1. Barracuda Link Balancer - Overview Capabilities of the Barracuda Link Balancer Deployment Barracuda Link Balancer

Transcription

1 Barracuda Link Balancer - Overview Capabilities of the Barracuda Link Balancer Deploymt Barracuda Link Balancer Overview Deploymt Options Installation in Front of Your Firewall How to Add an Additional ISP Link in Firewall Disabled Mode Configuring the Barracuda Link Balancer for Two Indepdt ISP Links and Firewalls Installation Replacing Your Firewall Hardware Compliance Getting Started Step 1: Configure Administrative Settings Step 2: Configure Networking Settings Configuration DNS DNS Overview How to Configure the DNS Server Networking Routing Outbound Traffic How To Create IP/Application Routing Rules How to Create Outbound Source NAT Rules Traffic Shaping Firewall Firewall Rules Overview How to Create Inbound Firewall Rules How to Create Outbound Firewall Rules How to Create Custom Applications How to Create NAT Rules How to Create Port Forwarding Rules VPN Site-to-Site VPN Overview How to Create a Site-to-Site VPN Tunnel Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels High Availability High Availability Overview Planning Your High Availability Deploymt How to Create a High Availability Cluster How to Remove a System from a Cluster How to Update the Firmware on Clustered Systems Monitoring Basic Monitoring SNMP Monitoring System Reports Viewing Logs Maintance Reloading, Restarting, and Shutting Down the System How to Backup and Restore Your System Configuration How to Update the Firmware Troubleshooting Limited Warranty and Licse

2 Barracuda Link Balancer - Overview The Barracuda Link Balancer routes and manages traffic across multiple Internet connections or WAN links. By using multiple inexpsive connections from one or more Internet service providers, you can reduce the need to purchase high speed and high cost links. Supported links include T1, T3, E1, DSL, cable, fiber optic and MPLS. Capabilities of the Barracuda Link Balancer Getting Started Step 1: Configure Administrative Settings Step 2: Configure Networking Settings Downloads Barracuda Link Balancer Quick Start Guide Get to Know Your Barracuda Link Balancer Capabilities of the Barracuda Link Balancer The Barracuda Link Balancer routes and manages traffic across multiple Internet connections or WAN links. By using multiple inexpsive connections from one or more Internet service providers, you can reduce the need to purchase high speed and high cost links. Supported links include T1, T3, E1, DSL, cable, fiber optic, MPLS, and VLAN. Key features of the Barracuda Link Balancer include the following functionalities: Balances incoming and outgoing network traffic across multiple links. Provides automated failover in case of link failure. Manages bandwidth. Performs Quality of Service (QoS) for Internet applications. Includes a DHCP server, an Authoritative DNS (ADNS) server, as well as DNS caching server functionality. Can act as a traditional firewall or can be installed in front of your existing firewall. Provides site-to-site VPNs with link failover and failback. Supports USB 3G devices. Provides extsive logging and live reporting functionalities. The Barracuda Link Balancer is not specifically designed for load balancing that distributes incoming traffic across servers. The Barracuda Load Balancer much better meets those needs. As shown in the figure below, the Barracuda Link Balancer provides an interface betwe multiple Internet connections and your clits and servers. To install and configure, continue with the Deploymt section. Video Link To learn more about the Barracuda Link Balancer's capabilities, see this video on DemosOnDemand. Deploymt 2

3 The Barracuda Link Balancer can operate in two differt modes. Prior to installing, you need to choose an operation mode. The two most typical deploymt methods are: Deploymt in front of your firewall - Keep your existing firewall, and insert the Barracuda Link Balancer in betwe your firewall and the Internet. Deploymt replacing your firewall - Replace your firewall with the Barracuda Link Balancer. Barracuda Networks recommds that you read the overview section before installation. In this Section: Barracuda Link Balancer Overview Deploymt Options Installation in Front of Your Firewall Installation Replacing Your Firewall Hardware Compliance Barracuda Link Balancer Overview This article provides an overview on the main features and functionalities of the Barracuda Barracuda Link Balancer. It is recommded that you understand the following concepts before deploying the Barracuda Link Balancer: In this article: Link Managemt Aggregating Link Bandwidth Link Failover Outbound Link Load Balancing Inbound Link Balancing and Failover VLAN Support High Availability Persistce Bandwidth Managemt and Quality of Service (QoS) Traditional Firewall Site-to-Site VPN and Link Failover Ability to Deploy with Your Network Firewall Local Network Services Reporting Web Interface Link Managemt The Barracuda Link Balancer can manage links that have static or dynamic (DHCP) IP addresses and can authticate using PPPoE. Aggregating Link Bandwidth The Barracuda Link Balancer automatically aggregates Internet bandwidth from multiple links to the same or diverse sources. Administrators can choose multiple links to the same or differt ISPs for the purposes of consolidating access to affordable Internet bandwidth. Any single session (e.g. a TCP stream) has at most only the bandwidth from any one WAN link. One computer may have more than one session if it is connected to more than one remote site. Link Failover The Barracuda Link Balancer regularly checks the health of each Internet link and only uses the available links. If it detects a link failure, the failed link is removed from link balancing. Wh the failed link becomes available again, the Barracuda Link Balancer will resume using that link. All of this happs without administrator intervtion. If a link fails, existing sessions on that link will be disconnected. Clits who were using the failed link will be able to reconnect quickly to their destination using another available link rather than having to wait for the original link to be restored. Outbound Link Load Balancing Wh traffic from a clit IP address going to a new destination IP address is detected, the Barracuda Link Balancer selects which link to use. It 3

4 calculates the available capacity for each link based on uplink speed and currt usage and uses the link with the largest available capacity. If needed, you can create outbound routing rules to override this behavior. Inbound Link Balancing and Failover The Barracuda Link Balancer uses authoritative DNS to direct incoming connections to a WAN link. Wh an external user accesses a web site, for example, that is hosted behind the Barracuda Link Balancer, a DNS request is st to the Barracuda Link Balancer for the IP address of the site. The Barracuda Link Balancer returns the IP address of the site which directs the traffic to a WAN link. Wh determining which IP address to return, the available capacity for each link based on configured speed and currt usage is calculated. The link with the largest available capacity is returned so that adaptive inbound load balancing is achieved. Also, if a link is found to have failed, the address for that link is not returned until it becomes available again. In order to accomplish this, the Barracuda Link Balancer acts as an authoritative DNS server for the domains or sub-domains that you host. You can create DNS records on the Barracuda Link Balancer to idtify your domain and to map that domain to multiple externally accessible IP addresses. VLAN Support The Barracuda Link Balancer supports Layer 2 VLANs. High Availability The Barracuda Link Balancer supports High Availability configurations where two Barracuda Link Balancers are deployed as an active-passive pair. Persistce The Barracuda Link Balancer automatically tracks the IP addresses of each clit / source and corresponding server / destination. As long as the source and destination IP address pair are the same, traffic betwe them will use the same link. In addition, any one source and destination IP address pair will be tied to a specific link through about 15 minutes of inactivity. If traffic from an already tracked source IP address is detected, it may be st on a differt link if the destination IP address is unique. Bandwidth Managemt and Quality of Service (QoS) The Barracuda Link Balancer includes software that can automatically prioritize critical Internet applications. For example, you can assign priority to web browsing and while giving peer-to peer applications and media streaming a lower priority. In this way, you can sure that bandwidth-intsive applications do not interfere with business-critical operations. Traditional Firewall The Barracuda Link Balancer incorporates standard firewall functionality, including: Network Address Translation (NAT). IP masquerading - Clits in the internal network are protected from the Internet. All Internet services appear to be provided by the Barracuda Link Balancer firewall, while the internal clits remain invisible. 1:1 NAT - You can directly assign external addresses to internal servers. Ideal for hosting internal applications or services requiring regular outbound requests such as SMTP, 1:1 NAT provides a secure method to match additional external addresses with a single internal server for inbound and outbound traffic. Port forwarding (or Port Address Translation) - The traffic to the same port across one or more multiple links is directed to an internal clit. Many to 1 NAT - One internal server may receive traffic from more than one WAN link. You can achieve this by creating 1:1 NAT rules or port forwarding rules. IP access lists - Use IP access lists to allow or dy access, either inbound or outbound, to remote networks, clits, applications, services and ports. Port blocking. Assistance in prevting and mitigating distributed dial of service attacks (DDoS). Site-to-Site VPN and Link Failover You can create a site-to-site VPN tunnel betwe two Barracuda Link Balancers or betwe a Barracuda Link Balancer and another device that supports IPsec. Networks connected via a tunnel will communicate as if they are on the same network, ev though they are separated by the Internet. Using this functionality allows your site-to-site VPN tunnel to automatically failover to a secondary link in the case of the failure of a primary link. 4

5 Ability to Deploy with Your Network Firewall If you already have a firewall that meets your requiremts, you can use the link balancing, failover and bandwidth managemt capabilities of the Barracuda Link Balancer and disable its firewall functionality. As you can see in the figure below, adding the Barracuda Link Balancer to your network without removing your firewall can be done with minimal disruption to your existing network. Local Network Services The Barracuda Link Balancer includes the following local network services: DHCP server - The Barracuda Link Balancer can automatically provision clit IP addresses using the DHCP protocol. Along with defining traditional DHCP options, administrators may view active leases in real time. DNS caching server - The Barracuda Link Balancer caches responses to DNS queries so that repetitive DNS requests are served quickly and locally. Reporting A variety of trd and activity reports for the WAN links, VPNs and other system componts can be gerated on-demand or scheduled. Reporting is only available on models 330 and above. Web Interface The Barracuda Link Balancer configuration can be administered through an SSL-secured web interface. Access can be through the LAN or, if configured, any of the WAN interfaces. The web interface can also be used for viewing traffic statistics, monitoring the health of network componts, and troubleshooting. Deploymt Options The Barracuda Link Balancer can operate in two differt modes. Deploymt in front of your firewall, with the Barracuda Link 5

6 Balancer in betwe your firewall and the Internet, or Deploymt replacing your firewall. One important factor in deciding which deploymt mode to choose is whether you want to replace your firewall or keep your existing firewall. The Barracuda Link Balancer firewall provides full firewall functionality. If, however, you already have a firewall that meets your needs, you can disable the Barracuda Link Balancer firewall while still making use of the Barracuda Link Balancer s link balancing, failover, and bandwidth managemt capabilities. In this article: Deploymt In Front of Your Firewall Deploymt Replacing Your Firewall Overview of the Installation Steps The following table describes factors to consider wh choosing a deploymt method. Network Location Criterion Barracuda Link Balancer LAN IP Address Barracuda Link Balancer In Front of Your Firewall The Barracuda Link Balancer is deployed betwe your existing firewall and the Internet. Used only for managemt. Can be any internal or public address that is reachable through your existing firewall from the LAN. Barracuda Link Balancer Replacing Your Firewall The Barracuda Link Balancer acts as your firewall. The default gateway for your network. Firewall Rules No changes to your existing firewall. You will need to recreate any existing firewall rules on the Barracuda Link Balancer. WAN Link Site to Site VPN If you are abling inbound access to resources behind the Barracuda Link Balancer, such as a web server, at least one WAN link must have a static IP address. If you already have a site-to-site VPN, it should be terminated on your existing firewall. VPN traffic has one source IP address so it goes out on only one WAN link. It is recognized as VPN traffic so it will not be NAT d by the Barracuda Link Balancer. No failover or failback is available. Alternatively, make the Barracuda Link Balancer a VPN dpoint to achieve failover and failback to and from a secondary link. The Barracuda Link Balancer may use the same IP address that had be used by your firewall. Failover and failback to and from a secondary link. Deploymt In Front of Your Firewall Figure 1: Example network that has both clit and server traffic. 6

7 The next figure shows the same network with a Barracuda Link Balancer that was installed with no changes to the configuration of the existing firewall. A new WAN link has be added. In this network: The Barracuda Link Balancer has a static IP address on WAN1 that is on the same network as the firewall and the externally visible servers. The clits are on a differt subnet than all WAN links. The external IP address and gateway of the firewall remain the same. The gateway IP addresses of the Barracuda Link Balancer and the firewall are provided by the ISPs. The gateway of the LAN devices is provided by the firewall. The Barracuda Link Balancer LAN IP address can be any internal or public address that is reachable through your existing firewall from the LAN. You may allocate an external IP address for it, or choose a non-routable IP address. If the latter, it should be on a differt subnet than the LAN devices already on the network. Remember that if the firewall does not recognize an address as being on the local network, it will pass it to the Barracuda Link Balancer. Figure 2: Barracuda Link Balancer installed with no changes to the configuration of the existing firewall. For detailed instructions on how to setup your Barracuda Link Balancer in front of your firewall, see: Installation in Front of Your Firewall. Deploymt Replacing Your Firewall 7

8 Figure 3: Another example of a network that has both clit and server traffic. The next figure shows the example network with a Barracuda Link Balancer installed and acting as a firewall, replacing the customer firewall. A new WAN link has be added. In this network: The Barracuda Link Balancer uses the same IP address for WAN1 that the firewall had used. The LAN devices and the LAN interface of the Barracuda Link Balancer must be on a differt subnet than all WAN links. The Barracuda Link Balancer gateway IP addresses are provided by the ISPs. The gateway of the LAN devices is the LAN IP address of the Barracuda Link Balancer. Traffic to the servers is passed using port forwarding rules on the Barracuda Link Balancer. If your servers are externally accessible, reconfigure those servers with private IP addresses. Th create 1:1 NAT rules to map the external IP addresses to the respective private IP addresses of the servers. Figure 4: Example network with a Barracuda Link Balancer installed and acting as a firewall, replacing the existing firewall. For detailed instructions on how to setup your Barracuda Link Balancer to replace your firewall, see: Installation Replacing Your Firewall. Overview of the Installation Steps The following table provides an overview of the steps required to deploy the Barracuda Link Balancer in your network. 8

9 In Front of Your Firewall Replacing Your Firewall Prepare to install, including getting a WAN link with a static IP address. Activate the Barracuda Link Balancer with Temporary Network Settings. Get Latest Firmware Version. Disable the Barracuda Link Balancer Firewall. Configure WAN and LAN Permant Settings. Permantly Install the Barracuda Link Balancer. Test Connectivity. Continue with: Installation in Front of Your Firewall. Prepare to install. Activate the Barracuda Link Balancer with Temporary Network Settings. Get Latest Firmware Version. Configure Permant WAN Settings. Configure the Barracuda Link Balancer Firewall. Configure Permant LAN IP Address. Permantly Install the Barracuda Link Balancer. Continue with Installation in Front of Your Firewall In transpart mode (Firewall disabled mode, " In Front of your Firewall"), the IP addresses of LAN (Ethernet) and WAN1 ports must NOT reside within the same subnet in order to allow transpart mode to work as intded. Installation in Front of Your Firewall These detailed instructions describe how to deploy the Barracuda Link Balancer betwe the Internet and your firewall. They provide a method to configure the Barracuda Link Balancer completely before connecting it to your production system. In this mode, with the Barracuda Link Balancer s firewall disabled, it is necessary to use an additional static IP address in order to deploy the Barracuda Link Balancer. If you do not have an extra static IP address, you may need to order one from your ISP. In this article: Step Prepare for the Installation Step Activate the Barracuda Link Balancer with Temporary Network Settings Step Update Firmware Step Disable the Barracuda Link Balancer Firewall Step 5. Configure WAN and LAN Permant Settings Step 6. Install in the Production Network Step 7. Test Connectivity Step 8. Configure your Local Network Step Prepare for the Installation Before installing your Barracuda Link Balancer, complete the following tasks: Verify that you have the necessary equipmt: Barracuda Link Balancer, AC power cord (included), Ethernet cables, a PC with a web browser. Plug in the Barracuda Link Balancer and power it on. If you are abling inbound access to resources behind the Barracuda Link Balancer, such as a web server, you must provide at least one WAN link with a static IP address for receiving the incoming traffic. Step Activate the Barracuda Link Balancer with Temporary Network Settings Follow these steps to configure the Barracuda Link Balancer with temporary settings and activate it: Change the network settings of a PC with a web browser installed to use an IP address of , subnet mask of , and gateway of

10 Depding on the model, there may be a LAN port on the front or back side of the Barracuda Link Balancer. Connect an Ethernet cable from the PC to that port Start the web browser and access the web interface by typing Login with the default username admin and the default password admin. Go to the BASIC > Links page and click on one of the WAN ports displayed in the graphic. In the Links Configuration section, set the Type of the WAN link to DHCP to acquire an address in the office network. Alternatively, set the link Type to Static and ter a specific IP address. Click Save Changes. Connect an Ethernet cable from the corresponding WAN port on the front of the Barracuda Link Balancer into your office network. You should now have Internet connectivity from your PC. At the top of every page, you may see an activation warning message. Click on the link in the warning message or use the link on the BASIC > Status page to op up the Barracuda Networks Product Activation page in a new browser window. Fill in the required fields and click Activate. A confirmation page ops to display the terms of your subscription. On the BASIC > Status page, you may need to ter the activation code from the Barracu da Networks Product Activation page to activate your Barracuda Link Balancer. If your subscription status does not change to Currt, or if you have trouble filling out the Product Activation page, call your Barracuda Networks sales represtative. Step Update Firmware Barracuda Networks recommds that you read the release notes to learn about the features of a firmware update before applying it. 5. Go to the ADVANCED > Firmware Update page. If there is a new Latest Geral Release available (the Download Now function is abled), perform the following steps to update the system firmware: Click Download Now next to the Latest Geral Release firmware version. Click OK to acknowledge the download duration message. To avoid damaging the Barracuda Link Balancer, do not power off during an update or download. To view the progress of the download, click Refresh. You will be notified wh the download is complete. Click Apply Now to apply the firmware. Click OK to acknowledge the reboot message. Applying the firmware takes a few minutes to complete. After the firmware has be applied, the Barracuda Link Balancer automatically reboots. Wh the system comes back up, the login page is displayed. Log in again. Step Disable the Barracuda Link Balancer Firewall Because you are going to use your existing firewall, you must disable the Barracuda Link Balancer firewall: Go to the BASIC > IP Configuration page and disable the Network Firewall. Click OK to acknowledge the reboot message. The Barracuda Link Balancer will reboot. Step 5. Configure WAN and LAN Permant Settings 10

11 Configure the permant settings for the WAN links that will be connected to the Barracuda Link Balancer. Some of the configuration information for the WAN links is provided by your ISP. Be sure to ter these values correctly. Unplug the Ethernet cable connecting the WAN port to your office network. After the Barracuda Link Balancer has rebooted, log into the web interface and go to the BASIC > Links page. For each link that will be connected to this unit: a. b. c. Click the relevant WAN port displayed in the graphic. In the Links Configuration section, ter the details for the link to be connected to the WAN port. If the interface uses a static IP address, th you will see the Additional IP Addresses list. These are the public IP addresses reachable via the Internet behind the Barracuda Link Balancer, including the address of your firewall. These need to be idtified so that traffic can be accepted and directed to them. The Barracuda Link Balancer is able to locate these addresses automatically, so creating this list is optional but may cause a slight increase in efficicy. To manually create the list, ter the IP addresses or click Discover to populate a list of IP addresses of live systems that are on the same Class C network as this WAN interface. The Discover button is only visible if there are no tries in the Additional IP Addresses list and if the built-in firewall is disabled. 5. If you are abling inbound access to resources behind the Barracuda Link Balancer, such as a web server, you must provide at least one WAN link with a static IP address for receiving the incoming traffic. Click Save Changes. If desired, change the LAN/Managemt IP address of the Barracuda Link Balancer to its permant setting. The LAN IP address is only used for managemt of the Barracuda Link Balancer. (The WAN IP addresses can also be used to access the managemt interface). The LAN IP address can be any private or public address that is reachable through your existing firewall from the LAN. If the default address of meets this criteria, there is no need to change it. To change the LAN/Managemt IP address, a. Go to the BASIC > IP Configuration page. b. Change the IP Address and Subnet Mask. c. Click Save Changes. If the address is on a differt subnet, your connection will terminate. In Firewall disabled mode, the IP addresses of LAN (Ethernet) and WAN1 ports must NOT reside within the same subnet. 6. Power down your Barracuda Link Balancer using the power button on the front of the unit. If you connect more than one ISP link to your Barracuda Link Balancer, you have to perform a few additional configuration steps. Please refer to How to Add an Additional ISP Link in Firewall Disabled Mode. Step 6. Install in the Production Network Now that the Barracuda Link Balancer is configured, install it in its permant location and connect it to your WAN links: Mount the Barracuda Link Balancer in a 19-inch rack or place it in a stable location. To sure proper vtilation, do not block the cooling vts on the front and back of the unit. Connect each of the cables from the Internet links into a WAN port on the front of the Barracuda Link Balancer. The ports are labeled WAN1, WAN2, etc. These ports correspond to the WAN ports that you configured in the web interface. Be sure to connect them according to your configuration. If there is a LAN port on the front of the Barracuda Link Balancer, connect an Ethernet cable from the outside interface of your existing network firewall to that LAN port. If there is no LAN port on the front, connect the outside interface of your existing network firewall to the LAN Ethernet port on the back panel of the Barracuda Link Balancer. You should see some activity on both the yellow and gre lights on the LAN port. If not, you may need to use a crossover cable. 11

12 Step 7. Test Connectivity Now you are ready to test the connectivity to your existing firewall and the systems connected to it. There is no need to change your firewall network configuration - your network firewall should continue to use the ISP-provided gateway address. 5. Confirm that you can access the Internet from a clit computer on your LAN. If this works, continue. On the test system, log into the web interface using the permant LAN IP address. Go to the BASIC > Links page. The status of each link should appear as Connected. You can see the utilization of each link by moving the mouse over the graphic. On the test system, gerate some traffic, by, for example, oping more tabs in the browser of the test system and downloading files from the internet. You can FTP files from a number of differt sites or use torrt to get the traffic to flow on multiple links. Go to the BASIC > Status page to view graphs that show the incoming and outgoing traffic for each link. If you have connectivity issues, clear the ARP caches of your existing network componts such as the firewall, routers and modems. In some cases, you may need to reboot these devices. You do not need to update your existing firewall configuration unless you want to make it aware of the new WAN link(s). To do so: Add firewall rules so that traffic from the new links is handled correctly. If you want to be able to manage your existing firewall remotely, add an alias on your firewall for the other links in case the first link is unavailable. Your Barracuda Link Balancer should be ready for operation. There are a number of other configuration options available. Please refer to the next page to review these options. Step 8. Configure your Local Network If you have disabled the firewall for the Barracuda Link Balancer, you must configure your local network to meet certain prerequisites before adding new ISP links in addition to your existing ISP. To do so, follow the instructions giv in How to Add an Additional ISP Link in Firewall Disabled Mode. After completing all installation instructions, continue with the basic configuration Step 1: Configure Administrative Settings. How to Add an Additional ISP Link in Firewall Disabled Mode This article provides step-by-step instructions on how to add one additional ISP link (ISP #2) that will be connected to WAN2, while the existing ISP (ISP #1) remains connected to WAN Adding more than one additional ISP works idtically. To add a secondary ISP link, complete the following steps: Step 1: Add the DNS of the Secondary ISP to the Local Network Configuration Step 2: Assign a New IP Address from ISP #2 to WAN2 Step 3: Clear the ARP Cache on the Router for ISP #2 Step 1: Add the DNS of the Secondary ISP to the Local Network Configuration You must make the DNS settings of the new ISP available to hosts within the local network. Otherwise, DNS queries will be routed to ISP #1 where they will be rejected due to access and flood control protection. DNS resolution would not be possible and the Internet will be unreachable from the local network. Add the DNS servers for ISP #2 to the configuration of your internal network. For backup, you may also add the IP addresses of op domain name servers at the d of the list. Step 2: Assign a New IP Address from ISP #2 to WAN2 Do not change the network configuration for the existing firewall. Assign an additional IP address from ISP #2 to WAN The Barracuda Link Balancer does not perform any address translations on this link. At the IP layer, the firewall and the ISP devices ignore the Barracuda Link Balancer. However, at the MAC layer, this may not be the case. 12

13 Step 3: Clear the ARP Cache on the Router for ISP #2 The Barracuda Link Balancer will use the MAC address of WAN2 for packets st to the router (while using the respective source IP address of the firewall) and packets going to the into local network. To make sure that neighboring devices use the correct MAC address, you must reboot the router for ISP #2 to clear its ARP cache. For help with rebooting the router, contact Barracuda Networks Technical Support to help you configure the Barracuda Link Balancer to use the MAC address for the firewall interface wh communicating with the router for PoC situations. Configuring the Barracuda Link Balancer for Two Indepdt ISP Links and Firewalls This article provides steps for inserting a Barracuda Link Balancer into an existing setup so that the LAN is fed by two indepdt Internet links through two indepdt firewalls. In this article: Example Setup and IP Addresses Step Connect and Configure the WAN Links on the Barracuda Link Balancer Step Connect and Configure the Firewalls Usage Modes Example Setup and IP Addresses The following diagram shows the example setup used in this article: The example setup uses these IP addresses and subnets: 13

14 WAN 1 1 Internet Router # Internet Router # Firewall #1 external Firewall #1 internal Firewall #2 external Firewall #2 internal Core Switch Step Connect and Configure the WAN Links on the Barracuda Link Balancer On the Barracuda Link Balancer, connect router #1 to the WAN1 port, and router #2 to the WAN2 port. Go to the BASIC > Links page, and configure the IP address, netmask, gateway, DNS, and health check settings for both links. Step Connect and Configure the Firewalls Connect switch #1 to firewall #1 and firewall # In the example setup, the external IP addresses are for firewall #1 and for firewall # The internal IP addresses are for firewall #1 and 10.9 for firewall # Usage Modes This setup provides the following gateway IP addresses: for clits to access a cumulated Internet uplink using both ISPs filtered separately through both firewalls for clits to access ISP #1 filtered by firewall # 10.9 for clits to access ISP #2 filtered by firewall # Installation Replacing Your Firewall These instructions describe how to deploy the Barracuda Link Balancer as the default gateway for your network, replacing your existing firewall or router. The steps documted here provide a method to configure the Barracuda Link Balancer completely before connecting it to your production system. This method allows you to copy the firewall configuration of your existing firewall to the Barracuda Link Balancer. (A similar process is described in the Barracuda Link Balancer Quick Start Guide.) In this article: Step Prepare for the Installation Step Activate the Barracuda Link Balancer with Temporary Network Settings Step Update the Firmware Step Configure Permant WAN Settings Step 5. Configure the Barracuda Link Balancer Firewall Step 6. Configure Permant LAN IP Address Step 7. Install in the Production Network Step 8. Test Connectivity Step Prepare for the Installation Before installing your Barracuda Link Balancer, verify that you have the necessary equipmt: 14

15 Barracuda Link Balancer and AC power cord (included) Ethernet cables PC with a web browser Plug in the Barracuda Link Balancer and power it on. Step Activate the Barracuda Link Balancer with Temporary Network Settings Follow these steps to configure the Barracuda Link Balancer with temporary settings and activate it: Change the network settings of a PC with a web browser installed to use an IP address of , subnet mask of and gateway of Depding on the model, there may be a LAN port on the front or back side of the Barracuda Link Balancer. Connect an Ethernet cable from the PC to that LAN port Start the web browser and access the web interface by typing Login with the default username is admin and the default password admin. Go to the Basic > Links page and double-click one of the WAN ports in the graphic. In the Links Configuration section, set the Type of the WAN link to DHCP to acquire an address in the office network. Alternatively, set the link Type to Static and ter a specific IP address. Click Save Changes. Connect an Ethernet cable from the corresponding WAN port on the front of the Barracuda Link Balancer into your office network. You should now have Internet connectivity from your PC. At the top of every page, you may see an activation warning message. Click the link in that message or use the link on the Basic > Status page to op up the Barracuda Networks Product Activation page in a new browser window. Fill in the required fields and click Activate. A confirmation page ops to display the terms of your subscription. On the Basic > Status page, you may need to ter the activation code from the Barracu da Networks Product Activation page to activate your Barracuda Link Balancer. If your subscription status does not change to Currt, or if you have trouble filling out the Product Activation page, call your Barracuda Networks sales represtative. Step Update the Firmware Go to the Advanced > Firmware Update page. If there is a new Latest Geral Release available (the Download Now funcion is abled), perform the following steps to update the system firmware: 5. Read the release notes to learn about the features of this firmware update. Click Download Now next to the Latest Geral Release firmware version. Click OK to acknowledge the download duration message. To avoid damaging the Barracuda Link Balancer, do not power off during an update or download. To view the progress of the download, click Refresh. You will be notified wh the download is complete. Click Apply Now to apply the firmware. Click OK to acknowledge the reboot message. Applying the firmware takes a few minutes to complete. After the firmware has be applied, the Barracuda Link Balancer automatically reboots. Wh the system comes back up, the login page is displayed. Log in again. Step Configure Permant WAN Settings 15

16 After the Barracuda Link Balancer has rebooted, login to the web interface and go to the Basic > Links page. For each link that will be connected to this unit: Click the relevant WAN port in the graphic. In the Links Configuration section, ter the details for the link to be connected to the WAN port. Some of the configuration information is provided by your ISP - be sure to ter it correctly. Wh done, click Save Changes. For each WAN interface that has a static IP address, ter all of your externally accessible servers in the Additional IP Addresses fiel d. These need to be idtified so that traffic can be accepted for them. You will also need to reconfigure the servers with private IP addresses. In the next step, you can create firewall 1:1 NAT rules to direct traffic to those systems. Step 5. Configure the Barracuda Link Balancer Firewall Create firewall rules on the Barracuda Link Balancer to match the settings of your currt firewall. Go to the Firewall > Access Rules page to add incoming and outgoing rules. Go to the Firewall > NAT page to add 1:1 NAT and port forwarding rules. Step 6. Configure Permant LAN IP Address Change the LAN IP address of the Barracuda Link Balancer to its permant setting as the default gateway for your network. To change the LAN IP address, go to the Basic > IP Configuration page and change IP address and subnet mask. Click Save Changes. The connection to the PC that you were using will terminate. Unplug the cable connecting your PC to the Barracuda Link Balancer. Power down your Barracuda Link Balancer using the power button on the front of the unit. Step 7. Install in the Production Network Now that the Barracuda Link Balancer is configured, install it in its permant location and make it part of your production network: Mount the Barracuda Link Balancer in a 19-inch rack or place it in a stable location. To sure proper vtilation, do not block the cooling vts on the front and back of the unit. Connect each of the cables from the Internet links into a WAN port on the front of the Barracuda Link Balancer. The ports are labeled WAN1, WAN2, etc. These ports correspond to the WAN ports that you configured in the web interface. Be sure to connect them according to your configuration. Unplug your firewall from the network and plug its LAN connection into the LAN port on the front of the Barracuda Link Balancer, if there is one. If there is no LAN port on the front, plug that connection into the LAN ethernet port on the back panel of the Barracuda Link Balancer. You should see some activity on both the yellow and gre lights on the LAN port. If not, you may need to use a crossover cable. If the IP address of the Barracuda Link Balancer is the same as the IP address of the firewall that you removed, you can ignore this step. Otherwise, make the Barracuda Link Balancer the default gateway for the clits by updating the configuration of the DHCP server for the clits to give out the LAN IP address of the Barracuda Link Balancer as the default gateway. As the leases are rewed, each clit will gain access to the new Internet links. Furthermore, change the default gateway of any clits with static IP addresses to the LAN IP address of the Barracuda Link Balancer. Step 8. Test Connectivity Test the connectivity to a clit system: If needed, change the gateway IP address of a test system to the LAN IP address of the Barracuda Link Balancer. Confirm that you can access the Internet from the test system. If this works, continue. On the test system, log into the web interface using the permant LAN IP address and go to the Basic > Links page. The status of each link should display as Connected. You can see the utilization of each link by moving the mouse over the graphic. On the test system, gerate some traffic, by, for example, oping more tabs in the browser of the test system and downloading files from the Internet. FTP files from a number of differt sites or use BitTorrt to get the traffic to flow on multiple links. 5. Go to the Basic > Status page to view graphs that show the incoming and outgoing traffic for each link. If you have connectivity issues, clear the ARP caches of your existing network componts such as routers and modems. In some cases, you may need to reboot these devices. 16

17 Continue with Step 1: Configure Administrative Settings. Hardware Compliance Hardware Compliance This section contains compliance information for the appliance. Notice for the USA Compliance Information Statemt (Declaration of Conformity Procedure) DoC FCC Part 15: This device complies with part 15 of the FCC Rules. Operation is subject to the following conditions: This device may not cause harmful interferce, and This device must accept any interferce received including interferce that may cause undesired operation. If this equipmt does cause harmful interferce to radio or television reception, which can be determined by turning the equipmt off and on, the user in couraged to try one or more of the following measures: Reorit or relocate the receiving antna. Increase the separation betwe the equipmt and the receiver. Plug the equipmt into an outlet on a circuit differt from that of the receiver. Consult the dealer or an expericed radio/television technician for help Notice for Canada This apparatus complies with the Class B limits for radio interferce as specified in the Canadian Departmt of Communication Radio Interferce Regulations. Notice for Europe (CE Mark) This product is in conformity with the Council Directive 89/336/EEC, 92/31/EEC (EMC). Power Requiremts AC input voltage volts; frequcy 50/60 Hz. Getting Started After successful deploymt, Barracuda Networks recommds that you start with the following steps wh configuring your Barracuda Link Balancer. In this Section: Step 1: Configure Administrative Settings Step 2: Configure Networking Settings 17

18 Step 1: Configure Administrative Settings The BASIC > Administration page allows you to perform the following tasks to control access to the web interface: In this article: Allow or dy administration access using the WAN interfaces. Dying access from the WAN interfaces is one way to prevt brute force login attacks on your system. (You cannot disable administration access via the LAN.) Specify the IP addresses or subnet masks of the systems that can access the web interface. Attempts to log in from other systems will be died. Change the HTTP port used to access the web interface (default is port 8000). Change the lgth of time of inactivity allowed until the administrator is logged out of the web interface. Change the Default Password Set the Time Zone of the System Specify Addresses for Alerts Customize the Appearance of the Web Interface Enabling SSL for Administration Change the Default Password To prevt unauthorized use, change the default administrator password for the web interface to a more secure password. Log into the Barracuda Link Balancer interface. Navigate to the BASIC > Administration page. In the Password Change section, change the default administrator password. Click Save Password. Set the Time Zone of the System The currt time on the system is automatically updated via Network Time Protocol (NTP). It is important that the time zone is set correctly because this information is used to coordinate traffic distribution and in all logs and reports. If two Barracuda Link Balancers are to be clustered, the time zone must be the same on both before the cluster can be created. Op the BASIC > Administration page. In the Time section, set the time zone of your Barracuda Link Balancer. Click Save Changes. The Barracuda Link Balancer automatically reboots wh you change the timezone. Specify Addresses for Alerts Alert s are gerated automatically by the Barracuda Link Balancer to notify you wh, for example, a link is down or if your system is low on disk space. If gerated, alert s are st hourly. Every SNMP trap (except for the WANx saturated trap) gerated causes an to be st. To specify addresses for alerts, Navigate to the BASIC > Administration page. In the Notifications section, ter the address that sds alerts from the Barracuda Link Balancer. To ter multiple addresses, separate each address with a comma. Click Save Changes. Op the BASIC > IP Configuration page. Enter the Default Host Name and Default Domain of the Barracuda Link Balancer. Click Save Changes. The default hostname and the default domain name are displayed in all alert s st by the Barracuda Link Balancer. 18

19 Customize the Appearance of the Web Interface Use the ADVANCED > Appearance page to customize the default images used on the web interface. This tab is only displayed on certain Barracuda Link Balancer models. Enabling SSL for Administration You can choose to require that only secure SSL connections can access the web interface. SSL sures that your passwords and the rest of the data transmitted to and received from the web interface are crypted. The ADVANCED > Secure Administration page allows you to configure SSL. In order to only allow secured connections wh accessing the web interface, you need to supply a digital SSL certificate which will be stored on the Barracuda Link Balancer. This certificate is used as part of the connection process betwe clit and server (in this case, a browser and the web interface on the Barracuda Link Balancer). The certificate contains the server name, the trusted certificate authority, and the server s public cryption key. The SSL certificate which you supply may be either private or trusted. A private, or self-signed, certificate provides strong cryption without the cost of purchasing a certificate from a trusted certificate authority (CA). However, the clit web browser will be unable to verify the authticity of the certificate and a warning will be st about the unverified certificate. To avoid this warning, download the private root certificate and import it into each browser that accesses the Barracuda Link Balancer web interface. You may create your own private certificate using the ADVANCED > Secure Administration page. Instead of a private certification, you may also use the default pre-loaded Barracuda Networks certificate. The clit web browser will display a warning because the hostname of this certificate is barracuda.barracudanetworks.com and it is not a trusted certificate. Because of this, access to the web interface using the default certificate may be less secure. A trusted certificate is a certificate signed by a trusted certificate authority (CA). The befit of this certificate type is that the signed certificate is recognized by the browser as trusted, thus prevting the need for manual download of the private root certificate. Use the ADVANCED > Secure Administration page to create a Certificate Signing Request which you can submit to a certificate authority to purchase a trusted certificate. Step 2: Configure Networking Settings The following article describes the main networking settings that you can configure using the Barracuda Link Balancer web interface. In this article: Viewing and Updating the WAN Link Configuration Adding a New WAN Link WAN IP Impersonation Authoritative DNS Adding Static Routes Configuring VLANs Creating IP Aliases Configuring DNS Servers Configuring Per Interface Health Checks Configuring the DHCP Server Viewing and Updating the WAN Link Configuration Every WAN link that ters the Barracuda Link Balancer needs to be manually idtified. The information is provided by your internet service provider. Log into the Barracuda Link Balancer Web Interface. Go to the BASIC > Links page. To idtify the links, move the mouse over the corresponding WAN port displayed in the upper section of the page. To change or add configuration information, click on the port or expand the link in the Configure column under the Links Configuration section. Adding a New WAN Link There are a few things to remember if you are adding one or more new WAN links to an already configured Barracuda Link Balancer. As already mtioned, all links must be configured on the BASIC > Links page. New WAN links that are configured correctly are automatically used for 19

20 outbound link balancing. For inbound traffic, if the Barracuda Link Balancer firewall is abled, you can add a NAT rule on the FIREWALL > NAT page to map the destination IP address of the traffic on the new link to an internal service. WAN IP Impersonation If the Barracuda Link Balancer firewall is disabled, you can avoid having to update rules on your network firewall to include the new WAN link by choosing to map the destination IP address of traffic on the new link to an existing WAN IP address (usually, an address on WAN1). To do this: Select the NAT/Port Forwarding option on the BASIC > Links page. Click Save Changes. The Barracuda Link Balancer will automatically perform a system Reload. After the reload is complete, log back into the Barracuda Link Balancer. Make sure to ter all IP addresses you own under their respective WAN links in the Additional IPs section of the BASIC > Links page. These IP addresses will be used to create NAT or Port Forward rules for WAN IP impersonation. 5. Create a NAT or Port Forward rule on the Firewall > NAT page to map the destination IP address of the traffic on the new link to an external IP address on an existing link. Authoritative DNS The Barracuda Link Balancer can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names installed in its configuration. This allows you to define one or more domains that are accessible via more than one WAN link. Wh asked to resolve a host, the Barracuda Link Balancer will return one of the IP addresses of the available WAN links. However, before your servers can be accessed from the Internet by name, you have to: Register your domains with a domain name registrar. Without this, the domain names will fail to resolve wh accessed from the Internet. Once your domains are registered, you can configure authoritative DNS on the SERVICES > Authoritative DNS page. Also, see If You Add a WAN Link After the Domains are Created for more information. Adding Static Routes If you have a separate subnet that needs to be able to use the Internet links that are accessible only through the Barracuda Link Balancer, add a static route to specify a gateway for the subnet so that the return traffic can take the correct path. If you have disabled the Barracuda Link Balancer firewall, th static routes can be added to your network firewall. Otherwise, follow these instructions to add static routes to the Barracuda Link Balancer: 5. On the Barracuda Link Balancer web interface, go to ADVANCED > Advanced Networking. Add the static routes. Test connectivity from each internal network by changing the gateway IP address of a computer on each subnet to the LAN IP address of the Barracuda Link Balancer. Check that you can access the internet from each subnet. Wh testing is complete, update the configuration of the DHCP server for the clits to give out the LAN IP address of the Barracuda Link Balancer as the default gateway. As the leases are rewed, each clit will have access to all of the new Internet links. Change the default gateway of any clits with static IP addresses to the LAN IP address of the Barracuda Link Balancer. Configuring VLANs The Barracuda Link Balancer supports the IEEE 801Q standard for explicitly tagging Ethernet frames with VLAN information. To configure VLANS, proceed as follows: On the ADVANCED > Advanced Networking page, idtify your VLANs. Th create a virtual interface that associates an IP address and netmask with a VLAN. Traffic st to a virtual interface associated with a VLAN will be tagged with the VLAN ID and delivered correctly. VLANs may not be on the same subnet. Starting from firmware version 5, you can configure VLAN ID tagging for each link on the BASIC > Links page. Creating IP Aliases You can create virtual interfaces or IP aliases by associating an IP address or subnet with a WAN, LAN or VLAN. Each IP address and netmask can only be associated with one WAN, LAN or VLAN. Virtual interfaces are used: To associate an IP address range with a VLAN 20

21 To associate an externally accessible IP address that is on a differt subnet than any WAN link with a WAN link. Create IP aliases on the ADVANCED > Advanced Networking page. Configuring DNS Servers On the BASIC > Links page, set the primary and secondary DNS servers for each WAN link. Your ISP should provide you with these settings. Configuring Per Interface Health Checks On the BASIC > Links page, configure health checks for each link. Multiple methods are supported. You can ter more than one test target (e.g. resolve the DNS domain names of multiple Web sites) to be sure that the link is actually down. Link failure is shown on this page and on the BASI C > Status page. Also, if a link fails an SNMP trap will be gerated, an will be st, and an evt will be logged. Configuring the DHCP Server The Barracuda Link Balancer can act as a DHCP server. On the SERVICES > DHCP Server page, able the DHCP server and configure it. Configuration The following section contains articles explaining how to configure the Barracuda Link Balancer for inbound load balancing, networking and firewalling. In this Section DNS Networking Firewall VPN DNS Configure your Barracuda Link Balancer to act as an authoritative DNS server. The following article section provides an overview on the DNS functionalities and explains how to set up the DNS server for inbound load balancing. In this Section: DNS Overview How to Configure the DNS Server DNS Overview The Barracuda Link Balancer can act as an authoritative DNS server, returning definitive answers to DNS queries about domain names installed in its configuration. This allows you to define one or more domains that are accessible via more than one WAN link. Wh asked to resolve a host, the Barracuda Link Balancer will return one of the IP addresses of the available WAN links. This provides two befits: Failover - If one WAN link goes down, the domain is still available via one of the other WAN links. Incoming link balancing - Incoming traffic to the domain will be spread across all links that you configure for that domain. Only WAN links with static IP addresses can be advertised to respond to DNS queries. However, you can accept traffic on any of your WAN links for a domain configured on the Barracuda Link Balancer. DNS resource records describe the hosts and name servers and other attributes of the domain. Following the instructions provided here and using the web interface of the Barracuda Link Balancer, you can create the records that describe the domain or domains that are hosted on the LAN side of the Barracuda Link Balancer. The supported DNS resource records are described in How to Configure the DNS Server. DNS Records Time to Live As already mtioned, making the Barracuda Link Balancer the authoritative DNS server for the domains that are behind it increases the 21

22 availability of your hosted servers. Wh asked for the IP address of a hostname, the Barracuda Link Balancer returns a DNS A record that contains the IP address of one of your WAN links. Every DNS record has a Time to Live (TTL) value. TTL is the lgth of time that the DNS record may be cached. For most DNS records, two days is a typical and acceptable value. However, A records should have a very short TTL, such as 30 seconds. If a WAN link fails, its address will no longer be returned, so the inbound traffic to this host will not be disrupted. A short TTL value for this record sures that the cached address for the failed link times out quickly. Specifying a short TTL for A records also assists in link balancing. Because the address for a host that is returned varies among the available links, the short TTL guarantees that the link used for incoming traffic directed to that host also varies frequtly. Recommded Deploymt Use this feature if you are hosting services such as web servers, VPNs and that are name-based. This increases the availability of your services and provides a way to do inbound link balancing. Split DNS The Barracuda Link Balancer supports a split DNS infrastructure. If the same hostname is used for a resource that is accessible both internally and externally, internal network clits receive the internal IP address and external clits receive the external IP address wh they ask for the address of that hostname. Specifically, the A record for the hostname includes two views, one with the internal IP address and one with the external IP address. In this way, clits only see the address that they should use. The split DNS infrastructure handles accessing resources using a hostname. What about accessing externally accessible resources using an IP address? If local clits use external IP addresses to access internal servers, the Barracuda Link Balancer translates the address and properly forwards those requests back to internal servers. DNS Zone Transfer Blocking The Barracuda Link Balancer can be configured to block zone transfers on some or all of the domains that it hosts. An AXFR/IXFR query that is st from another DNS server to the Barracuda Link Balancer (to request a copy of the DNS records) is rejected if zone transfers are disabled for that domain. By default, zone transfers are abled for all domains created. How to Configure the DNS Server Make the Barracuda Link Balancer an Authoritative DNS host and configure the DNS Server for inbound load balancing. In this article: Step Enable Authoritative DNS Step Create One or More Domains Step Set up DNS for Internal Clits Step Add More DNS Records Step 5. Update Your Domain Registrar Step 6. Test External Access Adding a New WAN Link Zones and Domains DNS Records Step Enable Authoritative DNS Enable Authoritative DNS on the Barracuda Link Balancer, to idtify which WAN links are to be used as name servers. Log into the Barracuda Link Balancer Web Interface. Go to the Services > Authoritative DNS page. Select Enabled for Authoritative DNS and for each of the WAN links in the table of DNS Server list links. This table includes all WAN links with static IP addresses (configured on the Basic > Links page). You can change the value for the Name Server for each link or keep the default. The Name Server value is used as a label for NS records for all the domains. Enter an unqualified name, for example, ns Click Save Changes. Step Create One or More Domains To define one or more domains on the Barracuda Link Balancer, 22

23 Check that the value for Default Domain specified on the Basic > IP Configuration page is accurate. If the built-in firewall is abled, and if you have created 1:1 NAT rules and/or port forwarding rules, make sure that they use the correct hostname. You can look at those rules on the Firewall page. Go to the Services > Authoritative DNS page. In the Domain section, ter the domain and click Create. Wh you have done this, you should see that the following records are created: Start of Authority (SOA) Name Server (NS) - One NS record for each name server in the DNS Server List Links table is gerated. Address (A) - One A record is created for each name server in the DNS Server List Links table. An A record is also created for each matching hostname found in 1:1 NAT and Port Forwarding rules, as described in the next section. If the Barracuda Link Balancer has the firewall abled: Wh you create a new domain, the Barracuda Link Balancer looks for existing 1:1 NAT and port forwarding rules that include names in the Hostname field that have a domain suffix that is the same as the newly created domain name. Or, if you create a domain that is the same as your default domain (as specified on the Basic > IP Configuration page), the Barracuda Link Balancer looks for rules that have hostnames that do not appear to be fully qualified domain names. In either case, an A record for each matching rule, including both external and internal addresses, will be automatically created for each hostname. The DNS records are created with typical default values. You can see all of the values for each record and change them by clicking Edit next to the record in the DNS Records section. Step Set up DNS for Internal Clits If you have an internal DNS server, configure it to forward queries to the LAN IP address of the Barracuda Link Balancer. If the built-in firewall of the Barracuda Link Balancer is abled: As already described, wh you create a new domain, the Barracuda Link Balancer looks for existing 1:1 NAT and port forwarding rules that include names in the Hostname field that have to appear to be relevant and creates an A record for each matching rule, including both external and internal addresses. In some cases, this mapping will not reflect your configuration. Using an internal network clit, try to access a hostname for a resource that is available both internally and externally. If the test fails, edit the A record for the unresolved hostname. The DNS Record page ops. In the IP Addresses table, add addresses to the Local Network column to be used in response to internal DNS queries. If the built-in firewall of the Barracuda Link Balancer is disabled: The Barracuda Link Balancer is not able to derive internal a mapping betwe external and internal addresses if the firewall is disabled. If you want internal addresses to be served, Edit the A record for the hostname of each resource that is available both internally and externally. The DNS Record page ops. In the IP Addresses table, add addresses to the Local Network column to be used in response to internal DNS queries. Using an internal network clit, test your changes by trying to access the resource using its hostname. Step Add More DNS Records Add more DNS records to your domain(s) to match your configuration. For example, each server needs an MX record and a corresponding A record. Each web server needs an A record. If you have externally reachable IP addresses that are not tied to any interface, such as ARIN networks, create an A record for each one: If the address is not routed through the Barracuda Link Balancer, select CUSTOM in the Links list. If the address is routed through the Barracuda Link Balancer, select ANY in the Links list. Step 5. Update Your Domain Registrar If you hav't already registered your domain name, register it with a domain name registrar like or. Make the NS GoDaddy.com register.com records of the domain point to your static WAN IP addresses. If your domain name is already registered, contact your registrar to update the NS 23

24 records of the domain to point to your static WAN IP addresses. Remove records that referce the domain or domains that are now delegated to the Barracuda Link Balancer. Hosting a Sub-Domain If your domain is hosted at your ISP or elsewhere and you want to delegate a sub-domain to be resolved by the Barracuda Link Balancer, you will have to add some records to the zone file of the domain where it is stored at the registrar. If the domain is example.com, and you want to host my. example.com and you have two name servers ns1 and ns2, add these lines, using the actual IP addresses of your name servers: my IN NS ns1 my IN NS ns2 ns1 IN A ns2 IN A Th you can create the my.example.com domain on the Barracuda Link Balancer. Step 6. Test External Access From a host on the Internet, run nslookup on your domain name(s). The returned IP addresses should be the IP addresses of your WAN list links. Depding on the change, it may take some time for your changes to be noted throughout the Internet, depding on how long the various resolvers cache DNS responses. For example, it may take a day before a new domain name is accessible via the Internet. If a domain name was previously registered and the DNS record is modified, any server on the Internet that has the previous information will not get the update until the TTL of the original record has passed. Adding a New WAN Link If, after creating your domains, you add a new WAN link, complete these steps to use the new link for DNS queries (static links only) and inbound link balancing: Go to the Services > Authoritative DNS page. If this is a static link and you want it to be used to respond to DNS queries: a. b. Idtify the new link as a DNS Server List Link and assign it a Name Server label. For each domain that is already defined, add a new NS record and a new A record to each domain for the new link. Edit the A records for your servers to able inbound traffic to be received on the new link for the corresponding internal servers. Specifically, wh you edit the A record, on the DNS Record page you can select the new WAN link from the Links list and add it to the A record. Zones and Domains A domain name server stores information about part of the domain name space called a zone. All names in a giv zone share the same domain suffix. For example, if barracuda.com is the domain suffix, mail.barracuda.com and g.barracuda.com are possible sub-domains. These may be all served by one domain name server or some of the sub-domains may be delegated to other domain name servers. Every domain or sub-domain is in exactly one zone. Rather than make a distinction betwe a zone and a domain, the web interface of the Barracuda Link Balancer simply asks you to create a domain. Zone transfers serve to replicate DNS databases across a set of DNS servers. On the Barracuda Link Balancer, zone transfers can be abled or disabled per domain. Also, the TTL (Time To Live) for clits to cache DNS records can as of Barracuda Link Balancer firmware version 5 be defined per domain. DNS Records DNS Records Gerated wh Creating a Domain Wh you create a domain on the Barracuda Link Balancer the following records are automatically gerated: Start of Authority (SOA) - The SOA record defines the global parameters for the hosted domain or zone. Only one SOA record is allowed per hosted domain or zone. Name Server (NS) - NS records specify the authoritative name servers for this domain. One NS record for each name server in the DNS Server List Links table is gerated. Address (A) - A records map a hostname to an IP address. Each host inside the domain should be represted by an A record. One A record is created for each name server in the DNS Server List Links table. An A record is also created for each matching domain name found in 1:1 NAT and Port Forwarding rules. Additional DNS Records 24

25 Once a zone has be created, you can edit the above records or add NS, A, and any of the following records to a zone: Mail Exchanger (MX) - MX records point to the servers that are responsible for handling for a giv domain. There should be an MX record for each server, including backup servers if they exist. If an server lies within the domain it requires an A record for each name server. If the server is outside the domain, specify the FQDN of the server, ding with a dot. Example: mail.my-isp.net. Text (TXT) - Text records allow text to be associated with a name. This can be used to specify Sder Policy Framework (SPF) or DomainKeys records for the domain. Canonical Name (CNAME) - A CNAME record provides a mapping betwe this alias and the true, or canonical, hostname of the computer. It is commonly used to hide changes to the internal DNS structure. External users can use an unchanging alias while the internal names are updated. If the real server is outside the domain, specify the FQDN of the server, ding with a dot. Example: servermy-isp.net. If a domain name has a CNAME record associated with it, th it can not have any other record types. Do not use CNAME defined hostnames in MX records. Service (SRV) - Service records are used to store the location of newer protocols, such as SIP, LDAP, IMAP and HTTP. Pointer (PTR) - PTR records point to a canonical name. The most common use is to provide a way to associate a domain name with an IP address. Other (OTHER) - Use an OTHER record to add a type of DNS record that is not supported, such as NAPTR. Networking The following article section describes how to configure networking settings including the application of routing rules, and explains how to manage traffic shaping on the Barracuda Link Balancer. In this Section: Routing Outbound Traffic How To Create IP/Application Routing Rules How to Create Outbound Source NAT Rules Traffic Shaping Routing Outbound Traffic By default, all outgoing traffic is link balanced and NAT'd. Also, the source IP address of outgoing traffic is the WAN link that is used by the traffic. You can create outbound routing rules to modify these defaults. In this article: Specifying the Link Used by Outgoing Traffic Ping Traffic VPN and Rules Externally Accessible IP Addresses Changing the Source IP Address of Outgoing Traffic Related Articles How To Create IP/Application Routing Rules How to Create Outbound Source NAT Rules How to Create Custom Applications Specifying the Link Used by Outgoing Traffic To exempt outgoing traffic from link balancing and/or NAT'ing, create IP/application rules on the Policy > Outbound Routing page. IP/application routing rules are based on source IP address, application, and/or destination IP address. The IP/application routing rules are executed before the link load balancing algorithm. Traffic that matches no rule is both link balanced and NAT'd. These rules are executed regardless of the firewall operating mode. Examples where IP/application routing rules may be useful include: 25

26 If you are an ISP with externally accessible IP addresses (ARIN networks) behind the Barracuda Link Balancer that are not on the same subnet as your WAN interfaces. If you have subnets that you want to exempt from link balancing. If you have systems such as mail servers or VPN dpoints that sd traffic that must maintain the original source IP address. If you have applications that you want to exclude from outgoing link balancing and NAT'ing. Ping Traffic To direct ping (ICMP) traffic that originates from behind the Barracuda Link Balancer to use a specific WAN link: Create a ping application on the POLICY > Applications page (select ICMP as the protocol, no port range). Create one or more IP/application routing rules for the ping application. As an example, if WAN1 is a private link to an office and WAN2 is a primary link used for other Internet traffic, make two rules: one that directs ping traffic to the office to use WAN1 and one that allows all other ping traffic to use WAN (Remember that private links are only used if the link is explicitly referced). VPN and Rules During installation, sample disabled IP/application routing rules are automatically created for outgoing VPN and traffic to prevt it from being link balanced or NAT'd. To able those rules, select the WAN link to be used for the traffic. If you would like to link balance outgoing or VPN traffic because you have created a way to make that acceptable to the receiver, you can leave the rules in their disabled state or delete them. (For example, you may have created multiple SPF or DNS records for the WAN IP addresses). Externally Accessible IP Addresses If you would like to direct traffic from externally accessible IP addresses behind the Barracuda Link Balancer to the WAN link that is on the same subnet, create one or more rules where those addresses are the source IP addresses, link balancing and NAT are turned off, and Primary Link is set to Auto. If you have a network where the externally accessible IP addresses (ARIN networks that are not in any WAN subnets) can sd their traffic on any WAN link, you can create rules so that traffic originating from those addresses can go out without being NAT'ed. Depding on how the ISP's routers are set up, traffic from these networks can either be link balanced or be bound to one WAN link. For the latter case, select specific primary and backup links. Changing the Source IP Address of Outgoing Traffic To set the source IP address of outgoing traffic to a masquerade IP address, rather than the IP address of the WAN link, create outbound source NAT rules on the POLICY > Outbound Routing page. Outbound source NAT rules consider source IP address (or range) and, optionally, application and WAN link. If a rule match occurs, the specified external IP address is used as the source IP address of the traffic. The outbound source NAT rules are executed after the WAN link has be determined by the link load balancing algorithm. They are executed regardless of the firewall operating mode. The rules are arranged in a table on the POLICY > Outbound Routing page in order of precedce from top to bottom. Only the first rule that matches the profile of the traffic is executed. If the traffic matches a 1:1 NAT rule the outbound source NAT rules are ignored. How To Create IP/Application Routing Rules The IP/Application Routing section lets you create rules based on source IP address, application, and/or destination IP address that exempt outgoing traffic from link balancing and/or NAT'ing. Traffic that matches no rule will continue to be both link balanced and NAT'd. These rules are executed regardless of the firewall operating mode. Create an IP/Application Routing Rule Log into the Barracuda Link Balancer Interface. Go to the POLICY > Outbound Routing page. In the IP/Application Routing section, ter a unique Rule Name. 5. In the Source IP Address field, ter the IP address (e.g ) to be NAT'd. In the Source Netmask field, ter a netmask (e.g ) or leave this field blank. Application drop down list, select * for any protocol or port combination or select an application. 6. From the 7. Complete the action fields to specify what happs if the traffic matches the condition: 26

27 7. 8. Link Balance - Select Yes to link balance outgoing traffic across any available WAN interfaces. Or, select No and th select a Primary and a Backup link: Primary Link: Default - Outgoing traffic is directed to the WAN link that is on the same subnet. Or, select a specific link from the list to bind the traffic to that link. Backup Link: None - Drop this traffic if the primary link is not available. Or, select a specific link from the list to bind the traffic to that link. Clear the NAT check box to maintain the original source IP address. Click Add. The new rule is now added to the bottom of the IP/Application Routing table. Rules in the IP/Application Routing table appear in execution order, from top to bottom. Only the first rule that matches the profile of the traffic is executed. To change the order of rules, drag them towards the top or bottom of the list. How to Create Outbound Source NAT Rules Create outbound source NAT rules to set the source IP address of outgoing traffic to an address other than that of the WAN link or the original source IP address. This policy is applied after the WAN link has be determined by the link balancing algorithm. These rules are executed regardless of the firewall operating mode. Create an Outbound Source NAT Rule In the Source IP Address field, ter the IP address (e.g ) to be NAT'd. Alternatively, ter an IP address range (e.g ) where the two IP addresses that define the range are separated by a hyph "-". 5. In the Source Netmask field, ter a netmask (e.g ) or leave this field blank. 6. From the Application drop down list, select * for any protocol or port combination or select an application. 7. From the Link drop down list, s Log into the Barracuda Link Balancer Interface. Go to the POLICY > Outbound Routing page. In the Outbound Source NAT section, ter a unique Rule Name. elect a specific link to apply the rule only to the traffic that is directed to that link. Or, select ANY to apply the rule regardless of the WAN link. In the Masquerade IP Address/Range field, ter the address or range to be used as the source IP address. Click Add. The new rule is now added to the bottom of the Outbound Source NAT table. Rules in the Outbound Source NAT table appear in execution order, from top to bottom. Only the first rule that matches the profile of the traffic is executed. To change the order of rules, drag them towards the top or bottom of the list. Traffic Shaping The Barracuda Link Balancer allows you to shape incoming and outgoing traffic and link usage in a variety of ways. In order for bandwidth managemt to work as intded, sure that the configuration of your WAN links matches your ISP's specifications, e.g. concerning upstream and downstream speeds. The links can be configured in BASIC > Links > Link Configuration (see Step 2: Configure Networking Settings). In this article: Link Usage for Inbound and Outbound Traffic Grouping WAN Links for Inbound and Outbound Traffic Creating Quality of Service (QoS) Pipes, Subpipes and Rules Link Usage for Inbound and Outbound Traffic 27

28 Outbound Link Balancing By default, wh outbound traffic from a clit IP address going to a new destination IP address is detected, the weights of the links are compared and the link with the highest weight is used. The weight of a link is the available capacity based on configured link speed and currt usage. The weight for each primary and backup WAN link is calculated on an ongoing and frequt basis. Inbound Link Balancing Inbound link balancing and failover are available only if the Barracuda Link Balancer acts as an authoritative DNS server for domains behind it. Wh the Barracuda Link Balancer receives a DNS query for a hosted domain, it returns the IP address of a WAN link which the clit th uses to reach the hosted domain. The algorithm used to select the returned WAN link is the same as the algorithm used for outbound link balancing. Grouping WAN Links for Inbound and Outbound Traffic You can change how frequtly WAN links are used by assigning each link to one of three groups for both inbound and outbound traffic. This feature allows you to reserve links for certain types of traffic or to use higher cost links only if the lower cost links fail or become saturated. The supported usage groups are: Primary links - Used first for link balancing. Backup links - Used only if the primary links are down or if they become saturated. If all primary links are down or saturated, th traffic is distributed across all available backup links until the primary links become available. Private links - Used only for traffic that matches IP/Application routing rules or if specified explicitly in the configuration of a VPN. Private links are not used at all for default outbound or inbound link balancing. They are used only if explicitly referced. If you want to employ default link balancing policy, where the link with the greatest available capacity is used, set the usage group for each link to Primary. To assign each link a usage group, edit the link on the Basic > Links page. Specifying WAN Link for Outbound Traffic You can override the link balancing algorithm by creating rules that determine which WAN link that certain kinds of outbound traffic will use. See S pecifying the Link Used by Outgoing Traffic. Creating Quality of Service (QoS) Pipes, Subpipes and Rules You can control traffic shaping in hierarchical structures of pipes, subpipes and rules. Traffic shaping is executed after it has be determined which WAN link the traffic will use. These rules apply to all traffic, including VPN traffic, regardless of whether the Barracuda Link Balancer firewall is abled or not. Each rule describes a set of traffic based on one or more parameters: source IP address or range, destination IP address or range, application or applications, time, day of the week, and WAN link. The three differt hierarchy levels control differt aspects of the traffic. If the defined conditions are met, the pipe, subpipe or rule assigns bandwidth shaping and conttion shaping. If the amount of traffic on the network is more than what can be st, traffic from high priority applications is allocated a greater share of the bandwidth. The conttion shaping subdivides traffic that has the same bandwidth shaping level. Some examples of traffic shaping: Give higher priority to traffic originating from a set of IP addresses. Assign lower priority to FTP traffic so that uploading and downloading of files does not impac other applications. Increase the priority of SIP traffic so that calls are not dropped. Give VPN traffic a high priority. You can do this by creating a rule where the source IP address is the local VPN dpoint and the destination IP address is the remote VPN dpoint. Configure QoS on the POLICY > Bandwidth Mgmt page. Firewall The Barracuda Link Balancer can act as a firewall, inspecting network traffic as it arrives and allowing or dying passage, based on a rule set which includes inbound, outbound, 1:1 NAT, and port forwarding rules. Some of these functionalities are available ev if the firewall function is disabled. Using 1:1 NAT and port forwarding rules, the Barracuda Link Balancer can perform: 1:1 NAT - Assign external addresses to internal clits. Port forwarding (or Port Address Translation) - The traffic to a port across one or multiple links is directed to an internal clit. Many to 1 NAT - One internal server may receive traffic from more than one WAN link. You can achieve this by creating 1:1 NAT rules or port forwarding rules. 28

29 Port blocking and unblocking. Inbound and outbound firewall rules are executed regardless of firewall status. 1:1 NAT and port forwarding rules are executed only if the Barracuda Link Balancer firewall is abled or, if not, for any WAN link with the NAT/Port Forwarding option abled. Ev if the rules are not able to be executed, you can always create rules and save them. This may assist you in configuring the built-in firewall with minimal disruption to your network. In this Section: Firewall Rules Overview How to Create Inbound Firewall Rules How to Create Outbound Firewall Rules How to Create Custom Applications How to Create NAT Rules How to Create Port Forwarding Rules Firewall Rules Overview Inbound and outbound firewall rules allow or dy access to remote networks, clits, services and ports. The Barracuda Link Balancer firewall also assists in prevting and mitigating distributed dial of service attacks by rate limiting the number of requests that come in to your network. Firewall rules are arranged in tables from top to bottom in order of precedce. Only the first rule that matches the profile of the traffic is executed. In this article: Inbound Firewall Rules Inbound 1:1 NAT Rules Port Forwarding Rules Outbound Firewall Rules Firewall Logging Inbound Firewall Rules By default, all connections that are initiated from outside are died. Add inbound firewall rules to allow exceptions for specific IP addresses, ports and applications. Applications let you define rules that apply to more than one port. Use the FIREWALL > Access Rules page to create firewall rules for incoming packets. If you want to create an inbound rule for an application that is not in the list prested wh you add the rule, first go to the POLICY > Applications page and define a new application. Inbound 1:1 NAT Rules Wh the Barracuda Link Balancer firewall is abled, externally reachable servers cannot have public IP addresses. You will need to reconfigure these servers with private IP addresses. Idtify the public IP addresses as the Additional IP Addresses for a WAN interface that has a static IP address. Th you can create 1:1 NAT rules to direct traffic to your servers. You can add the public IP addresses as Additional IP Addresses to more than one WAN interface that has a static IP address. All incoming traffic will be forwarded according to the rules you create. This allows traffic to be received by the same internal server from more than one WAN link. 1:1 NAT applies to the IP address only, leaving ports the same on both IP addresses. 1:1 NAT is bidirectional outbound traffic will include the servers' public IP addresses. If the Barracuda Link Balancer firewall is disabled, you can create a NAT rule to map the destination IP address of the inbound traffic on one WAN link to another WAN link's IP address. This allows you to add a new WAN link without having to update rules on your network firewall. See Adding, Updating or Viewing WAN Link Configuration for more details. Wh a 1:1 NAT rule is created, an inbound firewall rule to accept traffic for the external IP address is automatically gerated. Without this rule, all connections that are initiated from outside are died. You can view and change this rule it has a similar Rule Name on the FIREWALL > Access Rules page. You may want to modify that rule to limit access to only those ports or applications that you want to be publicly accessible. On the FIREWALL > NAT page, create 1:1 NAT rules and port forwarding rules. If you create a 1:1 NAT rule for an address, there is no need to also create a port forwarding rule. Port Forwarding Rules Create port forwarding rules to direct traffic on an external port to a port on an internal IP address. You must specify which WAN link to be used to list for incoming packets on the port. The return path is handled automatically. The list IP address on a specific WAN interface could either be the WAN IP address or any additional IP address on the same WAN interface. A WAN IP address that is used in any port forwarding rule can not 29

30 also be used in a 1:1 NAT rule. You can forward the traffic from a port on multiple WAN links to a port on one internal IP address by creating a rule for each WAN link. Wh you add a port forwarding rule, an inbound firewall rule is created automatically to accept traffic on the list link and port for the private IP address of the server. Without this rule, all connections that are initiated from outside are died. You can view and change this rule it has a similar Rule Name on the FIREWALL > Access Rules page. To add a new port forwarding rule, go to the FIREWALL > NAT page. Outbound Firewall Rules By default, all outbound connections are allowed. You can create outbound firewall rules to dy outbound connectivity. For example, you may want to block access to certain online gaming sites that use specific ports. On the FIREWALL > Access Rules page, create, modify, or delete outbound firewall rules. The rules are arranged in the table from top to bottom in order of precedce. Only the first rule that matches the profile of the traffic is executed. If you want to create an outbound rule for an application that is not in the list prested wh you add the rule, go to the P OLICY > Applications page and define a Custom Application. Firewall Logging You can view the firewall log displayed on the LOGS > Firewall Log page to see rules that have be executed and whether the traffic was dropped or allowed. Only rules that have the Log check box selected in their rule try (under the Firewall tab) are logged in this way. How to Create Inbound Firewall Rules The Access Rules page allows you to create and edit firewall rules on the Barracuda Link Balancer. By default, all connections that are initiated from outside are died. Add inbound firewall rules to allow exceptions for specific IP addresses, ports and applications. Create an Inbound Firewall Rule Related Article Firewall Rules Overview Log into the Barracuda Link Balancer Web Interface. Go to the FIREWALL > Access Rules page. To create a new firewall rule, click Add Access Rule. Enter a descriptive name in the Name field. To better idtify a certain rule in the list, ter a commt if desired. Select Allow as the Action to allow traffic that matches this rule. From the Source drop down field, select Internet. From the Destination drop down field, select the destination, for example: LAN You may also select Explicit for both or for one of them allowing you to configure explicit IP addresses for which the rule is valid. From the Link drop down field, select whether this rule applies to any link or only one. From the Protocol drop down field, select whether this rule should apply to any protocol or only one. Select either an application or a port for the rule: a. Wh chosing the application option, select whether this rule should apply to any (*) application or only one from the Applicatio n list. Applications let you define rules that apply to more than one port. You can define an application using the Policy > Applications page (see How to Create Custom Applications). b. Wh chosing the port option, ter one port, a list of comma-separated values, or a hyphated range in the Port field. 1 In the Start Time and End Time fields, define a repeating time span in HH:MM (24 hour format) within which the rule is active. Use the checkboxes below the time fields to narrow that time span down to certain days of the week. 1 Click Add Rule. The inbound firewall rule is now created and appears in the Inbound/Outbound Firewall Rules list. To change an existing firewall rule, click the Edit icon under the Actions column, modify the rule and click Save Changes. How to Create Outbound Firewall Rules 30

31 By default, all connections that are initiated from addresses inside the Barracuda Link Balancer are allowed. You can define firewall rules that will dy outbound connectivity based on protocol, port, application, destination and/or source IP address. Create an Outbound Firewall Rule Related Article Firewall Rules Overview Log into the Barracuda Link Balancer Web Interface. Go to the FIREWALL > Access Rules page. To create a new firewall rule, click Add Access Rule. Enter a descriptive name in the Name field. To better idtify a certain rule in the list, ter a commt if desired. Select Block as the Action to block traffic that matches this rule. From the Source drop down field, select LAN. From the Destination drop down field, select the destination, for example: Internet You may also select Explicit for both or for one of them allowing you to configure explicit IP addresses for which the rule is valid. From the Link drop down field, select whether this rule applies to any link or only one. From the Protocol drop down field, select whether this rule should apply to any protocol or only one. From the Protocol drop down field, select whether this rule should apply to any protocol or only one. Select either an application or a port for the rule: a. Wh chosing the application option, select whether this rule should apply to any (*) application or only one from the Applicatio n list. 1 1 Applications let you define rules that apply to more than one port. You can define an application using the Policy > Applications page (see How to Create Custom Applications). b. Wh chosing the port option, ter one port, a list of comma-separated values, or a hyphated range in the Port field. In the Start Time and End Time fields, define a repeating time span in HH:MM (24 hour format) within which the rule is active. Use the checkboxes below the time fields to narrow that time span down to certain days of the week. Click Add Rule. The outbound firewall rule is now created and appears in the Inbound/Outbound Firewall Rules list. To change an existing firewall rule, click the Edit icon under the Actions column, modify the rule and click Save Changes. How to Create Custom Applications On the Applications page, view and define applications that can be used in firewall and Quality of Service rules. An application is a combination of a protocol and one or more ports. You can create new applications or use the predefined ones, such as DNS, , and HTTP. The Custom Applications table displays any applications that you have defined. Create an Application To create an application, complete the following steps: Log into the Barracuda Link Balancer Interface. Go to the POLICY > Applications page. In the Application field, ter a descriptive name for the application. Select your desired protocol from the Protocol list. In the Port Range field, ter one port, a list of comma-separated values or a hyphated range. Click Add. Click Save Changes. As soon as the application is created it will show up in the Application drop down list wh creating or editing firewall rules. How to Create NAT Rules 31

32 1:1 NAT rules are executed only if the Barracuda Link Balancer firewall is abled or if a WAN link has the NAT setting abled (see section: Wh the Firewall is Disabled). If an internal server needs to receive traffic from more than one WAN link, create a 1:1 NAT or port forwarding rule (see: How to Create Port Forwarding Rules) for each WAN link. If you th create a DNS domain, the Barracuda Link Balancer will automatically gerate A records based on the Port Forwarding and 1:1 NAT rules. In this article: Before you Begin: Create a 1:1 NAT Rule Wh the Firewall is Disabled Before you Begin: The WAN IP address is the IP address used for geral purpose NAT. If necessary, add the publicly accessible IP addresses to the configuration. 5. Log into the Barracuda Link Balancer Web Interface. Go to the Basic > Links page. Click the + sign to expand and edit the WAN link. Add Additional IP Addresses which are the external IP addresses that are eligible to be used for 1:1 NAT. Click Save Changes. Create a 1:1 NAT Rule Go to the FIREWALL > NAT page. Enter a descriptive name in the Rule Name field. From the List Link drop down field, select the WAN link to use. If desired, ter the hostname or the fully qualified domain name associated with the IP addresses in the Hostname field. If you create a domain on the Services > Authoritative DNS page the Barracuda Link Balancer searches for matching domain names in the Port Forwarding and 1:1 NAT rules. For every match, a DNS A record is created linking this hostname to its external and internal IP addresses. You can ter a fully qualified domain name (e.g. with or without the ding dot) or a hostname (e.g. If a hostname is tered, it is considered to be part of the default domain that is specified on the Basic > IP Configuration page. 5. In the Forward IP field, type the private static IP address of the server which must be reachable from the LAN of the Barracuda Link Balancer. Or, if creating a DNAT rule for a link, type a static IP address reachable through a WAN link (usually, the firewall IP address reachable through WAN1). 6. Make sure that you clear the Disable check box to able the rule. 7. To write an try in the Firewall Log whever this rule is executed, select the Log check box. 8. Select the Auto-create firewall rule check box to automatically create an inbound firewall rule to accept traffic for the external IP address. 9. Click Add. Wh the Firewall is Disabled If the Barracuda Link Balancer firewall is disabled, you can create a NAT rule to map the destination IP address of the inbound traffic on one WAN link to an IP address on another WAN link. This option is also known as WAN IP impersonation. It is not available for WAN The NAT/Port Forwarding feature allows you to add a new link without having to update rules on your network firewall. Go to the Basic > Links page. Click the WAN link to op the configuration. Select Yes to able the NAT/Port Forwarding setting. 32

33 Click Save Changes. After saving your changes here, create a NAT rule using the Firewall > NAT page. How to Create Port Forwarding Rules Port forwarding rules are executed only if the Barracuda Link Balancer firewall is abled or if a WAN link has the Port Forwarding sett ing abled (see section: Wh the Firewall is Disabled). Create port forwarding rules to direct traffic on an external port to a port on a private IP address. The return path is handled automatically. The list IP address on a specific WAN interface could either be the WAN IP address or one of the Additional IP Addresses on the same WAN interface. If an internal server needs to receive traffic from more than one WAN link, create a 1:1 NAT or port forwarding rule for each WAN link. If you th create a DNS domain, the Barracuda Link Balancer will automatically gerate A records based on the Port Forwarding and 1:1 NAT rules. In this article: Before you Begin: Create an Inbound Port Forwarding Rule Wh the Firewall is Disabled Before you Begin: The WAN IP address is the IP address used for geral purpose NAT. If necessary, add the publicly accessible IP addresses to the configuration. Log into the Barracuda Link Balancer Web Interface. Go to the Basic > Links page. Click the + sign to expand and edit the WAN link. Add Additional IP Addresses which are the external IP addresses that are eligible to be used. An Additional IP Address that is used for port forwarding rules can NOT be used for 1:1 NAT rules. 5. Click Save Changes. Create an Inbound Port Forwarding Rule 5. Log into the Barracuda Link Balancer Web Interface. Go to the FIREWALL > NAT page. In the Port Forwarding Rules table, ter a descriptive name in the Rule Name field. From the List Link drop down field, select the WAN link to be used to list for incoming packets on the port. If desired, ter the hostname or the fully qualified domain name associated with the IP addresses in the Hostname field. If you create a domain on the Services > Authoritative DNS page the Barracuda Link Balancer searches for matching domain names in the Port Forwarding and 1:1 NAT rules. For every match, a DNS A record is created linking this hostname to its external and internal IP addresses. You can ter a fully qualified domain name (e.g. with or without the ding dot) or a hostname (e.g. www). If a hostname is tered, it is considered to be part of the default domain that is specified on the Basic > IP Configuration page. 6. In the List IP field, type the WAN IP address of this link and all of the Additional IP Addresses on the same WAN interface from the Ba sic > Links page. Select the address to use. 7. Select either an application or a port for the rule: a. Wh chosing the application option, select whether this rule should apply to any (*) application or only one from the Applicatio n list, Applications let you define rules that apply to more than one port. You can define an application using the Policy > Applications page (see How to Create Custom Applications). b. Wh chosing the port option, ter one port, a list of comma-separated values, or a hyphated range in the Port field. If multiple ports are being forwarded th each port in the List IP Ports box corresponds one-to-one with the tries 33

34 b. in the Forward IP Ports box. If there are no tries in this box, traffic is forwarded to the same port as the one on which it was received. 8. Specify one or any protocol from the Protocol list. 9. In the Forward IP field, type the private static IP address of the server which must be reachable from the LAN of the Barracuda Link Balancer. Or, if creating a DNAT rule for a link, type a static IP address reachable through a WAN link (usually, the firewall IP address reachable through WAN1). 10. In the Ports field, ter one port, a list of comma-separated values, or a hyphated range. If multiple ports are being forwarded th each port in the List IP Ports box corresponds one-to-one with the tries in the Forward IP Ports box. If there are no tries in this box, traffic is forwarded to the same port as the one on which it was received. 1 Make sure that you clear the Disable check box to able the rule. 1 To write an try in the Firewall Log whever this rule is executed, select the Log check box. 1 Select the Auto-create firewall rule check box to able auto-creating an accompanying inbound Access Firewall Rule to accept traffic on the list link and port for the private IP address of the server. 1 Click Add. Wh the Firewall is Disabled If the Barracuda Link Balancer firewall is disabled, you can create a NAT rule to map the destination IP address of the inbound traffic on one WAN link to an IP address on another WAN link. This option is also known as WAN IP impersonation. It is not available for WAN The NAT/Port Forwarding feature allows you to add a new link without having to update rules on your network firewall. Go to the Basic > Links page. Click the WAN link to op the configuration. Select Yes to able the NAT/Port Forwarding setting. Click Save Changes. After saving your changes here, create a Port Forwarding rule using the Firewall > NAT page. VPN This article section shows how to configure Site-to-Site VPN on the Barracuda Link Balancer. The configuration example provided explains the deploymt of the Barracuda Link Balancer in context with the configuration of Cisco ASA VPN tunnels. In this Section: Site-to-Site VPN Overview How to Create a Site-to-Site VPN Tunnel Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels Site-to-Site VPN Overview The Barracuda Link Balancer can act as an dpoint in a site-to-site VPN tunnel. The following sections describe the VPN functionalities and explain the configuration steps. In this article: Site-to-Site VPN Tunnels Creating VPN Tunnels Creating a VPN in a NAT'd Environmt Failover and Failback VPN Tunnel as Failover Link for a Brok Site-to-Site WAN Link Troubleshooting a VPN Tunnel Site-to-Site VPN Tunnels You can create a site-to-site VPN tunnel betwe two Barracuda Link Balancers or betwe a Barracuda Link Balancer and another device that supports IPsec. Networks connected via a tunnel will communicate as if they are on the same network, ev though they are separated by the 34

35 Internet. The Services > VPN page displays all tunnels and their status. You can add, disable, edit or delete a tunnel from this page. Creating VPN Tunnels Wh creating a tunnel, make sure that the relevant tunnel parameters on both ds are in sync. If needed, record the settings on the other dpoint and compare them to the local dpoint. Not matching the settings betwe the tunnel dpoints is a common cause of failing to establish a tunnel successfully. Many of the tunnel security parameters are advanced settings and have be giv reasonable defaults. If both dpoints are Barracuda Link Balancers use the defaults provided unless you have a specific reason for changing these settings. For testing purposes, you may choose to start with a shared secret on both dpoints, but using SSL certificates is recommded in a production vironmt. On the ADVANCED > Certificates page, upload the local and remote certificates Creating a VPN in a NAT'd Environmt If either the Barracuda Link Balancer or the remote dpoint is behind a device such as a firewall which is NAT'ing traffic, you must able the NAT-Traversal (NAT-T) option wh creating the VPN tunnel. NAT-T is required to make IPsec and NAT work together. If the option is not abled, packets will be dropped by the receiving d. If the remote dpoint for the VPN is behind a NAT ing device, ter the IP address for the remote dpoint in the Remote NAT-T IP field. In this case, the Primary Remote Gateway IP address is the NAT ing device. If only the local Barracuda Link Balancer is behind a NAT ing device, the Primary Remote Gateway IP address is the remote dpoint and the Remote NAT-T IP field should be left blank. In order for NAT-T to work, op UDP port 4500 on the firewall.the VPN log (on the LOGS > VPN Log page) will display which VPN dpoint is NAT d. Failover and Failback Wh configuring a tunnel you can specify a primary and a backup link. If the primary link fails, the tunnel will be re-established using the backup link. Wh the primary link is restored, the tunnel will automatically fail back to use the primary link. To configure VPN failover: In the New/Edit VPN Tunnel dialog, select a working secondary WAN link in the Backup Local Link field. This WAN link must not be idtical with the Primary Local Link. Enter a hostname or external IP address of a secondary WAN link on the remote VPN gateway into the Backup Remote Gateway field. Note that like with the backup local link, the backup remote link must be an indepdt second Internet connection on the remote gateway. VPN failover will not work if either one of the dpoints uses the same WAN link for primary and backup. VPN Tunnel as Failover Link for a Brok Site-to-Site WAN Link A VPN tunnel can be configured to act as a failover link replacing a temporarily brok WAN link. To make use of this feature, it is required to have two Barracuda Link Balancers with disabled firewalls in both networks which are to be connected through the failover tunnel. Both Barracuda Link Balancers need to be configured to act as failover WAN dpoints. To activate the WAN failover, you must select the respective option in the VPN Status configuration item of a VPN connection on both Barracuda Link Balancers in order to able the failover tunnel for WAN1 (or, respectively, one of the other interfaces). If the WAN link fails, the VPN connection will th be activated. Wh the WAN link is restored, the VPN connection will no longer be used. External firewalls must be configured properly to allow the VPN failover tunnel. To make use this feature, please perform the following configuration tasks: 35

36 Add an IP/APP rule to sd all site-to-site traffic via the WAN link and use the VPN as failover for this traffic. Add an IP/APP rule to sd all remaining traffic via any WAN link but not expect this traffic to failover to the VPN. IP/APP rules should be configured as described below to allow this to happ: IP/APP rule #1: Src /24, App *, Dst /24, LB No, use MPLS, no Backup, no NAT IP/APP rule #2: Src /24, App Ping, Dst /24, LB No, use MPLS, no Backup, no NAT IP/APP rule #3: Src /0, App *, Dst /0, LB No, use DSL, no Backup, NAT yes IP/APP rule #4: Src /0, App Ping, Dst /0, LB No, use DSL, no Backup, NAT yes Troubleshooting a VPN Tunnel If the Barracuda Link Balancer is unable to establish a tunnel th you may be able to discover the problem by checking the following: On the LOGS > VPN Log page, check the VPN Log to see if anything has be logged about the cause of the failure. On the SERVICES > VPN page, click Edit next to the tunnel try to view the tunnel parameters. Check that the security and authtication values match the tunnel parameters of the other d of the tunnel. Check the link status using the BASIC > Status page. External firewalls must be configured properly to allow the VPN failover tunnel. Use the tools on the Advanced > Troubleshooting page, ping the remote gateway and perform other diagnostics on the network connection. (For more information, see Troubleshooting.) How to Create a Site-to-Site VPN Tunnel You can create a VPN tunnel betwe two Barracuda Link Balancers or betwe a Barracuda Link Balancer and another device that supports IPsec. Wh creating the tunnel or modifying its parameters, sure that the settings are correct and in sync on both ds. If possible, display the configuration settings of the remote dpoint in another browser window so that you can sure that you ter them correctly here. Related Article Site-to-Site VPN Overview In this article: Step Create the VPN Tunnel Step Specify the Security Policies Step Verify the IPsec Key Exchange Policy Step Create the VPN Tunnel To configure the VPN tunnel settings on the Barracuda Link Balancer, Log into the Barracuda Link Balancer Web Interface. Go to the SERVICES > VPN page. To create a new VPN tunnel, click ADD New VPN Tunnel. Enter a descriptive Name for the tunnel. (The tunnel name does not have to match the name of the dpoint. From the Primary Local Link list, select the link that this tunnel will use. From the Backup Local Link list, select a backup link. If the primary link fails, the tunnel will be reestablished using the backup link on both ds. Thus, you must specify a backup link on both ds of the tunnel. In the Primary Remote Gateway field, ter the hostname or IP address for the remote gateway. In the Backup Remote Gateway field, ter the hostname or IP address for the backup remote gateway. If there is a failover, this remote gateway will be used. If either this Barracuda Link Balancer or the remote dpoint is behind a device such as a firewall which is NATting traffic, set Enable NAT-Traversal Yes Remote NAT-T IP to and ter the IP address of the remote dpoint in the field. 10. In the Local Network section, select the local subnets that can communicate using this VPN. This list includes the subnet local to the Barracuda Link Balancer and the static routes listed on the Advanced > Advanced Networking page. 1 In the Remote Network field, ter the network addresses and subnet masks of the remote subnets that you want the clits local to this 36

37 1 Barracuda Link Balancer to be able to communicate with. These addresses must exactly match the addresses as they are specified on the remote dpoint. If the remote dpoint is a Barracuda Link Balancer, the local subnets are on this same page in the Local Network list. You do not need to include all of the possible remote subnets in this list. 1 Set Enable VPN to Yes to cause the tunnel to be oped. ( No closes the tunnel.) Step Specify the Security Policies For testing purposes, start with a shared secret on both dpoints. Using certificates is recommded in a production vironmt. In the Security Policies section, select the IPsec Keying Mode used for crypting data: If you choose Shared Secret, ter a password in the Shared Secret field. Be sure to ter this same password on the device on the other d of the tunnel. If you choose Trusted Certificates because you want to use SSL certificates for authtication, proceed as follows: a. If you have not already uploaded the local and remote certificates to the Barracuda Link Balancer using the Advanced > VPN Certificates page: i. Save your changes here first. ii. Navigate to the Advanced > VPN Certificates page. iii. Upload local and remote certificates. iv. Navigate back to this page. b. Uploaded signed certificates appear in the Local Certificate list box. Select the correct one. i. Saved CA certificates appear in the Remote Certificate list box. Select the uploaded certificate for the remote dpoint. ii. Enter the distinguished name (e.g. my.domain.com) for the remote dpoint. Step Verify the IPsec Key Exchange Policy IPsec Key Exchange is a protocol that allows devices to exchange information required for secure communication. If the dpoint is also a Barracuda Link Balancer, th unless you have a specific reason for changing these settings, use the defaults provided. Otherwise, make sure the settings here are in sync with those on the other d of the tunnel. Any matches whatever the dpoint uses. If you choose one of the other options, make sure the dpoint is using the same options. Do not choose Any on both dpoints for any of the values here because the negotiation required slows the creation of the tunnel. Specify the following settings for Phase 1 and Phase 2: uses 1536-bit cryption. DH Group 14 (2,048 bits of keying strgth) may be used for maximum security. In the Lifetime fields, ter how long, in seconds, this key exchange policy exists before it needs to be regotiated. In the Encryption and Authtication field, choose the cryption and authtication algorithms. Select the Diffie-Hellman group to use from the DH Group list. Recommded: DH Group 2 (1,024 bits of keying strgth). DH Group 5 Perfect Forward Secrecy or PFS (IPsec Key Exchange Policy Phase 2 only) sures that ev if your currt private key is compromised, all past and future communication cannot be decrypted with this private key. This setting must match the PFS setting on the remote dpoint. Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels This article provides a referce for deploying a Barracuda Link Balancer under the following conditions: In transpart (firewall-disabled) mode in front of a Cisco ASA firewall that is an dpoint for a site-to-site VPN tunnel. In firewall-abled mode as a remote VPN dpoint with the Cisco ASA on the 37

38 other d. Related Article Site-to-Site VPN Overview How to Create a Site-to-Site VPN Tunnel In this example, both of the above are combined. That is, assume a corporate headquarters having an existing Cisco ASA device and a branch office in Michigan. To improve the network's uptime and resilice, the company has decided to introduce a Barracuda Link Balancer at both sites. The one at the headquarters is deployed in transpart (firewall-disabled) mode upstream of the Cisco ASA device and the one in Michigan is deployed in firewall-abled mode. In this article: Before You Begin Configuring Cisco ASA Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough Configuring the Remote Barracuda Link Balancer (at Michigan) Verify Whether the Tunnel Works Troubleshooting Please note that both the Barracuda and the Cisco devices must have static WAN IP addresses in order to set up a VPN tunnel betwe them. Barracuda Labs has tested and validated the settings described in this documt. All settings and screshots contained within this documt are tak from a Barracuda Link Balancer version 1, and a Cisco device running Cisco Adaptive Security Appliance Software version 8.2 and Cisco Device Manager version 6. Before You Begin Barracuda recommds using release version 1 or newer on the Barracuda Link Balancer. To update your Barracuda Link Balancer units, you can install the newest firmware from the ADVANCED > Firmware Updates page. For more information, see How to Update the Firmware. Before proceeding, please collect all the information in the table below that is valid for your setup. The example values in the table are used in this article. Corporate Headquarters (uses Cisco ASA) 38

39 1 Unused Public IP from ISP* 11100/24 2 Local network behind Cisco ASA /24 3 Managemt IP of the Cisco ASA Outside interface for VPN dpoint on Cisco ASA 5 Mgmt IP of Barracuda Link Balancer at Headquarters 11100/ Mgmt IP of Cisco ASA Remote Site Michigan 7 Mgmt IP of Barracuda Link Balancer (Michigan branch) Remote network /16 9 WAN IP for Barracuda Link Balancer for tunnel dpoint 109.1/24 * To avoid changing the existing configuration on the Cisco ASA, provision an additional public IP address from your ISP on the WAN port of the Barracuda Link Balancer and retain the WAN IP address on the Cisco ASA. If necessary, contact your ISP in order to obtain a new IP address. The network diagram below shows the headquarters on the left and the Michigan branch office on the right. The headquarters has an existing Cisco ASA firewall which forms an IPsec tunnel with a Barracuda Link Balancer at the branch office. A Barracuda Link Balancer is deployed at the headquarters in front of the Cisco ASA in transpart mode. In this mode, it does not terminate the VPN but just passes the VPN traffic through to the Cisco ASA. Configuring Cisco ASA To configure an IPsec VPN on the Cisco device, complete the following major steps: Configure Interfaces and ACL for the Tunnel Configure Phase 1 Configure Phase 2 Step Configure Interfaces and ACL for the Tunnel 39

40 interface Ethernet0/0 description WAN Interface nameif Outside security-level 0 ip address interface Ethernet0/1 description LAN Interface nameif Inside security-level 0 ip address # this will be the tunnel dpoint This access list (MI_Tunnel) is used with the crypto map (MI_Map) in order to determine which traffic needs to be crypted and st across the tunnel: access-list MI_Tunnel extded permit ip Step Configure Phase 1 The following configuration commands define the Phase 1 policy parameters to be used. Created is a policy with priority=1 used for negotiating the IKE SA. crypto isakmp policy 1 # Priority = 1 authtication pre-share # Use pre-shared keys cryption 3des # 3des is more secure for cryption than des hash md5 # use sha-1 for max protection (though less throughput) group 2 # group 2 provides adequate security; avoid group 1 lifetime Now, able ISAKMP on the interface that terminates the VPN tunnel: crypto isakmp able outside Step Configure Phase 2 Configure the IPsec transform set ESP-3DES-MD5 to be used with the crypto map try: crypto map MI_Map 1 set transform-set ESP-3DES-MD Define the transformation set for Phase It will be used in the crypto map try. crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac Define a crypto map and specify which traffic should be st to the IPsec peer with the access list defined above. crypto map MI_Map 1 match address MI_Tunnel Set the IPsec peer (remote dpoint) to the appropriate WAN port on the Barracuda Link Balancer: crypto map MI_Map 1 set peer Specify the interface to be used with the settings defined in this configuration: crypto map MI_Map interface Outside Disable NAT-T and set the Phase 2 lifetime: crypto map MI_Map 1 set nat-t-disable crypto map MI_Map 1 set security-association lifetime seconds 3600 Create the tunnel group and assign the preshared key for authtication: tunnel-group type ipsec-l2l tunnel-group ipsec-attributes pre-shared-key my_secret_key # must be idtical to the key on the remote peer ICMP must be abled on the IP address of the Cisco device in order to allow the Barracuda Link Balancer at headquarters to perform health checks for the remote VPN dpoint. Configuring the Barracuda Link Balancer (at Corporate Headquarters) for VPN Passthrough To configure the Barracuda Link Balancer at the headquarters, complete the following major steps: Add Missing Applications Configure the IP / Application Routing 40

41 Define Actions to be Tak To allow the VPN traffic to pass through, outbound routing rules for the following applications must be configured: ESP IKE NAT-T GRE PPTP AH GRE, PPTP, AH and NAT-T are not really required in this deploymt. However, they are mtioned here for completess, or in case you want to allow other tunnels to pass through the Barracuda Link Balancer. Step Add Missing Applications IKE, GRE, and PPTP are included in the Predefined Applications by default. Navigate to POLICY > Applications > Custom Applications and create custom applications for ESP, AH, and NAT-T with the following settings: Application ESP AH NAT-T Settings Application Name: ESP Protocol Type: ESP Application Name: AH Protocol Type: AH Application Name: NAT-T Protocol Type: UDP Port Number: 4500 Step Create a New IP / Application Routing Rule Navigate to POLICY > Outbound Routing > IP/Application Routing and add a new rule with a unique Rule Name. Configure the following condition fields: Setting Description 41

42 Source IP Address The IP address (e.g ) being NAT d on the Cisco ASA Source Netmask The netmask (e.g if it is a single host, or, if it is a set of IP addresses, the subnet mask must be mtioned accordingly). Application Create rules here for each protocol. Destination IP Address The IP address of the VPN remote gateway (e.g. 1121). Destination Netmask The netmask (e.g if it is a single host, or, if it is a set of IP addresses, the subnet mask must be mtioned accordingly). Link Balance Select No and th select a Primary and a Backup link: Primary Link Select Default to direct the outgoing traffic to the WAN link that is on the same subnet. Alternatively, select a specific link from the list to bind the traffic to that link. Backup Link Select None to drop this traffic if the primary link is not available. Or, select a specific link from the list to bind the traffic to that link. NAT To maintain the original source IP address if there is no backup link, clear this check box. If there is a backup link, select the NAT check box and th add Source Network Translation rules to retain the original source IP address which is the NAT'd IP address on the firewall behind the Barracuda Link Balancer for the five applications. The rules in the IP/Application Routing table are processed from top to bottom, in the order that they are listed in the table. Only the first matching rule is executed. New rules are added to the bottom of the table. To change the order of rules, use the arrows on the right side of the table. Also, if you have a large number of tunnels with varying peer addresses, it might be more convit to relax the Sour ce and Destination fields and use only the Application field for the rules. Configuring the Remote Barracuda Link Balancer (at Michigan) Create a new tunnel at the remote Barracuda Link Balancer (running in firewall-abled mode) to connect with the Cisco ASA. Make sure that the Security Policies > Phase 1 and Phase 2 settings are idtical to the Cisco settings. The following table provides the referce settings for adding the new VPN tunnel: Section Settings 42

43 Edit VPN Tunnel Security Policies IPsec Key Exchange Policy Phase 1 IPsec Key Exchange Policy Phase 2 Enable NAT-Traversal: No Remote NAT-T IP: No IPsec Keying Mode: Shared Secret Shared Secret: my_secret_key Encryption: 3DES Authtication: MD5 DH Group: Group 2 Lifetime: Encryption: 3DES Authtication: MD5 Enable Perfect Forward Secrecy: No DH Group: Group 2 Lifetime: 3600 Verify Whether the Tunnel Works After the tunnel has be established successfully, a gre check mark is displayed next to it on the VPN page on the Barracuda Link Balancer at the corporate headquarters as well as the Barracuda Link Balancer at Michigan. Both private IP addresses should now be reachable using the ping command. Troubleshooting A yellow triangle next to the VPN tunnel on the VPN page of the Barracuda Link Balancer indicates that something does not work as intded. To troubleshoot: Check the LOGS > VPN Log page on the Barracuda Link Balancer. You can also refer to the logs gerated by the Cisco ASDM Web interface. Make sure that routing is correctly configured on the clit networks and on the Cisco device. Cisco ASDM provides network logs. You may also use the command on the page on the Barracuda Link Balancer. TCP Dump ADVANCED > Troubleshooting High Availability 43

44 The High Availability option allows you to link two Barracuda Link Balancers as a clustered active/passive pair. Both systems are connected to the WAN links, but only one is actively processing traffic at any time. The two systems continuously share almost all configuration settings and monitor each other s health. If clustering two Barracuda Link Balancers is not a viable option, as an alternative, consider configuring Ethernet Passthrough. (This feature is only available on certain models.) In this Section High Availability Overview Planning Your High Availability Deploymt How to Create a High Availability Cluster How to Remove a System from a Cluster How to Update the Firmware on Clustered Systems High Availability Overview The sections described in this article provide a geral overview on the requiremts for High Availabilty setup betwe two Barracuda Link Balancer systems and explains the available deploymt options. In this article: Operation of High Availability (HA) Requiremts for Clustered Systems Ethernet Passthrough Physical Connectivity of Clustered Systems Synchronization of Data Betwe Clustered Systems Failover and Failback Operation of High Availability (HA) The active system in a clustered pair handles all of the traffic until one of the following componts experices a failure or an outage: Its connection to the LAN. All of its WAN links (administrator configurable option). The Barracuda Link Balancer itself. If one of these conditions is detected, the passive system becomes active and link balances the traffic from the WAN links. Clustered Barracuda Link Balancers communicate according to the Virtual Router Redundancy Protocol (VRRP) specification. Both are configured with a single virtual IP address called the VRRP virtual IP address. This address is serviced only by the active system. If the Barracuda Link Balancer firewall is abled, th the VRRP virtual IP address is the default gateway for devices on the LAN. In the evt of a system failure, the other system in the cluster will assume the VRRP virtual IP address and take on the role of the active system in the cluster. An alert message will be st to the administrator. It is recommded that you use the VRRP virtual IP address to manage the Barracuda Link Balancer since that always points to the active system. Changes will automatically be propagated to the passive system. Requiremts for Clustered Systems Before joining two systems together, each Barracuda Link Balancer must meet the following requiremts: Be model 330 or higher. Be the same model as the other Barracuda Link Balancer. Be activated and on the same version of firmware. The High Availability capability is only available on firmware x and later. Be able to reach the other Barracuda Link Balancer on the LAN interface. This last requiremt applies only if you do not plan to use the LAN2 port for clustering. Ethernet Passthrough If clustering two Barracuda Link Balancers is not a viable option, as an alternative, consider configuring. Ethernet Passthrough If Ethernet Passthrough is configured and if the Barracuda Link Balancer fails, all traffic from WAN1 will be passed directly to the LAN. Do NOT able this 44

45 feature: If your network is relying on the Barracuda Link Balancer firewall to perform IP or port address translation for internal IP addresses. If you have clustered systems, because the passive system will take over if this system fails. Physical Connectivity of Clustered Systems All Barracuda Link Balancer cluster pairs may be linked using the LAN interface. Certain models also support a LAN2 interface: if there is a physical LAN port on the front panel, the Ethernet port on the back is the LAN2 port. Linking the two systems using the LAN2 port sures that communication betwe the two systems will not be delayed or compromised by other traffic on the LAN. It increases the reliability of the connection betwe the two systems and may reduce the time required for failover to occur. Use a crossover cable betwe the LAN2 ports to connect the two systems. The LAN2 IP addresses must be on the same subnet. Synchronization of Data Betwe Clustered Systems Wh two Barracuda Link Balancers are initially joined, most configuration data, such as WAN settings, firewall rules, VPN settings and operating mode, is copied from the primary system in the cluster to the backup system (the system that joins the cluster). This configuration data is synchronized betwe the systems on an ongoing basis. However, the following configuration data are unique and are not synchronized betwe the two systems: LAN IP address, LAN2 IP address, DNS servers, default domain and time zone. System password, time zone and web interface HTTP port, as configured on the BASIC > Administration page. All parameters on the ADVANCED > Appearance page. The HTTPS port and SSL certificate used to access the web interface, as configured on the ADVANCED > Secure Administration. Failover and Failback There is an automatic failback option that can be configured if you want the originally active (primary) system to resume link balancing upon its recovery after a failover. This option can be found on the ADVANCED > High Availability page. Alternatively, you can manually switch to the primary system using the Failback command that is available on the same page. Planning Your High Availability Deploymt page Extra equipmt may be needed to support the clustered Barracuda Link Balancers.You may need to add switches so that the WAN links can connect to two systems. If deploying in front of an existing firewall, you will need to add a switch betwe the Barracuda Link Balancers and the firewall (or two switches for dual firewalls). In this article: In Front of a Single Network Firewall In Front of Dual Network Firewalls No External Firewalls Best Practices for Setting Up HA on Models 330 and 430 The following figures show examples of deploymts of a pair of clustered Barracuda Link Balancers with two clustered firewalls, with one firewall and with no external firewall. In Front of a Single Network Firewall The figure below shows two Barracuda Link Balancers deployed with one network firewall. The LAN IP addresses of the two Barracuda Link 45

46 Balancers and the VRRP virtual IP address must all be on the same subnet. In Front of Dual Network Firewalls The next figure shows two Barracuda Link Balancers and two clustered firewalls. The LAN IP addresses of the two Barracuda Link Balancers and the VRRP virtual IP address must all be on the same subnet. No External Firewalls The next figure shows two Barracuda Link Balancers with the firewall abled. As in the other deploymt examples, the LAN IP addresses of the two Barracuda Link Balancers and the VRRP virtual IP address must all be on the same subnet. Note that only in this example, the VRRP virtual IP address is the default gateway for devices on the LAN. If you are adding a second Barracuda Link Balancer to a network where the gateway of the clit devices were already configured to use the LAN IP address of the first Barracuda Link Balancer, you can assign a new LAN IP address to that Barracuda Link Balancer and use its original LAN IP address as the VRRP virtual IP address. 46

47 Best Practices for Setting Up HA on Models 330 and 430 Use switches (resulting in multiple collision domains) instead of hubs (resulting in one single collision domain). Make sure the ARP cache timeout on the switches is not set to a value too high. Typically, 60 to 180 seconds are good values. You should use differt switches for the various WAN links instead of one common switch for all of them. However, if only one single common switch is used, make sure you use a manageable switch and your VLANs are configured to create multiple broadcast domains for each WAN link respectively. Make sure your network architecture logically matches the respective diagrams on this page. How to Create a High Availability Cluster The following instructions describe how to deploy a pair of Barracuda Link Balancers in a cluster. Prior to clustering the Barracuda Link Balancers, you should first place the systems into their production IP address range. This will allow you to avoid having to reconfigure the cluster later because of an IP address change. In this article: Step Complete the Installation Process for Both Systems Step Create the Cluster Step Connect WAN Links and Test Step Put in Production Step Complete the Installation Process for Both Systems To prepare the Barracuda Link Balancers for clustering, put both systems in the production location on the network. Complete the following steps: If the primary system is a brand new, unconfigured system, th you will need to completely install, configure and test the primary system as described in the installation articles. If the primary system is already configured and operational, update its firmware. If the firewall is abled, change its LAN IP address to a new value. The original LAN IP address will be used as the VRRP virtual IP address. On the backup system, configure a WAN link, connect to the Internet, and activate the system ( BASIC > Status). Th configure the LAN IP address, LAN2 IP address (optional), and the default domain ( BASIC > IP Configuration). Th set the time zone to be the same as that of the primary system ( BASIC > Administration). Th update the firmware ( ADVANCED > Firmware Update). Th connect to the LAN. If using the LAN2 ports, connect them using a crossover cable. Step Create the Cluster Navigate to the ADVANCED > High Availability page on both systems and perform the following steps: 47

48 On the primary system, ter values into the fields in the Cluster Settings section, and save your changes. On the backup system, ter the same values for the cluster settings and save your changes. In the Clustered Systems section, ter the LAN2 IP address of the primary system (if it is to be used) or the LAN IP address of the primary system and click Join Cluster. The backup system will reboot. Wh the backup system comes back up, refresh the Advanced > High Availability page on both systems and verify that each system s LAN or LAN2 IP address appears in the Clustered Systems table and the Status of each system is gre. The systems are now joined. The shared configuration settings of the primary system (as listed in Synchronization of Data Betwe Clustered Systems) will be copied to the secondary system, and each system will begin monitoring the health of the other system. Step Connect WAN Links and Test Connect all WAN links to the backup Barracuda Link Balancer. To test the clustering capability, power off the active system. The backup system should take over the link balancing function. Power the system back on to test automatic failback. If you chose the option to failover if all WAN links are down, th test this by removing the WAN links from the active system. You can also configure specific WAN links to trigger the failover. Step Put in Production From now on, always use the VRRP virtual IP address to manage the Barracuda Link Balancer so that you can be sure that any changes that you make will occur immediately on the active system. How to Remove a System from a Cluster Wh removing a Barracuda Link Balancer system from a High Availability cluster you must erase its cluster settings and disconnect its network links. If no other system is taking its place in the cluster, the remaining system should have its cluster settings removed, and possibly also have its LAN IP address changed to what had be the VRRP virtual IP address. Use the LAN IP addresses of the Barracuda Link Balancers to access their web interfaces while separating them. As soon as one system is removed from the cluster the VRRP virtual IP address will not be usable. Remove a Barracuda Link Balancer from a Cluster On the Barracuda Link Balancer that is being deleted from the cluster, perform the following steps: Navigate to the Advanced > High Availability page. Click the garbage can icon to delete the other system from the Clustered Systems table. Remove the WAN, LAN and LAN2 links connected to this system. Review this system's other settings and make changes as necessary. If you want to replace the removed system with another Barracuda Link Balancer, go to the Advanced > High Availability page on the remaining system and click the garbage can icon to delete the removed system from the Clustered Systems table. Th add the new system to the cluster. Remove Cluster Parameters To remove all cluster parameters from the remaining system: Go to the Advanced > High Availability page. Clear the Cluster Shared Secret password. Click Save Changes. The login scre will appear. Sign in and navigate to the Advanced > High Availability page. Click the garbage can icon to delete the other system from the Clustered Systems table. Set Enable Ethernet Passthrough to Enable if applicable. If the Barracuda Link Balancer firewall is abled, the VRRP virtual IP address is the default gateway for devices on the LAN. Make that address the LAN IP address of this system on the Basic > IP Configuration page. This will cause this system to reboot. How to Update the Firmware on Clustered Systems In order to sure that the transfer of control from one system to the other does not happ while a firmware update is in process, you must disable automatic failback on the High Availability page before attempting to update the firmware on either system. 48

49 Do not manually power-cycle the Barracuda Link Balancer at any time during the upgrade process, as doing so can cause firmware corruption. Update the Firmware Barracuda Networks recommds that you update the firmware on the passive system first, and th update the firmware on the active system. On both systems, perform the following steps: Go to the ADVANCED > High Availability page. In the Cluster Settings section, set the Failback Mode to Manual. Click Save Changes. Go to the ADVANCED > Firmware Update page. If there is a more rect firmware version available than what is already installed, the Download Now button will be abled. Click Download Now. You can update the download progress displayed by the bar at any time by clicking Refresh. To update the firmware, click Apply Now. Enable automatic failback again, if desired, after both systems have be updated and are back online. Go to the ADVANCED > High Availability page. In the Cluster Settings section, set the Failback Mode back to Automatic. Click Save Changes. Revert the Firmware The Firmware Update page allows you also to revert to a previous version. The only time you should revert back to an old firmware version is if your rectly downloaded new version is causing unexpected problems. In this case, contact Barracuda Networks Technical Support before reverting back to a previous firmware version. Monitoring The following article section explains the monitoring processes of the Barracuda Link Balancer. Models 330 and above provide a variety of reporting features for WAN links, VPNs and other system componts. In this Section Basic Monitoring SNMP Monitoring System Reports Viewing Logs Basic Monitoring On the basic monitoring pages you can access information about system performance and traffic throughput on your Barracuda Link Balancer. In this article: Status Overview Live Report Status Overview The Basic > Status page provides an overview on the health and performance of your Barracuda Link Balancer, including utilization and status of the links, the subscription status of Energize Updates and system and hardware statistics including CPU temperature and system load. Performance statistics displayed in red signify that the value exceeds the normal threshold. 49

50 The Status page shows incoming and outgoing traffic statistics for each WAN link. You can also view WAN link utilization and connection status by scrolling over the WAN port graphic on the BASIC > Links page. View the status of VPN tunnels on the SERVICES > VPN page. Live Report To view real-time traffic throughput on your Barracuda Link Balancer, go to the BASIC > Live Report page. The Dashboard section is the main display for live traffic throughput. By default, it shows all traffic passing the WAN ports in both directions. You can also filter the information by Lin k, Direction, and Time. The Top T Users section limits the displayed real-time data to the top t IP addresses. By default, data reflecting all WAN ports within the last 30 seconds is displayed. You can filter this data by Link and Time. In transpart mode, all traffic comes from the firewall's IP address. Therefore, this diagram has no informative value in this mode. The Top T Application section limits the displayed real-time data to the top t applications. By default, data reflecting all WAN ports within the last 30 seconds is displayed. You can filter this data by Link and Time. Only the following applications are displayed in the Top T Application diagram: HTTP FTP SSH Telnet SIP Skype BitTorrt Kazaa AIM MSN Messger More applications are known and available on the POLICY > Bandwidth Mgmt page in the Quality of Service section. SNMP Monitoring Your SNMP monitor or other network managemt program can query the Barracuda Link Balancer SNMP agt for WAN link traffic statistics, amount of traffic going to and from the LAN, and hardware status. You can also receive SNMP traps that are gerated if the WAN links become 50