1. Barracuda Link Balancer

1. Barracuda Link Balancer
1. Barracuda Link Balancer - Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1 What's New in the Barracuda Link Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Capabilities of the Barracuda Link Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.1 Barracuda Link Balancer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.2 Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.3 Installation in Front of Your Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.3.1 How to Add an Additional ISP Link in Firewall Disabled Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.3.2 Configuring the Barracuda Link Balancer for Two Independent ISP Links and Firewalls . . . . . . . . . . . . . . . . . . . . . . .
1.3.4 Installation Replacing Your Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3.5 Hardware Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.1 Step 1: Configure Administrative Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4.2 Step 2: Configure Networking Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.1 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.1.1 DNS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.1.2 How to Configure the DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2 Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2.1 Routing Outbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2.2 How To Create IP/Application Routing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2.3 How to Create Outbound Source NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.2.4 Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.1 Firewall Rules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.2 How to Create Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.3 How to Create Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.4 How to Create Custom Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.5 How to Create NAT Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.3.6 How to Create Port Forwarding Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.4 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.4.1 Site-to-Site VPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.4.2 How to Create a Site-to-Site VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5.4.3 Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.1 High Availability Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.2 Planning Your High Availability Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.3 How to Create a High Availability Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.4 How to Remove a System from a Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6.5 How to Update the Firmware on Clustered Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.1 Basic Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.2 SNMP Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.3 System Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7.4 Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8 Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.1 Reloading, Restarting, and Shutting Down the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.2 How to Backup and Restore Your System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.3 How to Update the Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8.4 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.9 Limited Warranty and License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2
3
6
7
8
11
15
18
19
21
24
25
26
28
30
31
33
34
37
38
39
40
41
42
43
44
45
46
47
48
50
51
53
55
61
62
64
66
67
68
69
70
72
73
74
75
76
78
80
81
82
Barracuda Link Balancer Administrator's Guide - Page
2
Barracuda Link Balancer - Overview
en
The Barracuda Link Balancer routes and manages traffic across multiple Internet connections or WAN links. By using multiple inexpensive
connections from one or more Internet service providers, you can reduce the need to purchase high speed and high cost links. Supported links
include T1, T3, E1, DSL, cable, fiber optic, MPLS, and VLAN.
Getting Started
Step 1: Configure Administrative Settings
Step 2: Configure Networking Settings
Download the Barracuda Link Balancer Quick Start Guide
Barracuda Link Balancer Quick Start Guide
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
3
What's New in the Barracuda Link Balancer
en
Before installing any firmware version, back up your configuration and read all release notes that apply to versions more recent than
the one currently running on your system.
Do not manually reboot your system at any time during an update unless otherwise instructed by Barracuda Technical Support.
Depending on your current firmware version and other system factors, updating can take up to 10 minutes. If the process takes longer,
contact Barracuda Technical Support for further assistance.
Firmware Version 2.6
New Features
DNS Security Extension is available on ADNS.
NAT-T supported on MPLS to VPN Failover.
Now supports two DHCP Working Modes: DHCP Server or DHCP Relay Agent.
VLAN tags can be set for PPPoE WAN links.
TLS Protocol option for SRV Records.
Static ARP table allows VLAN interfaces.
Fixes
VPN tunnel traffic and bandwidth reports generate. (BNWB-3679)
Alerts email from address appears as hostname@domain.name. (BNWB-3637)
ADNS responds to queries even when set to BACKUP > Inbound. (BNWB-3373)
Firmware Version 2.5.2
Fixes
NTP Security Vulnerability CVE-2014-9295
SSLv3 has been disabled in the web interface to mitigate CVE-2014-3566 (SSL POODLE).(BNWB-3845)
Web page error while uploading the VPN Certificate.(BNWB-3817)
Routes deleted based on interface for Same Gateway Deployments. (BNWB-3801)
Firmware Version 2.5.1
Fixes
Static DHCP leases are no longer removed after upgrading to firmware version 2.5 (BNWB-3745).
Assigning static DHCP leases now works as expected. (BNWB-3626)
Assigning DHCP leases to machines tranferred from LANs to VLANs now works as expected. (BNWB-3614)
DHCP server now correctly assigns IP addresses on VLAN interfaces directly after a reboot of the unit. (BNWB-3655)
Reports now correctly include selected WAN links. (BNWB-3684)
VPN tunnels are now correctly re-established if the remote gateway IP address is temporarily unavailable. (BNWB-3681)
The @ character is no longer allowed in host names of VPN remote gateways. (BNWB-3678)
Input validation for Upstream Speed and Downstream Speed of configured links now works correctly. (BNWB-3651)
The DH Group configuration setting title is now correctly displayed. (BNWB-2630)
Changing configuration settings in ADVANCED > High Availability now works as expected. (BNWB-36214)
NAT/Port Forwarding rules are no longer removed if a VPN tunnel with the same name is deleted. (BNWB-3565)
NAT/Port Forwarding rules can now be introduced correctly if rules contain overlapping criteria. (BNWB-3549)
NAT/Port Forwarding rules with identical rule names no longer disappear when updating from older firmware versions . (BNWB-3186)
Outbound routing rules are now processed correctly. (BNWB-3554)
WAN IP addresses no longer get swapped when upgrading from older firmware versions.(BNWB-3404)
OpenSSL Vulnerability fix for CVE-2014-0224,CVE-2014-0160.
Rare Out of Memory condition on few deployments now fixed.
Firmware Version 2.5
New Features
Expiry time of a DNS record is now configurable per-domain using the SERVICES > Authoritative DNS > Domain > TTL field.
High-Availability failover now optionally also kicks in when individual WAN links are down. Use the new ADVANCED > High Availability
> Cluster Settings > Failover if all WAN links are down option to configure.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
4
VLAN interfaces are now configurable as WAN links.
Traffic shaping over multiple WAN links is now available. Configure the traffic shaping on the POLICY > Bandwidth Mgmt page.
Built-in DHCP server now provides different IP addresses to different VLANs. Configure the DHCP server subnets on the SERVICES >
DHCP Server page.
Driver updates for new hardware.
ADNS support to Delegate subdomains on the Link Balancer
Fixes
Connection to Barracuda Cloud Control had issues under some circumstances (BNWB-2742)
System QoS rules do not impact upload speed anymore (BNWB-3599)
Log partition is now prevented from filling up (BNWB-3513)
Uploading an image under the Appearance tab does not cause a temporarily unavailable page anymore (BNWB-3595)
Listen IP address in WAN1 Port forwarding rules does not change anymore to the WAN1 IP address on upgrading firmware to 2.5 with
WAN1 disabled (BNWB-3603)
High-Availablity deployments which had fluctuations in Firewall Disabled Mode (BNWB-3050)
Firmware Version 2.4
New Features
Live Reporting dashboard displaying Total Traffic, Top Ten Users and Top Ten Applications.
Support for 3G/4G USB modems.
Firmware Version 2.3
New Features
Replaced Inbound and Outbound Access Firewall Rules pages by new FIREWALL > Access Rules page. Rules editing has been
simplified as they can now be re-sorted using drag-and-drop. A new per-rule Exclude field has been added to exclude specific IP
addresses. New icon graphics further improve the rule list's usability.
Added application based configuration options to POLICY > Bandwidth Mgmt > Quality of Service Rules. It is now possible to simply
pick predefined application types within the Available Applications section and combine them to application bundles.
Added the option to configure static ARP entries on the ADVANCED > Advanced IP Config page.
Added time controls to Access Firewall rules.
Added integration with Barracuda Control Center for collective monitoring.
Firmware Version 2.3.1.003
Fixes
VPN Stabilty fixes.
Administration access settings through the WAN interface are now always retained on firmware upgrades. [BNWB-2917]
Diskspace no longer running low on upgrades.
Stale route cache issue no longer can prevent Internet access on failover/failback. [BNWB-3032]
Firmware Version 2.3, 2.3.0.035
Fixes
WAN2 interface no longer stops working, nor requires manual intervention. [BNWB-1918]
Firmware Version 2.2
New Features
Added an extensive set of reports that can be found on the BASIC > Reports page. Traffic reports and logs can be viewed on-demand
or scheduled for delivery to an FTP or SMB server or to an email address. These new reports are only available on models 330 and
above.
Added ability for any WAN link (e.g. MPLS link) to fail over to a VPN tunnel. This feature is available in firewall disabled mode.
An SNMP trap is now generated when a link that had been down becomes operational again.
Firmware Version 2.1
New Features
Advanced Bandwidth Management through Diffserv compliant Quality of Service Rules.Ability to specify policy based Bandwidth
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
5
Management controls.
Ability to specify policy based Bandwidth Management controls.
Ability to create VLAN interfaces.
Improved Outbound Routing functionality.
NAT-Traversal support for VPN tunnels.
Firmware Version 2.1.2.003
Fixes
Resolved PPPoE negotiation issues.
CNAME records that use the character @ in the canonical name can now be created. [BNWB-1939].
Time zone changes are now reflected in the logs.
Firmware Version 2.1.1.010
Known Issue
Due to an increase in firmware size, some customers may experience a problem when installing this version. In particular, an error may
occur if three unique firmware versions have already been installed (Factory Installed, Previously Installed and Currently Installed are all
different versions). If the Apply Firmware step does not complete successfully, call Barracuda Networks Technical Support for
assistance. This issue affects only the installation of the firmware.
Fixes
The issue where multiple links being configured at the same time caused the interfaces not to be brought up correctly has been fixed.
An issue with PPPoE connection management is now fixed.
Multiple issues with firewall port forwarding rules that occurred when an application was specified in the rules are now fixed.
Firewall inbound rules are now honored for traffic that is 1:1 NAT'ed to static routes on the LAN side.
Firmware Version 2.1.0.018
Features
Improved presentation and usability of Bandwidth Management UI.
Known issue
Updating the configuration for multiple links at the same time on the BASIC > Links page may cause the interfaces to be not brought up
correctly. As a workaround, update only one link at a time.
Firmware Version 2.1.0.017
Fixes
Fixed a number of issues with IP/Application Routing.
If all the WAN links are down, the active Barracuda Link Balancer no longer fails over to the backup system in an HA environment.
Firmware Version 2.1.0.012
Features
Added ability to use dynamic WAN links such as DHCP and PPPoE as Authoritative DNS Servers.
Added support for bulk edit on a number of UI screens.
Improved troubleshooting options.
Increased robustness of link health monitoring.
Can now support IP addresses in the same WAN subnet on both LAN and WAN side in firewall disabled mode.
Private self signed certificates can now be downloaded to Link Balancer on ADVANCED > Secure Administration page.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
6
Capabilities of the Barracuda Link Balancer
en
The Barracuda Link Balancer routes and manages traffic across multiple Internet connections or WAN links. By using multiple inexpensive
connections from one or more Internet service providers, you can reduce the need to purchase high speed and high cost links. Supported links
include T1, T3, E1, DSL, cable, fiber optic, MPLS, and VLAN.
The Barracuda Link Balancer includes the following key features:
Balances incoming and outgoing network traffic across multiple links.
Provides automated failover in case of link failure.
Manages bandwidth.
Performs Quality of Service (QoS) for Internet applications.
Includes a DHCP server, an Authoritative DNS (ADNS) server, and DNS caching server functionality.
Can act as a traditional firewall or can be installed in front of your existing firewall.
Provides site-to-site VPNs with link failover and failback.
Supports USB 3G devices.
Provides extensive logging and live reporting functionalities.
The Barracuda Link Balancer is not specifically designed for load balancing that distributes incoming traffic across servers. The Barracuda Load
Balancer much better meets those needs. As shown in the figure below, the Barracuda Link Balancer provides an interface between multiple
Internet connections and your clients and servers.
To install and configure, continue with the Deployment section.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
7
Deployment
en
The Barracuda Link Balancer can operate in two different modes. Choose an operation mode before installing. The two most common
deployment methods are:
Deployment in front of your firewall - Keep your existing firewall, and insert the Barracuda Link Balancer between your firewall and the
Internet.
Deployment replacing your firewall - Replace your firewall with the Barracuda Link Balancer.
Barracuda Networks recommends that you read the overview section before installation.
In this Section:
Barracuda Link Balancer Overview
Deployment Options
Installation in Front of Your Firewall
Installation Replacing Your Firewall
Hardware Compliance
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
8
Barracuda Link Balancer Overview
en
This article provides an overview of the key features of the Barracuda Barracuda Link Balancer. Before deploying the Barracuda Link Balancer,
you need to understand the following concepts:
In this article:
en
Link Management
Aggregating Link Bandwidth
Link Failover
Outbound Link Load Balancing
Inbound Link Balancing and Failover
VLAN Support
High Availability
Persistence
Bandwidth Management and Quality of Service (QoS)
Traditional Firewall
Site-to-Site VPN and Link Failover
Ability to Deploy with Your Network Firewall
Local Network Services
Reporting
Web Interface
Link Management
The Barracuda Link Balancer can manage links that have static or dynamic (DHCP) IP addresses and can authenticate using PPPoE.
Aggregating Link Bandwidth
The Barracuda Link Balancer automatically aggregates Internet bandwidth from multiple links. Administrators can choose multiple links from one
or more ISPs to consolidate access to affordable Internet bandwidth. Any single session (e.g. a TCP stream) has only the bandwidth from a
single WAN link. A computer connected to more than one remote site may have more than one session.
Link Failover
The Barracuda Link Balancer continually monitors the health of each Internet link, only using healthy links. If it detects a link failure, the failed link
is removed from link balancing. When a failed link becomes available again, the Barracuda Link Balancer detects that, and resumes using it. This
does not require any administrator intervention. If a link fails, existing sessions on that link will be disconnected. Clients connected to the failed
link can reconnect quickly to their destination using another available link, rather than waiting for the original link to be restored.
Outbound Link Load Balancing
When the Barracuda Link Balancer detects traffic from a client IP address going to a new destination IP address, a link is selected by calculating
the available capacity for each link based on uplink speed and current usage, and using the link with the largest available capacity. If needed, you
can create outbound routing rules to override this selection process.
Inbound Link Balancing and Failover
The Barracuda Link Balancer uses authoritative DNS to direct incoming connections to a WAN link. When an external user accesses a website
hosted behind the Barracuda Link Balancer, for example, the Barracuda Link Balancer receives a DNS request for the IP address of that website.
The Barracuda Link Balancer responds with the IP address, which directs the traffic to a WAN link. When determining which IP address to return,
the available capacity is calculated for each link based on configured speed and current usage. The link with the largest available capacity is
returned so that adaptive inbound load balancing is achieved. Also, failed link addresses are not returned. To accomplish this, the Barracuda Link
Balancer acts as an authoritative DNS server for the domains or sub-domains that you host. You can create DNS records on the Barracuda Link
Balancer to identify your domain and to map that domain to multiple externally accessible IP addresses.
VLAN Support
The Barracuda Link Balancer supports Layer 2 VLANs.
High Availability
The Barracuda Link Balancer supports High Availability configurations where two Barracuda Link Balancers are deployed as an active-passive
pair.
Persistence
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
9
The Barracuda Link Balancer automatically tracks the IP addresses of each client / source and corresponding server / destination. As long as the
source and destination IP address pair are the same, traffic between them uses the same link. In addition, any one source and destination IP
address pair is tied to a specific link for up tot 15 minutes of inactivity. Already tracked source IP address traffic may be sent on a different link if
the destination IP address is unique.
Bandwidth Management and Quality of Service (QoS)
The Barracuda Link Balancer includes software that can automatically prioritize critical Internet applications. For example, you can assign priority
to web browsing and email while giving peer-to peer applications and media streaming a lower priority. In this way, you can ensure that
bandwidth-intensive applications do not interfere with business-critical operations.
Traditional Firewall
The Barracuda Link Balancer incorporates standard firewall functions, including:
Network Address Translation (NAT).
IP masquerading - Clients in the internal network are protected from the Internet. All Internet services appear to be provided by the
Barracuda Link Balancer firewall, while the internal clients remain invisible.
1:1 NAT - You can directly assign external addresses to internal servers. Ideal for hosting internal applications or services requiring
regular outbound requests such as SMTP, 1:1 NAT provides a secure method to match additional external addresses with a single
internal server for inbound and outbound traffic.
Port forwarding (or Port Address Translation) - Traffic to the same port across one or more multiple links is directed to an internal client.
Many to 1 NAT - One internal server may receive traffic from more than one WAN link. You can achieve this by creating 1:1 NAT rules or
port forwarding rules.
IP access lists - Use IP access lists to allow or deny access, either inbound or outbound, to remote networks, clients, applications,
services and ports.
Port blocking.
Assistance in preventing and mitigating distributed denial of service attacks (DDoS).
Site-to-Site VPN and Link Failover
You can create a site-to-site VPN tunnel between two Barracuda Link Balancers or between a Barracuda Link Balancer and another device that
supports IPsec. Networks connected via a tunnel communicate as if they are on the same network, even though they are separated by the
Internet. This functionality allows your site-to-site VPN tunnel to automatically failover to a secondary link in case the primary link fails.
Ability to Deploy with Your Network Firewall
If you already have a firewall that meets your requirements, you can use the link balancing, failover and bandwidth management capabilities of
the Barracuda Link Balancer and disable its firewall functionality. As you can see in the figure below, you can add the Barracuda Link Balancer to
your network without removing your firewall, with minimal disruption to your existing network.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
10
Local Network Services
The Barracuda Link Balancer includes the following local network services:
DHCP server - The Barracuda Link Balancer can automatically provision client IP addresses using the DHCP protocol. Along with
defining traditional DHCP options, administrators may view active leases in real time.
DNS caching server - The Barracuda Link Balancer caches responses to DNS queries so that repetitive DNS requests are served quickly
and locally.
Reporting
A variety of trend and activity reports for the WAN links, VPNs and other system components can be generated on-demand or scheduled.
Reporting is only available on models 330 and above.
Web Interface
The Barracuda Link Balancer configuration can be administered through an SSL-secured web interface. Access can be through the LAN or, if
configured, any WAN interface. The web interface also allows you to view traffic statistics, monitor network component health, and troubleshoot.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
11
Deployment Options
en
The Barracuda Link Balancer can operate in two different modes:
Deployment replacing your firewall.
Deployment
in front of your firewall, with the Barracuda Link Balancer between your firewall and the
Internet.
The Barracuda Link Balancer firewall provides full firewall functionality. You need to decide whether you want
to keep or replace your existing firewall. If you decide to keep your existing firewall, you can disable the
Barracuda Link Balancer firewall while still making use of the Barracuda Link Balancer link balancing, failover,
and bandwidth management capabilities.
In this article:
en
Deployment In Front of Your Firewall
Deployment Replacing Your Firewall
Overview of the Installation Steps
The following table describes considerations when choosing a deployment method.
Criterion
Barracuda Link Balancer In Front of Your
Firewall
Barracuda Link Balancer Replacing Your
Firewall
Network Location
The Barracuda Link Balancer is deployed
between your existing firewall and the
Internet.
The Barracuda Link Balancer acts as your
firewall.
Barracuda Link Balancer LAN IP Address
Used only for management. Can be any
internal or public address that can be
reached through your existing firewall from
the LAN.
The default gateway for your network.
Firewall Rules
No changes to your existing firewall.
You will need to recreate any existing firewall
rules on the Barracuda Link Balancer.
WAN Link
If you are enabling inbound access to
resources behind the Barracuda Link
Balancer, such as a web server, at least one
WAN link must have a static IP address.
The Barracuda Link Balancer may use the
same IP address that had been used by your
firewall.
Site to Site VPN
If you already have a site-to-site VPN, it
should be terminated on your existing
firewall. VPN traffic has one source IP
address so it goes out on only one WAN link.
It is recognized as VPN traffic so it will not be
NAT’d by the Barracuda Link Balancer. No
failover or failback is available. Alternatively,
make the Barracuda Link Balancer a VPN
endpoint to achieve failover and failback to
and from a secondary link.
Failover and failback to and from a
secondary link.
Deployment In Front of Your Firewall
Figure 1: Example network that has both client and server traffic.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
12
The next figure shows the same network with a Barracuda Link Balancer installed with no changes to the configuration of the existing firewall. A
new WAN link has been added.
In this network:
The Barracuda Link Balancer has a static IP address on WAN1 that is on the same network as the firewall and the externally visible
servers.
The clients are on a different subnet from all WAN links.
The external IP address and gateway of the firewall remain the same.
The gateway IP addresses of the Barracuda Link Balancer and the firewall are provided by the ISPs. The firewall provides the gateway
for the LAN devices.
The Barracuda Link Balancer LAN IP address can be any internal or public address that can be reached through your existing firewall
from the LAN. You may allocate an external IP address for it, or choose a non-routable IP address. If the latter, it should be on a
different subnet than the LAN devices already on the network. Remember that if the firewall does not recognize an address as local, it
will pass it to the Barracuda Link Balancer.
Figure 2: Barracuda Link Balancer installed with no changes to the configuration of the existing firewall.
For detailed instructions on how to setup your Barracuda Link Balancer in front of your firewall, see: Installation in Front of Your Firewall.
Deployment Replacing Your Firewall
Figure 3: Another example of a network that has both client and server traffic.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
13
The next figure shows a sample network with a Barracuda Link Balancer installed and replacing the customer firewall. A new WAN link has been
added.
In this network:
The Barracuda Link Balancer uses the same IP address for WAN1 that the firewall had used.
The LAN devices and the LAN interface of the Barracuda Link Balancer must be on a different subnet than all WAN links.
The Barracuda Link Balancer gateway IP addresses are provided by the ISPs.
The gateway of the LAN devices is the LAN IP address of the Barracuda Link Balancer.
Traffic to the servers is passed using port forwarding rules on the Barracuda Link Balancer.
If your servers are externally accessible, reconfigure those servers with private IP addresses. Then create 1:1 NAT rules to map the external IP
addresses to the respective private IP addresses of the servers.
Figure 4: Example network with a Barracuda Link Balancer installed and acting as a firewall, replacing the existing firewall.
For detailed instructions on how to setup your Barracuda Link Balancer to replace your firewall, see: Installation Replacing Your Firewall.
Overview of the Installation Steps
The following table provides an overview of the steps required to deploy the Barracuda Link Balancer in your network.
In Front of Your Firewall
Replacing Your Firewall
Prepare to install, including getting a WAN link with a static IP
address.
Prepare to install.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
14
Activate the Barracuda Link Balancer with Temporary Network
Settings.
Activate the Barracuda Link Balancer with Temporary Network
Settings.
Get Latest Firmware Version.
Get Latest Firmware Version.
Disable the Barracuda Link Balancer Firewall.
Configure Permanent WAN Settings.
Configure WAN and LAN Permanent Settings.
Configure the Barracuda Link Balancer Firewall.
Permanently Install the Barracuda Link Balancer.
Configure Permanent LAN IP Address.
Test Connectivity.
Permanently Install the Barracuda Link Balancer.
Continue with: Installation in Front of Your Firewall.
Continue with Installation Replacing of Your Firewall
In transparent mode (Firewall disabled mode, "In Front of your Firewall"), the IP addresses of LAN (Ethernet) and WAN1 ports must
NOT reside within the same subnet in order to allow transparent mode to work as intended.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
15
Installation in Front of Your Firewall
en
Use these detailed instructions to deploy the Barracuda Link Balancer between the Internet and your firewall, completely configuring the
Barracuda Link Balancer before connecting it to your production system.
In this mode, with the Barracuda Link Balancer firewall disabled, you need an additional static IP address to deploy the Barracuda Link
Balancer. If you do not have an extra static IP address, you may need to order one from your ISP.
In this article:
en
Step 1. Prepare for the Installation
Step 2. Activate the Barracuda Link Balancer with Temporary Network Settings
Step 3. Update Firmware
Step 4. Disable the Barracuda Link Balancer Firewall
Step 5. Configure WAN and LAN Permanent Settings
Step 6. Install in the Production Network
Step 7. Test Connectivity
Step 8. Configure your Local Network
Step 1. Prepare for the Installation
Do the following before installing your Barracuda Link Balancer:
1. Verify that you have the necessary equipment: Barracuda Link Balancer, AC power cord (included), Ethernet cables, a PC with a web
browser.
2. Plug in the Barracuda Link Balancer and power it on.
To enable inbound access to resources behind the Barracuda Link Balancer, such as a web server, you must provide at least one WAN link with
a static IP address for receiving incoming traffic.
Step 2. Activate the Barracuda Link Balancer with Temporary Network Settings
Follow these steps to configure the Barracuda Link Balancer with temporary settings and activate it:
1. Change the network settings of a PC with a web browser installed to use an IP address of 192.168.200.10, subnet mask of
255.255.255.0, and gateway of 192.168.200.200.
2. Depending on the model, there may be a LAN port on the front or back side of the Barracuda Link Balancer. Connect an Ethernet cable
from the PC to that port.
3.
4.
5.
6.
7.
8.
9.
10.
Start the web browser and access the web interface by typing http://192.168.200.200:8000 .
Login with the default username admin and the default password admin .
Go to the BASIC > Links page and click on one of the WAN ports displayed in the graphic.
In the Links Configuration section, set the Type of the WAN link to DHCP to acquire an address in the
office network. Alternatively, set the link Type to Static and enter a specific IP address.
Click Save Changes .
Connect an Ethernet cable from the corresponding WAN port on the front of the Barracuda Link
Balancer into your office network. You should now have Internet connectivity from your PC.
At the top of every page, you may see an activation warning message. Click on the link in the warning
message or use the link on the BASIC > Status page to open up the Barracuda Networks Product
Activation page in a new browser window.
Fill in the required fields and click Activate . A confirmation page opens to display the terms of your
subscription. On the BASIC > Status page, you may need to enter the activation code from the Barracu
Copyright © 2015, Barracuda Networks Inc.
10.
Barracuda Link Balancer Administrator's Guide - Page
16
da Networks Product Activation page to activate your Barracuda Link Balancer.
If your subscription status does not change to Current, or if you have trouble filling out the Product Activation page, call your Barracuda
Networks sales representative.
Step 3. Update Firmware
You should read the release notes to learn about the features of a firmware update before applying it.
1. Go to the ADVANCED > Firmware Update page. If there is a new Latest General Release available (the Download Now function is
enabled), perform the following steps to update the system firmware:
2. Click Download Now next to the Latest General Release firmware version.
3. Click OK to acknowledge the download duration message. To avoid damaging the Barracuda Link Balancer, do not power off during an
update or download. To view the progress of the download, click Refresh. You will be notified when the download is complete.
4. Click Apply Now to apply the firmware.
5. Click OK to acknowledge the reboot message. Applying the firmware takes a few minutes to complete.
After the firmware has been applied, the Barracuda Link Balancer automatically reboots. When the system comes back up, the login page is
displayed. Log in again.
Step 4. Disable the Barracuda Link Balancer Firewall
To use your existing firewall, you must disable the Barracuda Link Balancer firewall:
1. Go to the BASIC > IP Configuration page and disable the Network Firewall.
2. Click OK to acknowledge the reboot message.
The Barracuda Link Balancer will reboot.
Step 5. Configure WAN and LAN Permanent Settings
Configure the permanent settings for the WAN links that will be connected to the Barracuda Link Balancer. Some of the configuration information
for the WAN links is provided by your ISP. Be sure to enter these values correctly.
1. Unplug the Ethernet cable connecting the WAN port to your office network.
2. After the Barracuda Link Balancer has rebooted, log into the web interface and go to the BASIC > Links page.
3. For each link that will be connected to this unit:
a. Click the relevant WAN port displayed in the graphic.
b. In the Links Configuration section, enter the details for the link to be connected to the WAN port.
c. If the interface uses a static IP address, then you will see the Additional IP Addresses list. These are the public IP addresses
that can be reached via the Internet behind the Barracuda Link Balancer, including the address of your firewall. These need to
be identified so that traffic can be accepted and directed to them. The Barracuda Link Balancer is able to locate these addresses
automatically, so creating this list is optional but may slightly improve efficiency. To manually create the list, enter the IP
addresses or click Discover to populate a list of IP addresses of live systems that are on the same Class C network as this
WAN interface. The Discover button is only visible if there are no entries in the Additional IP Addresses list and if the built-in
firewall is disabled.
If you are enabling inbound access to resources behind the Barracuda Link Balancer, such as a web server, you must
provide at least one WAN link with a static IP address for receiving the incoming traffic.
4. Click Save Changes.
5.
If desired, change the LAN/Management IP address of the Barracuda Link Balancer to its permanent
setting.
The LAN IP address is only used for management of the Barracuda Link Balancer. (The WAN IP
addresses can also be used to access the management interface). The LAN IP address can be any
private or public address reachable through your existing firewall from the LAN. If the default address of
192.168.200.200 meets this criteria, there is no need to change it.
To change the LAN/Management IP address,
a. Go to the BASIC > IP Configuration page.
b. Change the IP Address and Subnet Mask .
c. Click Save Changes . If the address is on a different subnet, your connection will terminate.
Copyright © 2015, Barracuda Networks Inc.
c.
Barracuda Link Balancer Administrator's Guide - Page
17
In Firewall disabled mode, the IP addresses of LAN (Ethernet) and WAN1 ports must NOT reside within the same
subnet.
6.
Power down your Barracuda Link Balancer using the power button on the front of the unit.
If you connect more than one ISP link to your Barracuda Link Balancer, you need to perform a few additional configuration steps.
Please refer to How to Add an Additional ISP Link in Firewall Disabled Mode.
Step 6. Install in the Production Network
Now that the Barracuda Link Balancer is configured, install it in its permanent location and connect it to your WAN links:
1. Mount the Barracuda Link Balancer in a 19-inch rack or place it in a stable location. To ensure proper ventilation, do not block the cooling
vents on the front and back of the unit.
2.
3.
Connect each of the cables from the Internet links into a WAN port on the front of the Barracuda Link
Balancer. The ports are labeled WAN1, WAN2, etc. These ports correspond to the WAN ports that you
configured in the web interface. Be sure to connect them according to your configuration.
If there is a LAN port on the front of the Barracuda Link Balancer, connect an Ethernet cable from the
outside interface of your existing network firewall to that LAN port. If there is no LAN port on the front,
connect the outside interface of your existing network firewall to the LAN Ethernet port on the back
panel of the Barracuda Link Balancer. You should see some activity on both the yellow and green lights
on the LAN port. If not, you may need to use a crossover cable.
Step 7. Test Connectivity
Now you are ready to test the connectivity to your existing firewall and the systems connected to it. There is no need to change your firewall
network configuration - your network firewall should continue to use the ISP-provided gateway address.
1. Confirm that you can access the Internet from a client computer on your LAN. If this works, continue.
2. On the test system, log into the web interface using the permanent LAN IP address.
3. Go to the BASIC > Links page. The status of each link should appear as Connected. You can see the utilization of each link by moving
the mouse over the graphic.
4. On the test system, generate some traffic, by, for example, opening more tabs in the browser of the test system and downloading files
from the internet. You can FTP files from a number of different sites or use torrent to get the traffic to flow on multiple links.
5. Go to the BASIC > Status page to view graphs that show the incoming and outgoing traffic for each link.
If you have connectivity issues, clear the ARP caches of your existing network components such as the firewall, routers and modems.
In some cases, you may need to reboot these devices.
You do not need to update your existing firewall configuration unless you want to make it aware of the new WAN link(s). To do so:
Add firewall rules so that traffic from the new links is handled correctly.
If you want to be able to manage your existing firewall remotely, add an alias on your firewall for the other links in case the first link is
unavailable.
Your Barracuda Link Balancer should be ready for operation. There are a number of other configuration options available referred to on the
following pages.
Step 8. Configure your Local Network
If you have disabled the firewall for the Barracuda Link Balancer, you must configure your local network to meet certain prerequisites before
adding new ISP links in addition to your existing ISP. To do so, follow the instructions given in How to Add an Additional ISP Link in Firewall
Disabled Mode.
After completing all installation instructions, continue with the basic configuration Step 1: Configure Administrative Settings.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
18
How to Add an Additional ISP Link in Firewall Disabled Mode
en
This article provides step-by-step instructions for adding an additional ISP link (ISP #2) that will be connected
to WAN2, while the existing ISP (ISP #1) remains connected to WAN1. Adding more than one additional ISP
works identically.
To add a secondary ISP link, complete the following steps:
en
Step 1: Add the DNS of the Secondary ISP to the Local Network Configuration
Step 2: Assign a New IP Address from ISP #2 to WAN2
Step 3: Clear the ARP Cache on the Router for ISP #2
Step 1: Add the DNS of the Secondary ISP to the Local Network Configuration
You must make the DNS settings of the new ISP available to hosts within the local network. Otherwise, DNS queries will be routed to ISP #1
where they will be rejected due to access and flood control protection. DNS resolution would be impossible and the Internet would be
unreachable from the local network.
Add the DNS servers for ISP #2 to the configuration of your internal network. For backup, you may also add the IP addresses of open domain
name servers at the end of the list.
Step 2: Assign a New IP Address from ISP #2 to WAN2
Do not change the network configuration for the existing firewall. Assign an additional IP address from ISP #2 to WAN2.
The Barracuda Link Balancer does not do address translations on this link. At the IP layer, the firewall and the ISP devices ignore the
Barracuda Link Balancer. However, at the MAC layer, this may not be the case.
Step 3: Clear the ARP Cache on the Router for ISP #2
The Barracuda Link Balancer will use the MAC address of WAN2 for packets sent to the router (while using the respective source IP address of
the firewall) and packets going into the local network. To make sure that neighboring devices use the correct MAC address, you must reboot the
router for ISP #2 to clear its ARP cache.
For help with rebooting the router, contact Barracuda Networks Technical Support to help you configure the Barracuda Link Balancer to
use the MAC address for the firewall interface when communicating with the router for PoC situations.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
19
Configuring the Barracuda Link Balancer for Two Independent ISP Links and Firewalls
en
This article provides steps for inserting a Barracuda Link Balancer into an existing network so that the LAN is fed by two independent Internet
links through two independent firewalls.
In this article:
en
Example Setup and IP Addresses
Step 1. Connect and Configure the LAN and WAN Links on the Barracuda Link Balancer
Step 2. Connect and Configure the Firewalls
Usage Modes
Example Setup and IP Addresses
The following diagram shows the example configuration used in this article:
This example uses these IP addresses and subnets:
WAN 1
1
Internet Router #1
50.200.128.1
2
Internet Router #2
63.226.87.81
2
Firewall #1 external
50.200.128.2
3
Firewall #1 internal
10.1.1.10
5
Firewall #2 external
63.226.87.82
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
20
6
Firewall #2 internal
10.1.1.9
7
Core Switch
10.1.1.210
Step 1. Connect and Configure the LAN and WAN Links on the Barracuda Link Balancer
1. On the Barracuda Link Balancer connect Switch #1 to the LAN port.
2. On the Barracuda Link Balancer, connect router #1 to the WAN1 port, and router #2 to the WAN2 port.
3. Go to the BASIC > Links page, and configure the IP address, netmask, gateway, DNS, and health check settings for both WAN links.
Step 2. Connect and Configure the Firewalls
Connect Switch #1 to firewall #1 and firewall #2.
In this example, the external IP addresses are 50.200.128.2 for firewall #1 and 63.226.87.81 for firewall #2. The internal IP addresses are 1
0.1.1.10 for firewall #1 and 10.1.1.9 for firewall #2.
Usage Modes
This setup provides the following gateway IP addresses:
10.1.1.210 for clients to access a cumulative Internet uplink using both ISPs filtered separately through both firewalls.
10.1.1.10 for clients to access ISP #1 filtered by firewall #1.
10.1.1.9 for clients to access ISP #2 filtered by firewall #2.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
21
Installation Replacing Your Firewall
en
These instructions describe how to deploy the Barracuda Link Balancer as the default gateway for your network, replacing your existing firewall or
router. These steps allow you to configure the Barracuda Link Balancer completely before connecting it to your production system copying the
firewall configuration of your existing firewall to the Barracuda Link Balancer. (A similar process is described in the Barracuda Link Balancer
Quick Start Guide.)
In this article:
en
Step 1. Prepare for the Installation
Step 2. Activate the Barracuda Link Balancer with Temporary Network Settings
Step 3. Update the Firmware
Step 4. Configure Permanent WAN Settings
Step 5. Configure the Barracuda Link Balancer Firewall
Step 6. Configure Permanent LAN IP Address
Step 7. Install in the Production Network
Step 8. Test Connectivity
Step 1. Prepare for the Installation
Before installing your Barracuda Link Balancer, verify that you have the necessary equipment:
Barracuda Link Balancer and AC power cord (included)
Ethernet cables
PC with a web browser
Plug in the Barracuda Link Balancer and power it on.
Step 2. Activate the Barracuda Link Balancer with Temporary Network Settings
Follow these steps to configure the Barracuda Link Balancer with temporary settings and activate it:
1. Change the network settings of a PC with a web browser installed to use an IP address of 192.168.200.10, subnet mask of
255.255.255.0 and gateway of 192.168.200.200. Depending on the model, there may be a LAN port on the front or back side of the
Barracuda Link Balancer. Connect an Ethernet cable from the PC to that LAN port.
2.
3.
4.
5.
6.
7.
8.
9.
Start the web browser and access the web interface by typing http://192.168.200.200:8000.
Log in with the username admin and the password admin.
Go to the Basic > Links page and double-click one of the WAN ports in the graphic.
In the Links Configuration section, set the Type of the WAN link to DHCP to acquire an address in the
office network. Alternatively, set the link Type to Static and enter a specific IP address.
Click Save Changes.
Connect an Ethernet cable from the corresponding WAN port on the front of the Barracuda Link
Balancer into your office network. You should now have Internet connectivity from your PC.
At the top of every page, you may see an activation warning message. Click the link in that message or
use the link on the Basic > Status page to open up the Barracuda Networks Product Activation page
in a new browser window.
Fill in the required fields and click Activate. A confirmation page opens to display the terms of your
subscription. On the Basic > Status page, you may need to enter the activation code from the Barracu
da Networks Product Activation page to activate your Barracuda Link Balancer.
If your subscription status does not change to Current, or if you have trouble filling out the Product Activation page, call your Barracuda
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
22
Networks sales representative.
Step 3. Update the Firmware
Go to the Advanced > Firmware Update page. If there is a new Latest General Release available (the Download Now button is enabled), do
the following to update the system firmware:
1. Read the release notes to learn about the features of this firmware update.
2. Click Download Now next to the Latest General Release firmware version.
3. Click OK to acknowledge the download duration message. To avoid damaging the Barracuda Link Balancer, do not power off during an
update or download. To view the progress of the download, click Refresh. You will be notified when the download is complete.
4. Click Apply Now to apply the firmware.
5. Click OK to acknowledge the reboot message. Applying the firmware takes a few minutes to complete.
After the firmware has been applied, the Barracuda Link Balancer automatically reboots. When the system comes back up, the login page is
displayed. Log in again.
Step 4. Configure Permanent WAN Settings
After the Barracuda Link Balancer has rebooted, log into the web interface and go to the Basic > Links page.
For each link to connect to this unit:
1. Click the relevant WAN port in the graphic.
2. In the Links Configuration section, enter the details for the link to be connected to the WAN port. Some of the configuration information
is provided by your ISP - be sure to enter it correctly.
3.
When done, click Save Changes.
For each WAN interface that has a static IP address, enter all of your externally accessible servers in the Additional IP Addresses fiel
d. These need to be identified so that traffic can be accepted for them. You also need to reconfigure the servers with private IP
addresses. In the next step, you can create firewall 1:1 NAT rules to direct traffic to those systems.
Step 5. Configure the Barracuda Link Balancer Firewall
Create firewall rules on the Barracuda Link Balancer to match the settings of your current firewall.
Go to the Firewall > Access Rules page to add incoming and outgoing rules.
Go to the Firewall > NAT page to add 1:1 NAT and port forwarding rules.
Step 6. Configure Permanent LAN IP Address
1. Change the LAN IP address of the Barracuda Link Balancer to its permanent setting as the default gateway for your network. To change
the LAN IP address, go to the Basic > IP Configuration page and change IP address and subnet mask.
2. Click Save Changes. The connection to the PC that you were using will terminate.
3. Unplug the cable connecting your PC to the Barracuda Link Balancer.
4. Power down your Barracuda Link Balancer using the power button on the front of the unit.
Step 7. Install in the Production Network
Now that the Barracuda Link Balancer is configured, install it in its permanent location and make it part of your production network:
1. Mount the Barracuda Link Balancer in a 19-inch rack or place it in a stable location. To ensure proper ventilation, do not block the cooling
vents on the front and back of the unit.
2. Connect each of the cables from the Internet links into a WAN port on the front of the Barracuda Link Balancer. The ports are labeled
WAN1, WAN2, etc. These ports correspond to the WAN ports that you configured in the web interface. Be sure to connect them
according to your configuration.
3. Unplug your firewall from the network and plug its LAN connection into the LAN port on the front of the Barracuda Link Balancer, if there
is one. If there is no LAN port on the front, plug that connection into the LAN ethernet port on the back panel of the Barracuda Link
Balancer. You should see some activity on both the yellow and green lights on the LAN port. If not, you may need to use a crossover
cable.
4. If the IP address of the Barracuda Link Balancer is the same as the IP address of the firewall that you removed, you can ignore this step.
Otherwise, make the Barracuda Link Balancer the default gateway for the clients by updating the configuration of the DHCP server for
the clients to give out the LAN IP address of the Barracuda Link Balancer as the default gateway. As the leases are renewed, each client
will gain access to the new Internet links. Furthermore, change the default gateway of any clients with static IP addresses to the LAN IP
address of the Barracuda Link Balancer.
Step 8. Test Connectivity
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
23
Test the connectivity to a client system:
1. If needed, change the gateway IP address of a test system to the LAN IP address of the Barracuda Link Balancer.
2. Confirm that you can access the Internet from the test system. If this works, continue.
3. On the test system, log into the web interface using the permanent LAN IP address and go to the Basic > Links page. The status of
each link should display as Connected. You can see the utilization of each link by moving the mouse over the graphic.
4. On the test system, generate some traffic, by, for example, opening more tabs in the browser of the test system and downloading files
from the Internet. FTP files from a number of different sites or use BitTorrent to get the traffic to flow on multiple links.
5. Go to the Basic > Status page to view graphs that show the incoming and outgoing traffic for each link.
If you have connectivity issues, clear the ARP caches of your existing network components such as routers and modems. In some
cases, you may need to reboot these devices.
Continue with Step 1: Configure Administrative Settings.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
24
Hardware Compliance
en
Hardware Compliance
This section contains compliance information for the appliance.
Notice for the USA
Compliance Information Statement (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules.
Operation is subject to the following conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received including interference that may cause undesired operation. If this equipment does
cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user in
encouraged to try one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and the receiver.
Plug the equipment into an outlet on a circuit different from that of the receiver.
Consult the dealer or an experienced radio/television technician for help
Notice for Canada
This apparatus complies with the Class B limits for radio interference as specified in the Canadian Department of Communication Radio
Interference Regulations.
Notice for Europe (CE Mark)
This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC).
Power Requirements
AC input voltage 100-240 volts; frequency 50/60 Hz.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
Getting Started
en
After successful deployment, follow the steps below to configure your Barracuda Link Balancer.
In this Section:
Step 1: Configure Administrative Settings
Step 2: Configure Networking Settings
Copyright © 2015, Barracuda Networks Inc.
25
Barracuda Link Balancer Administrator's Guide - Page
26
Step 1: Configure Administrative Settings
en
The BASIC > Administration page allows you to configure the following access restrictions to the web interface:
Allow or deny administration access through the WAN interfaces. Denying access from the WAN interfaces is one way to prevent brute
force log in attacks. (You cannot disable administration access via the LAN.)
Specify the IP addresses or subnet masks of systems allowed to access the web interface. Attempts to log in from other IP addresses
will be denied.
Change the HTTP port used to access the web interface (default is port 8000).
Change the maximum idle time allowed before an administrator is logged out of the web interface.
In this article:
en
Change the Default Password
Set the Time Zone of the System
Specify Email Addresses for Alerts
Customize the Appearance of the Web Interface
Enabling SSL for Administration
Change the Default Password
To prevent unauthorized use, change the default administrator password for the web interface to a secure password.
1.
2.
3.
4.
Log into the Barracuda Link Balancer interface.
Navigate to the BASIC > Administration page.
In the Password Change section, change the default administrator password.
Click Save Password.
Set the Time Zone of the System
The current time on the system is automatically updated via Network Time Protocol (NTP). The time zone must be set correctly to coordinate
traffic distribution and to record correctly in all logs and reports. If two or more Barracuda Link Balancers are clustered, the time zone must be the
same for both before the cluster can be created.
1. Open the BASIC > Administration page.
2. In the Time section, set the time zone of your Barracuda Link Balancer.
3. Click Save Changes.
The Barracuda Link Balancer automatically reboots when you change the timezone.
Specify Email Addresses for Alerts
Alert emails are generated automatically by the Barracuda Link Balancer to notify you of system warnings, for example, when a link is down or
your system is low on disk space. Generated alert emails are sent hourly. Every SNMP trap (except for the WANx saturated trap) results in an
alert email. To specify email addresses for alerts:
1. Navigate to the BASIC > Administration page.
2. In the Email Notifications section, enter the email address that sends alerts from the Barracuda Link Balancer. To enter multiple
addresses, separate each address with a comma.
3. Click Save Changes.
4. Open the BASIC > IP Configuration page.
5. Enter the Default Host Name and Default Domain of the Barracuda Link Balancer.
6. Click Save Changes.
The default host name and the default domain name are in all alert emails sent by the Barracuda Link Balancer.
Customize the Appearance of the Web Interface
Use the ADVANCED > Appearance page to customize the default images used on the web interface. This tab is only displayed on certain
Barracuda Link Balancer models.
Enabling SSL for Administration
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
27
You can require that only secure SSL connections can access the web interface. SSL ensures that your passwords and transmitted and received
data are encrypted.
Configure SSL on the ADVANCED > Secure Administration page. To allow only secure connections when accessing the web interface, you
must supply a digital SSL certificate which is stored on the Barracuda Link Balancer. This certificate bcomes part of the connection process
between client and server (in this case, a browser and the web interface on the Barracuda Link Balancer). The certificate contains the server
name, the trusted certificate authority, and the server’s public encryption key.
The supplied SSL certificate may be either private or trusted. A private, or self-signed, certificate provides strong encryption without the cost of
purchasing a certificate from a trusted certificate authority (CA). However, the client (browser), unable to verify the authenticity of a self-signed
certificate, will send a warning indicating an unverified certificate. To avoid this warning, download the private root certificate and import it into
each browser that accesses the Barracuda Link Balancer web interface. You may create your own private certificate using the ADVANCED >
Secure Administration page.
Instead of a private certificate, you may use the default pre-loaded Barracuda Networks certificate. A client web browser warning will result
because the certificate hostname is “barracuda.barracudanetworks.com” , which is not a trusted certificate. Thus, access to the web interface
using the default certificate may be less secure.
A trusted certificate is a certificate signed by a trusted certificate authority (CA). The benefit of using a trusted certificate is that the browser
recognizes it as trusted, so you need not manually download the private root certificate. Use the ADVANCED > Secure Administration page to
create a Certificate Signing Request which you can submit to a certificate authority to purchase a trusted certificate.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
28
Step 2: Configure Networking Settings
en
This article describes the main networking settings that you can configure using the Barracuda Link Balancer web interface.
In this article:
en
Viewing and Updating the WAN Link Configuration
Adding a New WAN Link
WAN IP Impersonation
Authoritative DNS
Adding Static Routes
Configuring VLANs
Creating IP Aliases
Configuring DNS Servers
Configuring Per Interface Health Checks
Configuring the DHCP Server
Viewing and Updating the WAN Link Configuration
Every WAN link that connects to the Barracuda Link Balancer must be manually identified. The information is provided by your internet service
provider.
1. Log into the Barracuda Link Balancer Web Interface.
2. Go to the BASIC > Links page.
3. To identify links, move the mouse over the corresponding WAN port displayed in the upper section of the page. To change or add
configuration information, click on the port or expand the link in the Configure column under the Links Configuration section.
Adding a New WAN Link
Remember, if you are adding one or more new WAN links to an already configured Barracuda Link Balancer, all links must be configured on the
BASIC > Links page. Correctly configured WAN links are automatically used for outbound link balancing. For inbound traffic, if the Barracuda
Link Balancer firewall is enabled, you can add a NAT rule on the FIREWALL > NAT page to map the destination IP address of traffic on the new
link to an internal service.
WAN IP Impersonation
If the Barracuda Link Balancer firewall is disabled, you can avoid the need to update rules on your network firewall with the new WAN link by
mapping the destination IP address of traffic on the new link to an existing WAN IP address (usually, an address on WAN1). To do this:
1.
2.
3.
4.
Select the NAT/Port Forwarding option on the BASIC > Links page.
Click Save Changes. The Barracuda Link Balancer will automatically perform a system Reload.
After the reload is complete, log back into the Barracuda Link Balancer.
Make sure to enter all IP addresses you own under their respective WAN links in the Additional IPs section of the BASIC > Links page.
These IP addresses will be used to create NAT or Port Forward rules for WAN IP impersonation.
5. Create a NAT or Port Forward rule on the Firewall > NAT page to map the destination IP address of traffic on the new link to an external
IP address on an existing link.
Authoritative DNS
The Barracuda Link Balancer can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names in its
configuration. This allows you to define one or more domains that are accessible via more than one WAN link. When asked to resolve a host, the
Barracuda Link Balancer will return an IP address of one of the available WAN links.
However, before your servers can be accessed from the Internet by name, you must:
Register your domains with a domain name registrar. Without this, the domain names will fail to resolve when accessed from the
Internet.
Once your domains are registered, you can configure authoritative DNS on the SERVICES > Authoritative DNS page.
Also, see If You Add a WAN Link After the Domains are Created for more information.
Adding Static Routes
If a separate subnet needs to use the Internet links accessible only through the Barracuda Link Balancer, add a static route to specify a gateway
for that subnet so that return traffic takes the correct path. If you have disabled the Barracuda Link Balancer firewall, then static routes can be
added to your network firewall. Otherwise, follow these instructions to add static routes to the Barracuda Link Balancer:
1.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
29
1. On the Barracuda Link Balancer web interface, go to ADVANCED > Advanced Networking.
2. Add the static routes.
3. Test connectivity from each internal network by changing the gateway IP address of a computer on each subnet to the LAN IP address of
the Barracuda Link Balancer. Verify you can access the internet from each subnet.
4. Once verified, update the configuration of the DHCP server for clients to be the LAN IP address of the Barracuda Link Balancer as the
default gateway. As leases are renewed, each client will gain access to the new Internet links.
5. Change the default gateway of any client with configured static IP addresses to the LAN IP address of the Barracuda Link Balancer.
Configuring VLANs
The Barracuda Link Balancer supports the IEEE 802.1Q standard for explicitly tagging Ethernet frames with VLAN information. Do the following
to configure VLANS:
1. On the ADVANCED > Advanced Networking page, identify your VLANs.
2. Create a virtual interface associating an IP address and netmask with each VLAN.
Traffic sent to a virtual interface associated with a VLAN will be tagged with the VLAN ID and delivered correctly. VLANs cannot be on the same
subnet.
Starting from firmware version 2.5, you can configure VLAN ID tagging for each link on the BASIC > Links page.
Creating IP Aliases
You can create virtual interfaces or IP address aliases by associating an IP address or subnet with a WAN, LAN or VLAN. Each IP address and
netmask associate with only one WAN, LAN or VLAN. Virtual interfaces are used:
To associate an IP address range with a VLAN
To associate an externally accessible IP address on a subnet with no WAN link with a WAN link.
Create IP aliases on the ADVANCED > Advanced Networking page.
Configuring DNS Servers
On the BASIC > Links page, set the primary and secondary DNS servers for each WAN link. Your ISP provides you with these settings.
Configuring Per Interface Health Checks
On the BASIC > Links page, configure health checks for each link. Multiple methods are supported. You can enter more than one test target
(e.g. resolve the DNS domain names of multiple websites) to be sure that the link is actually down. Link failure is shown on the BASIC > Links an
d on the BASIC > Status page. Also, if a link fails, an SNMP trap is generated, an email ise sent, and an event is logged.
Configuring the DHCP Server
The Barracuda Link Balancer can act as a DHCP server. On the SERVICES > DHCP Server page, enable and configure the DHCP server.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
30
Configuration
en
These articles describe how to configure the Barracuda Link Balancer for inbound load balancing, networking and firewalling.
In this Section
DNS
Networking
Firewall
VPN
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
31
DNS
en
Configure your Barracuda Link Balancer to act as an authoritative DNS server. These articles provide an overview of DNS functionality and
describe configuration of the Barracuda as a
DNS server for inbound load balancing.
In this Section:
DNS Overview
How to Configure the DNS Server
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
Copyright © 2015, Barracuda Networks Inc.
32
Barracuda Link Balancer Administrator's Guide - Page
33
DNS Overview
en
The Barracuda Link Balancer can act as an authoritative DNS server, returning definitive domain names to DNS queries about its configuration.
This allows you to define one or more domains that are accessible via more than one WAN link. When asked to resolve a host, the Barracuda
Link Balancer returns an IP address from an available WAN link. This provides two benefits:
Failover - If a WAN link goes down, the domain is still available via another WAN link.
Incoming link balancing - Incoming traffic to the domain is spread across all links configured for that domain.
Only WAN links with static IP addresses can be advertised to respond to DNS queries. However, you can accept traffic on any of your WAN links
for a domain configured on the Barracuda Link Balancer. DNS resource records describe the hosts, name servers and other attributes of the
domain. Following these instructions, and using the web interface of the Barracuda Link Balancer, you can create records that describe the
domain or domains hosted on the LAN side of the Barracuda Link Balancer. The supported DNS resource records are described in How to
Configure the DNS Server.
DNS Records Time to Live
Configuring the Barracuda Link Balancer as an authoritative DNS server for the domains behind it increases the availability of your hosted
servers. When asked for the IP address of a host name, the Barracuda Link Balancer returns a DNS A record containing the IP address of a
WAN link. Every DNS record has a Time to Live (TTL) value. TTL is the length of time that a DNS record may be cached. For most DNS records,
two days is a typical TTL. However, A records should have a much shorter TTL, such as 30 seconds. If a WAN link fails, its address will no longer
be returned, so inbound traffic to this host will not be disrupted. A short TTL value for this record ensures that cached addresses for failed links
time out quickly. Specifying a short TTL for A records also assists in link balancing. Because the returned address for a host varies among the
available links, the short TTL guarantees that the link used for incoming traffic to that host also varies frequently.
Recommended Deployment
Use this feature if you are hosting services such as web servers, VPNs and email that are name-based. This increases the availability of your
services and provides a way to do inbound link balancing.
Split DNS
The Barracuda Link Balancer supports a split DNS infrastructure. If the same host name is used for a resource accessible both internally and
externally, internal network clients receive the internal IP address and external clients receive the external IP address when they request the
address of that host name. Specifically, the A record for the host name includes two views, one with the internal IP address and one with the
external IP address. So, clients only see the address that they should use.
The split DNS infrastructure handles accessing resources using a host name. What about accessing externally accessible resources using an IP
address? If local clients use external IP addresses to access internal servers, the Barracuda Link Balancer translates the address and properly
forwards those requests back to internal servers.
DNS Zone Transfer Blocking
The Barracuda Link Balancer can be configured to block zone transfers on some or all of the domains that it hosts. An AXFR/IXFR query sent
from another DNS server to the Barracuda Link Balancer (to request a copy of the DNS records) is rejected if zone transfers are disabled for that
domain. By default, zone transfers are enabled for all domains created.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
34
How to Configure the DNS Server
en
Make the Barracuda Link Balancer an Authoritative DNS host and configure the DNS Server for inbound load balancing.
In this article:
Step 1. Enable Authoritative DNS
Step 2. Create One or More Domains
Step 3. Set up DNS for Internal Clients
Step 4. Add More DNS Records
Step 5. Update Your Domain Registrar
Step 6. Test External Access
Adding a New WAN Link
Zones and Domains
DNS Records
Step 1. Enable Authoritative DNS
Enable Authoritative DNS on
the Barracuda Link Balancer to identify which WAN links are to be used as name
servers.
1. Log into the Barracuda Link Balancer web Interface.
2. Go to the Services > Authoritative DNS page.
3.
4.
Select Enabled for Authoritative DNS and for each of the WAN links in the table of DNS Server listen links.
This table includes all WAN links with static IP addresses (configured on the Basic > Links page). You
can change the value for the Name Server for each link or keep the default. The Name Server value is
used as a label for NS records for all domains. Enter an unqualified name, for example, ns1.
Click Save Changes.
Step 2. Create One or More Domains
To define one or more domains on the Barracuda Link Balancer,
1. Check that the value for Default Domain specified on the Basic > IP Configuration page is accurate. If the built-in firewall is enabled,
and if you have created 1:1 NAT rules and/or port forwarding rules, make sure that they use the correct host name. You can look at
those rules on the Firewall page.
2. Go to the Services > Authoritative DNS page.
3. In the Domain section, enter the domain and click Create.
You should see that the following records are created:
Start of Authority (SOA)
Name Server (NS) - One NS record for each name server in the DNS Server Listen Links table is
generated.
Address (A) - One A record is created for each name server in the DNS Server Listen Links table. An
A record is also created for each matching host name found in 1:1 NAT and Port Forwarding rules, as
described in the next section.
If the Barracuda Link Balancer has the firewall enabled:
When you create a new domain, the Barracuda Link Balancer looks for existing 1:1 NAT and port forwarding rules that include names in
the Hostname field that have a domain suffix that is the same as the newly created domain name.
Or, if you create a domain that is the same as your default domain (as specified on the Basic > IP Configuration page), the Barracuda
Link Balancer looks for rules that have host names that do not appear to be fully qualified domain names.
In either case, an A record for each matching rule, including both external and internal addresses, will be automatically created for each
host name.
The DNS records are created with typical default values. You can see all values for each record and modify them by clicking Edit next to the
record in the DNS Records section.
Step 3. Set up DNS for Internal Clients
If you have an internal DNS server, configure it to forward queries to the LAN IP address of the Barracuda Link Balancer.
If the built-in firewall of the Barracuda Link Balancer is enabled:
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
35
As already described, when you create a new domain, the Barracuda Link Balancer looks for existing 1:1 NAT and port forwarding rules that
include names in the Hostname field appearing relevant and creates an A record for each matching rule, including both external and internal
addresses. In some cases, this mapping will not reflect your configuration.
1. Using an internal network client, try to access a host name for a resource that is available both internally and externally.
2. If the test fails, edit the A record for the unresolved host name. The DNS Record page opens.
3. In the IP Addresses table, add addresses to the Local Network column to be used in response to internal DNS queries.
If the built-in firewall of the Barracuda Link Balancer is disabled:
The Barracuda Link Balancer is not able to map external to internal IP addresses if the firewall is disabled. If you want internal addresses to be
served,
1. Edit the A record for the host name of each resource that is available both internally and externally. The DNS Record page opens.
2. In the IP Addresses table, add IP addresses to the Local Network column to use in response to internal DNS queries.
3. Using an internal network client, test your changes by trying to access the resource using its host name.
Step 4. Add More DNS Records
Add more DNS records to your domain(s) to match your configuration. For example, each email server needs an MX record and a corresponding
A record. Each web server needs an A record.
If you have externally reachable IP addresses that are not tied to any interface, such as ARIN networks, create an A record for each one:
If the address is not routed through the Barracuda Link Balancer, select CUSTOM in the Links list.
If the address is routed through the Barracuda Link Balancer, select ANY in the Links list.
Step 5. Update Your Domain Registrar
If you haven't already registered your domain name, register it with a domain name registrar like GoDaddy.com or register.com. Make the NS
records of the domain point to your static WAN IP addresses. If your domain name is already registered, contact your registrar to update the NS
records so the domain points to your static WAN IP addresses. Remove records that reference the domain or domains that are now delegated to
the Barracuda Link Balancer.
Hosting a Sub-Domain
If your domain is hosted at your ISP or elsewhere, and you want to delegate a sub-domain to be resolved by the Barracuda Link Balancer, you
must add some records to the zone file of the domain where it is stored at the registrar. If the domain is example.com, and you want to host my.e
xample.com and you have two name servers ns1 and ns2, add these lines, using the actual IP addresses of your name servers:
my
my
ns1
ns2
IN
IN
IN
IN
NS
NS
A
A
ns1
ns2
216.101.241.181
192.0.2.2
Then you can create the my.example.com domain on the Barracuda Link Balancer.
Step 6. Test External Access
From a host on the Internet, run nslookup on your domain name(s). The returned IP addresses should be the IP addresses of your WAN listen
links. Depending on the change, it may take some time for your changes to propagate throughout the Internet, depending upon the time various
resolvers cache DNS responses. For example, it may take a day before a new domain name is accessible via the Internet. If a domain name was
previously registered and the DNS record is modified, any server on the Internet with the previous information will not get the update until the TTL
of the original record has passed.
Adding a New WAN Link
If, after creating your domains, you add a new WAN link, complete these steps to use the new link for DNS queries (static links only) and inbound
link balancing:
1. Go to the Services > Authoritative DNS page.
2. If this is a static link and you want to use it to respond to DNS queries:
a. Identify the new link as a DNS Server Listen Link and assign it a Name Server label.
b. For each already defined domain, add a new NS record and a new A record to the domain for the new link.
3. Edit the A records of your servers to enable reception of inbound traffic on the new link for the corresponding internal servers.
Specifically, when you edit the A record on the DNS Record page, you can select the new WAN link from the Links list and add it to the
A record.
Zones and Domains
A domain name server stores information about part of the domain name space called a zone. All names in a given zone share the same domain
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
36
suffix. For example, if barracuda.com is the domain suffix, mail.barracuda.com and eng.barracuda.com are possible sub-domains. These may be
all served by one domain name server or some of the sub-domains may be delegated to other domain name servers. Every domain or
sub-domain is in exactly one zone. Rather than make a distinction between a zone and a domain, the web interface of the Barracuda Link
Balancer simply asks you to create a domain.
Zone transfers serve to replicate DNS databases across a set of DNS servers. On the Barracuda Link Balancer, zone transfers can be enabled
or disabled per domain. Also, the TTL (Time To Live) for clients to cache DNS records can as of Barracuda Link Balancer firmware version 2.5 be
defined per domain.
DNS Records
DNS Records Generated when Creating a Domain
When you create a domain on the Barracuda Link Balancer the following records are automatically generated:
Start of Authority (SOA) - The SOA record defines the global parameters for the hosted domain or zone. Only one SOA record is
allowed per hosted domain or zone.
Name Server (NS) - NS records specify the authoritative name servers for this domain. One NS record for each name server in the DNS
Server Listen Links table is generated.
Address (A) - A records map a host name to an IP address. Each host inside the domain should be represented by an A record. One A
record is created for each name server in the DNS Server Listen Links table. An A record is also created for each matching domain
name found in 1:1 NAT and Port Forwarding rules.
Additional DNS Records
Once a zone has been created, you can edit the above records or add NS, A, and any of the following records to a zone:
Mail Exchanger (MX) - MX records point to the email servers that are responsible for handling email for a given domain. There should
be an MX record for each email server, including backup email servers if they exist. If an email server lies within the domain it requires
an A record for each name server. If the email server is outside the domain, specify the FQDN of the server, ending with a dot.
Example: mail.my-isp.net.
Text (TXT) - Text records allow text to be associated with a name. This can be used to specify Sender Policy Framework (SPF) or
DomainKeys records for the domain.
Canonical Name (CNAME) - A CNAME record provides a mapping between this alias and the true, or canonical, hostname of the
computer. It is commonly used to hide changes to the internal DNS structure. External users can use an unchanging alias while the
internal names are updated. If the real server is outside the domain, specify the FQDN of the server, ending with a dot.
Example: server1.my-isp.net.
If a domain name has a CNAME record associated with it, then it cannot have any other record types. Do not use CNAME defined
hostnames in MX records.
Service (SRV) - Service records are used to store the location of newer protocols, such as SIP, LDAP, IMAP and HTTP.
Pointer (PTR) - PTR records point to a canonical name. The most common use is to provide a way to associate a domain name with an
IP address.
Other (OTHER) - Use an OTHER record to add a type of DNS record that is not supported, such as NAPTR.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
37
Networking
en
The following articles describe how to configure networking, including the application of routing rules, and how to accomplish traffic shaping on
the Barracuda Link Balancer.
In this Section:
Routing Outbound Traffic
How To Create IP/Application Routing Rules
How to Create Outbound Source NAT Rules
Traffic Shaping
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
38
Routing Outbound Traffic
en
By default, all outgoing traffic is link balanced and NAT'd. Also, the source IP address of outgoing traffic is the WAN link used by the traffic. You
can create outbound routing rules to modify these defaults.
In this article:
en
Specifying the Link Used by Outgoing Traffic
Ping Traffic
VPN and Email Rules
Externally Accessible IP Addresses
Changing the Source IP Address of Outgoing Traffic
Specifying the Link Used by Outgoing Traffic
To exempt outgoing traffic from link balancing and/or NAT'ing, create IP/application rules on the Policy > Outbound Routing page.
IP/application routing rules are based on the source IP address, application, and/or destination IP address. The IP/application routing rules are
executed before the link load balancing algorithm. Traffic that matches no rule is both link balanced and NAT'd. These rules are executed
regardless of the firewall operating mode.
Examples where IP/application routing rules may be useful include:
If you are an ISP with externally accessible IP addresses (ARIN networks) behind the Barracuda Link Balancer that are not on the same
subnet as your WAN interfaces.
If you have subnets that you want to exempt from link balancing.
If you have systems such as mail servers or VPN endpoints that send traffic that must maintain the original source IP address.
If you have applications that you want to exclude from outgoing link balancing and NAT'ing.
Ping Traffic
To direct ping (ICMP) traffic that originates from behind the Barracuda Link Balancer to use a specific WAN link:
Create a ping application on the POLICY > Applications page (select ICMP as the protocol, no port range).
Create one or more IP/application routing rules for the ping application.
For example, if WAN1 is a private link to an office and WAN2 is a primary link used for other Internet traffic, make two rules: one that directs ping
traffic to the office to use WAN1 and one that allows all other ping traffic to use WAN2. (Remember that private links are only used if the link is
explicitly referenced.)
VPN and Email Rules
During installation, sample disabled IP/application routing rules are automatically created for outgoing VPN and email traffic to prevent it from
being link balanced or NAT'd. To enable those rules, select the WAN link to be used for that traffic. If you would like to link balance outgoing email
or VPN traffic because that is acceptable to the receiver, you can leave the rules in their disabled state or delete them. (For example, you may
have created multiple SPF or DNS records for the WAN IP addresses).
Externally Accessible IP Addresses
If you would like to direct traffic from externally accessible IP addresses behind the Barracuda Link Balancer to the WAN link on the same subnet,
create one or more rules where those addresses are the source IP addresses, link balancing and NAT are turned off, and Primary Link is set to
Auto.
If you have a network where the externally accessible IP addresses (ARIN networks that are not in any WAN subnets) can send traffic on any
WAN link, you can create rules so that traffic originating from those addresses goes out without being NAT'ed. Depending on how the ISP routers
are set up, traffic from these networks may be link balanced or may be bound to one WAN link. For the latter case, select specific primary and
backup links.
Changing the Source IP Address of Outgoing Traffic
To set the source IP address of outgoing traffic to a masquerade IP address other than the IP address of the WAN link, create outbound source
NAT rules on the POLICY > Outbound Routing page. Outbound source NAT rules consider source IP address (or range) and, optionally,
application and WAN link. If a rule match occurs, the specified external IP address is used as the source IP address of the traffic. The outbound
source NAT rules are executed after the WAN link has been determined by the link load balancing algorithm. They are executed regardless of the
firewall operating mode. The rules are arranged in a table on the POLICY > Outbound Routing page in order of precedence from top to bottom.
Only the first matching rule to the profile of the traffic is executed. If the traffic matches a 1:1 NAT rule, the outbound source NAT rules are
ignored.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
39
How To Create IP/Application Routing Rules
en
The IP/Application
Routing section lets you create rules based on source IP address, application, and/or
destination IP address that exempt outgoing traffic from link balancing and/or NAT'ing. Traffic matching no rule
continues through link balancing and NAT'ing. These rules are executed regardless of the firewall operating
mode.
Create an IP/Application Routing Rule
1. Log into the Barracuda Link Balancer Interface.
2. Go to the POLICY > Outbound Routing page.
3. In the IP/Application Routing section, enter
4.
5.
6.
a unique Rule Name.
In the Source IP Address field, enter the IP address (e.g. 10.0.0.1) to be NAT'd.
In the Source Netmask field, enter a netmask (e.g. 255.255.255.255) or leave this field blank.
From the Application list, select * for any protocol or port combination or select an application.
7. Complete the action fields to specify what happens to traffic matching the condition:
Link Balance - Select Yes to link balance outgoing traffic across any available WAN interfaces.
Or, select No and then select a Primary and a Backup link:
Primary Link:
Default - Outgoing traffic is directed to the WAN link on the same subnet.
Or, select a specific link from the list to bind traffic to that link.
Backup Link:
None - Drop traffic if the primary link is not available.
Or, select a specific link from the list to bind traffic to that link.
Clear the NAT check box to maintain the original source IP address.
8. Click Add.
The new rule is now added to the bottom of the IP/Application Routing table.
Rules in the IP/Application Routing table appear in execution order, from top to bottom. Only the first matching rule is executed. To
change the order of rules, drag and drop them towards the top or bottom of the list.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
40
How to Create Outbound Source NAT Rules
en
Create outbound source NAT rules to set the source IP address of outgoing traffic to an address other than the WAN link or the original source IP
address. This policy is applied after the WAN link has been determined by the link balancing algorithm. These rules are executed regardless of
the firewall operating mode.
Create an Outbound Source NAT Rule
1. Log into the Barracuda Link Balancer Interface.
2. Go to the POLICY > Outbound Routing page.
3. In the Outbound
Source NAT section, enter a unique Rule Name.
4. In the Source IP Address field, enter the IP address (e.g. 10.0.0.1) to be NAT'd. Alternatively, enter an IP address range (e.g. 10.0.0.1-1
0.0.0.10) where two IP addresses separated by a hyphen "-" define a range .
5. In the Source Netmask field, enter a netmask (e.g. 255.255.255.255) or leave this field blank.
6. From the Application list, select * for any protocol or port combination or select an application.
7. From the Link list, select
8.
a link to apply the rule only to traffic directed to that link. Or, select ANY to apply
the rule regardless of the WAN link.
In the Masquerade IP Address/Range field, enter the address or range to be used as the source IP
address.
9. Click Add.
The new rule now appears at the bottom of the Outbound Source NAT table.
Rules in the Outbound Source NAT table appear in execution order, from top to bottom. Only the first matching rule to the traffic is
executed. To change the order of rules, drag and drop them towards the top or bottom of the list.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
41
Traffic Shaping
en
The Barracuda Link Balancer allows you to shape incoming and outgoing traffic and link usage in a variety of ways.
To achieve optimum bandwidth management, ensure that the configuration of your WAN links matches your ISP specifications, such as
upstream and downstream speeds. The links can be configured in BASIC > Links > Link Configuration (see Step 2: Configure
Networking Settings).
In this article:
Link Usage for Inbound and Outbound Traffic
Grouping WAN Links for Inbound and Outbound Traffic
Creating Quality of Service (QoS) Pipes, Subpipes and Rules
Link Usage for Inbound and Outbound Traffic
Outbound Link Balancing
By default, outbound traffic from a client IP address to a new destination IP address inspires comparison of link weights and uses the link with the
highest weight. The link weight is the available capacity based on configured link speed and current usage. The weight for each primary and
backup WAN link updates on an a continual basis.
Inbound Link Balancing
Inbound link balancing and failover are available only when the Barracuda Link Balancer acts as an authoritative DNS server for domains behind
it. When the Barracuda Link Balancer receives a DNS query for a hosted domain, it returns the IP address of a WAN link which the client then
uses to reach the hosted domain. The same algorithm is used to select the returned WAN link as is used for outbound link balancing.
Grouping WAN Links for Inbound and Outbound Traffic
You can change how frequently WAN links are used by assigning each link to one of three groups for both inbound and outbound traffic. This
feature allows you to reserve links for certain types of traffic or to use higher cost links only if lower cost links fail or become saturated. The
supported usage groups are:
Primary links - Used first for link balancing.
Backup links - Used only if the primary links are down or if they become saturated. If all primary links are down or saturated, then traffic is
distributed across all available backup links until the primary links become available.
Private links - Used only for traffic matching IP/Application routing rules or if specified explicitly in the configuration of a VPN. Private links
are not used at all for default outbound or inbound link balancing. They are used only if explicitly referenced.
If you want to employ default link balancing policy, where the link with the greatest available capacity is used, set the usage group for each link to
Primary. To assign each link a usage group, edit the link on the Basic > Links page.
Specifying WAN Link for Outbound Traffic
You can override the link balancing algorithm by creating rules that determine which WAN link certain kinds of outbound traffic use. See Specifyin
g the Link Used by Outgoing Traffic.
Creating Quality of Service (QoS) Pipes, Subpipes and Rules
You can control traffic shaping in hierarchical structures of pipes, subpipes and rules. Traffic shaping is executed after determination of the WAN
link the traffic will use and applies to all traffic, including VPN traffic, regardless of whether the Barracuda Link Balancer firewall is enabled. Each
rule describes a set of traffic based on one or more parameters: source IP address or range, destination IP address or range, application or
applications, time, day of the week, and WAN link. Three different hierarchy levels control different aspects of the traffic. If the defined conditions
are met, the pipe, subpipe or rule assigns bandwidth shaping and contention shaping. If the traffic on the network exceeds capacity, traffic from
high priority applications is allocated a greater share of the bandwidth. The contention shaping subdivides traffic that has the same bandwidth
shaping level.
Some examples of traffic shaping:
Give higher priority to traffic originating from a set of IP addresses.
Assign lower priority to FTP traffic so that file uploading and downloading does not affect other applications.
Increase the priority of SIP traffic so that calls are not dropped.
Give VPN traffic a high priority. You can create a rule with the source IP address of the local VPN endpoint and the destination IP
address of the remote VPN endpoint.
Configure QoS on the POLICY > Bandwidth Mgmt page.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
42
Firewall
en
The Barracuda Link Balancer can act as a firewall, inspecting arriving network traffic and allowing or denying passage based on inbound,
outbound, 1:1 NAT, and port forwarding rules. Some of these functions are available even if the firewall function is disabled.
Using 1:1 NAT and port forwarding rules, the Barracuda Link Balancer can perform:
1:1 NAT - Assign external addresses to internal clients.
Port forwarding (or Port Address Translation) - The traffic to a port across one or multiple links is directed to an internal client.
Many to 1 NAT - One internal server may receive traffic from more than one WAN link. You can achieve this by creating 1:1 NAT rules or
port forwarding rules.
Port blocking and unblocking.
Inbound and outbound firewall rules are executed regardless of firewall status. Port
forwarding and 1:1 NAT rules are executed
only if the Barracuda Link Balancer firewall is enabled or, for any WAN link with the NAT/Port Forwarding opti
on enabled (even if the Barracuda Link Balancer firewall is disabled). Rules can always be created and saved
even when they cannot be executed. This allows you to configure the built-in firewall with minimal disruption to
your network.
In this Section:
Firewall Rules Overview
How to Create Inbound Firewall Rules
How to Create Outbound Firewall Rules
How to Create Custom Applications
How to Create NAT Rules
How to Create Port Forwarding Rules
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
43
Firewall Rules Overview
en
Inbound and outbound firewall rules allow or deny access to remote networks, clients, services and ports. The Barracuda Link Balancer firewall
helps prevent or mitigates distributed denial of service attacks by rate limiting the number of requests coming into your network. Firewall rules are
arranged in tables from top to bottom in order of precedence. Only the first matching rule is executed.
In this article:
en
Inbound Firewall Rules
Inbound 1:1 NAT Rules
Port Forwarding Rules
Outbound Firewall Rules
Firewall Logging
Inbound Firewall Rules
By default, all connections initiated from outside are denied. Add inbound firewall rules to allow exceptions for specific IP addresses, ports and
applications. Applications let you define rules that apply to more than one port. Use the FIREWALL > Access Rules page to create firewall rules
for incoming packets. To create an inbound rule for an application that is not in the list presented when you add the rule, first go to the POLICY >
Applications page and define a new application.
Inbound 1:1 NAT Rules
When the Barracuda Link Balancer firewall is enabled, externally reachable servers cannot have public IP addresses. You need to reconfigure
these servers with private IP addresses. Identify the public IP addresses as Additional IP Addresses for a WAN interface with a static IP address.
Then you can create 1:1 NAT rules to direct traffic to your servers. You can add the public IP addresses as Additional IP Addresses to more than
one WAN interface with a static IP address. All incoming traffic will be forwarded according to the rules you create. This allows traffic from more
than one WAN link to go to same internal server. 1:1 NAT applies to the IP address only, leaving ports the same on both IP addresses. 1:1 NAT
is bidirectional – outbound traffic will include the servers' public IP addresses.
If the Barracuda Link Balancer firewall is disabled, you can create a NAT rule to map the destination IP address of the inbound traffic on one
WAN link to another WAN link's IP address. This allows you to add a new WAN link without requiring an update to rules on your network firewall.
See Adding, Updating or Viewing WAN Link Configuration for more details. When a 1:1 NAT rule is created, an inbound firewall rule to accept
traffic for the external IP address is automatically generated. Without this rule, all connections initiated from outside are denied.
You can view and change this rule – it has a similar Rule Name – on the FIREWALL > Access Rules page. You may want to modify the rule to
restrict access to only those ports or applications that you want to be publicly accessible. On the FIREWALL > NAT page, create 1:1 NAT rules
and port forwarding rules. If you create a 1:1 NAT rule for an address, there is no need to also create a port forwarding rule.
Port Forwarding Rules
Create port forwarding rules to direct traffic on an external port to a port on an internal IP address. You must specify which WAN link to use to
listen for incoming packets on the port. The return path is handled automatically. The listen IP address on a specific WAN interface could either
be the WAN IP address or any other IP address on the same WAN interface. A WAN IP address used in any port forwarding rule can not also be
used in a 1:1 NAT rule. You can forward traffic from a port on multiple WAN links to a port on a single internal IP address by creating a rule for
each WAN link. When you add a port forwarding rule, an inbound firewall rule is created automatically to accept traffic on the listen link and port
for the private IP address of the server. Without this rule, all connections initiated from outside are denied.
You can view and change this rule – it has a similar Rule Name – on the FIREWALL > Access Rules page. To add a new port forwarding rule,
go to the FIREWALL > NAT page.
Outbound Firewall Rules
By default, all outbound connections are allowed. You can create outbound firewall rules to restrict outbound connectivity. For example, you may
want to block access to certain online gaming sites that use specific ports. On the FIREWALL > Access Rules page, create, modify, or delete
outbound firewall rules. The rules are arranged in the table from top to bottom in order of precedence. Only the first rule that matches the profile
of the traffic is executed. If you want to create an outbound rule for an application that is not in the list presented when you add the rule, go to the
POLICY > Applications page and define a Custom Application.
Firewall Logging
You can view executed rules and the impact on traffic (dropped or allowed) on the firewall log displayed on the LOGS > Firewall Log page. Only
rules with Log selected in their rule entry (under the Firewall tab) are logged.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
44
How to Create Inbound Firewall Rules
en
The Access Rules page allows you to create and edit firewall rules on the Barracuda
Link Balancer. By default, all connections initiated from outside are denied. Add
inbound firewall rules to allow exceptions for specific IP addresses, ports and
applications.
Create an Inbound Firewall Rule
Related Article
Firewall Rules Overview
1.
2.
3.
4.
5.
Log into the Barracuda Link Balancer web interface.
Go to the FIREWALL > Access Rules page.
To create a new firewall rule, click Add Access Rule.
Enter a Name. To better identify a rule, you may enter a comment.
Select Allow as the Action to allow traffic that matches this rule.
6. From the Source
field, select Internet.
7. From the Destination field, select the destination, for example: LAN.
You may also select Explicit for one or both of them so you can configure explicit IP addresses where the rule is valid.
8. From the Link field, select whether this rule applies to any link or only one.
9. From the Protocol field, select whether this rule applies to any protocol or only one.
10. Select either an application or a port for the rule:
a. When choosing the application option, select whether this rule should apply to any (*) application or only one from the Applicati
on list.
Applications let you define rules that apply to more than one port. You can define an application using the Policy >
Applications page (see How to Create Custom Applications).
b. When choosing the port option, enter a single port, a list of comma-separated ports, or a hyphenated range in the Port field.
11. In the Start Time and End Time fields, define a time interval in HH:MM (24 hour format) during which the rule is active. Select days of
the week to narrow that time interval, if desired.
12. Click Add Rule.
The inbound firewall rule is now created and appears in the Inbound/Outbound Firewall Rules list. To change an existing firewall rule, click the
Edit icon under the Actions column, modify the rule and click Save Changes.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
45
How to Create Outbound Firewall Rules
en
By default, all connections initiated from addresses inside the Barracuda Link Balancer
are allowed. You can define firewall rules restrict outbound connectivity based on
protocol, port, application, destination and/or source IP address.
Create an Outbound Firewall Rule
Related Article
Firewall Rules Overview
1.
2.
3.
4.
5.
6.
7.
Log into the Barracuda Link Balancer web interface.
Go to the FIREWALL > Access Rules page.
To create a new firewall rule, click Add Access Rule.
Enter a Name. Use the comment field to better identify a rule in the list, if desired.
Select Block as the Action to block traffic that matches this rule.
From the Source field, select LAN.
From the Destination field, select the destination, for example: Internet.
You may also select Explicit for one or both of them so you can configure explicit IP addresses where the rule is valid.
8. From the Link field, select whether the rule applies to any link or only one.
9. From the Protocol field, select whether the rule applies to any protocol or only one.
10. Select either an application or a port for the rule:
a. When choosing the application option, select whether the rule should apply to any (*) application or only one from the Applicatio
n list.
Applications let you define rules that apply to more than one port. You can define an application using the Policy >
Applications page (see How to Create Custom Applications).
b. When choosing the port option, enter one port, a list of comma-separated ports, or a hyphenated range in the Port field.
11. In the Start Time and End Time fields, define a time interval in HH:MM (24 hour format) during which the rule is active. If desired,
narrow the time span to certain days of the week.
12. Click Add Rule.
The outbound firewall rule is now created and appears in the Inbound/Outbound Firewall Rules list. To change an existing firewall rule, click
the Edit icon under the Actions column, modify the rule and click Save Changes.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
46
How to Create Custom Applications
en
On the Applications page, view and define applications that can be used in firewall and Quality of Service rules. An application is a combination
of a protocol and one or more ports. You can create new applications or use the predefined ones, such as DNS, Email, and HTTP. The Custom
Applications table displays any applications that you have defined.
Create an Application
To create an application, complete the following steps:
1.
2.
3.
4.
5.
6.
7.
Log into the Barracuda Link Balancer web interface.
Go to the POLICY > Applications page.
In the Application field, enter a descriptive name for the application.
Select the desired protocol from the Protocol list.
In the Port Range field, enter one port, a list of comma-separated ports or a hyphenated range.
Click Add.
Click Save Changes.
As soon as the application is created it will show up in the Application list.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
47
How to Create NAT Rules
en
1:1 NAT rules are executed only if the Barracuda Link Balancer firewall is enabled or if a WAN link has the NAT setting enabled.
If an internal server needs to receive traffic from more than one WAN link, create a 1:1 NAT or port forwarding rule (see: How to Create Port
Forwarding Rules) for each WAN link. If you then create a DNS domain, the Barracuda Link Balancer will automatically generate A records based
on the Port Forwarding and 1:1 NAT rules.
In this article:
en
Before you Begin:
Create a 1:1 NAT Rule
Before you Begin:
The WAN IP address is the IP address used for general purpose NAT. If necessary, add the publicly accessible IP addresses to the configuration.
1. Log into the Barracuda Link Balancer Web Interface.
2. Go to the Basic > Links page.
3. Click the + sign to expand and edit the WAN link.
4.
5.
Add Additional IP Addresses which are the external IP addresses that are eligible to be used for 1:1
NAT.
Click Save Changes.
Create a 1:1 NAT Rule
1. Go to the FIREWALL > NAT page.
2. Enter a descriptive name in the Rule Name field.
3. From the Listen Link drop down field, select the WAN link to use.
4. If desired, enter the hostname or the fully qualified domain name associated with the IP addresses in the Hostname
field.
If you create a domain on the Services > Authoritative DNS page the Barracuda Link Balancer searches for matching domain
names in the Port Forwarding and 1:1 NAT rules. For every match, a DNS A record is created linking this hostname to its
external and internal IP addresses. You can enter a fully qualified domain name (e.g. www.example.com. with or without the
ending dot) or a hostname (e.g. www.example.com). If a hostname is entered, it is considered to be part of the default domain
that is specified on the Basic > IP Configuration page.
5. In the Forward IP field, type the private static IP address of the server which must be reachable from the LAN of the Barracuda Link
Balancer. Or, if creating a DNAT rule for a link, type a static IP address reachable through a WAN link (usually, the firewall IP address
reachable through WAN1).
6. Make sure that you clear the Disable check box to enable the rule.
7. To write an entry in the Firewall Log whenever this rule is executed, select the Log check box.
8. Select the Auto-create firewall rule check box to automatically create an inbound firewall rule to accept traffic for the external IP
address.
9. Click Add.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
48
How to Create Port Forwarding Rules
en
Port forwarding rules are executed only if the Barracuda Link Balancer firewall is enabled or if a WAN link has Port Forwarding enable
d (see: When the Firewall is Disabled).
Create port forwarding rules to direct traffic on an external port to a port on a private IP address. The return path is handled automatically. The
listen IP address on a specific WAN interface could be either the WAN IP address or one of the Additional IP Addresses on the same WAN
interface. If an internal server needs to receive traffic from more than one WAN link, create a 1:1 NAT or port forwarding rule for each WAN link. If
you then create a DNS domain, the Barracuda Link Balancer will automatically generate A records based on the Port Forwarding and 1:1 NAT
rules.
In this article:
en
Before you Begin:
Create an Inbound Port Forwarding Rule
When the Firewall is Disabled
Before you Begin:
The WAN IP address is the IP address used for general purpose NAT. If necessary, add the publicly accessible IP addresses to the configuration.
1.
2.
3.
4.
Log into the Barracuda Link Balancer web interface.
Go to the Basic > Links page.
Click the + sign to expand and edit the WAN link.
Add Additional IP Addresses, the external IP addresses that are eligible to be used.
An Additional IP Address used for port forwarding rules can NOT be used for 1:1 NAT rules.
5. Click Save Changes.
Create an Inbound Port Forwarding Rule
1.
2.
3.
4.
5.
Log into the Barracuda Link Balancer web interface.
Go to the FIREWALL > NAT page.
In the Port Forwarding Rules table, enter a descriptive name in the Rule Name field.
From the Listen Link field, select the WAN link to use to listen for incoming packets on the port.
If desired, enter the hostname or the fully qualified domain name associated with the IP addresses in the Hostname field.
If you create a domain on the Services > Authoritative DNS page the Barracuda Link Balancer searches for matching domain
names in the Port Forwarding and 1:1 NAT rules. For every match, a DNS A record is created linking this hostname to its
external and internal IP addresses. You can enter a fully qualified domain name (e.g. www.example.com. with or without the
ending dot) or a hostname (e.g. www). If a hostname is entered, it is considered to be part of the default domain specified on
the Basic > IP Configuration page.
6. In the Listen IP field, type the WAN IP address of this link and all of the Additional IP Addresses on the same WAN interface from the Ba
sic > Links page. Select the address to use.
7. Select either an application or a port for the rule:
a. When choosing the application option, select whether this rule should apply to any (*) application or only one from the Applicati
on list,
Applications let you define rules that apply to more than one port. You can define an application using the Policy >
Applications page (see How to Create Custom Applications).
b. When choosing the port option, enter one port, a list of comma-separated ports, or a hyphenated range in the Port field.
If multiple ports are being forwarded, then each port listed in the Listen IP Ports corresponds one-to-one with the
entries in the Forward IP Ports list. If there are no Forward IP Ports, traffic is forwarded to the same port from which it
was received.
8. Specify one or any protocol from the Protocol list.
9. In the Forward IP field, enter the private static IP address of the server which must be reachable from the LAN of the Barracuda Link
Balancer. Or, if creating a DNAT rule for a link, type a static IP address reachable through a WAN link (usually, the firewall IP address
reachable through WAN1).
10. In the Ports field, enter one port, a list of comma-separated ports, or a hyphenated range. If multiple ports are being forwarded, then
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
49
10.
11.
12.
13.
14.
each port in the Listen IP Ports list corresponds one-to-one with the the Forward IP Ports list. If there are no Forward IP Ports, traffic is
forwarded to the same port from which it was received.
Make sure that you deselect Disable to enable the rule.
Select Log to write an entry in the Firewall Log whenever this rule is executed.
Select Auto-create firewall rule to enable auto-creating an accompanying inbound Access Firewall Rule to accept traffic on the listen
link and port for the private IP address of the server.
Click Add.
When the Firewall is Disabled
If the Barracuda Link Balancer firewall is disabled, you can create a NAT rule to map the destination IP address of the inbound traffic on one
WAN link to an IP address on another WAN link.
This option is also known as WAN IP impersonation. It is not available for WAN1.
The NAT/Port Forwarding feature allows you to add a new link without requiring an update to rules on your network firewall.
1.
2.
3.
4.
Go to the Basic > Links page.
Click the WAN link to open the configuration.
Select Yes to enable the NAT/Port Forwarding setting.
Click Save Changes.
After saving your changes here, create a Port Forwarding rule using the Firewall > NAT page.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
50
VPN
en
These articles describe how to configure Site-to-Site VPN on the Barracuda Link Balancer. The configuration example provided demonstrates a
deployment of the Barracuda Link Balancer in context with the configuration of Cisco ASA VPN tunnels.
In this Section:
Site-to-Site VPN Overview
How to Create a Site-to-Site VPN Tunnel
Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
51
Site-to-Site VPN Overview
en
The Barracuda Link Balancer can act as an endpoint in a site-to-site VPN tunnel. The following sections describe the VPN capabilities and
explain the configuration steps.
In this article:
en
Site-to-Site VPN Tunnels
Creating VPN Tunnels
Creating a VPN in a NAT'd Environment
Failover and Failback
VPN Tunnel as Failover Link for a Broken Site-to-Site WAN Link
Troubleshooting a VPN Tunnel
Site-to-Site VPN Tunnels
You can create a site-to-site VPN tunnel between two Barracuda Link Balancers or between a Barracuda Link Balancer and another device that
supports IPsec. Networks connected via a tunnel will communicate as if they are on the same network, even though they are separated by the
Internet.
The Services > VPN page displays all tunnels and their status. You can add, disable, edit or delete a tunnel from this page.
Creating VPN Tunnels
When creating a tunnel, make sure that the relevant tunnel parameters on both ends are in sync. If needed, record the settings on the other
endpoint and compare them to the local endpoint. If the settings of the tunnel endpoints do not match, you may fail to establish a tunnel
successfully. Many tunnel security parameters are advanced settings and have been given reasonable defaults. If both endpoints are Barracuda
Link Balancers, use the defaults provided unless you have a specific reason for changing these settings.
For testing purposes, you may choose to start with a shared secret on both endpoints, but using SSL certificates is recommended in a production
environment. On the ADVANCED > Certificates page, upload the local and remote certificates.
Creating a VPN in a NAT'd Environment
If either the Barracuda Link Balancer or the remote endpoint is behind a device such as a firewall which is NAT'ing traffic, you must enable the
NAT-Traversal (NAT-T) option when creating the VPN tunnel. NAT-T is required to make IPsec and NAT work together. If the option is not
enabled, packets will be dropped on the receiving end. If the remote endpoint for the VPN is behind a NAT’ing device, enter the IP address for
the remote endpoint in the Remote NAT-T IP field. In this case, the Primary Remote Gateway IP address is the NAT’ing device. If only the local
Barracuda Link Balancer is behind a NAT’ing device, the Primary Remote Gateway IP address is the remote endpoint and the Remote NAT-T IP
field should be left blank.
In order for NAT-T to work, open UDP port 4500 on the firewall.The VPN log (on the LOGS > VPN Log page) will display which VPN endpoint is
NAT’d.
Failover and Failback
When configuring a tunnel you can specify a primary and a backup link. If the primary link fails, the tunnel will be re-established using the backup
link. When the primary link is restored, the tunnel will automatically fail back to using the primary link.
To configure VPN failover:
In New/Edit VPN Tunnel, select a working secondary WAN link in the Backup Local Link field. This WAN link must not be identical with
the Primary Local Link.
Enter a hostname or external IP address of a secondary WAN link on the remote VPN gateway into the Backup Remote Gateway field.
Note that just as the backup local link, the backup remote link must be an independent second Internet connection on the remote
gateway. VPN failover will not work if either endpoint uses the same WAN link for primary and backup.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
52
VPN Tunnel as Failover Link for a Broken Site-to-Site WAN Link
A VPN tunnel can be configured as a failover link replacing a temporarily broken WAN link. To make use of this feature, you must have
Barracuda Link Balancer with disabled firewall in each network which are connected through the failover tunnel. Both Barracuda Link Balancers
need to be configured to act as failover WAN endpoints. To activate the WAN failover, you must select the respective option in the VPN Status
configuration item of a VPN connection on each Barracuda Link Balancer in order to enable the failover tunnel for WAN1 (or, respectively, one of
the other interfaces). If the WAN link fails, the VPN connection will then be activated. When the WAN link is restored, the VPN connection will no
longer be used.
External firewalls must be configured properly to allow the VPN failover tunnel.
To make use this feature, please perform the following configuration tasks:
Add an IP/APP rule to send all site-to-site traffic via the WAN link and use the VPN as failover for this traffic.
Add an IP/APP rule to send all remaining traffic via any WAN link but do not expect this traffic to failover to the VPN.
IP/APP rules should be configured as described below to allow this to happen:
IP/APP rule #1: Src 192.168.17.0/24, App *, Dst 172.16.1.0/24, LB No, use MPLS, no Backup, no NAT
IP/APP rule #2: Src 192.168.17.0/24, App Ping, Dst 172.16.1.0/24, LB No, use MPLS, no Backup, no NAT
IP/APP rule #3: Src 0.0.0.0/0, App *, Dst 0.0.0.0/0, LB No, use DSL, no Backup, NAT yes
IP/APP rule #4: Src 0.0.0.0/0, App Ping, Dst 0.0.0.0/0, LB No, use DSL, no Backup, NAT yes
Troubleshooting a VPN Tunnel
If the Barracuda Link Balancer is unable to establish a tunnel then you may discover the problem by doing the following:
On the LOGS > VPN Log page, check the VPN Log to see if anything has been logged about the cause of failure.
On the SERVICES > VPN page, click Edit next to the tunnel entry to view the tunnel parameters. Check that the security and
authentication values match the tunnel parameters of the other end of the tunnel.
Check the link status using the BASIC > Status page.
External firewalls must be configured properly to allow the VPN failover tunnel.
Use the tools on the Advanced > Troubleshooting page to ping the remote gateway and perform other diagnostics on the network
connection. (For more information, see Troubleshooting.)
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
53
How to Create a Site-to-Site VPN Tunnel
en
You can create a VPN tunnel between two Barracuda Link Balancers or between a
Barracuda Link Balancer and another device that supports IPsec. When creating the
tunnel or modifying its parameters, ensure that the settings are correct and in sync on
both ends. If possible, display the configuration settings of the remote endpoint in
another browser window so that you can ensure that you enter them correctly here.
Related Article
Site-to-Site VPN Overview
In this article:
en
Step 1. Create the VPN Tunnel
Step 2. Specify the Security Policies
Step 3. Verify the IPsec Key Exchange Policy
Step 1. Create the VPN Tunnel
To configure the VPN tunnel settings on the Barracuda Link Balancer,
1.
2.
3.
4.
5.
6.
Log into the Barracuda Link Balancer web interface.
Go to the SERVICES > VPN page.
To create a new VPN tunnel, click ADD New VPN Tunnel.
Enter a descriptive Name for the tunnel. (The tunnel name does not have to match the name of the endpoint.)
From the Primary Local Link list, select the link that this tunnel will use.
From the Backup Local Link list, select a backup link. If the primary link fails, the tunnel will be reestablished using the backup link on
both ends. Thus, you must specify a backup link on both ends of the tunnel.
7. In the Primary Remote Gateway field, enter the hostname or IP address for the remote gateway.
8. In the Backup Remote Gateway field, enter the hostname or IP address for the backup remote gateway. If there is a failover, this
remote gateway will be used.
9. If either this Barracuda Link Balancer or the remote endpoint is behind a device such as a firewall which is NATting traffic, set Enable
NAT-Traversal to Yes and enter the IP address of the remote endpoint in the Remote
NAT-T IP field.
10. In the Local Network section, select the local subnets that can communicate using this VPN. This list includes the subnet local to the
Barracuda Link Balancer and the static routes listed on the Advanced > Advanced Networking page.
11. In the Remote Network field, enter the network addresses and subnet masks of any remote subnets you want accessible to local clients.
These addresses must exactly match the addresses specified on the remote endpoint. If the remote endpoint is a Barracuda
Link Balancer, the local subnets must be listed on this same page in the the remote endpoint Local Network list. You do not
need to include all possible remote subnets in this list.
12. Set Enable VPN to Yes to open the tunnel. (No closes the tunnel.)
Step 2. Specify the Security Policies
For testing purposes, start with a shared secret on both endpoints. In a production environment, you should
use certificates.
1. In the Security Policies section, select the IPsec
Keying Mode used for encrypting data:
If you choose Shared Secret, enter a password in the Shared Secret field. Be sure to enter this same
password on the device on the other end of the tunnel.
If you choose Trusted Certificates to use SSL certificates for authentication, proceed as follows:
a. If you have not already uploaded the local and remote certificates to the Barracuda Link Balancer
using the Advanced > VPN Certificates page:
i. Save your changes here first.
ii. Navigate to the Advanced > VPN Certificates page.
iii. Upload local and remote certificates.
iv. Navigate back to this page.
b. Uploaded signed certificates appear in the Local Certificate list. Select the correct one.
i. Saved CA certificates appear in the Remote Certificate list. Select the uploaded certificate
Copyright © 2015, Barracuda Networks Inc.
b.
i.
ii.
Barracuda Link Balancer Administrator's Guide - Page
54
for the remote endpoint.
Enter the distinguished name (e.g. my.domain.com) for the remote endpoint.
Step 3. Verify the IPsec Key Exchange Policy
IPsec Key Exchange is a protocol that allows devices to exchange information required for secure communication. If the endpoint is also a
Barracuda Link Balancer, then unless you have a specific reason for changing these settings, use the defaults provided. Otherwise, make sure
the settings here are in sync with those on the other end of the tunnel. Any matches whatever the endpoint uses.
If you choose one of the other options, make sure the endpoint is using the same options. Do not choose Any on both endpoints for
any of the values here because the negotiation required slows the creation of the tunnel.
Specify the following settings for Phase 1 and Phase 2:
1. In the Encryption and Authentication field, choose the encryption and authentication algorithms.
2. Select the Diffie-Hellman group to use from the DH Group list. Recommended: DH Group 2 (1,024 bits of keying strength). DH Group 5
uses 1536-bit encryption. DH Group 14 (2,048 bits of keying strength) may be used for maximum security.
3. In the Lifetime fields, enter how long, in seconds, this key exchange policy exists before it needs to be renegotiated.
Perfect Forward Secrecy or PFS (IPsec Key Exchange Policy Phase 2 only) ensures that even if your current private key is compromised, all
past and future communication cannot be decrypted with this private key. This setting must match the PFS setting on the remote endpoint.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
55
Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels
en
This article provides a reference for deploying a Barracuda Link Balancer under the
following conditions:
1. In transparent (firewall-disabled) mode in front of a Cisco ASA firewall that is
an endpoint for a site-to-site VPN tunnel.
2. In firewall-enabled mode as a remote VPN endpoint with the Cisco ASA on the
other end.
Related Article
Site-to-Site VPN Overview
How to Create a Site-to-Site VPN
Tunnel
This example combines both scenarios. That is, assume a corporate headquarters with an existing Cisco ASA device and a branch office in
Michigan. To improve the network uptime and resilience, the company installs a Barracuda Link Balancer at both sites. At headquarters it is
deployed in transparent (firewall-disabled) mode upstream of the Cisco ASA device. In Michigan, it is deployed in firewall-enabled mode.
In this article:
Before You Begin
Configuring Cisco ASA
Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough
Configuring the Remote Barracuda Link Balancer (at Michigan)
Verify Whether the Tunnel Works
Troubleshooting
Both the Barracuda and the Cisco devices must have static WAN IP addresses in order to set up a VPN tunnel between them.
Barracuda Labs has tested and validated the settings described in this document. All settings and screenshots contained in this
document are taken from a Barracuda Link Balancer version 2.4.1, and a Cisco device running Cisco Adaptive Security Appliance
Software version 8.2 and Cisco Device Manager version 6.2.
Before You Begin
Barracuda recommends using release version 2.4.1 or newer on the Barracuda Link Balancer. To update your Barracuda Link Balancer
units, you can install the newest firmware from the ADVANCED > Firmware Updates page. For more information, see How to Update
the Firmware.
Before proceeding, please collect all information in the table below that is valid for your setup. The example values in the table are used in this
article.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
56
Corporate Headquarters (uses Cisco ASA)
1
Unused Public IP from ISP*
111.1.1.100/24
2
Local network behind Cisco ASA
192.168.1.0/24
3
Management IP of the Cisco ASA
10.11.23.33
4
Outside interface for VPN endpoint on Cisco
ASA
111.1.1.100/24
5
Mgmt IP of Barracuda Link Balancer at
Headquarters
10.11.23.157
6
Mgmt IP of Cisco ASA
10.11.23.33
7
Mgmt IP of Barracuda Link Balancer
(Michigan branch)
10.11.23.165
8
Remote network
172.24.0.0/16
9
WAN IP for Barracuda Link Balancer for
tunnel endpoint
109.1.1.1/24
Remote Site – Michigan
* To avoid changing the existing configuration on the Cisco ASA, provision an additional public IP address from your ISP on the WAN
port of the Barracuda Link Balancer and retain the WAN IP address on the Cisco ASA. If necessary, contact your ISP in order to obtain
a new IP address.
The network diagram below shows the headquarters on the left and the Michigan branch office on the right.
The headquarters has an existing Cisco ASA firewall which forms an IPsec tunnel with a Barracuda Link
Balancer at the branch office. A Barracuda Link Balancer is deployed at the headquarters in front of the Cisco
ASA in transparent mode. In this mode, it does not terminate the VPN but just passes the VPN traffic through
to the Cisco ASA.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
57
Configuring Cisco ASA
To configure an IPsec VPN on the Cisco device requires the following configuration steps:
1. Configure Interfaces and ACL for the Tunnel
2. Configure Phase 1
3. Configure Phase 2
Step 1. Configure Interfaces and ACL for the Tunnel
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 111.1.1.100 255.255.255.0
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 0
ip address 192.168.1.254 255.255.255.0
# this will be the tunnel endpoint
This access list (MI_Tunnel) is used with the crypto map (MI_Map) to determine which traffic needs to be encrypted and sent across the tunnel:
access-list MI_Tunnel extended permit ip 192.168.1.0 255.255.255.0 172.24.0.0 255.255.0.0
Step 2. Configure Phase 1
The following configuration commands define the Phase 1 policy parameters to be used. A policy is created with priority=1 used to negotiate the
IKE SA.
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
#
#
#
#
#
Priority = 1
Use pre-shared keys
3des is more secure for encryption than des
use sha-1 for max protection (though less throughput)
group 2 provides adequate security; avoid group 1
Now, enable ISAKMP on the interface that terminates the VPN tunnel:
crypto isakmp enable outside
Step 3. Configure Phase 2
1. Define the transformation set for Phase 2. It will be used in the crypto map entry.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
2. Define a crypto map and specify which traffic should be sent to the IPsec peer with the access list defined above.
crypto map MI_Map 1 match address MI_Tunnel
3. Set the IPsec peer (remote endpoint) to the appropriate WAN port on the Barracuda Link Balancer:
crypto map MI_Map 1 set peer 109.1.1.1
4. Configure the IPsec transform set ESP-3DES-MD5 to be used with the crypto map entry:
crypto map MI_Map 1 set transform-set ESP-3DES-MD5
5. Specify the interface to be used with the settings defined in this configuration:
crypto map MI_Map interface Outside
6. Disable NAT-T and set the Phase 2 lifetime:
crypto map MI_Map 1 set nat-t-disable
crypto map MI_Map 1 set security-association lifetime seconds 3600
7. Create the tunnel group and assign the preshared key for authentication:
tunnel-group 109.1.1.1 type ipsec-l2l
tunnel-group 109.1.1.1 ipsec-attributes
pre-shared-key my_secret_key
# must be identical to the key on the remote peer
ICMP must be enabled on the IP address of the Cisco device to allow the Barracuda Link Balancer at headquarters to perform health
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
58
checks for the remote VPN endpoint.
Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough
To configure the Barracuda Link Balancer at headquarters, complete the following major steps:
1. Add Missing Applications
2. Configure the IP / Application Routing
3. Define Actions to be Taken
To allow the VPN traffic to pass through, outbound routing rules for the following applications must be configured:
ESP
IKE
NAT-T
GRE
PPTP
AH
GRE, PPTP, AH and NAT-T are not really required in this deployment. However, they are mentioned here for completeness, and are
useful when you want to allow other tunnels to pass through the Barracuda Link Balancer.
Step 1. Add Missing Applications
IKE, GRE, and PPTP are included in the Predefined Applications by default. Navigate to POLICY > Applications > Custom Applications and
create custom applications for ESP, AH, and NAT-T with the following settings:
Application
Settings
ESP
Application Name: ESP
Protocol Type: ESP
AH
Application Name: AH
Protocol Type: AH
NAT-T
Application Name: NAT-T
Protocol Type: UDP
Port Number: 4500
Step 2. Create a New IP / Application Routing Rule
Navigate to POLICY > Outbound Routing > IP/Application Routing and add a new rule with a unique Rule Name. Configure the following
condition fields:
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
59
Setting
Description
Source IP Address
The IP address (e.g. 111.1.1.100) being NAT’d on the Cisco ASA
Source Netmask
The netmask (e.g. 255.255.255.255 if it is a single host, or, if it is a
set of IP addresses, the subnet mask must reflect that accordingly).
Application
Create rules here for each protocol.
Destination IP Address
The IP address of the VPN remote gateway (e.g. 114.1.1.21).
Destination Netmask
The netmask (e.g. 255.255.255.255 if it is a single host, or, if it is a
set of IP addresses, the subnet mask must reflect that accordingly).
Link Balance
Select No and then select a Primary and a Backup link:
Primary Link — Select Default to direct the outgoing traffic
to the WAN link on the same subnet. Alternatively, select a
specific link from the list to bind traffic to that link.
Backup Link — Select None to drop traffic if the primary
link is not available. Or, select a specific link from the list to
bind traffic to that link.
To maintain the original source IP address if there is no backup link,
clear this check box. If there is a backup link, select the NAT check
box and add Source Network Translation rules to retain the original
source IP address(the NAT'd IP address on the firewall behind the
Barracuda Link Balancer) for the five applications.
NAT
The rules in the IP/Application Routing table are processed from top to bottom, in the order listed in the table. Only the first matching
rule is executed. New rules are added to the bottom of the table. To change the order of rules, use the arrows on the right side of the
table. Also, if you have a large number of tunnels with varying peer addresses, it might be more convenient to relax the Source and De
stination fields and use only the Application field for rules.
Configuring the Remote Barracuda Link Balancer (at Michigan)
Create a new tunnel at the remote Barracuda Link Balancer (running in firewall-enabled mode) to connect with the Cisco ASA. Make sure that the
Security Policies > Phase 1 and Phase 2 settings are identical to the Cisco settings.
The following table provides the reference settings for adding the new VPN tunnel:
Section
Settings
Edit VPN Tunnel
Enable NAT-Traversal: No
Remote NAT-T IP: No
Security Policies
IPsec Keying Mode: Shared Secret
Shared Secret: my_secret_key
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
60
IPsec Key Exchange Policy Phase 1
Encryption: 3DES
Authentication: MD5
DH Group: Group 2
Lifetime: 86400
IPsec Key Exchange Policy Phase 2
Encryption: 3DES
Authentication: MD5
Enable Perfect Forward Secrecy: No
DH Group: Group 2
Lifetime: 3600
Verify Whether the Tunnel Works
After the tunnel has been established successfully, a green check mark displays next to it on the VPN page on the Barracuda Link Balancer at
both corporate headquarters and Michigan. Both private IP addresses should now be accessible using the ping command.
Troubleshooting
A yellow triangle next to the VPN tunnel on the VPN page of the Barracuda Link Balancer indicates that something does not work as intended.
To troubleshoot:
Check the LOGS > VPN Log page on the Barracuda Link Balancer.
You can also refer to the logs generated by the Cisco ASDM web interface.
Make sure that routing is correctly configured on the client networks and on the Cisco device. Cisco ASDM provides network logs.
You may also use the TCP Dump command on the ADVANCED > Troubleshooting page on the Barracuda Link Balancer.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
61
High Availability
en
The High Availability option allows you to link two Barracuda Link Balancers as a clustered active/passive pair. Both systems connect to the WAN
links, but only one actively processes traffic at any time. The two systems continuously share most configuration settings and monitor one
another’s health. If clustering two Barracuda Link Balancers is not an option, as an alternative, consider configuring Ethernet Passthrough. (This
feature is only available on certain models.)
In this Section
High Availability Overview
Planning Your High Availability Deployment
How to Create a High Availability Cluster
How to Remove a System from a Cluster
How to Update the Firmware on Clustered Systems
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
62
High Availability Overview
en
This article provides a general overview of the requirements for a High Availabilty configuration with two Barracuda Link Balancers and explains
available deployment options.
In this article:
en
Operation of High Availability (HA)
Requirements for Clustered Systems
Ethernet Passthrough
Physical Connectivity of Clustered Systems
Synchronizing Data on Clustered Systems
Failover and Failback
Operation of High Availability (HA)
High Availability configuration results in an active-passive pair of Barracuda Link Balancers. The active system handles all traffic until one of the
following components experiences a failure or an outage:
The LAN connection.
All WAN links (administrator configurable option).
The Barracuda Link Balancer appliance.
If any of the above conditions is detected, the passive system becomes active and link balances all traffic from the WAN links. Clustered
Barracuda Link Balancers communicate according to the Virtual Router Redundancy Protocol (VRRP) specification. Both are configured with a
single virtual IP address called the VRRP virtual IP address. This address is serviced only by the active system. If the Barracuda Link Balancer
firewall is enabled, then the VRRP virtual IP address is the default gateway for devices on the LAN. In the event of a system failure, the other
system in the cluster assumes the VRRP virtual IP address and becomes the active system in the cluster. An alert message is sent to the
administrator.
You should use the VRRP virtual IP address to manage the Barracuda Link Balancer since that always points to the active system. Changes will
automatically be propagated to the passive system.
Requirements for Clustered Systems
Before joining two systems together, each Barracuda Link Balancer must meet the following requirements:
Model 330 or higher.
Exact same model as the other Barracuda Link Balancer.
Activated and on the same firmware version. The High Availability capability is only available on firmware 2.x and later.
Accessible to the other Barracuda Link Balancer on the LAN interface. This applies only if you do not plan to use the LAN2 port for
clustering.
Ethernet Passthrough
If clustering two Barracuda Link Balancers is not an option, as an alternative, consider configuring Ethernet Passthrough. If Ethernet
Passthrough is configured and the Barracuda Link Balancer fails, all traffic from WAN1 will be passed directly to the LAN.
Do NOT enable this feature under the following conditions:
Your network relies on the Barracuda Link Balancer firewall to perform IP or port address translation for internal IP addresses.
You have clustered systems and the passive system will take over if this system fails.
Physical Connectivity of Clustered Systems
All Barracuda Link Balancer cluster pairs may be linked using the LAN interface. Certain models also support a LAN2 interface: if there is a
physical LAN port on the front panel, the Ethernet port on the back is the LAN2 port.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
63
Linking two systems using the LAN2 port ensures that communication between the two is not delayed or compromised by other traffic on the
LAN. Thsi increases the reliability of the connection and may reduce the time required to fail over. Use a crossover cable between the LAN2 ports
to connect the two systems. The LAN2 IP addresses must be on the same subnet.
Synchronizing Data on Clustered Systems
When two Barracuda Link Balancers are initially joined, most configuration data, such as WAN settings, firewall rules, VPN settings and operating
mode, is copied from the primary system of the cluster to the backup system (the system that joins the cluster). This configuration data is
synchronized between the systems on an ongoing basis. However, the following configuration data are unique and are not synchronized between
the two systems:
LAN IP address, LAN2 IP address, DNS servers, default domain and time zone.
System password, time zone and web interface HTTP port, as configured on the BASIC > Administration page.
All parameters on the ADVANCED > Appearance page.
The HTTPS port and SSL certificate used to access the web interface, as configured on the ADVANCED > Secure Administration pag
e.
Failover and Failback
There is an automatic failback option you can configure if you want the original active (primary) system to resume link balancing upon its recovery
after failover. Configure this on the ADVANCED > High Availability page. Alternatively, you can manually switch to the primary system using the
Failback command available on the same page.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
64
Planning Your High Availability Deployment
en
Clustered Barracuda Link Balancers may require extra equipment.You may need to add switches so that the WAN links can connect to two
systems. To deploy in front of an existing firewall, you will need to add a switch between the Barracuda Link Balancers and the firewall (or two
switches for dual firewalls).
In this article:
en
In Front of a Single Network Firewall
In Front of Dual Network Firewalls
No External Firewalls
Best Practices for Setting Up HA on Models 330 and 430
The following figures show sample deployments of a pair of clustered Barracuda Link Balancers with: a single firewall; two clustered firewalls; and
with no external firewall.
In Front of a Single Network Firewall
The figure below shows two Barracuda Link Balancers deployed with one network firewall. The LAN IP addresses of the two Barracuda Link
Balancers and the VRRP virtual IP address must all be on the same subnet.
In Front of Dual Network Firewalls
The following figure shows two Barracuda Link Balancers and two clustered firewalls. The LAN IP addresses of the two Barracuda Link Balancers
and the VRRP virtual IP address must all be on the same subnet.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
65
No External Firewalls
The following figure shows two Barracuda Link Balancers with the firewall enabled. As in the other deployment examples, the LAN IP addresses
of the two Barracuda Link Balancers and the VRRP virtual IP address must all be on the same subnet. Note that only in this example, the VRRP
virtual IP address is the default gateway for devices on the LAN. If you add a second Barracuda Link Balancer to a network where the gateway of
the client devices was already configured to use the LAN IP address of the first Barracuda Link Balancer, you could assign a new LAN IP address
to that Barracuda Link Balancer and use its original LAN IP address as the VRRP virtual IP address.
Best Practices for Setting Up HA on Models 330 and 430
Use switches (resulting in multiple collision domains) instead of hubs (resulting in a single collision domain).
Make sure the ARP cache timeout on the switches is not set too high. Typically, 60 to 180 seconds is a good range.
You should use different switches for the various WAN links instead of one common switch for all of them. However, if only a single
common switch is used, make sure to use a manageable switch and configure your VLANs to create multiple broadcast domains for
each WAN link respectively.
Make sure your network architecture logically matches the respective figure on this page.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
66
How to Create a High Availability Cluster
en
The following instructions describe how to deploy a pair of Barracuda Link Balancers in a cluster. Prior to clustering Barracuda Link Balancers,
you should place the systems into their production IP address range. This will save you from reconfiguring the cluster later because of an IP
address change.
In this article:
en
Step 1. Complete the Installation Process for Both Systems
Step 2. Create the Cluster
Step 3. Connect WAN Links and Test
Step 4. Put in Production
Step 1. Complete the Installation Process for Both Systems
To prepare the Barracuda Link Balancers for clustering, put both systems into the production location on the network.
Complete the following steps:
1. If the primary system is a brand new unconfigured system, then you need to install, configure and test the primary system as described
in the installation articles. If the primary system is already configured and operational, update its firmware. If the firewall is enabled,
change its LAN IP address to a new value. Use its original LAN IP address as the VRRP virtual IP address.
2. On the backup system, configure a WAN link, connect to the Internet, and activate the system (BASIC > Status). Then configure the
LAN IP address, LAN2 IP address (optional), and the default domain (BASIC > IP Configuration). Set the time zone to be the same as
the primary system (BASIC > Administration). Then update the firmware (ADVANCED > Firmware Update). Connect to the LAN. To
use the LAN2 ports, connect them with a crossover cable.
Step 2. Create the Cluster
Navigate to the ADVANCED > High Availability page on each system to be clustered, and perform the following steps:
1. On the primary system, enter values into the fields in the Cluster Settings section, and save your changes.
2. On the backup system, enter the same values for the cluster settings and save your changes. In the Clustered Systems section, enter
the LAN2 IP address of the primary system (if it is to be used) or the LAN IP address of the primary system and click Join Cluster. The
backup system will reboot.
3. When the backup system comes back up, refresh the Advanced > High Availability page on both systems and verify that each
system’s LAN or LAN2 IP address appears in the Clustered Systems table and the Status of each system is green.
The systems are now joined. The shared configuration settings of the primary system (as listed in Synchronization of Data Between Clustered
Systems) will be copied to the secondary system, and each system will begin monitoring the health of the other system.
Step 3. Connect WAN Links and Test
Connect all WAN links to the backup Barracuda Link Balancer. To test the clustering capability, power off the active system. The backup system
should take over the link balancing function. Power the system back on to test automatic failback. If you chose the option to failover if all WAN
links are down, then test this by removing the WAN links from the active system. You can also configure specific WAN links to trigger the failover.
Step 4. Put in Production
From now on, always use the VRRP virtual IP address to manage the Barracuda Link Balancer to be sure that any changes you make occur
immediately on the active system.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
67
How to Remove a System from a Cluster
en
To remove a Barracuda Link Balancer system from a High Availability cluster you must erase its cluster settings and disconnect its network links.
If the remaining system will no longer be in a cluster, it should have its cluster settings removed, and possibly should have its LAN IP address
changed to the VRRP virtual IP address of the cluster.
Use the LAN IP addresses of the Barracuda Link Balancers to access their web interfaces while separating them. As soon as one system is
removed from the cluster, the VRRP virtual IP address will no longer be usable.
Remove a Barracuda Link Balancer from a Cluster
On the Barracuda Link Balancer you want to remove from the cluster, perform the following steps:
1.
2.
3.
4.
Navigate to the Advanced > High Availability page.
Click the garbage can icon to delete the other system from the Clustered Systems table.
Remove the WAN, LAN and LAN2 links connected to this system.
Review this system's other settings and make changes as necessary.
If you want to replace the removed system with another Barracuda Link Balancer, go to the Advanced > High Availability page on the
remaining system and click the garbage can icon to delete the removed system from the Clustered Systems table. Then add the new system to
the cluster.
Remove Cluster Parameters
To remove all cluster parameters from the remaining system:
1.
2.
3.
4.
5.
6.
Go to the Advanced > High Availability page.
Clear the Cluster Shared Secret password.
Click Save Changes. The login screen will appear.
Sign in and navigate to the Advanced > High Availability page.
Click the garbage can icon to delete the other system from the Clustered Systems table.
Set Enable Ethernet Passthrough to Enable if applicable.
If the Barracuda Link Balancer firewall is enabled, the VRRP virtual IP address is the default gateway for devices on the LAN. Configure that
address as the LAN IP address of this system on the Basic > IP Configuration page. The system will reboot.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
68
How to Update the Firmware on Clustered Systems
en
To prevent a transfer of control from one system to the other while a firmware update is in progress, you must disable automatic failback on the H
igh Availability page before attempting to update the firmware on either system.
Do not manually power-cycle the Barracuda Link Balancer at any time during the update process, because power cycling may cause
firmware corruption.
Update the Firmware
You should update the firmware on the passive system first, and then update the firmware on the active system.
On each system (passive then active), perform the following steps:
1.
2.
3.
4.
Go to the ADVANCED > High Availability page.
In the Cluster Settings section, set the Failback Mode to Manual.
Click Save Changes.
Go to the ADVANCED > Firmware Update page. If a more recent firmware version is available, the Download Now button will be
enabled.
5. Click Download Now. Click Refresh to update the download progress display at any time.
6. To update the firmware, click Apply Now.
Enable automatic failback, if desired, after both systems have been updated and are back online.
1. Go to the ADVANCED > High Availability page.
2. In the Cluster Settings section, set the Failback Mode back to Automatic.
3. Click Save Changes.
Revert the Firmware
The Firmware Update page allows you also to revert to a previous firmware version. You should only revert to an old firmware version if your
recently downloaded version causes unexpected problems. Always contact Barracuda Networks Technical Support before reverting to a previous
firmware version.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
69
Monitoring
en
The following article explains the monitoring processes of the Barracuda Link Balancer. Models 330 and above provide a variety of reporting
features for WAN links, VPNs and other system components.
In this Section
Basic Monitoring
SNMP Monitoring
System Reports
Viewing Logs
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
70
Basic Monitoring
en
On the basic monitoring pages you can access information about system performance and traffic throughput of your Barracuda Link Balancer.
In this article:
en
Status Overview
Live Report
Status Overview
The Basic > Status page provides an overview of health and performance of your Barracuda Link Balancer, including utilization and status of
links, the subscription status of Energize Updates and system and hardware statistics including CPU temperature and system load. Performance
statistics display in red to signify that the value exceeds the normal threshold.
The Status page shows incoming and outgoing traffic statistics for each WAN link. You can also view WAN link utilization and connection status
by scrolling over the WAN port graphic on the BASIC > Links page. View the status of VPN tunnels on the SERVICES > VPN page.
Live Report
To view real-time traffic throughput on your Barracuda Link Balancer, go to the BASIC > Live Report page. The Dashboard section displays live
traffic throughput. By default, it shows all traffic passing through the WAN ports in each direction. You can filter this information by Link, Directio
n, or Time.
The Top Ten Users section limits the displayed real-time data to the top ten IP addresses. By default, data reflecting all WAN ports within the last
30 seconds is displayed. You can filter this data by Link and Time.
In transparent mode, all traffic comes from the firewall IP address, so this diagram is not useful in transparent mode.
The Top Ten Application section limits the displayed real-time data to the top ten applications. By default, data reflecting all WAN ports within
the last 30 seconds is displayed. You can filter this data by Link and Time. Only the following applications are displayed in the Top Ten
Application diagram:
HTTP
FTP
SSH
Telnet
SIP
Skype
BitTorrent
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
71
Kazaa
AIM
MSN Messenger
More applications are known and available on the POLICY > Bandwidth Mgmt page in the Quality of Service section.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
72
SNMP Monitoring
en
Your SNMP monitor or other network management program can query the Barracuda Link Balancer SNMP agent for WAN link traffic statistics,
volume of traffic going to and from the LAN, and hardware status. You can also receive SNMP traps generated if the WAN links become
unavailable or if the Barracuda Link Balancer exceeds certain thresholds such as disk space usage.
Configure SNMP
To allow and configure SNMP access to the Barracuda Link Balancer,
1.
2.
3.
4.
5.
6.
7.
8.
Log into the Barracuda Link Balancer web interface.
Navigate to the BASIC > Administration page.
In the SNMP section, enable the Barracuda Link Balancer to accept and respond to SNMP queries.
Set the SNMP version to v2c or v3 depending on your requirements.
Update the SNMP community string.
In the Allowed SNMP IP/Range field, enter a range of IP addresses allowed to connect to the Barracuda Link Balancer using SNMP.
In the SNMP Traps section, configure IP addresses to send SNMP traps.
Click Save Changes.
An SNMP monitor can access the Barracuda Link Balancer via any of the WAN or LAN IP addresses, although you should use the LAN in case
one of the WAN links goes down. Obtain and import these two MIB files to your SNMP monitor:
The Barracuda Link Balancer MIB
The Barracuda Reference MIB (standard across all Barracuda Networks products).
The MIB files are located on the Barracuda Link Balancer and can be obtained by replacing [LB IP] in the following URLs with the management IP
address of your Barracuda Link Balancer:
http://[LB IP]:8000/Barracuda-BWB-MIB.txt
http://[LB IP]:8000/Barracuda-REF-MIB.txt
SNMP Traps
An SNMP trap is generated by the Barracuda Link Balancer SNMP agent every five minutes under any of the following conditions:
CPU temperature exceeds its threshold.
System temperature exceeds its threshold.
CPU fan is dead.
System fan is dead.
Firmware storage exceeds its threshold.
Log storage utilization exceeds its threshold.
WANx is down.
WANx is up.
WANx reaches configured saturation threshold.
A high availability state change occurred.
Traps are sent to the SNMP trap receivers specified on the BASIC > Administration page. When any event is first noted, an email alert is sent
to the system alerts email address specified on the BASIC > Administration page. If an error condition continues to be detected, an email is
sent every hour to the same email address.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
73
System Reports
en
Reporting is only available on the Barracuda Link Balancer 330 and above.
Choose from various reports to track Barracuda Link Balancer activity. You can either instantly view an on-demand report, or automatically
generate scheduled reports for later viewing.
Reports capture the following:
The average bandwidth usage by hour.
The total traffic by date.
The total link uptime by date.
The average VPN bandwidth usage by hour.
The VPN traffic by date.
The average TCP connections per hour.
The TCP connections by date.
Reports can also include any of the following logs:
Inbound link balancing
Firewall activity
VPN activity
Link failover events
Device failover events
Create a Report
The Reports page allows you to select criteria for compiling the report, and define layout and output options. To create a report,
1.
2.
3.
4.
5.
Log into the Barracuda Link Balancer web interface.
Go to the BASIC > Reports page.
In the Report Options section, define a time frame for the report.
In the Links section, select the interface links to use in the report.
In the VPN section, select the VPN tunnels to include.
If any VPN information is included in the report, it cannot be scheduled or executed without at least one VPN tunnel.
6. Choose whether to analyze inbound traffic, outbound traffic, or both.
7. In the Formatting section, specify desired layout and output options. The Trends and Logs/Summary sections provided below allow
specification of Trend graphs and a selection of activity log summaries which can be included in the report.
After making your selection, you may either execute report generation immediately by saving the changes, or you may schedule it for later and/or
repeating execution.
Schedule a Report
1. Complete the steps to create a report as described in Create a Report.
2. In the Schedule Report section, fill in Report Group Name.
3. Select your delivery options. Choose Email or External Server (for FTPing or SMBing it) as the transport method. External Server requir
es you to provide the external server’s IP address or hostname and user credentials.
4. Click Schedule Report.
Once a report is scheduled, it appears in the Scheduled Reports section below the edit, disable, or delete section.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
74
Viewing Logs
en
The Barracuda Link Balancer provides three types of logs under the LOGS tab:
Event Log - General system events.
Firewall Log - Firewall events.
VPN Log - Information about VPN tunnels.
Using the web interface, you can delete the log, filter the log entries that are displayed or export them to a CSV file.
View the system log displayed on the LOGS > Event Log page to see events that have occurred. These include:
Link Status - A WAN link has become active or gone down; a link could not be detected.
DHCP Events - An IP address was handed out.
Failed Login Attempts - If the Barracuda Link Balancer firewall is enabled, you can view the firewall log on the LOGS > Firewall Log p
age to see rules that have been executed and whether the traffic was dropped or allowed. Only rules that have the Log check box
selected in their rule entry (under the Firewall tab) are logged in this way. Check recent VPN tunnel activity on the LOGS > VPN Log pa
ge. When any of these logs reaches their predetermined size a new log is started. To have these logs emailed or sent to an FTP or SMB
server on a regular basis, use the BASIC > Reports page (for the Barracuda Link Balancer 330 and above).
Using a Syslog Server
Only Barracuda Link Balancer Model 430 allows Syslog Server functionality.
Syslog is a standard UNIX/Linux tool for logging messages and is available on all UNIX/Linux systems. The Barracuda Link Balancer writes to the
syslog for link and system events. To configure a Syslog Server to centrally monitor system logs, go to the ADVANCED > Syslog page and
specify the servers to which syslog data is sent.
Viewing System Tasks
Go to the ADVANCED > Task Manager page to see a list of tasks that are in the process of being performed and any errors encountered when
performing these tasks. Background tasks include firmware download and configuration restoration.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
75
Maintenance
en
The following section shows how to perform backup tasks for your system configuration, update the firmware of your Barracuda Link Balancer,
and use built-in troubleshooting tools.
In this Section
Reloading, Restarting, and Shutting Down the System
How to Backup and Restore Your System Configuration
How to Update the Firmware
Troubleshooting
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
76
Reloading, Restarting, and Shutting Down the System
en
This article describes the shutdown, reboot and reload functions of the Barracuda Link Balancer and explains how to use the recovery console in
case of system failure.
CAUTION! Use
of these controls temporarily interrupts all Barracuda Link Balancer operations.
In this article:
en
Shutting Down and Restarting the System
Rebooting the System in Recovery Mode
Reboot Options
Using the RESET Button to Reset the LAN IP Address
Shutting Down and Restarting the System
To shut down, restart, or reload the system configuration of your Barracuda Link Balancer:
1. Go to the BASIC > Administration page.
2. In the System Reload/Shutdown section at the bottom, select the desired option:
Shutdown - Shuts down and powers OFF the Barracuda Link Balancer.
Restart - Reboots the Barracuda Link Balancer.
Reload - Reapplies the system configuration.
You can also reboot the Barracuda Link Balancer by pressing RESET on the front panel of the Barracuda Link Balancer. Do not press and hold
the RESET button for more than a couple of seconds. Holding it for five seconds or longer changes the IP address of the system. For more
information, see Using the RESET Button to Reset the LAN IP Address.
Rebooting the System in Recovery Mode
If your Barracuda Link Balancer experiences a serious issue that impacts its core functionality, you can use diagnostic and recovery tools,
available at the reboot menu, to return your system to an operational state. Before you use the diagnostic and recovery tools, do the following:
Use the built-in troubleshooting tools on the Troubleshooting page to help diagnose the problem (see: Troubleshooting).
Perform a system restore from the last known good backup file (see: How to Backup and Restore Your System Configuration).
Contact Barracuda Networks Technical Support for additional troubleshooting tips (see: Contacting Barracuda Networks Technical
Support).
As a last resort, you can reboot your Barracuda Link Balancer and run a memory test or perform a complete system recovery, as described in this
section. To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your Barracuda Link Balancer.
2. Reboot the system by clicking Restart on the BASIC > Administration page.
3. Press the Power button on the front panel to power the system off, and then press Power again to power the system back on. The
Barracuda splash screen displays with three reboot options explained below.
4. Use your keyboard to select the desired boot option, and click Enter. You must select the boot option within three seconds of the splash
screen appearing or the Barracuda Link Balancer defaults starts up in the normal mode (first option).
Reboot Options
The following table describes the reboot menu options.
Reboot Option
Barracuda
Description
Starts the Barracuda Link Balancer in the normal (default) mode. This
option is the default unless another option is specified within the first
three (3) seconds of the splash screen appearing.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
Recovery
77
Displays the Recovery Console where you can choose among the
following options:
Perform file system repair - Repairs the file system on the
Barracuda Link Balancer.
Perform full system re-image - Restores the factory settings
on your Barracuda Link Balancer and clears out all configuration
information.
Enable remote administration - Initiates a connection to
Barracuda Central that allows Barracuda Networks Technical
Support to access the system. Another method for enabling this
troubleshooting connection is to click Establish Connection to
Barracuda Central on the ADVANCED > Troubleshooting pag
e.
Run diagnostic memory test - Runs a diagnostic memory test
from the operating system. If problems are reported when
running this option, we recommend running the Hardware_Test
option next.
Performs a thorough memory test that uncovers most memory
related errors within a two-hour time period. The memory test is
performed outside of the operating system and can take a long time
to complete. Reboot your Barracuda Link Balancer to stop the
hardware test. You may do this by pressing Ctrl-Alt-Del on the
keyboard, or by pressing the RESET button on the Barracuda Link
Balancer.
Hardware_Test
Using the RESET Button to Reset the LAN IP Address
The Barracuda Link Balancer is assigned a default LAN IP address of 192.168.200.200. You can change this IP address in one of three ways:
In the web interface, go to the BASIC > IP Configuration page.
Connect a VGA monitor and a keyboard to the back of the Barracuda Link Balancer. Use the serial console. (username admin,
password admin)
Press the RESET button on the front panel.
Pressing RESET for five seconds sets the LAN IP address to 192.168.200.200. Pressing RESET for eight seconds changes the LAN IP address
to 192.168.1.200. Pressing the button for 12 seconds changes the LAN IP address to 10.1.1.200. You will notice the three LEDs on the front
panel flash at the same time intervals.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
78
How to Backup and Restore Your System Configuration
en
You should back up your system regularly so, if necessary, you can restore your configuration on a Barracuda Link Balancer. To restore a backup
file on a new Barracuda Link Balancer that is not configured, first enter the IP address and DNS information for the new system on the BASIC >
IP Configuration page.
In this article:
en
Backup Your System Configuration
Configure Automatic Backups
Restore Your System Configuration
Backup Your System Configuration
This section describes how to create a single backup of the current system configuration and download the backup file (*.bak) to your local
computer. To back up and restore the current system configuration of your Barracuda Link Balancer,
1. Log into the Barracuda Link Balancer web interface.
2. Go to the ADVANCED > Backups page.
3. To back up the current system configuration, click Backup.
The following information is not included in the backup file:
System password
System IP information
DNS information
Configure Automatic Backups
To schedule automated backups of the current system configuration, use the Automated Backups section. Store the backup files on a remote
server.
1. Log into the Barracuda Link Balancer web interface.
2. Go to the ADVANCED > Backups page.
3. In the Automated Backups section, specify the remote server that stores the backup files:
a. From the Server Type list, select the type of remote server that stores the backup files.
FTP - An FTP server.
SMB- A Windows shared drive on an SMB server.
b. In the Server Name/IP field, enter the server IP address or fully qualified domain name (FQDN). A FQDN consists of a host
name and domain name, including the top-level domain.
c. In the Port field, enter the server port number to use.
i. For an FTP server, the default port number is 21.
ii. For an SMB server, the recommended port number depends on the version of the Windows® operating system running
on the remote backup server.
iii. Port 139 is recommended for Windows 3.x and Windows NT Server 4.0.
iv. Port 445 is recommended for Windows Server 2000, Windows Server 2003 and Windows XP.
4. Enter the Username and Password for user authentication on the FTP or SMB server.
5. In the Folder/Path field, enter the folder, path, or share name of the location on the FTP or SMB server that stores the backup files.
You should click Test Backup Server to verify that the remote server is capable of storing backup files.
6. Select the box next to System Configuration to schedule the backup and select a day of the week (or Daily) and the time of day to
perform backup.
7. In the Backups to Keep field, specify the maximum number of backup files to keep on the remote server.
8. Click Save Changes to schedule the backup.
Restore Your System Configuration
Before restoring the contents of an automatic backup file, verify the Automated Backups section to ensure the remote server is
working and reachable and click Test Backup Server.
1. Click Browse to open the file location or Browse Auto Backups window.
2. Specify the backup file to be retrieved and restored, and select it.
3. Click Upload.
4.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
79
4. To restore the selected backup file, click Apply Now.
If you are restoring settings on a new (unconfigured) Barracuda Link Balancer, go to the Basic > IP Configuration page to configure the IP
address and DNS information for the device.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
80
How to Update the Firmware
en
Applying a new firmware version results in a short service outage.
The Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. You should only
revert to an old firmware version if your recently downloaded new version causes unexpected problems. Always contact Barracuda Networks
Technical Support before reverting to a previous firmware version.
Do not manually power-cycle the Barracuda Link Balancer at any time during the update process because it can cause firmware
corruption.
Update the Firmware
1.
2.
3.
4.
Log into the Barracuda Link Balancer web interface.
Go to the ADVANCED > Firmware Update page. A newer firmware version is available if the Download Now button is enabled.
Click Download Now. Update the download progress displayed by the bar at any time by clicking Refresh.
To update the firmware, click Apply Now.
Revert the Firmware
To revert the Barracuda Link Balancer to a previous version,
1. Log into the Barracuda Link Balancer web interface.
2. Go to the ADVANCED > Firmware Update page.
3. Click Revert next to the desired firmware version.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
81
Troubleshooting
en
The ADVANCED > Troubleshooting page provides tools that help troubleshoot network connectivity issues which may affect the performance of
your Barracuda Link Balancer. You can perform a number of connectivity tests such as ping, telnet, dig/nslookup, TCP dump, and traceroute.
In this article:
en
Built-In Troubleshooting Tools
Support Connection
Network Connectivity Tests
TCP Dump
Network Information
Replacing a Failed System
Built-In Troubleshooting Tools
Support Connection
Barracuda Networks Technical Support may ask you to make a connection to Barracuda Central to help them diagnose problems on your
system. To open a troubleshooting connection to your Barracuda Link Balancer:
1. Click Establish Connection to Barracuda Support Center.
2. Provide the support engineer with the serial number displayed.
3. After the issue is resolved, click Terminate connection to Barracuda Central to close the connection between your Barracuda Link
Balancer and Barracuda Central.
Network Connectivity Tests
This section allows you to diagnose potential network problems on the Barracuda Link Balancer. Fill in the required fields click the associated
command.
TCP Dump
This section allows you to capture large amounts of TCP traffic data in a file, while providing IP filtering and other configuration options. To
capture traffic, perform the following steps:
1.
2.
3.
4.
Configure the options in the TCP Dump section as needed.
Click Start Capture.
Wait while data is collected. Then click Stop Capture.
Click Download to download the captured data from the Barracuda Link Balancer. You can also click Remove Capture File afterwards
to free some HDD space on the unit.
Network Information
This section allows you to show currently valid network status information.
Show ARPs - displays the currently valid ARP entries.
Show Routes - displays the currently active routes.
Replacing a Failed System
If a Barracuda Link Balancer fails and the issue can not be resolved, you can use the tools provided on the ADVANCED > Troubleshooting pag
e. Customers who have purchased the Instant Replacement service can call Barracuda Networks Technical Support to arrange for a new unit to
be shipped out within 24 hours.
After receiving the new system, ship the old Barracuda Link Balancer back to Barracuda Networks. Barracuda Networks Technical Support will
provide details on the best way to return the unit.
To set up the new Barracuda Link Balancer with the same configuration as the old system, restore the backup file from the old system
onto the new one. Manually configure the new system’s IP information on the BASIC > IP Configuration page. For information on
restoring data, refer to Backing Up and Restoring Your System Configuration.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
82
Limited Warranty and License
en
Limited Warranty
Barracuda Networks, Inc., or the Barracuda Networks, Inc. subsidiary or authorized Distributor selling the Barracuda Networks product, if sale is
not directly by Barracuda Networks, Inc., (“Barracuda Networks”) warrants that commencing from the date of delivery to Customer (but in case of
resale by a Barracuda Networks reseller, commencing not more than sixty (60) days after original shipment by Barracuda Networks, Inc.), and
continuing for a period of one (1) year: (a) its products (excluding any software) will be free from material defects in materials and workmanship
under normal use; and (b) the software provided in connection with its products, including any software contained or embedded in such products
will substantially conform to Barracuda Networks published specifications in effect as of the date of manufacture. Except for the foregoing, the
software is provided as is. In no event does Barracuda Networks warrant that the software is error free or that Customer will be able to operate
the software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking
networks, Barracuda Networks does not warrant that the software or any equipment, system or network on which the software is used will be free
of vulnerability to intrusion or attack. The limited warranty extends only to you the original buyer of the Barracuda Networks product and is
non-transferable.
Exclusive Remedy
Your sole and exclusive remedy and the entire liability of Barracuda Networks under this limited warranty shall be, at Barracuda Networks or its
service centers option and expense, the repair, replacement or refund of the purchase price of any products sold which do not comply with this
warranty. Hardware replaced under the terms of this limited warranty may be refurbished or new equipment substituted at Barracuda Networks
option. Barracuda Networks obligations hereunder are conditioned upon the return of affected articles in accordance with Barracuda Networks
then-current Return Material Authorization (“RMA”) procedures. All parts will be new or refurbished, at Barracuda Networks discretion, and shall
be furnished on an exchange basis. All parts removed for replacement will become the property of the Barracuda Networks. In connection with
warranty services hereunder, Barracuda Networks may at its discretion modify the hardware of the product at no cost to you to improve its
reliability or performance. The warranty period is not extended if Barracuda Networks repairs or replaces a warranted product or any parts.
Barracuda Networks may change the availability of limited warranties, at its discretion, but any changes will not be retroactive. IN NO EVENT
SHALL BARRACUDA NETWORKS LIABILITY EXCEED THE PRICE PAID FOR THE PRODUCT FROM DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OF THE PRODUCT, ITS ACCOMPANYING SOFTWARE, OR
ITS DOCUMENTATION.
Exclusions and Restrictions
This limited warranty does not apply to Barracuda Networks products that are or have been (a) marked or identified as “sample” or “beta,” (b)
loaned or provided to you at no cost, (c) sold “as is,” (d) repaired, altered or modified except by Barracuda Networks, (e) not installed, operated or
maintained in accordance with instructions supplied by Barracuda Networks, or (f) subjected to abnormal physical or electrical stress, misuse,
negligence or to an accident.
EXCEPT FOR THE ABOVE WARRANTY, BARRACUDA NETWORKS MAKES NO OTHER WARRANTY, EXPRESS, IMPLIED OR
STATUTORY, WITH RESPECT TO BARRACUDA NETWORKS PRODUCTS, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY
OF TITLE, AVAILABILITY, RELIABILITY, USEFULNESS, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. EXCEPT FOR THE ABOVE
WARRANTY, BARRACUDA NETWORKS PRODUCTS AND THE SOFTWARE IS PROVIDED “AS IS” AND BARRACUDA NETWORKS DOES
NOT WARRANT THAT ITS PRODUCTS WILL MEET YOUR REQUIREMENTS OR BE UNINTERRUPTED, TIMELY, AVAILABLE, SECURE OR
ERROR-FREE, OR THAT ANY ERRORS IN ITS PRODUCTS OR THE SOFTWARE WILL BE CORRECTED. FURTHERMORE, BARRACUDA
NETWORKS DOES NOT WARRANT THAT BARRACUDA NETWORKS PRODUCTS, THE SOFTWARE OR ANY EQUIPMENT, SYSTEM OR
NETWORK ON WHICH BARRACUDA NETWORKS PRODUCTS WILL BE USED WILL BE FREE OF VULNERABILITY TO INTRUSION OR
ATTACK.
Software License
PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THE BARRACUDA SOFTWARE.
BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE. IF YOU DO NOT
AGREE TO THE TERMS OF THIS LICENSE DO NOT USE THE SOFTWARE. IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE
YOU MAY RETURN THE SOFTWARE OR HARDWARE CONTAINING THE SOFTWARE FOR A FULL REFUND TO YOUR PLACE OF
PURCHASE.
1. The software, documentation, whether on disk, in read only memory, or on any other media or in any other form (collectively “Barracuda
Software”) is licensed, not sold, to you by Barracuda Networks, Inc. (“Barracuda”) for use only under the terms of this License and Barracuda
reserves all rights not expressly granted to you. The rights granted are limited to Barracuda's intellectual property rights in the Barracuda
Software and do not include any other patent or intellectual property rights. You own the media on which the Barracuda Software is recorded but
Barracuda retains ownership of the Barracuda Software itself.
2. Permitted License Uses and Restrictions. This License allows you to use the Software only on the single Barracuda labeled hardware device
on which the software was delivered. You may not make copies of the Software and you may not make the Software available over a network
where it could be utilized by multiple devices or copied. You may not make a backup copy of the Software. You may not modify or create
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
83
derivative works of the Software except as provided by the Open Source Licenses included below. The BARRACUDA SOFTWARE IS NOT
INTENDED FOR USE IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, LIFE
SUPPORT MACHINES, OR OTHER EQUIPEMENT IN WHICH FAILURE COULD LEAD TO DEATH, PERSONAL INJURY, OR
ENVIRONMENTAL DAMAGE.
3. You may not transfer, rent, lease, lend, or sublicense the Barracuda Software.
4. This License is effective until terminated. This License is automatically terminated without notice if you fail to comply with any term of the
License. Upon termination you must destroy or return all copies of the Barracuda Software.
5. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT THE USE OF THE BARRACUDA SOFTWARE IS AT YOUR OWN RISK AND THAT
THE ENTIRE RISK AS TO SATISFACTION, QUALITY, PERFORMANCE, AND ACCURACY IS WITH YOU. THE BARRACUDA SOFTWARE IS
PROVIDED “AS IS” WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND BARRACUDA HEREBY DISCLAIMS ALL
WARRANTIES AND CONDITIONS WITH RESPECT TO THE BARRACUDA SOFTWARE, EITHER EXPRESSED OR IMPLIED OR
STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTIBILITY, OF
SATISFACTORY QUALITY, OF FITNESS FOR ANY APPLICATION, OF ACCURACY, AND OF NON-INFRINGEMENT OF THIRD PARTY
RIGHTS. BARRACUDA DOES NOT WARRANT THE CONTINUED OPERATION OF THE SOFTWARE, THAT THE PERFORMANCE WILL
MEET YOUR EXPECTATIONS, THAT THE FUNCTIONS WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION WILL BE ERROR
FREE OR CONTINUOUS, OR THAT DEFECTS WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION GIVEN BY BARRACUDA
OR AUTHORIZED BARRACUDA REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE BARRACUDA SOFTWARE PROVE
DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.
6. License. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED ZERO COST LICENSE TO
BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY RIGHTS UTILIZED IN THE BARRACUDA SOFTWARE WHICH
YOU EITHER OWN OR CONTROL.
7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL BARRACUDA BE LIABLE FOR PERSONAL
INJURY OR ANY INCIDENTAL SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR ANY OTHER COMMERCIAL
DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR ABILITY TO USE OR INABILITY TO USE THE BARRACUDA
SOFTWARE HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF BARRACUDA HAS BEEN ADVISED OF
THE POSSIBILITY OF DAMAGES. In no event shall Barracuda's total liability to you for all damages exceed the amount of one hundred dollars.
8. Export Control. You may not use or otherwise export or re-export Barracuda Software except as authorized by the United States law and the
laws of the jurisdiction where the Barracuda Software was obtained.
Energize Update Software License
PLEASE READ THIS ENERGIZE UPDATE SOFTWARE LICENSE CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING
BARRACUDA NETWORKS OR BARRACUDA NETWORKS-SUPPLIED ENERGIZE UPDATE SOFTWARE.
BY DOWNLOADING OR INSTALLING THE ENERGIZE UPDATE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS
SOFTWARE, YOU ARE CONSENTING TO BE BOUND BY THIS LICENSE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
LICENSE, THEN (A) DO NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE, AND (B) YOU MAY RETURN THE SOFTWARE FOR A FULL
REFUND, OR, IF THE SOFTWARE IS SUPPLIED AS PART OF ANOTHER PRODUCT, YOU MAY RETURN THE ENTIRE PRODUCT FOR A
FULL REFUND. YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM BARRACUDA NETWORKS OR AN
AUTHORIZED BARRACUDA NETWORKS RESELLER, AND APPLIES ONLY IF YOU ARE THE ORIGINAL PURCHASER.
The following terms govern your use of the Energize Update Software except to the extent a particular program (a) is the subject of a separate
written agreement with Barracuda Networks or (b) includes a separate “click-on” license agreement as part of the installation and/or download
process. To the extent of a conflict between the provisions of the foregoing documents, the order of precedence shall be (1) the written
agreement, (2) the click-on agreement, and (3) this Energize Update Software License.
License. Subject to the terms and conditions of and except as otherwise provided in this Agreement, Barracuda Networks, Inc., or a Barracuda
Networks, Inc. subsidiary (collectively “Barracuda Networks”), grants to the end-user (“Customer”) a nonexclusive and nontransferable license to
use the Barracuda Networks Energize Update program modules and data files for which Customer has paid the required license fees (the
“Energize Update Software”). In addition, the foregoing license shall also be subject to the following limitations, as applicable:
Unless otherwise expressly provided in the documentation, Customer shall use the Energize Update Software solely as embedded in, for
execution on, or (where the applicable documentation permits installation on non-Barracuda Networks equipment) for communication with
Barracuda Networks equipment owned or leased by Customer; Customer's use of the Energize Update Software shall be limited to use on a
single hardware chassis, on a single central processing unit, as applicable, or use on such greater number of chassis or central processing units
as Customer may have paid Barracuda Networks the required license fee; and Customer's use of the Energize Update Software shall also be
limited, as applicable and set forth in Customer's purchase order or in Barracuda Networks' product catalog, user documentation, or web site, to a
maximum number of (a) seats (i.e. users with access to the installed Energize Update Software), (b) concurrent users, sessions, ports, and/or
issued and outstanding IP addresses, and/or (c) central processing unit cycles or instructions per second. Customer's use of the Energize Update
Software shall also be limited by any other restrictions set forth in Customer's purchase order or in Barracuda Networks' product catalog, user
documentation or web site for the Energize Update Software.
General Limitations. Except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
84
agrees not to:
i. transfer, assign or sublicense its license rights to any other person, or use the Energize Update Software on
unauthorized or secondhand Barracuda Networks equipment, and any such attempted transfer, assignment or
sublicense shall be void;
ii. make error corrections to or otherwise modify or adapt the Energize Update Software or create derivative works based
upon the Energize Update Software, or to permit third parties to do the same; or
iii. decompile, decrypt, reverse engineer, disassemble or otherwise reduce the Energize Update Software to
human-readable form to gain access to trade secrets or confidential information in the Energize Update Software.
Upgrades and Additional Copies. For purposes of this Agreement, “Energize Update Software” shall include (and the terms and conditions of this
Agreement shall apply to) any Energize Update upgrades, updates, bug fixes or modified versions (collectively, “Upgrades”) or backup copies of
the Energize Update Software licensed or provided to Customer by Barracuda Networks or an authorized distributor/reseller for which Customer
has paid the applicable license fees. NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT: (1) CUSTOMER HAS NO
LICENSE OR RIGHT TO USE ANY SUCH ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING
SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL ENERGIZE UPDATE SOFTWARE AND HAS PAID
THE APPLICABLE FEE FOR THE UPGRADE; (2) USE OF UPGRADES IS LIMITED TO BARRACUDA NETWORKS EQUIPMENT FOR WHICH
CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LESSEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE
ENERGIZE UPDATE SOFTWARE WHICH IS BEING UPGRADED; AND (3) USE OF ADDITIONAL COPIES IS LIMITED TO BACKUP
PURPOSES ONLY.
Energize Update Changes. Barracuda Networks reserves the right at any time not to release or to discontinue release of any Energize Update
Software and to alter prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or other
characteristics of any future releases of the Energize Update Software.
Proprietary Notices. Customer agrees to maintain and reproduce all copyright and other proprietary notices on all copies, in any form, of the
Energize Update Software in the same form and manner that such copyright and other proprietary notices are included on the Energize Update
Software. Except as expressly authorized in this Agreement, Customer shall not make any copies or duplicates of any Energize Update Software
without the prior written permission of Barracuda Networks. Customer may make such backup copies of the Energize Update Software as may be
necessary for Customer's lawful use, provided Customer affixes to such copies all copyright, confidentiality, and proprietary notices that appear
on the original.
Protection of Information. Customer agrees that aspects of the Energize Update Software and associated documentation, including the specific
design and structure of individual programs, constitute trade secrets and/or copyrighted material of Barracuda Networks. Customer shall not
disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior written
consent of Barracuda Networks. Customer shall implement reasonable security measures to protect and maintain the confidentiality of such trade
secrets and copyrighted material. Title to Energize Update Software and documentation shall remain solely with Barracuda Networks.
Indemnity. Customer agrees to indemnify, hold harmless and defend Barracuda Networks and its affiliates, subsidiaries, officers, directors,
employees and agents at Customers expense, against any and all third-party claims, actions, proceedings, and suits and all related liabilities,
damages, settlements, penalties, fines, costs and expenses (including, without limitation, reasonable attorneys fees and other dispute resolution
expenses) incurred by Barracuda Networks arising out of or relating to Customers (a) violation or breach of any term of this Agreement or any
policy or guidelines referenced herein, or (b) use or misuse of the Barracuda Networks Energize Update Software.
Term and Termination. This License is effective upon date of delivery to Customer of the initial Energize Update Software (but in case of resale
by a Barracuda Networks distributor or reseller, commencing not more than sixty (60) days after original Energize Update Software purchase
from Barracuda Networks) and continues for the period for which Customer has paid the required license fees. Customer may terminate this
License at any time by notifying Barracuda Networks and ceasing all use of the Energize Update Software. By terminating this License, Customer
forfeits any refund of license fees paid and is responsible for paying any and all outstanding invoices. Customer's rights under this License will
terminate immediately without notice from Barracuda Networks if Customer fails to comply with any provision of this License. Upon termination,
Customer must cease use of all copies of Energize Update Software in its possession or control.
Export. Software, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its
associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such
regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Energize Update Software.
Restricted Rights. Barracuda Networks' commercial software and commercial computer software documentation is provided to United States
Government agencies in accordance with the terms of this Agreement, and per subparagraph “(c)” of the “Commercial Computer Software Restricted Rights” clause at FAR 52.227-19 (June 1987). For DOD agencies, the restrictions set forth in the “Technical Data-Commercial Items”
clause at DFARS 252.227-7015 (Nov 1995) shall also apply.
No Warranty. The Energize Update Software is provided AS IS. Customer's sole and exclusive remedy and the entire liability of Barracuda
Networks under this Energize Update Software License Agreement will be, at Barracuda Networks option, repair, replacement, or refund of the
Energize Update Software.
Renewal. At the end of the Energize Update Service Period, Customer may have the option to renew the Energize Update Service at the current
list price, provided such Energize Update Service is available. All initial subscriptions commence at the time of sale of the unit and all renewals
commence at the expiration of the previous valid subscription.
In no event does Barracuda Networks warrant that the Energize Update Software is error free or that Customer will be able to operate the
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
85
Energize Update Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon
and attacking networks, Barracuda Networks does not warrant that the Energize Update Software or any equipment, system or network on which
the Energize Update Software is used will be free of vulnerability to intrusion or attack.
DISCLAIMER OF WARRANTY. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE
HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE
EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS
DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM
JURISDICTION TO JURISDICTION.
General Terms Applicable to the Energize Update Software License Disclaimer of Liabilities. IN NO EVENT WILL BARRACUDA NETWORKS BE
LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE
DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO
USE THE ENERGIZE UPDATE SOFTWARE EVEN IF BARRACUDA NETWORKS OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. In no event shall Barracuda Networks' liability to Customer, whether in contract, tort (including negligence),
or otherwise, exceed the price paid by Customer. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR
EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
This Energize Update Software License shall be governed by and construed in accordance with the laws of the State of California, without
reference to principles of conflict of laws, provided that for Customers located in a member state of the European Union, Norway or Switzerland,
English law shall apply. The United Nations Convention on the International Sale of Goods shall not apply. If any portion hereof is found to be
void or unenforceable, the remaining provisions of the Energize Update Software License shall remain in full force and effect. Except as expressly
provided herein, the Energize Update Software License constitutes the entire agreement between the parties with respect to the license of the
Energize Update Software and supersedes any conflicting or additional terms contained in the purchase order.
Open Source Licensing
Barracuda products may include programs that are covered by the GNU General Public License (GPL) or other “open source” license
agreements. The GNU license is re-printed below for you reference. These programs are copyrighted by their authors or other parties, and the
authors and copyright holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.
GNU GENERAL PUBLIC LICENSE, (GPL) Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General
Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some
other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have
the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it,
that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These
restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whethergratis or for a fee, you must give the recipients all the rights that you have. You
must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute
and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If
the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any
problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will
individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be
licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
86
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under
the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means
either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or
with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each
licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the
Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of
having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously
and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this
License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute
such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part
thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive
use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no
warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the
user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement,
your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be
reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you
distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the
distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each
and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right
to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1
and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of
Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only
for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with
Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code
means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and
installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed
(in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs,
unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy
the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source
along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to
copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who
have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full
compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
87
the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing
the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for
copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the
recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions
are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from
the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent
obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free
redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this
License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and
the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices.
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent
application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a
licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original
copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so
that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the
body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later
version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask
for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make
exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of
promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT
PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK
AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY
OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free
software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the
exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
one line to give the program's name and an idea of what it does.
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
88
Copyright (C) yyyy name of author
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands
you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your
program.
You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James
Hacker.
signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
Barracuda Products may contain programs that are copyright (c)1995-2005 International Business Machines Corporation and others. All rights
reserved. These programs are covered by the following License:
"Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s)
and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in
supporting documentation."
Barracuda Products may include programs that are covered by the BSD License: "Redistribution and use in source and binary forms, with or
without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE."
Barracuda Products may include the libspf library which is Copyright (c) 2004 James Couzens & Sean Comeau All rights reserved. It is covered
by the following agreement: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS MAKING USE OF THIS LICENSE OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
Barracuda Products may contain programs that are Copyright (c) 1998-2003 Carnegie Mellon University. All rights reserved. Redistribution and
use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of
source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
89
reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with
the distribution. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior
written permission. For permission or any other legal details, please contact Office of Technology Transfer Carnegie Mellon University 5000
Forbes Avenue Pittsburgh, PA 15213-3890 (412) 268-4387, fax: (412) 268-7395 tech-transfer@andrew.cmu.edu .Redistributions of any form
whatsoever must retain the following acknowledgment: "This product includes software developed by Computing Services at Carnegie Mellon
University (http://www.cmu.edu/computing/)." CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON
UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Barracuda products may include programs that are covered by the Apache License or other Open Source license agreements. The Apache
license is re-printed below for you reference. These programs are copyrighted by their authors or other parties, and the authors and copyright
holders disclaim any warranty for such programs. Other programs are copyright by Barracuda Networks.
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that
entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such
entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source,
and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled
object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice
that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial
revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License,
Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and
Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or
Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal
Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal,
or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source
code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving
the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a
Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide,
non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide,
non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell,
import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are
necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was
submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a
Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under
this License for that Work shall terminate as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications,
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
90
and in Source or Object form, provided that You meet the following conditions:
(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from
the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy
of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at
least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if
provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices
normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License.
You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the
Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use,
reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution
of the Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to
the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above,
nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such
Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides
its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without
limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your
exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by
applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including
any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability
to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other
commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a
fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting
such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You
agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by
reason of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own
identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also
recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and
limitations under the License.
Source Code Availability
Per the GPL and other “open source” license agreements the complete machine readable source code for programs covered by the GPL or other
“open source” license agreements is available from Barracuda Networks at no charge. If you would like a copy of the source code or the changes
to a particular program we will gladly provide them, on a CD, for a fee of $100.00. This fee is to pay for the time for a Barracuda Networks
Copyright © 2015, Barracuda Networks Inc.
Barracuda Link Balancer Administrator's Guide - Page
91
engineer to assemble the changes and source code, create the media, package the media, and mail the media. Please send a check payable in
USA funds and include the program name. We mail the packaged source code for any program covered under the GPL or other "open source"
license.
Copyright © 2015, Barracuda Networks Inc.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising