Servers that are associated with that Service.
Service Monitor: The Service Monitor monitors the availability of the Real Servers. It can be configured either on a per-Service or per-Real Server basis to use one of several different methods to establish the availability of a Real Server. If the Service Monitor finds that no Real Servers are available, you can specify a Last Resort Server to which all traffic for the Service will be routed.
The IP address assigned to a specific Service. A client uses the Virtual IP address to connect to the load-balanced Service. The Virtual IP address must be different than the WAN IP address of the Barracuda Load Balancer.
Real Server: One of the systems that perform the actual work of the load-balanced Service. The Barracuda Load Balancer assigns new connections to it as determined by the scheduling policy in effect for the Service.
A collection of Real Servers.
The entity requesting connection to a load-balanced Service. Clients may be external or internal.
A returning connection is routed to the same Real Server that handled a previous request from the same client within a specified time. Examples of Services that may need persistence settings are Web sites that have shopping carts or require some sort of login. See Enabling Persistence on page 48 for more information.
Scheduling policy: Specifies how the Barracuda Load Balancer determines which Real Server is to receive the next connection request. Each Service can be configured with a different policy. More information can be found in Selecting a Scheduling Policy on page 50.
Route-Path, Bridge-Path: Deployment modes for the Barracuda Load Balancer. They differ in how the Real Servers are connected. Details and benefits of each mode can be found in the sections Route-Path (Recommended) on page 19 and Bridge-Path on page 27.
Option that is enabled on individual Real Servers. However, because it can affect how a deployment is designed, it is often treated as a mode of its own. More details on this can be found in the section on Direct Server Return (DSR) on page 29.
Logical Network: A collection of systems on an isolatable subnet. In Route-Path mode, for example, all systems associated with the LAN interface would be in one (or more) logical network(s) 10.1.1.x, and all systems connected to the WAN interface would be in another logical network of 192.168.1.x.
Physical Network: A group of systems that are physically connected to each other, usually over a switch or VLAN.
Term: Description
WAN IP Address: The IP address associated with the port that connects the Barracuda Load Balancer to the WAN. It may be used to access the Web administration interface. This address must be different than the Virtual IP addresses assigned to the Services.
High Availability: Two Barracuda Load Balancers can be joined as an active-passive pair in a cluster. The active system performs the load-balancing while the passive one monitors it, ready to take over operations if the first one fails. For more information, see Creating a High Availability Environment on page 62.
The WAN port is used for both external and internal traffic that passes through the Barracuda Load Balancer.
The Barracuda Load Balancer is deployed in-line, using both the WAN and LAN ports. The Virtual IP addresses and the Real Servers must be on different subnets.
All of these deployment modes require specific network configurations. The Barracuda Load Balancer must be in either Route-Path or Bridge-Path mode. Direct Server Return is an option that you may choose for each Real Server. Choose the deployment mode for the Barracuda Load Balancer based on the type of network configuration that currently exists at your site as well as on the types of Services you wish to load balance. Route-Path is recommended over Bridge-Path because it provides a more robust deployment. Enabling the Direct Server Return option is recommended only for Real Servers that generate a much greater volume of outbound traffic relative to the inbound traffic.
Service Types
A Service is the access point that the client uses for the functionality provided by the Real Servers. There are multiple Service types supported by the Barracuda Load Balancer. Because the choice of Service type may affect the deployment method, this table gives a brief overview.
Description
Traffic passes in half-NAT mode, meaning the destination IP address is changed to that of the Real Server, but the source IP address remains intact.
Same as TCP Proxy with SSL offloading.
Traffic passes in full-NAT mode, meaning that both the source and destination IP addresses are changed. The Barracuda Load Balancer acts as a full proxy. Connections from the client are terminated at the Barracuda Load Balancer and new ones are established between the Barracuda Load Balancer and the Real Servers.
Route-Path (Recommended)
This section describes the Route-Path method of deployment. It includes the following:
- Introduction to Route-Path
- Sample Network Situations
- Two-Armed Route-Path with Layer 4 Load Balancing
- Route-Path Configured with TCP Proxy or a Layer 7 Service Type
- One-Armed Route-Path using TCP Proxy or Layer 7 Service Types
- Two-Armed Route-Path with TCP Proxy or Layer 7 Service Types
- About Multiple Network Adapters on Real Servers
Introduction to Route-Path
Route-Path is the most commonly used deployment method. If a Service type of Layer 4 with SSL offloading not enabled is used in a two-armed deployment, the Barracuda Load Balancer has to be the default gateway for all downstream Real Servers. For all other cases, the Real Servers and VIP addresses can be positioned in a variety of ways. The following table provides an overview of the Route-Path deployment options.
Service Type
Notes
Barracuda Load Balancer has to be the default gateway for all downstream Real Servers. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Requires loopback adapter on each Real Server. Can keep IP addresses of the Real Servers. SSL offloading and other Layer 7 capabilities are not supported.
Two-armed. Usually this is the recommended deployment for Layer 4 traffic.
Layer 4
One-armed.
TCP Proxy
TCP
TCP
TCP Proxy
TCP or UDP
Service Type
TCP Proxy
Notes
Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer. Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.
TCP Proxy
Two-armed.
Layer 7 - HTTP
One-armed.
Layer 7 - HTTP
Two-armed.
Layer 7 - FTP
One-armed.
Layer 7 - FTP
Layer 7 - RDP
Service Type
Layer 7 - RDP
Notes
Can keep IP addresses of the Real Servers. There is a TCP Connection between the Barracuda Load Balancer and the Real Server. Any response goes back to the Barracuda Load Balancer.
1. The Barracuda Load Balancer provides Layer 4 load balancing of TCP/IP traffic. Use two-armed Route-Path with one or more Layer 4 Services.
2. The Barracuda Load Balancer provides SSL offloading and Layer 4 load balancing of TCP/IP traffic. Use a one or two-armed Route-Path with one or more Layer 4 Services. If you use one-armed Route-Path, you will not need to reconfigure the IP addresses of the Real Servers. Two-armed Route-Path provides better performance.
3. The Real Servers are on the same subnet as the Barracuda Load Balancer and the configuration cannot be changed. Use one-armed Route-Path with a TCP Proxy Service. Or, if almost all of the traffic is outbound, use Direct Server Return with a Layer 4 Service.
4. There is an existing IT infrastructure using Windows where the Web servers need to communicate with systems such as Active Directory Domain Services, ISA Servers or domain controllers. To avoid changing those network settings, either:
- Use one-armed Route-Path with a TCP Proxy Service.
- Use Direct Server Return with a Layer 4 Service.
For best performance, the recommended deployment is to use a two-armed Route-Path with a Layer 4 Service.
5. The outbound traffic is far greater than the inbound traffic, for example, if the Real Servers are providing streamed audio or visual media. Use Direct Server Return with a Layer 4 Service to increase throughput.
6. There is a need to remotely administer the Real Servers individually. Create new Services, each of which only load balances a single Real Server. Deploy the Real Servers in a one-armed mode where they are on the WAN side of the Barracuda Load Balancer and serving a TCP Proxy Service. Or, deploy the Real Servers on the WAN side in Direct Server Return mode serving a Layer 4 Service.
If desired, you can keep an externally accessible IP address on a Real Server so that external clients can still access that address (for example, for FTP) only on that one system. Because configuration changes are not required, only that traffic which needs to be load balanced passes through the Barracuda Load Balancer. Figure 2.3 shows another example of a one-armed route path deployment using TCP Proxy Services. In this case, the Services are provided by multiple Barracuda Spam & Virus Firewalls and Email servers.
Figure 2.3: One-armed TCP Proxy Service with Barracuda Spam & Virus Firewalls
As shown in the diagram, email passes through this network in the following way:
#1 Email is sent to the VIP address for the TCP Proxy Service that represents the Barracuda Spam
Bridge-Path
Bridge-Path deployment entails placing the Barracuda Load Balancer inline with your existing IP infrastructure so that it can load balance the Real Servers without changing IP addresses. The LAN interface must be on the same logical switch as the Real Servers. The WAN and LAN interfaces must be on physically separate networks. If you are considering using a bridge-path deployment because you want to avoid changing the IP addresses of your Real Servers, we recommend that you instead use a TCP Proxy Service and Route-Path. The following table describes the advantages and disadvantages of deploying your Barracuda Load Balancer in Bridge-Path mode.
Advantages
- Minimal network changes since the existing IP infrastructure is reused. Real Servers keep their existing IP addresses.
Disadvantages
- Separate physical networks required for downstream Real Servers
- Less resilient to network misconfigurations
- Improper configuration of a Bridge-Path network may result in a broadcast storm, resulting in network outages
Deploying Bridge-Path
In Bridge-Path mode, the Real Servers must be physically isolated behind the Barracuda Load Balancer. This means that each Real Server is no longer visible on the network if the Barracuda Load Balancer becomes unavailable (a separate switch is required for models 440 and below). The Real Servers must be on the same subnet and logical network as the Barracuda Load Balancer, the VIPs, and the rest of the WAN, and they must specify the same gateway as the Barracuda Load Balancer. Make sure that the Operating Mode of the Barracuda Load Balancer is set to Bridge-Path on the Basic > IP Configuration page. The LAN IP Address on the same page is not used.
Advantages
- Ideal for high-bandwidth requirements such as content delivery networks
- Keeps existing IP addresses of Real Servers
Disadvantages
- Requires flat network topology
- Requires non-ARPing loopback adapter on Real Servers
- Client IP persistence only
- Only Layer 4 load balancing is supported
- HTTP, TCP Proxy and RDP are not supported
- SSL offloading is not supported.
- No actions can be performed on the response headers and data (e.g. caching, compression, URL rewrites).
Balancer.
#2 A Real Server is selected, and the data frame of the packet is modified to be the MAC address of
Edit your rc.local file (usually located at /etc/rc.d/rc.local) and add the following:
sysctl -w net.ipv4.conf.lo.arp_ignore=1
sysctl -w net.ipv4.conf.lo.arp_announce=2
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ifconfig <interface_name> <ip_address> netmask 255.255.255.255 -arp up
where:
<interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2)
<ip_address> is the Virtual IP Address for the Service
For example:
ifconfig lo:1 192.168.4.217 netmask 255.255.255.255 -arp up
2. httpd.conf must have a VirtualHost entry for the VIPs. Edit the file to add these two lines:
listen <virtual_ip_address>:80
listen <real_ip_address>:80
where:
<virtual_ip_address> is the Virtual IP Address for the Service
<real_ip_address> is the actual IP Address for the Real Server
3. To check if the loopback adapter is working, make sure the Real Server is bound to the loopback adapter's IP address. Output from the ifconfig command should show the presence of the loopback adapter.
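A check for the Linux steps above, as an added example that is not part of the Barracuda guide: it compares the four ARP sysctls and the loopback alias with the values those steps set. The function names, the optional snapshot arguments and the use of `ip -o -4 addr` output instead of ifconfig output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Barracuda guide: audit the DSR settings
# from the steps above on a Linux Real Server.
#
# check_dsr_ready VIP [SYSCTL_ROOT] [ADDR_FILE]
#   SYSCTL_ROOT  directory that holds net/ipv4/conf/... (default /proc/sys)
#   ADDR_FILE    saved output of `ip -o -4 addr show dev lo`; if omitted the
#                command is run on the live host
# The two optional arguments are an assumption of this example so the same
# check can run against a captured snapshot.
check_dsr_ready() {
    vip=$1
    root=${2:-/proc/sys}
    addr_file=${3:-}
    problems=0

    # Values the guide writes with sysctl -w, for both "lo" and "all".
    for spec in "lo arp_ignore 1" "lo arp_announce 2" \
                "all arp_ignore 1" "all arp_announce 2"; do
        set -- $spec
        path="$root/net/ipv4/conf/$1/$2"
        if [ -r "$path" ]; then have=$(cat "$path"); else have=unreadable; fi
        if [ "$have" != "$3" ]; then
            echo "FAIL net.ipv4.conf.$1.$2=$have (expected $3)"
            problems=$((problems + 1))
        fi
    done

    # The VIP must sit on the loopback device with a 255.255.255.255 (/32) mask.
    if [ -n "$addr_file" ]; then
        addrs=$(cat "$addr_file" 2>/dev/null) || addrs=""
    else
        addrs=$(ip -o -4 addr show dev lo 2>/dev/null) || addrs=""
    fi
    prefix=$(printf '%s\n' "$addrs" | awk -v vip="$vip" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == vip) { print a[2]; exit } }')
    if [ -z "$prefix" ]; then
        echo "FAIL $vip is not assigned to the loopback device"
        problems=$((problems + 1))
    elif [ "$prefix" != "32" ]; then
        echo "FAIL $vip has prefix /$prefix on loopback (expected /32)"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK $vip: ARP settings and loopback alias match the guide"
        return 0
    fi
    return 1
}

# Constructed snapshot of a correctly configured server (sample data, not
# captured from a real host), using the guide's example VIP on lo:1.
dsr_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/net/ipv4/conf/lo" "$d/net/ipv4/conf/all"
    echo 1 > "$d/net/ipv4/conf/lo/arp_ignore"
    echo 2 > "$d/net/ipv4/conf/lo/arp_announce"
    echo 1 > "$d/net/ipv4/conf/all/arp_ignore"
    echo 2 > "$d/net/ipv4/conf/all/arp_announce"
    printf '%s\n' \
        '1: lo    inet 127.0.0.1/8 scope host lo' \
        '1: lo    inet 192.168.4.217/32 scope global lo:1' > "$d/lo.txt"
    rc=0
    check_dsr_ready 192.168.4.217 "$d" "$d/lo.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

case "${1:-}" in
    "")   ;;                        # no arguments: only define the functions
    demo) dsr_demo ;;
    *)    check_dsr_ready "$@" ;;   # e.g. sh check_dsr.sh 192.168.4.217
esac
```

Run it on each Real Server after a reboot as well, since the settings only persist if the rc.local entries were saved.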
DSR in a Microsoft Windows Server 2003 or 2008 Environment
Table 2.4: Steps to make Microsoft Windows Server 2003 and 2008 ready for DSR
- Disable the Windows firewall. Enable traffic to the loopback adapter.
- Install the loopback adapter.
- Configure the loopback adapter. In particular, stop the loopback adapter from responding to ARP requests. Remember that the loopback adapter has the same IP address as the VIP address.
- Make the Windows networking stack use the weak host model. This step is required to allow the modified packet to be accepted by Windows Server 2008 servers.
- If you are using IIS, add the loopback adapter to your site bindings. You need to ensure that the IP address for the loopback adapter is included in the site bindings in IIS.
These detailed instructions describe how to deploy DSR in a Windows Server 2003 or 2008 environment. Perform these steps for each server.
1. For Microsoft Windows Server 2003 and Windows Server 2008 you need to disable the built-in firewall or manually change the rules to enable traffic to and from the loopback adapter. By default, the Windows firewall blocks all connections to the loopback adapter.
2. Install a loopback adapter on one server:
   1. Open Device Manager. On the Start menu, click Run and type devmgmt.msc at the prompt.
   2. Right-click on the server name and click Add legacy hardware.
   3. When prompted by the wizard, choose to Install the hardware that I manually select from a list (Advanced).
   4. Find Network Adapter in the list and click Next.
   5. From the listed manufacturers select Microsoft and then Microsoft Loopback Adapter. See Figure 2.7.
3. After the loopback adapter is installed, follow these steps to configure it:
3a. In Control Panel, double-click Network and Dial up Connections.
3b. Right-click the newly installed loopback adapter and click Properties.
3c. Click to clear the Client for Microsoft Networks check box.
3d. Click to clear the File and Printer Sharing for Microsoft Networks check box.
3e. Click TCP/IP properties.
3f. Enter the VIP address and the subnet mask.
3g. Click Advanced.
3h. Change the Interface Metric to 254. This stops the adapter from responding to ARP requests.
3i. Click OK.
4. Make the Windows networking stack use the weak host model.
If you are using Windows Server 2003, you can skip to the next step. If you are using Windows Server 2008 or Windows Server 2008 R2, this step tells you how to make the Windows networking stack use the weak host model (which is the same model used in Windows Server 2003).
DSR works by modifying the destination MAC address of the incoming traffic to one of the Real Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used a weak host model which allowed the host to receive packets on an interface not assigned as the destination IP address of the packet being received. With Windows Server 2008, Microsoft has implemented a strong host model which breaks the method that DSR uses.
Open a command prompt with elevated permissions. To determine the interface ID for both the loopback adapter and the main NIC on the server, type:
netsh interface ipv4 show interface
Note the IDX for both the main network interface and the loopback adapter you created. If you have not changed the interface names for this server then usually the main NIC will display as Local Area Connection and the loopback adapter will be named Local Area Connection 2. An entry will be displayed that includes the IDX numbers for both your loopback adapter and your Internet facing NIC. For each of these adapters enter these three commands:
netsh interface ipv4 set interface <IDX number for Server NIC> weakhostreceive=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostreceive=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostsend=enabled
For example:
netsh interface ipv4 set interface 23 weakhostreceive=enabled
netsh interface ipv4 set interface 24 weakhostreceive=enabled
netsh interface ipv4 set interface 24 weakhostsend=enabled
5. If you are using IIS, add the loopback adapter to your site bindings.
By default, IIS includes all interfaces. However, if you have configured a site to be bound to an individual IP address, you need to ensure that the IP address for the loopback adapter (your VIP address) is also included in the site bindings in IIS. Follow these steps to bind the loopback adapter, referring to Figure 2.8:
5a. Open the Internet Information Services (IIS) Manager.
5b. Expand the Sites Folder.
5c. Click Default Web Site or the name of the site you are modifying.
5d. Click Bindings on the Actions panel.
5e. Click Add... and click HTTP or HTTPS in the Type list. Enter the IP address of your loopback adapter and the port. Click OK.
5f. On the Actions panel click Restart under Manage Web Site to ensure the new bindings take effect.
Initial Setup
These are the general steps to set up your Barracuda Load Balancer. For more detailed instructions for each step, see the following reference pages.
- Preparing for Installation
- Connecting the Barracuda Load Balancer to the Network
- Configuring WAN IP Address and Network Settings
- Configuring Your Corporate Firewall
- Configuring the Barracuda Load Balancer
- Updating the Barracuda Load Balancer Firmware
- Verifying Your Subscription Status
- Updating the IPS Definitions
Fasten the Barracuda Load Balancer to a standard 19-inch rack or other stable location.
Caution
Do not block the cooling vents located on the front and rear of the unit.
2. If using Route-Path, then the network switch referenced in the following steps may be the same physical switch. If using Bridge-Path, however, then separate switches on different Layer 2 networks must be used.
2a. Connect a CAT5 Ethernet cable from the WAN interface on the Barracuda Load Balancer to the network switch through which the traffic destined to the VIP addresses will be routed.
2b. Connect a CAT5 Ethernet cable from the LAN interface on the Barracuda Load Balancer to the network switch where the Real Servers reside.
Caution
Do not connect any other cables to the unit. The connectors on the back panel are for diagnostic purposes only.
3. Connect the following to your Barracuda Load Balancer:
- Power cord
- VGA monitor
- PS2 keyboard
After you connect the AC power cord, you may hear the fan operate for a couple of seconds and then power off. This behavior is normal.
4. Press the Power button located on the front of the unit. The login prompt for the administrative console displays on the monitor, and the power light on the front of the Barracuda Load Balancer turns on. For a description of each indicator light, refer to the section that describes the model of your Barracuda Load Balancer in Front Panel of the Barracuda Load Balancer on page ii.
1. Connect your keyboard and monitor directly to the Barracuda Load Balancer.
2. At the barracuda login prompt, enter admin for the login and admin for the password. The User Confirmation Requested window displays the current IP configuration of the Barracuda Load Balancer.
3. Using your Tab key, select Change to change the WAN IP configuration.
4. Enter the new WAN IP address, netmask, and default gateway for your Barracuda Load Balancer. Save your changes. The Primary and Secondary DNS fields are optional at this time, but if not entered here then they must be entered in Step 3c of "To configure the Barracuda Load Balancer" on page 40.
Direction    Protocol    Description
Out          TCP         Remote diagnostics and technical support services
Out          TCP/UDP     DNS (Domain Name Server)
Out          TCP         IPS and firmware updates (unless configured to use a proxy)
Out          UDP         NTP (Network Time Protocol)
as needed    as needed   1:1 NATs as needed, and any port required to access the VIP of a load-balanced Service.
To send system alerts and notifications to the administrator, the Barracuda Load Balancer must be able to communicate with the mail server over the port specified on the Basic > Administration page. This may require opening that port on the firewall.
Certain protocols require additional ports to be open. Examples include FTP and streaming media protocols. When configuring Services using these protocols, ensure that the additional ports required are not blocked by the firewall.
1. From a Web browser, enter the IP address of the Barracuda Load Balancer followed by a colon and port 8000. For example: http://192.168.200.200:8000.
2. To log into the Web interface, enter admin for the username and admin for the password.
3. Select Basic > IP Configuration, and perform the following steps:
3a. Enter the following information in the WAN IP Configuration section:
- IP Address. The address associated with the port that connects the Barracuda Load Balancer to the WAN.
- Subnet Mask. The subnet mask assigned to the WAN interface of the Barracuda Load Balancer.
- Default Gateway. The default router for network traffic not destined for the local subnet.
- Allow administration access. Set to Yes if you want to allow administration access via this IP address. The port that is used is configured on the Basic > Administration page.
If the Barracuda Load Balancer is in Bridge-Path mode, or if only Direct Server Return mode is being employed, then go to Step 3c.
If you are configuring a backup Barracuda Load Balancer, do not complete the LAN IP Address and LAN Netmask fields on the backup system. If the backup unit becomes active and if it is in Route-Path mode, it uses the LAN IP Address and Netmask that are configured on the primary Barracuda Load Balancer. For more information, see Creating a High Availability Environment on page 62.
3b. Enter the following information in the LAN IP Configuration section:
- LAN IP Address. The address that connects the Barracuda Load Balancer to the LAN. This is only used for two-armed Route-Path mode or, if in one-armed Route-Path mode, for management.
- LAN Netmask. The subnet mask tied to the LAN. This is only used for Route-Path mode.
- Allow administration access. Set to Yes if you want to allow administration access via this IP address. The port that is used is configured on the Basic > Administration page.
3c. Enter the IP address of your primary and secondary DNS servers.
3d. Enter the default hostname and default domain name of the Barracuda Load Balancer.
3e. If the Barracuda Load Balancer is behind a proxy server, enter the relevant parameters.
3f. Click Save Changes.
Note
When the IP address of your Barracuda Load Balancer on the IP Configuration page is changed, you will be disconnected from the Web interface. Log in again using the new IP address.
3g. If you want this Barracuda Load Balancer to operate in Bridge-Path mode, and this is not a backup Barracuda Load Balancer in a cluster, click Convert to change the
Time on the Barracuda Load Balancer is automatically updated via NTP (Network Time Protocol). It requires that port 123 is opened for outbound UDP traffic on your firewall (if the Barracuda Load Balancer is located behind one). It is important that the time zone is set correctly because this information is used to coordinate traffic distribution and in all logs and reports.
4c. If desired, change the port number used to access the Barracuda Load Balancer user interface. The default port is 8000.
4d. Enter the amount of time, in minutes, for the length of your Web interface session
administrator to receive system alerts and notifications.
4f. Click Save Changes.
If your subscription status does not change to Current, or if you have trouble filling out the Product Activation page, call your Barracuda Networks sales representative.
1. Select Advanced > Firmware Update.
2. Read the release notes to learn about the latest features and fixes provided in the new firmware version.
3. Click Download Now next to Latest General Release. Click OK on the download duration window. Updating the firmware may take several minutes. Do not turn off the unit during this process.
Download Now is disabled if the Barracuda Load Balancer is running the latest firmware version.
4. The Barracuda Load Balancer begins downloading the latest firmware version. Click Refresh to view the download status, until you see a message stating that the download has completed.
5. Click Apply Now when the download completes.
6. Click OK when prompted to reboot the Barracuda Load Balancer. A Status page displays the progress of the reboot. Once the reboot is complete, the login page appears.
1. Select Advanced > Energize Updates.
2. Select Hourly or Daily for Automatically Update. The recommended setting is Hourly for IPS definitions.
3. Check to see if the current version is the same as the latest general release. If the rules are up-to-date, proceed to the next section. If the rules are not up-to-date, continue to the next step.
4. Click Update to download and install the latest available IPS definitions onto the Barracuda Load Balancer.
5. Click Save Changes.
Your Barracuda Load Balancer should be ready for operation. For more configuration tasks, including creating Services, refer to the next chapter, Configuring Services on page 45.
Detailed information for all options on a page in the Web interface is available from the online help for that page.
Configuring Services
Deployment Guides
The following documents provide detailed instructions to help you deploy the Barracuda Load Balancer in specific environments. If you are using one of the following Microsoft products, refer to the corresponding guide.
Creating Services
This section describes the configuration tasks related to creating Services and associating Real Servers with them. The following topics are covered:
- Creating Load-Balanced Services
- Associating Real Servers with a Service
- Enabling Persistence
- Remote Desktop Services Load Balancing
- SSL Offloading
- TCP Proxy
- FTP Service
- FTP SSL Service
- Selecting a Scheduling Policy
- Configuring Intrusion Prevention
- Configuring a Last Resort Action
- Client Impersonation
Enabling Persistence
The Barracuda Load Balancer supports a variety of ways to direct clients back to the same Real Server after a period of inactivity.
Using the Basic > Services page, create a Service on port 3389. Edit the Service and set the Service Type to Layer 7 - RDP.
The Barracuda Load Balancer supports the use of Session Directory and TS Session Broker routing tokens. The Barracuda Load Balancer uses the routing token supplied by the Session Directory or Session Broker to determine which host to use. To make this work properly:
- If the Real Server is running a version of Windows Server prior to Windows Server 2008 R2, clear the Use IP address redirection check box when configuring the network adapter.
- If the Real Server is running Windows Server 2008 R2, select Use token redirection when configuring the network adapter.
There is a guide to deploying the Barracuda Load Balancer with Remote Desktop Services located at http://www.barracudanetworks.com/documentation.
TCP Proxy
You can create a TCP Proxy Service to make the Barracuda Load Balancer act as a full TCP proxy. Using the TCP Proxy Service allows the Real Servers to be located anywhere, as long as they are reachable by the Barracuda Load Balancer. See Deployment Options Overview on page 18 for examples of deployments using TCP Proxy Services.
FTP Service
You can create a Service with type Layer 7 - FTP to allow the Barracuda Load Balancer to process FTP traffic from the clients to the servers. An FTP client connects to an FTP server to manipulate files on that server. Both passive and active FTP are supported. If passive FTP will be used and if the Barracuda Load Balancer is behind a NATing firewall, you should specify an IP address and one or more ports that are sent in the response to a PASV request from a client. The client connects to the specified IP address and port to receive the data. Usually this address is the external IP address that is translated by the firewall to the Virtual IP address of the FTP Service. The port or ports are those allowed by the firewall. Enter the IP address and port(s) on the Service Detail page.
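The PASV exchange described above, as an added example that is not part of the Barracuda guide: an FTP server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)", where the data port is p1*256 + p2. The sketch parses such a reply and reports the two problems that arise behind a NATing firewall, an internal address sent to the client and a data port the firewall does not allow. The addresses, the port range and all function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply to PASV: "227 <text> (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Private ranges that an Internet client cannot reach through a NATing firewall.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_pasv_reply(ip, port):
    """Format the reply a server sends when it advertises ip:port for data."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        ",".join(octets), port >> 8, port & 0xFF)


def parse_pasv_reply(line):
    """Return (IPv4Address, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in %r" % line)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def check_pasv_reply(line, external_ip, allowed_ports):
    """List the reasons an Internet client could not open the data connection."""
    ip, port = parse_pasv_reply(line)
    problems = []
    if ip != ipaddress.IPv4Address(external_ip):
        kind = "RFC 1918" if any(ip in net for net in RFC1918) else "unexpected"
        problems.append("advertises %s address %s instead of %s"
                        % (kind, ip, external_ip))
    if port not in allowed_ports:
        problems.append("data port %d is outside the firewall's passive range %d-%d"
                        % (port, allowed_ports[0], allowed_ports[-1]))
    return problems


# Constructed values: the firewall's external address (translated to the VIP of
# the FTP Service) and the passive port range the firewall lets through.
EXTERNAL_IP = "203.0.113.10"
FIREWALL_PORTS = range(50000, 50101)

if __name__ == "__main__":
    good = build_pasv_reply(EXTERNAL_IP, 50010)
    bad = build_pasv_reply("192.168.200.50", 2121)  # internal address sent to client
    for reply in (good, bad):
        print(reply, "->", check_pasv_reply(reply, EXTERNAL_IP, FIREWALL_PORTS) or "ok")
```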
SSL Offloading
The Barracuda Load Balancer is able to perform decryption and encryption of SSL traffic to reduce the load on the Real Servers. The encrypted traffic received on the VIP address is decrypted before it is passed to the Real Servers, and traffic coming from the Real Servers is encrypted before it leaves the Barracuda Load Balancer. No SSL configuration on the Real Servers is necessary; all SSL certificates are stored on the Barracuda Load Balancer. SSL offloading is not compatible with Direct Server Return. It is also not available for Services with type Layer 7 - RDP.
- Upload one SSL certificate for each Service to the Barracuda Load Balancer.
- Identify the Services that are using SSL offloading.
- Change the port used by the Real Servers, if necessary.
Adaptive Scheduling
The Adaptive Scheduling feature polls the Real Servers frequently and assigns weights to those Real Servers using the information gathered. The parameter polled may be:
- CPU Load, determined by an SNMP query. If you wish to use this and you have Real Servers running a version of Windows, Knowledgebase Solution #00004306 in the Barracuda Networks Support Center http://www.barracudanetworks.com/support describes the required OID. You can view this solution by using this link: http://www.barracuda.com/kb?id=50160000000Hptb.
- Number of Windows Terminal Server sessions, determined by an SNMP query. In order to use this option, Real Servers must allow the Barracuda Load Balancer SNMP access to the community specified in the SNMP Community String box. This option is not available if the Service Type is Layer 7 - RDP (see Scheduling for a Service with type Layer 7 - RDP on page 51).
- A URL provided by each Real Server which specifies a load value. If this option is selected, the Barracuda Load Balancer will poll the URL http://[Real Server IP Address]/barracuda_load/ and expect the output to look like LOAD=23 (showing the load as an integer between 0 and 100). Weights are assigned to each Real Server using the formula (100 - LOAD). For example, if the Load URL value is 23, the Real Server will be assigned a weight of 77. In order for the URL query to work, you must create a load determination script and make the results available by running a Web server on the Real Server that responds to the poll at the Real Server's IP address and port 80.
If, for example, all Real Servers have the same value for CPU load, then the Real Servers will be assigned the same weight. These weights will change as the value of the CPU Load for each Real Server varies. Configure adaptive scheduling for a Service by editing it using the Basic > Services page. On the Service Detail page, select the adaptive scheduling algorithm to use when making weight adjustments.
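A load determination script for the Load URL option, as an added example that is not Barracuda's code: it serves LOAD=<n> at /barracuda_load/ and answers only the configured poller, so the load figure is not exposed to every client that can reach port 80. It assumes a Unix-like Real Server (os.getloadavg), a load value taken from the 1-minute load average per CPU, and a poller address of 192.168.200.200; all three are assumptions to adapt.

```python
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

LOAD_PATH = "/barracuda_load/"            # path polled by the load balancer (from the guide)
LISTEN_PORT = 80                          # the guide requires port 80 on the Real Server
ALLOWED_POLLERS = {"192.168.200.200"}     # assumption: address the polls arrive from


def load_percent(loadavg_1min, cpu_count):
    """Scale the 1-minute load average by CPU count and clamp to 0..100."""
    if cpu_count < 1:
        raise ValueError("cpu_count must be at least 1")
    return max(0, min(100, round(100.0 * loadavg_1min / cpu_count)))


def render_body(load):
    """Body in the form the guide shows: LOAD=<integer between 0 and 100>."""
    if not 0 <= load <= 100:
        raise ValueError("load must be between 0 and 100")
    return ("LOAD=%d" % load).encode("ascii")


def parse_load(body):
    """Strict reading of a poll response; rejects anything but LOAD=<0..100>."""
    m = re.fullmatch(rb"\s*LOAD=(\d{1,3})\s*", body)
    if not m or int(m.group(1)) > 100:
        raise ValueError("malformed load response: %r" % body)
    return int(m.group(1))


def weight_for(load):
    """Weight formula from the guide: 100 - LOAD."""
    return 100 - load


class LoadHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer the poller only; everyone else gets 403.
        if self.client_address[0] not in ALLOWED_POLLERS:
            self.send_error(403)
            return
        if self.path != LOAD_PATH:
            self.send_error(404)
            return
        body = render_body(load_percent(os.getloadavg()[0], os.cpu_count() or 1))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Binding to port 80 normally requires elevated privileges.
    HTTPServer(("0.0.0.0", LISTEN_PORT), LoadHandler).serve_forever()
```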
Pre-Assigned Weight
As an alternative to adaptive scheduling, static weights for each Real Server can be used. If some of the Real Servers are faster or have more capacity than others, you can tell the Barracuda Load Balancer to direct more traffic to them by increasing their weight relative to the other Real Servers. Configure the static weight for a Real Server by editing it on the Basic > Services page. On the Real Server Detail page, enter a weight value to be compared against the weights of all other Real Servers for this Service. For example, a Real Server with a weight of 50 will get half the amount of traffic as a Real Server with a weight of 100, but will get twice that of a Real Server with a weight of 25.
Scheduling Policies
The Barracuda Load Balancer considers the weight values for the Real Servers and then applies a scheduling algorithm, either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets the next connection.

In Weighted Round-Robin, Real Servers with higher weights get more connections than those with lower weights and Real Servers with equal weights get equal connections. The scheduling sequence is generated according to the Real Server weights. New connections are directed to the different Real Servers based on the scheduling sequence in a round-robin manner. The shortcoming with this method is that a majority of long-lived connections may go to the same Real Server.

In Weighted Least Connections, the Barracuda Load Balancer considers the number of live connections that each Real Server has, as well as the weight values. The Real Servers with higher weight values will receive a larger percentage of live connections at any one time. The Barracuda Load Balancer dynamically checks the number of live connections for each Real Server. Weighted Least Connections is the recommended choice.

To configure whether Weighted Round-Robin or Weighted Least Connections will be used for a Service, edit the Service on the Basic > Services page.
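The two policies compared in a small simulation, as an added example that is not from the Barracuda guide: it uses the textbook forms of both algorithms (a weight-generated round-robin sequence, and picking the server with the lowest live-connections-to-weight ratio), which may differ from the appliance's internal implementation. The server names, the weights 100/50/25 and the arrival pattern in which every seventh connection is long-lived are constructed.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed Real Servers with the static weights used in the guide's example.
WEIGHTS = {"rs-100": 100, "rs-50": 50, "rs-25": 25}


def wrr_sequence(weights):
    """One cycle of a weighted round-robin sequence generated from the weights."""
    step = reduce(gcd, weights.values())
    level = max(weights.values())
    seq = []
    while level > 0:
        # A server appears once for every level its weight reaches.
        seq.extend(name for name, w in weights.items() if w >= level)
        level -= step
    return seq


def wlc_pick(weights, active):
    """Weighted least connections: lowest active/weight, ties to the higher weight."""
    return min(weights,
               key=lambda n: (Fraction(active[n], weights[n]), -weights[n]))


def simulate(policy, weights, arrivals, is_long_lived):
    """Return how many long-lived connections each server holds at the end.

    Short connections are assumed to close before the next arrival, so only
    long-lived ones count as live connections.
    """
    seq = wrr_sequence(weights)
    active = {name: 0 for name in weights}
    for i in range(arrivals):
        if policy == "wrr":
            target = seq[i % len(seq)]
        elif policy == "wlc":
            target = wlc_pick(weights, active)
        else:
            raise ValueError("unknown policy %r" % policy)
        if is_long_lived(i):
            active[target] += 1
    return active


def every_seventh(i):
    """Constructed arrival pattern: connections 6, 13, 20, ... are long-lived."""
    return i % 7 == 6


if __name__ == "__main__":
    print("sequence:", wrr_sequence(WEIGHTS))
    print("WRR long-lived:", simulate("wrr", WEIGHTS, 70, every_seventh))
    print("WLC long-lived:", simulate("wlc", WEIGHTS, 70, every_seventh))
```

With this arrival pattern the round-robin sequence sends every long-lived connection to the lowest-weight server, while least connections spreads them in proportion to the weights.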
Executing an SNMP GET for the CPU load on the Real Servers; Polling a URL provided by each Real Server which specifies a load value; or Retrieving pre-configured static weights (from the Real Server Detail page).
The number of active RDP sessions and the Real Server weights are used as input to the Weighted Round Robin or Weighted Least Connections algorithm. On the Service Detail page the Terminal Sessions adaptive scheduling option is disabled for Layer 7 - RDP Services. Because the number of RDP sessions on each Real Server is maintained internally, there is no need for the adaptive scheduling algorithm to issue an SNMP query to get the number of active Windows Terminal Sessions.
where VIP is the VIP address of the Web Service. If IPS is on, it will block this. Your browser will give an error because the connection will be immediately rejected. There should also be an IPS catch in the Intrusion Prevention Log on the Basic > Intrusion Prevention page. Refer to Intrusion Prevention System on page 10 for an overview of IPS and how the Energize Updates feature works.
The connection is closed (TCP) or an ICMP port unreachable error returned (UDP). All traffic is directed to a Last Resort Server.
To increase the availability of the Services, specify a Last Resort Server for each Service. This is the server to which all traffic for a particular Service is routed in the event that all Real Servers associated with that Service are not available. The Barracuda Load Balancer does not perform any health checks on the Last Resort Server. The Last Resort Server can be located anywhere, so long as it is reachable by the Barracuda Load Balancer. It has the same deployment options available as any Real Server. If it is associated with a Layer 7 Service, any policies configured for the Service will also be applied to the Last Resort Server.
Client Impersonation
By default, for TCP Proxy and Layer 7 - HTTP Services, the Barracuda Load Balancer's IP address is used when a client connects to the Real Server. You can enable the Client Impersonation option on the Service Detail page to use the client's IP address instead. Alternatively, for Layer 7 - HTTP Services only, if you wish to enable connection pooling, you can identify an HTTP header that has the client IP address as its value.
Use these rules to partition requests to Real Servers that deliver different types of data, such as:
- Content optimized for a mobile device
- Content in a particular language
- Images or video
- Data that is maintained on different servers but you want to make it appear to have come from one source.
Create a content rule by clicking Add Rule next to a Layer 7 - HTTP Service on the Basic > Services page. This option only appears next to a Service that has at least one Real Server associated with it. Edit an existing content rule by clicking the Edit icon next to the rule name on the Basic > Services page. You can edit one or more Real Servers from the Basic > Services page to accept only HTTP requests that match a content rule. Requests that fail to match any rule are directed to the Real Servers for the Service that are not configured to exclusively handle requests that match a content rule. For example, a Real Server which only delivers images can be configured to accept only HTTP requests that match a content rule.
and if the incoming request is for www.example.com/images/x.png then the most specific matching rule, which is Rule B, is executed.
If a rule has the most specific host and URL for a request, any extended match expressions for that rule are evaluated in the order established by the Extended Match Order field. If the request does not match any extended match expression for the rule then the request is considered to have failed to match any rule. The possible values for the content rules can be found in the online help. A detailed description of the extended match syntax can be found in Extended Match and Condition Expressions on page 85.
To create an HTTP Redirect Service, start by creating a Service with Service Type of Layer 7 - HTTP. Because the only purpose of this Service is to redirect HTTP requests to another Service (the one at port 443), no Real Servers can be added. In fact, only a couple of other options on the Service Detail page are relevant. All of the other options are hidden (and the settings, if any, ignored). Make sure to create a Service for the same VIP on port 443.
Only the first three actions are valid for response header rewrite rules. Response body rules allow any text string (content-type must begin with text/) in an outbound HTTP response body to be rewritten. The online help for the Advanced > URL Rewrites page lists the syntax for the rules. In addition, a detailed description of the condition expressions, which specify when the rewrite should occur, is found in Extended Match and Condition Expressions on page 85.
Configuring Caching
Caching is a process of storing commonly used information in local memory for quick retrieval rather than sending repeated requests to the Web server for the same information. This can improve performance (sometimes dramatically) and reliability. It also reduces the resource utilization on the Web servers. Caching can store Web pages and commonly used objects such as graphics files. Caching provides the following benefits:
- Reduced latency when retrieving Web content.
- An overall reduction in bandwidth and server load.
- Automatic identification and replication of site content.
Configuring Compression
Compression improves the response time for clients accessing the service through dial-up or other slow methods. Enabling this feature compresses web pages that use HTML, JavaScript, Java and other text-based languages, resulting in a reduction in download time. You can enable compression on any Layer 7 - HTTP Service. We recommend enabling compression for text-based content-types like text/plain, text/html, etc.
Network Configuration
VLAN Support
The Barracuda Load Balancer supports Layer 2 VLANs to segment traffic. Use the Advanced > Advanced IP Config page to identify VLANs on the Barracuda Load Balancer. You can then associate Services or Real Servers with VLANs. In Bridge mode, if VLANs are being used, both the LAN and WAN ports must be on the same VLAN.
To associate a Real Server with a VLAN:
1. Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table.
2. Go to the Basic > Services page and add the Real Server.
3. Using the Advanced > Advanced IP Config page, in the Custom Virtual Interfaces table, create an interface for the Real Server.
4. Using the Advanced > Advanced IP Config page, add a static route to the Real Server if necessary.
1. Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table.
2. Go to the Basic > Services page and add the Service.
3. Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the entry for the Service.
4. Select the VLAN from the Port list and save your changes.

1. Go to the Basic > Services page and add the Service.
2. Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate the entry for the Service.
3. Select LAN from the Port list and save your changes.
If you want to be able to access the Service from the WAN also, create another Service with a different VIP but the same Real Servers.
Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN Configuration table, if necessary. On the same page, fill in the fields in the Static Routes table.
Using the Advanced > Advanced IP Config page, create a source network address translation (source NAT) rule to map the internal IP address of a Real Server to an external IP address or some other IP address on the WAN side of the Barracuda Load Balancer that is translated by the firewall to an external IP address.
See also Source IP Address in a Clustered Environment on page 64 for information about the source IP address of incoming traffic.
High Availability
If any of these conditions occur, the passive system becomes active, assumes all of the Virtual IP addresses of the Services and the LAN IP address of the other Barracuda Load Balancer, and performs the load balancing. Clustered Barracuda Load Balancers negotiate which is the active one according to the Virtual Router Redundancy Protocol (VRRP) specification. The two systems must be configured with the same cluster shared secret and group ID. If other systems on the same subnet are also using VRRP, the cluster group ID must be unique. The passive Barracuda Load Balancer does not do any load-balancing or monitoring of Services or Real Servers. If you look at the Web interface of the passive system, you will see that all of the Services and Real Servers on a page such as Basic > Services have red health indicators.
Requirements for HA
Before joining two systems together, each Barracuda Load Balancer must meet the following requirements:
- Barracuda Load Balancer models 340 or higher
- Same model
- Activated and on the same version of firmware
- Able to access all Real Servers
- Able to reach the other Barracuda Load Balancer on the WAN interface
- Both WAN interfaces are connected to the same switch (physical network)
To speed up recognition of a newly active Barracuda Load Balancer, disable spanning tree protocol on the ports of the switch where the WAN ports of the two Barracuda Load Balancers are connected. If it is a Cisco switch, enable Spanning Tree PortFast on the ports connected to the WAN ports of the Barracuda Load Balancers. When the Barracuda Load Balancer becomes active it sends out a gratuitous ARP. It continues to send a gratuitous ARP every minute. The passive system does not issue any ARPs.
Failback
There is an automatic failback option that can be configured if you want the originally active (primary) system to take over the Virtual IP addresses and resume load balancing upon its recovery after a failover. This option can be found on the Advanced > High Availability page. You can manually switch to the primary system using the Failback command that is available on the same page. It may be better to opt for manual failback, as it can minimize the number of times that service is interrupted. For example, if the primary system suffers an outage, the backup system takes over. When the primary system recovers, if automatic failback is selected, then it will once again become the active system. This means two interruptions of service. If manual failback is selected, then the backup system will continue processing traffic even after the recovery of the primary system.
Unique Data
- All of the system IP configuration (WAN IP address, operating mode, DNS servers and domain) configured on the Basic > IP Configuration page except for the LAN IP address.
- System password, time zone and Web interface HTTP port as configured on the Basic > Administration page.
- The parameters on the Advanced > Appearance page.
- The HTTPS port and SSL certificate used to access the Web interface as configured on the Advanced > Secure Administration page.
Option 1
On the active system, create a custom virtual interface that associates an externally-accessible IP address with the WAN port. Use this IP address to create a source NAT rule. This interface will be used by the backup system if failover occurs.
Option 2
On the active system, remove the default rule that uses the WAN IP address as the source IP address, and turn on IP masquerading for the Real Servers.
Global Server Load Balancing (GSLB) allows you to coordinate how traffic is processed among multiple data centers. A Barracuda Load Balancer acts as a controller, selecting the location to which traffic is directed based on the parameters that you configure and the health of the data centers. This allows you to allocate the work among multiple data centers and to ensure that if one data center fails then traffic is redirected automatically to a functioning data center.
GSLB Examples
GSLB can be useful when:
- You have a number of server farms that are physically located around the world and you want incoming connections to be directed to the closest healthy server farm.
- You have two data centers and you want one of them to be reserved for use in the event of a disaster. You can assign the first with a high priority and have all traffic directed to it, while the other is used only if the first data center fails.
- You have multiple data centers and each has region-specific content. Depending on the location of the client, requests can be directed to the data center most appropriate for that region.
GSLB Definitions
A site is a network location that hosts data. It may be a Service on a Barracuda Load Balancer with a server farm or one Real Server.

A GSLB Controller is the Barracuda Load Balancer which determines where traffic is directed. It contains configuration information about the sites and it performs health checks on all sites at regular intervals. Only one GSLB Controller is active at a time. It is recommended that you configure one or more backup GSLB Controllers.

A region defines a geographical area, usually composed of one or more countries. You can define custom regions or use the predefined regions.
1. A client tries to connect to a domain name such as www.example.com. It asks its local DNS server for the IP address of the domain name, and the server issues a DNS request on its behalf.
2. This request is eventually directed to the GSLB Controller (Barracuda Load Balancer) that acts as an authoritative DNS server for the delegated sub-domain www.
3. The GSLB Controller considers the site selection algorithm and the health of the sites and issues a DNS response that contains a list of one or more IP addresses of valid sites. The client tries to connect to the first address in the list.
In Figure 7.1 How GSLB Works, the selection algorithm is based on the region of the client. The GSLB Controller determines the region where the request originated. The US client is returned the address of the site which handles clients from the US region (207.77.188.166) while the client from Europe is given the address of the site which supports content for the European region (216.129.205.232).
Failover
The record that is returned by the GSLB Controller in response to a DNS query has a time to live (TTL) value of 10 seconds, meaning that the DNS servers across the Internet need to request the IP address of the site again if the record is older than 10 seconds. If a site becomes unavailable, it will be removed from the list of IP addresses returned, the caches will be updated quickly and traffic will be directed to a healthy site.
Failover IP Address
If no sites match the Response Policy or if all sites that match the Response Policy fail the health check, a pre-configured Failover IP address for the sub-domain is returned. This is the IP address of a site that can accept the traffic if the other systems become unavailable. The health of the site at the Failover IP address is not monitored.
Geo IP
The GSLB Controller determines the location of the system making the request based on the Location Definitions and compares that to the location of each site. It returns a list of site IP addresses ordered from closest to furthest. Geo IP does not consider site priority.

Region Only
The GSLB Controller determines the region of the system making the request based on the Location Definitions. If the originating system is in a region that is associated with one or more sites, a list of the healthy site IP address(es) is returned. The most specific matches appear first in the list; any sites that are associated with All Countries are last in the list. If the location of the originating system cannot be determined then any healthy sites that are associated with All Countries are returned. If neither of the preceding cases identifies at least one site IP address, the Failover IP address is returned. Region Only does not consider site priority.

By Priority
The GSLB Controller returns a list of site IP addresses ordered from lowest to highest priority value. Location is not considered.
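The Region Only and By Priority policies and the Failover IP address, modelled as an added example that is not Barracuda's code (Geo IP is omitted because it needs location coordinates). The two site addresses come from the Figure 7.1 description; the other addresses, the region definitions and the rule that a region with fewer countries is the more specific match are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

ALL_COUNTRIES = "All Countries"
TTL_SECONDS = 10  # TTL of the returned record, as stated in the guide

# Constructed region definitions: region name -> ISO country codes.
REGIONS = {
    "US": {"US"},
    "North America": {"US", "CA", "MX"},
    "Europe": {"DE", "ES", "FR", "GB", "IT"},
}


@dataclass(frozen=True)
class Site:
    ip: str
    regions: tuple
    priority: int
    healthy: bool = True


SITES = [
    Site("207.77.188.166", ("US",), 1),        # US site from Figure 7.1
    Site("216.129.205.232", ("Europe",), 2),   # European site from Figure 7.1
    Site("198.51.100.20", ("North America",), 3),  # constructed
    Site("198.51.100.7", (ALL_COUNTRIES,), 4),     # constructed
]
FAILOVER_IP = "203.0.113.99"  # constructed; its health is not monitored


def with_health(sites, down):
    """Copy of sites with the given IP addresses marked as failing health checks."""
    return [replace(s, healthy=s.ip not in down) for s in sites]


def specificity(site, country):
    """Size of the site's smallest region containing country, or None if no match.

    Assumption: fewer countries in the region means a more specific match.
    """
    sizes = [len(REGIONS[r]) for r in site.regions
             if r != ALL_COUNTRIES and country in REGIONS[r]]
    return min(sizes) if sizes else None


def region_only(sites, country, failover_ip):
    """Region Only: specific matches first, All Countries last, else failover.

    country is None when the client's location cannot be determined.
    """
    healthy = [s for s in sites if s.healthy]
    matched = []
    if country is not None:
        scored = [(specificity(s, country), s.ip) for s in healthy]
        scored = [p for p in scored if p[0] is not None]
        matched = [ip for _, ip in sorted(scored, key=lambda p: p[0])]
    catch_all = [s.ip for s in healthy
                 if ALL_COUNTRIES in s.regions and s.ip not in matched]
    return (matched + catch_all) or [failover_ip]


def by_priority(sites, failover_ip):
    """By Priority: healthy sites from lowest to highest priority value."""
    ordered = sorted((s for s in sites if s.healthy), key=lambda s: s.priority)
    return [s.ip for s in ordered] or [failover_ip]


def respond(policy, sites, country=None, failover_ip=FAILOVER_IP):
    """Shape of the DNS answer: ordered addresses plus the 10-second TTL."""
    if policy == "Region Only":
        addresses = region_only(sites, country, failover_ip)
    elif policy == "By Priority":
        addresses = by_priority(sites, failover_ip)
    else:
        raise ValueError("policy not modelled here: %r" % policy)
    return {"ttl": TTL_SECONDS, "addresses": addresses}


if __name__ == "__main__":
    for country in ("US", "FR", None):
        print(country, respond("Region Only", SITES, country))
    all_down = with_health(SITES, {s.ip for s in SITES})
    print("all sites down:", respond("By Priority", all_down))
```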
Example Implementations
Following are some sample situations and how to configure the site selection algorithm for each one on the Barracuda Load Balancer that acts as the GSLB Controller.
If you have a backup site, set the Failover IP address to its IP address. Content switching rules can be used to direct HTTP traffic within the backup data center (see Directing HTTP Requests based on Content Rules on page 54).
GSLB Regions
GSLB regions are used only if the Response Policy is Region Only, to direct traffic to data centers with region-specific content. Add a region to a host on the Advanced > GSLB Services page so that traffic that originates in that region is directed to the Site IP address. A number of predefined regions are listed on the Advanced > GSLB Settings page. You can also create a custom region by specifying a region name and then adding one or more regions from a list.
Figure 7.2 Multiple GSLB Controllers shows three clustered pairs of Barracuda Load Balancers, all in different locations. Each of these six Barracuda Load Balancers can act as GSLB Controllers and they share the same GSLB-specific configuration. The GSLB Controllers are listed in the order they are to be used as name servers in the DNS entry for the domain (see Steps to Install GSLB on page 71). If in the example becomes unavailable, will take over as GSLB Controller. If both and become unavailable, will take over operation as the GSLB Controller, and so on. Check Steps to Install GSLB on page 71 for instructions on how to install multiple GSLB Controllers.
Add an A (host) record for each GSLB Controller with its IP address and the domain www:
ns1.www.example.com. IN A <DNS Service IP address of first cluster>
ns2.www.example.com. IN A <DNS Service IP address of second cluster>
where <DNS Service IP address...> is the DNS Service IP address assigned to each clustered pair. Do not enter the <>s. Do add the dot at the end of the nameserver.
Note
The remainder of the steps are performed on the Barracuda Load Balancer(s) that may act as the GSLB Controller. If you have a clustered GSLB Controller, you only need to do these steps on the active system because the configuration between two clustered Barracuda Load Balancers is synchronized automatically. If you have one or more GSLB Controllers at different locations that are acting as backups, you will need to do these steps on those GSLB Controllers as well. You must keep the GSLB configuration synchronized between the active GSLB Controller and the backups, but not on the passive system in any cluster.
Navigate to the Advanced > GSLB Services page. In the Add New GSLB Service section, supply the following information:
Zone Name - The zone maintained by your existing DNS server, e.g. example.com
Host - The host name (or sub-domain) to be resolved, e.g. www
Site IP - The IP address that is to receive the traffic. This may be a Service on a Barracuda Load Balancer, or a server.
Region - This associates a region with the Site IP address. If you want the GSLB Controller to select the site based on region, select the region from the list. If the region you want is not already defined, add a custom region using the Advanced > GSLB Settings page. Otherwise, select All Countries from the list.
A DNS record will be created for www.example.com. Some of the fields in the record will contain default values for settings such as the Response Policy, which you can customize by editing the entry in the table.
Step 8: Identify the rest of the sites that serve this host
To configure all of the sites that can process the traffic for this host (e.g. www.example.com), go to the Advanced > GSLB Services page and click Add New Site. You may want to associate a new site with a region or assign a priority to it. Remember that regions are only relevant if the Response Policy is Region Only. Similarly, priority is only considered by the By Priority Response Policy.
Administrative Settings
This section covers the basic administrative settings for your Barracuda Load Balancer.
Controlling Access to the Web Interface
Customizing the Appearance of the Web Interface
Setting the Time Zone of the System
Enabling SSL for Administration
Use the Basic > IP Configuration page to allow or deny access to the Web interface from the WAN and LAN IP addresses.
SSL ensures that your passwords and the rest of the data transmitted to and received from the Web interface are encrypted. You can require HTTPS to be used for secure access, and you can specify the certificate to be used.
Note
The SSL configuration referred to here is only related to the Web interface. To enable SSL offloading for a Service, refer to SSL Offloading on page 49.
In order to only allow secured connections when accessing the Web interface, you need to supply a digital SSL certificate which will be stored on the Barracuda Load Balancer. This certificate is used as part of the connection process between client and server (in this case, a browser and the Web interface on the Barracuda Load Balancer). The certificate contains the server name, the trusted certificate authority, and the server's public encryption key. The SSL certificate which you supply may be either private or trusted.
A private, or self-signed, certificate provides strong encryption without the cost of purchasing a certificate from a trusted certificate authority (CA). However, the client Web browser will be unable to verify the authenticity of the certificate and will display a warning about the unverified certificate. To avoid this warning, download the Private Root Certificate and import it into each browser that accesses the Barracuda Load Balancer Web interface. You may create your own private certificate using the Advanced > Secure Administration page.
You may also use the default pre-loaded Barracuda Networks certificate. The client Web browser will display a warning because the hostname of this certificate is barracuda.barracudanetworks.com and it is not a trusted certificate. Access to the Web interface using the default certificate may be less secure.
A trusted certificate is a certificate signed by a trusted certificate authority (CA). The benefit of this certificate type is that the signed certificate is recognized by the browser as trusted, thus preventing the need for manual download of the Private Root Certificate.
Viewing Logs
The Basic > Event Log page maintains a list of all noteworthy events that affect the operation of the Barracuda Load Balancer, such as attacks upon various Services and status changes for a Real Server. You can view the Syslog, which contains administrative updates such as logins and configuration changes as well as all of the system events contained in the Event Log, using the Advanced > Syslog page. You can also enter an IP address where the syslog output can be directed. If Intrusion Prevention System is enabled, you can look at messages related to it in the Intrusion Prevention Log on the Basic > Intrusion Prevention page.
SNMP Monitoring
Using the Barracuda Load Balancer SNMP agent, you can use an SNMP monitor to query the system for a variety of statistics such as the number of current connections, bandwidth, and system CPU temperature. SNMP v2c and SNMP v3 are both supported by the SNMP agent. SNMP v2c queries and responses are not encrypted, so SNMP v2c is less secure. When using SNMP v3, traffic is encrypted and you can allow access only by specified users with passwords. For more information about monitoring the Barracuda Load Balancer using SNMP, see the technical paper SNMP Monitoring for the Barracuda Load Balancer located at http://www.barracudanetworks.com/documentation.
1. If you don't already have an account with Barracuda Networks, visit http://login.barracudanetworks.com to create one. Make a note of your username (email address) and password.
2. Log into your Barracuda Load Balancer as the administrator.
3. On the Advanced > Firmware Upgrade page, check to make sure you have the latest firmware installed. If not, download and install it now.
4. From the Advanced > Control Center page, enter the Barracuda Networks username and password you created and click Yes to connect to the BCC. Note that your Barracuda Load Balancer can connect with only one BCC account at a time.
5. Log into the BCC with your username and password and you will see your Barracuda Load Balancer statistics displayed on the Basic > Status page.
6. To access the Web interface of your Barracuda Load Balancer, click on the link in the Products column in the Control Center pane on the left side of the page. Or you can click on the product name in the Product column of the Unit Health pane on the right side of the page.
Follow steps 3 and 4 to connect every subsequent Barracuda Load Balancer to the BCC.
To disconnect your Barracuda Load Balancer and the BCC, from the Advanced > Control Center page, enter the BCC username and password and click No for Connect to Barracuda Control Center. Do this when you know that there will be a loss of connectivity between the appliance and the BCC due to the appliance being physically moved or other network connectivity issues.
If a task takes a long time to complete, you can click the Cancel link next to the task name and then run the task at a later time when the system is less busy. The Task Errors section lists an error until you manually remove it from the list.
If your Barracuda Load Balancers are not in High Availability mode, applying a new firmware version results in a temporary loss of service. For this reason, you should apply new firmware versions during non-busy hours.
To set up the new Barracuda Load Balancer so it has the same configuration as your old failed system, restore the backup file from the old system onto the new system, and then manually configure the new system's IP information on the Basic > IP Configuration page. For information on restoring data, refer to Backing up and Restoring Your System Configuration on page 81.
WAN IP address to 192.168.200.200. Pressing RESET for eight seconds changes the WAN IP address to 192.168.1.200. Pressing the button for 12 seconds changes the WAN IP address to 10.1.1.200.
As a last resort, you can reboot your Barracuda Load Balancer and run a memory test or perform a complete system recovery, as described in this section.
To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your Barracuda Load Balancer.
2. Reboot the system by doing one of the following:
   Click Restart on the Basic > Administration page.
   Press the Power button on the front panel to turn off the system, and then press the Power button again to turn the system back on.
   The Barracuda splash screen displays with the following three boot options:
   Barracuda
   Recovery
   Hardware_Test
3. Use your keyboard to select the desired boot option, and press Enter. You must select the boot option within three seconds of the splash screen appearing. If you do not select an option within three seconds, the Barracuda Load Balancer defaults to starting up in the normal mode (first option). For a description of each boot option, refer to Reboot Options on page 84.
Reboot Options
Table 8.1 describes the options available at the reboot menu.
Barracuda - Starts the Barracuda Load Balancer in the normal (default) mode. This option is automatically selected if no other option is specified within the first three (3) seconds of the splash screen appearing.
Recovery - Displays the Recovery Console where you can select the following options:
   Perform file system repair - Repairs the file system on the Barracuda Load Balancer.
   Perform full system re-image - Restores the factory settings on your Barracuda Load Balancer and clears out all configuration information.
   Enable remote administration - Initiates a connection to Barracuda Central that allows Barracuda Networks Technical Support to access the system. Another method for enabling this troubleshooting connection is to click Establish Connection to Barracuda Central on the Advanced > Troubleshooting page.
   Run diagnostic memory test - Runs a diagnostic memory test from the operating system. If problems are reported when running this option, we recommend running the Hardware_Test option next.
Hardware_Test - Performs a thorough memory test that shows most memory related errors within a two-hour time period. The memory test is performed outside of the operating system and can take a long time to complete. Reboot your Barracuda Load Balancer to stop the hardware test. You may do this by pressing Ctrl-Alt-Del on the keyboard, or by pressing the RESET button on the Barracuda Load Balancer.
This appendix documents the syntax of the extended match and condition expressions. A few examples:
Header Host co example.com - match a request whose Host header contains example.com
Parameter userid ex - match any request in which the parameter 'userid' is present
(Header Host eq www.example.com) && (Client-IP eq 10.0.0.0/24) - match a request whose host header is www.example.com and the request client's IP address is in the 10.0.0.* subnet.
Quick reference
Expression:
   Element Match
   (Expression) [Join (Expression) ...]
Join:
   &&, ||
Element Match:
   Element [Element Name] Operator [Value]
Element:
   Request Elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header
   Request Parameters: Parameter, Pathinfo
   Response Elements: Status-code, Response-Header
Operator:
   Matching: eq, neq, req, nreq
   Containing: co, nco, rco, nrco
   Existence: ex, nex
Operators
The following are the possible operators in an Element Match. The operators are case insensitive, for example "eq", "Eq" and "EQ" are all treated the same.
eq - true if the operand is equal to the given value. A case insensitive string comparison is performed. Thus, a value of "01" is not the same as a value of "1", whereas values "one" and "ONE" are treated the same.
neq - true if the operand is not equal to the given value. A case insensitive string comparison is performed.
co - true if the operand contains the given value.
nco - true if the operand does not contain the given value.
rco - true if the operand contains the given value, which is treated as a regular expression.
nrco - true if the operand does not contain the given value, which is treated as a regular expression.
req - true if the operand matches the given value, which is treated as a regular expression.
nreq - true if the operand does not match the given value, which is treated as a regular expression.
ex - true if the operand exists. A value is not required.
nex - true if the operand does not exist. A value is not required.
Elements
The following are the different Elements allowed in the expression. Elements and Element Names are case insensitive, so "Method" and "METHOD" are treated the same.
Method - The HTTP Method that was received in the request. Example: (Method eq GET)
HTTP-Version - This refers to the version of the HTTP protocol of the request. Example: (HTTP-Version eq HTTP/1.1)
Header - An HTTP header in the request. An Element Name to identify which header is required to follow the word "Header". Example: (Header Accept co gzip). This will check if the "Accept:" header contains the string "gzip".
Client-IP - This refers to the IP address of the client sending the request. The IP address can be either host IP address or subnet IP address specified by a mask. Only "eq" and "neq" operations are possible for this element. Examples: (client-ip eq 192.168.1.0/24), (Client-IP eq 192.168.1.10)
URI - The URI is the Uniform Resource Identifier in the request. This includes any query parameters in the request. Example: (URI rco /abc.*html?userid=b)
URI-path - This refers to the path portion of the URI, which excludes any query parameters. Example: (URI-path req \/.*copy%20[^/]*)
Pathinfo - This refers to the portion of URL which is interpreted as PATH_INFO on the server. The Barracuda Load Balancer uses a set of known extensions to determine whether a portion of the URL is a Pathinfo or not. For example, if the request URL is /twiki/view.cgi/Engineering, then, "/Engineering" is considered to be the pathinfo rather than part of the URL. Example: (PathInfo rco abc*)
Parameter - This refers to a parameter in the query string part of the URL. the servers as a name-value pair. The special parameter "$NONAME_PARAM" is used to refer to the case where the parameter name is absent. Examples: (Parameter sid eq 1234), (Parameter $NONAME_PARAM co abcd)
Status-code - This refers to the status code of the response returned by the servers. Example: (status-code eq 302)
Response-header - This refers to the HTTP response header in the response. The term "Response-header" should be followed by the name of the header on which the action is to be applied. Example: (Response-Header Set-Cookie co sessionid)
Each expression may use only some of these elements. The following restrictions apply:
The Extended Match expression in the Content Rules can use these elements: Method, HTTP-Version, Header, Client-IP, URI, URI-Path, Pathinfo and Parameter.
Request Rewrite Condition allows these elements: Method, HTTP-Version, Header, Client-IP, Parameter, Pathinfo and URI.
Response Rewrite Condition allows these elements: Header, Status-code and Response-Header.
Joins
Each expression can be joined with another expression by one of the following:
|| - This checks if either of the expressions is true.
&& - This checks if both the expressions are true.
Combining
More than one Element Match can be combined together by using the join operators || and && provided the Element Matches are enclosed in parentheses. Combining Element Matches without parentheses is not allowed. Example: (Header cookie ex) && (URI rco .*\.html) && (Method eq GET)
Nested sub-expressions can be created by enclosing parentheses within expressions. This makes the expression more readable as well as unambiguous. Example: (HTTP-Version eq HTTP/1.1) && ((Header Host eq www.example.com) || (Header Host eq website.example.com))
Escaping
The space character and the parentheses characters are special characters since they cause the parser to split the string into tokens at these separators. In some cases, it is required to specify these characters as part of the value itself. For example, the User-Agent header typically contains both spaces and parentheses, as in:
User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3
The spaces and parenthesis characters in such cases must be escaped by prefixing these characters with a back-slash (\), or the entire value can be enclosed in double-quotes ("). Examples:
Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3"
Header User-Agent eq Mozilla/5.0\ \(Linux\ i686;\ en-US;\ rv:1.8.1.3\)\ Firefox/2.0.0.3
To specify the double-quote character itself, it must be escaped with a back-slash. This is true inside a quoted string, or a non-quoted string. Note that the single quote character has no special meaning, and is treated as any other character. To specify the back-slash character itself, it must be escaped as "\\". This is true within quoted strings or non-quoted strings. The back-slash character escapes all characters, not just the special characters. Thus, "\c" stands for the character "c" etc. In other words, back-slash followed by any character stands for the character, whether or not that character has a special meaning in the syntax.
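The grammar, operators and escaping rules of this appendix can be exercised offline with a small tokenizer, parser and evaluator, which is useful for testing a rule against sample requests before it is entered on the appliance. This is an added example, not the Barracuda parser; the request dictionary layout, left-to-right evaluation of joins, rco as a regular expression search versus req as a full match, case sensitive co, and the handling of absent operands are assumptions.

```python
import ipaddress
import re

OPS = {"eq", "neq", "req", "nreq", "co", "nco", "rco", "nrco", "ex", "nex"}
NAMED = {"header", "parameter"}  # elements that are followed by an Element Name

def tokenize(text):
    """Split at spaces and parentheses, honouring back-slash and double quotes."""
    tokens, word, quoted, i = [], None, False, 0
    while i <= len(text):
        ch = text[i] if i < len(text) else " "  # trailing space flushes the last word
        if ch == "\\" and i + 1 < len(text):
            i += 1
            word = (word or "") + text[i]       # back-slash escapes any character
        elif ch == '"':
            quoted, word = not quoted, word or ""
        elif quoted or ch not in "() ":
            word = (word or "") + ch
        else:
            if word is not None:
                tokens.append(("W", word))
            word = None
            if ch != " ":
                tokens.append((ch, ch))
        i += 1
    if quoted:
        raise ValueError("unterminated double quote")
    return tokens

def parse(text):
    """Build a tree of (join, left, right) and ("match", ...) nodes."""
    toks, pos = tokenize(text), 0
    def kind():
        return toks[pos][0] if pos < len(toks) else None
    def match():
        nonlocal pos
        words = []
        while kind() == "W":
            words.append(toks[pos][1])
            pos += 1
        elem = words[0].lower() if words else ""
        n = 2 if elem in NAMED else 1           # index of the operator
        op = words[n].lower() if len(words) > n else ""
        value = words[n + 1] if len(words) == n + 2 else None
        allowed = {"eq", "neq"} if elem == "client-ip" else OPS
        if op not in allowed or len(words) > n + 2 or (value is None and op[-2:] != "ex"):
            raise ValueError("malformed Element Match: %r" % (words,))
        return ("match", elem, words[1].lower() if n == 2 else None, op, value)
    def group():
        nonlocal pos
        if kind() != "(":
            raise ValueError("joined Element Matches must be in parentheses")
        pos += 1
        node = expr()
        if kind() != ")":
            raise ValueError("missing ')'")
        pos += 1
        return node
    def expr():
        nonlocal pos
        if kind() != "(":
            return match()                      # a single bare Element Match
        node = group()
        while pos < len(toks) and toks[pos] in (("W", "&&"), ("W", "||")):
            join = toks[pos][1]
            pos += 1
            node = (join, node, group())        # assumption: left to right, no precedence
        return node
    tree = expr()
    if pos != len(toks):
        raise ValueError("unexpected token at position %d" % pos)
    return tree

def evaluate(node, req):
    """Evaluate a parse() tree against a request dict shaped like SAMPLE."""
    if node[0] in ("&&", "||"):
        return (all if node[0] == "&&" else any)(evaluate(n, req) for n in node[1:])
    _, elem, name, op, value = node
    have = req.get(elem, {}).get(name) if elem in NAMED else req.get(elem)
    negated, base = op.startswith("n"), op.lstrip("n")
    if base == "ex":
        return (have is not None) != negated
    if have is None:
        return negated                          # assumption: absent operand fails eq/co/req
    if elem == "client-ip":
        hit = ipaddress.ip_address(have) in ipaddress.ip_network(value, strict=False)
    elif base == "eq":
        hit = have.lower() == value.lower()     # case insensitive string comparison
    elif base == "co":
        hit = value in have                     # assumption: case sensitive substring
    else:                                       # assumption: rco searches, req matches whole operand
        hit = (re.search if base == "rco" else re.fullmatch)(value, have) is not None
    return hit != negated

SAMPLE = {  # constructed request; header and parameter names are lower-cased keys
    "method": "GET", "http-version": "HTTP/1.1", "client-ip": "10.0.0.57",
    "uri": "/ad?xxx", "uri-path": "/ad",
    "header": {"host": "www.example.com"}, "parameter": {"$noname_param": "xxx"},
}
```

Because a back-slash escapes every character, a regular expression that needs a literal back-slash has to be written with "\\" in the rule text.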
Macro Definitions
The Barracuda Load Balancer supports several macros to assist in configuring policies. The following table describes these macros arranged by the areas where they can be used. The URI in these cases does not include the host.
Inserts the source (client) IP address. You can use it for the new value (Rewrite Value parameter) when inserting or rewriting a header.
$URI - Should be specified in the new value, if you are rewriting or redirecting the URI. $URI specifies the complete request URI including the query string.
$AUTH_USER - Adds the username.*
$AUTH_PASSWD - Adds the password.*
$AUTH_GROUPS - Adds the user roles.*
*Note:
(1) The URL is not protected, i.e. access-control or authentication is off. The value substituted for the above three macros will be the special string "NCURLNotProtected".
(2) The client has not logged in. The value substituted for the above three macros will be the special string "NCNoUserSession".
(3) The user does not belong to any groups. The value substituted for $AUTH_GROUPS will be the special string "NCNOUserRoles".
URL ACLs
$NONAME_PARAM
No Name Parameters
There might be times when you want to configure a parameter without a name. For example, consider a site that pops up an advertising window when a user lands there. A Javascript adds a query string that results in the following GET request:
GET /ad?xxx
Note
The Barracuda Load Balancer does not learn no name parameters such as query strings like "GET /ad?0" added by a Javascript. Workaround: Add a null value URL ACL.
The Barracuda Load Balancer treats xxx as the value of a parameter. In this case, you cannot create an exception rule based on the xxx value because there is no way to associate it with a named parameter. To address such situations (that is, requests with parameter name-value pairs of the type ?xxx or ?=xxx where xxx is the value), you can use a special token: $NONAME_PARAM (case insensitive). This token allows you to create an expression for a parameter without a name as in the following examples:
set = parameter $NONAME_PARAM ex
set = parameter $NONAME_PARAM eq 0
set = parameter $noname_param co xxx
Figure B.1: Barracuda Load Balancer Front Panel for models 240, 340, and 440
Table B.1 describes the front components on the Barracuda Load Balancer 240, 340, and 440.
Table B.1: Front Panel Descriptions for Barracuda Load Balancer 240, 340, and 440
Diagram Location   Component Name            Description
1                  WAN port                  Port for WAN connection
2                  LAN port                  Port for LAN connection
3                  System indicator          Red at power on; if this stays red it indicates a problem.
4                  Reserved for future use
5                  Reserved for future use
6                  Data I/O                  Blinks during data transfer
7                  System Power              Displays system power
8                  Reset Button              Resets the Barracuda Load Balancer
9                  Power Button              Powers on/off the Barracuda Load Balancer
Figure B.2: Barracuda Load Balancer Front Panel for model 640
Table B.2 describes the front components on the Barracuda Load Balancer 640.
Table B.2: Front Panel Descriptions for Barracuda Load Balancer 640
Diagram Location   Component Name            Description
1                  WAN port                  Port for WAN connection
2                  LAN port                  Port for LAN connection
3                  System indicator          Red at power on; if this stays red it indicates a problem.
4                  Reserved for future use
5                  Reserved for future use
6                  Data I/O                  Blinks during data transfer
7                  System Power              Displays system power
8                  Reset Button              Resets the Barracuda Load Balancer
9                  Power Button              Powers on/off the Barracuda Load Balancer
10                 LAN ports                 Twelve (12) additional LAN switches, available to connect to Real Servers
Table B.3 describes the back components on all models of the Barracuda Load Balancer.
Table B.3: Barracuda Load Balancer Back Component Descriptions
Diagram Location   Component Name    Description
1                  Power Supply      Connection for the AC power cord; standard power supply
2                  Fan               Location of the fan
3                  Mouse Port        Connection for the mouse
4                  Keyboard Port     Connection for the keyboard
5                  Serial Port       Connection for the serial console cable
6                  Parallel Port     Connection for the parallel cable
7                  Monitor Port      Connection for the monitor
8                  USB Ports (4)     Connection for USB devices
9                  Ethernet Port     Not used
Hardware Compliance
This section contains compliance information for the Barracuda Load Balancer hardware.
This device may not cause harmful interference, and
This device must accept any interference received including interference that may cause undesired operation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Plug the equipment into an outlet on a circuit different from that of the receiver.
Consult the dealer or an experienced radio/television technician for help.
Exclusive Remedy
Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks' or its service center's option and expense, the repair, replacement or refund of the purchase price of any products sold which do not comply with this warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks' option. Barracuda Networks' obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks' then-current Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at Barracuda Networks' discretion, and shall be furnished on an exchange basis. All parts removed for replacement will become the property of Barracuda Networks. In connection with warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT SHALL BARRACUDA NETWORKS' LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR ITS DOCUMENTATION.
maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse, negligence or to an accident. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK.
network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided in the documentation, your use of the Software shall be limited to use on a single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units as you may have paid Barracuda Networks the required license fee; and your use of the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e. users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your use of the Software shall also be limited by any other restrictions set forth in your purchase order or in Barracuda Networks' product catalog, user documentation or Web site for the Software. The BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE SUPPORT MACHINES, OR OTHER EQUIPEMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE NOT TO USE IT IN ANY OF THESE OPERATIONS. 3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so. YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS AND OBLIGATIONS UNDER THIS AGREEMENT. 
You agree that you will have no right and will not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii) sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time sharing basis or other remote access system whereby third parties other than you can use or benefit from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run the Software on more computers than you have purchased license to; (vi) operate the Software in a fashion that exceeds the capacity or capabilities that were purchased by you. 4. THIS AGREEMENT SHALL BE EFFECTIVE UPON INSTALLATION OF THE SOFTWARE OR PRODUCT AND SHALL TERMINATE UPON THE EARLIER OF: (A) YOUR FAILURE TO COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda Networks and your obligations shall survive any termination of this Agreement. Upon termination of this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all copies of the Software have been destroyed or deleted from any of your computer libraries, storage devices, or any other location. 5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. 
THE BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTIBILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS. BARRACUDA DOES NOT WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR FREE OR CONTINUOUS, THAT CURRENT OR FUTURE VERSIONS OF ANY OPERATING SYSTEM WILL BE SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS SHALL ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE WHICH
WERE CAUSED BY IMPROPER OPERATION, USE OF UNSUITABLE RESOURCES, ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR CONTROL THAT ARE UTILIZED IN ANY BARRACUDA PRODUCT. 6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE ABSOLUTE AND UNILATERAL RIGHT AT ITS SOLE DISCRETION TO DENY USE OF, OR ACCESS TO BARRACUDA SOFTWARE, IF YOU ARE DEEMED BY BARRACUDA TO BE USING THE SOFTWARE IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA OR IN VIOLATION OF ANY LAW. 7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF BARRACUDA HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. In no event shall Barracuda's total liability to you for all damages exceed the amount of one hundred dollars.The following terms govern your use of the Energize Update Software except to the extent a particular program (a) is the subject of a separate written agreement with Barracuda Networks or (b) includes a separate "click-on" license agreement as part of the installation and/or download process. 
To the extent of a conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the written agreement, (2) the click-on agreement, and (3) this Energize Update Software License. 8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD PARTY TO) COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT, DISTRIBUTE, OR BURN TO CD (OR ANY OTHER MEDIUM) ANY COPYRIGHTED CONTENT THAT YOU ACCESS OR RECEIVE THROUGH USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU ASSUME ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF COPYRIGHTED CONTENT. You agree not to publish any benchmarks, measurements, or reports on the product without Barracuda Networks written express approval. 9. Third Party Software. Some Software which supports Bare Metal Disaster Recovery of Microsoft Windows Vista and Microsoft Windows 2008 Operating Systems (DR6) contains and uses components of the Microsoft Windows Pre-Installation Environment (WINPE) with the following restrictions: (i) the WINPE components in the DR6 product are licensed and not sold and may only be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda and its suppliers reserve all rights not expressly granted; (iv) license to use DR6 and the WINPE components is limited to use of the product as a recovery utility program only and not for use as a general purpose operating system; (v) Reverse engineering, decompiling or disassembly of the WINPE components, except to the extent expressly permitted by applicable law, is prohibited; (vi) DR6 contains a security feature from Microsoft that will automatically reboot the system without warning after 24 hours of continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6 is subject to U.S. export jurisdiction.
10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use any such trademarks for any purpose.
11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written consent of Barracuda Networks, (b) complying with applicable export control laws, including, but not limited to, restrictions and regulations of the Department of Commerce or other United States agency or authority and the applicable EU directives, and (c) obtaining any necessary permits and licenses. In any event, you may not transfer or authorize the transfer of the Software to a prohibited territory or country or otherwise in violation of any applicable restrictions or regulations. If you are a United States Government agency the Software and documentation qualify as "commercial items", as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which this Agreement may be incorporated, Government end user will acquire the Software and documentation with only those rights set forth in this Agreement. Use of either the Software or documentation or both constitutes agreement by the Government that the Software and documentation are "commercial computer software" and "commercial computer software documentation", and constitutes acceptance of the rights and restrictions herein. 12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA COUNTY, CALIFORNIA, UNLESS YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND, THE EU, OR JAPAN. IF YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW SHALL BE USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE USED AND JURISDICTION SHALL BE INNSBRUCK. 
IF YOUR HEADQUARTERS IS LOCATED IN JAPAN, JAPANESE LAW SHALL BE USED AND JURISDICTION SHALL BE TOKYO. THIS AGREEMENT WILL NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE U.N. CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES OF GOODS. This Agreement is the entire agreement between You and Barracuda Networks regarding the subject matter herein and supersedes any other communications with respect to the Software. If any provision of this Agreement is held invalid or unenforceable, the remainder of this Agreement will continue in full force and effect. Failure to prosecute a party's rights with respect to a default hereunder will not constitute a waiver of the right to enforce rights with respect to the same or any other breach. 13. Assignability. You may not assign any rights or obligations hereunder without prior written consent from Barracuda Networks. 14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty (60) days after they first appear on the statement you receive from your bank, Credit Card Company, other billing company or Barracuda Networks. If you do not bring such problems or discrepancies to Barracuda Networks attention within the sixty (60) day period, you agree that you waive the right to dispute such problems or discrepancies. 15. Collection of Data. You agree to allow Barracuda Networks to collect information ("Statistics") from the Software in order to fight spam, virus, and other threats as well as optimize and monitor the Software. Information will be collected electronically and automatically. Statistics include, but are not limited to, the number of messages processed, the number of messages that are categorized as spam, the number of virus and types, IP addresses of the largest spam senders, the number of emails classified for Bayesian analysis, capacity and usage, and other statistics. 
Your data will be kept private and will only be reported in aggregate by Barracuda Networks.
16. Subscriptions. Software updates and subscription information provided by Barracuda Energize Updates or other services may be necessary for the continued operation of the Software. You acknowledge that such a subscription may be necessary. Furthermore some functionality may only be available with additional subscription purchases. Obtaining Software updates on systems where no valid subscription has been purchased or obtaining functionality where subscription has not been purchased is strictly forbidden and in violation of this Agreement. All initial subscriptions commence at the time of activation and all renewals commence at the expiration of the previous valid subscription. Unless otherwise expressly provided in the documentation, you shall use the Energize Updates Service and other subscriptions solely as embedded in, for execution on, or (where the applicable documentation permits installation on non-Barracuda Networks equipment) for communication with Barracuda Networks equipment owned or leased by you. All subscriptions are non-transferrable. Barracuda Networks makes no warranty that subscriptions will continue uninterrupted. Subscription may be terminated without notice by Barracuda Networks for lack of full payment. 17. Auto Renewals. If your Software purchase is a time based license, includes software maintenance, or includes a subscription, you hereby agree to automatically renew this purchase when it expires unless you notify Barracuda 15 days before the renewal date. Barracuda Networks will automatically bill you or charge you unless notified 15 days before the renewal date. 18. Time Base License. If your Software purchase is a time based license you expressly acknowledge that the Software will stop functioning at the time the license expires. You expressly indemnify and hold harmless Barracuda Networks for any and all damages that may occur because of this. 19. Support. 
Telephone, email and other forms of support will be provided to you if you have purchased a product that includes support. The hours of support vary based on country and the type of support purchased. Barracuda Networks Energize Updates typically include Basic support. 20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release of any Software or Subscription and to alter prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or other characteristics of any future releases of the Software or Subscriptions. 21. Open Source Licensing. Barracuda Networks products may include programs that are covered by the GNU General Public License (GPL) or other Open Source license agreements, in particular the Linux operating system. It is expressly put on record that the Software does not constitute an edited version or further development of the operating system. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks. Further details may be provided in an appendix to this agreement where the licenses are re-printed. Barracuda Networks makes available the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. 
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement). 
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. 
Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF GNU TERMS AND CONDITIONS Barracuda Networks Products may contain programs that are copyright (c)1995-2005 International Business Machines Corporation and others. All rights reserved. These programs are covered by the following License: "Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the
Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation." Barracuda Networks Products may include programs that are covered by the BSD License: "Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE." Barracuda Networks Products may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau, All rights reserved. It is covered by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Barracuda Networks Products may contain programs that are Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any other legal details, please contact Office of Technology Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213-3890 (412) 268-4387, fax: (412) 268-7395, techtransfer@andrew.cmu.edu . Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)." 
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, AND IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Barracuda Networks Software may include programs that are covered by the Apache License or other Open Source license agreements. The Apache license is re-printed below for your reference. These programs are copyrighted by their authors or other parties, and the authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License.
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution.
You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions.
Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.
6. Trademarks.
This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty.
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.
8. Limitation of Liability.
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability.
While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
Barracuda Networks makes the source code used to build Barracuda products available at source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda products. Obviously not all of these programs are utilized, but since they are distributed on the Barracuda product we are required to make the source code available.
Index
A
Adaptive Scheduling 50, 51
administration interface
    logging in 40
Administration page 76, 79, 82
Advanced IP Config page 58, 59
alerts 79
B
back panel details iv
backing up configuration 81
Backup page 81
Barracuda Load Balancer
    configuring 40, 47, 57
    managing 81
    monitoring 78
Barracuda Load Balancer Terminology 16
Barracuda Spam & Virus Firewall, deploying with the Barracuda Load Balancer 24
Basic > Server Health 52
Bridge mode with VLANs 58
Bridge-Path 16, 28
By Priority 69
C
character tags 85, i, vii
configuring, Barracuda Load Balancer 40
content rules
    extended match 54
    host match 54
    how to create 54
    how to edit 54
    URL match 54
D
definitions, updating 43, 82
diagnostic memory test 84
Direct Server Return 16, 29, 31
Directing HTTP requests - content rules 54
disabled mode, Real Server 47
Disabled, Real Server 78
E
Enable, Real Server 78
Energize Updates 82
F
failed system, replacing 82
Failover IP Address 68
Figure 2.3 25
firewall, configuring 40
Firmware Update page 81
front panel details ii
G
Geo IP 69
GSLB Response Policies 68
H
hardware compliance information v
hardware test 84
Health page 78
High Availability 17
    updating firmware 81
I
IP address
    setting 39
IP Configuration page 58
L
Last Resort Action 52
Last Resort Server 12, 16, 52, 53, 55, 56
Layer 7 - RDP Service, scheduling 51
Logical Network 16
M
maintenance mode, Real Server 47
Maintenance, Real Server 78
modify HTTP request or response headers 55
monitoring Services 78
N
network time protocol 41
notifications 79
NTP 41
P
Persistence 16
Physical Network 16
proxy server 58
R
Real Server 16
reboot options 83
recovery mode 83
Region Only 69
re-imaging system 84
reloading the system 82
remote administration 84
repairing, file system 84
replacing failed system 82
RESET button, using 82
restarting the system 82
restoring configuration 81
Route-Path 16
S
Scheduling policy 16
Server Farm 16
Service 16, 18
Service Monitor 16, 18, 78
Services, monitoring 78
shutting down the system 82
SNMP traps 79
source IP address 64
source NAT 59, 64
SSL Certificates 50
SSL Offloading 49
SSL offloading 49
SSL Offloading, configuring 50
Status page 79
T
Task Manager page 80
TCP ports 40
testing memory 84
time zone, setting 76
Troubleshooting page 83
U
UDP ports 40
updating
    definitions 43, 82
    firmware 81
updating firmware 81
V
Virtual IP (VIP) 16, 18
W
WAN IP Address 17
Weighted Least Connections 51
Weighted Round-Robin 51
X
X-Forwarded-For 55