Docstoc

Barracuda Load Balancer Administrator's Guide

Document Sample
Barracuda Load Balancer Administrator's Guide Powered By Docstoc
					   Barracuda Load Balancer Administrator’s Guide
   Version 3.3




Barracuda Networks Inc.
3175 S. Winchester Blvd.
Campbell, CA 95008
http://www.barracuda.com
Copyright Notice
Copyright 2004-2010, Barracuda Networks
www.barracuda.com
v3.3-100519

All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.


Trademarks
Barracuda Load Balancer is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are registered
trademarks or trademarks of their respective holders.




ii   Barracuda Load Balancer Administrator’s Guide
                                                                                                              Contents

Chapter 1 – Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 7

               Overview . . . . . . . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .8
                  Powerful Enterprise-Class Solution . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .8
               Features of the Barracuda Load Balancer . . . . . .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .9
                  Load Balancing for all IP-based Applications . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .9
                  Easy to Use and Maintain . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .9
                  Intrusion Prevention System . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   10
                  Auto-Discover Mode. . . . . . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  Persistence . . . . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  SSL Offloading . . . . . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  Scheduling Policy . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  Automated Service Monitor . . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  Multiple Deployment Modes. . . . . . . . . . . .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  High Availability . . . . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   11
                  Easy Administration . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  Last Resort Server . . . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  Content Routing . . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  Removing Servers without Disrupting the Service         .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  HTTP Request and Response Rewrites . . . . .            .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  Support for Layer 2 VLANs . . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   12
                  TCP Proxy. . . . . . . . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   13
                  Global Server Load Balancing (GSLB) . . . . . .         .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   13

Chapter 2 – Load Balancing Deployment Options . . . . . . . . 15

               Barracuda Load Balancer Terminology . . . . . . . . . . . . . . . . . . . . . .                                    .   16
               Load Balancer Deployment Options . . . . . . . . . . . . . . . . . . . . . . .                                     .   18
                  Sample Network Situations . . . . . . . . . . . . . . . . . . . . . . . . . .                                   .   18
                  Route-Path (Recommended) . . . . . . . . . . . . . . . . . . . . . . . . .                                      .   19
                  Deploying Route-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                  .   20
                  Route-Path One-Armed . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                    .   21
                  Route-Path Two-Armed . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                    .   22
                  Route-Path with TCP Proxy Service . . . . . . . . . . . . . . . . . . . . .                                     .   22
                  Bridge-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                 .   24
                  Deploying Bridge-Path . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                   .   26
                  Direct Server Return . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                  .   26
                      DSR with Route-Path or Bridge-Path . . . . . . . . . . . . . . . . . .                                      .   27
                  Deploying Direct Server Return . . . . . . . . . . . . . . . . . . . . . . . .                                  .   28
                      Deployment Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . .                                    .   28
                      Deployment in a Linux Environment . . . . . . . . . . . . . . . . . . .                                     .   28
                      Deployment in a Windows/XP Environment . . . . . . . . . . . . . . .                                        .   29
                      Deployment in a Microsoft Windows Server 2003 or 2008 Environment .                                         .   29
                      Verifying DSR Deployment . . . . . . . . . . . . . . . . . . . . . . . .                                    .   33




                                                                                                                                           iii
C h a p t e r 3 – G e t t i n g Sta r t e d . . . . . . . . . . . . . . . . . . . . . . . . 3 5

                      Initial Setup . . . . . . . . . . . . . . . . . . . . . . . . . .         .   .   .   .   .   .   .   .   .   .   .   36
                           Preparing for Installation . . . . . . . . . . . . . . . . .         .   .   .   .   .   .   .   .   .   .   .   36
                           Connecting the Barracuda Load Balancer to the Network                .   .   .   .   .   .   .   .   .   .   .   37
                           Configuring WAN IP Address and Network Settings . . .                .   .   .   .   .   .   .   .   .   .   .   37
                           Configuring Your Corporate Firewall . . . . . . . . . . .            .   .   .   .   .   .   .   .   .   .   .   38
                           Configuring the Barracuda Load Balancer . . . . . . . .              .   .   .   .   .   .   .   .   .   .   .   38
                           Verifying Your Subscription Status . . . . . . . . . . . .           .   .   .   .   .   .   .   .   .   .   .   40
                           Updating the Barracuda Load Balancer Firmware . . . .                .   .   .   .   .   .   .   .   .   .   .   40
                           Updating the IPS Definitions . . . . . . . . . . . . . . .           .   .   .   .   .   .   .   .   .   .   .   41

Chapter 4 – Configuring Services . . . . . . . . . . . . . . . . . . . 43

                      Creating Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                         .   .   .   .   44
                         Creating Load-Balanced Services. . . . . . . . . . . . . . . . . . . .                             .   .   .   .   44
                         Enabling Persistence . . . . . . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   45
                             Persistence Settings for a Service with type Layer 7 - RDP . . . .                             .   .   .   .   45
                             Persistence Settings for a Service with type Layer 7 - HTTP . . .                              .   .   .   .   46
                             Persistence Settings for a Service with type Layer 4 or TCP Proxy                              .   .   .   .   46
                         Terminal Services Load Balancing . . . . . . . . . . . . . . . . . . .                             .   .   .   .   46
                         TCP Proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   46
                         SSL Offloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   47
                             Uploading SSL Certificates . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   47
                             Specifying SSL Offloading for a Service . . . . . . . . . . . . . .                            .   .   .   .   47
                             Updating Ports on the Real Servers . . . . . . . . . . . . . . . .                             .   .   .   .   47
                         Selecting a Scheduling Policy . . . . . . . . . . . . . . . . . . . . . .                          .   .   .   .   47
                             Adaptive Scheduling . . . . . . . . . . . . . . . . . . . . . . . .                            .   .   .   .   48
                             Pre-Assigned Weight . . . . . . . . . . . . . . . . . . . . . . . .                            .   .   .   .   48
                             Scheduling Policies . . . . . . . . . . . . . . . . . . . . . . . . .                          .   .   .   .   48
                             Scheduling for a Service with type Layer 7 - RDP . . . . . . . . .                             .   .   .   .   49
                         Configuring Intrusion Prevention . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   49
                         Configuring a Last Resort Server . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   50
                      Layer 7 - HTTP Services . . . . . . . . . . . . . . . . . . . . . . . . . .                           .   .   .   .   51
                         Directing HTTP Requests using Content Rules . . . . . . . . . . . . .                              .   .   .   .   51
                         Creating an HTTP Redirect Service. . . . . . . . . . . . . . . . . . .                             .   .   .   .   52
                         Modifying HTTP Requests and Responses . . . . . . . . . . . . . . .                                .   .   .   .   52

Chapter 5 – Network Configuration . . . . . . . . . . . . . . . . . . 53

                         VLAN Support . . . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   54
                             Routing to Multiple VLANs over an Interface .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   54
                         Making Services Accessible from the LAN/WAN .          .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   54
                         Creating Static Routes . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   55
                         Allowing Real Servers to Connect to the Internet .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   55

C h a p t e r 6 – H i g h Av a i l a b i l i t y . . . . . . . . . . . . . . . . . . . . . . . 5 7

                      Creating a High Availability Environment . . . . . . . . . . . . . . . . . . . . . 58
                         Requirements for High Availability (HA) . . . . . . . . . . . . . . . . . . . . . 58
                         Operation of HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58


iv   Barracuda Load Balancer Administrator’s Guide
               Recovery of the Primary System . . . . . . . . . . . . . . . . . . . . . . . . 59
               Creating a Cluster and Removing the Cluster. . . . . . . . . . . . . . . . . . 59
               Data Propagated to Clustered Systems . . . . . . . . . . . . . . . . . . . . . 60

Chapter 7 – Global Server Load Balancing . . . . . . . . . . . . 61

            Introduction to Global Server Load Balancing (GSLB)         .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   62
                GSLB Examples. . . . . . . . . . . . . . . . . .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   62
                GSLB Definitions . . . . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   62
                Site Selection Criteria . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   63
                How GSLB Works . . . . . . . . . . . . . . . . .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   63
                    Failover . . . . . . . . . . . . . . . . . . . .    .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                Integrating with the Existing DNS Infrastructure .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                Site Selection Algorithms . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                    Failover IP Address . . . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                    IP Address and Location Database . . . . .          .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                    Response Policy Options . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   64
                Example Implementations . . . . . . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   65
                    Disaster Recovery - Two Sites in the World .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   65
                    Direct Clients to Closest Data Center . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   65
                    Direct Clients to Specific Region . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   65
                GSLB Regions . . . . . . . . . . . . . . . . . .        .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   66
                Configuring Multiple GSLB Controllers . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   66
            Steps to Install GSLB . . . . . . . . . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   67

Chapter 8 – Managing the Barracuda Load Balancer . . . . . 71

            Administrative Settings . . . . . . . . . . . . . . . . . . . . . . . .                     .   .   .   .   .   .   .   72
              Controlling Access to the Web Interface . . . . . . . . . . . . .                         .   .   .   .   .   .   .   72
              Customizing the Appearance of the Web Interface . . . . . . . .                           .   .   .   .   .   .   .   72
              Setting the Time Zone of the System . . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   72
              Enabling SSL for Administration . . . . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   72
            Monitoring the Barracuda Load Balancer. . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   74
              Monitoring the Health of Services and Real Servers . . . . . . .                          .   .   .   .   .   .   .   74
              Enabling or Disabling Real Servers . . . . . . . . . . . . . . . .                        .   .   .   .   .   .   .   74
              Remotely Administering Real Servers . . . . . . . . . . . . . .                           .   .   .   .   .   .   .   74
              Viewing Performance Statistics . . . . . . . . . . . . . . . . . .                        .   .   .   .   .   .   .   75
              Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . .                        .   .   .   .   .   .   .   75
              Automating the Delivery of System Alerts and SNMP Traps . . .                             .   .   .   .   .   .   .   75
              SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   75
              Viewing System Tasks . . . . . . . . . . . . . . . . . . . . . .                          .   .   .   .   .   .   .   76
            Maintaining the Barracuda Load Balancer . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   77
              Backing up and Restoring Your System Configuration . . . . . .                            .   .   .   .   .   .   .   77
              Updating the Firmware of Your Barracuda Load Balancer . . . .                             .   .   .   .   .   .   .   77
              Updating the Intrusion Prevention Rules Using Energize Updates                            .   .   .   .   .   .   .   78
              Replacing a Failed System . . . . . . . . . . . . . . . . . . . .                         .   .   .   .   .   .   .   78
              Reloading, Restarting, and Shutting Down the System . . . . . .                           .   .   .   .   .   .   .   78
              Using the Built-in Troubleshooting Tools . . . . . . . . . . . . .                        .   .   .   .   .   .   .   79
              Rebooting the System in Recovery Mode. . . . . . . . . . . . .                            .   .   .   .   .   .   .   79
                   Reboot Options . . . . . . . . . . . . . . . . . . . . . . . .                       .   .   .   .   .   .   .   80




                                                                                                                                         v
Appendix A – Extended Match and Condition Expressions . 81

                         Quick reference . . . . . . . . . . . . . . . . . . . . . .               .   .   .   .   .   .   .   .   .   .   .   81
                         Structure of an Extended Match or Condition Expression.                   .   .   .   .   .   .   .   .   .   .   .   82
                         Operators . . . . . . . . . . . . . . . . . . . . . . . . .               .   .   .   .   .   .   .   .   .   .   .   82
                         Elements . . . . . . . . . . . . . . . . . . . . . . . . .                .   .   .   .   .   .   .   .   .   .   .   82
                         Joins. . . . . . . . . . . . . . . . . . . . . . . . . . . .              .   .   .   .   .   .   .   .   .   .   .   83
                         Combining . . . . . . . . . . . . . . . . . . . . . . . . .               .   .   .   .   .   .   .   .   .   .   .   83
                         Escaping . . . . . . . . . . . . . . . . . . . . . . . . .                .   .   .   .   .   .   .   .   .   .   .   84
                         Macro Definitions . . . . . . . . . . . . . . . . . . . . .               .   .   .   .   .   .   .   .   .   .   .   84
                         No Name Parameters . . . . . . . . . . . . . . . . . . .                  .   .   .   .   .   .   .   .   .   .   .   85

Appendix B – Barracuda Load Balancer Hardware . . . . . . . i

                      Front Panel of the Barracuda Load Balancer . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . ii
                         Barracuda Load Balancer 240, 340, and 440 .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . ii
                         Barracuda Load Balancer 640 . . . . . . . .       .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   . iii
                      Back Panel of the Barracuda Load Balancer . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .iv
                         Barracuda Load Balancer, all models . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .iv
                      Hardware Compliance . . . . . . . . . . . . . .      .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .v
                         Notice for the USA . . . . . . . . . . . . . .    .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .v
                         Notice for Canada . . . . . . . . . . . . . . .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .v
                         Notice for Europe (CE Mark) . . . . . . . . .     .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .v

Appendix C – Limited Warranty and License                                                                                                      vii

                         Barracuda Networks Limited Hardware Warranty (v 2.1) . . . . . . . .                                  .   .   .   .   vii
                         Exclusive Remedy. . . . . . . . . . . . . . . . . . . . . . . . . . . .                               .   .   .   .   vii
                         Exclusions and Restrictions . . . . . . . . . . . . . . . . . . . . . . .                             .   .   .   .   vii
                         Barracuda Networks Software License Agreement (v 2.1) . . . . . . .                                   .   .   .   .   viii
                         Barracuda Networks Energize Updates and Other Subscription Terms                                      .   .   .   .   xii
                             Barracuda Networks Software License Agreement Appendix . . .                                      .   .   .   .   xii




vi   Barracuda Load Balancer Administrator’s Guide
                                                                              Chapter 1
                                                                    Introduction

This chapter provides an overview of the Barracuda Load Balancer and includes the following topics:
•   Overview on page 8
•   Features of the Barracuda Load Balancer on page 9




                                                                                     Introduction 7
Overview
                  Organizations use load balancers to distribute traffic across a set of servers in their network. In the
                  event a server goes down, the load balancer automatically detects this failure and begins forwarding
                  traffic to the remaining functioning servers, maintaining high availability of the services provided by
                  the servers. The Barracuda Load Balancer is designed to help organizations achieve their high
                  availability objectives by providing:
                  •    Comprehensive failover capabilities in case of server failure,
                  •    Distribution of traffic across multiple servers, and
                  •    Integrated protection from network intrusions.


     Note
              The Barracuda Load Balancer is not designed for link balancing that distributes traffic across
              multiple Internet connections - try the Barracuda Link Balancer instead.




       Powerful Enterprise-Class Solution
                  The Barracuda Load Balancer uses a variety of factors to make load-balancing decisions. It is
                  designed to provide comprehensive IP load-balancing capabilities to any IP-based application,
                  including:
                  •    Internet sites with high traffic requirements, including Web, FTP, media streaming, and content
                       delivery networks
                  •    Hosted applications using thin-client architectures, such as Windows® Terminal Services
                  •    Other IP services requiring optimal performance, including SMTP, DNS, RADIUS, and TFTP
                  The Barracuda Load Balancer's integrated Service Monitor ensures that servers and their associated
                  applications are operational at all times. In the event of server or application failure, the Barracuda
                  Load Balancer facilitates automatic failover among servers to ensure continuous availability. The
                  Barracuda Load Balancer also assists in orchestrating scheduled windows on specific servers while
                  maintaining application availability through other servers in the server farm.
                  To minimize the risk associated with failures of the load balancers themselves, two Barracuda Load
                  Balancers can be deployed in an active/passive configuration. In the event a primary active Barracuda
                  Load Balancer fails, a backup Barracuda Load Balancer can quickly assume the identity of the
                  primary Barracuda Load Balancer. The switchover happens automatically to maintain application
                  availability.




8   Barracuda Load Balancer Administrator’s Guide
Features of the Barracuda Load Balancer
         The Barracuda Load Balancer is designed with the following features:
              Load Balancing for all IP-based Applications .................................... 9
              Easy to Use and Maintain ................................................................... 9
              Intrusion Prevention System .............................................................. 10
              Auto-Discover Mode .......................................................................... 11
              Persistence ......................................................................................... 11
              SSL Offloading................................................................................... 11
              Scheduling Policy .............................................................................. 11
              Automated Service Monitor ............................................................... 11
              Multiple Deployment Modes .............................................................. 11
              High Availability ................................................................................ 11
              Easy Administration........................................................................... 12
              Last Resort Server ............................................................................. 12
              Content Routing ................................................................................. 12
              Removing Servers without Disrupting the Service ............................ 12
              HTTP Request and Response Rewrites .............................................. 12
              Support for Layer 2 VLANs ............................................................... 12
              TCP Proxy.......................................................................................... 13
              Global Server Load Balancing (GSLB) ............................................. 13



   Load Balancing for all IP-based Applications
         The Barracuda Load Balancer is designed to provide fast and comprehensive IP load-balancing
         capabilities to any IP-based application, including:
         •   HTTP
         •   HTTPS (SSL)
         •   SSH
         •   SMTP
         •   IMAP
         •   RDP (Terminal Services)
         •   POP3
         •   NTP
         •   ASP
         •   Streaming Media
         •   DNS
         •   LDAP
         •   RADIUS
         •   TFTP
         •   Other TCP/UDP-based services



   Easy to Use and Maintain
         The Barracuda Load Balancer is extremely easy to deploy, featuring automatic discovery and
         configuration tools through an intuitive Web interface. To minimize ongoing administration

                                                                                                                         Introduction 9
                  associated with security, the Barracuda Load Balancer can automatically receive current intrusion
                  prevention and security updates from Barracuda Central, an advanced 24/7 security operations center
                  that works to continuously monitor and block the latest Internet threats.



       Intrusion Prevention System
                  Many security technologies are integrated into the Barracuda Load Balancer. The set-and-forget
                  Intrusion Prevention System (IPS) helps secure your network, even if you may have missed a patch
                  or if an exploit manages to get past your existing security. The Barracuda Load Balancer will
                  automatically block any exploits that are detected across any protocol; no configuration is required.
                  In addition to the Denial of Service (DDoS) protection provided for all load balanced servers by the
                  built-in IPS, the Barracuda Load Balancer will also automatically block any exploits that are detected
                  across multiple protocols, with no extra configuration required.
                  As with any security feature, IPS is designed to complement any existing security measures, not
                  replace them. The role of the Intrusion Prevention System is to eliminate any damage from an attack
                  that manages to penetrate the existing security architecture.
                  The Intrusion Prevention System protects your load-balanced services from the following common
                  threats:
                  •   Protocol-specific attacks. The Barracuda Load Balancer contains protocol-specific guards that
                      protect your Real Servers from attacks targeting the SMTP, DNS, and LDAP protocols.
                  •   Application-specific attacks. The Barracuda Load Balancer protects common applications that
                      are particularly vulnerable to external attacks. These applications include IIS, Websphere, Cold
                      Fusion, Exchange, and many more.
                  •   Operating system-specific attacks. The Barracuda Load Balancer contains Microsoft and UNIX-
                      specific detection capabilities that identify malicious activity against these operating systems.
                  Exploit signatures are regularly updated at Barracuda Central, and are automatically delivered to your
                  Barracuda Load Balancer via Energize Updates. The following figure shows how Barracuda Central
                  provides the latest updates through the Energize Update feature.

                  Figure 1.1: Barracuda Energize Updates




10   Barracuda Load Balancer Administrator’s Guide
Auto-Discover Mode
       All models of the Barracuda Load Balancer support Auto-Discovery of Real Servers and applications
       running on the servers to ensure quick and easy deployment of new servers. For common applications
       there is no need to manually configure each port.



Persistence
       The Barracuda Load Balancer supports technology that directs clients back to the same server,
       including client IP address and cookies. The length of time that session persistence is maintained
       during a time of inactivity can be enabled on a Service level.



SSL Offloading
       The Barracuda Load Balancer has the ability to handle SSL encryption and decryption locally, to help
       ease the burden on back end Real Servers. SSL offloading is not available if using the Direct Server
       Return mode of deployment or if the Service type is Layer 7 - RDP.



Scheduling Policy
       The Barracuda Load Balancer supports multiple scheduling policies that support server weighting
       including Weighted Least Connection and Weighted Round Robin. The Barracuda Load Balancer
       also supports adaptive scheduling, a resource based algorithm that assigns weights to servers based
       on factors such as the load reported by the servers. You can also specify that certain servers handle
       more traffic than others.



Automated Service Monitor
       Barracuda Load Balancer features a fully integrated Service Monitor which performs automated tests
       to determine the availability of your servers. Traffic is re-routed to other servers within seconds if a
       server becomes unavailable.



Multiple Deployment Modes
       The Barracuda Load Balancers support Route-Path, Bridge-Path, and Direct Server Return
       deployment modes. Route-Path offers increased flexibility, while Bridge-Path allows deployment
       without changes to existing IP infrastructure. Direct Server Return allows for maximum throughput
       and is ideal for content delivery networks.



High Availability
       With simple setup through the Web administrative interface, the Barracuda Load Balancer supports
       High Availability configurations. Just point the backup Barracuda Load Balancer to the primary



                                                                                                Introduction 11
                  Barracuda Load Balancer's management IP address to synchronize configurations and establish a
                  highly available network that brings your server farm to enterprise grade availability.



       Easy Administration
                  The SSL-secured Web interface of the Barracuda Load Balancer allows for convenient configuration
                  and monitoring.



       Last Resort Server
                  The Barracuda Load Balancer allows you to specify a Last Resort Server, which is the server to which
                  all traffic for a particular Service is routed in the event that all Real Servers associated with that
                  Service are not available. This Last Resort Server can be located on a different network, or even across
                  the Internet, so long as the WAN port of the Barracuda Load Balancer has a route to that server.



       Content Routing
                  The Barracuda Load Balancer can route application (Layer 7) traffic to different servers based on
                  content rules that examine incoming requests. This allows you to partition your servers by content and
                  process requests more efficiently by directing them to the relevant server. For example, image
                  requests can be directed to a server that hosts all of the images and has been optimized for image
                  delivery.



       Removing Servers without Disrupting the Service
                  You can remove a Real Server from the server farm for maintenance or other reasons by marking it
                  as disabled, which terminates all existing connections immediately, or by setting its status to
                  maintenance mode. In maintenance mode, the server maintains existing connections but does not
                  accept any new ones. When those connections are complete you can perform the server maintenance.
                  You can also add or delete a Real Server to the farm without disrupting the Service.



       HTTP Request and Response Rewrites
                  Powerful regular expression support allows you to create rules to match patterns in HTTP requests
                  and responses and to modify them.



       Support for Layer 2 VLANs
                  The Barracuda Load Balancer supports Layer 2 VLANs.




12   Barracuda Load Balancer Administrator’s Guide
TCP Proxy
      The Barracuda Load Balancer acts as a full TCP proxy for incoming and outgoing connections for
      Services with type TCP Proxy.



Global Server Load Balancing (GSLB)
      GSLB provides a variety of ways to specify how traffic is directed to various sites, including priority
      and geographical location. The Barracuda Load Balancer uses those parameters while monitoring the
      health of each data center to route requests to the optimal site.




                                                                                              Introduction 13
14   Barracuda Load Balancer Administrator’s Guide
                                                                              Chapter 2
        Load Balancing Deployment Options

This chapter provides an overview of the Barracuda Load Balancer and includes the following topics:
•   Barracuda Load Balancer Terminology on page 16
•   Load Balancer Deployment Options on page 18




                                                             Load Balancing Deployment Options 15
Barracuda Load Balancer Terminology
                  The following is a list of some of the terms used by the Barracuda Load Balancer.
                  Table 2.1: Barracuda Load Balancer terminology


                  Term                     Description
                  Service                  A combination of a Virtual IP (VIP) and one or more TCP/UDP ports that the
                                           Service is to listen on. Traffic arriving over the designated port(s) to the
                                           specified Virtual IP is directed to one of the Real Servers that are associated
                                           with a particular Service.

                  Service Monitor          The Service Monitor monitors the availability of the Real Servers. It can be
                                           configured either on a per-Service or per-Real Server basis to use one of
                                           several different methods to establish the availability of a Real Server. If the
                                           Service Monitor finds that no Real Servers are available, you can specify a
                                           Last Resort Server to which all traffic for the Service will be routed.

                  Virtual IP (VIP)         The IP address assigned to a specific Service. A client uses the Virtual IP
                                           address to connect to the load-balanced Service. The Virtual IP address must
                                           be different than the WAN IP address of the Barracuda Load Balancer.

                  Real Server              One of the systems that perform the actual work of the load-balanced Service.
                                           The Barracuda Load Balancer assigns new connections to it as determined by
                                           the scheduling policy in effect for the Service.

                  Server Farm              A collection of Real Servers.

                  Client                   The entity requesting connection to a load-balanced Service. It can be an
                                           external Web browser accessing your load-balanced Web site, or an internal
                                           user connecting to a load-balanced mail server.

                  Persistence              A returning connection is routed to the same Real Server that handled a
                                           previous request from the same client within a specified time. Examples of
                                           Services that may need persistence settings are Web sites that have shopping
                                           carts or require some sort of login. See Enabling Persistence on page 45 for
                                           more information.

                  Scheduling policy        Specifies how the Barracuda Load Balancer determines which Real Server is
                                           to receive the next connection request. Each Service can be configured with a
                                           different policy.
                                           More information can be found in Selecting a Scheduling Policy on page 47.

                  Route-Path               Deployment modes for the Barracuda Load Balancer. They differ in how the
                  Bridge-Path              Real Servers are connected. Details and benefits of each mode can be found
                                           in the sections Route-Path (Recommended) on page 19 and Bridge-Path on
                                           page 24.

                  Direct Server Return     Option that is enabled on individual Real Servers. However, because it can
                                           affect how a deployment is designed, it is often treated as a mode of its own.
                                           More details on this can be found in the section on Direct Server Return on
                                           page 26.

                  Logical Network          A collection of systems on an isolatable subnet. In Route-Path mode, for
                                           example, all systems associated with the LAN interface would be in one (or
                                           more) logical network(s) 10.1.1.x, and all systems connected to the WAN
                                           interface would be in another logical network of 192.168.1.x.

                  Physical Network         A group of systems that are physically connected to each other, usually over a
                                           switch or VLAN.




16   Barracuda Load Balancer Administrator’s Guide
Term                Description
WAN IP Address      The IP address associated with the port that connects the Barracuda Load
                    Balancer to the WAN. It may be used to access the Web administration
                    interface.
                    This address must be different than the Virtual IP addresses assigned to the
                    Services.

High Availability   Two Barracuda Load Balancers can be joined as an active-passive pair in a
                    cluster. The active system performs the load-balancing while the passive one
                    monitors it, ready to take over operations if the first one fails. For more
                    information, see Creating a High Availability Environment on page 58.

One-armed Mode      In one-armed mode, the WAN port is used for both external and internal traffic
                    that passes through the Barracuda Load Balancer.

Two-armed Mode      In two-armed mode, the Barracuda Load Balancer is deployed in-line, using
                    both the WAN and LAN ports. The Virtual IP addresses and the Real Servers
                    must be on different subnets.




                                                           Load Balancing Deployment Options 17
Load Balancer Deployment Options
                  Services on the Barracuda Load Balancer can be deployed in the following three modes:
                        Route-Path (Recommended)............................................................... 19
                        Bridge-Path........................................................................................ 24
                        Direct Server Return .......................................................................... 26
                  All of these deployment modes require specific network configurations. However, the Barracuda
                  Load Balancer must be in either Route-Path or Bridge-Path mode. Direct Server Return is an option
                  that you may choose for each Real Server.
                  Choose the deployment mode for the Barracuda Load Balancer based on the type of network
                  configuration that currently exists at your site as well as on the types of Services you wish to load
                  balance. Route-Path is usually recommended over Bridge-Path because it provides a more robust
                  deployment. Enabling the Direct Server Return option is recommended for Real Servers that generate
                  a high volume of outbound traffic.



       Sample Network Situations
                  To assist you in deciding how to deploy the Barracuda Load Balancer in your network, here are some
                  common cases with suggested deployments. All of these cases use the Route-Path deployment.
                  1.   You only want to use the Barracuda Load Balancer to provide Layer 4 load balancing of TCP/IP
                       traffic:
                           • Use two-armed Route-Path with one or more Layer 4 Services.
                  2.   The Real Servers are on the same subnet as the Barracuda Load Balancer and the configuration
                       cannot be changed:
                           • Use one-armed Route-Path with a TCP Proxy Service.
                           • Use Direct Server Return.
                  3.   If you have an existing IT infrastructure using Windows where the Web servers need to
                       communicate with systems such as Active Directory Domain Services, ISA Servers or domain
                       controllers, to avoid changing those network settings:
                           • Use one-armed Route-Path with a TCP Proxy Service.
                           • Use Direct Server Return.
                  4.   If the outbound traffic is far greater than the inbound traffic, for example, if the Real Servers are
                       providing streamed audio or visual media:
                           • Use Direct Server Return to increase throughput.
                  5.   If you need to remotely administer your Real Servers individually:
                           • Create new Services, each of which only load balances a single Real Server.
                           • Deploy the Real Servers in a one-armed mode where they are on the WAN side of the
                             Barracuda Load Balancer and serving a TCP Proxy Service.
                           • Deploy the Real Servers on the WAN side using Direct Server Return.
                  More deployment examples are presented in the rest of this chapter.




18   Barracuda Load Balancer Administrator’s Guide
Route-Path (Recommended)
     Route-Path is the most commonly used deployment method. With Route-Path:
     •   The WAN and LAN IP addresses of the Barracuda Load Balancer are not on the same subnet.
     •   When using two-armed Route-Path, the Barracuda Load Balancer is in the Layer 3 path of
         outbound server traffic.
     •   The Real Servers are reachable from the WAN or LAN IP addresses in only one way.
     Route-Path is flexible, easy to integrate into a network, and offers a number of different
     configurations, many of which are explained in this section.
     The following table describes the advantages and disadvantages of deploying your Barracuda Load
     Balancer in Route-Path mode.


     Advantages                                     Disadvantages
     In most cases, minimal network re-designing;   If a Service type of Layer 4 with SSL offloading not
     works with existing physical configurations    enabled is used, the Barracuda Load Balancer has to be
                                                    able to handle the responses to client requests that are
                                                    issued by the Real Servers. One way to ensure this is to
                                                    make the Barracuda Load Balancer the default gateway
                                                    for all downstream Real Servers. For all other Service
                                                    types, including Layer 4 with SSL offloading turned on,
                                                    the Real Servers and VIP addresses can be positioned
                                                    more flexibly.

     Fast High Availability failover




                                                                     Load Balancing Deployment Options 19
                  Figure 2.1: Sample Route-Path Two-Armed network layout




       Deploying Route-Path
                  There are multiple alternatives for configuration when using the Barracuda Load Balancer in the
                  Route-Path mode:
                  •   Some or all of the Real Servers are on the same subnet as the LAN IP address and using the
                      LAN IP address as their gateway;
                  •   Some or all of the Real Servers are on the same subnet as the WAN IP address and using the
                      WAN IP address as their gateway;
                  •   Some or all of the Real Servers are on the same VLAN as the Barracuda Load Balancer;
                  •   Some or all of the Real Servers are on a different subnet than either the WAN or LAN IP address
                      but accessible via static routes;
                  •   Some or all of the Real Servers are on a different subnet and responding to a TCP Proxy Service.
                  •   Virtual IP addresses are on the same subnet as the WAN interface of the Barracuda Load
                      Balancer, and Real Servers on a subnet separate from the VIPs.



20   Barracuda Load Balancer Administrator’s Guide
      •   Virtual IP addresses are on the same subnet as the LAN interface of the Barracuda Load
          Balancer and Real Servers on a subnet separate from the VIPs.
      Real Servers that are on multiple networks simultaneously may break the route path. If a Real Server
      has more than one network adapter enabled, which gives traffic an alternate route around the
      Barracuda Load Balancer, the deployment will not work properly even though it may appear to work
      initially. There are two exceptions where Real Servers may have multiple network adapters:
      •   The networks that the Real Servers are on are isolated from each other and cannot access the
          WAN network without going through the Barracuda Load Balancer.
      •   Static routes for incoming and outgoing traffic for each IP address of each Real Server have
          been defined.



Route-Path One-Armed
      One-armed Route-Path provides a quick way to insert the Barracuda Load Balancer into an existing
      infrastructure with minimal changes to the network topology.
      If the Service type is Layer 4 and not using SSL offloading or TCP Proxy, each Real Server must list
      the LAN IP address of the Barracuda Load Balancer as its gateway IP address. This restriction only
      applies to this one Service type. Otherwise, you are not required to change the IP addresses of the Real
      Servers. It is possible to connect the Barracuda Load Balancer to the same switch as the Real Servers.
      Another option with one-armed deployment is that you can keep an externally accessible IP address
      on a Real Server so external clients can still access that address (for example, for FTP) only on that
      one system. Because configuration changes are not required, only that traffic which needs to be load
      balanced passes through the Barracuda Load Balancer.
      This can be used as a way to temporarily insert the Barracuda Load Balancer into your network until
      network changes are possible.




                                                                      Load Balancing Deployment Options 21
                  Figure 2.2: One-armed Route-Path using TCP Proxy Service




       Route-Path Two-Armed
                  Two-armed Route-Path is the most common way to install the Barracuda Load Balancer into your
                  network. It provides separation between the LAN and WAN sides of your network. Deploying the
                  Barracuda Load Balancer in this way requires changing the IP addresses of all of the servers.
                  If you are planning to use the Barracuda Load Balancer to provide Layer 4 load balancing of TCP/IP
                  traffic, this is the best option for your situation.



       Route-Path with TCP Proxy Service
                  You can create a TCP Proxy Service to make the Barracuda Load Balancer act as a full TCP proxy.
                  Connections from the client are terminated at the Barracuda Load Balancer and new ones are
                  established between the Barracuda Load Balancer and the Real Servers. TCP Proxy allows more
                  flexibility as to how the packet is handled.
                  Using the TCP Proxy Service allows the Real Servers to be located anywhere, as long as they are
                  reachable by the Barracuda Load Balancer (e.g. on the same subnet or VLAN or static routes have
                  been configured). This can be used in one-armed configurations for protocols like OCS as well as for
                  custom applications. In two-armed configurations, Real Servers can access the VIPs on the same side
                  of the Load Balancer.


22   Barracuda Load Balancer Administrator’s Guide
As already mentioned, Real Servers can access the VIP address of any TCP Proxy Service on the same
side of the Barracuda Load Balancer. Figure 2.3 shows a network where there are Virtual IP addresses
available on both the WAN and LAN side. Clients coming from the Internet or intranet can access the
Database or Web Service. On the LAN side, the Web servers can access the Database Service.

Figure 2.3: Two-armed TCP Proxy Service




Figure 2.4 shows an example of a one-armed route path deployment using TCP Proxy Services. In
this case, the Services are provided by multiple Barracuda Spam & Virus Firewalls and Email servers.




                                                              Load Balancing Deployment Options 23
                  Figure 2.4: One-armed TCP Proxy Service with Barracuda Spam & Virus Firewalls




                  As shown in the diagram, email passes through this network in the following way:
                  1.   Email is sent to the VIP address for the TCP Proxy Service that represents the Barracuda Spam
                       & Virus Firewalls.
                  2.   It is directed to the appropriate Barracuda Spam & Virus Firewall for processing.
                  3.   After passing spam and virus checks, the email is sent to the VIP address for the email Service.
                  4.   The Barracuda Load Balancer load balances the email traffic and passes it to an email server.



       Bridge-Path
                  Bridge-Path deployment entails placing the Barracuda Load Balancer inline with your existing IP
                  infrastructure so that it can load balance servers without changing IP addresses. With Bridge-Path
                  deployment, the WAN and LAN interfaces must be on physically separate networks. The LAN
                  interface must be on the same logical switch as the servers being load-balanced.
                  Note that if you want to avoid changing the IP addresses of your servers, an alternative to Bridge-
                  Path would be to use a TCP Proxy Service and Route-Path.




24   Barracuda Load Balancer Administrator’s Guide
The following table describes the advantages and disadvantages of deploying your Barracuda Load
Balancer in Bridge-Path mode.


Advantages                                      Disadvantages
Minimal network changes since the existing IP If a Barracuda Load Balancer fails while in High
infrastructure is reused                      Availability mode, the network topology causes servers
                                              to take longer to realize that failover has occurred than if
                                              they were deployed using Route-Path.

Real Servers keep their existing IP addresses Separate physical networks required for downstream
                                              Real Servers

                                                Less resilient to network misconfigurations

                                                Improper configuration of a Bridge-Path network may
                                                result in a broadcast storm, resulting in network outages


Figure 2.5: Sample Bridge-Path network layout




                                                                   Load Balancing Deployment Options 25
       Deploying Bridge-Path
                  In Bridge-Path mode, the Real Servers must be physically isolated behind the Barracuda Load
                  Balancer. This means that each Real Server is no longer visible on the network if the Barracuda Load
                  Balancer becomes unavailable (a separate switch is required for models 440 and below). The Real
                  Servers must be on the same subnet and logical network as the Barracuda Load Balancer, the VIPs,
                  and the rest of the WAN, and they must specify the same gateway as the Barracuda Load Balancer.
                  Make sure that the Operating Mode of the Barracuda Load Balancer is set to Bridge-Path on the Basic
                  > IP Configuration page. The LAN IP Address on the same page is not used.



       Direct Server Return
                  Direct Server Return (DSR) is an option associated with a Real Server which allows for increased
                  outbound traffic throughput. In DSR, connection requests and incoming traffic go from the Barracuda
                  Load Balancer to the Real Server, but all outgoing traffic goes directly from the Real Server to the
                  client.
                  DSR is most useful if the outbound traffic is far greater than the inbound traffic. For example, if the
                  Real Servers are providing streamed audio or visual media, throughput will be increased by using
                  DSR.
                  Because the Barracuda Load Balancer does not process the outgoing traffic, Layer 7 applications
                  (HTTP, TCP Proxy and RDP), SSL offloading and cookie persistence are not supported with DSR.
                  Only configure DSR when the load balancing can be done at Layer 4.
                  With DSR, requests come through the WAN interface of the Barracuda Load Balancer and are handed
                  off to the Real Servers. The Real Servers must be configured with the IP address of the VIP, where
                  the VIP is bound to the loopback interface. The Real Servers then respond directly to the user with
                  the source address of the request through their own interfaces.
                  This implementation requires enabling a non-ARPing loopback adapter, a feature that can be found
                  on most server operating systems. Your applications may need to be explicitly bound to the loopback
                  adapter.
                  The following table describes the advantages and disadvantages of deploying your Barracuda Load
                  Balancer in Direct Server Return mode.


                  Advantages                                    Disadvantages
                  Ideal for high-bandwidth requirements such    Requires flat network topology
                  as content delivery networks

                  Keeps existing IP addresses of Real Servers   Requires non-ARPing loopback adapter on Real Servers

                                                                Client IP persistence only

                                                                Layer 7 load balancing is not supported


                  DSR is an option which is turned on for each Real Server. You may have DSR servers and non-DSR
                  servers running the same Service. Real Servers that are in DSR mode must be on the same subnet as
                  the WAN.
                  See Figure 2.6 for an example of a DSR deployment.




26   Barracuda Load Balancer Administrator’s Guide
Figure 2.6: Sample Direct Server Return, one-armed architecture




How Direct Server Return works:
1.   The request comes to the switch and is passed to the VIP on the Barracuda Load Balancer.
2.   A Real Server is selected, and the data frame of the packet is modified to be the MAC address of
     that Real Server.
3.   The packet is then placed back on the network.
4.   Normally the Real Server would drop the traffic since it doesn’t have the VIP’s IP address, but
     because the VIP is bound to the Real Server’s loopback interface, Real Server accepts the
     packet.
5.   When the Real Server responds and sends the traffic back out, the source IP address is the VIP
     address.


DSR with Route-Path or Bridge-Path
Direct Server Return in conjunction with Bridge-Path is not recommended. Please contact Technical
Support to discuss alternatives if you feel that your corporate network requires this configuration.




                                                               Load Balancing Deployment Options 27
       Deploying Direct Server Return
                  Direct Server Return uses a flat network topology at the Layer 2 (Switching) and Layer 3 (IP) levels,
                  which means that the Barracuda Load Balancer, all VIPs, and all Real Servers all must be within the
                  same IP network and connected on the same switch. Figure 2.6 above shows this topology. Each Real
                  Server must be one hop away from the Barracuda Load Balancer, but they use the WAN port. This
                  means their switch must be directly connected into the WAN port of the Load Balancer, or connected
                  to a series of switches that eventually reach the WAN port of the Load Balancer without going
                  through any other networking devices.
                  If you specify Route-Path deployment for the Barracuda Load Balancer, but only use Real Servers
                  with Direct Server Return enabled, the physical LAN port is not used by the Barracuda Load
                  Balancer.
                  On the Basic > Services page, each Real Server listed under each Service must individually be
                  configured for Direct Server Return mode. Edit each Real Server and select Enable for the Direct
                  Server Return option.


                  Deployment Notes
                  When deploying Real Servers in Direct Server Return mode, note the following:
                  •    The Barracuda Load Balancer needs to have the WAN adapter plugged into the same switch or
                       VLAN as all of the Real Servers.
                  •    The WAN IP, all VIPs, and all of the Real Servers that use Direct Server Return must be on the
                       same IP subnet.
                  •    Each Real Server needs to recognize the VIP as a local address. This requires enabling of a non-
                       ARPing virtual adapter such as a loopback adapter and binding it to the VIP address of the load-
                       balanced Service. Because this is not a true adapter, there should be no gateway defined in the
                       TCP/IP settings for this adapter.
                  •    Real Servers accepting traffic from multiple VIPs must have a loopback adapter enabled for
                       each VIP. Additionally, the applications on each Real Server must be aware of both the Virtual
                       IP address as well as the real IP addresses.


                  Deployment in a Linux Environment
                  To add a non-ARPing adapter to a Real Server running Linux, add an alias to the lo (loopback)
                  adapter. The following commands are examples of how to do this for some versions of Linux. Consult
                  your operating system vendor if you need more details about how to add a non-ARPing loopback
                  adapter.
                  1.   Edit your rc.local file (usually located at /etc/rc.d/rc.local)
                  2.   Add the following to your rc.local file:

                        sysctl -w net.ipv4.conf.lo.arp_ignore=1
                        sysctl -w net.ipv4.conf.lo.arp_announce=2
                        sysctl -w net.ipv4.conf.all.arp_ignore=1
                        sysctl -w net.ipv4.conf.all.arp_announce=2
                        ifconfig <interface_name> <ip_address> netmask 255.255.255.255
                        -arp up

                       where:




28   Barracuda Load Balancer Administrator’s Guide
     <interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2)
     <ip_address> is the Virtual IP Address for the Service

     For example:
      ifconfig lo:1 192.168.4.217 netmask 255.255.255.255 -arp up



3.   httpd.conf must have a VirtualHost entry for the VIPs. Edit the file to add these two lines:

      listen <virtual_ip_address>:80
      listen <real_ip_address>:80


     where:

     <virtual_ip_address> is the Virtual IP Address for the Service
     <real_ip_address> is the actual IP Address for the Real Server



4.   To check if the loopback adapter is working, make sure the Real Server is bound to the loopback
     adapter’s IP address. Output from the ifconfig command should show the presence of the
     loopback adapter.


Deployment in a Windows/XP Environment
For information on how to add a non-ARPing adapter in a Windows/XP environment, refer to
http://support.microsoft.com/kb/839013. Or, check the Microsoft Support Site for your operating system.

Applications running on Microsoft Real Servers must be configured to accept traffic received on the
VIP addresses (the loopback IP addresses). To do this, add the VIP addresses to IIS (Internet
Information Services) on each Real Server. The VIP addresses must be listed above the real IP address
of the Real Server. Associate the Web site or application with the VIP addresses.


Deployment in a Microsoft Windows Server 2003 or 2008 Environment
To make servers that are running Microsoft Windows Server 2003 and Windows Server 2008 ready
for DSR, there are several steps that you need to do on each server.

Table 2.2: Steps to make Microsoft Windows Server 2003 and 2008 ready for DSR

DSR in a Microsoft Windows Server 2003 or 2008 Environment
Disable the Windows firewall. Enable traffic to the loopback adapter.

Install the loopback adapter.

Configure the loopback adapter. In particular, stop the loopback adapter from responding to ARP
requests. Remember that the loopback adapter has the same IP address as the VIP address.

Make the Windows networking stack use the weak host model. This step is required to allow the
modified packet to be accepted by Windows Server 2008 servers.

If you are using IIS, add the loopback adapter to your site bindings. You need to ensure that the IP
address for the loopback adapter is included in the site bindings in IIS.



                                                                  Load Balancing Deployment Options 29
                  These detailed instructions describe how to deploy DSR in a Windows Server 2003 or 2008
                  environment. Perform these steps for each server.
                  1.   Disable the Windows firewall.
                  For Microsoft Windows Server 2003 and Windows Server 2008 you need to disable the built in
                  firewall or manually change the rules to enable traffic to and from the loopback adapter. By default,
                  the Windows firewall blocks all connections to the loopback adapter.


                  2.   Install the loopback adapter.
                           2a. For Windows Server 2003: to install the Microsoft loopback adapter refer to
                               http://support.microsoft.com/kb/842561. This note describes how to install the loopback
                               adapter. Follow the instructions in Method 1. When done, proceed to step 3.
                           2b. For Windows Server 2008 or Windows Server 2008 R2, follow these instructions to
                               install a loopback adapter on one server:
                               1. Open Device Manager. On the Start menu, click Run… and type devmgmt.msc at
                               the prompt.
                               2. Right-click on the server name and click Add legacy hardware.
                               3. When prompted by the wizard, choose to Install the hardware that I manually select
                               from a list (Advanced).
                               4. Find Network Adapter in the list and click Next.
                               5. From the listed manufacturers select Microsoft and then Microsoft Loopback
                               Adapter. See Figure 2.7.




30   Barracuda Load Balancer Administrator’s Guide
Figure 2.7: Adding a loopback adapter in Windows Server 2008




               6. This will add a new network interface to your server.


3.   Configure the loopback adapter.
After the loopback adapter is installed, follow these steps to configure it:
         3a. In Control Panel, double-click Network and Dial up Connections.
         3b. Right-click the newly installed loopback adapter and click Properties.
         3c. Click to clear the Client for Microsoft Networks check box.
         3d. Click to clear the File and Printer Sharing for Microsoft Networks check box.
         3e. Click TCP/IP properties.
         3f. Enter the VIP address and the subnet mask.
         3g. Click Advanced.
         3h. Change the Interface Metric to 254. This stops the adapter from responding to ARP
             requests.
         3i. Click OK.



4.   Make the Windows networking stack use the weak host model.



                                                                Load Balancing Deployment Options 31
                  If you are using Windows Server 2003, you can skip to the next step. If you are using Windows Server
                  2008 or Windows Server 2008 R2, this step tells you how to make the Windows networking stack use
                  the weak host model (which is the same model used in Windows Server 2003).
                  DSR works by modifying the destination MAC address of the incoming traffic to one of the Real
                  Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used
                  a weak host model which allowed the host to receive packets on an interface not assigned as the
                  destination IP address of the packet being received. With Windows Server 2008, Microsoft has
                  implemented a strong host model which breaks the method that DSR uses.
                  Open a command prompt with elevated permissions. To determine the interface ID for both the
                  loopback adapter and the main NIC on the server, type:
                    netsh interface ipv4 show interface

                  Note the IDX for both the main network interface and the loopback adapter you created. If you have
                  not changed the interface names for this server then usually the main NIC will display as Local Area
                  Connection and the loopback adapter will be named Local Area Connection 2.
                  An entry will be displayed that includes the IDX numbers for both your loopback adapter and your
                  Internet facing NIC. For each of these adapters enter these three commands:
                    netsh interface ipv4 set interface <IDX number for Server NIC>
                    weakhostsend=enabled
                    netsh interface ipv4 set interface <IDX number for loopback>
                    weakhostreceive=enabled
                    netsh interface ipv4 set interface <IDX number for loopback>
                    weakhostsend=enabled



                  For example:
                    netsh interface ipv4 set interface 23 weakhostsend=enabled
                    netsh interface ipv4 set interface 24 weakhostreceive=enabled
                    netsh interface ipv4 set interface 24 weakhostsend=enabled


                  To enable these changes, either restart the server or restart the Windows Firewall service on the
                  server.
                  5.   If you are using IIS, add the loopback adapter to your site bindings.
                  By default, IIS includes all interfaces, however, if you have configured a site to be bound to an
                  individual IP address, you need to ensure that the IP address for the loopback adapter (your VIP
                  address) is also included in the site bindings in IIS.
                  Follow these steps to bind the loopback adapter, referring to Figure 2.8:
                           5a. Open the Internet Information Services (IIS) Manager.
                           5b. Expand the Sites Folder.
                           5c. Click Default Web Site or the name of the site you are modifying.
                           5d. Click Bindings… on the Actions panel.
                           5e. Click Add... and click HTTP or HTTPS in the Type list. Enter the IP address of your
                               loopback adapter and the port. Click OK.
                           5f. On the Actions panel click Restart under Manage Web Site to ensure the new bindings
                               take effect.




32   Barracuda Load Balancer Administrator’s Guide
Figure 2.8: Add Site Binding using IIS




Verifying DSR Deployment
When you are done adding the loopback adapters, try to ping the Real Servers and the VIP, and telnet
to the Real Servers. If the ping doesn’t work or if in response to the telnet you get a connection refused
from the VIP, then the loopback adapter has not been configured correctly.
Try to verify that the loopback adapters are non-ARPing. On either Linux or Windows systems, use
the arp -a command. Also, check the systems event logs to check for IP address conflicts.
If, later, once the Service is set up, the client tries to connect but is unable to access the application,
then the IIS (Windows) or application has not been associated with the real IP address and the VIP.




                                                                  Load Balancing Deployment Options 33
34   Barracuda Load Balancer Administrator’s Guide
                                                                                                                 Chapter 3
                                                                                       Getting Started

This chapter provides instructions for installing the Barracuda Load Balancer. It includes the
following topics:
      Initial Setup ....................................................................................... 36

A similar process is described in the Barracuda Load Balancer Quick Start Guide.




                                                                                                                  Getting Started 35
Initial Setup
                  These are the general steps to set up your Barracuda Load Balancer. For more detailed instructions
                  for each step, see the following reference pages.
                        Preparing for Installation .................................................................. 36
                        Connecting the Barracuda Load Balancer to the Network ............... 37
                        Configuring WAN IP Address and Network Settings ......................... 37
                        Configuring Your Corporate Firewall ............................................... 38
                        Configuring the Barracuda Load Balancer....................................... 38
                        Updating the Barracuda Load Balancer Firmware .......................... 40
                        Verifying Your Subscription Status..................................................... 40
                        Updating the IPS Definitions............................................................. 41



       Preparing for Installation
                  Before installing your Barracuda Load Balancer, complete the following tasks:
                  •   Decide which type of deployment is most suitable to your network. For more information on the
                      deployment options, see Load Balancer Deployment Options on page 18.
                  •   Make any necessary changes to your network, according to your chosen method of deployment.
                  •   Identify the ports used by the services or applications that you want to load-balance.
                  •   Verify you have the necessary equipment:
                          • Barracuda Load Balancer (check that you have received the correct model)
                          • AC power cord
                          • Ethernet cables
                          • Mounting rails and screws
                          • VGA monitor (recommended)
                          • PS2 keyboard (recommended)




36   Barracuda Load Balancer Administrator’s Guide
   Connecting the Barracuda Load Balancer to the Network
              1.   Fasten the Barracuda Load Balancer to a standard 19-inch rack or other stable location.


Caution

          Do not block the cooling vents located on the front and rear of the unit.



              2.   If using Route-Path, then the network switch referenced in the following steps may be the same
                   physical switch. If using Bridge-Path, however, then separate switches on different Layer 2
                   networks must be used.
                       2a. Connect a CAT5 Ethernet cable from the WAN interface on the Barracuda Load
                           Balancer to the network switch where the VIPs reside.
                       2b. Connect a CAT5 Ethernet cable from the LAN interface on the Barracuda Load
                           Balancer to the network switch where the Real Servers reside.


Caution

          Do not connect any other cables to the unit. The connectors on the back panel are for diagnostic
          purposes only.



              3.   Connect the following to your Barracuda Load Balancer:
                       • Power cord
                       • VGA monitor
                       • PS2 keyboard
                   After you connect the AC power cord, you may hear the fan operate for a couple of seconds and
                   then power off. This behavior is normal.
              4.   Press the Power button located on the front of the unit.
                   The login prompt for the administrative console displays on the monitor, and the power light on
                   the front of the Barracuda Load Balancer turns on. For a description of each indicator light, refer
                   to the section that describes the model of your Barracuda Load Balancer in Front Panel of the
                   Barracuda Load Balancer on page ii.



   Configuring WAN IP Address and Network Settings
              The Barracuda Load Balancer is assigned a default WAN IP address of 192.168.200.200.

              To set a new WAN IP address from the administrative console:
              1.   Connect your keyboard and monitor directly to the Barracuda Load Balancer.
              2.   At the barracuda login prompt, enter admin for the login and admin for the password.
                   The User Confirmation Requested window displays the current IP configuration of the
                   Barracuda Load Balancer.
              3.   Using your Tab key, click Change and click Enter to change the WAN IP configuration.
              4.   Enter the new WAN IP address, netmask, and default gateway for your Barracuda Load
                   Balancer. Click Save to enter your changes. (The Primary and Secondary DNS fields are


                                                                                                    Getting Started 37
                        optional at this time, but if not entered at this step then they must be entered in Step 3c.) of To
                        configure the Barracuda Load Balancer: on page 38). Click Exit.
                        The new IP address and network settings are applied to your Barracuda Load Balancer.



       Configuring Your Corporate Firewall
                  If your Barracuda Load Balancer is located behind a corporate firewall, refer to Table 3.1 for the ports
                  that need to be opened on your corporate firewall to allow communication between the Barracuda
                  Load Balancer, Virtual IP addresses and remote servers.

                  Table 3.1: Ports to Open on Your Corporate Firewall

                  Port                   Direction          Protocol          Description
                  22                     Out                TCP               Remote diagnostics and technical support
                                                                              services

                  53                     Out                TCP/UDP           DNS (Domain Name Server)

                  80                     Out                TCP               IPS and firmware updates (unless
                                                                              configured to use a proxy)

                  123                    Out                UDP               NTP (Network Time Protocol)

                  8000                   Out                TCP               The default Web interface port. The
                                                                              firewall should not block any special
                                                                              content types, such as javascript.

                  any ports used by      as needed          as needed         1:1 NATs as needed, and any port
                  Services                                                    required to access the VIP of a load-
                                                                              balanced Service.


                  The Barracuda Load Balancer must be able to communicate with the mail server over the port
                  specified on the Basic > Administration page. This may require opening that port on the firewall.
                  Certain protocols require additional ports to be open. Examples include FTP and streaming media
                  protocols. When configuring Services using these protocols ensure that the additional ports required
                  are not blocked by the firewall.



       Configuring the Barracuda Load Balancer
                  After specifying the IP address of the Barracuda Load Balancer and opening the necessary ports on
                  your corporate firewall, configure the Barracuda Load Balancer from the Web interface. Make sure
                  the system being used to access the Web interface is connected to the same network as the Barracuda
                  Load Balancer, and that the appropriate routing is in place to allow connection to the Barracuda Load
                  Balancer’s IP address via a Web browser.

                  To configure the Barracuda Load Balancer:
                  1.    From a Web browser, enter the IP address of the Barracuda Load Balancer followed by a colon
                        and port 8000.
                        For example: http://192.168.200.200:8000.
                  2.    To log into the Web interface, enter admin for the username and admin for the password.
                  3.    Select Basic > IP Configuration, and perform the following steps:

38   Barracuda Load Balancer Administrator’s Guide
                    3a. Enter the following information in the WAN IP Configuration section:
                           • IP Address. The address associated with the port that connects the Barracuda Load
                              Balancer to the WAN.
                           • Subnet Mask. The subnet mask assigned to the WAN interface of the Barracuda
                              Load Balancer.
                           • Default Gateway. The default router for network traffic not destined for the local
                              subnet.
                           • Allow administration access. Set to Yes if you want to allow administration access
                              via this IP address. The port that is used is configured on the Basic > Administration
                              page.
                    3b.   If the Barracuda Load Balancer is in Bridge-Path mode, or if only Direct Server Return
                          mode is being employed, then go to Step 3c.)
                          If you are configuring a backup Barracuda Load Balancer do not complete the LAN IP
                          Address and LAN Netmask fields on the backup system. If the backup unit becomes
                          active and if it is in Route-Path mode, it uses the LAN IP Address and Netmask that are
                          configured on the primary Barracuda Load Balancer. For more information, see
                          Creating a High Availability Environment on page 58.
                          Enter the following information in the LAN IP Configuration section:
                           • LAN IP Address. The address that connects the Barracuda Load Balancer to the
                              LAN. This is only used for Route-Path mode.
                           • LAN Netmask. The subnet mask tied to the LAN. This is only used for Route-Path
                              mode.
                           • Allow administration access. Set to Yes if you want to allow administration access
                              via this IP address. The port that is used is configured on the Basic > Administration
                              page.
                    3c.   Enter the IP address of your primary and secondary DNS servers.
                    3d.   Enter the default hostname and default domain name of the Barracuda Load Balancer.
                    3e.   If the Barracuda Load Balancer is behind a proxy server, enter the relevant parameters.
                    3f.   Click Save Changes.


Note
       When the IP address of your Barracuda Load Balancer on the IP Configuration page is changed,
       you will be disconnected from the Web interface. Please log in again using the new IP address.



                    3g. If you want this Barracuda Load Balancer to operate in Bridge-Path mode, and this is
                        not a backup Barracuda Load Balancer in a cluster, click Convert to change the
                          operation from Route-Path to Bridge-Path.
           4.   Select Basic > Administration, and perform the following steps:
                    4a. Assign a new administration password to the Barracuda Load Balancer.
                    4b. Make sure the local time zone is set correctly.
                        Time on the Barracuda Load Balancer is automatically updated via NTP (Network
                        Time Protocol). It requires that port 123 is opened for outbound UDP (User Datagram
                        Protocol) traffic on your firewall (if the Barracuda Load Balancer is located behind
                        one).
                        It is important that the time zone is set correctly because this information is used to
                        coordinate traffic distribution and in all logs and reports.
                    4c. If desired, change the port number used to access the Barracuda Load Balancer user
                        interface. The default port is 8000.


                                                                                                  Getting Started 39
                           4d. Enter the amount of time, in minutes, for the length of your Web interface session
                                  before you are logged off due to inactivity.
                           4e. (Optional) Specify your local SMTP server. Enter the email address for your
                               administrator to receive system email alerts.
                           4f. Click Save Changes.



       Verifying Your Subscription Status
                  Your Energize Update and Instant Replacement subscriptions are most likely active. If not, it is
                  important for you to activate your subscriptions so that your Barracuda Load Balancer can continue
                  to receive the latest updates to the Intrusion Prevention System from Barracuda Central. The Energize
                  Update service is responsible for downloading these updates to your Barracuda Load Balancer.
                  If you see the following warning at the top of every page you must activate your subscriptions before
                  continuing.



                  Click on the link in the warning message or use the link on the Basic > Status page to open up the
                  Barracuda Networks Product Activation page in a new browser window. Fill in the required
                  fields and click Activate. A confirmation page opens to display the terms of your subscription.
                  On the Basic > Status page, you may need to enter the activation code from the Barracuda
                  Networks Product Activation page to activate your Barracuda Load Balancer


     Note
              If your subscription status does not change to Current, or if you have trouble filling out the Product
              Activation page, call your Barracuda Networks sales representative.




       Updating the Barracuda Load Balancer Firmware

                  To update the firmware on the Barracuda Load Balancer:
                  1.   Select Advanced > Firmware Update.
                  2.   Read the release notes to learn about the latest features and fixes provided in the new firmware
                       version.
                  3.   Click Download Now next to Latest General Release. Click OK on the download duration
                       window.
                       Updating the firmware may take several minutes. Do not turn off the unit during this process.
                       Download Now is disabled if the Barracuda Load Balancer is running the latest firmware
                       version.
                  4.   The Barracuda Load Balancer begins downloading the latest firmware version. Click Refresh to
                       view the download status, until you see a message stating that the download has completed.
                  5.   Click Apply Now when the download completes.
                  6.   Click OK when prompted to reboot the Barracuda Load Balancer.
                       A Status page displays the progress of the reboot. Once the reboot is complete, the login page
                       appears.


40   Barracuda Load Balancer Administrator’s Guide
Updating the IPS Definitions

      To apply the newest definitions for the Intrusion Prevention System:
      1.   Select Advanced > Energize Updates.
      2.   Select Hourly or Daily for Automatically Update. The recommended setting is Hourly for IPS
           definitions.
      3.   Check to see if the current version is the same as the latest general release. If the rules are up-to-
           date, proceed to the next section. If the rules are not up-to-date, continue to the next step.
      4.   Click Update to download and install the latest available IPS definitions onto the Barracuda
           Load Balancer.
      5.   Click Save Changes.




      Your Barracuda Load Balancer should be ready for operation. For more configuration tasks, including
      creating Services, refer to the next chapter, Configuring Services on page 43.




                                                                                              Getting Started 41
42   Barracuda Load Balancer Administrator’s Guide
                                                                                                             Chapter 4
                                                               Configuring Services

This chapter describes the configuration tasks you can perform from the Web interface after you have
completed the installation. The following topics are covered:
      Creating Services ............................................................................... 44
      Layer 7 - HTTP Services ................................................................... 51




For more detailed information about a specific page in the Web interface, view the online help by
clicking the question mark icon on the right side of the page.




                                                                                                       Configuring Services 43
Creating Services
                  This section describes the configuration tasks related to creating Services and associating Real
                  Servers with them. The following topics are covered:
                        Creating Load-Balanced Services...................................................... 44
                        Enabling Persistence ......................................................................... 45
                        Terminal Services Load Balancing .................................................... 46
                        SSL Offloading................................................................................... 47
                        Selecting a Scheduling Policy............................................................ 47
                        Configuring Intrusion Prevention ...................................................... 49
                        Configuring a Last Resort Server...................................................... 50




       Creating Load-Balanced Services
                  A Service is a combination of a Virtual IP (VIP) address and one or more TCP/UDP ports. Traffic
                  arriving at the designated port(s) for the specified Virtual IP address is directed to one of the Real
                  Servers that are associated with that particular Service. The Barracuda Load Balancer determines
                  which connections or requests are distributed to each Real Server based on the scheduling policy
                  selected for the Service.
                  This section describes how to create a Service and associate Real Servers with it.
                  The Basic > Services page lets you create Services by identifying a Virtual IP address, port and one
                  or more Real Servers.
                  As an aid to creating a Service, click Auto-Discover to show all Real Servers that are currently
                  available and responding to your Barracuda Load Balancer. When you click Auto-Discover, the
                  Barracuda Load Balancer pings all devices on the same class C network and displays a list of all
                  responding Real Servers. Select the Real Servers that you want to add to the Service, provide values
                  for the other fields described below, and click Create Service.

                  To create a Service without using the Auto-Discover feature:
                  1.   Specify values for the following fields:
                           • Service Name: Name used to identify this Service.
                           • Virtual IP: The IP address used to reach this Service. This can be a public address, a
                             private address, or a public address on a DMZ port.
                           • Protocol: The protocol (TCP or UDP) used for this Service.
                           • Port: The specific TCP/UDP port the Service listens on. Enter ALL to specify all ports.
                             If ALL is specified, then ports on the Virtual IP address will map to all the corresponding
                             ports on the Real Servers. Selecting ALL is useful when you want to load-balance an
                             application that uses a wide range of ports. Otherwise, you would have to configure a
                             Service for each port.
                           • Real Servers. The IP address(es) of the Real Servers that host the load-balanced
                             application or Service. Each IP address needs to be entered on a separate line.
                  2.   Click Add.
                  If the creation of the Service is successful, the Service name appears on the Basic > Services page
                  with a green, orange, or red health indicator next to it.




44   Barracuda Load Balancer Administrator’s Guide
      If you have a Service that uses SSL, a separate SSL Engine Listen Port is no longer required in
      firmware versions 3.0 and above. Encrypted traffic is sent to the port that you configure for the
      Service.
      Configure advanced settings for a Service by clicking the Edit graphic next to the Service. Advanced
      settings include:
               • Service Type. By default the Service Type is Layer 4.
               • Last Resort Server, which is the server to which all traffic for this Service is routed in the
                 event that none of the associated Real Servers are available.
               • Automatically reactivate a Real Server that was previously not available. If you set Auto-
                 Recover to No, then you will have to use the Basic > Health page to manually enable any
                 Real Server that goes offline.
               • Scheduling Policy.
               • Testing Method used by the Service Monitor to determine the availability of the Service.
               • Session Persistence.
               • SSL offloading.
               • Whether an alert is generated if the number of operating Real Servers for the Service falls
                 below a preset threshold.
               • Enabling the Intrusion Prevention System.
               • Limiting access to the Service to clients with IP addresses within a certain range.
           Detailed descriptions of the settings are available in the online help. Click Save Changes after
           making any modifications to the Service Detail.
      3.   To configure advanced settings for a Real Server, clicking the Edit graphic next to the Real
           Server. From this page, you can:
               • Enable the Real Server or disable it in one of two ways. You can select Disabled which
                 terminates all existing connections or Maintenance which allows existing connections to
                 terminate naturally. In either case, no new connections or request are accepted until the
                 Real Server is enabled again.
               • If this Real Server is associated with a Layer 7 - HTTP Service, specify whether this Real
                 Server accepts only HTTP requests that match a content rule.
               • Change the weight of this Real Server to be used when assigning client connections.
                 Values are applied as a ratio against weights of all other Real Servers for this Service. For
                 example, a Real Server with weight of 50 will get half the amount of traffic as a Real
                 Server with a weight of 100, but will get twice that of a Real Server with a weight of 25.
               • Specify if the Real Server is using Direct Server Return.
               • Change or execute the Testing Method for the Real Server.
      Click Save Changes after making any modifications to this page.



Enabling Persistence
      The Barracuda Load Balancer supports a variety of ways to direct clients back to the same Real
      Server.


      Persistence Settings for a Service with type Layer 7 - RDP
      Session persistence is maintained by Windows Server® 2003 Terminal Services Session Directory or
      Windows Server® 2008 Terminal Services Session Broker.


                                                                                      Configuring Services 45
                  Persistence Settings for a Service with type Layer 7 - HTTP
                  There are two supported persistence methods for HTTP sessions:
                  •    HTTP Cookie - When a new client initiates contact, the Barracuda Load Balancer inserts a
                       cookie into the outgoing response. This cookie is returned by the client with each subsequent
                       request but is never forwarded to the Real Server. The Barracuda Load Balancer uses the cookie
                       to direct multiple requests from the client to the same Real Server.
                  •    Client IP - The Barracuda Load Balancer can also maintain persistence based on client IP
                       address. An individual client IP address can be used or you can specify a subnet mask so that
                       subsequent connections from systems from the same subnet go to the same Real Server.


                  Persistence Settings for a Service with type Layer 4 or TCP Proxy
                  Only Client IP persistence is supported. Enter a subnet mask to make subsequent connections from
                  systems from the same subnet go to the same Real Server. 255.255.255.255 means that only the client
                  IP address is used.
                  The persistence time value is the maximum number of seconds during which a client is directed to the
                  same server after a period of inactivity.



        Terminal Services Load Balancing
                  The Barracuda Load Balancer may be deployed with a Terminal Server farm that is using Windows
                  Server 2003 Terminal Services Session Directory or Windows Server 2008 Terminal Services
                  Session Broker.

                  To create a Layer 7 - RDP Service:
                  1.   Using the Basic > Services page, create a Service on port 3389.
                  2.   Edit the Service and set the Service Type to Layer 7 - RDP.
                  The Barracuda Load Balancer supports the use of Session Directory and TS Session Broker routing
                  tokens. The Barracuda Load Balancer uses the routing token supplied by the Session Director or
                  Session Broker to determine which host to use. To make this work properly:
                  •    If the Real Server is running a version of Windows Server prior to Windows Server 2008 R2,
                       clear the Use IP address redirection check box when configuring the network adapter.
                  •    If the Real Server is running Windows Server 2008 R2, select Use token redirection when
                       configuring the network adapter.
                  For more information about Terminal Servers and the Barracuda Load Balancer, contact Barracuda
                  Networks Technical Support.



       TCP Proxy
                  You can create a Layer 4 TCP Proxy Service to make the Barracuda Load Balancer act as a full TCP
                  proxy. Using the TCP Proxy Service allows the Real Servers to be located anywhere, as long as they
                  are reachable by the Barracuda Load Balancer. See Load Balancer Deployment Options on page 18
                  for examples of deployments using TCP Proxy Services.




46   Barracuda Load Balancer Administrator’s Guide
SSL Offloading
      The Barracuda Load Balancer is able to perform decryption and encryption of SSL traffic to reduce
      the load on the Real Servers. It also keeps the associated SSL certificates in one location for easier
      management.
      SSL offloading is not compatible with Direct Server Return. It is also not available for Services with
      type Layer 7 - RDP.

      To set up SSL offloading, complete the following tasks:
      1.   Upload one SSL certificate for each Service to the Barracuda Load Balancer.
      2.   Identify the Services that are using SSL offloading.
      3.   Change the port used by the Real Servers, if necessary.
      These tasks are described in the following sections.


      Uploading SSL Certificates
      One SSL certificate for each Service to be offloaded must be stored on the Barracuda Load Balancer.
      If the Service has never used SSL before, then a certificate has to be ordered from a trusted Certificate
      Authority such as Verisign. If the Service has used SSL, then the certificate may be retrieved from a
      server providing that Service and loaded on the Barracuda Load Balancer.
      To view, edit or add SSL certificates, go to the Basic > Certificates page.


      Specifying SSL Offloading for a Service
      To configure SSL offloading for a Layer 4, TCP Proxy or Layer 7 - HTTP Service, go to the Basic >
      Services page. Click Edit for the Service to see the Service Detail window. Set Enable HTTPS/SSL to
      Yes. Select the SSL certificate you wish to use from the SSL Certificate list.

      For firmware versions 3.0 and up, there is no need to specify a separate SSL Engine Listen Port. Only
      encrypted traffic is directed to the VIP for the Service.
      The encrypted traffic received on the VIP is decrypted before reaching the Real Servers, and traffic
      coming from the Real Servers is encrypted before it leaves the Barracuda Load Balancer. Since the
      Real Servers send and receive decrypted traffic, no SSL configuration on any of the Real Servers is
      necessary.


      Updating Ports on the Real Servers
      If the Real Servers were using port 443 before, update their port setting on the Barracuda Load
      Balancer. Go to the Basic > Services page and click Edit for each Real Server for the Service. On the
      Real Server Detail page update the port. For example, the Service may use port 443 while the Real
      Servers use port 80.



Selecting a Scheduling Policy
      The Barracuda Load Balancer supports multiple scheduling methods to determine which Real Server
      that supports a Service gets the next new connection. Each Real Server is assigned a weight, which
      indicates the proportion of the load that this Real Server will bear relative to other Real Servers.
      Weights are either calculated dynamically using Adaptive Scheduling, or they are pre-assigned.



                                                                                      Configuring Services 47
                  These Real Server weights are used by the scheduling algorithm, which is either Weighted Round-
                  Robin or Weighted Least Connections, to determine which Real Server gets the next connection.


                  Adaptive Scheduling
                  The Adaptive Scheduling feature polls the Real Servers frequently and assigns weights to those Real
                  Servers using the information gathered. The parameter polled may be:
                  •    CPU Load, determined by an SNMP query. If you wish to use this and you have Real Servers
                       running a version of Windows, Knowledgebase Solution #00004306 in the Barracuda Networks
                       Support Center http://www.barracudanetworks.com/support describes the required OID. You can
                       view this solution by using this link: http://www.barracuda.com/kb?id=50160000000Hptb.
                  •    Number of Windows Terminal Server sessions, determined by an SNMP query. This option is
                       not available if the Service Type is Layer 7 - RDP.
                  •    A URL provided by each Real Server which specifies a load value. If this option is selected, the
                       Barracuda Load Balancer will poll the URL http://[Real Server IP Address]/barracuda_load/ and
                       expect the output to look like LOAD=23 (showing the load as an integer between 0 and 100).
                       Weights are assigned to each Real Server using the formula (100 - LOAD). For example, if the
                       Load URL value is 23, the Real Server will be assigned a weight of 77. In order for the URL
                       query to work, you must create a load determination script and make the results available by
                       running a Web server on the Real Server that responds to the poll at the Real Server’s IP address
                       and port 80.
                  If, for example, all Real Servers have the same value for CPU load, then the Real Servers will be
                  assigned the same weight. These weights will change as the value of the CPU Load for each Real
                  Server varies.

                  To configure Adaptive Scheduling for a Service:
                  1.   From the Basic > Services page, click Edit for the Service you wish to configure. The Service
                       Detail page will appear.
                  2.   Select the Adaptive Scheduling algorithm to use when making weight adjustments.


                  Pre-Assigned Weight
                  If Adaptive Scheduling is operational, then the pre-assigned weights are not used. Otherwise, if some
                  of the Real Servers are faster or have more capacity than others, you can tell the Barracuda Load
                  Balancer to direct more traffic to them. Do this by specifying weight values for the Real Servers
                  providing a Service. Varying weight values indicate that some Real Servers should receive more of
                  the traffic load.

                  To pre-assign weight for a Real Server:
                  1.   From the Basic > Services page, click Edit for the Real Server you wish to configure. The Real
                       Server Detail page will appear.
                  2.   Enter the weight for the Real Server. Values are applied as a ratio against weights of all other
                       Real Servers for this Service. For example, a Real Server with a weight of 50 will get half the
                       amount of traffic as a Real Server with a weight of 100, but will get twice that of a Real Server
                       with a weight of 25.


                  Scheduling Policies
                  The Barracuda Load Balancer considers the weight values for the Real Servers and then applies a
                  scheduling algorithm, either Weighted Round-Robin or Weighted Least Connections, to determine
                  which Real Server gets the next connection.


48   Barracuda Load Balancer Administrator’s Guide
      In Weighted Round-Robin, Real Servers with higher weights get more connections than those with
      lower weights and Real Servers with equal weights get equal connections. The scheduling sequence
      is generated according to the Real Server weights. New connections are directed to the different Real
      Servers based on the scheduling sequence in a round-robin manner. The shortcoming with this
      method is that a majority of long-lived connections may go to the same Real Server.
      In Weighted Least Connections, the Barracuda Load Balancer considers the number of live
      connections that each Real Server has, as well as the weight values. The Real Servers with higher
      weight values will receive a larger percentage of live connections at any one time. The Barracuda
      Load Balancer dynamically checks the number of live connections for each Real Server.
      Weighted Least Connections is the recommended choice.

      To configure the Default Scheduling Policy for a Service:
      1.   From the Basic > Services page, click Edit for the Service you wish to configure. The Service
           Detail page will appear.
      2.   Choose either Weighted Least Connections or Weighted Round-Robin as the Default
           Scheduling Policy.


      Scheduling for a Service with type Layer 7 - RDP
      If the Service Type is Layer 7 - RDP, the Barracuda Load Balancer keeps track of the number of RDP
      sessions on each Real Server. This number is used as input to the Weighted Round Robin or Weighted
      Least Connections algorithm. Because of this ongoing tracking, there is no need for the adaptive
      scheduling algorithm to issue an SNMP query to get the number of active Windows Terminal
      Sessions.
      If you want to consider the server load or capacity of the Real Servers as well as the number of active
      sessions, the Real Server weights can be determined by:
      •    Doing an SNMP get of the CPU load on the Real Servers;
      •    Polling a URL provided by each Real Server which specifies a load value; or
      •    Retrieving pre-configured static weights.



Configuring Intrusion Prevention
      You can enable or disable the Intrusion Prevention System (IPS) for the entire Barracuda Load
      Balancer from the Basic > Intrusion Prevention page. This page displays a list of all of the Services
      and whether IPS is enabled for each one.
      By default, IPS is disabled for a newly created Service. You can enable IPS for an individual Service
      by editing the Service and selecting the IPS option on the Service Detail page.
      To test if the IPS is working on the Barracuda Load Balancer, there is a simple URL that will generate
      a test IPS catch. To test with this URL, create or locate a Web Service (with at least one Real Server)
      on port 80 from the Basic > Services page. Then type the following address in your browser window:
            http://VIP/?Barracuda-IPS-Web

      where VIP is the VIP of the Web Service. If IPS is on, it will block this. Your browser will give an
      error because the connection will be immediately rejected. There should also be an IPS catch in the
      Intrusion Prevention Log on the Basic > Intrusion Prevention page.
      Refer to Intrusion Prevention System on page 10 for an overview of IPS and how the Energize
      Updates feature works.


                                                                                     Configuring Services 49
       Configuring a Last Resort Server
                  To increase the availability of the Services, specify a Last Resort Server for each Service. This is the
                  server to which all traffic for a particular Service is routed in the event that all Real Servers associated
                  with that Service are not available. The Last Resort Server does not need to be configured as a Real
                  Server for the Service, and the Barracuda Load Balancer will not perform any health checks on the
                  Last Resort Server.

                  The Last Resort Server can be located on a different network, or even across the Internet, so long as
                  the WAN port of the Barracuda Load Balancer has a route to that server. In the event that the Last
                  Resort Server is used, traffic will be sent to it on the port (or all ports) specified in the Service
                  configuration.

                  To configure the Last Resort Server for a Service:
                  1.   From the Basic > Services page, click Edit for the Service you wish to configure. The Service
                       Detail page will appear.
                  2.   Enter the Last Resort Server. An IP address is recommended, but a hostname will work if the
                       Barracuda Load Balancer's configured DNS servers are able to retrieve the IP address for that
                       hostname.




50   Barracuda Load Balancer Administrator’s Guide
Layer 7 - HTTP Services
          This section describes topics unique to Services with type Layer 7 - HTTP. The following topics are
          covered:
                Directing HTTP Requests using Content Rules ................................. 51
                Creating an HTTP Redirect Service .................................................. 52
                Modifying HTTP Requests and Responses ........................................ 52



    Directing HTTP Requests using Content Rules
          By creating content rules, you can direct HTTP requests to specific Real Servers rather than any Real
          Server associated with a Layer 7 - HTTP Service. A content rule is a collection of one or more rules
          that specify a pattern in the URL or header fields of the request. Content Rules are useful if you have
          Real Servers that deliver different types of data. If a content rule is present, the Barracuda Load
          Balancer examines the HTTP request and directs it according the rule specification.
          Content rules specify how an HTTP request is directed to one or more Real Servers based on an
          examination of the request. Content rules can be created only for a Service that has both type Layer
          7 - HTTP and at least one Real Server associated with it.
          Content rules can be useful if you have Real Servers that deliver different types of data. Some
          examples:
          •   A client that uses a mobile device may want the same content as a client using a PC, but with
              fewer graphics.
          •   A user may want to see content only in a particular language.
          •   There are a set of servers that have been optimized to deliver images.
          •   HR data is kept on a different server than IT data but you want to make it appear to have come
              from one source.
          A content rule consists of three patterns: host match, URL match, and extended match.
          If there are multiple rules for a Service, the most specific host and URL match will be executed. For
          example, if a Service has these two rules:
          •   rule A - host www.example.com, URL /images/*
          •   rule B - host www.example.com, URL /images/*.png
          and if the incoming request is for www.example.com/images/x.png then the most specific matching
          rule, which is rule B, is executed.
          If a rule has the most specific host and URL for a request, any Extended Match expressions for that
          rule are evaluated in the order established by the Extended Match Order field. If the request does not
          match any Extended Match expression for the rule then the request is considered to have failed to
          match any rule.
          For each content rule you can specify the load balancing algorithm used to direct request to the Real
          Servers.
          Create content rules by clicking Add Rule next to a Layer 7 - HTTP Service on the Basic > Services
          page. Edit content rules by clicking the Edit icon next to the rule name on the Basic > Services page.
          You can edit the Real Servers to accept only HTTP requests that match a content rule. Requests that
          fail to match any rule are directed to the Real Servers for the Service that are not configured to
          exclusively handle requests that match a content rule. For example, if there is a server which only


                                                                                                    Configuring Services 51
                  delivers images, it can be configured to accept only HTTP requests that match a content rule. The
                  other servers can process more general types of data.
                  A description of the allowed values for the content rules can be found in the online help. A detailed
                  description of the extended match syntax can be found in Extended Match and Condition Expressions
                  on page 81.



       Creating an HTTP Redirect Service
                  HTTP Redirect causes all HTTP traffic on the specified port on a virtual IP address to be redirected
                  to port 443 on the same virtual IP address. It allows client requests on the specified port when SSL
                  requests are only being served on port 443. HTTP requests that are addressed to http://VIP:port/ are
                  redirected to https://VIP/.
                  To create an HTTP Redirect Service, start by creating a Service with Service Type of Layer 7 - HTTP.
                  Because the only purpose of this Service is to redirect HTTP requests to another Service (the one at
                  port 443), no Real Servers can be added. In fact, only a couple of other options on the Service Detail
                  page are relevant. All of the other options are hidden (and the settings, if any, ignored).
                  Make sure to create a Service for the same VIP on port 443.



       Modifying HTTP Requests and Responses
                  You can set up rules to modify HTTP requests and responses that pass through the Barracuda Load
                  Balancer. These rules, which are associated with a Layer 7 - HTTP Service, are listed on the
                  Advanced > URL Rewrites page.

                  One HTTP request rewrite rule is created automatically. It sets the X-Forwarded-For header to the IP
                  address of the client. The Real Server can examine the X-Forwarded-For header to discover the true
                  identity of the requestor, rather than using the sending IP address, which is the IP address of the
                  Barracuda Load Balancer.
                  You can create response rewrite rules to remove server banners or other header or body information
                  which you do not want the clients to see.
                  The actions which can be performed by the request rewrite rules are:
                  •   Insert Header - Inserts a header in the request.
                  •   Remove Header - Removes the header from the request.
                  •   Rewrite Header - Rewrites the value of the header in the request
                  •   Rewrite URL - Rewrites the request URL to the URL specified in the rule.
                  •   Redirect the URL - Redirects the request to the URL specified in the rule and sends that redirect
                      back to the client.
                  Only the first three actions are valid for response header rewrite rules. Response body rules allow any
                  text string (content-type must begin with text/) in an outbound HTTP response body to be rewritten.
                  The online help for the Advanced > URL Rewrites page lists the syntax for the rules. In addition, a
                  detailed description of the condition expressions, which specify when the rewrite should occur, is
                  found in Extended Match and Condition Expressions on page 81.




52   Barracuda Load Balancer Administrator’s Guide
                                                                                                            Chapter 5
                                                        Network Configuration

This chapter describes the network configuration tasks you can perform from the Web interface. The
following topics are covered:
     Modifying LAN and WAN IP Addresses ............................................ 54
     VLAN Support .................................................................................... 54
     Making Services Accessible from the LAN/WAN ............................... 54
     Creating Static Routes ....................................................................... 55
For more detailed information about a specific page in the Web interface, view the online help by
clicking the question mark icon on the right side of the page.




                                                                                                    Network Configuration 53
       Modifying LAN and WAN IP Addresses
                  The Basic > IP Configuration page contains the basic network configuration for your Barracuda Load
                  Balancer. This page also contains the setting to specify whether this Barracuda Load Balancer
                  operates in Route-Path or Bridge-Path mode. Finally, if the Barracuda Load Balancer is behind a
                  proxy server, you can configure its location so that it can download firmware and Energize Updates.



       VLAN Support
                  The Barracuda Load Balancer supports Layer 2 VLANs to segment traffic. Use the Advanced >
                  Advanced IP Config page to identify VLANs on the Barracuda Load Balancer. You can then associate
                  Services or Real Servers with VLANs.
                  In Bridge mode, if VLANs are being used, both the LAN and WAN ports must be on the same VLAN.

                  To associate a Real Server with a VLAN:
                  1.   Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
                       Configuration table.
                  2.   Go to the Basic > Services page and add the Real Server.
                  3.   Using the Advanced > Advanced IP Config page, in the Custom Virtual Interfaces table, create
                       an interface for the Real Server.
                  4.   Using the Advanced > Advanced IP Config page, add a static route to the Real Server if
                       necessary.

                  To associate a Service with a VLAN:
                  1.   Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
                       Configuration table.
                  2.   Go to the Basic > Services page and add the Service.
                  3.   Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate
                       the entry for the Service. Select the VLAN from the Port list and save your changes.


                  Routing to Multiple VLANs over an Interface
                  If any interface on the Barracuda Load Balancer has to route to multiple VLANs, it must be connected
                  to the VLAN switch via a trunk (or hybrid) link, since multiple VLAN traffic can onlybe transported
                  over trunk links. If the Real Servers are distributed across multiple VLANs, say 100, 105, and 111,
                  then the LAN port must be connected to a trunk port on the VLAN switch.



       Making Services Accessible from the LAN/WAN
                  You can add virtual interface(s) to the physical port (WAN or LAN or MGMT) used to communicate
                  with the Services.

                  To make a Service accessible from the LAN:
                  1.   Go to the Basic > Services page and add the Service.
                  2.   Using the Advanced > Advanced IP Config page, in the System Virtual Interfaces table, locate
                       the entry for the Service. Select LAN from the Port list and save your changes.



54   Barracuda Load Balancer Administrator’s Guide
      If you want to be able to access the Service from the WAN also, create another Service with a different
      VIP but the same Real Servers.



Creating Static Routes
      You can create static routes to specify the exact route to a remote network.

      To add a static route:
      1.   Using the Advanced > Advanced IP Config page, create an entry for the VLAN using the VLAN
           Configuration table, if necessary.
      2.   On the same page, fill in the fields in the Static Routes table.



Allowing Real Servers to Connect to the Internet
      If the Real Servers are on a private network on the LAN side of the Barracuda Load Balancer and the
      WAN is on a public network, Real Servers are not allowed by default to connect to the Internet. You
      can override this behavior if, for example, the Real Servers need to get operating system or application
      updates.

      To allow Real Servers to connect directly to the Internet:
      1.   Using the Advanced > Advanced IP Config page, create a source network address translation
           (NAT) rule to map the internal IP address of a Real Server to an external IP address or some
           other IP address on the WAN side of the Barracuda Load Balancer that is translated by the
           firewall to an external IP address.




                                                                                     Network Configuration 55
56   Barracuda Load Balancer Administrator’s Guide
                                                                                            Chapter 6
                                                                   High Availability

This chapter describes how to configure a high availability environment by clustering two Barracuda
Load Balancers.
The following topics are covered:
     Creating a High Availability Environment ........................................ 58
For more detailed information about a specific page in the Web interface, view the online help by
clicking the question mark icon on the right side of the page.




                                                                                             High Availability 57
Creating a High Availability Environment
                  In order to increase the robustness of your network, you can install and configure a second Barracuda
                  Load Balancer to act as a backup to your primary Barracuda Load Balancer. The backup Barracuda
                  Load Balancer monitors the primary Barracuda Load Balancer and takes over the load-balancing
                  operations automatically and quickly if the primary fails for some reason.



       Requirements for High Availability (HA)
                  Some network environments may be less suitable to clustering two Barracuda Load Balancers. For
                  example, if you have multiple network segments that each require different policies, it may be better
                  to provide a dedicated, unclustered Barracuda Load Balancer for each segment. This way, you can
                  configure each Barracuda Load Balancer separately without the configuration settings propagating to
                  the other systems.
                  Before joining two systems together, each Barracuda Load Balancer must meet the following
                  requirements:
                  •   Be Barracuda Load Balancer models 340 or higher.
                  •   Be the same model as the other Barracuda Load Balancer and on the same version of firmware.
                  •   Be able to access all Real Servers.
                  •   Be installed on a unique management IP address. The Barracuda Load Balancers use the
                      management IP address (over SNMP ports) to communicate for high availability.
                  •   Be able to ping each other on the WAN interface (i.e. no firewall between them).
                  •   The WAN interface on both Barracuda Load Balancers must be on the same switch (or physical
                      network).



       Operation of HA
                  The two Barracuda Load Balancers that you use for HA make up a cluster. When you create a cluster,
                  the configuration is copied from the primary to the backup system. The primary system performs the
                  load-balancing. The other waits in standby mode and polls the primary Barracuda Load Balancer to
                  ensure that it is operational. If the primarysystem does not reply to three consecutive polls, the backup
                  system determines that the primary is no longer operational. Then it takes over the VIP addresses and
                  starts load-balancing just as the primary had been doing.
                  The backup Barracuda Load Balancer does not do any load-balancing or monitoring of Services or
                  Real Servers unless the primary system fails. Because it does not do any health monitoring while in
                  standby mode, all of the Services and Real Servers on a page such as Basic > Services will have red
                  health indicators.
                  If the primary system fails and the neighboring switches, routers and other network devices are
                  caching ARP requests, then those devices will not immediately associate the MAC address of the
                  backup Barracuda Load Balancer with the VIP address. Because of this, the length of time it takes for
                  the switchover from primary to backup is:
                          (the lifetime of the ARP cache)
                        + (the time it takes for the backup Barracuda Load Balancer to determine
                        that the primary system is inactive)

                  One way to mitigate this is if you have the two Barracuda Load Balancers plugged into a single
                  switch, disable spanning tree protocol on the ports where their WAN ports are connected. If it is a

58   Barracuda Load Balancer Administrator’s Guide
      Cisco switch, enable Spanning Tree PortFast on the ports where the WAN ports of the Barracuda
      Load Balancers are connected. These settings will help the devices on the network recognize the
      backup Barracuda Load Balancer more quickly if it needs to take over.



Recovery of the Primary System
      If, after an outage, the primary system becomes available again, the backup will detect that the
      primary is operational and stop load-balancing. The primary will take over the Virtual IP addresses
      and the load-balancing. This switchover from backup to primary disrupts load-balancing only briefly.



Creating a Cluster and Removing the Cluster

      To create a cluster of two Barracuda Load Balancers:
      1.   Complete the installation process for each system as described in Chapter 3 Initial Setup. For
           Route-Path only, leave the LAN IP field blank on the backup Barracuda Load Balancer. To
           verify this, go to the Basic > IP Configuration page on the backup Barracuda Load Balancer.
           Leave the LAN IP Address and LAN Netmask blank. If the backup unit has to take over, it will
           use the LAN IP Address and Netmask from the primary system.
      2.   On the Advanced > Task Manager page on the primary Barracuda Load Balancer, verify that no
           processes are running. Complete this step on the backup Barracuda Load Balancer as well. No
           processes should be running when you add systems to the cluster.
      3.   On the Advanced > High Availability page on the primary Barracuda Load Balancer, enter the
           Cluster Shared Secret password, and click Save Changes.
      4.   On the Advanced > High Availability page on the backup Barracuda Load Balancer:
               4a. Enter the Cluster Shared Secret password. Click Save Changes.
               4b. In the Clustered Systems section, enter the WAN IP address of the primary Barracuda
                   Load Balancer, and click Join Cluster.
               4c. Click Save Changes.
      5.   Reboot the backup Barracuda Load Balancer. On the Basic > Administration page of the backup
           Barracuda Load Balancer, click Restart and confirm it. When the backup Barracuda Load
           Balancer becomes operational, continue to the next step.
      6.   Refresh the Advanced > High Availability page on both Barracuda Load Balancers, and verify
           that:
               • Each system’s WAN IP address appears in the Clustered Systems table.
               • The status of each system is green.
      The backup system is the one that joins the cluster. Specifically, it is the one in Step 4b.) above where
      you click Join Cluster on its Web interface.

      To remove a Barracuda Load Balancer from the cluster:
      1.   Decide which Barracuda Load Balancer will keep the configuration (including IP address). This
           could be the primary or backup system in the cluster.
      2.   On the Advanced > High Availability page on the system where the configuration is to be kept,
           delete or change the Cluster Shared Secret password, and click Save Changes.
      3.   Click the garbage can icon to delete the other system from the Clustered Systems table.
      4.   On the Barracuda Load Balancer that was just deleted from the cluster, perform the following
           steps:


                                                                                           High Availability 59
                           4a. Click the garbage can icon to delete the first system from the Clustered Systems table.
                           4b. If the systems are in Route-Path mode, go immediately to the Basic > IP Configuration
                               page. Change this system's LAN IP Address and Netmask to avoid collisions. Click
                               Save Changes.
                           4c. Review this system's other settings and make changes as necessary.



       Data Propagated to Clustered Systems
                  Most configuration data is propagated from the primary system to the backup on an ongoing basis.
                  Table 6.1 identifies what is copied and what is unique..

                  Table 6.1: Data Shared Between Clustered Systems

                  Propagated Data                         Data Not Propagated
                  • Global system settings configured     • All of the system IP configuration (WAN IP address,
                  through the Web interface.              operating mode, DNS servers and domain) configured on the
                  • Any SSL Certificates that have been   Basic > IP Configuration page except for the LAN IP
                  installed.                              configuration.

                  • LAN IP configuration (used only for   • System password, time zone and Web interface HTTP port
                  Route-Path).                            as configured on the Basic > Administration page.

                  • All of the static routes and VLANs,   • The parameters on the Advanced > Appearance page.
                  etc., configured on the Advanced >      • The HTTPS port and SSL certificate used to access the Web
                  Advanced IP Config page.                interface on the Advanced > Appearance page.




60   Barracuda Load Balancer Administrator’s Guide
                                                                                                          Chapter 7
                               Global Server Load Balancing

This chapter describes how to configure Global Server Load Balancing or GSLB.
The following topics are covered:
     Introduction to Global Server Load Balancing (GSLB) .................... 62
     Steps to Install GSLB ......................................................................... 67
For more detailed information about a specific page in the Web interface, view the online help by
clicking the question mark icon on the right side of the page.




                                                                                        Global Server Load Balancing 61
Introduction to Global Server Load Balancing (GSLB)
                  This section contains an introduction to GSLB and how it is implemented using the Barracuda Load
                  Balancer.
                  The following topics are covered:
                        GSLB Examples ................................................................................. 62
                        GSLB Definitions ............................................................................... 62
                        Site Selection Criteria........................................................................ 63
                        How GSLB Works .............................................................................. 63
                        Integrating with the Existing DNS Infrastructure.............................. 64
                        Site Selection Algorithms ................................................................... 64
                        Example Implementations .................................................................. 65
                        GSLB Regions .................................................................................... 66
                        Configuring Multiple GSLB Controllers............................................ 66


                  Global Server Load Balancing (GSLB) allows you to coordinate how traffic is processed among
                  multiple data. A Barracuda Load Balancer acts as a controller, selecting the location to which traffic
                  is directed based on the parameters that you configure and the health of the data centers. This allows
                  you to allocate the work among multiple data centers and to ensure that if one data center fails then
                  traffic is redirected automatically to a functioning data center.



       GSLB Examples
                  GSLB can be useful when:
                  •   You have a number of server farms that are physically located around the world and you want
                      incoming connections to be directed to the closest healthy server farm.
                  •   You have two data centers and you want one of them to be reserved for use in the event of a
                      disaster. You can assign the first with a high priority and have all traffic directed to it, while the
                      other is used only if the first data center fails.
                  •   You have multiple data centers and each has region-specific content. Depending on the location
                      of the client, requests can be directed to the data center most appropriate for that region.



       GSLB Definitions
                  •   A site is a network location that hosts data. It may be a Service on a Barracuda Load Balancer
                      with a server farm or one Real Server.
                  •   A GSLB Controller is the Barracuda Load Balancer which determines where traffic is directed.
                      It contains configuration information about the sites and it performs health checks on all sites in
                      regular intervals. Only one GSLB Controller is active at a time. It is recommended that you
                      configure one or more backup GSLB Controllers.
                  •   A region defines a geographical area, usually composed of one or more countries. You can
                      define custom regions or use the predefined regions.




62   Barracuda Load Balancer Administrator’s Guide
Site Selection Criteria
       The GSLB Service allows you to specify that traffic be directed to a site based on one of three
       parameters:
       •    Proximity of the system making the request to a site that can serve the request;
       •    The region of the system making the request; or
       •    The priority order of the sites.



How GSLB Works
       The GSLB Controller controls which IP address for a sub-domain is given to a client. These steps
       illustrate the process:
       1.   A client tries to connect to a domain name such as www.example.com. It asks its local DNS
            server for the IP address of the domain name, and the server issues a DNS request on its behalf.
       2.   This request is eventually directed to the GSLB Controller (Barracuda Load Balancer) that acts
            as an authoritative DNS server for the delegated sub-domain www. The GSLB Controller
            considers the site selection algorithm and the health of the sites and issues a DNS response that
            contains a list of one or more IP addresses of valid sites.
       3.   The client tries to connect to the first address in the list.
       In Figure 7.1 How GSLB Works, the selection algorithm is based on the region of the client. The
       GSLB Controller determines the region where the request originated. The US client is returned the
       address of the site which handles clients from the US region (207.77.188.166) while the client from
       Europe is given the address of the site which supports content for the European region
       (216.129.205.232).

       Figure 7.1: How GSLB Works




                                                                             Global Server Load Balancing 63
                  Failover
                  The record that is returned by the GSLB Controller in response to a DNS query has a time to live
                  (TTL) value of 10 seconds, meaning that the DNS servers across the Internet need to request the IP
                  address of site again if the record is older than 10 seconds. If a site becomes unavailable, it will be
                  removed from the list of IP addresses returned, the caches will be updated quickly and traffic will be
                  directed to a healthy site.



       Integrating with the Existing DNS Infrastructure
                  In a typical GSLB deployment of the Barracuda Load Balancer, the existing DNS domain nameserver
                  continues as the authoritative nameserver for the zone or domain, e.g. barracuda.com. But a
                  hostname or sub-domain, e.g. www, is delegated to the Barracuda Load Balancer that acts as the GSLB
                  Controller. When a DNS query for www.barracuda.com is received, it is forwarded to the GSLB
                  Controller.
                  The GSLB Controller acts as the authoritative DNS server for delegated sub-domains, returning
                  definitive answers to DNS queries about domain names installed in its configuration. On the GSLB
                  Controller you can identify one or more IP addresses of sites that serve a single domain name. When
                  asked to resolve a host, the GSLB Controller returns a list of IP addresses of the sites that are both
                  available and that match the site selection algorithm.



       Site Selection Algorithms
                  As already described, when the GSLB Controller receives a DNS request to resolve a sub-domain, it
                  replies with a list of one or more IP addresses of valid sites that are both available and that match the
                  site selection algorithm. This site selection algorithm is also called the Response Policy. Three
                  Response Policies are available: one is based on site priority and the other two are based on location.


                  Failover IP Address
                  If no sites match the Response Policy or if all sites that match the Response Policy fail the health
                  check, a pre-configured Failover IP address for the sub-domain is returned. This is the IP address of
                  a site that can accept the traffic if the other systems become unavailable.
                  The health of the site at the Failover IP address is not monitored.


                  IP Address and Location Database
                  In order to provide location-based Response Policies, the Barracuda Load Balancer uses a database
                  of IP addresses and geographical locations. This database is updated by the Location Definitions
                  which are part of the Energize Updates maintained by Barracuda Central.


                  Response Policy Options
                  Three Response Policies are supported: Geo IP, Region Only and By Priority. Geo IP and Region
                  Only are based on the location of the client. By Priority is based only on the configured priority of
                  the site.




64   Barracuda Load Balancer Administrator’s Guide
      •   Geo IP – The GSLB Controller determines the location of the system making the request based
          on the Location Definitions and compares that to the location of each site. It returns a list of site
          IP addresses ordered from closest to furthest.
          Geo IP does not consider site priority.
      •   Region Only – The GSLB Controller determines the region of the system making the request
          based on the Location Definitions.
              • If the originating system is in a region that is associated with one or more sites, a list of
                 the healthy site IP address(es) is returned. The most specific matches appear first in the
                 list; any sites that are associated with All Countries are last in the list.
              • If the location of the originating system cannot be determined then any healthy sites that
                 are associated with All Countries are returned.
              • If neither of the preceding cases identifies at least one site IP address, the Failover IP
                 address is returned.
          Region Only does not consider site priority.
      •   By Priority – The GSLB Controller returns a list of site IP addresses ordered from lowest to
          highest priority value. Location is not considered.



Example Implementations
      Following are some sample situations and how to configure the site selection algorithm for each one
      on the Barracuda Load Balancer that acts as the GSLB Controller.


      Disaster Recovery - Two Sites in the World
      You have two sites and you want all traffic directed to one of the sites while the other is on standby
      and used only in the case of the failure of the first site. Create an entry for each site giving the primary
      site priority 1 (highest) and the backup priority 2. Make the Response Policy By Priority so that only
      priority is considered when directing traffic.
      When a query for the address of the domain name is received, a response containing one or more IP
      addresses is returned. If it is operational, the primary site’s IP address will be returned first in the list
      and the backup site’s IP address will be second. If the primary site becomes unavailable, only the
      second site's IP address will be returned.
      The primary site will be monitored, even after failure, so that when it becomes available then its IP
      address will once again be first in the returned list.


      Direct Clients to Closest Data Center
      You have a number of server farms that are physically located around the world, and you want clients
      to be directed to the closest healthy server farm. Make the Response Policy Geo IP to send client
      requests to the geographically nearest site. If you have a backup site, set the Failover IP address to its
      IP address.


      Direct Clients to Specific Region
      You have multiple data centers, each with region-specific content, and you want client requests from
      a certain region to be directed to the data center that supports that region. Make the Response Policy
      Region Only to associate requests with a region based on the location of the client and direct traffic
      to the appropriate data center.



                                                                                Global Server Load Balancing 65
                  If you have a backup site, set the Failover IP address to its IP address. Content switching rules can be
                  used to direct HTTP traffic within the backup data center (see Directing HTTP Requests using
                  Content Rules on page 51).



       GSLB Regions
                  GSLB regions are used only if the Response Policy is Region Only, to direct traffic to data centers
                  with region-specific content. Add a region to a host on the Advanced > GSLB Services page so that
                  traffic that originates in that region is directed to the Site IP address.
                  A number of predefined regions are listed on the Advanced > GSLB Settings page. You can also
                  create a custom region by specifying a region name and then adding one or more regions from a list.



       Configuring Multiple GSLB Controllers
                  Only one GSLB Controller is active at any one time. However, you can configure multiple GSLB
                  Controllers to increase the availability of your infrastructure in these two ways:
                  •   Operate in High Availability mode, in which case all of the GSLB information is copied to the
                      passive system.
                  •   Configure one or more other Barracuda Load Balancers (or clustered pairs) as GSLB
                      Controllers where:
                          • Each system or clustered pair has a DNS entry pointing to it. The first available entry is
                             used by a client.
                          • The GSLB configuration is synchronized manually between all GSLB Controllers unless
                             they are passive systems in a cluster.
                  Figure 7.2 Multiple GSLB Controllers shows three clustered pairs of Barracuda Load Balancers, all
                  in different locations. Each of these six Barracuda Load Balancers can act as GSLB Controllers and
                  they share the same GSLB-specific configuration. The GSLB Controllers are listed in the order they
                  are to be used as name servers in the DNS entry for the domain (see Steps to Install GSLB on page
                  67). If     in the example becomes unavailable,       will take over as GSLB Controller. If both
                  and      become unavailable,       will take over operation as the GSLB Controller, and so on.
                  Check Steps to Install GSLB on page 67 for instructions on how to install multiple GSLB Controllers.




66   Barracuda Load Balancer Administrator’s Guide
         Figure 7.2: Multiple GSLB Controllers




Steps to Install GSLB
         Execute these tasks to design your GSLB network and to configure one or more GSLB Controllers.
         Each step is described in more detail in the following sections.
         Step 1: Define the layout of your GSLB network.
         Step 2: If you plan to use a location-based Response Policy:
                  Step 2a: Define Regions (Region Only).
                  Step 2b: Turn on Location Definitions updates.
         On each active GSLB Controller, complete Step 3.
         Step 3: Set the DNS Service IP Address.
         For each sub-domain to be hosted, complete Step 4.
         Step 4: Delegate a sub-domain to the GSLB Controller.
         For each GSLB Controller that may receive traffic for a given sub-domain and which is not the
         passive system for a cluster, complete Steps 5-7.
         Step 5: Configure the DNS records on the GSLB Controller to identify the sub-domains that are
             being hosted.
         Step 6: Choose the Response Policy.
         Step 7: Enter the Failover IP address.
         Step 8: Identify the rest of the sites that serve this sub-domain.




                                                                              Global Server Load Balancing 67
                  Step 1: Define the layout of your GSLB network
                  Decide which Barracuda Load Balancers will act as your active and passive GSLB Controllers. GSLB
                  Controllers must be externally accessible. They may also act as the load balancer for a server farm.
                  Decide whether the site selection should be based on region, geographical proximity or by pre-
                  configured priority. Determine what will happen in the case of a site failure. Gather the IP addresses
                  (IP addresses of Real Servers or VIP addresses of Services) of the sites.


                  Step 2: Perform Location Specific Tasks
                  Skip the two tasks in this step if you do not intend to use a geographically-based Response Policy
                  (Geo IP or Region Only).
                  If the Response Policy is Region Only, decide which site or sites are associated with each region
                  where requests originate.
                  In either case, make sure the Location Definitions are set to automatically update on every GSLB
                  Controller. This setting is on the Advanced > Energize Updates page.


                  Step 3: Set the DNS Service IP Address
                  For each active GSLB Controller, select the IP address to be used as the DNS Service IP address. DNS
                  requests will be send to this IP address. It must be reachable from the WAN, LAN or VLAN of the
                  GSLB Controller. If the GSLB Controller is in HA mode and a system failover occurs, the passive
                  system will assume this address and handle the requests directed to it. If the GSLB Controller is not
                  in HA mode, this address could be the externally reachable IP address of the GSLB Controller.
                  On each active GSLB Controller, go to the Advanced > GSLB Services page and enter the DNS
                  Service IP Address. If this is a clustered system, the passive system will be updated automatically.


                  Step 4: Delegate a Sub-Domain to the GSLB Controller
                  This step needs to be done at your domain registrar or wherever your domains are hosted.
                  In order to delegate a sub-domain to be resolved by the GSLB Controller, records must be added to
                  the zone file of the domain so that DNS requests for the sub-domain will be forwarded to the GSLB
                  Controller for resolution.
                  For example, if the domain is example.com, and you want to host www.example.com behind the
                  GSLB Controller, you will need to add a DNS NS (nameserver) record to associate
                  www.example.com with each GSLB Controller. If there are four GSLB Controllers (two active, two
                  passive) there are two records, one for each clustered pair:
                          www.example.com. IN NS ns1.www.example.com.
                          www.example.com. IN NS ns2.www.example.com.


                  Add an A (host) record for each GSLB Controller with its IP address and the domain www:

                          ns1.www.example.com. IN A <DNS Service IP address of first cluster>
                          ns2.www.example.com. IN A <DNS Service IP address of second cluster>


                  where <DNS Service IP address...> is the DNS Service IP address assigned to each clustered
                  pair. Do not enter the <>’s. Do add the dot at the end of the nameserver.




68   Barracuda Load Balancer Administrator’s Guide
       The remainder of the steps are performed on the Barracuda Load Balancer(s) that may act as the
Note
       GSLB Controller. If you have a clustered GSLB Controller, you only need to do these steps on the
       active system because the configuration between two clustered Barracuda Load Balancers are
       synchronized automatically. If you have one or more GSLB Controllers at different locations that
       are acting as backups, you will need to do these steps on those GSLB Controllers as well. You must
       keep the GSLB configuration synchronized between the active GSLB Controller and the backups,
       but not on the passive system in any cluster.


           Step 5: Create the Host DNS Record on each GSLB Controller
           This step must be done on each GSLB Controller that is not a passive system in the cluster. Using the
           Web interface of the Barracuda Load Balancer, create the records that describe the domain or domains
           that are available to the GSLB Controller.
           The following example generates the A (host) record for www.example.com on the GSLB
           Controller. The domain name is example.com and the host is www. This A record is initially
           associated with one site IP address but more site IP addresses can be added later.

           To create the DNS records on the GSLB Controller:
           1.   Navigate to the Advanced > GSLB Services page.
           2.   In the Add New GSLB Service section, supply the following information:
                    • Zone Name – the zone maintained by your existing DNS server, e.g. example.com
                    • Host – The host name (or sub-domain) to be resolved, e.g. www
                    • Site IP – The IP address that is to receive the traffic. This may be a Service on a
                      Barracuda Load Balancer, or a server.
                    • Region – This associates a region with the Site IP address.
                         • If you want the GSLB Controller to select the site based on region, select the region
                           from the list. If the region you want is not already defined, add a custom region using
                           the Advanced > GSLB Settings page.
                         • Otherwise, select All Countries from the list.
           A DNS record will be created for www.example.com. Some of the fields in the record will contain
           default values for settings such as the Response Policy, which you can customize by editing the entry
           in the table.


           Step 6: Choose the Response Policy
           Response Policies are described in the section Response Policy Options on page 64.
           The Response Policy is defined for a host e.g. www.example.com. Edit the Host record on the
           Advanced > GSLB Services page to modify the Response Policy.


           Step 7: Set the Failover IP Address
           If you have a site that can handle the traffic in the case of failure of all sites that match the Response
           Policy, enter its IP address as the Failover IP address in the Host record on the Advanced > GSLB
           Services page.




                                                                                   Global Server Load Balancing 69
                  Step 8: Identify the rest of the sites that serve this host
                  To configure all of the sites that can process the traffic for this host (e.g. www.example.com), go to
                  the Advanced > GSLB Services page and click Add New Site.
                  You may want to associate a new site with a region or assign a priority to it. Remember that regions
                  are only relevant if the Response Policy is Region Only. Similarly, priority is only considered by the
                  By Priority Response Policy.




70   Barracuda Load Balancer Administrator’s Guide
                                                                                                         Chapter 8
 Managing the Barracuda Load Balancer

This chapter describes the monitoring and maintenance tasks you can do to check on performance and
to maintain the Barracuda Load Balancer. The following topics are covered:
     Administrative Settings ...................................................................... 72
     Monitoring the Barracuda Load Balancer ........................................ 74
     Maintaining the Barracuda Load Balancer....................................... 77
For more detailed information about a specific page in the Web interface, view the online help by
clicking the question mark icon on the right side of the page.




                                                                           Managing the Barracuda Load Balancer 71
Administrative Settings
                  This section covers the basic administrative settings for your Barracuda Load Balancer.

                        Controlling Access to the Web Interface...............................................72
                        Customizing the Appearance of the Web Interface............................ 72
                        Setting the Time Zone of the System .................................................. 72
                        Enabling SSL for Administration....................................................... 72



       Controlling Access to the Web Interface
                  Use the Basic > Administration page to perform the following tasks related to controlling access to
                  the Web interface such as:
                  •   Change the password of the administration account.
                  •   Specify the IP addresses or subnet mask of the systems that can access the Web interface. All
                      other systems will be denied access.
                  •   Change the port used to access the Web interface.
                  •   Change the length of time of inactivity allowed until the administrator is logged out of the Web
                      interface.
                  Use the Basic > IP Configuration page to allow or deny access to the Web interface from the WAN
                  and LAN IP addresses.



       Customizing the Appearance of the Web Interface
                  The Advanced > Appearance page allows you to customize the images used on the Web interface.
                  Available only for Barracuda Load Balancers model 440 and above.



       Setting the Time Zone of the System
                  The Basic > Administration page allows you to set the time zone of your Barracuda Load Balancer.
                  The current time on the system is automatically updated via Network Time Protocol (NTP). When the
                  Barracuda Load Balancer resides behind a firewall, NTP requires port 123 to be opened for outbound
                  UDP traffic.
                  It is important that the time zone is set correctly because this information is used to coordinate traffic
                  distribution and in all logs and reports.
                  Note: The Barracuda Load Balancer automatically reboots when you change the time zone.



       Enabling SSL for Administration
                  The Advanced > Secure Administration page allows you to configure SSL for the Web interface for
                  your Barracuda Load Balancer.




72   Barracuda Load Balancer Administrator’s Guide
           SSL ensures that your passwords and the rest of the data transmitted to and received from the Web
           interface is encrypted as well. You can require HTTPS to be used for secure access, and you can
           specify the certificate to be used.




Note
       The SSL configuration referred to here is only related to the Web interface. To enable SSL
       offloading for a Service, refer to SSL Offloading on page 47.



           In order to only allow secured connections when accessing the Web interface, you need to supply a
           digital SSL certificate which will be stored on the Barracuda Load Balancer. This certificate is used
           as part of the connection process between client and server (in this case, a browser and the Web
           interface on the Barracuda Load Balancer). The certificate contains the server name, the trusted
           certificate authority, and the server’s public encryption key.
           The SSL certificate which you supply may be either private or trusted. A private, or self-signed,
           certificate provides strong encryption without the cost of purchasing a certificate from a trusted
           certificate authority (CA). However, the client Web browser will be unable to verify the authenticity
           of the certificate and a warning will be sent about the unverified certificate. To avoid this warning,
           download the Private Root Certificate and import it into each browser that accesses the Barracuda
           Load Balancer Web interface. You may create your own private certificate using the Advanced >
           Secure Administration page.

           You may also use the default pre-loaded Barracuda Networks certificate. The client Web browser will
           display a warning because the hostname of this certificate is “barracuda.barracudanetworks.com” and
           it is not a trusted certificate. Access to the Web interface using the default certificate may be less
           secure.
           A trusted certificate is a certificate signed by a trusted certificate authority (CA). The benefit of this
           certificate type is that the signed certificate is recognized by the browser as trusted, thus preventing
           the need for manual download of the Private Root Certificate.




                                                                         Managing the Barracuda Load Balancer 73
Monitoring the Barracuda Load Balancer
                  This section describes the monitoring tasks you can perform from the Web interface of the Barracuda
                  Load Balancer. This section covers the following topics:
                        Monitoring the Health of Services and Real Servers ........................ 74
                        Enabling or Disabling Real Servers .................................................. 74
                        Viewing Performance Statistics ......................................................... 75
                        Viewing Logs...................................................................................... 75
                        Automating the Delivery of System Alerts and SNMP Traps ............ 75
                        Viewing System Tasks......................................................................... 76



       Monitoring the Health of Services and Real Servers
                  The Service Monitor checks the health of each Service and Real Server on an ongoing basis. Specify
                  which test to perform and how frequently to do the test by editing the Service or Real Server on the
                  Basic > Services page. The Basic > Services and Basic > Health pages display the health of all load-
                  balanced Services and associated Real Servers.
                  There are many different methods available to establish the availability of a Service or Real Server.
                  These include TCP port check, HTTP GET request, DNS query and RADIUS test. The various tests
                  are fully documented in the online help.
                  The tests always try to use the configured Real Server port for the Service unless the Real Server port
                  is set to ALL. In that case, the tests use the default port for the test type (e.g. SMTP = 25, HTTP = 80,
                  DNS = 53, HTTPS = 443, IMAP = 143, POP = 110 and SNMP = 161).
                  If a Real Server is associated with more than one Service it will be checked more frequently than the
                  Test Delay interval. The Service Monitor performs its health checks for each Services' set of Real
                  Servers independently.



       Enabling or Disabling Real Servers
                  You can change the status of your Real Servers by going to the Basic > Health page. For example,
                  you can disable your Real Servers to perform maintenance or to temporarily disassociate them from
                  a Service.
                  There are three status modes: enabled, disabled and maintenance. Click Enable to make a Real Server
                  be part of the pool of servers handling requests or connections. Select Disable to terminate all existing
                  connections or Maintenance to allow existing connections to terminate naturally. In either case, no
                  new connections or request are accepted until the Real Server is enabled again.



       Remotely Administering Real Servers
                  If you need to remotely administer Real Servers that are located behind the Barracuda Load Balancer,
                  then for each Real Server, create a Service which load balances only that one Real Server. Use the
                  VIP for that administration Service whenever you need to ssh to or perform RDP administration on
                  that Real Server.




74   Barracuda Load Balancer Administrator’s Guide
Viewing Performance Statistics
      The Basic > Status page provides an overview of the health and performance of your Barracuda Load
      Balancer, including:
      •   Traffic statistics, which shows the number of connections or requests for various types of traffic
          since the last system reset for up to five Services.
      •   The subscription status of Energize Updates.
      •   Performance statistics, such as CPU temperature and system load. Performance statistics
          displayed in red signify that the value exceeds the normal threshold.
      •   Hourly and daily traffic statistics.



Viewing Logs
      The Basic > Event Log page maintains a list of all noteworthy events that affect the operation of the
      Barracuda Load Balancer, such as attacks upon various Services and status changes for a Real Server.
      You can view the Syslog, which contains administrative updates such as logins and configuration
      changes as well as all of the system events contained in the Event Log, using the Advanced > Syslog
      page. You can also enter an IP address where the syslog output can be directed.
      If Intrusion Prevention System is enabled, you can look at messages related to IPS in the Intrusion
      Prevention Log on the Basic > Intrusion Prevention page.



Automating the Delivery of System Alerts and SNMP Traps
      The Basic > Administration page allows you to configure the Barracuda Load Balancer to
      automatically email notifications to the addresses you specify. To enter multiple addresses, separate
      each address with a comma. An email notification is generated if the number of operating Real
      Servers for a Service falls below a preset threshold.
      You can also configure SNMP traps to be generated when certain events occur. Go to the Advanced
      > SNMP Configuration page to see the list of possible traps.



SNMP Monitoring
      Using the Barracuda Load Balancer SNMP agent, you can use an SNMP monitor to query the system
      for a variety of statistics such as the number of current connections, bandwidth, and system CPU
      temperature.
      SNMP v2c and SNMP v3 are both supported by the SNMP agent. SNMP v2c queries and responses
      are not encrypted, so it is less secure. When using SNMP v3, traffic is encrypted and you can allow
      access only by specified users with passwords.
      For more information about monitoring the Barracuda Load Balancer using SNMP, see the technical
      paper SNMP Monitoring for the Barracuda Load Balancer located at
      http://www.barracudanetworks.com/documentation.




                                                                  Managing the Barracuda Load Balancer 75
       Viewing System Tasks
                  The Advanced > Task Manager page provides a list of tasks that are in the process of being performed
                  and also displays any errors encountered when performing these tasks.
                  Some of the tasks that the Barracuda Load Balancer tracks include:
                  •   Cluster setup
                  •   Configuration restoration
                  If a task takes a long time to complete, you can click the Cancel link next to the task name and then
                  run the task at a later time when the system is less busy.
                  The Task Errors section lists an error until you manually remove it from the list.




76   Barracuda Load Balancer Administrator’s Guide
Maintaining the Barracuda Load Balancer
         This section describes how to manage and maintain your Barracuda Load Balancer using the Web
         interface. This section covers the following topics:
               Backing up and Restoring Your System Configuration ..................... 77
               Updating the Firmware of Your Barracuda Load Balancer.............. 77
               Updating the Intrusion Prevention Rules Using Energize Updates .. 78
               Replacing a Failed System ................................................................ 78
               Reloading, Restarting, and Shutting Down the System ..................... 78
               Using the Built-in Troubleshooting Tools .......................................... 79
               Rebooting the System in Recovery Mode........................................... 79



   Backing up and Restoring Your System Configuration
         The Advanced > Backup page lets you back up and restore the configuration of your Barracuda Load
         Balancer. You should back up your system on a regular basis in case you need to restore this
         information on a replacement Barracuda Load Balancer or in the event your current system data
         becomes corrupt.
         If you are restoring a backup file on a new Barracuda Load Balancer that is not configured, you need
         to assign your new system an IP address and DNS information on the Basic > IP Configuration page.
         Note the following about the backup file:
         •   Do not edit backup files. Any configuration changes you want to make need to be done through
             the Web interface. The configuration backup file contains a checksum that prevents the file from
             being uploaded to the system if any changes are made.
         •   You can safely view a backup file in Windows WordPad or Microsoft Word. You should avoid
             viewing backup files in Windows Notepad because the file can become corrupted if you save the
             file from this application.
         •   The following information is not included in the backup file:
                  • System password
                  • System IP information
                  • DNS information



   Updating the Firmware of Your Barracuda Load Balancer
         The Advanced > Firmware Update page allows you to manually update the firmware version of the
         system or revert to a previous version. The only time you should revert back to an old firmware
         version is if you recently downloaded a new version that is causing unexpected problems. In this case,
         call Barracuda Networks Technical Support before reverting back to a previous firmware version.
         If you have the latest firmware version already installed, the Download Now button will be disabled.
         If you have two Barracuda Load Balancers configured in High Availability mode, update the
         firmware on the backup Barracuda Load Balancer first. Then update the firmware on the primary
         Barracuda Load Balancer. The backup Barracuda Load Balancer becomes operational when the
         primary is rebooted, thus maintaining availability.




                                                                                  Managing the Barracuda Load Balancer 77
                  If your Barracuda Load Balancers are not in High Availability mode, applying a new firmware
                  version results in a temporary loss of service. For this reason, you should apply new firmware versions
                  during non-busy hours.



       Updating the Intrusion Prevention Rules Using Energize Updates
                  The Advanced > Energize Updates page allows you to manually update the Intrusion Prevention
                  System rules, as well as change the interval at which the Barracuda Load Balancer checks for updates.
                  We recommend that the Automatically Update setting be set to Hourly so your Barracuda Load
                  Balancer receives the latest rules as soon as new threats are identified by Barracuda Central.



       Replacing a Failed System
                  Before you replace your Barracuda Load Balancer, use the tools provided on the Advanced >
                  Troubleshooting page to try to resolve the problem.

                  In the event that a Barracuda Load Balancer fails and you cannot resolve the issue, customers that
                  have purchased the Instant Replacement service can call Technical Support and arrange for a new unit
                  to be shipped out within 24 hours.
                  After receiving the new system, ship the old Barracuda Load Balancer back to Barracuda Networks
                  at the address below with an RMA number marked clearly on the package. Barracuda Networks
                  Technical Support can provide details on the best way to return the unit.
                             Barracuda Networks
                             3175 S. Winchester Blvd
                             Campbell, CA 95008


     Note     To set up the new Barracuda Load Balancer so it has the same configuration as your old failed
              system, restore the backup file from the old system onto the new system, and then manually
              configure the new system’s IP information on the Basic > IP Configuration page. For information
              on restoring data, refer to Backing up and Restoring Your System Configuration on page 77.




       Reloading, Restarting, and Shutting Down the System
                  The System Reload/Shutdown section on the Basic > Administration page allows you to shutdown,
                  restart, and reload system configuration on the Barracuda Load Balancer.
                  Shutting down the system powers off the unit. Restarting the system reboots the unit. Reloading the
                  system re-applies the system configuration.
                  You can also reboot the Barracuda Load Balancer by pressing RESET on the front panel of the
                  Barracuda Load Balancer.
                  Do not press and hold the RESET button for more than a couple of seconds. Holding it for five
                  seconds or longer changes the IP address of the system. Pressing RESET for five seconds sets the




78   Barracuda Load Balancer Administrator’s Guide
      WAN IP address to 192.168.200.200. Pressing RESET eight seconds changes the WAN IP address
      to 192.168.1.200. Pressing the button for 12 seconds changes the WAN IP address to 10.1.1.200.



Using the Built-in Troubleshooting Tools
      The Advanced > Troubleshooting page provides various tools that help troubleshoot network
      connectivity issues that may be impacting the performance of your Barracuda Load Balancer.
      You can ping other devices from the Barracuda Load Balancer, perform a traceroute from the
      Barracuda Load Balancer to any another system, and execute other tests.



Rebooting the System in Recovery Mode
      If your Barracuda Load Balancer experiences a serious issue that impacts its core functionality, you
      can use diagnostic and recovery tools that are available at the reboot menu to return your system to
      an operational state.
      Before you use the diagnostic and recovery tools, do the following:
      •    Use the built-in troubleshooting tools on the Advanced > Troubleshooting page to help diagnose
           the problem.
      •    Perform a system restore from the last known good backup file.
      •    Contact Barracuda Networks Technical Support for additional troubleshooting tips.
      As a last resort, you can reboot your Barracuda Load Balancer and run a memory test or perform a
      complete system recovery, as described in this section.

      To perform a system recovery or hardware test:
      1.   Connect a monitor and keyboard directly to your Barracuda Load Balancer.
      2.   Reboot the system by doing one of the following:
               • Click Restart on the Basic > Administration page.
               • Press the Power button on the front panel to turn off the system, and then press the Power
                 button again to turn the system back on.
           The Barracuda splash screen displays with the following three boot options:
            Barracuda
            Recovery
            Hardware_Test
      3.   Use your keyboard to select the desired boot option, and click Enter.
           You must select the boot option within three seconds of the splash screen appearing. If you do
           not select an option within three seconds, the Barracuda Load Balancer defaults to starting up in
           the normal mode (first option).
           For a description of each boot option, refer to Reboot Options on page 80.




                                                                  Managing the Barracuda Load Balancer 79
                  Reboot Options
                  Table 8.1 describes the options available at the reboot menu.

                  Table 8.1: Reboot Options

                  Reboot Options                 Description
                  Barracuda                      Starts the Barracuda Load Balancer in the normal (default) mode. This
                                                 option is automatically selected if no other option is specified within the
                                                 first three (3) seconds of the splash screen appearing.

                  Recovery                       Displays the Recovery Console where you can select the following
                                                 options:
                                                 • Perform file system repair—Repairs the file system on the
                                                   Barracuda Load Balancer.
                                                 • Perform full system re-image—Restores the factory settings on
                                                   your Barracuda Load Balancer and clears out all configuration
                                                   information.
                                                 • Enable remote administration—Initiates a connection to Barracuda
                                                   Central that allows Barracuda Networks Technical Support to access
                                                   the system. Another method for enabling this troubleshooting
                                                   connection is to click Establish Connection to Barracuda Central
                                                   on the Advanced>Troubleshooting page.
                                                 • Run diagnostic memory test—Runs a diagnostic memory test from
                                                   the operating system. If problems are reported when running this
                                                   option, we recommend running the Hardware_Test option next.

                  Hardware_Test                  Performs a thorough memory test that shows most memory related
                                                 errors within a two-hour time period. The memory test is performed
                                                 outside of the operating system and can take a long time to complete.
                                                 Reboot your Barracuda Load Balancer to stop the hardware test. You
                                                 may do this by pressing Ctrl-Alt-Del on the keyboard, or by pressing
                                                 the RESET button on the Barracuda Load Balancer.




80   Barracuda Load Balancer Administrator’s Guide
                                                                                 Appendix A
 Extended Match and Condition Expressions

      Extended Match and Condition expressions can used in content rules, HTTP request rewrite rules and
      HTTP response rewrite rules. To learn more about these rules, all of which only apply to Layer 7
      Services, see the following:
      •   Directing HTTP Requests using Content Rules on page 51
      •   Modifying HTTP Requests and Responses on page 52.
      This appendix documents the syntax of the extended match and condition expressions.
      A few examples:
      • Header Host co example.com - match a request whose Host header contains example.com
      • Parameter userid ex - match any request in which the parameter 'userid' is present
      • (Header Host eq www.example.com) && (Client-IP eq 10.0.0.0/24) - match a request whose
          host header is www.example.com and the request client's IP address is in the 10.0.0.* subnet.



Quick reference
      •    Expression:
              • Element Match
              • (Expression) [Join (Expression) ...]
      •   Join:
              • &&, ||
      •   Element Match:
              • Element [Element Name] Operator [Value]
      •   Element:
              • Request Elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header
              • Request Parameters: Parameter, Pathinfo
              • Response Elements: Status-code, Response-Header
      •   Operator:
              • Matching: eq, neq, req, nreq
              • Containing: co, nco, rco, nrco
              • Existence: ex, nex




                                                             Extended Match and Condition Expressions 81
       Structure of an Extended Match or Condition Expression
                  The following explains the components of an Extended Match or Condition expression.
                  An expression consists of one or more Element Matches, combined using Join operators to indicate
                  AND and OR operations to combine the Element Matches. Parentheses must be used to delimit
                  individual Element Matches when using join operators. Parentheses can be nested.
                  An Element Match consists of an Element, an optional Element Name, an Operator followed by an
                  optional Value. Some elements like "Header" require an Element Name like "User-Agent", whereas
                  some elements like "HTTP-Version" require no further qualification. Also, some operators like "eq"
                  (stands for "equals") require a value, whereas some operators like "ex" (stands for "exists") require
                  no value.
                  Tokens are delimited by space and the parenthesis characters. Double quotes (") can be used to
                  enclose single tokens which contain parenthesis characters or spaces. The back-slash character can
                  also be used to escape, that is, remove the special meaning of the special characters (space and
                  parentheses).



       Operators
                  The following are the possible operators in an Element Match. The operators are case insensitive, for
                  example "eq", "Eq" and "EQ" are all treated the same.
                  •   eq - true if the operand is equal to the given value. A case insensitive string comparison is
                      performed. Thus, a value of "01" is not the same as a value of "1", whereas values "one" and
                      "ONE" are treated the same.
                  •   neq - true if the operand is not equal to the given value. A case insensitive string comparison is
                      performed.
                  •   co - true if the operand contains the given value.
                  •   nco - true if the operand does not contain the given value.
                  •   rco - true if the operand contains the given value, which is treated as a regular expression.
                  •   nrco - true if the operand does not contain the given value, which is treated as a regular
                      expression.
                  •   req - true if the operand matches the given value, which is treated as a regular expression.
                  •   nreq - true if the operand does not match the given value, which is treated as a regular
                      expression.
                  •   ex - true if the operand exists. A value is not required
                  •   nex - true if the operand does not exist. A value is not required



       Elements
                  The following are the different Elements allowed in the expression. Elements and Element Names are
                  case insensitive, so "Method" and "METHOD" are treated the same.
                  •   Method - The HTTP Method that was received in the request. Example: (Method eq GET)
                  •   HTTP-Version - This refers to the version of the HTTP protocol of the request. Example:
                      (HTTP-Version eq HTTP/1.1)




82   Barracuda Load Balancer Administrator’s Guide
        •   Header - An HTTP header in the request. An Element Name to identify which header is
            required to follow the word "Header". Example: (Header Accept co gzip). This will check if the
            "Accept:" header contains the string "gzip".
        •   Client-IP - This refers to the IP address of the client sending the request. The IP address can be
            either host IP address or subnet IP address specified by a mask. Only "eq" and "neq" operations
            are possible for this element. Examples: (client-ip eq 192.168.1.0/24), (Client-IP eq
            192.168.1.10)
        •   URI - The URI is the Uniform Resource Identifier in the request. This includes any query
            parameters in the request. Example: (URI rco /abc.*html?userid=b)
        •   URI-path - This refers to the path portion of the URI, which excludes any query parameters.
            Example: (URI-path req \/.*copy%20[^/]*)
        •   Pathinfo - This refers to the portion of URL which is interpreted as PATH_INFO on the server.
            The Barracuda Load Balancer uses a set of known extensions to determine whether a portion of
            the URL is a Pathinfo or not. For example, if the request URL is /twiki/view.cgi/Engineering,
            then, "/Engineering" is considered to be the pathinfo rather than part of the URL. Example:
            (PathInfo rco abc*)
        •   Parameter - This refers to a parameter in the query string part of the URL. the servers as a
            name-value pair. The special parameter "$NONAME_PARAM" is used to refer to the case
            where the parameter name is absent. Examples: (Parameter sid eq 1234), (Parameter
            $NONAME_PARAM co abcd)
        •   Status-code - This refers to the status code of the response returned by the servers. Example:
            (status-code eq 302)
        •   Response-header - This refers to the HTTP response header in the response. The term
            "Response-header" should be followed by the name of the header on which the action is to be
            applied. Example: (Response-Header Set-Cookie co sessionid)
        Each expression may use only some of these elements. The following restrictions apply:
        •   The Extended Match expression in the Content Rules can use these elements: Method, HTTP-
            Version, Header, Client-IP, URI, URI-Path, Pathinfo and Parameters.
        •   Request Rewrite Condition allows these elements: Method, HTTP-Version, Header, Client-IP,
            Parameter, Pathinfo and URI.
        •   Response Rewrite Condition allows these elements: Header, Status-code and Response-Header.



Joins
        Each expression can be joined with another expression by one of the following:
        •   || - This checks if either of the expressions are true.
        •   && - This checks if both the expressions are true.



Combining
        More than one Element Match can be combined together by using the join operators || and &&
        provided the Element Matches are enclosed in parentheses. Combining Element Matches without
        parentheses is not allowed. Example: (Header cookie ex) && (URI rco .*\.html) && (Method eq
        GET)




                                                                  Extended Match and Condition Expressions 83
                  Nested sub-expressions can be created by enclosing parentheses within expressions. This makes the
                  expression more readable as well as unambiguous. Example: (HTTP-Version eq HTTP/1.1) &&
                  ((Header Host eq www.example.com) || (Header Host eq website.example.com))



       Escaping
                  The space character and the parentheses characters are special characters since they cause the parser
                  to split the string into tokens at these separators. In some cases, it is required to specify these
                  characters as part of the value itself. For example, the User-Agent header typically contains both
                  spaces and parentheses, as in:
                  User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3
                  The spaces and parenthesis characters in such cases must be escaped by prefixing these characters
                  with a back-slash (\), or the entire value can be enclosed in double-quotes ("). Examples:
                  •     Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:1.8.1.3) Firefox/2.0.0.3"
                  •     Header User-Agent eq Mozilla/5.0\ \(Linux\ i686;\ en-US;\ rv:1.8.1.3\)\ Firefox/2.0.0.3
                  To specify the double-quote character itself, it must be escaped with a back-slash. This is true inside
                  a quoted string, or a non-quoted string. Note that the single quote character has no special meaning,
                  and is treated as any other character.
                  To specify the back-slash character itself, it must be escaped as "\\". This is true within quoted strings
                  or non-quoted strings.
                  The back-slash character escapes all characters, not just the special characters. Thus, "\c" stands for
                  the character "c" etc. In other words, back-slash followed by any character stands for the character,
                  whether or not that character has a special meaning in the syntax.



       Macro Definitions
                  The Barracuda Load Balancer supports several macros to assist in configuring policies. The following
                  table describes these macros arranged by the areas where they can be used. The URI in these cases
                  does not include the host.
                  Table A.1: Macro Definitions


                 Name                           Description

                                                  Request Rewrites
                 $SRC_ADDR                      Inserts the source (client) IP address. You can use it
                                                for the new value (Rewrite Value parameter) when
                                                inserting or rewriting a header.
                 $URI                           Should be specified in the new value, if you are
                                                rewriting or redirecting the URI. $URI specifies the
                                                complete request URI including the query string.
                 $AUTH_USER                     Adds the username.*
                 $AUTH_PASSWD                   Adds the password.*




84   Barracuda Load Balancer Administrator’s Guide
          Name                         Description

          $AUTH_GROUPS                 Adds the user roles.*
                                       *Note:
                                       (1) The URL is not protected, i.e. access-control or
                                       authentication is off. The value substituted for the
                                       above three macros will be the special string
                                       "NCURLNotProtected".
                                       (2) The client has not logged in. The value
                                       substituted for the above three macros will be the
                                       special string "NCNoUserSession".
                                       (3) The user does not belong to any groups. The
                                       value substituted for $AUTH_GROUPS will be the
                                       special string "NCNOUserRoles".
                                            URL ACLs
          $NONAME_PARAM                Inserts a parameter with no name (see No Name
                                       Parameters on page 85)



 No Name Parameters
           There might be times when you want to configure a parameter without a name. For example, consider
           a site that pops up an advertising window when a user lands there. A Javascript adds a query string
           that results in the following GET request:
            GET /ad?xxx


Note
       The Barracuda Load Balancer does not learn “no name” parameters such as query strings like
       "GET /ad?0" added by a Javascript. Workaround: Add a null value URL ACL.



           The Barracuda Load Balancer treats xxx as the value of a parameter. In this case, you cannot create
           an exception rule based on the xxx value because there is no way to associate it with a named
           parameter.
           To address such situations (that is, requests with parameter name-value pairs of the type ?xxx or
           ?=xxx where xxx is the value), you can use a special token: $NONAME_PARAM (case insensitive).
           This token allows you to create an expression for a parameter without a name as in the following
           examples:
            set    = parameter $NONAME_PARAM ex
            set    = parameter $NONAME_PARAM eq 0
            set    = parameter $noname_param co xxx




                                                                 Extended Match and Condition Expressions 85
86   Barracuda Load Balancer Administrator’s Guide
                                                                                                Appendix B
            Barracuda Load Balancer Hardware

This appendix provides hardware information for the Barracuda Load Balancer. The following topics
are covered:
     Front Panel of the Barracuda Load Balancer.....................................ii
     Back Panel of the Barracuda Load Balancer..................................... iv
     Hardware Compliance ......................................................................... v




                                                                                 Barracuda Load Balancer Hardware i
Front Panel of the Barracuda Load Balancer
                    Figure B.1 and Figure B.2 illustrate the front panels for each model.



         Barracuda Load Balancer 240, 340, and 440
                    Figure B.1 shows the front components as described in Table B.1.

                    Figure B.1: Barracuda Load Balancer Front Panel for models 240, 340, and 440




                                          1   2                                                    3 4 567 8 9




                    Table B.1 describes the front components on the Barracuda Load Balancer 240, 340, and 440.

                    Table B.1: Front Panel Descriptions for Barracuda Load Balancer 240, 340, and 440

                    Diagram Location                 Component Name                  Description

                                 1                   WAN port                        Port for WAN connection
                                 2                   LAN port                        Port for LAN connection
                                 3                   System indicator                Red at power on; if this stays red
                                                                                     it indicates a problem.
                                 4                   Reserved for future use
                                 5                   Reserved for future use
                                 6                   Data I/O                        Blinks during data transfer
                                 7                   System Power                    Displays system power
                                 8                   Reset Button                    Resets the Barracuda Load
                                                                                     Balancer
                                 9                   Power Button                    Powers on/off the Barracuda
                                                                                     Load Balancer




ii   Barracuda Load Balancer Administrator’s Guide
Barracuda Load Balancer 640
      Figure B.2 shows the front components as described in Table B.2.

      Figure B.2: Barracuda Load Balancer Front Panel for model 640

                                                                                345678 9




         ]                        10


      Table B.2 describes the front components on the Barracuda Load Balancer 640.
                                                                                     1   2




      Table B.2: Front Panel Descriptions for Barracuda Load Balancer 640

      Diagram Location             Component Name                   Description

                   1               WAN port                         Port for WAN connection
                   2               LAN port                         Port for LAN connection
                   3               System indicator                 Red at power on; if this stays red
                                                                    it indicates a problem.
                   4               Reserved for future use
                   5               Reserved for future use
                   6               Data I/O                         Blinks during data transfer
                   7               System Power                     Displays system power
                   8               Reset Button                     Resets the Barracuda Load
                                                                    Balancer
                   9               Power Button                     Powers on/off the Barracuda
                                                                    Load Balancer
                  10               LAN ports                        Twelve (12) additional LAN
                                                                    switches, available to connect to
                                                                    Real Servers




                                                                   Barracuda Load Balancer Hardware iii
Back Panel of the Barracuda Load Balancer
                   Figure B.3 illustrates the back panel for all models.



        Barracuda Load Balancer, all models
                   Figure B.3 shows the back components as described in Table B.3.

                   Figure B.3: Barracuda Load Balancer Back Panel




                        1         2            34      5    6   7     8    9


                   Table B.3 describes the back components on all models of the Barracuda Load Balancer.

                   Table B.3: Barracuda Load Balancer Back Component Descriptions

                   Diagram Location         Component Name             Description

                              1             Power Supply               Connection for the AC power cord; standard
                                                                       power supply
                              2             Fan                        Location of the fan
                              3             Mouse Port                 Connection for the mouse
                              4             Keyboard Port              Connection for the keyboard
                              5             Serial Port                Connection for the serial console cable
                              6             Parallel Port              Connection for the parallel cable
                              7             Monitor Port               Connection for the monitor
                              8             USB Ports (4)              Connection for USB devices
                              9             Ethernet Port              Not used




iv   Barracuda Load Balancer Administrator’s Guide
Hardware Compliance
         This section contains compliance information for the Barracuda Load Balancer hardware.




   Notice for the USA
         Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This
         device complies with part 15 of the FCC Rules.
         Operation is subject to the following conditions:
         1.   This device may not cause harmful interference, and
         2.   This device must accept any interference received including interference that may cause
              undesired operation. If this equipment does cause harmful interference to radio or television
              reception, which can be determined by turning the equipment off and on, the user in encouraged
              to try one or more of the following measures:
                  •   Reorient or relocate the receiving antenna.
                  •   Increase the separation between the equipment and the receiver.
                  •   Plug the equipment into an outlet on a circuit different from that of the receiver.
                  •   Consult the dealer on an experienced radio/ television technician for help.



   Notice for Canada
         This apparatus compiles with the Class B limits for radio interference as specified in the Canadian
         Department of Communication Radio Interference Regulations.




   Notice for Europe (CE Mark)
         This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).




                                                                            Barracuda Load Balancer Hardware v
vi   Barracuda Load Balancer Administrator’s Guide
                                                                                    Appendix C
                                 Limited Warranty and License

Barracuda Networks Limited Hardware Warranty (v 2.1)
      Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor
      selling the Barracuda Networks product, if sale is not directly by Barracuda Networks, Inc.,
      ("Barracuda Networks") warrants that commencing from the date of delivery to Customer (but in case
      of resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original
      shipment by Barracuda Networks, Inc.), and continuing for a period of one (1) year: (a) its products
      (excluding any software) will be free from material defects in materials and workmanship under
      normal use; and (b) the software provided in connection with its products, including any software
      contained or embedded in such products will substantially conform to Barracuda Networks published
      specifications in effect as of the date of manufacture. Except for the foregoing, the software is
      provided as is. In no event does Barracuda Networks warrant that the software is error free or that
      Customer will be able to operate the software without problems or interruptions. In addition, due to
      the continual development of new techniques for intruding upon and attacking networks, Barracuda
      Networks does not warrant that the software or any equipment, system or network on which the
      software is used will be free of vulnerability to intrusion or attack. The limited warranty extends only
      to you the original buyer of the Barracuda Networks product and is non-transferable.



Exclusive Remedy
      Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited
      warranty shall be, at Barracuda Networks or its service centers option and expense, the repair,
      replacement or refund of the purchase price of any products sold which do not comply with this
      warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new
      equipment substituted at Barracuda Networks’ option. Barracuda Networks obligations hereunder are
      conditioned upon the return of affected articles in accordance with Barracuda Networks then-current
      Return Material Authorization ("RMA") procedures. All parts will be new or refurbished, at
      Barracuda Networks’ discretion, and shall be furnished on an exchange basis. All parts removed for
      replacement will become the property of Barracuda Networks. In connection with warranty services
      hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to
      you to improve its reliability or performance. The warranty period is not extended if Barracuda
      Networks repairs or replaces a warranted product or any parts. Barracuda Networks may change the
      availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO
      EVENT SHALL BARRACUDA NETWORKS LIABILITY EXCEED THE PRICE PAID FOR THE
      PRODUCT FROM DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL
      DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING
      SOFTWARE, OR ITS DOCUMENTATION.



Exclusions and Restrictions
      This limited warranty does not apply to Barracuda Networks products that are or have been (a)
      marked or identified as "sample" or "beta," (b) loaned or provided to you at no cost, (c) sold "as is,"
      (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or


                                                                                                            vii
                    maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to
                    abnormal physical or electrical stress, misuse, negligence or to an accident.
                    EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER
                    WARRANTY, EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO BARRACUDA
                    NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED
                    WARRANTY OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS,
                    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR
                    ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT
                    FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS' PRODUCTS AND THE
                    SOFTWARE ARE PROVIDED "AS-IS" AND BARRACUDA NETWORKS DOES NOT
                    WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE
                    UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR ERROR FREE, OR THAT ANY
                    ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE,
                    BARRACUDA NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS
                    PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON WHICH
                    BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF
                    VULNERABILITY TO INTRUSION OR ATTACK.



         Barracuda Networks Software License Agreement (v 2.1)
                    PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY
                    BEFORE USING THE BARRACUDA NETWORKS SOFTWARE. BY USING THE
                    BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS
                    LICENSE. IF YOU ARE A CORPORATION, PARTNERSHIP OR SIMILAR ENTITY, THEN
                    THE SOFTWARE LICENSE GRANTED UNDER THIS AGREEMENT IS EXPRESSLY
                    CONDITIONED UPON ACCEPTANCE BY A PERSON WHO IS AUTHORIZED TO SIGN FOR
                    AND BIND THE ENTITY. IF YOU ARE NOT AUTHORIZED TO SIGN FOR AND BIND THE
                    ENTITY OR DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, DO NOT USE
                    THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE YOU MAY
                    RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL
                    REFUND TO YOUR PLACE OF PURCHASE.
                    1. The software and documentation, whether on disk, in flash memory, in read only memory, or on
                    any other media or in any other form (collectively "Barracuda Software") is licensed, not sold, to you
                    by Barracuda Networks, Inc. ("Barracuda") for use only under the terms of this Agreement, and
                    Barracuda reserves all rights not expressly granted to you. The rights granted are limited to
                    Barracuda's intellectual property rights in the Barracuda Software and do not include any other patent
                    or intellectual property rights. You own the media on which the Software is recorded but Barracuda
                    retains ownership of the Software itself. If you have not completed a purchase of the Software and
                    made payment for the purchase, the Software may only be used for evaluation purposes and may not
                    be used in any production capacity. Furthermore the Software, when used for evaluation, may not be
                    secure and may use publically available passwords.
                    2. Permitted License Uses and Restrictions. If you have purchased a Barracuda Networks hardware
                    product, this Agreement allows you to use the Software only on the single Barracuda labeled
                    hardware device on which the software was delivered. You may not make copies of the Software.
                    You may not make a backup copy of the Software. If you have purchased a Barracuda Networks
                    Virtual Machine you may use the software only in the licensed number of instances of the licensed
                    sizes and you may not exceed the licensed capacities. You may make a reasonable number of backup
                    copies of the Software. If you have purchased client software you may install the software only on
                    the number of licensed clients. You may make a reasonable number of backup copies of the Software.
                    For all purchases you may not modify or create derivative works of the Software except as provided
                    by the Open Source Licenses included below. You may not make the Software available over a


viii   Barracuda Load Balancer Administrator’s Guide
network where it could be utilized by multiple devices or copied. Unless otherwise expressly provided
in the documentation, your use of the Software shall be limited to use on a single hardware chassis,
on a single central processing unit, as applicable, or use on such greater number of chassis or central
processing units as you may have paid Barracuda Networks the required license fee; and your use of
the Software shall also be limited, as applicable and set forth in your purchase order or in Barracuda
Networks' product catalog, user documentation, or web site, to a maximum number of (a) seats (i.e.
users with access to install Software), (b) concurrent users, sessions, ports, and/or issued and
outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Your
use of the Software shall also be limited by any other restrictions set forth in your purchase order or
in Barracuda Networks' product catalog, user documentation or Web site for the Software. The
BARRACUDA SOFTWARE IS NOT INTENDED FOR USE IN THE OPERATION OF
NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE
SUPPORT MACHINES, OR OTHER EQUIPEMENT IN WHICH FAILURE COULD LEAD TO
DEATH, PERSONAL INJURY, OR ENVIRONMENTAL DAMAGE. YOU EXPRESSLY AGREE
NOT TO USE IT IN ANY OF THESE OPERATIONS.
3. You may not transfer, rent, lease, lend, or sublicense the Software or allow a third party to do so.
YOU MAY NOT OTHERWISE TRANSFER THE SOFTWARE OR ANY OF YOUR RIGHTS
AND OBLIGATIONS UNDER THIS AGREEMENT. You agree that you will have no right and will
not, nor will it assist others to: (i) make unauthorized copies of all or any portion of the Software; (ii)
sell, sublicense, distribute, rent or lease the Software; (iii) use the Software on a service bureau, time
sharing basis or other remote access system whereby third parties other than you can use or benefit
from the use of the Software; (iv) disassemble, reverse engineer, modify, translate, alter, decompile
or otherwise attempt to discern the source code of all or any portion of the Software; (v) utilize or run
the Software on more computers than you have purchased license to; (vi) operate the Software in a
fashion that exceeds the capacity or capabilities that were purchased by you.
4. THIS AGREEMENT SHALL BE EFFECTIVE UPON INSTALLATION OF THE SOFTWARE
OR PRODUCT AND SHALL TERMINATE UPON THE EARLIER OF: (A) YOUR FAILURE TO
COMPLY WITH ANY TERM OF THIS AGREEMENT OR (B) RETURN, DESTRUCTION OR
DELETION OF ALL COPIES OF THE SOFTWARE IN YOUR POSSESSION. Rights of Barracuda
Networks and your obligations shall survive any termination of this Agreement. Upon termination of
this Agreement by Barracuda Networks, You shall certify in writing to Barracuda Networks that all
copies of the Software have been destroyed or deleted from any of your computer libraries, storage
devices, or any other location.
5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA
SOFTWARE IS AT YOUR OWN RISK AND THAT THE ENTIRE RISK AS TO
SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE
BARRACUDA SOFTWARE IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT
WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL WARRANTIES
AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER
EXPRESSED OR IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTIBILITY, OF
SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND
OF NON-INFRINGEMENT OF THIRD PARTY RIGHTS. BARRACUDA DOES NOT
WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE
PERFORMANCE WILL MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL
MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR FREE OR
CONTINUOUS, THAT CURRENT OR FUTURE VERSIONS OF ANY OPERATING SYSTEM
WILL BE SUPPORTED, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR
WRITTEN INFORMATION GIVEN BY BARRACUDA OR AUTHORIZED BARRACUDA
REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA
SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY
SERVICING, REPAIR, OR CORRECTION. FURTHERMORE BARRACUDA NETWORKS
SHALL ASSUME NO WARRANTY FOR ERRORS/BUGS, FAILURES OR DAMAGE WHICH

                                                                                                         ix
                  WERE CAUSED BY IMPROPER OPERATION, USE OF UNSUITABLE RESOURCES,
                  ABNORMAL OPERATING CONDITIONS (IN PARTICULAR DEVIATIONS FROM THE
                  INSTALLATION CONDITIONS) AS WELL AS BY TRANSPORTATION DAMAGE. IN
                  ADDITION, DUE TO THE CONTINUAL DEVELOPMENT OF NEW TECHNIQUES FOR
                  INTRUDING UPON AND ATTACKING NETWORKS, BARRACUDA NETWORKS DOES NOT
                  WARRANT THAT THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR NETWORK ON
                  WHICH THE SOFTWARE IS USED WILL BE FREE OF VULNERABILITY TO INTRUSION
                  OR ATTACK. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL
                  PROVIDE AN UNLIMITED PERPETUAL ZERO COST LICENSE TO BARRACUDA FOR ANY
                  PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS WHICH YOU EITHER OWN OR
                  CONTROL THAT ARE UTILIZED IN ANY BARRACUDA PRODUCT.
                  6. Termination and Fair Use Policy. BARRACUDA SHALL HAVE THE ABSOLUTE AND
                  UNILATERAL RIGHT AT ITS SOLE DISCRETION TO DENY USE OF, OR ACCESS TO
                  BARRACUDA SOFTWARE, IF YOU ARE DEEMED BY BARRACUDA TO BE USING THE
                  SOFTWARE IN A MANNER NOT REASONABLY INTENDED BY BARRACUDA OR IN
                  VIOLATION OF ANY LAW.
                  7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT
                  SHALL BARRACUDA BE LIABLE FOR PERSONAL INJURY OR ANY INCIDENTAL
                  SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING,
                  WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS
                  INTERRUPTION, OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT
                  OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA
                  SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND
                  EVEN IF BARRACUDA HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. In no
                  event shall Barracuda's total liability to you for all damages exceed the amount of one hundred
                  dollars.The following terms govern your use of the Energize Update Software except to the extent a
                  particular program (a) is the subject of a separate written agreement with Barracuda Networks or (b)
                  includes a separate "click-on" license agreement as part of the installation and/or download process.
                  To the extent of a conflict between the provisions of the foregoing documents, the order of precedence
                  shall be (1) the written agreement, (2) the click-on agreement, and (3) this Energize Update Software
                  License.
                  8. Content Restrictions. YOU MAY NOT (AND MAY NOT ALLOW A THIRD PARTY TO)
                  COPY, REPRODUCE, CAPTURE, STORE, RETRANSMIT, DISTRIBUTE, OR BURN TO CD
                  (OR ANY OTHER MEDIUM) ANY COPYRIGHTED CONTENT THAT YOU ACCESS OR
                  RECEIVE THROUGH USE OF THE PRODUCT CONTAINING THE SOFTWARE. YOU
                  ASSUME ALL RISK AND LIABILITY FOR ANY SUCH PROHIBITED USE OF
                  COPYRIGHTED CONTENT. You agree not to publish any benchmarks, measurements, or reports
                  on the product without Barracuda Networks’ written express approval.
                  9. Third Party Software. Some Software which supports Bare Metal Disaster Recovery of Microsoft
                  Windows Vista and Microsoft Windows 2008 Operating Systems (DR6) contains and uses
                  components of the Microsoft Windows Pre-Installation Environment (WINPE) with the following
                  restrictions: (i) the WINPE components in the DR6 product are licensed and not sold and may only
                  be used with the DR6 product; (ii) DR6 is provided "as is"; (iii) Barracuda and its suppliers reserve
                  all rights not expressly granted; (iv) license to use DR6 and the WINPE components is limited to use
                  of the product as a recovery utility program only and not for use as a general purpose operating
                  system; (v) Reverse engineering, decompiling or disassembly of the WINPE components, except to
                  the extent expressly permitted by applicable law, is prohibited; (vi) DR6 contains a security feature
                  from Microsoft that will automatically reboot the system without warning after 24 hours of
                  continuous use; (vii) Barracuda alone will provide support for customer issues with DR6 and
                  Microsoft and its Affiliates are released of all liability related to its use and operation; and, (viii) DR6
                  is subject to U.S. export jurisdiction.



x   Barracuda Load Balancer Administrator’s Guide
10. Trademarks. Certain portions of the product and names used in this Agreement, the Software and
the documentation may constitute trademarks of Barracuda Networks. You are not authorized to use
any such trademarks for any purpose.


11. Export Restrictions. You may not export or re-export the Software without: (a) the prior written
consent of Barracuda Networks, (b) complying with applicable export control laws, including, but not
limited to, restrictions and regulations of the Department of Commerce or other United States agency
or authority and the applicable EU directives, and (c) obtaining any necessary permits and licenses.
In any event, you may not transfer or authorize the transfer of the Software to a prohibited territory
or country or otherwise in violation of any applicable restrictions or regulations. If you are a United
States Government agency the Software and documentation qualify as "commercial items", as that
term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101, consisting of
"commercial computer software" and "commercial computer software documentation" as such terms
are used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through
227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any
agreement into which this Agreement may be incorporated, Government end user will acquire the
Software and documentation with only those rights set forth in this Agreement. Use of either the
Software or documentation or both constitutes agreement by the Government that the Software and
documentation are "commercial computer software" and "commercial computer software
documentation", and constitutes acceptance of the rights and restrictions herein.
12. General. THIS AGREEMENT IS GOVERNED BY THE LAWS OF THE STATE OF
CALIFORNIA, USA WITH JURISDICTION OF SANTA CLARA COUNTY, CALIFORNIA,
UNLESS YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND, THE EU, OR JAPAN. IF
YOUR HEADQUARTERS IS LOCATED IN SWITZERLAND THE SWISS MATERIAL LAW
SHALL BE USED AND THE JURISDICTION SHALL BE ZURICH. IF YOUR
HEADQUARTERS IS LOCATED IN THE EU, AUSTRIAN LAW SHALL BE USED AND
JURISDICTION SHALL BE INNSBRUCK. IF YOUR HEADQUARTERS IS LOCATED IN
JAPAN, JAPANESE LAW SHALL BE USED AND JURISDICTION SHALL BE TOKYO. THIS
AGREEMENT WILL NOT BE SUBJECT TO ANY CONFLICT-OF-LAWS PRINCIPLES IN ANY
JURISDICTION. THIS AGREEMENT WILL NOT BE GOVERNED BY THE U.N.
CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALES OF GOODS. This
Agreement is the entire agreement between You and Barracuda Networks regarding the subject
matter herein and supersedes any other communications with respect to the Software. If any provision
of this Agreement is held invalid or unenforceable, the remainder of this Agreement will continue in
full force and effect. Failure to prosecute a party's rights with respect to a default hereunder will not
constitute a waiver of the right to enforce rights with respect to the same or any other breach.
13. Assignability. You may not assign any rights or obligations hereunder without prior written
consent from Barracuda Networks.
14. Billing Issues. You must notify Barracuda of any billing problems or discrepancies within sixty
(60) days after they first appear on the statement you receive from your bank, Credit Card Company,
other billing company or Barracuda Networks. If you do not bring such problems or discrepancies to
Barracuda Networks attention within the sixty (60) day period, you agree that you waive the right to
dispute such problems or discrepancies.
15. Collection of Data. You agree to allow Barracuda Networks to collect information ("Statistics")
from the Software in order to fight spam, virus, and other threats as well as optimize and monitor the
Software. Information will be collected electronically and automatically. Statistics include, but are
not limited to, the number of messages processed, the number of messages that are categorized as
spam, the number of virus and types, IP addresses of the largest spam senders, the number of emails
classified for Bayesian analysis, capacity and usage, and other statistics. Your data will be kept private
and will only be reported in aggregate by Barracuda Networks.



                                                                                                        xi
                    16. Subscriptions. Software updates and subscription information provided by Barracuda Energize
                    Updates or other services may be necessary for the continued operation of the Software. You
                    acknowledge that such a subscription may be necessary. Furthermore some functionality may only
                    be available with additional subscription purchases. Obtaining Software updates on systems where
                    no valid subscription has been purchased or obtaining functionality where subscription has not been
                    purchased is strictly forbidden and in violation of this Agreement. All initial subscriptions commence
                    at the time of activation and all renewals commence at the expiration of the previous valid
                    subscription. Unless otherwise expressly provided in the documentation, you shall use the Energize
                    Updates Service and other subscriptions solely as embedded in, for execution on, or (where the
                    applicable documentation permits installation on non-Barracuda Networks equipment) for
                    communication with Barracuda Networks equipment owned or leased by you. All subscriptions are
                    non-transferrable. Barracuda Networks makes no warranty that subscriptions will continue un-
                    interrupted. Subscription may be terminated without notice by Barracuda Networks for lack of full
                    payment.
                    17. Auto Renewals. If your Software purchase is a time based license, includes software
                    maintenance, or includes a subscription, you hereby agree to automatically renew this purchase when
                    it expires unless you notify Barracuda 15 days before the renewal date. Barracuda Networks will
                    automatically bill you or charge you unless notified 15 days before the renewal date.
                    18. Time Base License. If your Software purchase is a time based license you expressly acknowledge
                    that the Software will stop functioning at the time the license expires. You expressly indemnify and
                    hold harmless Barracuda Networks for any and all damages that may occur because of this.
                    19. Support. Telephone, email and other forms of support will be provided to you if you have
                    purchased a product that includes support. The hours of support vary based on country and the type
                    of support purchased. Barracuda Networks Energize Updates typically include Basic support.
                    20. Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release
                    of any Software or Subscription and to alter prices, features, specifications, capabilities, functions,
                    licensing terms, release dates, general availability or other characteristics of any future releases of the
                    Software or Subscriptions.
                    21. Open Source Licensing. Barracuda Networks products may include programs that are covered
                    by the GNU General Public License (GPL) or other Open Source license agreements, in particular the
                    Linux operating system. It is expressly put on record that the Software does not constitute an edited
                    version or further development of the operating system. These programs are copyrighted by their
                    authors or other parties, and the authors and copyright holders disclaim any warranty for such
                    programs. Other programs are copyright by Barracuda Networks. Further details may be provided in
                    an appendix to this agreement where the licenses are re-printed. Barracuda Networks makes available
                    the source code used to build Barracuda products available at source.barracuda.com. This directory
                    includes all the programs that are distributed on the Barracuda products. Obviously not all of these
                    programs are utilized, but since they are distributed on the Barracuda product we are required to make
                    the source code available.




        Barracuda Networks Energize Updates and Other Subscription Terms

                    Barracuda Networks Software License Agreement Appendix
                    The GNU General Public License (GPL) Version 2, June 1991
                    Copyright (C) 1989, 1991 Free Software Foundation, Inc.


xii   Barracuda Load Balancer Administrator’s Guide
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Everyone is permitted to copy and distribute verbatim copies of this license document, but changing
it is not allowed.


Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users. This General Public License applies
to most of the Free Software Foundation's software and to any other program whose authors commit
to using it. (Some other Free Software Foundation software is covered by the GNU Library General
Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses
are designed to make sure that you have the freedom to distribute copies of free software (and charge
for this service if you wish), that you receive source code or can get it if you want it, that you can
change the software or use pieces of it in new free programs; and that you know you can do these
things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to
ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that
there is no warranty for this free software. If the software is modified by someone else and passed on,
we want its recipients to know that what they have is not the original, so that any problems introduced
by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger
that redistributors of a free program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any patent must be licensed for
everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The "Program",
below, refers to any such program or work, and a "work based on the Program" means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or
a portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term "modification".) Each licensee is
addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program


                                                                                                      xiii
                   is covered only if its contents constitute a work based on the Program (independent of having been
                   made by running the Program). Whether that is true depends on what the Program does.
                   1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
                   medium, provided that you conspicuously and appropriately publish on each copy an appropriate
                   copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and
                   to the absence of any warranty; and give any other recipients of the Program a copy of this License
                   along with the Program.
                   You may charge a fee for the physical act of transferring a copy, and you may at your option offer
                   warranty protection in exchange for a fee.
                   2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based
                   on the Program, and copy and distribute such modifications or work under the terms of Section 1
                   above, provided that you also meet all of these conditions:
                   a) You must cause the modified files to carry prominent notices stating that you changed the files and
                   the date of any change.
                   b) You must cause any work that you distribute or publish, that in whole or in part contains or is
                   derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
                   under the terms of this License.
                   c) If the modified program normally reads commands interactively when run, you must cause it, when
                   started running for such interactive use in the most ordinary way, to print or display an announcement
                   including an appropriate copyright notice and a notice that there is no warranty (or else, saying that
                   you provide a warranty) and that users may redistribute the program under these conditions, and
                   telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but
                   does not normally print such an announcement, your work based on the Program is not required to
                   print an announcement).
                   These requirements apply to the modified work as a whole. If identifiable sections of that work are
                   not derived from the Program, and can be reasonably considered independent and separate works in
                   themselves, then this License, and its terms, do not apply to those sections when you distribute them
                   as separate works. But when you distribute the same sections as part of a whole which is a work based
                   on the Program, the distribution of the whole must be on the terms of this License, whose permissions
                   for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote
                   it.
                   Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
                   by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
                   works based on the Program.
                   In addition, mere aggregation of another work not based on the Program with the Program (or with a
                   work based on the Program) on a volume of a storage or distribution medium does not bring the other
                   work under the scope of this License.
                   3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code
                   or executable form under the terms of Sections 1 and 2 above provided that you also do one of the
                   following:
                   a) Accompany it with the complete corresponding machine-readable source code, which must be
                   distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
                   interchange; or,
                   b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
                   no more than your cost of physically performing source distribution, a complete machine-readable
                   copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on
                   a medium customarily used for software interchange; or,


xiv   Barracuda Load Balancer Administrator’s Guide
c) Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For
an executable work, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of
the source code, even though third parties are not compelled to copy the source along with the object
code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided
under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License. However, parties who have
received copies, or rights, from you under this License will not have their licenses terminated so long
as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else
grants you permission to modify or distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by modifying or distributing the
Program (or any work based on the Program), you indicate your acceptance of this License to do so,
and all its terms and conditions for copying, distributing or modifying the Program or works based on
it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions
of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may not distribute the
Program at all. For example, if a patent license would not permit royalty-free redistribution of the
Program by all those who receive copies directly or indirectly through you, then the only way you
could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity
of the free software distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software distributed through that
system in reliance on consistent application of that system; it is up to the author/donor to decide if he
or she is willing to distribute software through any other system and a licensee cannot impose that
choice.




                                                                                                        xv
                   This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
                   this License.
                   8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
                   copyrighted interfaces, the original copyright holder who places the Program under this License may
                   add an explicit geographical distribution limitation excluding those countries, so that distribution is
                   permitted only in or among countries not thus excluded. In such case, this License incorporates the
                   limitation as if written in the body of this License.


                   9. The Free Software Foundation may publish revised and/or new versions of the General Public
                   License from time to time. Such new versions will be similar in spirit to the present version, but may
                   differ in detail to address new problems or concerns.
                   Each version is given a distinguishing version number. If the Program specifies a version number of
                   this License which applies to it and "any later version", you have the option of following the terms
                   and conditions either of that version or of any later version published by the Free Software
                   Foundation. If the Program does not specify a version number of this License, you may choose any
                   version ever published by the Free Software Foundation.
                   10. If you wish to incorporate parts of the Program into other free programs whose distribution
                   conditions are different, write to the author to ask for permission. For software which is copyrighted
                   by the Free Software Foundation, write to the Free Software Foundation; we sometimes make
                   exceptions for this. Our decision will be guided by the two goals of preserving the free status of all
                   derivatives of our free software and of promoting the sharing and reuse of software generally.
                   NO WARRANTY
                   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
                   FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT
                   WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
                   PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
                   EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
                   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
                   THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS
                   WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
                   ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
                   12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
                   WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
                   AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU
                   FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
                   CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
                   PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
                   RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
                   FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF
                   SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
                   DAMAGES.
                   END OF GNU TERMS AND CONDITIONS
                   Barracuda Networks Products may contain programs that are copyright (c)1995-2005 International
                   Business Machines Corporation and others. All rights reserved. These programs are covered by the
                   following License: "Permission is hereby granted, free of charge, to any person obtaining a copy of
                   this software and associated documentation files (the "Software"), to deal in the Software without
                   restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
                   and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
                   provided that the above copyright notice(s) and this permission notice appear in all copies of the

xvi   Barracuda Load Balancer Administrator’s Guide
Software and that both the above copyright notice(s) and this permission notice appear in supporting
documentation."
Barracuda Networks Products may include programs that are covered by the BSD License:
"Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
The names of the authors may not be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED ''AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE."
Barracuda Networks Products may include the libspf library which is Copyright (c) 2004 James
Couzens & Sean Comeau, All rights reserved. It is covered by the following agreement:
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: 1. Redistributions of source code must retain the
above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in
binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution. THIS
SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Barracuda Networks Products may contain programs that are Copyright (c) 1998-2003 Carnegie
Mellon University. All rights reserved. Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met: 1. Redistributions
of source code must retain the above copyright notice, this list of conditions and the following
disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials provided with
the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote
products derived from this software without prior written permission. For permission or any other
legal details, please contact Office of Technology Transfer, Carnegie Mellon University, 5000
Forbes Avenue, Pittsburgh, PA 15213-3890 (412) 268-4387, fax: (412) 268-7395, tech-
transfer@andrew.cmu.edu . Redistributions of any form whatsoever must retain the following
acknowledgment: "This product includes software developed by Computing Services at Carnegie
Mellon University (http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, AND IN NO EVENT
SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,


                                                                                                   xvii
                    NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
                    WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                    Barracuda Networks Software may include programs that are covered by the Apache License or other
                    Open Source license agreements. The Apache license is re-printed below for you reference. These
                    programs are copyrighted by their authors or other parties, and the authors and copyright holders
                    disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.




                                           Apache License
                                       Version 2.0, January 2004
                                      http://www.apache.org/licenses/
                    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
                    1. Definitions.
                    "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by
                    Sections 1 through 9 of this document.
                    "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is
                    granting the License.
                    "Legal Entity" shall mean the union of the acting entity and all other entities that control, are
                    controlled by, or are under common control with that entity. For the purposes of this definition,
                    "control" means (i) the power, direct or indirect, to cause the direction or management of such entity,
                    whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding
                    shares, or (iii) beneficial ownership of such entity.
                    "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this
                    License.
                    "Source" form shall mean the preferred form for making modifications, including but not limited to
                    software source code, documentation source, and configuration files.
                    "Object" form shall mean any form resulting from mechanical transformation or translation of a
                    Source form, including but not limited to compiled object code, generated documentation, and
                    conversions to other media types.
                    "Work" shall mean the work of authorship, whether in Source or Object form, made available under
                    the License, as indicated by a copyright notice that is included in or attached to the work (an example
                    is provided in the Appendix below).
                    "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or
                    derived from) the Work and for which the editorial revisions, annotations, elaborations, or other
                    modifications represent, as a whole, an original work of authorship. For the purposes of this License,
                    Derivative Works shall not include works that remain separable from, or merely link (or bind by
                    name) to the interfaces of, the Work and Derivative Works thereof.
                    "Contribution" shall mean any work of authorship, including the original version of the Work and any
                    modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted
                    to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity
                    authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted"
                    means any form of electronic, verbal, or written communication sent to the Licensor or its
                    representatives, including but not limited to communication on electronic mailing lists, source code
                    control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the



xviii   Barracuda Load Balancer Administrator’s Guide
purpose of discussing and improving the Work, but excluding communication that is conspicuously
marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a
Contribution has been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those patent claims licensable by such
Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the
Work or a Contribution incorporated within the Work constitutes direct or contributory patent
infringement, then any patent licenses granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof
in any medium, with or without modifications, and in Source or Object form, provided that You meet
the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files;
and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright,
patent, trademark, and attribution notices from the Source form of the Work, excluding those notices
that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works
that You distribute must include a readable copy of the attribution notices contained within such
NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at
least one of the following places: within a NOTICE text file distributed as part of the Derivative
Works; within the Source form or documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and wherever such third-party notices normally
appear. The contents of the NOTICE file are for informational purposes only and do not modify the
License. You may add Your own attribution notices within Derivative Works that You distribute,
alongside or as an addendum to the NOTICE text from the Work, provided that such additional
attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or
different license terms and conditions for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally
submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions
of this License, without any additional terms or conditions. Notwithstanding the above, nothing
herein shall supersede or modify the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.




                                                                                                        xix
                  6. Trademarks. This License does not grant permission to use the trade names, trademarks, service
                  marks, or product names of the Licensor, except as required for reasonable and customary use in
                  describing the origin of the Work and reproducing the content of the NOTICE file.
                  7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor
                  provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
                  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
                  including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT,
                  MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible
                  for determining the appropriateness of using or redistributing the Work and assume any risks
                  associated with Your exercise of permissions under this License.
                  8. Limitation of Liability. In no event and under no legal theory, whether in tort (including
                  negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly
                  negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including
                  any direct, indirect, special, incidental, or consequential damages of any character arising as a result
                  of this License or out of the use or inability to use the Work (including but not limited to damages for
                  loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial
                  damages or losses), even if such Contributor has been advised of the possibility of such damages.
                  9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works
                  thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity,
                  or other liability obligations and/or rights consistent with this License. However, in accepting such
                  obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of
                  any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor
                  harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your
                  accepting any such warranty or additional liability.
                  END OF TERMS AND CONDITIONS
                  Barracuda Networks makes available the source code used to build Barracuda products available at
                  source.barracuda.com. This directory includes all the programs that are distributed on the Barracuda
                  products. Obviously not all of these programs are utilized, but since they are distributed on the
                  Barracuda product we are required to make the source code available.




xx   Barracuda Load Balancer Administrator’s Guide
    Index


A                                                     E
Adaptive Scheduling 47, 48                            Enable, Real Server 74
administration interface                              Energize Updates 78
     logging in 38
Administration page 72, 75, 78                        F
Advanced IP Config page 54, 55                        failed system, replacing 78
alerts 75                                             Failover IP Address 64
                                                      firewall, configuring 38
B                                                     Firmware Update page 77
back panel details iv                                 front panel details ii
backing up configuration 77
Backup page 77                                        G
Barracuda Load Balancer                               Geo IP 65
    configuring 38, 44, 53                            GSLB Response Policies 64
    managing 77
    monitoring 74                                     H
Barracuda Load Balancer Terminology 16
                                                      hardware compliance information v
Barracuda Spam & Virus Firewall, deploying with the
                                                      hardware test 80
         Barracuda Load Balancer 23
                                                      Health page 74
Bridge mode with VLANs 54
                                                      High Availability 17
Bridge-Path 16, 26
                                                          updating firmware 77
By Priority 65
                                                      I
C
                                                      IP address
caching ARP requests 58                                   setting 37
character tags 81, i, vii                             IP Configuration page 54
cluster 58
configuring, Barracuda Load Balancer 38               L
Content rules 51
                                                      Last Resort Server 12, 16, 45, 50, 52
Content rules, extended match 51
                                                      Layer 7 - RDP Service, scheduling 49
Content rules, host match 51
                                                      Logical Network 16
content rules, how to create 51
content rules, how to edit 51                         M
Content rules, URL match 51
                                                      Maintenance, Real Server 45, 74
D                                                     modify HTTP request or response headers 52
                                                      monitoring
definitions, updating 41, 78                             Services 74
diagnostic memory test 80
Direct Server Return 16, 26, 28
Disabled, Real Server 45, 74

Index - xxi
N                                   updating
                                        definitions 41, 78
network time protocol 39                firmware 77
notifications 75                    updating firmware 77
NTP 39
                                    V
P
                                    Virtual IP (VIP) 16
Persistence 16
Physical Network 16                 W
proxy server 54
                                    WAN IP Address 17
                                    Weighted Least Connections 49
R
                                    Weighted Round-Robin 49
Real Server 16
Real Server weight, pre-assign 48   X
reboot options 79                   X-Forwarded-For 52
recovery mode 79
Region Only 65
re-imaging system 80
reloading the system 78
remote administration 80
repairing, file system 80
replacing failed system 78
RESET button, using 78
restarting the system 78
restoring configuration 77
Route-Path 16

S
Scheduling policy 16
Server Farm 16
Service 16
Service Monitor 16, 45, 74
Services, monitoring 74
shutting down the system 78
SNMP traps 75
SSL Certificates 47
SSL Offloading 47
SSL offloading 47
SSL Offloading, configuring 47
Status page 75

T
Task Manager page 76
TCP ports 38
testing memory 80
time zone, setting 72
Troubleshooting page 79

U
UDP ports 38

xxii - Index

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:3
posted:2/8/2012
language:
pages:108