Barracuda Load Balancer ADC - Overview and Deployment


Contents

Barracuda Load Balancer ADC - Overview

Deployment
  Deployment Requirements
  Choosing Your Deployment Mode and Service Types
    One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service
    TCP Proxy, UDP Proxy, or a Layer 7 Service
    Two-Armed Using TCP Proxy, UDP Proxy, or a Layer 7 Service
    Two-Armed with Layer 4 Load Balancing
  Direct Server Return Deployment
    Deploying DSR in a Microsoft Windows Server 2003 or 2008 Environment
    Deploying DSR in a Linux Environment
    Deploying DSR in Windows XP Environment
  Virtual Deployment
    Hypervisor Compatibility and Deployment - OVF Package
    Hypervisor Compatibility and Deployment - VMX Package
    Hypervisor Compatibility and Deployment - XVA Package
    Barracuda Load Balancer ADC Vx Quick Start Guide
    Sizing CPU, RAM, and Disk for Your Barracuda Load Balancer ADC Vx
    Backing Up Your Virtual Machine System State
  Public Cloud Hosting
    Amazon Web Services
      Barracuda Load Balancer ADC Vx Deployment and Quick Start Guide for Amazon Web Services
      Configuring Services on the Barracuda Load Balancer ADC Vx for Amazon Web Services
      Creating a Link Bond on the Barracuda Load Balancer ADC Vx for Amazon Web Services
      Troubleshooting the Barracuda Load Balancer ADC Vx on Amazon Web Services

Getting Started
  Install the Barracuda Load Balancer ADC Appliance
  Open Firewall Ports
  Activate and Update the Barracuda Load Balancer ADC
  Configure Your Network and Services

Application Deployment Guides
  Microsoft Exchange Server 2010 Deployment
    How to Deploy Microsoft Exchange Server 2010 in a One-Armed Configuration
    How to Deploy Microsoft Exchange Server 2010 in a Two-Armed Configuration
    How to Test the Microsoft Exchange Server 2010 Deployment Configuration
  Microsoft Exchange Server 2013 Deployment
  Microsoft Lync 2010 and 2013 Server Deployment
    Understanding Microsoft Lync Server Deployment Options
    How to Deploy with Microsoft Lync Server 2010 and IP Worksheet
  Microsoft Office SharePoint Server 2007, 2010 and 2013 Deployment
  Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment
    Step 1: How to Configure Session Broker with Remote Desktop Services in Windows Server 2008 R1 or R2
    Step 2: How to Configure the Real Server with Remote Desktop Services in Windows Server 2008 R1 or R2
    Step 3: How to Configure Remote Desktop Services with Remote Desktop Services in Windows Server 2008 R1 or R2
    Step 4: How to Test the Installation of Remote Desktop Services in Windows Server 2008 R1 and R2
  Moodle Deployment

Services
  Services Overview
  Persistence Settings
  TCP Proxy, Secure TCP Proxy, and UDP Proxy
  FTP and FTP SSL Service
  HTTP Service and HTTPS Service
  Instant SSL Service
  SSL Offloading
  How to Secure Communication with Real Servers
  How to Select a Scheduling Policy
  How to Configure Adaptive Scheduling

Access Control
  How to Configure Authentication and Access Control (AAA)
  How to Configure Single Sign-On (SSO)
  How to Set Up a Custom Login Page for Authentication
  How to Configure SMS Passcode Authentication Service
  How to Set Up a Custom Challenge Page for Authentication

Technical White Papers
  PCI Compliance Considerations

Traffic Management
  Content Rules for HTTP and HTTPS Services
  How to Use Extended Match and Condition Expressions
  Understanding HTTP Rewrite Rules
  Content Rewriting
  How to Use the Response Rewrite Function to Enable Web Sites for Google Analytics
  Understanding HTTP Caching
  Understanding HTTP Compression

Logging
  How to Configure Syslog and other Logs
  How to Make the Client IP Address Available to the Back-end Server
    Logging Actual Client IP Address In the IIS 7 and IIS 7.5 Server
    Logging Actual Client IP Address on the Apache Server
  How to Mask Sensitive Data in Logs

Global Server Load Balancing
  Global Server Load Balancing Overview
  Implementing Global Server Load Balancing
    Installing Global Server Load Balancing
    Integrating Global Server Load Balancing with the Existing DNS Infrastructure
    Site Selection Algorithms
    Implementing Global Server Load Balancing Regions
    Configuring Multiple Global Server Load Balancing Controllers

Application Security
  Security Policies
    Configuring Action Policy
    Configuring Cloaking
    Configuring Data Theft Protection
    Configuring Global ACLs
    Configuring Parameter Protection
    Configuring Request Limits
    Configuring URL Normalization
    Configuring URL Protection
    Securing HTTP Cookies
    Slow Client Attack Prevention
  Configuring Website Profiles
  How to Configure Antivirus Protection for File Uploads and Downloads
  How to Configure Data Theft Protection
  How to Configure Brute Force Protection
  How to Configure Session Tracking
  Allow/Deny Rules for Headers and URLs
    Allow/Deny Rules for Headers
    Allow/Deny Rules for URLs
  Extended Match Syntax
  Configuring User Defined Patterns
  Regular Expression Notation

Networking
  Creating Static Routes
  Adding Custom Virtual Interfaces
  Network Address Translation (NAT)
  Multiport Link Aggregation
  VLANs
  Network Access Control Lists
  Configuring IP Reputation Pool

Certificate Management
  How to Add an SSL Certificate
  Installing SSL Certificates with Correct Chain Order
  How to Pass Client Certificate Details to a Back-end Server
  Allowing or Denying Client Certificates
  Client Certificate Validation Using OCSP
  Creating a Client Certificate

Monitoring
  Monitoring the Health of Services and Servers
  How to Create Monitor Groups
  Understanding Testing Methods for Services and Real Servers
  How to Monitor the System Using SNMP
  How to Automate System Alert and SNMP Trap Delivery
  How to Configure SNMP Monitoring on the Barracuda Load Balancer ADC
  How to Enable or Disable Real Servers
  How to Remotely Administer Real Servers
  How to View Performance Statistics
  How to View System Tasks

High Availability
  Understanding Barracuda Load Balancer ADC High Availability
  How to Configure the Barracuda Load Balancer ADCs for High Availability
  How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
  How to Remove a Barracuda Load Balancer ADC from a High Availability Environment
  How to Replace a Barracuda Load Balancer ADC in a High Availability Environment
  How to Update the Firmware on Clustered Systems

Maintenance
  How to Back up and Restore Your System Configuration
  How to Update and Revert the Firmware
  How to Update Definitions Under Energize Updates
  How to Replace a Failed System
  How to Reload, Restart, and Shut Down the System

Troubleshooting
  How to Reboot the System in Recovery Mode
  How to Use the Internet Protocol Version 6 (IPv6) with Barracuda Load Balancer ADC

Barracuda Load Balancer ADC Hardware Features
Limited Warranty and License
Hardware Compliance

Barracuda Load Balancer ADC - Overview

The Barracuda Load Balancer ADC is a unified high-performance platform that helps organizations achieve their availability, acceleration, application control, and application security objectives.

Where to Start

Learn about your Deployment Options. For installation instructions for both the Barracuda Load Balancer ADC Vx virtual machine and the Barracuda Load Balancer ADC appliance, start here: Getting Started.

Application Deployment Guides
  Microsoft Exchange Server 2010 Deployment
  Microsoft Exchange Server 2013 Deployment
  Microsoft Lync 2010 and 2013 Server Deployment
  Microsoft Office SharePoint Server 2007, 2010 and 2013 Deployment
  Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment
  Moodle Deployment
  Barracuda Load Balancer ADC Vx Deployment on Amazon Web Services

Key Features
  - Load balancing with dynamic scheduling and advanced monitoring capabilities
  - SSL offloading, TCP connection pooling and caching, and compression to help accelerate application delivery
  - Content-based routing to provide fine-grained application control
  - Integrated application security to protect against application level attacks, including the OWASP Top 10 risks
  - Protection against theft of sensitive and confidential data

Deployment

You can deploy the Barracuda Load Balancer ADC either as a hardware system or as a virtual system on supported hypervisors and in the cloud. Currently, cloud-hosted virtualization is available for Amazon Web Services. When deploying the Barracuda Load Balancer ADC, ensure that your network meets the setup requirements. You must also decide on:

  - Deploying the Barracuda Load Balancer ADC in either a one-armed or two-armed mode.
  - Creating services to load balance traffic at Layer 4 or Layer 7. A service is a combination of a virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated ports for the specified VIP address is directed to one of the real servers that are associated with that particular service.
  - Configuring Direct Server Return (DSR) for real servers that generate more outbound traffic than inbound traffic.
  - Setting up two Barracuda Load Balancer ADCs in a high availability cluster as an active-passive pair. Only the active unit processes traffic, but both units synchronize their configurations and monitor each other's health. For more information, see High Availability.

In this Section
  Deployment Requirements
  Choosing Your Deployment Mode and Service Types
  Direct Server Return Deployment
  Virtual Deployment
  Public Cloud Hosting

Deployment Requirements

When installing the Barracuda Load Balancer ADC in your network, the following conditions must be met:

  - The VIP addresses must be on the same subnet as the rest of the network; only the real servers are on the private, separate network. The servers need not be physically isolated and can share a switch with the rest of the network so long as the isolation condition is met.
  - (Recommended) Each real server should be "one hop" away from the port on the Barracuda Load Balancer ADC. This means any relevant switches must be either directly connected to a port of the Barracuda Load Balancer ADC or connected to a series of switches that eventually reach the Barracuda Load Balancer ADC without going through any other machines.
  - If you must remotely administer real servers individually, you can create new services that each load balance only a single real server (so it acts as a NAT).

Multiple Network Adapters on Real Servers

Real servers that are on multiple networks simultaneously may break the route path. If possible, each real server must be logically isolated. This means all traffic going to each real server must go through the Barracuda Load Balancer ADC. Each real server must have only one IP address, which is its private, isolated IP address. If a real server has more than one network adapter enabled, which gives traffic an alternate route around the Barracuda Load Balancer ADC, the deployment does not work properly even though it may appear to work initially. If your real servers have multiple network adapters, make sure that one of the following is true:

  - The networks that the real servers are on are isolated from each other and cannot access the WAN (the network where incoming traffic arrives) without going through the Barracuda Load Balancer ADC.
  - No network path may exist from the real servers to the client machines (this means if the real servers are also members of another network, this network must too be isolated and not connected in any way or through any other networks to the WAN network, including through the Internet).
  - Static routes for incoming and outgoing traffic for each IP address of each real server have been defined.

Choosing Your Deployment Mode and Service Types

You can deploy the Barracuda Load Balancer ADC in either one- or two-armed mode. Additionally, you select whether the Barracuda Load Balancer ADC acts as a reverse proxy for each type of traffic that is load balanced. A service is a combination of a virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated ports for the specified VIP address is directed to one of the real servers that are associated with that particular service. When you create a service, you specify whether the incoming traffic type is load balanced at Layer 4 or at Layer 7. You can configure settings such as scheduling policy and security for each service.

In this article: One-Armed and Two-Armed Mode; Direct Server Return; Service Types; Layer 4 Services; Layer 7 Services; Configuring Services; Deployment Examples; Additional Deployment Notes

One-Armed and Two-Armed Mode

You can deploy the Barracuda Load Balancer ADC in either one- or two-armed mode:

  - One-Armed: The real servers and the VIP addresses are on the same side (usually the WAN) of the Barracuda Load Balancer ADC. A one-armed deployment requires minimal changes to your existing infrastructure.
  - Two-Armed (Recommended for best performance): The VIP addresses (incoming traffic) and the real servers are on different subnets. Traffic comes through the WAN port and the real servers communicate with the LAN port. A two-armed deployment requires you to change the IP addresses of all real servers.

If a Layer 4 - UDP or Layer 4 - TCP service is used in a two-armed deployment, the Barracuda Load Balancer ADC must be the default gateway for all downstream real servers. For all other types of services, the real servers and VIP addresses can be positioned in a variety of ways.

Direct Server Return

If a real server generates a much greater volume of outbound traffic than inbound traffic, you can configure Direct Server Return (DSR) for it. DSR increases outbound traffic throughput by directing traffic from the real server directly to the client, bypassing the Barracuda Load Balancer ADC. For more information about this deployment option, see Direct Server Return Deployment.

Service Types

You can create Layer 4 or Layer 7 services to pass incoming traffic to the real servers. Both types of services provide different options for handling traffic.

Layer 4 Services

Layer 4 services pass traffic in half-NAT mode, changing the destination IP address to that of the real server and keeping the original source IP address. The Barracuda Load Balancer ADC is the default gateway for all downstream real servers.

| Traffic Type | Deployment Mode | Layer 4 Service Type | Notes |
|---|---|---|---|
| TCP or UDP | Two-armed. Usually the recommended deployment for Layer 4 traffic. | Layer 4 - UDP, Layer 4 - TCP | Persistence is achieved using the client IP address. |
| TCP or UDP | One-armed. Best performance if almost all traffic is outgoing. | Layer 4 - TCP, Layer 4 - UDP | Real servers in Direct Server Return mode. Requires a loopback adapter on each real server. Can keep the IP addresses of the real servers. SSL offloading and other Layer 7 capabilities are not supported. Persistence is achieved using the client IP address. |

Layer 7 Services

Layer 7 services pass traffic in full-NAT mode, changing both the source and destination IP addresses. The Barracuda Load Balancer ADC acts as a proxy. Connections from the client are terminated at the Barracuda Load Balancer ADC, and new connections are established between the Barracuda Load Balancer ADC and the real servers. For Layer 7 services, the topology can be one- or two-armed. When installing the Barracuda Load Balancer ADC, you do not need to change the gateway of the servers in the server farm. For secure Layer 7 services (Secure TCP Proxy, HTTPS, and FTP SSL), the Barracuda Load Balancer ADC inspects the encrypted traffic using a certificate that is specified when the service type is selected. The traffic can be re-encrypted, or you can configure SSL offloading to send the decrypted traffic to the real servers.

| Traffic Type | Layer 7 Service Type | Notes |
|---|---|---|
| UDP | UDP Proxy | UDP Proxy supports persistence using both client IP address and port. Many UDP applications involve all client requests coming from one client IP address. A UDP Proxy service that is configured with persistence of client IP address and port number distributes traffic across all of the real servers. |
| TCP | TCP Proxy | |
| TCP with SSL processing offloaded to the Barracuda Load Balancer ADC | Secure TCP Proxy | |
| HTTP (web servers) | HTTP or HTTPS | |
| FTP (FTP servers) | FTP or FTP SSL | |
| Remote Desktop Services | Layer 7 - RDP | |

Configuring Services

For more information on the available service types and how to configure them, see Services.

Deployment Examples

The following table lists some common cases with suggested deployments:

| Use Case | Suggested Deployment |
|---|---|
| The Barracuda Load Balancer ADC provides Layer 4 load balancing of TCP/IP traffic. | Create one or more Layer 4 - TCP services. |
| The Barracuda Load Balancer ADC provides Layer 4 load balancing of UDP traffic. | Create one or more Layer 4 - UDP services. |
| The Barracuda Load Balancer ADC provides SSL offloading and Layer 4 load balancing of TCP/IP traffic. | Create one or more Secure TCP Proxy services. If you use a one-armed topology, you do not need to reconfigure the IP addresses of the real servers. A two-armed topology provides better performance. |
| The real servers are on the same subnet as the Barracuda Load Balancer ADC, and the configuration cannot be changed. | You have the following options: Use a one-armed topology, and create a TCP Proxy service (or a Secure TCP Proxy service if SSL offloading is required). If almost all of the traffic is outbound, configure Direct Server Return with a Layer 4 service. |
| There is an existing IT infrastructure using Windows where the web servers need to communicate with systems such as Active Directory Domain Services, ISA Servers or domain controllers. | To avoid changing network settings, you have the following options: Use a one-armed topology and create a TCP Proxy service. Configure Direct Server Return with a Layer 4 service. For best performance, it is recommended that you use a two-armed topology and create a Layer 4 service. |
| The outbound traffic is far greater than the inbound traffic. For example, the real servers are providing streamed audio or visual media. | Configure Direct Server Return with a Layer 4 service to increase throughput. |
| The real servers must individually be remotely administered. | You have the following options: Create new services that each load balance a single real server. Deploy the real servers in a one-armed topology on the WAN side of the Barracuda Load Balancer ADC, and add them to a TCP Proxy service. Deploy the real servers on the WAN side in Direct Server Return mode, and add them to a Layer 4 service. |

Additional Deployment Notes

More information about different deployment options can be found in these articles:

  - One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service
  - Two-Armed Using TCP Proxy, UDP Proxy, or a Layer 7 Service
  - TCP Proxy, UDP Proxy, or a Layer 7 Service
  - Two-Armed with Layer 4 Load Balancing

One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service

A one-armed topology has either all of the real servers and the VIP addresses on the WAN or (less commonly) all of the real servers and the VIP addresses on the LAN. When you create services in this topology, consider the following:

  - For Layer 4 - TCP or UDP services, you must configure the real servers in Direct Server Return mode. See Direct Server Return Deployment.
  - With TCP Proxy, UDP Proxy, or any of the Layer 7 service types, you can add the Barracuda Load Balancer ADC into an existing infrastructure with minimal changes to the network. No changes are required to the IP addresses of the real servers. The Barracuda Load Balancer ADC can be on the same subnet as the real servers. Alternatively, the real servers are reachable through a router from the Barracuda Load Balancer ADC.

In this article: Virtual Interface; Example Deployments

Related Articles: Deployment; TCP Proxy, UDP Proxy, or a Layer 7 Service; Two-Armed Using TCP Proxy, UDP Proxy, or a Layer 7 Service; Two-Armed with Layer 4 Load Balancing; Services

Terminology: WAN refers to interface(s) configured to access an external network. LAN refers to interface(s) configured to access an internal network.

Virtual Interface

If the server is in the same network as the custom virtual interface, then the custom virtual interface is used to connect to the server using the interface route/static route or the default gateway, in that order. If the server, the custom virtual interface, and the WAN IP address are all in the same network, you cannot use the custom virtual interface to connect to the server. In this scenario, the WAN IP address is always used to connect to the server. The virtual interface of the service can be in any network.

Example Deployments

Figure 1 shows a WAN-side deployment using one-armed topology and TCP Proxy, UDP Proxy, or Layer 7 services. The gateway IP address of the real servers did not need to be changed when adding the Barracuda Load Balancer ADC to the network. All of the virtual IP addresses and IP addresses of the real servers are connected to the WAN port. If required, an externally accessible IP address can be kept on a real server so that external clients can still access that address (for example, for FTP) only on that one system.

Because configuration changes are not required, traffic is only passed through the Barracuda Load Balancer ADC if it must be load balanced.

Figure 1: One-armed using TCP Proxy, UDP Proxy, or a Layer 7 service.

Figure 2 shows an example of a one-armed deployment using TCP Proxy services. In this example, email services are provided by multiple Barracuda Spam Firewalls and email servers. As shown in the diagram, email passes through this network as follows:

  #1 - Email is sent to the VIP address for the TCP Proxy service that represents the Barracuda Spam Firewalls.
  #2 - Email is directed to the appropriate Barracuda Spam Firewall for processing.
  #3 - After passing spam and virus checks, email is sent to the VIP address for the email service.
  #4 - The Barracuda Load Balancer ADC load balances the traffic and passes it to an email server.

Figure 2: One-armed TCP Proxy service with Barracuda Spam Firewalls.

TCP Proxy, UDP Proxy, or a Layer 7 Service

Choosing a TCP Proxy, UDP Proxy, or one of the Layer 7 services makes the Barracuda Load Balancer ADC act as a full proxy. Connections from the client are terminated at the Barracuda Load Balancer ADC, and new connections are established between the Barracuda Load Balancer ADC and the real servers. Using a TCP Proxy, UDP Proxy, or a Layer 7 service lets you place the real servers anywhere in your network, as long as they can be routed to by the Barracuda Load Balancer ADC (e.g., via the same subnet, a VLAN, or pre-configured static routes). This can be used in one-armed configurations for applications like Microsoft Exchange Server or Microsoft Lync Server, as well as for custom applications. In two-armed configurations, real servers can access the virtual IP addresses (VIPs) of any TCP Proxy, UDP Proxy, or Layer 7 services that are on the same side of the Barracuda Load Balancer ADC.

There are multiple configuration options available when using one or more TCP Proxy, UDP Proxy, or Layer 7 services:

  - Some or all of the real servers are on the same subnet as the LAN.
  - Some or all of the real servers are on the same subnet as the WAN.
  - Some or all of the real servers are on the same VLAN as the Barracuda Load Balancer ADC.
  - Some or all of the real servers are on a different subnet than either the WAN or LAN but are accessible through static routes.
  - Some or all of the real servers are on a different subnet and responding to a TCP Proxy, UDP Proxy, or Layer 7 service.
  - VIP addresses are on the same subnet as the WAN interface of the Barracuda Load Balancer ADC, and real servers are on a subnet separate from the VIPs.
  - VIP addresses are on the same subnet as the LAN interface of the Barracuda Load Balancer ADC, and real servers are on a subnet separate from the VIPs.

Related Articles: Deployment; One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service; Two-Armed Using TCP Proxy, UDP Proxy, or a Layer 7 Service; Two-Armed with Layer 4 Load Balancing; Services

Terminology: WAN refers to interfaces configured to access an external network. LAN refers to interfaces configured to access an internal network.

Two-Armed Using TCP Proxy, UDP Proxy, or a Layer 7 Service

A two-armed deployment with a Layer 7 - RDP service is the recommended configuration when deploying the Barracuda Load Balancer ADC in a Microsoft Terminal Services environment. Figure 1 shows a network where there are virtual IP addresses available on both the WAN and LAN side. Clients coming from the Internet or intranet can access the database or web service. On the LAN side, the web servers can access the database service.

Related Articles: Deployment; One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service; TCP Proxy, UDP Proxy, or a Layer 7 Service; Two-Armed with Layer 4 Load Balancing; Services

Figure 1: Two-armed TCP Proxy, UDP Proxy, or Layer 7 Service.

Two-Armed with Layer 4 Load Balancing

Use this option to provide Layer 4 load balancing of TCP or UDP traffic with the Barracuda Load Balancer ADC.

Secure TCP Proxy Service: If you want to provide SSL offloading for TCP/IP traffic, use a Secure TCP Proxy service.

Deploying the Barracuda Load Balancer ADC in a two-armed configuration provides greater performance but requires you to change the IP addresses of all your real servers. If a Layer 4 type of service is used, you must set the Barracuda Load Balancer ADC as the default gateway for all downstream real servers so that the Barracuda Load Balancer ADC can handle the responses that are issued by these servers to client requests.

Figure: Two-armed Route-Path network with Layer 4 services.

Related Articles: Deployment; One-Armed Using a TCP Proxy, UDP Proxy, or Layer 7 Service; TCP Proxy, UDP Proxy, or a Layer 7 Service; Services

Direct Server Return Deployment

To increase outbound traffic throughput when performing sustained uploads, such as streamed audio or visual media, you can enable Direct Server Return (DSR) for each of your real servers. With DSR, connection requests and incoming traffic are passed from the Barracuda Load Balancer ADC to the real server, but all outgoing traffic goes directly from the real server to the client. DSR is ideal for high-bandwidth requirements such as content delivery networks and lets you keep the existing IP addresses of your real servers.

In this article: Overview; Requirements; Limitations; Enabling DSR; Deployment Options

Terminology: WAN refers to interface(s) configured to access the external network. LAN refers to interface(s) configured to access the internal network.

Overview

Figure 1 below illustrates how requests and responses are processed in a one-armed network where DSR is enabled for the real servers.

  #1 - The request comes to the switch and is passed to the virtual IP (VIP) address on the Barracuda Load Balancer ADC.
  #2 - A real server is selected, and the data frame of the packet is modified to carry the MAC address of that real server.
  #3 - The packet is then placed back on the network.
  #4 - Because the VIP address is bound to the real server's loopback interface, the real server accepts the packet.
  #5 - The real server responds directly to the client using the VIP address as the source IP address.

Figure 1: Example DSR, one-armed architecture.

Requirements

DSR uses a flat network topology at the Layer 2 (switching) and Layer 3 (IP) levels, which means that the Barracuda Load Balancer ADC, VIP addresses, and real servers all must be within the same IP network and connected on the same switch. Figure 1 above shows this topology. Each real server must be one hop away from the Barracuda Load Balancer ADC and using the WAN port. The switch of the real servers must be either directly connected into the WAN port of the Barracuda Load Balancer ADC or connected to a series of switches that eventually reach the WAN port of the Barracuda Load Balancer ADC without going through any other networking devices. You can have DSR servers and non-DSR servers running the same service.

When deploying real servers in DSR mode:

  - The Barracuda Load Balancer ADC must have the WAN adapter plugged into the same switch or VLAN as all of the real servers.
  - The real servers must be on the same subnet as the WAN of the Barracuda Load Balancer ADC.
  - The WAN IP address, all VIPs, and all of the real servers that use DSR must be on the same IP subnet.
  - Each real server must recognize the VIP as a local address. Enable a non-ARPing virtual adapter such as a loopback adapter and bind it to the VIP address of the load-balanced service. Because this is not a true adapter, there should be no gateway defined in the TCP/IP settings for this adapter. Real servers that accept traffic from multiple VIPs must have a loopback adapter enabled for each VIP.
  - Additionally, the applications on each real server must be aware of both the virtual IP address and the real IP addresses.

Limitations

DSR has the following limitations:

  - Layer 7 services (HTTP, FTP, UDP Proxy, TCP Proxy, and RDP) are not supported.
  - Response headers and data cannot be handled (e.g., caching, compression, URL rewrites).
  - SSL offloading is not supported.
  - Only Layer 4 load balancing is supported.
  - Only client IP persistence can be used; cookie persistence is not supported.

Enabling DSR

On the BASIC > Services page, you can enable DSR individually for each real server listed under each service. In the server settings, set Direct Server Return to Enable.

Deployment Options

For more information on deploying DSR in a Microsoft Windows Server, Linux, or Windows XP environment, see:

  - Deploying DSR in a Microsoft Windows Server 2003 or 2008 Environment
  - Deploying DSR in a Linux Environment
  - Deploying DSR in Windows XP Environment

Deploying DSR in a Microsoft Windows Server 2003 or 2008 Environment

This article refers to the Barracuda Load Balancer ADC and Microsoft Windows Server 2003 and

In this article:
  - Prepare Microsoft Windows Server 2003 and 2008 for DSR
  - Step 1. Disable the Windows Firewall
  - Step 2. Install the Loopback Adapter (Windows Server 2003; Windows Server 2008 or Windows Server 2008 R2)
  - Step 3. Make the Windows Networking Stack Use the Weak Host Model
  - Step 4. Add the Loopback Adapter to your Site Bindings (IIS only)
  - Step 5. Verify Direct Server Return Deployment

Prepare Microsoft Windows Server 2003 and 2008 for DSR

To make servers that are running Microsoft Windows Server 2003 or Windows Server 2008 ready for Direct Server Return (DSR), there are several steps that must be taken on each server. The following steps describe how to deploy DSR in a Windows Server 2003 or 2008 environment. Perform these steps for each server.

Step 1. Disable the Windows Firewall

To enable traffic to the loopback adapter: For Microsoft Windows Server 2003 or Windows Server 2008, you need to disable the built-in firewall or manually change the rules to enable traffic to and from the loopback adapter. By default, the Windows firewall blocks all connections to the loopback adapter.

Step 2. Install the Loopback Adapter

16 To install the Microsoft loopback adapter refer to This note describes how to install the loopback adapter. Windows Server 2008 or Windows Server 2008 R Op Device Manager. On the Start mu, click Run and type dev mgmt*.msc at the prompt. Right-click on the server name and click Add legacy hardware. Wh prompted by the wizard, choose to Install the hardware that I manually select from a list (Advanced). Find Network Adapter in the list, and click Next. From the listed manufacturers select Microsoft, and th select Microsoft Loopback Adapter: This adds a new network interface to your server. Step Make the Windows Networking Stack Use the Weak Host Model This step is required to allow the modified packet to be accepted by Windows Server 2008 servers. If you are using Windows Server 2003, you can skip to Step 4 Add the Loopback Adapter to your Site Bindings. If you are using Windows Server 2008 or Windows Server 2008 R2, use the steps in this section to make the Windows networking stack use the weak host model (which is the same model used in Windows Server 2003). DSR works by modifying the destination MAC address of the incoming traffic to one of the Real Servers behind your VIP. In versions of Windows prior to 2008, the Windows networking stack used a weak host model which allowed the host to receive packets on an interface not assigned as the destination IP address of the packet being received. With Windows Server 2008, Microsoft has implemted a strong host model which breaks the method that DSR uses. Op a command prompt with elevated permissions. To determine the interface ID for both the loopback adapter and the main NIC on the server, type: 16

netsh interface ipv4 show interface

Note the IDX for both the main network interface and the loopback adapter you created. If you have not changed the interface names on this server, the main NIC usually displays as Local Area Connection and the loopback adapter as Local Area Connection 2. The output lists the IDX numbers for both your loopback adapter and your Internet-facing NIC.

3. For each of these adapters, enter the following commands:

netsh interface ipv4 set interface <IDX number for server NIC> weakhostreceive=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostsend=enabled
netsh interface ipv4 set interface <IDX number for loopback> weakhostreceive=enabled

For example, with IDX 23 for the server NIC and IDX 24 for the loopback adapter:

netsh interface ipv4 set interface 23 weakhostreceive=enabled
netsh interface ipv4 set interface 24 weakhostsend=enabled
netsh interface ipv4 set interface 24 weakhostreceive=enabled

Step 4. Add the Loopback Adapter to your Site Bindings (IIS only)

By default, IIS listens on all interfaces. However, if you have bound a site to an individual IP address, you must make sure that the IP address of the loopback adapter (your VIP address) is also included in the site bindings in IIS. Use the following steps to bind the loopback adapter:

1. Open Internet Information Services (IIS) Manager and expand the Sites folder.
2. Click Default Web Site, or click the name of the site you are modifying.
3. Click Bindings on the Actions panel.
4. Click Add, and select HTTP or HTTPS in the Type list. Enter the IP address of your loopback adapter and the port.
5. Click OK to add the site binding.

6. On the Actions panel, click Restart under Manage Web Site so that the new binding takes effect.

Step 5. Verify Direct Server Return Deployment

When you are done adding the loopback adapters, ping the Real Servers and the VIP, and telnet to the Real Servers. If the ping does not work, or if the telnet to the VIP returns "connection refused", the loopback adapter has not been configured correctly. Verify that the loopback adapters are non-ARPing: on either Linux or Windows, use the arp -a command on a host in the same subnet. The MAC address shown for the VIP must be the Barracuda Load Balancer ADC's; if it belongs to a Real Server, that server is answering ARP for the VIP. Also check the system event logs for IP address conflicts. If, later, once the Service is set up, a client connects but cannot access the application, the IIS site (Windows) or the application has not been bound to both the real IP address and the VIP.

Deploying DSR in a Linux Environment

To add a non-ARPing adapter to a Real Server running Linux, add an alias to the lo (loopback) adapter. The following commands are examples for some Linux versions; consult your operating system vendor if you need more details about adding a non-ARPing loopback adapter.

Edit your rc.local file (usually located at /etc/rc.d/rc.local) and add the following:

sysctl -w net.ipv4.conf.lo.arp_ignore=1
sysctl -w net.ipv4.conf.lo.arp_announce=2
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
ifconfig <interface_name> <ip_address> netmask 255.255.255.255 -arp up

where:

<interface_name> is lo:<number> (e.g. lo:0, lo:1, lo:2)
<ip_address> is the Virtual IP Address for the Service

The netmask must be 255.255.255.255 (a /32): a wider mask would make the Real Server treat the whole VIP subnet as directly attached to lo. The arp_ignore and arp_announce settings are what actually keep the server from answering ARP requests for the VIP on its real NIC; only the Barracuda Load Balancer ADC may answer them.

For example, for the first alias:

ifconfig lo:0 <ip_address> netmask 255.255.255.255 -arp up

httpd.conf must accept connections on the VIP as well as on the real IP address (and any VirtualHost entries you use must include the VIP). Edit the file to add these two lines:

Listen <virtual_ip_address>:80
Listen <real_ip_address>:80
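The Linux steps above as an added example script; it is not Barracuda's code. It applies the same arp_ignore/arp_announce settings, adds the VIP as a /32 alias on lo with iproute2 (ip addr, in place of the deprecated ifconfig), validates the address before touching the interface, and emits the two Listen lines for httpd.conf. The addresses used in its usage (192.0.2.10, 10.1.1.5) are constructed. Run it as root on the Real Server, or with DRY_RUN=1 to print the commands it would run.

```shell
# Added example (not Barracuda's): Linux DSR preparation with iproute2.
# Assumes a Linux Real Server with sysctl and ip (iproute2); run as root.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with every octet in 0-255. A typo here would
# either add a bogus address to lo or make the Service unreachable.
valid_ipv4() {
  oldIFS=$IFS; IFS=.
  set -- $1
  IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# arp_ignore=1: answer ARP only for addresses configured on the receiving
# interface, so the VIP on lo is never announced on the real NIC.
# arp_announce=2: never use the VIP as the source of our own ARP requests.
# (For persistence across reboots put the same keys in /etc/sysctl.d/.)
apply_arp_sysctls() {
  for iface in all lo; do
    run sysctl -w "net.ipv4.conf.$iface.arp_ignore=1"
    run sysctl -w "net.ipv4.conf.$iface.arp_announce=2"
  done
}

# Add one VIP as a /32 alias on lo (the equivalent of the page's
# "netmask 255.255.255.255"). "replace" makes the script re-runnable.
# Usage: add_vip <vip> <alias-number>
add_vip() {
  valid_ipv4 "$1" || { echo "bad VIP: $1" >&2; return 1; }
  run ip addr replace "$1/32" dev lo label "lo:$2"
}

# The Listen directives httpd.conf needs for one VIP and the real address.
# Usage: listen_lines <vip> <real-ip> [port]
listen_lines() {
  port="${3:-80}"
  printf 'Listen %s:%s\nListen %s:%s\n' "$1" "$port" "$2" "$port"
}

# Post-check on a live system: the kernel must show the values we set.
verify_arp_sysctls() {
  [ "$(cat /proc/sys/net/ipv4/conf/all/arp_ignore)" = 1 ] &&
  [ "$(cat /proc/sys/net/ipv4/conf/all/arp_announce)" = 2 ]
}

# Usage: sh dsr.sh <vip> <real-ip>   (constructed example: 192.0.2.10 10.1.1.5)
if [ $# -ge 2 ]; then
  apply_arp_sysctls
  add_vip "$1" 0
  listen_lines "$1" "$2"
fi
```

On a live server, run verify_arp_sysctls after the script and then check from another host in the subnet with arp -a that the VIP still resolves to the Barracuda Load Balancer ADC's MAC address, exactly as Step 5 above describes.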

In the Listen lines:

<virtual_ip_address> is the Virtual IP Address for the Service
<real_ip_address> is the actual IP address of the Real Server

To check whether the loopback adapter is working, make sure the Real Server is bound to the loopback adapter's IP address. Output from the ifconfig command should show the loopback alias.

Deploying DSR in a Windows XP Environment

For information on how to add a non-ARPing adapter in a Microsoft Windows XP environment, check the Microsoft Support site for your operating system.

Applications running on Microsoft Real Servers must be configured to accept traffic received on the VIP addresses (the loopback IP addresses). To do this, add the VIP addresses to IIS (Internet Information Services) on each Real Server. The VIP addresses must be listed above the real IP address of the Real Server. Associate the website or application with the VIP addresses.

Virtual Deployment

This virtual appliance requires a 64-bit capable host. Follow the steps in this article to deploy and set up the Barracuda Load Balancer ADC Vx.

In this article:
Before You Begin
Deploy the Barracuda Load Balancer ADC Vx

Related Articles:
Adding Disk Space, Drives and RAM for Your Virtual Appliance
Backing Up Your Virtual Machine System State

Before You Begin

Verify that the host system meets the minimum storage requirements and resource recommendations provided in Sizing CPU, RAM, and Disk for Your Barracuda Load Balancer ADC Vx.

Deploy the Barracuda Load Balancer ADC Vx

Complete the following steps to deploy your virtual appliance:

Step 1. Select Your Hypervisor Deployment and Install the Image

The Barracuda Load Balancer ADC Vx is available as an image that you can import into your hypervisor. Follow the installation instructions for your hypervisor:

Hypervisor Compatibility and Deployment - OVF Package, for: VMware ESX and ESXi ("vSphere Hypervisor") versions 4.0, 4.1, 5.0, 5.1; VMware ESX and ESXi version 3.5; Sun/Oracle VirtualBox and VirtualBox OSE version 2
Hypervisor Compatibility and Deployment - VMX Package, for: VMware Server 2.0+, Workstation 6.0+, Player 3.0+, Fusion 3.0+
Hypervisor Compatibility and Deployment - XVA Package, for: Citrix XenServer 5.5+

Step 2. Provision the Virtual Machine and Select a Deployment Mode

See the Barracuda Load Balancer ADC Vx Quick Start Guide.

Step 3. Configure Your Network and Services

See Configure Your Network and Services.

Hypervisor Compatibility and Deployment - OVF Package

Hypervisor Compatibility

This package's virtual appliance runs under the following hypervisors:

VMware ESX and ESXi ("vSphere Hypervisor") versions 4.0, 4.1, 5.0 and 5.1
VMware ESX and ESXi version 3.5
Sun/Oracle VirtualBox and VirtualBox OSE version 2

Deploying the Virtual Appliance with Your Hypervisor

ESX(i) 3.5: Use the OVF file ending in -35.ovf for this environment.

1. From the File menu in the VMware Infrastructure client, choose Virtual Appliance -> Import.
2. Select Import from file: and navigate to the file BarracudaLoadBalancer-vm<version#>-fw<firmware version#>-35.ovf.
3. Clicking Next, review the appliance information and the End User License Agreement, and set the name of the virtual appliance to something useful in your environment. Click Finish.
4. Once your appliance has finished importing, right-click it, choose Open Console, and then click the green arrow to power on the virtual appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

ESX(i) 4.x and 5.x: Use the OVF file ending in -4x.ovf for this environment.

1. From the File menu in the vSphere client, choose Deploy OVF Template.
2. Select Import from file: and navigate to the file BarracudaLoadBalancer-vm<version#>-fw<firmware version#>-4x.ovf.

3. Clicking Next, review the appliance information and the End User License Agreement, and set the name of the virtual appliance to something useful in your environment. Set the network to point to the target network for this virtual appliance.
4. Once your appliance has finished importing, right-click it, choose Open Console, and then click the green arrow to power on the virtual appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

VirtualBox: Use the OVF file ending in -4x.ovf for this environment.

1. From the File menu in the VirtualBox client, choose Import Appliance.
2. Navigate to the file BarracudaLoadBalancer-vm<version#>-fw<firmware version#>-4x.ovf.
3. Use the default settings for the import and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Hypervisor Compatibility and Deployment - VMX Package

Hypervisor Compatibility

This package's virtual appliance runs under the following hypervisors:

VMware Server 2.0+
Workstation 6.0+, Player 3.0+
Fusion 3.0+

Deploying the Virtual Appliance with Your Hypervisor

Server 2.x:

1. Put the files ending in .vmx and .vmdk into a folder in your datastore (which you can locate from the Datastores list on your server's summary page).
2. From the VMware Infrastructure Web Access client's Virtual Machine menu, choose Add Virtual Machine to Inventory.
3. Navigate to the folder used in step 1 and click the file BarracudaLoadBalancer.vmx in the list under Contents. Click OK.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Player 3.x:

1. From the File menu, choose Open a Virtual Machine.
2. Navigate to the file BarracudaLoadBalancer.vmx.
3. Use the default settings and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Workstation 6.x:

1. From the File menu, choose Open a Virtual Machine.
2. Navigate to the file BarracudaLoadBalancer.vmx.
3. Use the default settings and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Fusion 3.x:

1. From the File menu, choose Open a Virtual Machine.
2. Navigate to the file BarracudaLoadBalancer.vmx.
3. Use the default settings and click Finish.
4. Start the appliance.
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Hypervisor Compatibility and Deployment - XVA Package

Hypervisor Compatibility

This package's virtual appliance runs under the following hypervisors:

Citrix XenServer 5.5+

Deploying the Virtual Appliance with Your Hypervisor

1. From the File menu in the XenCenter client, choose Import VM...
2. Browse to the file BarracudaLoadBalancer-<version#>-fw<firmware version#>.xva and choose the Exported template radio button.
3. Clicking Next >, review the template information and click Finish to import the template.
4. Right-click the resulting template and choose New VM...
5. Follow the Quick Start Guide instructions to provision your virtual appliance.

Barracuda Load Balancer ADC Vx Quick Start Guide

To set up your Barracuda Load Balancer ADC Vx, complete the following steps:

Before You Begin
Step 1. Enter the License Code
Step 2. Configure Your Firewall
Step 3. Log Into the Web Interface
Step 4. Change the Administrator Password
Step 5. Deployment Options
Next Step

Related Articles:
Adding Disk Space, Drives and RAM for Your Virtual Appliance
Backing Up Your Virtual Machine System State

Before You Begin

Deploy the Barracuda Load Balancer ADC Vx on your hypervisor. You need only a single virtual NIC on your virtual appliance.

Step 1. Enter the License Code

You should have received your Barracuda Vx license token via email or from the website when you downloaded the Barracuda Load Balancer ADC Vx package. If not, you can request an evaluation on the Barracuda Networks website. The license token is an alphanumeric string.

1. Start your virtual appliance, making sure to open the console.
2. When the login prompt appears, log in as admin with a password of admin.
3. Set the IP address.
4. Under Licensing, enter your Barracuda License Token and default domain to complete provisioning. The virtual appliance reboots at this time.

Step 2. Configure Your Firewall

If your Barracuda Load Balancer ADC Vx is located behind a firewall, open the following ports:

Port   Direction  Protocol  Description
22     Out        TCP       Remote diagnostics and Technical Support services
53     Out        TCP/UDP   Domain Name System (DNS)
80     Out        TCP       Firmware updates (unless configured to use a proxy)
123    Out        UDP       Network Time Protocol (NTP)
80     Out        TCP       Initial provisioning *
25     Out        TCP       Sending system alerts and notifications to the administrator via your mail server. This port can be changed on the BASIC > Administration page.
Any ports used by Services   As needed   As needed   As required to reach the VIP address of a load-balanced Service. Be sure to configure 1:1 NATs as needed. Certain protocols, including FTP and streaming media protocols, require additional ports to be open.

* The initial provisioning port can be closed once the initial provisioning process is complete.

Step 3. Log Into the Web Interface

In a browser on the management network, enter the Barracuda Load Balancer ADC management IP address and the default HTTP port, for example http://<management IP address>:8000. Log into the administration interface using admin for both the username and password.

Step 4. Change the Administrator Password

Go to BASIC > Administration to change the administrator password. Do this before the appliance becomes reachable from anything but the management network; the factory credentials are public.

Step 5. Deployment Options

Assign network interface cards (NICs) to the Barracuda Load Balancer ADC Vx. In the web administration interface, they are numbered in the order you assign them.

Choose the network layout that best suits your environment. A complete list of deployment options is described in Deployment. Common options include:

One-armed deployment, with a Service of type TCP Proxy, where one network connection of the virtual Barracuda Load Balancer ADC is used for all load-balanced traffic.

Figure 1: One-armed deployment

Two-armed deployment, where the Barracuda Load Balancer ADC is deployed in-line, performing a NAT from the WAN network to the LAN.

Figure 2: Two-armed deployment

Next Step

Continue with Configure Your Network and Services.

Sizing CPU, RAM, and Disk for Your Barracuda Load Balancer ADC Vx

Barracuda Networks recommends the following sizing for initial deployment of your virtual appliance, or when upgrading existing installations.

RAM, Cores, and Hard Disk

Model   Maximum # Cores   RAM - Recommended Minimum   Hard Disk Space - Recommended Minimum
GB GB GB GB GB GB or more 1GB per core GB

Provisioning CPUs/Cores

Each Barracuda Load Balancer ADC Vx model can only make use of a certain number of cores. The virtual machine turns off any extra cores that cannot be used. To add cores:

1. Shut down the virtual appliance.
2. Go into the hypervisor settings for the virtual machine.
3. Add CPUs. The number of CPUs that you can add varies with your hypervisor licensing and version. In some cases, the number of CPUs you add must be a multiple of two.

Provisioning Hard Drives

Barracuda Networks recommends a minimum of 50 GB of hard disk to run your Barracuda Load Balancer ADC Vx. From your hypervisor, you can edit the provisioned size of the hard drives, or you can add a hard drive. To add a hard drive:

1. Shut down your Barracuda Load Balancer ADC Vx.
2. Take a snapshot of your virtual machine.
3. Edit the settings of your virtual machine and either increase the size of the hard drive or add a new hard drive.
4. Restart the virtual machine. As it boots, using the POPOUT CONSOLE, a blue-screen pop-up asks whether you want to use the new additional space. Answer Yes. Note that the pop-up times out after 30 seconds if you do not respond, and the answer then defaults to No.

Resizing may take several minutes, depending on the amount of provisioned hard drive space.

Backing Up Your Virtual Machine System State

Virtual machine environments generally provide a "snapshot" capability, which captures the state of a system as it is running. Once a snapshot is created, you can perform additional operations on the system and "revert" to the snapshot for disaster recovery (or for any other reason).

Because this feature is so powerful, Barracuda Networks strongly recommends taking a snapshot at certain points in time:

Before upgrading the Barracuda Networks product firmware.
Before making major changes to your configuration (this makes snapshotting a convenient "undo" mechanism).
After completing and confirming a large set of changes, such as initial configuration.
As a periodic backup mechanism.

Before taking a snapshot, Barracuda Networks strongly recommends powering off the virtual machine. This step is particularly important if you are using Microsoft Hyper-V as your virtual machine environment. Barracuda Networks recommends that you review your virtual environment's documentation regarding snapshot capabilities and be familiar with their features and limitations.

Public Cloud Hosting

Barracuda Networks offers the Barracuda Load Balancer ADC Vx as a cloud-hosted virtual machine, to load balance, secure, and accelerate the performance of your applications. Cloud-hosted virtualization is available for Amazon Web Services (AWS). Currently, the Barracuda Load Balancer ADC on AWS supports flat networks (i.e., your management IP address and VIP address both reside in the same network).

Key features include:

Load balancing with dynamic scheduling and advanced monitoring capabilities
SSL offloading, TCP connection pooling and caching, and compression to help accelerate application delivery
Content-based routing to provide fine-grained application control
Integrated application security to protect against application-level attacks, including the OWASP Top 10 risks
Protection against theft of sensitive and confidential data

To deploy the Barracuda Load Balancer ADC on AWS, see Amazon Web Services.

Amazon Web Services

To meet a variety of performance requirements, the M1 Medium, M1 Large, and M1 Extra Large instance types are supported for deploying the Barracuda Load Balancer ADC Vx on Amazon Web Services (AWS). Depending on the instance type, you can have:

Up to 4 vCPUs.
Up to 15 GB of memory.
Up to 4 network interfaces. One interface is used for MGMT access and the remaining interfaces can be used for creating Services. With multiple network interfaces, you can create a link bond to improve the throughput of the Barracuda Load Balancer ADC.
Up to 16 private IP addresses per network interface. To make Services available over the Internet, you can allocate a public IP address, or Elastic IP address (EIP), to each private IP address.

The Barracuda Load Balancer ADC is available hourly in the AWS Marketplace, or you can bring your own license (BYOL).

In this article:
Licensing Options
Bring Your Own License (BYOL)
Hourly / Metered
Before You Begin
Step 1. Create the Amazon VPC
Step 2. Add an Internet Gateway to the VPC
Step 3. Add a Subnet to the VPC
Next Step

Licensing Options

The Barracuda Load Balancer ADC Vx AMI is available on Amazon Web Services with the Hourly/Metered licensing option and the Bring Your Own License (BYOL) option.

Bring Your Own License (BYOL)

With the Bring Your Own License (BYOL) option, you are required to get the Barracuda Load Balancer ADC Vx license token, either by:

Requesting a free evaluation on the Barracuda Networks website, or
Purchasing online: from the Product list, select Barracuda Load Balancer ADC AWS under Public Cloud Solutions, then complete the rest of the form.

With this license option, there are no Barracuda Load Balancer ADC software charges, but Amazon Elastic Compute Cloud (Amazon EC2) usage charges on Amazon are applicable.

BYOL Models and Instance Types

For BYOL, Barracuda offers three models. The following table lists each model and the corresponding instance type to be used in AWS, together with the CPU, memory, and networking capacity of each instance type. If you want to increase the performance of a license that you have already purchased, you can buy additional cores from Barracuda and reconfigure your VM for a larger instance type.

Barracuda Load Balancer ADC Vx Model   Supported Instance Type in AWS (Name)   Default vCPU   Default Memory   Maximum Number of Elastic Network Interfaces (ENIs)   Maximum Number of Private IP Addresses per ENI
BBFCAW003a   M1 Medium (m1.medium)        1   3.7 GB   2   6
BBFCAW004a   M1 Large (m1.large)          2   7.5 GB   3   10
BBFCAW006a   M1 Extra Large (m1.xlarge)   4   15 GB    4   15

Hourly / Metered

With the Hourly/Metered licensing option, you complete the purchase or evaluation of the Barracuda Load Balancer ADC Vx entirely within the AWS Marketplace. After the instance is launched, it is provisioned automatically. You are charged hourly for both the Barracuda Load Balancer ADC software and Amazon Elastic Compute Cloud (Amazon EC2) usage on Amazon. For pricing information, refer to the AWS Marketplace.

Hourly/Metered Model and Instance Types

For Hourly/Metered licensing, Barracuda offers only model BBFCAW000p. Three instance types are available for this model. The following table lists each instance type with its CPU, memory, and networking capacity. If you want to increase the performance of an existing VM, configure it with a larger instance type on AWS; Amazon charges you accordingly and automatically reconfigures the VM with the resources and capabilities of the larger instance type.

Barracuda Load Balancer ADC Vx Model   Supported Instance Type in AWS (Name)   Default vCPU   Default Memory   Maximum Number of Elastic Network Interfaces (ENIs)   Maximum Number of Private IP Addresses per ENI
BBFCAW000p   M1 Medium (m1.medium)        1   3.7 GB   2   6
             M1 Large (m1.large)          2   7.5 GB   3   10
             M1 Extra Large (m1.xlarge)   4   15 GB    4   15

Before You Begin

Before you deploy the Barracuda Load Balancer ADC Vx on Amazon Web Services, decide whether you want to purchase it with the Hourly/Metered licensing option or the Bring Your Own License (BYOL) option. Then set up an Amazon Virtual Private Cloud (VPC).

A VPC is an isolated virtual network on the Amazon Web Services (AWS) Cloud where you can launch AWS resources, such as Amazon EC2 instances. When you set up a VPC, specify IP addresses in the form of Classless Inter-Domain Routing (CIDR) blocks (for example, 10.0.0.0/16). In a VPC, you can select your own IP address range, create subnets, and configure routing tables and network gateways. The VPC cannot be larger than /16.

For more information about CIDR notation, refer to Classless Inter-Domain Routing on Wikipedia. For information about the number of VPCs that you can create, refer to the AWS article Amazon VPC Limits.

To set up a VPC, complete the following steps. If you have already configured a VPC for the Barracuda Load Balancer ADC Vx, you can skip ahead to the Barracuda Load Balancer ADC Vx Deployment and Quick Start Guide for Amazon Web Services.

Step 1. Create the Amazon VPC

1. Go to the AWS Management Console.
2. In the Compute & Networking section, click VPC.
3. From the VPC Dashboard, select Your VPCs under VIRTUAL PRIVATE CLOUDS.
4. Click Create VPC.
5. In the Create VPC window, configure the following settings:
   CIDR Block: Enter an IP address range in CIDR format.
   Tenancy: Select Default.
6. Click Yes, Create.

Step 2. Add an Internet Gateway to the VPC

Create an Internet gateway to enable the instances launched in the Amazon VPC to access the Internet.

1. From the VPC Dashboard, select Internet Gateways under VIRTUAL PRIVATE CLOUDS.
2. Click Create Internet Gateway.
3. In the Create Internet Gateway window, click Yes, Create.
4. Select the new Internet gateway, and then click Attach to VPC.
5. Select the VPC that you created in Step 1, and then click Yes, Attach.

Step 3. Add a Subnet to the VPC

1. From the VPC Dashboard, select Subnets under VIRTUAL PRIVATE CLOUDS.
2. Click Create Subnet.
3. In the Create Subnet window, configure the following settings:
   VPC: Select the VPC that you created.
   Availability Zone: Select the availability zone that your VPC resides in.
   CIDR Block: Enter an IP address block in CIDR format.

4. Click Yes, Create.

Next Step

Now that you have set up a VPC for the Barracuda Load Balancer ADC Vx, you can continue with the Barracuda Load Balancer ADC Vx Deployment and Quick Start Guide for Amazon Web Services.

Barracuda Load Balancer ADC Vx Deployment and Quick Start Guide for Amazon Web Services

You can deploy the Barracuda Load Balancer ADC Vx in a flat network (i.e., your management IP address and VIP address both reside in the same network) on Amazon Web Services (AWS). Complete the steps in this guide to configure, launch, and license your Barracuda Load Balancer ADC instance. Then log into the Barracuda Load Balancer ADC Vx to verify your configuration and change your password before you start creating Services.

In this article:
Requirements
Step 1. Create a Security Group
Step 2. Create a Network Interface
Step 3. Disable Source/Dest. Check
Step 4. (Optional) Assign Multiple Private IP Address(es) to the Network Interface of the Instance
Step 5. Deploy the Barracuda Load Balancer ADC Vx on Amazon Web Services
Step 6. Allocate and Assign an Elastic IP Address to your Instance
Step 7. (BYOL Only) License the Barracuda Load Balancer ADC Vx
Step 8. Verify your Configuration and Change the Password
Next Steps

Requirements

Before you deploy the Barracuda Load Balancer ADC Vx on Amazon Web Services, make sure that you have completed the following:

Set up an Amazon Virtual Private Cloud (VPC) for the Barracuda Load Balancer ADC Vx.
If you want to use the Bring Your Own License (BYOL) model, get the Barracuda Load Balancer ADC Vx license. See Bring Your Own License (BYOL).

Step 1. Create a Security Group

Create a security group with rules that specify the protocols, ports, and source IP ranges permitted to reach the instance. Multiple security groups can be created with different rules and assigned to each network interface. For more information on security groups, refer to the AWS article Amazon EC2 Security Groups.

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Security Groups under NETWORK & SECURITY.
3. Click Create Security Group.
4. In the Create Security Group window:
   a. Enter a name to identify the security group.
   b. Specify the description for the security group.
   c. Select a VPC ID from the list.
   d. Click Yes, Create. The created group appears in the security group table.
5. Select the security group from the table, and specify the inbound and outbound traffic to be allowed for the instance.
   a. Add ports 8000 and 443 to the inbound rules of the security group associated with the Barracuda Load Balancer ADC Vx. By default, the Barracuda Load Balancer ADC Vx web interface listens on port 8000 for HTTP and port 443 for HTTPS. Restrict the source of these two rules to the address ranges your administrators connect from; until Step 8 the administrator password is the instance ID, so the management ports should never be open to 0.0.0.0/0.
   b. Add inbound rules to open the ports through which you configure the Services on this instance. Layer 4 Services on the Barracuda Load Balancer ADC require all ports to be open in the inbound rules, so you must open all ports if you are configuring any Layer 4 Services.
   c. Add an outbound rule to ensure that all ports are open irrespective of the Service type:
      TYPE: All Traffic
      Protocol: All
      Port Range: All
      Destination: 0.0.0.0/0
   d. If you are configuring Layer 4 Services, add an inbound rule to ensure that all ports are open:
      TYPE: All Traffic
      Protocol: All
      Port Range: All
      Source: 0.0.0.0/0
      Apply this rule to the security group of the interface that carries the Services, not to the group on the management interface.
6. After adding the inbound and outbound rules, click Apply Rule Changes.

Step 2. Create a Network Interface

Create a minimum of two network interfaces (one for MGMT access and the other for creating Services). Make sure that you create the network interfaces in the subnet where you want to deploy the Barracuda Load Balancer ADC Vx. The number of interfaces that can be attached to the Barracuda Load Balancer ADC Vx depends on the instance type that you selected on Amazon Web Services. For information about instance types, see Licensing Options and Models.

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
3. Click Create Network Interface.
4. In the Create Network Interface window, provide the following information for the network interface:
   Description: Enter a name for the interface.
   Subnet: Select the subnet of the VPC where you want to create the instance.
   Private IP: It is recommended that you enter a static primary private IP address.
   Security Groups: Select the security group that you created.
5. Click Yes, Create.

Step 3. Disable Source/Dest. Check

You must also disable the Source/Dest. check on the interfaces that you created for the Barracuda Load Balancer ADC instance and on the configured servers. When this check is enabled, it breaks Layer 4 Services, because the load balancer forwards packets whose source or destination address is not its own.

1. Log into the AWS EC2 Management Console.
2. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
3. Right-click the interface and select Change Source/Dest. Check.
4. In the Change Source/Dest. Check window, set Source/dest. check to Disabled and then click Save.

Step 4. (Optional) Assign Multiple Private IP Address(es) to the Network Interface of the Instance

Depending on the Barracuda Load Balancer ADC Vx instance type, you can add multiple secondary IP addresses on the interfaces that are used to create Services on the Barracuda Load Balancer ADC Vx. Do not add secondary IP addresses on the interface that is used for management access of the Barracuda Load Balancer ADC Vx. For more information on multiple IP addresses, refer to the Amazon EC2 article Multiple IP Addresses.

To assign a secondary private IP address:

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
3. Identify the interface that needs a secondary private IP address, and right-click the network interface attached to the instance.
4. Select Manage Private IP Addresses.
5. In the Manage Private IP Addresses window:
   a. Click Assign a secondary private address.
   b. In the Address field, enter an IP address that is within the subnet range for the instance. It is recommended that you use a static IP address instead of auto-assign.
   c. (Optional) To allow the secondary private IP address to be reassigned if it is already assigned to another network interface, select Allow reassignment.
   d. Click Yes, Update.
6. Click Close.

Step 5. Deploy the Barracuda Load Balancer ADC Vx on Amazon Web Services

In the Amazon VPC that you configured, launch an Amazon EC2 instance with the Barracuda Load Balancer ADC AMI image. The Amazon Launch Instance wizard guides you through the following steps:

1. Log into the AWS Management Console and open the EC2 Management Console.
2. In the top right corner of the page, select the region for the instance. This is important because the AMI, security groups, network interfaces, and Elastic IP addresses are region-specific and cannot be used from another region.
3. Click Launch Instance.
4. On the Step 1: Choose an Amazon Machine Image (AMI) page, select AWS Marketplace, then search for and select the Barracuda Load Balancer ADC AMI.
5. On the Step 2: Choose an Instance Type page, select an instance type from the All instance types or General purpose table, and then click Next: Configure Instance Details to continue. See Licensing Options to verify the recommended instance type for your Barracuda Load Balancer ADC Vx model, and select that instance type.
6. On the Step 3: Configure Instance Details page:
   a. Enter the Number of instances you want to launch.
   b. Select the Network in which you want to deploy the instance.
   c. Select the Subnet of the VPC where you want to create the instance.
   d. In the Network Interface section:
      i. Select the network interface for management access of the Barracuda Load Balancer ADC Vx.
      ii. Click Add Device and select the network interface for creating Services on the Barracuda Load Balancer ADC Vx.
   e. In the Advanced Details pane, keep the default setting for all parameters, and then click Next: Add Storage.
7. On the Step 4: Add Storage page, review the storage device settings for the instance. Modify the values if required, and then click Next: Tag Instance.
8. On the Step 5: Tag Instance page, add or remove tags for the instance (if required), and then click Next: Configure Security Group.
9. On the Step 6: Configure Security Group page, select the security groups that you created in Step 1, and then click Review and Launch.
10. On the Step 7: Review Instance Launch page, review your settings, and then click Launch.

After you click Launch, Amazon Web Services begins provisioning the Barracuda Load Balancer ADC Vx. Allow a few minutes for the Amazon Web Services agent and the Barracuda Load Balancer ADC Vx image to boot. DO NOT restart the Barracuda Load Balancer ADC Vx while it is launching.

Step 6. Allocate and Assign an Elastic IP Address to your Instance

Because the instance was launched with multiple network interfaces, AWS does not assign it a public IP address, so the Barracuda Load Balancer ADC is not reachable from the Internet. To resolve this, assign a persistent public IP address to the instance using Elastic IP addressing. For more information, refer to the AWS article Elastic IP Addresses.

The Elastic IP address associated with the first interface (eth0) is the management IP address of the Barracuda Load Balancer ADC Vx, and the Elastic IP address associated with the second interface (eth1) is used to reach the Services created on the primary IP address of that interface on the Barracuda Load Balancer ADC Vx. Interface eth1 is displayed as ge-1-1 on the Barracuda Load Balancer ADC Vx.

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Elastic IPs under NETWORK & SECURITY.
3. Click Allocate New Address.
4. Click Yes, Allocate to confirm and allocate a new IP address. A public IP address from Amazon's pool is allocated and displayed in the Allocate New Address table.
5. In the Allocate New Address table, right-click the new IP address and select Associate.
6. In the Associate Address window:
   a. Either select the Instance and the Private IP Address of the instance, or select a Network Interface and the Private IP Address.
   b. Select the Allow Reassociation check box.
7. Click Yes, Associate.

If you completed Step 4. (Optional) Assign Multiple Private IP Address(es) to the Network Interface of the Instance to assign multiple private IP addresses to eth1 (displayed as ge-1-1 on the Barracuda Load Balancer ADC Vx), repeat the steps above to assign an Elastic IP address to each private IP address so that it is reachable from the Internet.

Step 7. (BYOL Only) License the Barracuda Load Balancer ADC Vx

If you deployed the Barracuda Load Balancer ADC Vx with the Hourly/Metered option, you do not need to license the system; skip ahead to Step 8. Verify your Configuration and Change the Password.

If you deployed the Barracuda Load Balancer ADC Vx with BYOL, complete the licensing and provisioning of your system:

1. Log into the Amazon EC2 Management Console.
2. From the EC2 Dashboard, select Instances under INSTANCES.
3. In the Instances table, select the Barracuda Load Balancer ADC Vx instance that you created and note the Elastic IP address associated with eth0.
4. In a web browser, go to the Barracuda Load Balancer ADC web interface at the Elastic IP address that was assigned to eth0. Use port 8000 for HTTP; no port is required for HTTPS. For example: http://<Elastic IP of eth0>:8000 or https://<Elastic IP of eth0>. The Barracuda Load Balancer ADC Vx is not accessible via the HTTPS port while it is booting. Use the HTTP port to access the unit while it is booting; this displays the status of the unit (i.e., System Booting). After the boot process completes, you are redirected to the login page.
5. On the Licensing page, enter your Barracuda Networks Token and Default Domain to complete licensing, and then click Provision. The Barracuda Load Balancer ADC Vx connects to the Barracuda Update Server to get the required information based on your license and then reboots automatically. Allow a few minutes for the reboot process.

Step 8. Verify your Configuration and Change the Password

1. In a web browser, go to the Barracuda Load Balancer ADC Vx web interface at the Elastic IP address that was assigned to eth0. Use port 8000 for HTTP. No port is required for HTTPS. For example:
   For HTTP:
   For HTTPS:
2. Log in as the administrator. Use the following credentials:
   Username: admin
   Password: The Instance ID of your Barracuda Load Balancer ADC Vx in Amazon Web Services.
3. Go to the BASIC > Administration page and change your password.

Next Steps

Before you start configuring services on the Barracuda Load Balancer ADC Vx, you can attach multiple interfaces to the Barracuda Load Balancer ADC Vx and bond those interfaces to increase its throughput. It is recommended that you create the link bond before you configure your services, because the Barracuda Load Balancer ADC Vx cannot have any configuration when you create the link bond. For instructions, see Creating a Link Bond on the Barracuda Load Balancer ADC Vx for Amazon Web Services.

To start configuring your services in the Barracuda Load Balancer ADC Vx, continue with Configuring Services on the Barracuda Load Balancer ADC Vx for Amazon Web Services. If you need help troubleshooting any issues with your Barracuda Load Balancer ADC Vx, see Troubleshooting the Barracuda Load Balancer ADC Vx on Amazon Web Services.

Configuring Services on the Barracuda Load Balancer ADC Vx for Amazon Web Services

Before you configure services on the Barracuda Load Balancer ADC Vx, you can create a link bond to increase the throughput of its interfaces. For instructions, see Creating a Link Bond on the Barracuda Load Balancer ADC Vx for Amazon Web Services. You can configure Layer 7 or Layer 4 services in the Barracuda Load Balancer ADC Vx on Amazon Web Services. For more information on the available service types, see Services.

In this article:
   Step 1. Get the EIP and Private IP Address of your Instance
   Step 2. Create the Service
   Step 3. Allocate an Elastic IP Address for the Service IP Address
   Step 4. (Layer 4 Services Only) Change the Default Gateway for Servers
   Troubleshooting

Step 1. Get the EIP and Private IP Address of your Instance

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Instances under INSTANCES.
3. Select the Barracuda Load Balancer ADC Vx instance for which you want to configure a service and note the Elastic IP Address.
4. Click the instance in the Instances table and then click the eth1 link next to Network Interfaces.
5. Note the private IP address of eth1.

Step 2. Create the Service

1. In a web browser, go to the Barracuda Load Balancer ADC web interface at the Elastic IP address that was assigned to eth0. Use port 8000 for HTTP. No port is required for HTTPS. For example:
   For HTTP:
   For HTTPS:
2. Go to the BASIC > Services page and create a service (Layer 7 or Layer 4) using the Private IP Address assigned to the eth1 network interface on Amazon Web Services (this is the ge-1-1 interface on the Barracuda Load Balancer ADC Vx).
3. Add a server to the created service.
4. Go to the NETWORK > Routes page and add a static route for the ge-1-1 interface to route all ge-1-1 traffic through the management gateway. The static route for ge-1-1 is:
   IP Protocol Version:   IPv4
   IP Address:
   Netmask:
   Gateway Address:       Enter the IP address specified in IPv4 Default Gateway on the BASIC > IP Configuration page.
   Network Interface:     ge-1-1

Step 3. Allocate an Elastic IP Address for the Service IP Address

If you have assigned multiple IP addresses to the eth1 interface and have created the service using one of those IP addresses, ensure that the IP address is associated with an Elastic IP address (EIP). An EIP ensures that the service is reachable over the Internet. To allocate and assign an EIP for the service IP address:

1. Log into the Amazon EC2 Management Console.
2. From the EC2 dashboard, select Elastic IPs under NETWORK & SECURITY.
3. Click Allocate New Address.
4. Click Yes, Allocate to confirm and allocate a new IP address. A random public IP address is generated and displayed in the Allocate New Address table.
5. In the Allocate New Address table, right-click the new IP address and select Associate.
6. In the Associate Address window:
   a. Either select the Instance and the Private IP Address of the instance, or select the Network Interface and the Private IP Address.
   b. Select the Allow Reassociation check box.
7. Click Yes, Associate.
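Step 6 of the quick start and Step 3 above both walk through the console to give every private IP on eth1 (ge-1-1) its own Elastic IP with Allow Reassociation set. The script below is an added example, not part of the Barracuda guide, that performs the same allocation and association with the AWS CLI; it assumes a configured AWS CLI with EC2 permissions, and the ENI id in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Barracuda's own tooling): give each private IP on the
# service interface (eth1 / ge-1-1) its own Elastic IP, as the console steps do.
# Assumes the AWS CLI is installed and configured for the target account/region.

AWS="${AWS:-aws}"   # CLI command; can be overridden with a stub for dry runs

# Print every private IP (primary and secondary) attached to one ENI,
# one address per line.
list_private_ips() {
    eni_id="$1"
    $AWS ec2 describe-network-interfaces \
        --network-interface-ids "$eni_id" \
        --query 'NetworkInterfaces[0].PrivateIpAddresses[].PrivateIpAddress' \
        --output text | tr '\t' '\n'
}

# Allocate a new VPC Elastic IP and print its allocation id (eipalloc-...).
allocate_eip() {
    $AWS ec2 allocate-address --domain vpc \
        --query AllocationId --output text
}

# Associate an allocation with one specific private IP on an ENI.
# --allow-reassociation is the CLI equivalent of the console's
# "Allow Reassociation" check box. Prints the association id.
associate_eip() {
    alloc_id="$1"; eni_id="$2"; private_ip="$3"
    $AWS ec2 associate-address \
        --allocation-id "$alloc_id" \
        --network-interface-id "$eni_id" \
        --private-ip-address "$private_ip" \
        --allow-reassociation \
        --query AssociationId --output text
}

# For every private IP on the ENI, allocate one EIP and bind it to that IP.
# Prints one "<private_ip> <allocation_id> <association_id>" line per address
# so the result can be recorded next to the service definitions on the ADC.
assign_eips_to_interface() {
    eni_id="$1"
    for ip in $(list_private_ips "$eni_id"); do
        alloc_id=$(allocate_eip) || return 1
        assoc_id=$(associate_eip "$alloc_id" "$eni_id" "$ip") || return 1
        echo "$ip $alloc_id $assoc_id"
    done
}

# Usage (placeholder ENI id of the eth1 interface):
#   assign_eips_to_interface eni-0123456789abcdef0
```

Run it once per service interface; each line it prints pairs a service IP configured on ge-1-1 with the public address clients will use.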

Step 4. (Layer 4 Services Only) Change the Default Gateway for Servers

For Layer 4 services, change the default gateway for the associated servers.

1. Log into your server using SSH. You must log into the server from a machine that resides in the same network as your server.
2. Remove the default gateway on the server.
3. Add the IP address that is used to create the Layer 4 service on the Barracuda Load Balancer ADC Vx as your default gateway.

If you want to configure your server in Direct Server Return mode, follow the instructions given in Direct Server Return Deployment.

Troubleshooting

If you need help troubleshooting any issues with your Barracuda Load Balancer ADC Vx, see Troubleshooting the Barracuda Load Balancer ADC Vx on Amazon Web Services.

Creating a Link Bond on the Barracuda Load Balancer ADC Vx for Amazon Web Services

Before you create a link bond, ensure that the Barracuda Load Balancer ADC Vx has NO configurations.

You can attach multiple interfaces to the Barracuda Load Balancer ADC Vx and bond those interfaces to increase the throughput of the Barracuda Load Balancer ADC Vx. The maximum number of interfaces that you can attach to the Barracuda Load Balancer ADC Vx instance depends on the instance type. For more information on instance types, see Licensing Options.

Step 1. Attach Multiple Interfaces to the Barracuda Load Balancer ADC Vx Instance

1. Turn OFF the Barracuda Load Balancer ADC Vx.
2. Log into the Amazon EC2 Management Console.
3. From the EC2 dashboard, select Network Interfaces under NETWORK & SECURITY.
4. Create the additional network interfaces. For each interface:
   a. Click Create Network Interface.
   b. In the Create Network Interface window, provide the following information for the network interface:
      Description: Enter a name for the interface.
      Subnet: Select the subnet of the VPC where you created the Barracuda Load Balancer ADC Vx instance.
      Private IP: It is recommended that you enter a static IP address.
      Security Groups: Select the security group that you created for the Barracuda Load Balancer ADC Vx instance.
   c. Click Yes, Create.
5. In the Network Interfaces table, right-click an interface that you want to bond and then click Attach.
6. In the Attach Network Interface window, select the Barracuda Load Balancer ADC Vx instance ID and click Attach.
7. Repeat steps 5 and 6 to attach the additional network interfaces to the Barracuda Load Balancer ADC Vx instance.

Step 2. Create the Link Bond

1. After you attach the network interfaces, turn ON and log into the Barracuda Load Balancer ADC Vx.
2. On the BASIC > Status page, verify that the attached interfaces are displayed in the Interfaces section.
3. Go to the NETWORK > Ports page and create the link bond as per your requirement.

Next Step

Now you can use this bond to create services with more throughput, as compared to services configured on a single interface. Continue with Configuring Services on the Barracuda Load Balancer ADC Vx for Amazon Web Services.

Troubleshooting the Barracuda Load Balancer ADC Vx on Amazon Web Services

To troubleshoot the Barracuda Load Balancer ADC Vx on Amazon Web Services, log into the Amazon Web Services web interface, right-click the Barracuda Load Balancer ADC Vx instance and select Get System Log to view the console logs.

To use the Barracuda Load Balancer ADC troubleshooting tools, log into the Barracuda Load Balancer ADC Vx web interface with your credentials and go to the ADVANCED > Troubleshooting page. The page provides various tools that you can use to resolve network connectivity issues that may impact the performance of your Barracuda Load Balancer ADC Vx:

- Support Connection establishes a secure tunnel connection to Barracuda Central so that a Barracuda technician can help you diagnose issues. Click Establish Connection To Barracuda Support Center to establish a connection to Barracuda Central. Contact Barracuda Networks Technical Support for assistance.
- Problem Report generates a report of all logs (Web Firewall Logs, Access Logs, Audit Logs, Network Firewall Logs, and System Logs), backup, configuration, and temporary files, as well as the internal state of the system.
- Network Connectivity Tests provides access to a command-line utility that includes ping, telnet, Dig/NS-lookup, traceroute, etc., which you can use to diagnose potential network problems and issues.
- TCP Dump provides access to a command-line utility that includes TCP Dump, which lets you intercept and capture the TCP/IP and other packets transmitted or received over the network to which the Barracuda Load Balancer ADC Vx is connected.
- Session Recording enables you to capture requests from and responses to the Barracuda Load Balancer ADC Vx for a specified client IP address or user ID. The captured session is stored in an XML file.

See the ADVANCED > Troubleshooting page for details and procedures.

Getting Started

Follow the instructions for deploying the virtual or hardware appliance:
- Deploy the Vx
- Deploy the Appliance

Related Article
- Deployment

Deploy the Vx

To install the Barracuda Load Balancer ADC Vx virtual machine, start with Virtual Deployment.

Deploy the Appliance

The following instructions are an expanded version of the Barracuda Load Balancer ADC Quick Start Guide that is shipped with every Barracuda Load Balancer ADC. If you have already completed the steps in the Quick Start Guide to install and activate your appliance, go to Configure Your Network and Services.

To set up the Barracuda Load Balancer ADC, complete the following steps:
1. Install the Barracuda Load Balancer ADC Appliance
2. Open Firewall Ports
3. Activate and Update the Barracuda Load Balancer ADC
4. Configure Your Network and Services

Install the Barracuda Load Balancer ADC Appliance

Before installation, determine the best type of deployment for your Barracuda Load Balancer ADC; refer to the Deployment section for a list of options.

Verify Equipment

Verify that you have the necessary equipment:
- Barracuda Load Balancer ADC
- AC power cord
- Ethernet cables
- Mounting rails and screws
- Monitor and keyboard (recommended)

Connect to the Network

1. Secure the Barracuda Load Balancer ADC in your environment.
2. Connect the Barracuda Load Balancer ADC to your network:
   - On the front of the device, connect the ports based on your deployment.
   - Connect an Ethernet cable from the management port (either labeled MGMT or unlabeled on the back of the device) to the network switch for your management network.
3. Connect the following to your Barracuda Load Balancer ADC:
   - Power cord; AC input voltage range is volts at 50/60 Hz
   - Monitor and keyboard
4. Power on the device.

Configure the Management IP Address

Once fully booted, the login prompt appears on your monitor. To configure the management IP address:

1. At the barracuda login prompt, log in using admin / admin.
2. Go to TCP/IP Configuration, and in the right pane, configure the addresses as appropriate for your network, including:
   - Management IP Address/Netmask
   - Gateway Address
   - Management VLAN ID (Optional)
   - Primary/Secondary DNS Servers
   - Proxy Server Configuration (Optional)
3. Select Save to save your changes, and then select Exit.
4. Continue with Open Firewall Ports.

Open Firewall Ports

Before proceeding, complete Install the Barracuda Load Balancer ADC Appliance.

Configure Your Corporate Firewall

If your Barracuda Load Balancer ADC is located behind a corporate firewall, open the following ports:

Port                        Direction   Protocol    Description
22                          Out         TCP         Remote diagnostics and Technical Support services
53                          Out         TCP/UDP     Domain Name Server (DNS)
80                          Out         TCP         Firmware updates (unless configured to use a proxy)
123                         Out         UDP         Network Time Protocol (NTP)
80                          Out         TCP         Initial provisioning *
25                          Out         TCP         Sending system alerts and notifications to the administrator via your mail server. This port can be changed on the BASIC > Administration page.
Any ports used by Services  As needed   As needed   As required to access the VIP address of a load-balanced Service. Be sure to configure 1:1 NATs as needed. Certain protocols, including FTP and streaming media protocols, require additional ports to be open.

* The initial provisioning port can be disabled once the initial provisioning process is complete.

Next Step

Continue with Activate and Update the Barracuda Load Balancer ADC.

Activate and Update the Barracuda Load Balancer ADC

Depending on whether your Barracuda Load Balancer ADC has Internet access, you can complete either an online or offline activation and update. Then change your administrator password.

In this article:
   Before You Begin
   Online Activation and Update
   Offline Activation and Update

Before You Begin

Verify that the required firewall ports are open. For a complete list of the required ports, see Open Firewall Ports.

For offline activation and updates, you must also:
1. Contact Barracuda Networks Technical Support to get a Feature Code to enable offline updates.
2. Go to the Barracuda Product Activation page, complete the form, and get an Activation Code.
3. Go to the Support > Downloads page in your Barracuda Cloud Control account, and download update packages for the latest versions of the following:
   - Firmware
   - Attack definition
   - Virus definition
   - Security definition
   - Location definition
   - Update definition

Online Activation and Update

If your Barracuda Load Balancer ADC is connected to the Internet, it can automatically update its activation status. Complete the following steps to initiate the online activation process and update the system.

1. Log into the Barracuda Load Balancer ADC as the administrator.
   a. In a web browser, enter the Barracuda Load Balancer ADC management IP address and default HTTP port (for example, ).
   b. Use the default admin credentials:
      Username: admin
      Password: admin
2. Go to the BASIC > Status page and view the Subscription Status section to verify that your Energize Update subscription status is Current.
   If the Barracuda Load Balancer ADC can access the activation servers, your Energize Update and Instant Replacement subscriptions are most likely active. If not, a warning displays at the top of every page and you must activate your subscriptions before continuing.
   If the status of the Energize Updates subscription is Not Activated:
   a. Click the activation link at the top of the page and complete your subscription activation.
   b. Go back to the Subscription Status section of the BASIC > Status page, and click Refresh to automatically update the activation status of the Energize Updates subscription.
3. Go to the ADVANCED > Firmware Update page and verify that the currently installed version is the latest general release that is available. If you have the latest firmware version already installed, the Download Now button for the latest general release version is disabled.
   If there is a new Latest General Release available:
   a. Click Download Now and allow the update to finish downloading.
   b. After the update is completely downloaded, click Apply Now. Do not reboot or turn off the Barracuda Load Balancer ADC while the firmware is updating. After the process completes, the Barracuda Load Balancer ADC automatically reboots and you are redirected to the page to log back into the system.
4. Go to the BASIC > Administration page, and change the administrator password in the Password Change section.

After you activate and update your Barracuda Load Balancer ADC, continue with Configure Your Network and Services.

Offline Activation and Update

If your Barracuda Load Balancer ADC does not have Internet access, you must manually enter your Activation Code to activate the unit. Then enable offline updates to apply the update packages that you downloaded from your Barracuda Cloud Control account.

1. Log into the Barracuda Load Balancer ADC as the administrator.
   a. In a web browser, enter the Barracuda Load Balancer ADC management IP address and default HTTP port (for example, ).
   b. Use the default admin credentials:
      Username: admin
      Password: admin
2. Activate your product.
   a. Go to the BASIC > Status page.
   b. In the Subscription Status section, enter the Activation Code that you received from the Barracuda Product Activation page and then click Activate.
3. Enable offline updates.
   a. Enable expert mode by appending the URL with: &expert=1
   b. Go to the ADVANCED > Offline Update page that appears.
   c. Enter the Feature Code that you received from Barracuda Networks Technical Support, and then click Activate.
   d. When the Enable Offline Updates setting appears, select Yes.
   e. Click Save Changes.
4. Update your firmware.
   a. Go to the ADVANCED > Firmware Update page.
   b. In the Firmware Upload section, click Browse to navigate to and select the firmware package that you downloaded from your Barracuda Cloud Control account.
   c. Click Upload.
   d. After the firmware package is completely uploaded, click Apply Now. Do not reboot or turn off the Barracuda Load Balancer ADC while the firmware is updating. After the process completes, the Barracuda Load Balancer ADC automatically reboots and you are redirected to the page to log back into the system.
5. Update the attack, virus, security, location, and update definitions.
   a. Go to the ADVANCED > Energize Updates page.
   b. In the Definition Update Upload section, click Browse to navigate to and select a definition package that you downloaded from your Barracuda Cloud Control account.
   c. After the definition package is completely uploaded, click Apply Now.
   d. Repeat steps 5b and 5c until you have updated all of the definitions on the page.
6. Go to the BASIC > Administration page, and change the administrator password in the Password Change section.

After you activate and update your Barracuda Load Balancer ADC, continue with Configure Your Network and Services.

Configure Your Network and Services

Before proceeding:
- If you are installing an appliance, complete Activate and Update the Barracuda Load Balancer ADC.
- If you are installing a virtual system, complete Barracuda Load Balancer ADC Vx Quick Start Guide.

This article applies to both virtual systems and appliances.

In this article:

   Determine Your Deployment
   Ports and Interfaces Mapping
   Configure Network Interfaces
      Option 1: One-Armed With Separate Management Network
      Option 2: Two-Armed With Separate Management Network
      Option 3: One-Armed Without Separate Management Network
   Configure Services

Determine Your Deployment

Read Deployment to assist you in deciding how to deploy your network. If you haven't already, make physical connections from the data ports on the Barracuda Load Balancer ADC appliance, or from your virtual system's host machine, to the relevant switches.

Ports and Interfaces Mapping

In the web UI, the network interfaces that correspond to physical ports are referred to as gt-x-y, where:
- g is gigabit
- t is the type of connection (e for Ethernet, f for fiber-optic)
- x is the number of the module of 8 ports, where the left-most module is number 1
- y is the number of the port within the module, where the top left port is number 1

On a Barracuda Load Balancer ADC appliance with 2 modules, the mapping from physical port to network interface would be:

On a Barracuda Load Balancer ADC Vx (virtual system), the network interfaces are numbered in the order you assigned the network interface cards to the virtual system.

Configure Network Interfaces

Earlier, you entered the management IP address (using the administrative console for appliances). Now configure your other network interfaces so that you can create services.

Configuring the default gateway for an interface ensures that return traffic exits the Barracuda Load Balancer ADC correctly. If the default gateway is not configured, the outgoing traffic uses the default gateway of the management interface. If you have multiple networks, you must specify a default gateway on the NETWORK > Routes page for every interface that accepts incoming traffic.

In the following examples, ge-1-1 refers to a physical port connected into the network so that it accepts incoming traffic.

Option 1: One-Armed With Separate Management Network

In this case, incoming traffic is on the same subnet as the servers, and the management port is on a separate subnet. ge-1-1 is connected into the network so that it accepts incoming traffic.

1. Configure the IP address for ge-1-1 using the NETWORK > Interfaces page.
2. Configure the default gateway for ge-1-1 using the NETWORK > Routes page.
3. If you have both bonded interfaces and VLANs, configure the bonded interfaces first. For each bonded interface:
   a. Configure bonded ports using the NETWORK > Ports page.
   b. Configure the IP address for each bonded interface using the NETWORK > Interfaces page.
   c. Configure the default gateway for each bonded interface using the NETWORK > Routes page.
4. For each VLAN:
   a. Configure VLANs using the NETWORK > VLANs page.
   b. Configure the IP address for each VLAN using the NETWORK > Interfaces page.
   c. Configure the default gateway for each VLAN using the NETWORK > Routes page.

Option 2: Two-Armed With Separate Management Network

In this environment, incoming traffic is on a different subnet from the servers, and the management port is on a separate subnet. ge-1-1 is connected into the network so that it accepts incoming traffic, and ge-1-2 is connected to the servers.

1. Configure the IP address for ge-1-1, ge-1-2, etc. using the NETWORK > Interfaces page.
2. Configure the default gateway for ge-1-1 using the NETWORK > Routes page. If any other interfaces accept incoming traffic, create default gateways for those interfaces.
3. If you have both bonded interfaces and VLANs, configure the bonded interfaces first. For each bonded interface:
   a. Configure bonded ports using the NETWORK > Ports page.
   b. Configure the IP address for each bonded interface using the NETWORK > Interfaces page.
   c. Configure the default gateway for each bonded interface using the NETWORK > Routes page.
4. For each VLAN:
   a. Configure VLANs using the NETWORK > VLANs page.
   b. Configure the IP address for each VLAN using the NETWORK > Interfaces page.
   c. Configure the default gateway for each VLAN using the NETWORK > Routes page.

Option 3: One-Armed Without Separate Management Network

In this case, incoming traffic is on the same subnet as the real servers, and the management port is on that same subnet. Generally, this describes a topology where all systems are on a flat network. No additional gateways need to be defined on the Barracuda Load Balancer ADC. It is more secure to segregate the production traffic from the management interface, as in Option 1.

1. Configure the IP address for ge-1-1 using the NETWORK > Interfaces page.

Configure Services

You are now ready to configure services and real servers. On the BASIC > Services page, create each service by identifying a VIP address and port, and associating one or more real servers with it. If you have a two-armed network, you may need to create a static route for the real servers: on the NETWORK > Routes page, create a static route using the Static Routes table. For more information about services, see Services.

Application Deployment Guides

These guides are provided to assist you in deploying the Barracuda Load Balancer ADC in a variety of environments.

In this Section

- Microsoft Exchange Server 2010 Deployment
- Microsoft Exchange Server 2013 Deployment
- Microsoft Lync 2010 and 2013 Server Deployment
- Microsoft Office SharePoint Server 2007, 2010 and 2013 Deployment
- Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment
- Moodle Deployment

Microsoft Exchange Server 2010 Deployment

Barracuda Networks has conducted interoperability tests using the Barracuda Load Balancer ADC and Microsoft Exchange Server 2010. Follow the steps in this guide to deploy the Barracuda Load Balancer ADC to increase the scalability and reliability of your Microsoft Exchange Server 2010 deployment. Using a Barracuda Load Balancer ADC allows load balancing of a Client Access Server (CAS) array.

In this article:
   Prerequisites
   Terminology
   Deployment Options
   Deploying Exchange Services on the Barracuda Load Balancer ADC
      Step 1. Configure the Client Access Server (CAS) Array
      Step 2. Prepare Your Environment for SSL Offloading
   Next Step

Prerequisites

You must have:
- Microsoft Exchange Server 2010.
- Installed your Barracuda Load Balancer ADC(s), connected to the web interface, and activated your subscription(s).
- Clustered your Barracuda Load Balancer ADC(s), if you want to deploy the Microsoft Exchange Server with high availability. For more information, see High Availability.
- Completed the steps in the following Deploying Exchange Services on the Barracuda Load Balancer ADC section.

Terminology

Microsoft Exchange Server
   A Microsoft Exchange Server deployment consists of Client Access Servers (CAS), Hub Transport servers, and Exchange Mailbox servers.
Fully Qualified Domain Name (FQDN)
   The unique name for a specific computer or host that can resolve to an IP address (e.g., ).
Virtual IP (VIP) Address
   The IP address assigned to a service. Clients use the virtual IP address to connect to the load-balanced service.
Service
   A combination of a virtual IP address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving on the specified port(s) is directed to one of the real servers associated with a service.
Client Access Server (CAS)
   Client Access Server supports various protocols used by end users to access their mailboxes. This includes services such as RPC Client Access, IMAP, POP3, OWA, and ActiveSync.
Real Server
   A server associated with a service that handles the requests forwarded to it by the Barracuda Load Balancer ADC.
Hub Transport Server (HUB)
   The Hub Transport server role handles all mail flow inside the organization and delivers messages to a recipient's mailbox.
Outlook Web App (OWA)
   Originally called Outlook Web Access, OWA is the Webmail component of Microsoft Exchange Server 2010.

Deployment Options

There are two configurations that are supported when adding a Barracuda Load Balancer ADC to a Microsoft Exchange Server 2010 environment:
- If your Exchange servers are on the same subnet as the rest of your topology, choose a one-armed, Route-Path deployment.
- If the Exchange servers are on a separate subnet from the rest of the topology and connected to the LAN side of the Barracuda Load Balancer ADC, choose a two-armed, Route-Path deployment.

Deploying in Direct Server Return with Microsoft Exchange 2010 is untested and unsupported.

Microsoft TechNet Resources

Refer to the Microsoft TechNet online library for more information on the following topics:
- Load Balancing Requirements of Exchange Protocols
- Configure SSL Offloading for Outlook Anywhere
- Microsoft Exchange Network Port Reference
- Understanding Load Balancing in Exchange 2010
- Create a New Exchange Certificate

Deploying Exchange Services on the Barracuda Load Balancer ADC

To deploy the Exchange servers with the Barracuda Load Balancer ADC, complete the following steps:

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

Step 1. Configure the Client Access Server (CAS) Array

To configure MAPI client access (for example, Microsoft Outlook clients), configure the CAS array for the Exchange domain. You only need to complete this configuration on one Exchange Server. For any other options that you might want to consider, consult Microsoft documentation. Note that Microsoft only allows one CAS array per site.

Clients access their mailboxes with RPC and connect to the FQDN of the RPC CAS array set on the mailbox database. The FQDN resolves to a virtual IP address on the Barracuda Load Balancer ADC. In turn, the Barracuda Load Balancer ADC connects with one of the Client Access servers.

Help for Multi-Site Exchange Environments
The following steps assume a single-site Exchange environment. If you need help with configuring a CAS array in a multi-site environment, contact Microsoft.

To configure the CAS array:

1. On the DNS server, add an A record to the DNS zone that associates the VIP address with the FQDN (e.g., exchange.domain.local) that is used by clients to connect to the CAS Array.
2. On one Exchange server in the array, open the Exchange Management Shell and create a new CAS array.
   a. Verify that there are no existing CAS arrays. Enter the following command:

      Get-ClientAccessArray

      In an unconfigured single-site deployment, the command returns nothing.
   b. Create a new CAS array. Enter the following command:

      New-ClientAccessArray -Fqdn exchange.domain.local -Site Default-First-Site-Name


49 b. where exchange.domain.local is the FQDN of the CAS array and Default-First-Site-Name is the Active Directory site to which the CAS array belongs. Ping the FQDN (e.g. exchange.domain.local). The ping fails because the service has not yet be created on the Barracuda Load Balancer ADC, but verify that the domain name resolves correctly to the VIP address. 4. Add a mailbox database to the CAS array. In the Exchange Managemt Shell, ter the following command: Get-MailboxDatabase Set-MailboxDatabase -RpcClitAccessServer exchange.domain.local where exchange.domain.local is the FQDN of the CAS array. If you are deploying in a multiple-site Exchange vironmt, restrict the Set-MailboxDatabase cmdlet with -Idtity 'mailbox database name' to return only the databases that you want to include in the CAS Array. For the cmdlet syntax, see the Microsoft TechNet article G et-mailboxdatabase. Step Prepare Your Environmt for SSL Offloading Offload SSL processing to the Barracuda Load Balancer ADC. To maintain session persistce using HTTP cookies, SSL cryption and decryption must occur on the Barracuda Load Balancer ADC. Offloading the SSL processing to the Barracuda Load Balancer ADC also frees up processing power on your servers. Wh SSL offloading is turned on, clits access the VIP address using the SSL port 44 The decrypted traffic passes betwe the Barracuda Load Balancer ADC and the servers using the same VIP address, but on port 80. Retrieve the certificates, certificate chain, and private key for your Exchange OWA website from your CAS servers. If you do not already have a certificate in PFX form that includes the private key and intermediaries (if applicable), see the Microsoft TechNet article Export an Exchange Certificate for instructions on exporting your Exchange certificate. In the Barracuda Load Balancer ADC web interface, go to the BASIC > Certificates page and install the certificates, certificate chain, and private key. 
Configure the Exchange 2010 Services to be SSL offloaded. For more information on configuring OWA, Outlook Anywhere (OA), Exchange Control Panel (ECP), Exchange Web Services (EWS), and ActiveSync (EAS) for SSL offloading, see the Microsoft TechNet article How to Configure SSL Offloading in Exchange Next Step If your Exchange servers are on the same subnet as the rest of your topology, continue with: How to Deploy Microsoft Exchange Server 2010 in a One-Armed Configuration. If your Exchange servers are not on the same subnet as the rest of your topology, and are connected to the interface configured for the internal network side of the Barracuda Load Balancer ADC, continue with: How to Deploy Microsoft Exchange Server 2010 in a Two-Armed Configuration. How to Deploy Microsoft Exchange Server 2010 in a One-Armed Configuration Product Versions and Prerequisites This article applies to the Barracuda Load Balancer ADC version 5.1 and above, with Microsoft Exchange Server For a full list of the prerequisites for this deploymt, see Microsoft Exchange Server 2010 Deploymt. In a one-armed configuration, the ports that internal Outlook clits use to communicate with the Exchange 2010 server using RPC must be preconfigured on both Exchange 2010 and the Barracuda Load Balancer ADC. If you want to use a single VIP address and single FQDN for your Exchange deploymt, you must use a one-armed configuration. In this article: Step Configure Exchange 2010 to Use a Static Port Step Configure CAS Services on the Barracuda Load Balancer ADC Step Configure the Real Servers for Exchange_Web_Services Step 4. Create Contt Rules for Exchange_Web_Services Step 5. Configure Hub Transport Services on the Barracuda Load Balancer ADC Step 6. Configure an HTTP Request Rewrite Rule Next Steps 49
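Before starting Step 1, the CAS array and SSL-offload preparation steps from the previous article can be carried out as one Exchange Management Shell script. This is an added example and is not part of the Barracuda guide or of Microsoft's documentation; the FQDN exchange.domain.local, the VIP 10.0.0.50, the site name Default-First-Site-Name, the array name and the PFX path C:\Temp\owa.pfx are assumptions to replace with your own values. It adds two checks the guide leaves to the operator: it refuses to create a second array, and it confirms the A record already points at the VIP before it touches the mailbox databases.

```powershell
# Added example, not from the Barracuda guide: Exchange 2010 CAS array preparation.
# Run in the Exchange Management Shell on one CAS server. All four values are assumptions.
$CasFqdn    = 'exchange.domain.local'      # FQDN clients use for the CAS array
$VipAddress = '10.0.0.50'                  # VIP of the ADC service
$AdSite     = 'Default-First-Site-Name'    # AD site the array belongs to
$PfxPath    = 'C:\Temp\owa.pfx'            # temporary export location

# 1. Single-site assumption: stop if an array already exists instead of creating a second one.
$existing = Get-ClientAccessArray
if ($existing) {
    throw "CAS array(s) already present: $(($existing | ForEach-Object { $_.Fqdn }) -join ', '). Review before continuing."
}

# 2. Create the array. -Name is mandatory for New-ClientAccessArray; the guide's command
#    omits it, and the shell would prompt for it.
New-ClientAccessArray -Name $CasFqdn -Fqdn $CasFqdn -Site $AdSite

# 3. The guide notes that ping fails until the ADC service exists, so check the A record
#    directly instead of relying on ICMP.
$resolved = [System.Net.Dns]::GetHostAddresses($CasFqdn) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $VipAddress) {
    throw "$CasFqdn resolves to '$($resolved -join ', ')', not the VIP $VipAddress. Fix the A record first."
}

# 4. Point the mailbox databases at the array. In a multi-site deployment, replace the
#    Get-MailboxDatabase pipe with Set-MailboxDatabase -Identity '<db name>' per database.
Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer $CasFqdn

# Confirm: every database should now report the array FQDN rather than an individual CAS.
$wrong = Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $CasFqdn }
if ($wrong) {
    throw "Databases not on the array: $(($wrong | ForEach-Object { $_.Name }) -join ', ')"
}

# SSL-offload preparation (Step 2 of the guide): export the certificate bound to IIS (OWA)
# as a PFX with its private key for upload to BASIC > Certificates. The password is
# prompted for rather than stored in the script; delete the PFX after the upload.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No Exchange certificate is assigned to the IIS service.' }
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte
Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $PfxPath"
```

Keep the thumbprint printed at the end: it is the value to compare against the certificate shown on the ADC's BASIC > Certificates page, and it is what the testing article later checks from the client side.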

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

Step 1. Configure Exchange 2010 to Use a Static Port

By default, the Exchange 2010 RPC Client Access service dynamically selects a port between 1024 and 65535. To allow for a one-armed deployment, configure Exchange to use a static port instead. For more detailed instructions on configuring Exchange 2010 with static ports and hardware load balancers, see the Microsoft TechNet article Load Balancing Requirements of Exchange Protocols.

On each CAS server, complete the following:

1. Configure the static port for RPC Client Access in the registry.
   a. Open the Registry Editor by typing regedit in the Start menu.
   b. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem. You might need to create the ParametersSystem key before adding the value.
   c. Add a new DWORD (32-bit) Value and name it TCP/IP Port. If prompted, change the Base to Decimal and set the value data to 65500 (or a port of your choice between 1024 and 65535).
   d. If you have Public Folders in your deployment, repeat these steps in the registry of each server with the Mailbox role installed that hosts a Public Folder database.
2. Change the port that clients use to connect for directory access (the Address Book service). Complete the set of instructions for your Exchange version.
   If you are running Microsoft Exchange 2010 RTM (including RTM Update Rollup 1-4):
   a. In Windows Explorer, navigate to the file Microsoft.Exchange.AddressBook.Service.exe.config, located in the Bin folder under the root directory of your Exchange 2010 installation.
   b. Open this file in Notepad.
   c. In line 13, change the default value of 0 to 65501 (or a port of your choice within the range above). The entry appears as follows:
      <add key="RpcTcpPort" value="65501" />
   If you are running Microsoft Exchange 2010 SP1 or later:
   a. Open the Registry Editor by typing regedit in the Start menu.
   b. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters. You might need to create the Parameters key before adding the value.
   c. Add a new String Value (REG_SZ) and name it RpcTcpPort. Set the value data to 65501 (or a port of your choice between 1024 and 65535).
3. Restart the Microsoft Exchange Address Book and Microsoft Exchange RPC Client Access services on all the CAS and Mailbox servers that you modified.
4. Verify that your Client Access servers are listening on ports 65500 and 65501. Open a Windows command prompt and run:
      netstat -na
   In the output, look for TCP entries marked LISTENING whose local address ends in :65500 and :65501.

Step 2. Configure CAS Services on the Barracuda Load Balancer ADC

On each active Barracuda Load Balancer ADC that handles traffic for CAS services, complete the following steps.

1. Log into the Barracuda Load Balancer ADC, and go to the BASIC > Services page.
2. Add all of the services listed in Table 1. For each service, add all the real servers in the CAS array. To add a service, click Add Service and enter the values in the corresponding fields. To add a real server, click Add Server and enter the IP address and port for the server.

Table 1. CAS Services

MAPI/DCOM
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 135 (RPC endpoint mapper)
   SSL Settings: N/A
   Certificates: N/A
   Load Balancing: Persistence Type: Source IP
   Real Server Port: 135
   Note: This service is helpful in cases where there is no port restriction.

MAPI/RPC_Client_Access
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 65500 (the static RPC Client Access port from Step 1)
   SSL Settings: N/A
   Certificates: N/A
   Load Balancing: Persistence Type: Source IP
   Real Server Port: 65500
   Note: This service is helpful in cases where there is no port restriction.

MAPI/Global_Address_Book
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 65501 (the static Address Book port from Step 1)
   SSL Settings: N/A
   Certificates: N/A
   Load Balancing: Persistence Type: Source IP
   Real Server Port: 65501
   Note: This service is helpful in cases where there is no port restriction.

Exchange_Web_Services
   Type: Instant SSL
   IP Address: VIP address for the FQDN that clients use to access the CAS array (e.g., exchange.domain.local)
   Port: 443
   HTTP Service Port: 80
   SSL Settings:
      Secure Site Domain: Enter the domain name of your Exchange server. If the internal and external domains are different, you can use wildcard characters, for example *.barracuda.com.
      Instant SSL: Select On.
   Certificates: Select the certificate that you uploaded when preparing your environment for SSL offloading. See Step 2 in the "Deploying Exchange Services on the Barracuda Load Balancer ADC" section of Microsoft Exchange Server 2010 Deployment.
   Load Balancing: Persistence Type: HTTP Header; Persistence Time: 1200; Header Name: Authorization
   Real Server Port: 80
   Notes: This service is useful when there are port restrictions and traffic is allowed only for port 443. To create an HTTP redirect service automatically, you must create an Instant SSL service; changing an HTTPS service to an Instant SSL service does not automatically create an HTTP redirect service. For more information about Instant SSL, see Instant SSL Service Deployment.

3. If you require any of the protocols in Table 2, add the service for the protocol. The ports shown are the standard ones for these protocols; use the ports your CAS servers are actually configured to listen on.

Table 2. Protocol Services

IMAP4
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 143
   Real Server Port: 143
IMAP4 SSL
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 993
   Real Server Port: 993
POP3
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 110
   Real Server Port: 110
POP3_SSL
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 995
   Real Server Port: 995

Step 3. Configure the Real Servers for Exchange_Web_Services

For Exchange_Web_Services only, configure health checks for all of its real servers:
1. On the BASIC > Services page, click Edit next to the entry of the real server.
2. Scroll to the Server Monitor section, and enter the values in the corresponding fields:
   Testing Method: Simple HTTPS
   Port: 443
   Test Target: /owa/auth/logon.aspx (unless you modified the default path of logon.aspx)
   Test Match: Microsoft Corporation
   Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
   Status Code: 200
   Test Delay: 30
3. Click Save Changes.

Step 4. Create Content Rules for Exchange_Web_Services

Create content rules for Exchange_Web_Services to maintain persistence for Outlook Web Access and the Exchange Control Panel. On the BASIC > Services page, add the rules in Table 3. To add a rule, click Add Content Rule under Exchange_Web_Services in the left pane, then enter the values in the corresponding fields.

Table 3. Content Rules for Exchange_Web_Services
   OWA: Host Match: *; URL Match: /owa/*; Persistence Method: Cookie Insert; Persistence Time: 1200; Cookie Name: sessionid
   ECP: Host Match: *; URL Match: /ecp/*; Persistence Method: Cookie Insert; Persistence Time: 1200; Cookie Name: sessionid

If you are using Outlook Anywhere (HTTPS only, not RPC over HTTPS), you must also add the following content rule for the Offline Address Book:
   OAB: Host Match: *; URL Match: /oab/*; Persistence Method: Cookie Insert; Persistence Time: 1200; Cookie Name: sessionid

Step 5. Configure Hub Transport Services on the Barracuda Load Balancer ADC

On each active Barracuda Load Balancer ADC that handles traffic for Hub Transport services, configure Hub Transport services for Exchange 2010.

If your real servers are consolidated with both the CAS and Hub Transport roles installed, add each server to each service that you create. If the Hub Transport role is installed on separate servers (other than those with the CAS role), add only the servers with the Hub Transport role installed.

The created services load balance SMTP traffic to the Hub Transport servers for incoming client SMTP connections. Never configure the Exchange Hub Transport servers to communicate with other internal Microsoft Exchange Hub Transport servers via the Barracuda Load Balancer ADC. Only use the service on the Barracuda Load Balancer ADC for client connections or inbound connections from other organizations.

On the BASIC > Services page, add the following SMTP service and, optionally, the SMTP / SSL service. To add a service, click Add Service and enter the values in the corresponding fields. To add a real server, click Add Server and enter the IP address and port for the server.

SMTP
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: 25
   Real Server Port: 25
SMTP / SSL (optional)
   Type: TCP Proxy
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: the port of the receive connector that accepts TLS client submission
   Real Server Port: the same port on the Hub Transport servers

Step 6. Configure an HTTP Request Rewrite Rule

Configure a rewrite rule that redirects requests for the root URL (/) to /OWA, so that users who enter only the host name land on Outlook Web App.
1. Go to the TRAFFIC > Web Translations page.
2. From the Service list, select Exchange_Web_Services.
3. In the HTTP Request Rewrite section, click Add Rule and enter the values in the corresponding fields:
   Rule Name: OWA
   Sequence Number: 3
   Action: Redirect URL
   Old Value: /
   Rewrite Value: /OWA
   Rewrite Condition: *
4. Click Save.

Next Steps
Your installation is complete. You can now test your setup and configure access control to your applications. For instructions, see:
   How to Test the Microsoft Exchange Server 2010 Deployment Configuration
   Access Control

How to Deploy Microsoft Exchange Server 2010 in a Two-Armed Configuration

Product Versions and Prerequisites
This article applies to the Barracuda Load Balancer ADC version 5.1 and above, with Microsoft Exchange Server 2010. For a full list of the prerequisites for this deployment, see Microsoft Exchange Server 2010 Deployment.

Follow the steps in this article to deploy Microsoft Exchange Server 2010 in a two-armed configuration.

In this article:
Step 1. Create Services
Step 2. Configure an HTTP Request Rewrite Rule
Next Steps
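Step 1 of the one-armed configuration in the previous article (static RPC Client Access and Address Book ports) and its verification, as a PowerShell script for one CAS server. This is an added example, not Barracuda or Microsoft code; it assumes the ports 65500 and 65501 used in the guide, a default installation path for the RTM .config file, and an elevated PowerShell session on each CAS server in turn. The verification function parses netstat output, as the guide does, so it also works on Windows Server 2008 where Get-NetTCPConnection is not available.

```powershell
# Added example, not from the Barracuda guide: set and verify the Exchange 2010 static ports.
# Run elevated on each CAS server. The ports are assumptions that match the guide.
$RpcClientAccessPort = 65500
$AddressBookPort     = 65501

function Set-StaticExchangePorts {
    # RPC Client Access service: DWORD "TCP/IP Port" under MSExchangeRpc\ParametersSystem.
    $rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem'
    if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
    New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $RpcClientAccessPort -Force | Out-Null

    # Address Book service on SP1 or later: REG_SZ "RpcTcpPort" under MSExchangeAB\Parameters.
    $abKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
    if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
    New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
        -Value "$AddressBookPort" -Force | Out-Null

    # Restart both services so the new ports take effect (step 3 of the guide).
    Restart-Service -Name 'MSExchangeAB', 'MSExchangeRPC' -Force
}

function Set-AddressBookPortRtm {
    # Exchange 2010 RTM (Update Rollup 1-4) keeps the Address Book port in the service's
    # .config file instead of the registry. The path assumes a default installation.
    $cfg = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AddressBook.Service.exe.config'
    [xml]$doc = Get-Content -Path $cfg
    $node = $doc.configuration.appSettings.add | Where-Object { $_.key -eq 'RpcTcpPort' }
    if (-not $node) { throw "RpcTcpPort key not found in $cfg" }
    $node.value = "$AddressBookPort"
    $doc.Save($cfg)
    Restart-Service -Name 'MSExchangeAB' -Force
}

function Get-ListeningTcpPorts {
    # Equivalent of "netstat -na" filtered to LISTENING entries; returns the local ports.
    foreach ($line in (netstat -an)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    }
}

function Test-StaticExchangePorts {
    # Step 4 of the guide: both static ports must be bound after the service restart.
    $listening = Get-ListeningTcpPorts
    $status = @{}
    foreach ($port in @($RpcClientAccessPort, $AddressBookPort)) {
        $status[$port] = [bool]($listening -contains $port)
    }
    return $status
}

# Usage on an SP1-or-later CAS (call Set-AddressBookPortRtm instead of the MSExchangeAB
# registry value on an RTM server):
Set-StaticExchangePorts
$result = Test-StaticExchangePorts
$result.GetEnumerator() | ForEach-Object {
    '{0}: {1}' -f $_.Key, $(if ($_.Value) { 'LISTENING' } else { 'NOT LISTENING' })
}
if ($result.Values -contains $false) {
    throw 'A static port is not listening; check the registry values and the service state.'
}
```

Run the verification again after any service restart or patching: a Client Access server that silently falls back to a dynamic port will pass the ADC's TCP checks on 135 but break the MAPI/RPC_Client_Access and MAPI/Global_Address_Book services.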

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

Step 1. Create Services

On the Barracuda Load Balancer ADC, create services for the Exchange services.

1. Log into the Barracuda Load Balancer ADC, and go to the BASIC > Services page.
2. Add all of the services listed in Table 1. For each service, add all the real servers in the CAS array. To add a service, click Add Service and enter the values in the corresponding fields. To add a real server, click Add Server and enter the IP address and port for the server.

Table 1. Required Services

Exchange
   Type: Layer 4 - TCP
   IP Address: VIP address for the FQDN that resolves to the CAS array (e.g., exchange.domain.local)
   Port: ALL
   Session Time: N/A
   SSL Settings: N/A
   Certificates: N/A
   Load Balancing: Persistence Time: enter the persistence time for your environment
   Real Server Port: N/A
   Note: This service is helpful in cases where there is no port restriction.

OWA-HTTPS
   Type: Instant SSL
   IP Address: VIP address for the FQDN that clients use to access OWA (e.g., owa.domain.local)
   Port: 443
   HTTP Service Port: 80
   SSL Settings:
      Secure Site Domain: Enter the domain name of your Exchange server. If the internal and external domains are different, you can use wildcard characters, for example *.barracuda.com.
      Instant SSL: Select On.
   Certificates: Select the certificate that you uploaded when preparing your environment for SSL offloading. See Step 2 in the "Deploying Exchange Services on the Barracuda Load Balancer ADC" section of Microsoft Exchange Server 2010 Deployment.
   Load Balancing: Persistence Type: HTTP Header; Persistence Time: 1200; Header Name: Authorization
   Real Server Port: 80

3. For OWA-HTTPS only, enable health checks for its real servers:
   a. Next to the entry of the real server, click Edit.
   b. Scroll to the Server Monitor section, and enter the values in the corresponding fields:
      Testing Method: Simple HTTPS
      Port: 443
      Test Target: /owa/auth/logon.aspx (unless you modified the default path of logon.aspx)
      Test Match: Microsoft Corporation
      Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      Status Code: 200
      Test Delay: 30
   c. Click Save.
4. If you deployed the Hub Transport role on servers other than those in the CAS array, add the services in Table 2.

Table 2. (If applicable) SMTP Services

SMTP
   Type: Layer 4 - TCP
   IP Address: VIP address for the FQDN that resolves to the Hub Transport services (e.g., smtp.domain.local)
   Port: 25
   Real Server Port: 25
   Monitor Port: 25
SMTP_SSL (optional)
   Type: Layer 4 - TCP
   IP Address: VIP address for the FQDN that resolves to the Hub Transport services (e.g., smtp.domain.local)
   Port: the port of the receive connector that accepts TLS client submission
   Real Server Port: the same port
   Monitor Port: the same port

5. Update the TCP timeout values on the Barracuda Load Balancer ADC.
   a. Go to the ADVANCED > System Configuration page.
   b. Set the TCP Connections Timeout and TCP Closed Connections Timeout to 1200 seconds.

Step 2. Configure an HTTP Request Rewrite Rule

Configure a rewrite rule that redirects requests for the root URL (/) to /OWA, so that users who enter only the host name land on Outlook Web App.
1. Go to the TRAFFIC > Web Translations page.
2. From the Service list, select the OWA-HTTPS service.
3. In the HTTP Request Rewrite section, click Add Rule and enter the values in the corresponding fields:
   Rule Name: OWA
   Sequence Number: 3
   Action: Redirect URL
   Old Value: /
   Rewrite Value: /OWA
   Rewrite Condition: *
4. Click Save.

Next Steps
Your installation is complete. You can now test your setup and configure access control to your applications. For instructions, see:
   How to Test the Microsoft Exchange Server 2010 Deployment Configuration
   Access Control

How to Test the Microsoft Exchange Server 2010 Deployment Configuration

Before testing the configuration, verify that you have completed all of the steps in How to Deploy the Barracuda Load Balancer ADC with Microsoft Exchange Server 2010, and either How to Deploy Exchange 2010 in a One-Armed Configuration or How to Deploy Exchange 2010 in a Two-Armed Configuration.

Configure an Outlook Client
Use the following steps to configure an Outlook client on your local network:
1. If Autodiscover is enabled, ensure that clients are connected to your CAS array and the VIP address that you just configured, and that there are no certificate errors.
2. If Autodiscover is not enabled, configure an Outlook client to connect to the FQDN of the new CAS array that you just configured. While configuring a new Exchange account, type in the FQDN of one of the real servers (members) of the CAS array, enter a valid account name, and click Check Name. Ensure that the Exchange Server name gets rewritten as the FQDN of the CAS array and that the account name is underlined.
3. Open the Global Address Book in Outlook, and make sure it behaves normally.
4. Watch an authenticated and connected Exchange client and ensure that it remains connected to Exchange while idle and does not disconnect and reconnect within one or two minutes.

Test SSL Offloading
Use the following steps to test SSL offloading:

1. Open a browser and go to the FQDN of the VIP address for your SSL-offloaded HTTPS service (for Outlook Anywhere and Outlook Web App).
2. Ensure that the browser shows no certificate errors or warnings and that the certificate presented to the browser is the same one that was assigned to the SSL-offloaded service.

Diagnostic View
For a complete diagnostic view of all Client Access Server parameters for each server in the array, from the Exchange Management Shell, execute the following command:
   Get-ClientAccessServer | fl

Connectivity
To check the connectivity between the Exchange CAS array and Outlook, press Ctrl and right-click the Outlook icon in the system tray, and click Connection Status. Verify that all connections are listed as established.

Microsoft Exchange Server 2013 Deployment

Product Versions and Prerequisites
This article applies to the Barracuda Load Balancer ADC version 5.1 and above, with Microsoft Exchange Server 2013.

Before continuing with this deployment, you must have:
   Installed your Barracuda Load Balancer ADC(s), connected to the web interface, and activated your subscription(s).
   Clustered your Barracuda Load Balancer ADCs, if you want to deploy the Microsoft Exchange Server with high availability. For more information, see High Availability.

Barracuda Networks has conducted interoperability tests using the Barracuda Load Balancer ADC and Microsoft Exchange Server 2013. Follow the steps in this guide to deploy the Barracuda Load Balancer ADC to increase the scalability and reliability of your Microsoft Exchange Server 2013 deployment. Using a Barracuda Load Balancer ADC allows load balancing of a Client Access server (CAS) array.
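The checks in the Exchange 2010 testing article above (name resolution to the VIP, the certificate the SSL-offloaded service presents, the OWA logon page as the ADC's Server Monitor probes it, and Outlook's connections to the static ports) can be scripted from a client instead of clicked through. This is an added example, not from the Barracuda guide; it assumes the CAS array FQDN exchange.domain.local, the VIP 10.0.0.50, the thumbprint of the certificate installed on the ADC in $ExpectedThumbprint (a placeholder here), the static ports 65500 and 65501 from the one-armed article, and Windows PowerShell 3.0 or later on the client. The same probe function applies unchanged to the Exchange 2013 Instant SSL service described next, since its Server Monitor uses the same target and match string.

```powershell
# Added example, not from the Barracuda guide: client-side checks for the test procedure.
# Run from a Windows client on the internal network. The three values are assumptions.
$CasFqdn            = 'exchange.domain.local'
$VipAddress         = '10.0.0.50'
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: thumbprint of
                                                                   # the certificate on the ADC

function Test-CasArrayDns {
    # The array FQDN must resolve to the VIP, never to an individual CAS.
    $addrs = [System.Net.Dns]::GetHostAddresses($CasFqdn) | ForEach-Object { $_.IPAddressToString }
    return [bool]($addrs -contains $VipAddress)
}

function Get-PresentedCertificate {
    # TLS handshake with the VIP on 443; returns the leaf certificate the ADC presents.
    # Validation is bypassed on purpose so a wrong certificate is returned for inspection
    # instead of aborting the handshake; trust is checked separately by the caller.
    $tcp = New-Object System.Net.Sockets.TcpClient($VipAddress, 443)
    try {
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($CasFqdn)      # host name = the name clients use
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-OwaMonitor {
    # The same probe the ADC Server Monitor performs: GET /owa/auth/logon.aspx with the
    # monitor's User-Agent, expecting HTTP 200 and "Microsoft Corporation" in the body.
    # A certificate error raises an exception and counts as a failure, as in a browser.
    param([string]$Target = $CasFqdn)
    try {
        $r = Invoke-WebRequest -Uri "https://$Target/owa/auth/logon.aspx" -UseBasicParsing `
             -UserAgent 'Barracuda Load Balancer ADC Server Monitor'
        return [bool]($r.StatusCode -eq 200 -and $r.Content -match 'Microsoft Corporation')
    } catch {
        return $false
    }
}

function Get-OutlookConnectionPorts {
    # Ports of established TCP connections from this client to the VIP. With static ports
    # configured, a connected Outlook shows the VIP on 135, 65500 and 65501 and no direct
    # connection to an individual CAS address.
    $vip = [regex]::Escape($VipAddress)
    foreach ($line in (netstat -an)) {
        if ($line -match "^\s*TCP\s+\S+\s+${vip}:(\d+)\s+ESTABLISHED") { [int]$Matches[1] }
    }
}

$cert = Get-PresentedCertificate
[pscustomobject]@{
    DnsPointsToVip   = Test-CasArrayDns
    CertSubject      = $cert.Subject
    CertThumbprint   = $cert.Thumbprint
    CertMatchesAdc   = ($cert.Thumbprint -eq $ExpectedThumbprint)
    CertChainTrusted = $cert.Verify()          # client trust store, like the browser check
    CertNotExpired   = ($cert.NotAfter -gt (Get-Date))
    OwaProbeViaVip   = Test-OwaMonitor
    OwaProbeDirect   = Test-OwaMonitor -Target $VipAddress   # expect $false: name mismatch
    OutlookVipPorts  = ((Get-OutlookConnectionPorts | Sort-Object -Unique) -join ', ')
} | Format-List
```

CertMatchesAdc distinguishes "the ADC is offloading SSL" from "the browser accepted some valid certificate": if the VIP still hands out a CAS server's own certificate, the chain can be trusted while the thumbprint differs. OwaProbeDirect is expected to fail, because the certificate is issued for the FQDN and not for the bare VIP address.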
In this article:
   Terminology
   Deploying Exchange Services on the Barracuda Load Balancer ADC
   Step 1. Create an Instant SSL Service
   Step 2. Add the Real Servers
   Step 3. Configure DNS
   Next Step

Terminology
Microsoft Exchange Server: A Microsoft Exchange Server deployment consists of Client Access Servers (CAS), Hub Transport servers, and Exchange Mailbox servers.
Fully Qualified Domain Name (FQDN): The unique name for a specific computer or host that can resolve to an IP address.
Virtual IP (VIP) Address: The IP address assigned to a service. Clients use the virtual IP address to connect to the load-balanced service.
Service: A combination of a virtual IP address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving on the specified port(s) is directed to one of the real servers associated with the service.
Instant SSL: Instant SSL provides SSL (HTTPS) access to content on servers without having to modify the servers or the content on the servers. The Barracuda Load Balancer ADC rewrites the "http" links in the response to "https".
Client Access Server (CAS): The Client Access Server supports the various protocols used by end users to access their mailboxes. This includes services such as RPC Client Access, IMAP, POP3, OWA, and ActiveSync.
Real Server: A server associated with a service that handles the requests forwarded to it by the Barracuda Load Balancer ADC.
Hub Transport Server (HUB): The Hub Transport server role handles all mail flow inside the organization and delivers messages to a recipient's mailbox.
Outlook Web App (OWA): Originally called Outlook Web Access, OWA is the webmail component of Microsoft Exchange Server.

Deploying Exchange Services on the Barracuda Load Balancer ADC

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

Certificates
Barracuda Networks recommends that you use the same certificate on the Barracuda Load Balancer ADC and the CAS arrays.

To deploy the Exchange servers with the Barracuda Load Balancer ADC, complete the following steps:

Step 1. Create an Instant SSL Service

1. Log into the Barracuda Load Balancer ADC as the administrator.
2. Go to the BASIC > Certificates page, and create or upload a certificate for the service.
3. Go to the BASIC > Services page and add the following Instant SSL service. Click Add Service and enter the values in the corresponding fields.

Exchange_InstantSSL
   Type: Instant SSL
   IP Address: VIP address for the FQDNs that clients use to access the following: mail.domain.local, autodiscover.domain.local, eas.domain.local, outlook.domain.local, oab.domain.local, ecp.domain.local
   Port: 443
   HTTP Service Port: 80
   SSL Settings:
      Secure Site Domain: Enter the domain name of your Exchange server. If the internal and external domains are different, you can use wildcard characters, for example *.barracuda.com.
      Instant SSL: Select On.
   Certificate: Select the certificate that you uploaded for the service.
   Load Balancing: Persistence Type: Cookie Insert; Persistence Time: 1200; Cookie Name: choose a cookie name.

4. Click Create.

Step 2. Add the Real Servers

Add your CAS servers to your service. For each server, enable SSL and configure health checks. Certificate validation can be ignored: the connection from the Barracuda Load Balancer ADC to the CAS server is still encrypted, but the CAS certificate is not checked, so keep that segment on a trusted internal network.

1. On the BASIC > Services page, verify that the correct service for the server is displayed.
2. Click Add Server.
3. Enter the values in the corresponding fields:
   IP Address: IP address of the CAS server
   Port: 443
   Server Monitor:
      Testing Method: Simple HTTPS
      Port: 443
      Test Target: /owa/auth/logon.aspx (unless you modified the default path of logon.aspx)
      Test Match: Microsoft Corporation
      Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      Status Code: 200
      Test Delay: 30
4. Click Create.

Step 3. Configure DNS

Configure the VIP address on the CAS virtual directories.

Configure the DNS for the following domain names to point to the VIP address that you created for the Exchange_InstantSSL service:
   mail.domain.local
   autodiscover.domain.local
   eas.domain.local
   outlook.domain.local
   oab.domain.local
   ecp.domain.local

Configure the HTTPS namespace in the Exchange Admin Center:
1. Log into your Microsoft Exchange Admin Center.
2. Click Servers > Virtual Directories.
3. Select CAS1, click Edit, and configure the external access domain.
4. Add both servers to the list and configure the external domain.

5. Click Save.

Next Step
You can configure authentication and access control for your applications. For more information, see Access Control.

Microsoft Lync 2010 and 2013 Server Deployment

Organizations can use the Barracuda Load Balancer ADC to enhance the scalability and availability of their Lync Server deployments (formerly known as Microsoft Office Communications Server). Barracuda Networks has conducted interoperability tests between the Barracuda Load Balancer ADC and Microsoft Lync Server. This guide describes how to deploy the Barracuda Load Balancer ADC to provide scaling in a Lync environment. For organizations that want a scalable solution, Microsoft recommends using a hardware load balancer to distribute the traffic among multiple Lync Servers.

Prerequisites
You must have:
   Microsoft Lync Server 2010 or 2013 Enterprise Edition.
   At least the minimum number of Barracuda Load Balancer ADCs required for your deployment:
      Internal Lync Server deployment: minimum one Barracuda Load Balancer ADC; recommended two for high availability.
      Internal Lync Server deployment and Edge deployment: minimum two Barracuda Load Balancer ADCs; recommended four for high availability. To maintain the integrity of the edge security model, separate load balancers are required for the internal traffic and the edge traffic.
      Internal Lync Server deployment, Edge deployment, and non-collocated A/V services: minimum three Barracuda Load Balancer ADCs; recommended six for high availability. To maintain the integrity of the edge security model, separate load balancers are required for the internal traffic, the edge traffic, and the non-collocated A/V services.
   Installed your Barracuda Load Balancer ADC(s), connected to the web interface, and activated your subscription(s).
   If you are planning to deploy Lync Server with high availability, you must first cluster your Barracuda Load Balancer ADCs. For more information, see High Availability.

Before Running Lync Topology Builder
Do not run the Lync Topology Builder until instructed to do so by this deployment guide. All of the services on the Barracuda Load Balancer ADC must be configured before running the Topology Builder.

Support for Office Web Apps Server and Lync Server (for internal users only)
Office Web Apps Server is a new Office server product that delivers browser-based versions of Word, PowerPoint, Excel, and OneNote. A single Office Web Apps Server farm can support users who access Office files through SharePoint 2013, Lync Server 2013, Exchange Server 2013, shared folders, and websites. After the Office Web Apps Server and Lync Server are integrated, internal users can start sharing PowerPoint presentations without any further changes on the Barracuda Load Balancer ADC.

Additional References
Refer to the Microsoft TechNet library for the following:
   A description of the ports and protocols used by the servers, load balancers, and clients in a Microsoft Lync deployment
   Microsoft Lync Server Documentation
   Deploy Office Web Apps Server
   Configuring Integration with Office Web Apps Server and Lync Server

Terminology
Front-End Server: A Lync Server in the internal network running the Front End Lync services.
Edge Server: A Lync Server deployed in the perimeter network running the Edge Lync services.
Fully Qualified Domain Name (FQDN): The unique name for a specific computer or host that can resolve to an IP address.

Service: A combination of a virtual IP (VIP) address and one or more TCP/UDP ports on which the Barracuda Load Balancer ADC listens. Traffic arriving over the specified port(s) to a service is directed to one of the real servers associated with that service.

Deploying with Microsoft Lync Server
Before you deploy with Microsoft Lync Server, you must understand your deployment options. See Understanding Microsoft Lync Server Deployment Options. Then see How to Deploy with Microsoft Lync Server 2010 and 2013 for instructions on how to deploy with the Microsoft Lync Server.

Understanding Microsoft Lync Server Deployment Options

Requirements
This article refers to the Barracuda Load Balancer ADC and Microsoft Lync Server 2010 or 2013 Enterprise Edition. For a list of prerequisites, see Microsoft Lync 2010 and 2013 Server Deployment.

In this article:
   Lync Server Front-End Server Deployment Options
   Lync Edge Server Deployment Options
   Deployment Example
   Next Step

In your environment, the inbound firewall must not NAT inbound traffic addressed to the Edge deployment.

Lync Server Front-End Server Deployment Options
Because the servers in a Lync Server Enterprise pool communicate with each other using the VIP address of the pool, create a TCP Proxy service and associate the servers with it to facilitate this communication. The servers and the Barracuda Load Balancer ADC must be deployed using a one-armed topology in either a single or multiple subnet configuration.

Unsupported Deployment Option
Deploying internal Lync pools using a two-armed Route-Path topology or Direct Server Return (DSR) mode does not work and is not supported.

Lync Edge Server Deployment Options
Load-balanced Edge deployments are supported using either a one-armed Route-Path topology with a TCP Proxy service or a two-armed Route-Path topology with a Layer 4 service. For maximum performance, a two-armed Route-Path topology is recommended.

Unsupported Deployment Option
Direct Server Return deployment does not work and is not supported.

Deployment Example
The following diagram shows an example Edge deployment. You can use this example as a reference in your next step of deploying the Barracuda Load Balancer ADC in your Lync Server environment.
[Figure: Lync Deployment Example]

Next Step
Deploy the Barracuda Load Balancer ADC in your Lync Server environment. For instructions, see How to Deploy with Microsoft Lync Server 2010 and 2013.

How to Deploy with Microsoft Lync Server 2010 and 2013

Product Versions and Prerequisites
This article applies to the Barracuda Load Balancer ADC 5.1 and above, with:
   Microsoft Lync Server 2010 or 2013 Enterprise Edition
   For Lync Mobility: Apple iPhone and iPad; Android phones; Windows Phone 7; and Nokia mobile devices
For a full list of the prerequisites for this deployment, see Microsoft Lync 2010 and 2013 Server Deployment.

Before You Begin
Print or copy the IP Worksheet and use it to record your configuration. Complete this worksheet as you perform the tasks to deploy the Microsoft Lync Server. The worksheet will help you when you run the Topology Builder.

If you want additional information on deployment requirements and options, the following Microsoft Lync references are available:
   For a list of requirements, see Microsoft Lync 2010 and 2013 Server Deployment.
   For deployment options, see Understanding Microsoft Lync Server Deployment Options.
   For mobility deployment details, see the Microsoft TechNet article Deploying Mobility.

Before Running Lync Topology Builder
Do not run the Lync Topology Builder until instructed to do so by this deployment guide. All of the services on the Barracuda Load Balancer ADC must be configured before running the Topology Builder.

Deployment Tasks

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

To deploy the Barracuda Load Balancer ADC in a Lync 2010 or 2013 environment, complete the following tasks:
   Task 1. Configure Enterprise Pool Services: do this on the internal-facing Barracuda Load Balancer ADC.

If you did not collocate A/V services on your Front End Servers, you must also do the following:
   Task 2. (If applicable) Configure Internal A/V Services: do this on the A/V Pool Barracuda Load Balancer ADC.

If you have an Edge deployment, you must also complete the following tasks:
   Task 3. Configure Internal Edge Services: do this on the internal-facing Barracuda Load Balancer ADC.
   Task 4. Configure External Edge Services: do this on the external-facing Barracuda Load Balancer ADC.

If you have deployed Director servers, you must also complete the following task:
   Task 5. Configure Director Services: do this on the Director Barracuda Load Balancer ADC.

Complete the following tasks after all services are configured on the Barracuda Load Balancer ADC:
   Task 6. Run Topology Builder: do this on the server where Topology Builder is installed.
   Task 7. Configure SSL Settings: do this on the internal-facing Barracuda Load Balancer ADC.

Configure Mobility services and configure the Barracuda Load Balancer ADC as a reverse proxy:
   Task 8. Configure Lync Mobility Services: do this on the internal-facing Barracuda Load Balancer ADC.
   Task 9. Configure the Barracuda Load Balancer ADC as a Reverse Proxy for Lync Mobility Services: do this on the external-facing Barracuda Load Balancer ADC.

If you encounter connectivity issues with your deployment, you can use the Remote Connectivity Analyzer; see Troubleshooting.

Task 1. Configure Enterprise Pool Services

Configure all services needed for an internal Lync deployment. Perform the following steps on the internal-facing Barracuda Load Balancer ADC.

1. Go to the BASIC > Services page in the web interface.
2. Add all of the services listed in Table 1, along with their real servers. For each service, click Add Service and enter the values in the corresponding fields. To add a real server, click Add Server and enter the IP address and port for the server.

Persistence Settings for Lync 2013
In these settings, source IP persistence is recommended. However, for Lync 2013, you can choose to use cookie persistence instead.

Table 1. Enterprise Pool Services

MTLS_Front
   Type: TCP Proxy
   IP Address: IP address for the FQDN of the internal Enterprise Lync pool (e.g., frontpool.domain.local)
   Port: 5061
   Real Servers: IP addresses of your Front End servers (K and L from the deployment example)
DCOM_WMI_Front
   Type: TCP Proxy
   IP Address: IP address for the FQDN of the internal Enterprise Lync pool
   Port: 135
   Real Servers: IP addresses of your Front End servers (K and L from the deployment example)
Internal_Conf_Front
   Type: TCP Proxy
   IP Address: IP address for the FQDN of the internal Enterprise Lync pool
   Port: the internal conferencing port listed in the Lync ports reference under Additional References
   Real Servers: IP addresses of your Front End servers (K and L from the deployment example)
HTTPS_Front
   Type: HTTPS
   IP Address: IP address for the FQDN of the internal Enterprise Lync pool
   Port: 443
   Real Servers: IP addresses of your Front End servers (K and L from the deployment example)
The Session Timeout of each service is set as described in step 5.

3. For the DCOM_WMI_Front service only, enable TCP port monitoring for each real server associated with the service:
   a. Next to each real server entry in the Configured Servers table, click Edit.
   b. In the Edit Server window, scroll to the Server Monitor section and specify these settings:
      Testing Method: Select TCP Port Check.
      Port: Enter 5061.
      Testing port 5061 for this service is recommended because port 135 always passes the TCP port check, even if the Lync services are not responding: port 135 is the Windows RPC endpoint mapper and is open whenever the operating system is up, whereas 5061 is only accepted while the Lync Front End service is running.
4. For the HTTPS_Front service only, configure cookie persistence:
   a. In the service settings, scroll to the Load Balancing section.
   b. Configure these settings:
      Persistence Type: Select Cookie Insert or Cookie Passive.
      Persistence Time: Enter the persistence time.
5. The Barracuda Load Balancer ADC is preconfigured with default settings that work with most applications. Lync 2010 requires changes to the Session Timeout setting for each service configured for Lync on the Barracuda Load Balancer ADC to ensure compliance with Microsoft specifications.
6. If you have deployed any of the features in Table 2, add the service for the feature.

Table 2. Services for Optional Features

Persistence Settings for Lync 2013
In these settings, source IP persistence is recommended. However, for Lync 2013, you can choose to use cookie persistence instead.

Columns: Name, Type, IP Address, Port, Session Timeout, Persistence, Real Servers

70 Application_Sha ring TCP Proxy IP address for the FQDN of the Internal Enterprise Lync Pool Type: Source IP Time : 1200 IP addresses of your front-d servers (K and L from the deploymt example) Response_Gro up_service TCP Proxy IP address for the FQDN of the Internal Enterprise Lync Pool Type: Source IP Time : 1200 IP Addresses of your front-d servers (K and L from the deploymt example) Confercing_A ttdant TCP Proxy IP address for the FQDN of the Internal Enterprise Lync Pool Type: Source IP Time : 1200 IP addresses of your front-d servers (K and L from the deploymt example) Confercing_A nnouncemt TCP Proxy IP address for the FQDN of the Internal Enterprise Lync Pool Type: Source IP Time : 1200 IP addresses of your front-d servers (K and L from the deploymt example) Task (If Applicable) Configure Internal A/V Services Complete this step if you did not collocate A/V Services on your front-d servers. If you have more than 10,000 users in this pool, it is recommded that you separate the A/V Services of your Internal Lync Pool and do not collocate the A/V services on the Front End Pool. If you choose to collocate A/V Services on your Front End Pool, no further changes to the configuration are required. Separating out the A/V Services into its own pool requires two more Barracuda Load Balancer ADCs operating as a high availability pair. If your deploymt has more than 10,000 A/V users, contact Barracuda Networks Technical Support for assistance. Task Configure Internal Edge Services To configure all services needed for a load-balanced Lync Edge deploymt, perform the following steps on the internal-facing Barracuda Load Balancer ADC. Go to the BASIC > Services page in the web Interface. Add all of the services listed in Table 3, along with their real servers. For each service, click Add Service and ter the values in the corresponding fields. To add a real server, click Add Server and ter the IP address and port for the server. 
Table Internal Edge Services Persistce Settings for Lync 2013 Persistce Settings for Lync 2013 In these settings, source IP persistce is recommded. However, for Lync 2013, you can choose to use cookie persistce instead. Service Name Type IP Address Port Session Timeout Persistce Real Servers 70

71 MTLS_Edge TCP Proxy IP address for the FQDN of the Internal Edge Enterprise Lync Pool e.g., /24 for edgepool. domain.local AV_Auth_Edge TCP Proxy IP address for the FQDN of the Internal Edge Enterprise Lync Pool AV_Edge HTTPS IP address for the FQDN of the Internal Edge Enterprise Lync Pool Type: Source IP Time: Type: Source IP Time: Type: Cookie Insert or Cookie Passive Time: 1200 Specify the Coo kie Name if needed. Internal IP addresses of your Edge Servers (I and J from the deploymt example) Internal IP addresses of your Edge Servers (I and J from the deploymt example) Internal IP addresses of your Edge Servers (I and J from the deploymt example) Replica_Replica tor_edge HTTPS IP address for the FQDN of the Internal Edge Enterprise Lync Pool Type: Cookie Insert or Cookie Passive Time: 1200 Specify the Coo kie Name if needed. Internal IP addresses of your Edge Servers (I and J from the deploymt example) Web_Conferc ing_edge TCP Proxy IP address for the FQDN of the Internal Edge Enterprise Lync Pool Type: Source IP Time: 1200 Internal IP addresses of your Edge Servers (I and J from the deploymt example) RDP_Media_Ed ge UDP Proxy IP address for the FQDN of the Internal Edge Enterprise Lync Pool Type: Source IP Time: 1200 Internal IP addresses of your Edge Servers (I and J from the deploymt example) Task 4. Configure External Edge Services WAN refers to interface(s) configured to access external network. LAN refers to interface(s) configured to access internal network. Ensure that the real servers are physically connected to a switch that is connected to the LAN port (for two-armed deploymt) or the WAN port (for one-armed deploymt) of the Barracuda Load Balancer ADC. 71

72 To configure all services needed for a load-balanced Edge Deploymt of Lync Server, perform the following steps on the external-facing (Internet-facing) Barracuda Load Balancer ADC. Go to the BASIC > Services page in the web interface. Add all of the services listed in Table 4, along with their real servers. For each service, click Add Service and ter the values in the corresponding fields. To add a real server, click Add Server and ter the IP address and port for the server. Table 4. External Edge Services Persistce Settings for Lync 2013 Persistce Settings for Lync 2013 In these settings, source IP persistce is recommded. However, for Lync 2013, you can choose to use cookie persistce instead. Name Type IP Address Port Session Timeout Persistce Real Servers Access_Edge One-armed:TC P Proxy Two-armed: Layer 4 - TCP IP address for the FQDN of Access Edge e.g., IP address for lync.exam ple.com Type: Source IP Time: 1200 IP address of Access Edge NICs on each Edge Server (C and F from the deploymt example) Access_Fed_E dge One-armed:TC P Proxy Two-armed: Layer 4 - TCP IP address for the FQDN of Access Edge e.g., IP address for lync.exam ple.com Type: Source IP Time: 1200 IP address of Access Edge NICs on each Edge Server (C and F from the deploymt example) Web_Conferc ing_edge One-armed:TC P Proxy Two-armed: Layer 4 - TCP IP address for the FQDN of WebConf Edge e.g., IP address for webconf.e xample.com Type: Source IP Time: 1200 IP address of of your Edge Servers (D and G from the deploymt example) AV_Edge One-armed:TC P Proxy Two-armed: Layer 4 - TCP IP address for the FQDN of AV Edge e.g., IP address for av.exampl e.com Type: Source IP Time: 1200 IP address of your Edge Servers (E and H from the deploymt example) AV_Media_Edg e One-armed: UDP Proxy Two-armed: Layer 4 - UDP IP address for the FQDN of AV Edge e.g., IP address for av.exampl e.com default settings IP address of your Edge Servers (E and H from the deploymt example) Task 5. 
Configure Director Services To configure all services needed for a load-balanced Edge Deploymt of Lync Server, perform the following steps on the external-facing Barracuda Load Balancer ADC. Persistce Settings for Lync 2013 Persistce Settings for Lync

73 In these settings for the Director Services, source IP persistce is recommded. However, for Lync 2013, you can choose to use cookie persistce instead. Go to the BASIC > Services page in the web interface. Add the following Directory_MTLS service with its real servers. Click Add Service and ter the values in the corresponding fields. To add a real server, click Add Server and ter the IP address and port for the server. Name Type IP Address Port Session Timeout Persistce Real Servers Directory_MTLS TCP Proxy IP address for the FQDN of the Directory Service Type: Source IP Time: 1200 IP address of your Directory Servers If you must support Office Communications Server prior to version 2007 R2, add the following Directory_MTLS_Legacy service. If you only have versions of Office Communications Server that are 2007 R2 or later (including Lync), do not add this service. Name Type IP Address Port Session Timeout Persistce Real Servers Directory_MTLS _Legacy TCP Proxy IP for FQDN of the Directory Service Type: Source IP Time: 1200 IP address of your Directory Servers Task 6. Run Topology Builder After you configure all services on the Barracuda Load Balancer ADC, run LyncTopology Builder. To complete the required fields, use the configuration information that you recorded in the IP Worksheet. Task 7. Configure SSL Settings Install an SSL certificate on the internal-facing Barracuda Load Balancer ADC for the HTTPS services that were configured previously. The Barracuda Load Balancer ADC uses this certificate to decrypt the SSL traffic directed to the HTTPS services, and it checks for a persistce cookie. Also, you must configure back-d SSL on the real servers to re-crypt traffic before sding it to a server in the pool. Using the Microsoft Managemt Console (MMC), export a certificate along with its private key, from one of the front-d Lync servers. Ensure the pool name is in the certificate. 
Perform the following steps on the internal-facing Barracuda Load Balancer ADC for the HTTPS_Front service. 4. Go to the BASIC > Certificates page, and import the certificate. Go to the BASIC > Services page and edit the service. In the Certificates section of the service settings, select the uploaded certificate. Enable SSL in the settings of the real servers. a. b. Next to each real server try in the Configured Servers table, click Edit. In the Edit Server window: i. ii. Scroll to the SSL section and turn on the Server uses SSL setting. Scroll to the Certificates section and select the certificate that you uploaded. If you deployed Edge services on the internal-facing Barracuda Load Balancer ADC, repeat these steps for the Replica_Replicator_Edge and AV_Edge services. Your installation of the Barracuda Load Balancer ADC and Microsoft Lync Server is now complete. Continue to configure the Barracuda Load Balancer ADC for Lync Mobility. Task 8. Configure Lync Mobility Services To configure the services needed for a Lync Mobility deploymt, perform the following steps on the internal-facing Barracuda Load Balancer ADC. Persistce Settings for Lync

74 Persistce Settings for Lync 2013 In these settings for the Lync Mobility Services, source IP persistce is recommded. However, for Lync 2013, you can choose to use cookie persistce instead. Go to the BASIC > Services page in the web interface. Add the following Lync_Mobility_HTTPS service with its real servers. Click Add Service and ter the values in the corresponding fields. To add a real server, click Add Server and ter the IP address and port for the server. Name Type IP Address Session Timeout Certificate Persistce Real Servers Lync_Mobility_ HTTPS HTTPS IP address for the FQDN of the Internal Enterprise Lync pool Port is Select the certificate assigned to the Lync front-d server for external web services. For more information on creating and assigning the certificate, see Appdix A. Certificate for Lync Mobility Service. Type: Cookie Insert or Cookie Passive Time: 1200 Specify the Coo kie Name if needed. Internal IP addresses of front-d servers Port is Edit the SSL settings for the real servers of the Lync_Mobility_HTTPS service. a. b. c. d. Next to each real server try in the Configured Servers table, click Edit. In the Edit Server window, scroll to the SSL section. Set Server Uses SSL to On. Expand the settings, and set Validate Certificate to Off. If you abled Lync Mobility connections over HTTP, add the following Lync_Mobility_HTTP service. Name Type IP Address Session Timeout Persistce Real Servers Lync_Mobility_HTT P HTTP IP address for the FQDN of the Internal Enterprise Lync pool Port is default Internal IP addresses of front-d servers Port is 8080 Task 9. Configure the Barracuda Load Balancer ADC as a Reverse Proxy for Lync Mobility Services A reverse proxy is required to support Lync Mobility Services, because it lets remote users access the functionality provided by Lync Web Services. 
To configure the services needed to deploy the Barracuda Load Balancer ADC as a reverse proxy, perform the following steps on the external-facing Barracuda Load Balancer ADC. Persistce Settings for Lync 2013 Persistce Settings for Lync 2013 In these settings for the Lync Mobiliity Services, source IP persistce is recommded. However, for Lync 2013, you can choose to use cookie persistce instead. Go to the BASIC > Services page. Add the following Lync_RP_HTTPS service with its real servers. Click Add Service and ter the values in the corresponding fields. To add a real server, click Add Server and ter the IP address and port for the server. 74

75 Service Name Type IP Address Session Timeout Certificate Persistce Real Server Lync_RP_HTTP S HTTPS IP address of the FQDN of the External Web Services Port is Select the certificate assigned to the Lync front-d server for external web services. For more information on creating and assigning the certificate, see Appdix A. Certificate for Lync Mobility Service. Type: Cookie Insert or Cookie Passive Time : 1200 Cookie Name : MS_WSMAN VIP address of the Lync Mobility HTTPS service Port is Edit the SSL settings for the real servers of the Lync_RP_HTTPS service. a. b. c. d. Next to each real server try in the Configured Servers table, click Edit. In the Edit Server window, scroll to the SSL section. Set Server Uses SSL to On. Expand the settings, and set Validate Certificate to Off. If you abled Lync Mobility connections over HTTP, add the following Lync_RP_HTTP service. Service Name Type IP Address Session Timeout Persistce Real Server Lync_RP_HTTP HTTP IP address of the FQDN of the External Web Services Port is default VIP address of the Lync Mobility HTTP service Port is 8080 Troubleshooting To troubleshoot connectivity issues by simulating differt scarios, you can use the Remote Connectivity Analyzer at: Appdix A. Certificate for Lync Mobility Service Using the Lync Certificate Wizard, you can create the certificate to be assigned to the Lync Mobility Service and to the Reverse Proxy (RP) Service. The certificate's SAN must contain the autodiscover URL and your external web services URL. The Lync_RP_HTTPS service and the Lync_Mobility_HTTPS service that you create on the Barracuda Load Balancer ADC can be assigned the same certificate. For more information regarding certificate requiremts, refer to the Microsoft TechNet article called Certificate Summary - Reverse Proxy. Wh you use the Lync Certificate Wizard to request the certificate, select the Web services external check box and assign the certificate to the Barracuda Load Balancer ADC: 75
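Task 1 has you monitor the DCOM_WMI_Front real servers with a TCP Port Check and warns that a probe of port 135 passes even when Lync is not responding. The following Python script, added here as an illustration (it is not code from the guide or from Barracuda), shows what such a probe does and does not prove: it completes a TCP handshake against each real server and reports reachability, nothing more. The loopback listener it starts stands in for a real server, and the addresses are constructed for the demonstration.

```python
import socket
from typing import Dict, Iterable, List, Tuple


def tcp_port_check(host: str, port: int, timeout: float = 2.0) -> bool:
    """Mimic an ADC 'TCP Port Check' monitor: the probe succeeds as soon as the
    TCP three-way handshake completes. Nothing is sent on the connection, so a
    success only proves that something is listening on the port, not that the
    application behind it is healthy. That is why the guide says to probe 5061
    for DCOM_WMI_Front: port 135 belongs to the Windows RPC endpoint mapper and
    answers even when the Lync services are stopped."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # connection refused, timed out, host unreachable, name resolution failure
        return False


def monitor_pool(servers: Iterable[Tuple[str, int]], timeout: float = 2.0) -> Dict[str, bool]:
    """Probe every (host, port) real server once; return 'host:port' -> up."""
    return {f"{host}:{port}": tcp_port_check(host, port, timeout) for host, port in servers}


def healthy_servers(status: Dict[str, bool]) -> List[str]:
    """Real servers a service should keep in rotation after this probe round."""
    return [server for server, up in status.items() if up]


def start_stub_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a real server: a bare TCP listener on loopback.
    The kernel completes handshakes into the backlog even though nothing ever
    accept()s, which is exactly the 'port open but application idle' case the
    guide warns about."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))  # ephemeral port
    sock.listen(5)
    return sock, sock.getsockname()[1]


def unused_port() -> int:
    """Find a loopback port that is currently closed (constructed for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = start_stub_listener()
    closed_port = unused_port()
    status = monitor_pool([("127.0.0.1", open_port), ("127.0.0.1", closed_port)], timeout=1.0)
    for server, up in status.items():
        print(f"{server}: {'UP' if up else 'DOWN'}")
    listener.close()
```

The stub listener reports UP although it never serves a request, which is the same false positive a check against port 135 produces on a Lync front-end; pick the port whose listener is owned by the application you actually care about.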
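Several of the services above (HTTPS_Front in Task 1, AV_Edge, the Lync Mobility and reverse proxy services) use Cookie Insert persistence with a 1200-second timer, and the SharePoint deployment later on this page combines the same Cookie Insert setting, a cookie named Persistence, with the Round Robin algorithm. The following Python class, added as an illustration and not Barracuda's implementation, shows how those settings fit together: round robin chooses a server for a new client, the response carries a persistence cookie, and later requests that present a valid cookie go back to the same server unless it has expired or the server has been marked down. The server addresses and the cookie format are assumptions made for the example.

```python
import itertools
import time
from http.cookies import CookieError, SimpleCookie
from typing import Callable, Iterable, List, Optional, Tuple


class CookieInsertBalancer:
    """Cookie Insert persistence on top of round-robin selection, modelled on the
    settings in this guide (Persistence Type: Cookie Insert, cookie name
    "Persistence", Persistence Time 1200 s, Algorithm: Round Robin).
    The cookie value is an opaque server index plus an expiry timestamp, so
    clients never see real server addresses; an expired cookie, a malformed one,
    or one naming a server that is down falls back to round robin."""

    def __init__(self, servers: Iterable[str], cookie_name: str = "Persistence",
                 persistence_time: int = 1200, secure: bool = True,
                 clock: Callable[[], float] = time.time) -> None:
        self.servers: List[str] = list(servers)
        if not self.servers:
            raise ValueError("at least one real server is required")
        self.healthy = set(self.servers)          # updated by the server monitor
        self.cookie_name = cookie_name
        self.persistence_time = persistence_time  # idle timeout, refreshed on each hit
        self.secure = secure                      # Secure attribute for HTTPS services
        self.clock = clock                        # injectable for deterministic tests
        self._ring = itertools.cycle(range(len(self.servers)))

    def mark_down(self, server: str) -> None:
        self.healthy.discard(server)

    def mark_up(self, server: str) -> None:
        if server in self.servers:
            self.healthy.add(server)

    def _round_robin(self) -> int:
        # Walk the ring at most once, skipping servers the monitor marked down.
        for _ in range(len(self.servers)):
            idx = next(self._ring)
            if self.servers[idx] in self.healthy:
                return idx
        raise RuntimeError("no healthy real servers")

    def _sticky_index(self, cookie_header: Optional[str]) -> Optional[int]:
        """Index named by a valid, unexpired persistence cookie whose server is
        still healthy; None when the request must be balanced afresh."""
        if not cookie_header:
            return None
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            return None
        morsel = jar.get(self.cookie_name)
        if morsel is None:
            return None
        try:
            idx_text, expires_text = morsel.value.split(".", 1)
            idx, expires = int(idx_text), int(expires_text)
        except ValueError:
            return None  # malformed or tampered value: ignore it
        if expires < self.clock() or not 0 <= idx < len(self.servers):
            return None
        if self.servers[idx] not in self.healthy:
            return None
        return idx

    def _set_cookie(self, idx: int) -> str:
        expires = int(self.clock()) + self.persistence_time
        header = f"{self.cookie_name}={idx}.{expires}; Path=/; HttpOnly"
        return header + "; Secure" if self.secure else header

    def route(self, cookie_header: Optional[str]) -> Tuple[str, str]:
        """Pick the real server for one request; return (server, Set-Cookie value).
        The cookie is re-issued on every response so the 1200 s window acts as
        an idle timeout, the usual behaviour of a persistence timer."""
        idx = self._sticky_index(cookie_header)
        if idx is None:
            idx = self._round_robin()
        return self.servers[idx], self._set_cookie(idx)


if __name__ == "__main__":
    # Constructed sample: two front-end servers behind one HTTPS service.
    lb = CookieInsertBalancer(["10.0.0.11", "10.0.0.12"])
    server, set_cookie = lb.route(None)        # first visit: round robin decides
    print(server, "->", set_cookie)
    cookie = set_cookie.split(";", 1)[0]       # what the browser sends back
    print(lb.route(cookie)[0], "(same server on the return visit)")
```

Two details matter for a deployment like the one described here: the ADC can only read the cookie because it terminates SSL (Task 7), which is why back-end re-encryption is configured separately, and a server that the monitor marks down must stop receiving sticky traffic, which the class handles by treating its cookie as invalid.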

Next Step

You can configure authentication and access control for your applications. For more information, see Access Control.

IP Worksheet

As you perform the deployment tasks, record your IP addresses on this worksheet. It will assist you when you run the Topology Builder.

(columns: Configured Barracuda Load Balancer ADC, FQDN, IP Address, Associated Topology Builder Step(s), Notes)

Internal-facing Barracuda Load Balancer ADC
  FQDN: Pool FQDN
  Associated Topology Builder Step(s): Front End Pool wizard

Internal-facing Barracuda Load Balancer ADC (1)
  FQDN: External Base URL
  Associated Topology Builder Step(s): Front End Pool wizard

A/V Barracuda Load Balancer ADC (if configured)
  FQDN: A/V Conferencing Pool
  Associated Topology Builder Step(s): Front End Pool wizard; Define the new A/V Conferencing Server

Internal-facing Barracuda Load Balancer ADC
  FQDN: Edge Pool FQDN
  Associated Topology Builder Step(s): New Edge Pool wizard

External-facing Barracuda Load Balancer ADC
  FQDN: Edge SIP Access
  Associated Topology Builder Step(s): New Edge Pool External FQDNs

External-facing Barracuda Load Balancer ADC
  FQDN: Edge Web Conferencing
  Associated Topology Builder Step(s): New Edge Pool External FQDNs

External-facing Barracuda Load Balancer ADC
  FQDN: Edge Audio/Video
  Associated Topology Builder Step(s): New Edge Pool External FQDNs

Note: (1) Usually this is the same as your pool FQDN unless your organization has also implemented SIP DNS load balancing.

Microsoft Office SharePoint Server 2007, 2010 and 2013 Deployment

Requirements

This article applies to: Barracuda Load Balancer ADC version 5.1 and above; Microsoft SharePoint Server 2007, 2010, or 2013.

This article assumes you are logged into the Barracuda Load Balancer ADC web interface and have an activated subscription. If you are planning to deploy Lync Server with high availability, you must first cluster your Barracuda Load Balancer ADCs. For more information, see High Availability.

Follow the steps in this guide to configure your Barracuda Load Balancer ADC to increase the scalability and reliability of your Microsoft Office SharePoint Server 2007, 2010, or 2013 deployment. You can deploy SharePoint servers in clusters with two or more front-end servers, an SQL server, and an application server. The Barracuda Load Balancer ADC can provide advanced Layer 7 load balancing and Layer 7 application security for your SharePoint servers.

Terminology

Service: A combination of a virtual IP (VIP) address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving over the specified port(s) is directed to one of the real servers associated with that service.

Instant SSL: The Instant SSL service redirects an HTTP connection to an HTTPS service. When you add an Instant SSL service, it appears as only one service in the user interface, but two services are created: an HTTPS service with port 443 and a non-SSL redirect service with port 80. In the Instant SSL service settings, you must specify one secured site domain whose links must be converted from http to https. When the redirect service receives a request from the specified domain, it forwards the request to the service on port 443/HTTPS, which then forwards the request to the servers. In any responses, the HTTPS service rewrites the HTTP request into an HTTPS request. For example, if you specify a domain, every http occurrence of that domain in outgoing responses is rewritten to https. After you add the Instant SSL service, you can edit the HTTPS service to add more domains that must be rewritten in responses.

Deployment Options

Microsoft recommends a three-tier system of deploying SharePoint servers. For instructions, see these Microsoft TechNet articles:

(SharePoint 2013) Install SharePoint 2013 across multiple servers for a three-tier farm
(SharePoint 2010) Multiple servers for a three-tier farm
(SharePoint 2007) Install Office SharePoint Server 2007 in a server farm environment

Deployment Example

This example displays a three-tier SharePoint farm with a Barracuda Load Balancer ADC. The deployment provides scalability, application acceleration, application security, and business continuity. Incoming traffic is load-balanced among the front-end servers. The Barracuda Load Balancer ADC monitors the server health by periodically requesting a page from each server. It also provides Layer 7 application security to the servers.
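The Instant SSL definition above describes response rewriting: links to the configured secured site domain are changed from http to https on the way out, while links to other hosts are left alone. The following Python function, added as an illustration and not Barracuda's code, performs that rewrite on a response body and also honours the wildcard form of Secure Site Domain mentioned later in this guide (for example *.barracuda.com). The sample HTML and host names are constructed for the demonstration.

```python
import re
from typing import Iterable, Tuple
from urllib.parse import urlsplit, urlunsplit

# Absolute http:// URLs inside HTML, JS or CSS; stops at whitespace, quotes and delimiters.
HTTP_URL = re.compile(r'http://[^\s"\'<>()]+')


def host_matches(host: str, pattern: str) -> bool:
    """Match a host against a Secure Site Domain entry. '*.example.com' matches any
    subdomain (intranet.example.com) but not the bare apex example.com; without
    the wildcard the match is exact. Comparison is case-insensitive."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def rewrite_to_https(body: str, secure_domains: Iterable[str]) -> Tuple[str, int]:
    """Rewrite http:// links for the configured domains to https:// and return the
    new body plus the number of links changed. Links to other hosts are left
    untouched: forcing https onto a host with no TLS listener would break the
    page. An explicit :80 is dropped so the link reaches the HTTPS service on
    443 rather than https://host:80."""
    domains = list(secure_domains)
    changed = 0

    def replace(match):
        nonlocal changed
        url = match.group(0)
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
            port = parts.port
        except ValueError:
            return url  # unparsable netloc (e.g. bad IPv6 literal): leave as is
        if not any(host_matches(host, d) for d in domains):
            return url
        netloc = host if port in (None, 80) else f"{host}:{port}"
        changed += 1
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    return HTTP_URL.sub(replace, body), changed


# Constructed sample response body; the hosts are placeholders, not real sites.
SAMPLE_BODY = (
    '<a href="http://intranet.barracuda.com/sites/docs">docs</a>\n'
    '<a href="http://portal.barracuda.com:80/default.aspx">portal</a>\n'
    '<img src="http://cdn.example.org/logo.png">\n'
    '<a href="http://barracuda.com/">apex</a>\n'
)

if __name__ == "__main__":
    rewritten, count = rewrite_to_https(SAMPLE_BODY, ["*.barracuda.com"])
    print(f"{count} link(s) rewritten")
    print(rewritten)
```

With the wildcard entry, the two subdomain links are rewritten and the third-party image and the apex link are not; listing the apex domain explicitly, as the Secure Site Domain setting allows, is what makes the apex link eligible.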

Barracuda Load Balancer ADC Service Options

On the Barracuda Load Balancer ADC, create services for the types of traffic that are supported by your SharePoint servers. Depending on the traffic type, you can create Instant SSL, HTTP, or HTTPS services.

Scenario: The SharePoint servers support traffic over HTTP only.
  Service Options: If you want to redirect HTTP traffic to an HTTPS service, create an Instant SSL service; otherwise, create an HTTP service.

Scenario: The SharePoint servers support traffic over HTTPS only.
  Service Options: Create an HTTPS service.

Scenario: The SharePoint servers support traffic over HTTP and HTTPS.
  Service Options: If you want to redirect HTTP traffic to an HTTPS service, create an Instant SSL service; otherwise, create a combination of an HTTP service and an HTTPS service.

Deploying SharePoint Services on the Barracuda Load Balancer ADC

To deploy the SharePoint servers with the Barracuda Load Balancer ADC, complete the following steps.

Configuring Clustered Barracuda Load Balancer ADCs
If your Barracuda Load Balancer ADCs are clustered, the configuration between the active and passive units is synchronized; you only need to configure the active Barracuda Load Balancer ADC.

Step 1. (HTTPS and Instant SSL Services) Export and Upload a SharePoint Certificate

If you are creating an HTTPS or Instant SSL service, export a certificate from your SharePoint server and upload it to the Barracuda Load Balancer ADC.

1. Export a certificate from your SharePoint front-end server. For instructions on how to export a server certificate from your IIS server, see the Microsoft TechNet article. If the SharePoint servers are not bound to a certificate, you can create a self-signed certificate. For instructions, see How to Add an SSL Certificate.
2. Log into the Barracuda Load Balancer ADC as an administrator.
3. Go to the BASIC > Certificates page and upload the certificate from your SharePoint front-end server. If you are importing a certificate from IIS, it is in PKCS12 format. Enter a password for the certificate.

Step 2. Create Services for the SharePoint Servers

Add services according to the type of traffic supported by your SharePoint servers.

1. Go to the BASIC > Services page.
2. For each service that you add from Table 1, click Add Service and enter the values in the corresponding fields.

Table 1. Available Services (columns: Name, Type, IP Address, Port, Caching, Compression)

SharePoint_HTTP
  Type: HTTP
  IP Address: IP address for the fully qualified domain name (FQDN) that clients use to access SharePoint
  Port: 80

SharePoint_HTTPS
  Type: HTTPS
  IP Address: IP address for the fully qualified domain name (FQDN) that clients use to access SharePoint
  Port: 443

SharePoint_InstantSSL
  Type: Instant SSL
  IP Address: IP address for the fully qualified domain name (FQDN) that clients use to access SharePoint
  Port: 443; HTTP Service Port: 80

Caching: Select On. Then expand the caching settings, and add the types of files that are used by your servers.
Compression: Select On. Then expand the compression settings, and add these content types: application/vnd.ms-publisher, application/pdf, application/xml.

3. If you have an active subscription for Application Security, enable it and configure these settings:
   Security Mode: Select the Passive mode. It is recommended that you run the service in Passive mode before going active.
   Security Policy: For SharePoint 2007 and 2010, select SharePoint. For SharePoint 2013, select SharePoint 2013. These policies are predefined for all SharePoint applications. To edit these policies, go to the SECURITY > Security Policies page.
4. For Instant SSL services only, configure these settings in the SSL Settings section:
   Secure Site Domain: Enter the domain name of your SharePoint server. If the internal and external domains are different, you can use wildcard characters. For example: *.barracuda.com
   Instant SSL: Select On and then enable SharePoint Rewrite Support in the settings.
5. For HTTPS and Instant SSL services only, select the Certificate that you uploaded for your SharePoint server.
6. If your servers are configured in a cluster, specify these settings in the Load Balancing section:
   Algorithm: Select Round Robin.
   Persistence Type: Select Cookie Insert and then configure the cookie settings that appear. Name the cookie Persistence.
7. Click Create.

Step 3. Add the Real Servers

Add your SharePoint servers to your services. For each SharePoint server:

1. On the BASIC > Services page, verify that the correct service for the server is displayed.
2. Click Add Server.
3. Enter the IP address and port of the front-end server.
4. If the server is part of a cluster, specify whether it is a Backup server and enter its Weight for the load balancing algorithm.
5. If traffic must be encrypted before being passed to the server, configure these settings in the SSL section:
   Server uses SSL: Select On.
   Settings: Expand this section, and then select the SSL protocols to use.
   If you do not enable the server to use SSL, unencrypted traffic is passed to the server, because the Barracuda Load Balancer ADC decrypts incoming traffic in order to maintain session persistence using HTTP cookies.

6. If you are adding the server to an HTTPS or Instant SSL service, select the Certificate that you uploaded for your SharePoint server.
7. In the Server Monitor section, specify the method, port, login credentials, and settings for monitoring the availability of the server. For the Testing Method, select MS Sharepoint or MS Sharepoint Secure. If the server receives unencrypted traffic, use Port 80. If the server receives encrypted traffic, use Port 443.
8. Click Create.

Step 4. Configure Mapping for Decrypted Traffic to Real Servers

If traffic sent to the back-end servers changes from encrypted to unencrypted as a result of deploying the Barracuda Load Balancer ADC, you may need to configure Alternate Access Mappings through SharePoint Central Administration.

Step 5. Change DNS and NAT for the Barracuda Load Balancer ADC VIP Address

Change your internal DNS and external NATs or external DNS to point to the Barracuda Load Balancer ADC VIP address.

Next Step

You can configure authentication and access control for your applications. For more information, see Access Control.

Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment

Product Versions and Prerequisites

This article refers to: Barracuda Load Balancer ADC version 5.1 and above; Microsoft Windows Server 2008 R1 or R2 Standard, Enterprise, or Datacenter Edition.

The Barracuda Load Balancer ADC increases the performance and reliability of Microsoft Remote Desktop Services by load balancing among multiple terminal servers. It can also maintain session persistence by honoring the routing tokens provided by the Connection Broker (called Session Broker in Windows Server 2008 R1), allowing a client that disconnects from an active session on a terminal server to reconnect from another location and resume its session.

In this article: Prerequisites; Terminology; Microsoft TechNet References; Remote Desktop Services Deployment Options; Deployment Tasks.

Prerequisites

You must have:

Microsoft Server 2008 R1/R2 Standard, Enterprise, or Datacenter Edition.
(Optional but highly recommended) Session Broker. For this deployment, it is assumed that Session Broker will be installed and configured as described in this guide. For Windows Server 2008 R2, this functionality is called Remote Desktop Connection Broker.
At least one Barracuda Load Balancer ADC, but two are recommended for high availability. If you plan to deploy Remote Desktop Services with high availability, you must first cluster your Barracuda Load Balancer ADCs. For more information, see High Availability.

Terminology

Remote Desktop Services: Known as Terminal Services in Windows Server 2008 and Windows Server 2003, this component of Microsoft Windows allows users to remotely access applications and data.

Fully Qualified Domain Name (FQDN): The unique name for a specific computer or host that can resolve to an IP address.

Service: A combination of a virtual IP (VIP) address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving over the specified port(s) is directed to one of the real servers associated with that service.

Remote Desktop Connection Broker or Terminal Services Session Broker: A component of Remote Desktop Services. It maintains a list of active and disconnected sessions so that a disconnected user is transparently redirected and reconnected to the server. As you can see in the Microsoft documentation, Connection Broker / Session Broker can be configured to load balance remote desktop sessions. However, this guide describes load balancing provided by the Barracuda Load Balancer ADC.

Routing Token: Used to redirect users to their existing sessions on the correct terminal server.

Domain Controller: A server that responds to security authentication requests.

Remote Desktop Session Host (RD Session Host): The "terminal server" (the term used by Windows Server 2008) that runs the applications for the Remote Desktop users.

Microsoft TechNet References

For Windows Server 2008 R1: TS Session Broker Load Balancing Step-by-Step Guide
For Windows Server 2008 R2: Remote Desktop Connection Broker; About IP Address and Token Redirection

Remote Desktop Services Deployment Options

Deployments of Remote Desktop Services are supported in either a one-armed or a two-armed topology, with either a single or multiple subnet configuration. Unless users must directly access individual servers, it is recommended that the servers are placed in one or more subnets that are reachable by an internal-facing port of the Barracuda Load Balancer ADC. If clients must directly access individual servers, a one-armed deployment is recommended. Direct Server Return (DSR) is not supported in a Remote Desktop Services deployment.

Deployment Tasks

To deploy the Barracuda Load Balancer ADC for Remote Desktop Services, complete the following tasks:

Step 1. Configure Session Broker. Do this on the Session Broker for your Remote Desktop farm.
Step 2. Configure Real Servers. Do this on every Real Server in the server farm.
Step 3. Configure the Remote Desktop Services. Do this on the active Barracuda Load Balancer ADC.
Step 4. Test the Remote Desktop Services installation. Do this using a client that can access the Virtual IP address that you create in Step 3.

Step 1: How to Configure Session Broker with Remote Desktop Services in Windows Server 2008 R1 or R2

This article refers to the Barracuda Load Balancer ADC and Microsoft Server 2008 R1 or R2 Standard, Enterprise, or Datacenter Edition. For prerequisites, refer to Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment.

Session Broker provides a mechanism for a disconnected user to be reconnected to the server that has their disconnected session. Installing Session Broker greatly improves the overall experience for end users; installation is optional, but highly recommended by Barracuda Networks. This article describes how to install and configure Session Broker with Remote Desktop Services in Windows. If you choose not to deploy Session Broker, ensure the following:
- Verify that the Group Policy for the domain does not allow disconnected sessions.
- Verify that users are limited to one connection in a Group Policy Object for your domain.

Complete the installation and configuration described below on the Session Broker server to ensure that its settings are correctly configured.

Install Session Broker

Install the Session Broker role service on a server by performing the following steps:
1. Go to Start > Server Manager.
2. Under Server Manager (Server Name), click Roles.
3. Under Roles Summary, click Add Roles.
4. On the Select Server Roles page, turn on Remote Desktop Services and click Next.
5. On the Select Role Services page, select Remote Desktop Connection Broker.
6. Complete the Add Roles Wizard.

Configure Session Broker

Set up a Session Brokerage privileges list to tell the Session Broker which computers are authorized to be brokered; perform the steps that match your environment.

If the Session Broker is on a server that is also a domain controller, use the following steps:
1. Go to Start > Administrative Tools > Active Directory Users and Computers.
2. Expand your domain and select Users (even though this is a group, it is still listed under Users).
3. Double-click the group Session Broker Computers to view its properties.
4. Add all of the servers in your domain that are to be used for Remote Desktop Services load balancing.
   Important: You must add the Session Broker server to this list. Failure to do so results in the Session Broker being denied RPC privileges.

If the Session Broker is not on a server that is a domain controller, use the following steps:
1. Go to Start > Server Manager.
2. Expand Configuration, and click Local Users and Groups.
3. Click Groups.
4. Double-click the group Session Broker Computers to view its properties.
5. Add all of the servers in your domain that are to be used for Remote Desktop Services load balancing.
   Important: You must add the Session Broker server to this list. Failure to do so results in the Session Broker being denied RPC privileges.

Next Step

Go to Step 2: How to Configure the Real Servers.

Step 2: How to Configure the Real Server with Remote Desktop Services in Windows Server 2008 R1 or R2

This article refers to the Barracuda Load Balancer ADC and Microsoft Server 2008 R1 or R2 Standard, Enterprise, or Datacenter Edition. For prerequisites, refer to Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment.

Complete the following steps on each terminal server in the server farm to identify it as a Remote Desktop Session Host.

For Windows Server 2008 R2:

1. Go to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. On the main screen, near the bottom of the center pane, double-click Member of farm in RD Connection Broker.
3. Click the RD Connection Broker tab.
4. Select the Participate in Connection Broker Load-Balancing check box.
5. In the RD Connection Broker field, type the FQDN of the server that is running Session Broker.
6. In the Farm name field, enter a farm name. You must use the same farm name on every Remote Desktop Session Host.
7. Select Use Token Redirection from the drop-down list.
8. Select the check box for the IPv4 address of your Real Server.

For Windows Server 2008 R1:
1. Start Terminal Services Configuration. To do this, click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, double-click Member of farm in TS Session Broker.
3. On the TS Session Broker tab, select the Join a farm in TS Session Broker check box.
4. In the TS Session Broker server name or IP address box, type the name or the IP address of the server that is running TS Session Broker.
5. In the Farm name in TS Session Broker box, type the name of the farm that you want to join in TS Session Broker. You must use the same farm name on every Remote Desktop Session Host.
6. Clear the Participate in Session Broker Load-Balancing check box.
7. In the Network Adapter drop-down, select the IPv4 address of the Real Server.
8. Clear the Use IP address redirection check box.
9. Click OK.

Next Step

Go to Step 3: How to Configure the Remote Desktop Services.

Step 3: How to Configure Remote Desktop Services with Remote Desktop Services in Windows Server 2008 R1 or R2

Product Versions and Prerequisites

This article applies to the Barracuda Load Balancer ADC version 5.1 and Microsoft Server 2008 R1 or R2 Standard, Enterprise, or Datacenter Edition. For a full list of prerequisites for this deployment, see Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment.

Add the Remote Desktop Service on the active Barracuda Load Balancer ADC:
1. Go to the BASIC > Services page.
2. Add the RDP service, along with the real servers that are running the Remote Desktop Host Role. Click Add Service and enter the values in the corresponding fields. To add a real server, click Add Server and enter the IP address and port for the server.

   Name:           RDP
   Type:           Layer 7 - RDP
   IP Address:     IP address for the FQDN of your Remote Desktop Service, e.g., rdp.domain.local
   Port:           3389
   Server Monitor: Set Testing Method to RDP Test.
   Real Servers:   Internal IP address of each server.

Next Step

Go to Step 4: How to Test the Remote Desktop Services.

Step 4: How to Test the Installation of Remote Desktop Services in Windows Server 2008 R1 and R2

This article refers to the Barracuda Load Balancer ADC and Microsoft Server 2008 R1 or R2 Standard, Enterprise, or Datacenter Edition. For prerequisites, refer to Remote Desktop Services in Windows Server 2008 R1 or R2 Deployment.

Complete the following tests:
1. Create two test users that have permission to log into Remote Desktop Services (e.g., testuser1 and testuser2).
2. Using Remote Desktop Connection, connect testuser1 to the Virtual IP Address created in Step 3: How to Configure Remote Desktop Services with Remote Desktop Services in Windows Server 2008 R1 or R2.
3. Open Notepad and enter some text; do not close Notepad.
4. Click Start > Disconnect.
5. Connect testuser2 to the same Virtual IP Address.
6. Once testuser2 is logged in, click Start > Disconnect.
7. Log in testuser1 again and ensure it reconnects to the session with Notepad open.
8. Log in testuser2 again and ensure the session reconnects to the testuser2 session.

Your installation is now complete.

Moodle Deployment

Requirements

This article describes how to deploy your Barracuda Load Balancer ADC version 5.1 and above with Moodle 6 or earlier versions. This article assumes you are connected to the Barracuda Load Balancer ADC web interface and have an activated subscription.

Follow the steps in this guide to deploy the Barracuda Load Balancer ADC to increase the scalability and reliability of your Moodle deployment.

In this article:
- Terminology
- Moodle Services Deployment Options
- Deploy the Barracuda Load Balancer ADC for Moodle
  - Step 1. Install Moodle in a Clustered Environment
  - Step 2. Create Services on the Barracuda Load Balancer ADC
    - Create an Instant SSL Service
    - Create an HTTP Service
- Next Step
- Additional Resources

Terminology

Before you begin deploying the Barracuda Load Balancer ADC with Moodle, familiarize yourself with these terms:

Term: Moodle
Definition: Modular Object-Oriented Dynamic Learning Environment. A free software e-learning platform or course management system that provides easy-to-edit, secure, and structured course web sites.

Term: NFS
Definition: Network File System. Lets machines mount a disk partition on a remote machine as if it were a local disk. It allows for fast, seamless sharing of files across a network.

Term: Fully Qualified Domain Name (FQDN)
Definition: The unique name for a specific computer or host that can resolve to an IP address (e.g., ...).

Term: Service
Definition: A combination of a virtual IP (VIP) address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving over the specified port(s) is directed to one of the real servers associated with a particular service.

Term: Instant SSL
Definition: Instant SSL provides SSL (HTTPS) access to content on servers without having to modify the servers or the content on the servers. The Barracuda Load Balancer ADC rewrites the "http" links in the response to "https".

Moodle Services Deployment Options

Deployments of Moodle services are supported in either a one-armed or a two-armed topology. This can be either a single or multiple subnet configuration. Unless the users must directly access individual servers, it is recommended that you place the servers in one or more subnets that are reachable by an internal-facing port of the Barracuda Load Balancer ADC. If users must directly access individual servers, a one-armed deployment is recommended. Direct Server Return (DSR) is not supported in a Moodle services deployment.

You can create either an Instant SSL or HTTP service. If you want to force encryption for all connections to your Moodle servers, create an Instant SSL service. Otherwise, create an HTTP service.

The following diagram shows an example of how the Barracuda Load Balancer ADC can be deployed with Moodle services in a clustered environment.

[Figure: Sample Deployment]

Deploy the Barracuda Load Balancer ADC for Moodle

To deploy the Barracuda Load Balancer ADC for Moodle services in a clustered environment, complete the following steps:

Step 1. Install Moodle in a Clustered Environment

Install the latest Moodle software on the back-end servers. It is recommended that you place the database on a separate server. You can use either NFS or Samba to share the Moodle database between the database server and the back-end servers.

Step 2. Create Services on the Barracuda Load Balancer ADC

You can create either an Instant SSL or HTTP service. If you want to force encryption for all connections to your Moodle servers, create an Instant SSL service. Otherwise, create an HTTP service.

Create an Instant SSL Service

1. Log into the Barracuda Load Balancer ADC as the administrator.
2. Go to the BASIC > Certificates page and create the required certificate.
3. Go to the BASIC > Services page.
4. Click Add Service and enter the values in the corresponding fields:

   Name:              Moodle_InstantSSL
   Type:              Instant SSL
   IP Address:        The IP address of the FQDN that clients use to access the Moodle site. For example, ...
   Port:              ...
   HTTP Service Port: ...
   SSL Settings
     Certificates:        Select the certificate that you uploaded for the service.
   Load Balancing
     Persistence Type:    Select Source IP.
     Persistence Netmask: Enter: ...
   Instant SSL
     Secure Site Domain:  Enter the domain name of your Moodle server. If the internal and external domains are different, you can use wildcard characters. For example: *.barracuda.com
     Instant SSL:         Select On.

5. Click Add Server to configure the real servers. In the server settings, ensure that you:
   - Enter the IP addresses of the back-end servers. For example, ... and ...
   - Use port 80.
   - If traffic must be encrypted when it is passed to the real servers, enable Server uses SSL. Otherwise, non-encrypted traffic is passed to the real servers because the Barracuda Load Balancer ADC decrypts the incoming traffic.
6. If the Moodle server uses compression, configure the web translations. By default, the Barracuda Load Balancer ADC does not decompress encoded content. If the Moodle servers use compression, create an HTTP Request Rewrite condition to remove the Accept-Encoding header.
   a. Go to the TRAFFIC > Web Translations page.
   b. In the HTTP Request Rewrite section, create the following rule:

      Rule Name:         Remove_Encoding
      Sequence Number:   2
      Action:            Remove Header
      Header Name:       Accept-Encoding
      Old Value:         *
      Rewrite Condition: *

Create an HTTP Service

1. Log into the Barracuda Load Balancer ADC as the administrator.
2. Go to the BASIC > Services page.
3. Click Add Service and enter the values in the corresponding fields:

   Name:       Moodle_HTTP
   Type:       HTTP
   IP Address: The IP address of the FQDN that clients use to access the Moodle site.
   Port:       80
   Load Balancing
     Persistence Type:    Select Source IP.
     Persistence Netmask: Enter: ...

4. Click Add Server to configure the real servers. In the server settings, ensure that you:
   - Enter the IP addresses of the back-end servers. For example, ... and ...
   - Use port 80.

Next Step

You can configure authentication and access control for your applications. For more information, see Access Control.

Services

A Service is a combination of a Virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated port(s) for the specified VIP address is directed to one of the Real Servers that are associated with that particular Service. The Barracuda Load Balancer ADC determines which connections or requests are distributed to each Real Server based on the scheduling policy selected for the Service.

In this Section
- Services Overview
- Persistence Settings
- TCP Proxy, Secure TCP Proxy, and UDP Proxy
- FTP and FTP SSL Service
- HTTP Service and HTTPS Service
- Instant SSL Service
- SSL Offloading
- How to Secure Communication with Real Servers
- How to Select a Scheduling Policy
- How to Configure Adaptive Scheduling

Services Overview

In this article:
- Configuring Your First Service
- Associating Real Servers with a Service

A Service is a combination of a Virtual IP (VIP) address and one or more TCP/UDP ports. Traffic arriving at the designated port(s) for the specified VIP address is directed to one of the Real Servers that are associated with that particular Service. The Barracuda Load Balancer ADC determines which connections or requests are distributed to each Real Server based on the scheduling policy selected for the Service.

Configuring Your First Service

After you have determined your network configuration and installed your Barracuda Load Balancer ADC, including clustering if required, you can configure services on the BASIC > Services page. You create a Service by identifying a VIP address, port, and one or more Real Servers. You can also associate a security policy with the Service and specify a load balancing algorithm and persistence method to be used to load balance the traffic. Once you have created a Service, you can configure advanced settings (including Service type) by clicking Edit next to the Service.

If the creation of the Service is successful, the Service name appears in the BASIC > Services > Configured Virtual Services section with a green, orange, or red health indicator next to it.

Editing a Service

There are many additional settings associated with a Service; click the Edit icon on the Service entry in the table to view and modify these settings, including:
- Service name and type
- Security policies
- Scheduling policy
- Service monitor
- Persistence Settings
- Content rules
- SSL offloading
- Notifications if the number of functioning Real Servers drops below a threshold
- Inbound firewall rules

Associating Real Servers with a Service

You can identify the real servers that handle the traffic for a service when you create the service, or later using the BASIC > Services page. To edit advanced server settings, click Edit next to the real server in the Configured Virtual Services section. This is a partial list of the tasks you can do from this page:
- Change the server name, hostname, IP address and port.
- Set the operating status of the server, including terminating all existing connections immediately or allowing them to terminate naturally.
- If the real server is associated with an HTTP/HTTPS service, specify whether the real server accepts only HTTP/HTTPS requests that match a content rule.
- Change the static weight of the real server.
- Specify if the real server is using Direct Server Return.
- Require all communication between the real server and the Barracuda Load Balancer to be encrypted using SSL.
- Change or execute the Testing Method for the real server.
- Specify whether the source IP address of traffic sent to the real server is set to the client IP address (client impersonation) or the IP address of the Barracuda Load Balancer ADC.

Related Articles:
- How to Configure Adaptive Scheduling
- Understanding Testing Methods for Services and Real Servers

Persistence Settings

The Barracuda Load Balancer ADC supports multiple options to direct clients back to the same Real Server, depending on the Service type.

HTTP/HTTPS

There are a variety of supported persistence methods for HTTP/HTTPS sessions:

- Cookie Insert - Routes the first request from a client to one of the servers based on the load balancing algorithm. At the same time, it inserts a cookie to identify the client. Subsequent requests from the client include the persistence cookie, so they can be routed to the same server as the first request was.
- Cookie Passive - Similar to Cookie Insert, only the server inserts the cookie if needed. This provides additional optimization because requests are load-balanced normally unless there is a requirement to persist a session, which is indicated by the presence of a cookie.
- Source IP Address - Subsequent requests from a client with a recurring IP address or from systems in the same subnet go to the same Real Server.
- HTTP Header - All incoming HTTP requests are directed to the same Real Server based on the value of a header. The application (e.g., Microsoft Exchange) specifies the name of the header to be examined.
- URL Parameter - All incoming HTTP requests are directed to the same Real Server based on the value of the specified parameter in the URL.

Layer 4 - TCP, TCP Proxy, Secure TCP Proxy, Layer 4 - UDP, FTP or FTP SSL

Only Source IP Address persistence is supported. An individual source IP address can be used, or you can specify a subnet mask so that subsequent TCP connections or UDP datagrams from systems in the same subnet go to the same Real Server.

UDP Proxy

A UDP Proxy Service supports persistence using both Source IP Address and Client IP Port to distribute the traffic across all of the Real Servers. This helps mitigate the fact that many UDP applications involve all client requests coming from one client IP address.

Layer 7 - RDP

Session persistence is achieved by querying Windows Server 2003 Terminal Services Session Directory, Windows Server 2008 Terminal Services Session Broker or Windows Server 2008 R2 Session Broker. See Remote Desktop Services Load Balancing.

TCP Proxy, Secure TCP Proxy, and UDP Proxy

You can create a TCP Proxy Service, a Secure TCP Proxy Service or a UDP Proxy Service to make the Barracuda Load Balancer ADC act as a full TCP or UDP proxy. Using these Service types allows the Real Servers to be located anywhere, as long as they are reachable by the Barracuda Load Balancer ADC. See Deployment for examples of deployments using TCP and UDP Proxy Services. A Secure TCP Proxy Service provides SSL offloading.

FTP and FTP SSL Service

FTP Service

You can create a Service with type FTP to allow the Barracuda Load Balancer ADC to process FTP traffic from the clients to the servers. An FTP client connects to an FTP server to manipulate files on that server. Both passive and active FTP are supported.

If passive FTP is to be used, and if the Barracuda Load Balancer ADC is behind a NATing firewall, you should specify an IP address and one or more ports that are sent in the response to a PASV request from a client. The client connects to the specified IP address and port to receive the data. Usually this address is the external IP address that is translated by the firewall to the Virtual IP address of the FTP Service. The port(s) are those allowed by the firewall. Enter the IP address and port(s) on the Service Detail page.

FTP SSL Service

A Service with type FTP SSL supports encrypted FTP traffic. It only supports passive, not active, FTP.

HTTP Service and HTTPS Service

In this article:
- Introduction
- Direct HTTP Requests Based on Content Rules

- Content Rule Execution
- Content Rule Caching and Compression
- Modify HTTP Requests and Responses
- Rule Execution Order
- Configure Caching
- Configure Compression
- Host Multiple Domains with one Service
  - Server Name Indication (SNI)
  - Wildcard Certificates
  - Subject Alternative Name (SAN) Certificates

Introduction

HTTP or HTTPS traffic can be handled to a varying degree by the Barracuda Load Balancer ADC before it is directed to a web server. The handling differs based on the type of the Service that receives the traffic.

Choose a Layer 4 - TCP Service type if you want the traffic simply redirected to the web servers using only source IP based persistence. This requires a two-armed deployment. If you only need source IP based persistence but want to use a one-armed deployment, choose a TCP Proxy Service type.

To take advantage of Layer 7 handling such as directing requests based on content rules, inspecting and modifying HTTP headers, SSL offloading, or persistence based on cookies, choose either HTTP (for HTTP traffic) or HTTPS (for HTTPS traffic). The rest of this section describes the processing options.

Direct HTTP Requests Based on Content Rules

Content rules are used to direct HTTP requests to specific Real Servers associated with an HTTP/HTTPS Service. This functionality is also known as content switching or URL switching. A content rule includes:
- One or more expressions that specify a pattern in the host, URL or header fields of the request
- The Real Server or Servers that handle the matching request
- The load balancing algorithm used to direct requests to the Real Servers
- Persistence: None, Cookie Insert, Cookie Passive, HTTP Header, URL Parameter or Source IP address

Use these rules to partition requests to Real Servers that deliver different types of data, such as:
- Content optimized for a mobile device
- Content in a particular language
- Images or video
- Data that is maintained on different servers but that you want to appear to have come from one source

Create a content rule by clicking Rule next to an HTTP/HTTPS Service on the BASIC > Services page. This option only appears next to a Service that has at least one Real Server associated with it. Click Edit next to the rule name on the BASIC > Services page to edit an existing content rule.

You can edit one or more Real Servers from the BASIC > Services page to accept only HTTP requests that match a content rule. Requests that fail to match any rule are directed to the Real Servers for the Service that are not configured to exclusively handle requests that match a content rule. For example, a Real Server which only delivers images can be configured to accept only HTTP requests that match a content rule.

Content Rule Execution

There are up to three types of patterns in each content rule: host match, URL match, and extended match. Extended matches are compared to values in the HTTP header. If there are multiple rules for a Service, the most specific host and URL match will be executed. For example, if a Service has these two rules:
- Rule A - host ..., URL /images/*
- Rule B - host ..., URL /images/*.png
and the incoming request is for ..., then the most specific matching rule, which is Rule B, is executed.

If a rule has the most specific host and URL for a request, any extended match expressions for that rule are evaluated in the order established by the Extended Match Order field. If the request does not match any extended match expression for the rule, then the request is considered to have failed to match any rule.
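The selection just described (most specific host and URL match wins, its extended matches are then tried in order, and a request that matches no rule falls through to the Real Servers that are not restricted to a rule), as an added Python model that is not Barracuda's code. The rule names, hosts, header patterns, the specificity measure (count of literal characters in a pattern) and shell-style glob matching in place of the ADC's own expression syntax are constructed assumptions.

```python
# Added example, not Barracuda code: a model of how an HTTP/HTTPS Service picks
# the content rule for a request. Hosts, rule names, header patterns, glob
# matching and the specificity measure are constructed assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class ContentRule:
    name: str
    host: str                 # host match, glob: "www.example.com", "*.example.com"
    url: str                  # URL match, glob: "/images/*.png"
    servers: List[str]        # Real Servers that handle matching requests
    # extended match expressions on request headers, in Extended Match Order
    extended: List[Tuple[str, str]] = field(default_factory=list)


def specificity(pattern: str) -> int:
    """More literal characters == more specific ("/images/*.png" beats "/images/*")."""
    return sum(1 for ch in pattern if ch not in "*?")


def select_rule(rules: List[ContentRule], host: str, path: str,
                headers: Dict[str, str]) -> Optional[ContentRule]:
    """Return the rule that handles the request, or None (falls to default servers)."""
    host = host.lower()
    # 1. collect rules whose host and URL patterns both match
    candidates = [r for r in rules
                  if fnmatchcase(host, r.host.lower()) and fnmatchcase(path, r.url)]
    if not candidates:
        return None
    # 2. the most specific host + URL match wins; earlier rule wins a tie
    best = max(candidates, key=lambda r: (specificity(r.host), specificity(r.url)))
    # 3. extended matches are tried in order; if the rule has some and none
    #    matches, the request counts as having matched no rule at all
    if not best.extended:
        return best
    lowered = {k.lower(): v for k, v in headers.items()}
    for header, pattern in best.extended:
        if fnmatchcase(lowered.get(header.lower(), ""), pattern):
            return best
    return None


def route(rules: List[ContentRule], default_servers: List[str], host: str,
          path: str, headers: Optional[Dict[str, str]] = None) -> Tuple[str, List[str]]:
    """Name of the applied rule (or 'default') and the Real Servers eligible for it."""
    rule = select_rule(rules, host, path, headers or {})
    if rule is None:
        return "default", default_servers
    return rule.name, rule.servers


# Constructed rule set for one Service (not from the page)
RULES = [
    ContentRule("Rule A", "www.example.com", "/images/*", ["img-1"]),
    ContentRule("Rule B", "www.example.com", "/images/*.png", ["png-1", "png-2"]),
    ContentRule("Rule C", "*.example.com", "/*", ["mobile-1"],
                extended=[("User-Agent", "*Mobile*")]),
]
DEFAULT_SERVERS = ["web-1", "web-2"]  # Real Servers not restricted to a content rule

if __name__ == "__main__":
    for host, path, hdrs in [
        ("www.example.com", "/images/logo.png", {}),
        ("www.example.com", "/images/logo.gif", {}),
        ("m.example.com", "/index.html", {"User-Agent": "Mozilla/5.0 (Mobile)"}),
        ("m.example.com", "/index.html", {"User-Agent": "curl/8.0"}),
    ]:
        print(host, path, "->", route(RULES, DEFAULT_SERVERS, host, path, hdrs))
```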

The possible values for the content rules can be found in the online help. A detailed description of the extended match syntax can be found in How to Use Extended Match and Condition Expressions.

Content Rule Caching and Compression

You can enable caching and compression on the data that matches a content rule using the TRAFFIC > HTTP Caching and TRAFFIC > HTTP Compression pages.

Modify HTTP Requests and Responses

You can set up rules to modify HTTP requests and responses that pass through the Barracuda Load Balancer ADC. These rules, which are associated with an HTTP/HTTPS Service, are listed on the TRAFFIC > Web Translations page.

One HTTP request rewrite rule is created automatically. It sets the X-Forwarded-For header to the IP address of the client. The Real Server can examine the X-Forwarded-For header to discover the true identity of the requestor, rather than using the sending IP address, which is the IP address of the Barracuda Load Balancer ADC. You can create response rewrite rules to remove server banners or other header or body information which you do not want the clients to see.

The actions which can be performed by the request rewrite rules are:
- Insert Header - Inserts a header in the request.
- Remove Header - Removes the header from the request.
- Rewrite Header - Rewrites the value of the header in the request.
- Rewrite URL - Rewrites the request URL to the URL specified in the rule.
- Redirect URL - Redirects the request to the URL specified in the rule and sends that redirect back to the client.

Only the first three actions are valid for response header rewrite rules. Response body rules allow any text string (the content-type must begin with text/) in an outbound HTTP response body to be rewritten. The online help for the TRAFFIC > Web Translations page lists the syntax for the rules. In addition, a detailed description of the condition expressions, which specify when the rewrite should occur, is found in Extended Match and Condition Expressions.
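On the Real Server side, the header is only meaningful when the request really arrived through the ADC, since anything that reaches the server by another path can carry an arbitrary X-Forwarded-For value. An added Python helper (not Barracuda or application code) that honours the header only when the TCP peer is the ADC; the ADC address 10.0.0.5 and the sample requests are constructed assumptions.

```python
# Added example, not Barracuda or application code: how a Real Server behind the
# ADC should consume the X-Forwarded-For header that the automatic request
# rewrite rule sets. The ADC address and sample requests are constructed.
import ipaddress
from typing import Dict, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Peers allowed to vouch for a client address: the ADC itself. With an HTTP/HTTPS
# Service the TCP source seen by the Real Server is the ADC, not the client.
TRUSTED_PROXIES: Tuple = (ipaddress.ip_network("10.0.0.5/32"),)


def _is_trusted(ip: IPAddr) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Address to log and to apply access control to.

    X-Forwarded-For is only honoured when the TCP peer is the ADC; a request
    that reaches the server directly or through an unknown proxy may carry any
    value in that header, so its remote_addr is used unchanged. When several
    hops are listed, the rightmost address that is not a trusted proxy is the
    client the ADC actually talked to.
    """
    peer = ipaddress.ip_address(remote_addr)
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    if not _is_trusted(peer) or not xff.strip():
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr        # malformed header: trust none of it
        if not _is_trusted(ip):
            return str(ip)
    return remote_addr                # every listed hop was a proxy


if __name__ == "__main__":
    # constructed requests: via the ADC, direct with a header set, and chained
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"}))
    print(client_ip("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}))
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "203.0.113.9, 198.51.100.7"}))
```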
Rule Execution Order

Content rules are evaluated first on incoming HTTP traffic. The rules on the TRAFFIC > Web Translations page are evaluated second.

Configure Caching

Caching is a process of storing commonly used information in local memory for quick retrieval rather than sending repeated requests to the web server for the same information. This can improve performance (sometimes dramatically) and reliability. It also reduces the resource utilization on the web servers. Caching can store web pages and commonly used objects such as graphics files. Caching provides the following benefits:
- Reduced latency when retrieving web content.
- An overall reduction in bandwidth and server load.
- Automatic identification and replication of site content.

By default, caching is disabled, but you can enable caching on any HTTP/HTTPS Service or content rule on the TRAFFIC > HTTP Caching page. For each Service or content rule you can specify a set of parameters that determine what is cached.

Configure Compression

Compression improves the response time for clients accessing the service over slow links. Enabling this feature compresses web pages that use HTML, JavaScript, Java and other text-based languages, resulting in a reduction in download time. By default, compression is disabled, but you can enable compression on any HTTP/HTTPS Service or content rule on the TRAFFIC > HTTP Compression page. For each Service or content rule you can specify the content types and minimum response size to be compressed. Barracuda Networks recommends enabling compression for text based content-types like text/plain, text/html, etc.

Host Multiple Domains with one Service

Hosting multiple SSL-enabled sites on a single server usually requires a unique IP address for each domain, but the Barracuda Load Balancer ADC supports three alternative ways to host multiple domains on one Service. This is particularly useful in a virtual hosting scenario, where you may have several domains hosted on a single Real Server, using the same IP address. These methods are:

- Server Name Indication (SNI)
- Wildcard certificates
- Subject Alternative Name (SAN) certificates

Server Name Indication (SNI)

SNI extends the SSL/TLS protocol to solve the issue of hosting multiple domains on the same IP address. If each domain has a distinct SSL certificate, there needs to be a way for the Real Server to select the proper certificate for a particular domain. The virtual domain information is sent as part of the SSL/TLS negotiation between the client and server. Clients supporting this extension send the domain name when initializing a secure SSL session. The server side component looks at the domain name and sends the corresponding certificate to the client.

For SNI to work properly, both the client browser and the web servers must support the SNI extension. SNI is already supported on most major browser platforms, and on both Apache and IIS.

With SNI, you can use the Barracuda Load Balancer ADC to assign any number and any type of certificates (single, wildcard or SAN) to a single Barracuda Load Balancer ADC Service. SNI support applies only to Services with type HTTPS. To enable SNI, edit the Service and change the setting on the Service Detail page. On the same page, you can enter multiple domain names and associate a certificate with each one. Client requests for domains that are not associated with any certificate get the default certificate. You can add as many certificates to the Service as needed.

Wildcard Certificates

Another alternative is to use wildcard certificates. This allows you to use a single certificate for sub-domains within a domain. If you use a wildcard certificate, you only have to set up a single Service on the Barracuda Load Balancer ADC to serve multiple sub-domains. For example, you can configure a single HTTP/HTTPS Service using a wildcard certificate, such as *.example.com, for ... or example.com.

On the negative side, wildcard certificates:
- Are more expensive (typically 3-5x more expensive than single domain certificates).
- Cannot support multiple domains that are distinct from each other, such as ... and .... Multi-domain support is especially critical for web hosting providers or Managed Service Providers (MSP) who may have multiple virtual web servers representing numerous domains on a single physical server using a single IP address.
- Cannot secure host names on different base domains, such as ... and ....

Subject Alternative Name (SAN) Certificates

SAN certificates fall between a wildcard certificate and a single domain certificate, as each certificate allows you to specify a list of domain names to be protected. A SAN certificate for ... could have the domains ... and ... listed as alternative names for the same Service. On the negative side, SAN certificates are more expensive than single domain certificates and are often limited to 3-5 domains. More importantly, not all Certificate Authorities sell SAN enabled certificates.

Instant SSL Service

Product Version

This article applies to the Barracuda Load Balancer ADC version 5.1 and above.

The Instant SSL service redirects an HTTP connection to an HTTPS service. When you add an Instant SSL service, it appears as only one service in the user interface, but two services are created: an HTTPS service on port 443 and a non-SSL redirect service on port 80.

In the Instant SSL service settings, you must specify at least one secured site domain whose links must be converted from http to https. When the redirect service receives a request for the specified domain, it forwards the request to the service on port 443/HTTPS, which then forwards the request to the servers. In any responses, the HTTPS service rewrites HTTP links to HTTPS links. For example, a link to a.com/ over HTTP is rewritten to HTTPS in outgoing responses.

The service also provides an additional rewrite option named SharePoint Rewrite Support for Microsoft SharePoint applications. Normally, an Instant SSL Service rewrites the HTTP links in the responses to HTTPS using HTML tags, like href. However, SharePoint applications also insert hyperlinks outside the basic HTML tags. You can enable SharePoint Rewrite Support to ensure that HTTP links outside HTML tags are also properly rewritten to HTTPS.
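The two rewrite behaviours just described, as an added Python example that is not the ADC's implementation: by default only links inside HTML attributes such as href are rewritten, and only for hosts under a configured secure site domain, while the SharePoint mode rewrites matching http links wherever they occur in the body. The secure site domain list, the wildcard handling and the sample response body are constructed assumptions.

```python
# Added example, not the ADC's implementation: Instant SSL response rewriting in
# its default form (HTTP links inside HTML attributes) and with SharePoint
# Rewrite Support (links anywhere in the text). Domains and sample body are
# constructed assumptions.
import re
from fnmatch import fnmatchcase
from typing import List

# group 1: attribute prefix (empty in the "anywhere" pattern); group 2: host
_ATTR_LINK = re.compile(r"""(\b(?:href|src|action)\s*=\s*["'])http://([^/"'\s:<>]+)""",
                        re.IGNORECASE)
_ANY_LINK = re.compile(r"""()http://([^/"'\s:<>]+)""", re.IGNORECASE)


def is_secured(host: str, secure_domains: List[str]) -> bool:
    """Does the host fall under a configured Secure Site Domain (wildcards allowed)?"""
    return any(fnmatchcase(host.lower(), d.lower()) for d in secure_domains)


def rewrite_http_links(body: str, secure_domains: List[str],
                       sharepoint_rewrite: bool = False) -> str:
    """Rewrite http:// links for secured domains to https:// in a text/* body."""
    pattern = _ANY_LINK if sharepoint_rewrite else _ATTR_LINK

    def repl(m):
        prefix, host = m.group(1), m.group(2)
        if not is_secured(host, secure_domains):
            return m.group(0)          # links to other sites are left alone
        return f"{prefix}https://{host}"

    return pattern.sub(repl, body)


# Constructed response body, not taken from the page
SAMPLE_BODY = """<a href="http://moodle.example.com/login/">Login</a>
<img src="http://cdn.other.org/logo.png">
<script>var base = 'http://moodle.example.com/lib/';</script>
"""

if __name__ == "__main__":
    print(rewrite_http_links(SAMPLE_BODY, ["*.example.com"]))
    print(rewrite_http_links(SAMPLE_BODY, ["*.example.com"], sharepoint_rewrite=True))
```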

SSL Offloading

Product Version

This article applies to the Barracuda Load Balancer ADC version 5.1 and above.

The Barracuda Load Balancer ADC can decrypt incoming SSL traffic to reduce the load on the real servers. Traffic coming from the real servers is also encrypted and sent to the client. No SSL configuration on the real servers is necessary; all SSL certificates are stored on the Barracuda Load Balancer ADC. Web applications and any TCP application using a TCP Proxy service type can take advantage of SSL offloading. SSL offloading is not compatible with Direct Server Return.

You can configure SSL offloading when creating or editing any secure service type (e.g., Secure TCP Proxy, HTTPS). To configure SSL offloading, configure the real servers for the service to use port 80 and disable SSL:
1. Go to the BASIC > Certificates page and ensure that a certificate has been uploaded to the Barracuda Load Balancer ADC for the service. Upload one SSL certificate for each service. A certificate can be ordered from a trusted Certificate Authority such as VeriSign. If SSL processing was previously done on the server, then retrieve the certificate from that server.
2. Go to the BASIC > Services page and either create or edit the secure service with its real servers:
   a. In the SSL Settings section of the service settings, ensure that the SSL certificate has been selected.
   b. In the settings of the servers that you add for the service, use Port 80 and set Server Uses SSL to No.

How to Secure Communication with Real Servers

If you want all communication between the Barracuda Load Balancer ADC and the real servers to be encrypted using SSL, you can configure this on a per-server basis. This is also known as back-end SSL. To configure the Barracuda Load Balancer ADC to encrypt the data sent to a server:
1. Copy the certificate from each server, and upload the certificate to the BASIC > Certificates page as a back-end certificate.
2. On the BASIC > Services page, edit each real server for the secure service and specify that the server uses SSL. Select the certificate that you uploaded. If necessary, change the port used by the real server.

How to Select a Scheduling Policy

In this article:
- Adaptive Scheduling
- Pre-Assigned Weight
- Scheduling Policies
- Scheduling for a Service with type Layer 7 - RDP
- Viewing Current Connections

The Barracuda Load Balancer ADC supports multiple scheduling methods to determine which Real Server associated with a Service gets the next new connection. On an ongoing basis each Real Server is assigned a weight, which indicates the proportion of the load that this Real Server will bear relative to other Real Servers. Weights are either calculated dynamically using Adaptive Scheduling, or they are pre-assigned. These Real Server weights are then used by the scheduling algorithm, which is either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets the next connection.

Adaptive Scheduling

The Adaptive Scheduling feature polls the Real Servers frequently and assigns weights to those Real Servers using the information gathered. The parameter polled may be:
- CPU Load, determined by an SNMP query. If you wish to use this and you have Real Servers running a version of Windows, refer to How to Configure Adaptive Scheduling.
- Number of Windows Terminal Server sessions, determined by an SNMP query. In order to use this option, Real Servers must allow the Barracuda Load Balancer ADC SNMP access to the community specified in the SNMP Community String box. This option is not available if the Service type is Layer 7 - RDP.

94 if the Service type is Layer 7 - RDP. A URL provided by each Real Server which specifies a load value. If this option is selected, the Barracuda Load Balancer ADC will poll the URL Server IP Address]/barracuda_load/ and expect the output to look like LOAD=23 (showing the load as an integer betwe 0 and 100). Weights are assigned to each Real Server using the formula (100LOAD). For example, if the Load URL value is 23, the Real Server is assigned a weight of 77. In order for the URL query to work, you must create a load determination script and make the results available by running a web server on the Real Server that responds to the poll at the Real Server s IP address and port 80. If, for example, all Real Servers have the same value for CPU load, th the Real Servers will be assigned the same weight. These weights will change as the value of the CPU Load for each Real Server varies. Configure adaptive scheduling for a Service by editing it using the BASIC > Services page. On the Service page, select the adaptive scheduling algorithm to use wh making weight adjustmts. Pre-Assigned Weight As an alternative to adaptive scheduling, static weights for each Real Server can be used. If some of the Real Servers are faster or have more capacity than others, you can tell the Barracuda Load Balancer ADC to direct more traffic to them by increasing their weight relative to the other Real Servers. Configure the static weight for a Real Server by editing it on the BASIC > Services page. On the Server Configuration page, ter a weight value to be compared against the weights of all other Real Servers for this Service. For example, a Real Server with a weight of 50 will get half the amount of traffic as a Real Server with a weight of 100, but will get twice that of a Real Server with a weight of 25. If the Service is configured to use adaptive scheduling, these static weight values are ignored. 
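The following Python script is an added example and is not part of the Barracuda documentation or product. It puts the two weight sources and the two scheduling algorithms described in this article side by side: weight_from_load() applies the (100 - LOAD) formula to a Load URL reply and rejects malformed or out-of-range replies, SmoothWRR generates a Weighted Round-Robin sequence in which each Real Server is chosen exactly weight times per cycle, and weighted_least_connections() picks the server with the fewest live connections relative to its weight. The server names, weights and connection counts are constructed, and the tie-breaking and interleaving rules are the example's own choices; the appliance's exact sequence generator is not documented here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reply format the Load URL poll expects, e.g. "LOAD=23" (0..100).
_LOAD_RE = re.compile(r"^LOAD=(\d{1,3})$")


def weight_from_load(reply: str) -> Optional[int]:
    """Turn a Load URL reply into a Real Server weight using 100 - LOAD.

    Returns None for anything that is not exactly LOAD=<0..100>, so a
    broken or tampered load script leaves the server without a weight
    instead of being assigned a guessed one.
    """
    match = _LOAD_RE.match(reply.strip())
    if match is None:
        return None
    load = int(match.group(1))
    if load > 100:
        return None
    return 100 - load


@dataclass
class RealServer:
    name: str
    weight: int                # static weight, or 100 - LOAD under adaptive scheduling
    live_connections: int = 0  # what the ADC tracks for Weighted Least Connections


class SmoothWRR:
    """Weighted Round-Robin over a cycle of sum(weights) picks.

    Each pick adds every server's weight to its running score, takes the
    highest score, then subtracts the total from the winner. Over one full
    cycle a weight-100 server is chosen exactly 100 times, a weight-50
    server exactly 50 times, and the picks are interleaved rather than
    batched (constructed choice, not the appliance's documented generator).
    """

    def __init__(self, servers: List[RealServer]) -> None:
        self.servers = [s for s in servers if s.weight > 0]
        self.total = sum(s.weight for s in self.servers)
        self.score: Dict[str, int] = {s.name: 0 for s in self.servers}

    def next_server(self) -> RealServer:
        for s in self.servers:
            self.score[s.name] += s.weight
        chosen = max(self.servers, key=lambda s: self.score[s.name])
        self.score[chosen.name] -= self.total
        return chosen


def wrr_cycle_counts(servers: List[RealServer]) -> Dict[str, int]:
    """Count how often each server is picked over one full WRR cycle."""
    wrr = SmoothWRR(servers)
    counts = {s.name: 0 for s in wrr.servers}
    for _ in range(wrr.total):
        counts[wrr.next_server().name] += 1
    return counts


def weighted_least_connections(servers: List[RealServer]) -> RealServer:
    """Pick the server whose live connections are lowest relative to weight.

    A weight-100 server with 40 connections (0.40 per weight unit) loses to
    a weight-50 server with 10 (0.20) even though its weight is larger.
    Ties fall back to name order (constructed choice).
    """
    eligible = [s for s in servers if s.weight > 0]
    if not eligible:
        raise ValueError("no Real Server has a positive weight")
    return min(eligible, key=lambda s: (s.live_connections / s.weight, s.name))


def adaptive_weights(replies: Dict[str, str]) -> List[RealServer]:
    """Build the server list from Load URL replies, dropping servers whose
    reply could not be parsed (the poll failed or returned garbage)."""
    servers = []
    for name, reply in replies.items():
        weight = weight_from_load(reply)
        if weight is not None:
            servers.append(RealServer(name, weight))
    return servers


if __name__ == "__main__":
    # Constructed poll results: two healthy replies and one bad one.
    polled = {"web1": "LOAD=23", "web2": "LOAD=50", "web3": "busy"}
    pool = adaptive_weights(polled)                 # web1=77, web2=50
    print("WRR cycle:", wrr_cycle_counts(pool))     # {'web1': 77, 'web2': 50}
    pool[0].live_connections, pool[1].live_connections = 40, 10
    print("WLC pick:", weighted_least_connections(pool).name)  # web2
```

Run it as a script to see the cycle counts and the least-connections pick; the point of the bad "busy" reply is that a server whose load script fails is left out of the pool rather than silently given a weight of 100.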
Scheduling Policies
The Barracuda Load Balancer ADC considers the weight values for the Real Servers and then applies a scheduling algorithm, either Weighted Round-Robin or Weighted Least Connections, to determine which Real Server gets the next connection.

In Weighted Round-Robin, Real Servers with higher weights get more connections than those with lower weights, and Real Servers with equal weights get equal connections. The scheduling sequence is generated according to the Real Server weights, and new connections are directed to the different Real Servers in a round-robin manner based on that sequence. The shortcoming of this method is that it counts connections, not their duration, so a majority of long-lived connections may end up on the same Real Server.

In Weighted Least Connections, the Barracuda Load Balancer ADC considers the number of live connections that each Real Server has as well as the weight values. Real Servers with higher weight values receive a larger percentage of the live connections at any one time. The Barracuda Load Balancer ADC dynamically checks the number of live connections for each Real Server. Weighted Least Connections is the recommended choice.

To configure whether Weighted Round-Robin or Weighted Least Connections is used for a Service, edit the Service on the BASIC > Services page.

Scheduling for a Service with type Layer 7 - RDP
If the Service type is Layer 7 - RDP, the Barracuda Load Balancer ADC keeps track of the number of RDP sessions on each Real Server. This number is used in conjunction with the Real Server weights when selecting which Real Server gets the next new session. The Real Server weights are determined by one of these methods: executing an SNMP GET for the CPU load on the Real Servers; polling a URL provided by each Real Server which specifies a load value; or retrieving pre-configured static weights (from the Real Server Detail page). The number of active RDP sessions and the Real Server weights are used as input to the Weighted Round-Robin or Weighted Least Connections algorithm. On the Service page, the Terminal Sessions adaptive scheduling option is disabled for Layer 7 - RDP Services: because the number of RDP sessions on each Real Server is maintained internally, there is no need for the adaptive scheduling algorithm to issue an SNMP query to get the number of active Windows Terminal Server sessions.

Viewing Current Connections
To see the number of current open connections/requests/sessions for each Service and each Real Server, navigate to the BASIC > Server Health page. The bars on the page display the approximate percentage of all traffic that is currently connected to each Service or Real Server. Sometimes it may appear that a Real Server is handling more traffic than it should based on its calculated weight. This is caused by persistence: if clients that were previously connected reconnect within a short period of time, they are directed to the same Real Server regardless of its current load.

How to Configure Adaptive Scheduling
The Barracuda Load Balancer ADC provides a method for dynamic weighting based on the load of each Real Server, called Adaptive Scheduling. When enabled, the Barracuda Load Balancer ADC polls the Real Servers frequently and assigns weights to those Real Servers using the information gathered. Select from the following options:
None
SNMP CPU
About the Windows SNMP Agent
About SNMP on Linux Systems
Load URL
Terminal Sessions

None
None is the default value for Adaptive Scheduling. When set to None, Adaptive Scheduling is disabled.

SNMP CPU
This scheduling method polls the SNMP OID for CPU load and adjusts the Real Server weights accordingly. Weights are assigned to each Real Server using the formula (100 - load). For example, if the CPU load is 23, the Real Server is assigned a weight of 77. The Real Servers must have an SNMP agent installed that supports the SNMP OID for CPU load. You may need to install an SNMP agent and possibly an agent extension on your Real Servers. The Barracuda Load Balancer ADC has a default OID for Linux and a different default OID for Windows, but you can customize these by editing the Service. Additionally, the Real Servers must:
Allow access using the community name specified in the SNMP Community String field on the Service Detail page. Note: The Real Servers must use a community string of public.
Make SNMP available on the standard SNMP port of 161.
Allow SNMP read access by the corresponding custom virtual interface IP address of the Barracuda Load Balancer ADC.
About the Windows SNMP Agent
The Windows SNMP agent that comes with Microsoft Windows 2003 or higher does not support the required OID for CPU load. Because of this, you need to install either an extension to the Windows SNMP agent or a new SNMP agent that supports the CPU load OID on the Windows servers. Some administrators have successfully installed the SNMP Informant Standard agent, which is a free SNMP extension agent available from Informant Systems, Inc. It runs in conjunction with the Windows SNMP agent and supports the OID for CPU load.

About SNMP on Linux Systems
If you have Linux servers, make sure that you have an SNMP agent installed and running. Several Barracuda customers have reported successful use of Net-SNMP, which supports the OID for CPU load.

Load URL
This scheduling method polls a URL which returns a load value. When selected, the Barracuda Load Balancer ADC polls the URL http://[Real Server IP Address]/loadpage, where loadpage is the directory or page name specified in the Load URL box. The result from the poll should look like LOAD=23 (showing the load as an integer between 0 and 100). Weights are assigned to each Real Server using the formula (100 - load). For example, if the Load URL value is 23, the Real Server is assigned a weight of 77. In order for the URL request to work, each Real Server must be running a web server that responds to the poll at the Real Server's IP address and port 80.
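The load determination script that the Load URL method depends on is not supplied with the documentation. The following Python script is an added example (not Barracuda code) of a minimal one for a Linux Real Server: it serves LOAD=<0..100> at /barracuda_load/ on port 80, derives the figure from the 1-minute load average divided by the CPU count, and answers only the address of the Barracuda Load Balancer ADC so that the server's load is not disclosed to anyone else who can reach port 80. The ADC_ADDRESSES value, the path, and the load-average-to-percentage mapping are assumptions to adjust for your environment; the path must match what you enter in the Load URL box.

```python
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path the ADC polls; must match the Load URL box (default shown in the article).
LOAD_PATH = "/barracuda_load/"
# Assumed custom virtual interface IP of the ADC; only these callers get an answer.
ADC_ADDRESSES = {"10.0.0.5"}


def load_percent(loadavg_1m: float, cpu_count: int) -> int:
    """Map a 1-minute load average onto the 0..100 integer the ADC expects.

    100 means that, on average, every CPU has one runnable task queued.
    Anything above is clamped so the derived weight (100 - LOAD) is never
    negative; anything below zero (impossible for loadavg, but cheap) is
    clamped to zero.
    """
    if cpu_count < 1:
        cpu_count = 1
    pct = round(100 * loadavg_1m / cpu_count)
    return max(0, min(100, pct))


def load_body(pct: int) -> bytes:
    """Format the reply exactly as documented: LOAD=<integer>, nothing else."""
    return f"LOAD={pct}".encode("ascii")


def current_load_body() -> bytes:
    one_min = os.getloadavg()[0]  # POSIX only; Windows hosts need a different source
    return load_body(load_percent(one_min, os.cpu_count() or 1))


class LoadHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # Only the ADC should learn how busy this server is.
        if self.client_address[0] not in ADC_ADDRESSES:
            self.send_error(403)
            return
        if self.path != LOAD_PATH:
            self.send_error(404)
            return
        body = current_load_body()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")  # every poll must see fresh load
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args) -> None:
        pass  # keep the frequent polls out of the log


if __name__ == "__main__":
    # The ADC polls port 80, so this needs root or CAP_NET_BIND_SERVICE.
    HTTPServer(("0.0.0.0", 80), LoadHandler).serve_forever()
```

Because the ADC treats whatever the script returns as the server's load, the script is effectively part of the scheduling decision: a host that could spoof or tamper with this response could steer traffic away from (or onto) the server, which is why the example restricts callers rather than answering everyone.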

Terminal Sessions
This scheduling method dynamically redistributes connections between Windows Terminal Servers based on the number of sessions per server, determined by an SNMP query. The Real Servers must:
Allow access using the community name specified in the SNMP Community String field on the Service Detail page.
Make SNMP available on the standard SNMP port of 161.
Allow SNMP read access by the corresponding custom virtual interface IP address of the Barracuda Load Balancer ADC.

Access Control
Feature Availability
Access control is only available for the Barracuda Load Balancer ADC 540 and above, version 5.1 and above.

On the Barracuda Load Balancer ADC 540 and above, you can integrate external authentication servers and configure authorization policies to control the access of end users to your web applications. LDAP, RADIUS, and Kerberos authentication protocols are supported.
Overview of Access Control
Configuring Access Control

Overview of Access Control
To access resources from an application, users must:
Provide a username and password for validation by an authentication server that has been integrated for the application's service.
Have access privileges from an authorization policy that has been configured for the application's service.

After a user's initial request to the application, the user must complete and send a login form with a valid username and password. The Barracuda Load Balancer ADC compares the submitted information with information from the external authentication server. If two-factor authentication is configured, the user is also redirected to a challenge page to enter the additional credentials (e.g., PIN or passcode). If the user fails authentication, the user is redirected to a failed authorization page. If the user is successfully authenticated, the user receives a cookie and is redirected to a success page. Any requests from the authenticated user must then be allowed by an authorization policy.

When the Barracuda Load Balancer ADC receives a request, it compares the request to all authorization policies. Policies are matched to requests by URL, host, and other expressions. Policies also contain lists of allowed and restricted users and groups. If a matching policy allows the user access to the requested resource, the Barracuda Load Balancer ADC forwards the request to the application server. If a matching policy denies the user access to the requested resource, the user is redirected to a denied authorization page.

Configuring Access Control
For instructions on configuring access control and options such as single sign-on, custom login pages, and two-factor client authentication with SMS PASSCODE, see these articles:
How to Configure Authentication and Access Control (AAA)
How to Configure Single Sign-On (SSO)
How to Set Up a Custom Login Page for Authentication
How to Configure SMS Passcode Authentication Service
How to Set Up a Custom Challenge Page for Authentication

How to Configure Authentication and Access Control (AAA)
Required Product Model and Version
This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above.

On the Barracuda Load Balancer ADC, integrate an external authentication server and associate it with a service to authenticate end users of a web application. LDAP, RADIUS, and Kerberos authentication protocols are supported. Then create authorization policies to allow or deny requests from authenticated users. In the policies, specify the URL, host, and other expressions which match the requests to be handled, as well as a list of allowed and restricted users.

In this article:
Step 1. Integrate the External Authentication Server
Step 2. Assign the Authentication Service to a Web Service
Step 3. Configure an Authorization Policy for the Service
Additional Authentication Options

Step 1. Integrate the External Authentication Server
Create an authentication service to connect with and get information about users from your existing external authentication server.

LDAP
Lightweight Directory Access Protocol (LDAP) is used for storing and managing distributed directory information in a network. LDAP is commonly used to provide a single sign-on solution. It follows the same X.500 directory structure as Microsoft Active Directory (MSAD). To add an LDAP authentication service, identify a user who can query the LDAP directory, and specify the parameters for looking up information about users.

To integrate the Barracuda Load Balancer ADC with an LDAP server:
1. Go to the ACCESS CONTROL > Authentication Services page, and click the LDAP tab.
2. In the settings, specify:
An alias for the server.
The IP address, port, and connection type for connecting to the LDAP server. Choose an encrypted connection type where the directory supports it, because the bind password and every end user's password travel over this connection.
The Bind DN, Bind password, and login attribute for a user who has read access to all users in the LDAP directory.
The attributes and filters used to look up and authenticate end users.
3. Click Test LDAP to verify that a connection can be established with the LDAP server. The test results display at the bottom of the page. If the test fails, re-enter and re-test the LDAP settings.
4. Click LDAP Discovery to verify that users can be found with the attributes and filters that you entered. If you want to view detailed query results, select the Verbose check box. In the test results, a green dot displays next to verified information and a red dot displays next to information that must be corrected. If any information is incorrect or missing, edit the field and click LDAP Discovery again.
5. After your settings have been validated, click Add. The LDAP service appears in the Existing Authentication Services section.

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol which provides authentication, authorization, and accounting. To add a RADIUS authentication service, specify the shared secret that is used by the Barracuda Load Balancer ADC and the RADIUS server to verify each other's identity. Also set a limit on how long the Barracuda Load Balancer ADC waits for a response from the RADIUS server and a limit on the number of times it can send a request packet. You can also add a secondary RADIUS server for authenticating users. If the primary RADIUS server fails, the secondary RADIUS server takes over as the primary RADIUS server for authenticating users.

To integrate the Barracuda Load Balancer ADC with a RADIUS authentication server:
1. Go to the ACCESS CONTROL > Authentication Services page, and click the RADIUS tab.
2. In the settings, specify:
An alias for the RADIUS server.
The IP address, port, and secret key for the RADIUS server.
The maximum Timeout and Retries for sending packets to the RADIUS server.
3. Click Add. The RADIUS service appears in the Existing Authentication Services section.

If you want to configure a secondary RADIUS server:
1. Click Add next to the RADIUS authentication service for which you want to add the secondary server.
2. In the Add Secondary Radius Server window, enter the IP address and port of the secondary RADIUS server. All settings for the secondary RADIUS server, except the IP address and port, must be identical to those for the primary RADIUS server.
3. Click Add.

Kerberos
Kerberos is the native authentication method used by Windows 2000 and later platforms. This authentication protocol provides mutual authentication (i.e., both the user and the server verify the other's identity). Kerberos uses a trusted third party known as the Key Distribution Center (KDC). The Key Distribution Center must be part of an Active Directory domain controller. The Key Distribution Center provides two services: an Authentication Service (AS) that authenticates a user, and a Ticket Granting Service (TGS) that issues a session ticket to a client.

Kerberos relies on Service Principal Names (SPNs) to uniquely identify an instance of a service (which runs on a host) to a client. When you add a Kerberos authentication service, you must also configure an SPN for your web service. The SPN must be registered in Active Directory. SPNs can be formatted as follows:
<service type>/<instance/host name>
<service type>/<instance/host name>:<port number>/<service name>
The port and service name are optional. The port is only required when the service listens on a non-default port. If you have multiple servers configured for a service, verify that a single SPN is registered in Active Directory for the service. For example, if you have a service for webdomain.com with two servers that are configured for load balancing, create an SPN for webdomain.com and register the SPN in Active Directory under the user account that the application runs as. Both servers must grant that user the required permissions.

Requirements for Kerberos
Before continuing with the steps for integrating Kerberos, verify that the following requirements are met:
The Barracuda Load Balancer ADC has proper DNS servers configured. The DNS server configured in the BASIC > IP Configuration > DNS Configuration section must be able to resolve names in the Active Directory domain (the domain where the KDC is installed).
All host machine clocks are synchronized to within 5 minutes of the Kerberos server clock.

To integrate the Barracuda Load Balancer ADC with a Kerberos server, complete the following steps.

Step 1. Add the Kerberos Server
1. Go to the ACCESS CONTROL > Authentication Services page, and click the Kerberos tab.
2. In the settings, specify:
An alias for the server.
The KDC realm name.
The IP address or name, and the port, for the Kerberos server.
3. Click Add.

Step 2. Create a New User in Active Directory
1. In the Active Directory Users and Computers window, click Users > New > User.
2. In the New Object - User window, specify the name and login credentials for the user.

3. Click Next, specify values for other fields as required, and click Finish.

Step 3. Create the SPN for the User
Set the SPN under the user account that you just created in Active Directory. Open a command prompt, and execute the setspn command. The SPN can be any name; in the following example, the SPN is HTTP/krbspn.barracuda.com.

Step 4. Create a DNS Entry for your Web Server
Add the following entries to the DNS server in the domain:
A host (A) record for the SPN host name that you created. Point the record to one of the servers that you configured for the service.
A reverse (PTR) record for that server's IP address pointing back to the same name.

Step 5. Configure the Web Server Application Pool to Run as the User
1. In IIS Manager, click Application Pools in the left pane. All running application pools then appear in the right pane.

2. Identify the application pool to associate with the user. Right-click it, and select Advanced Settings.
3. In the Advanced Settings window, click the button next to Identity.
4. In the Application Pool Identity window, select Custom account and click Set.

5. Enter the username and password for the user that you created in Active Directory, and click OK.
6. In the IIS server's applicationHost.config file, set useAppPoolCredentials to true. The file is located at \Windows\System32\inetsrv\config\applicationHost.config. For example:

    <location path="Default Web Site">
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="false" />
            <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
              <extendedProtection tokenChecking="None" />
            </windowsAuthentication>
          </authentication>
        </security>
      </system.webServer>
    </location>

Note that tokenChecking="None" turns off Extended Protection for Authentication (channel binding) for this site, so the site relies on the Barracuda Load Balancer ADC for transport protection.

Step 2. Assign the Authentication Service to a Web Service
Assign the authentication service to the service for your website.

1. Go to the ACCESS CONTROL > Authentication page.
2. Next to the service, click Edit.
3. In the Edit Authentication Policy section:
a. Set the Status to On.
b. From the Authentication Service list, select the alias of the server for authenticating users of the service.
Password Reset Page for LDAP: When LDAP is selected as the authentication database server, the Auth Password Expired URL field is displayed. In this field, specify the URL where users are redirected if their authentication fails because their passwords have expired, so that they can reset their passwords. This feature is only supported when the authentication database is Microsoft Active Directory LDAP. An expired password on an OpenLDAP server is not detected by the Barracuda Load Balancer ADC.
c. Specify the remaining settings.
Kerberos SPN: If you are assigning a Kerberos authentication service, make sure that you enter the Kerberos SPN.
4. Click Save. In the Authentication Policies section, the name of the authentication service displays in the row for the service.

Step 3. Configure an Authorization Policy for the Service
Configure an authorization policy to control the access of authenticated users to your website. You can configure access by user and/or group. In the policy, specify the URL, host, and extended match patterns for requests that must be handled by the policy.
1. Go to the ACCESS CONTROL > Authorization page.
2. In the Add Authorization Policy section:
a. From the Service list, select the service that you are configuring the authorization policy for.
b. Enter a name for the policy.
c. Set the Status to On.
d. Specify the URL, host, and other expressions that must match requests.
e. Specify the Login Method. If you want to create a custom login or challenge page, select HTML Form. If you are using a custom challenge page, it does not support the HTTP Basic Authentication login method.
3. Click Add. The authorization policy appears in the Existing Authorization Policies section.
4. Next to the policy, click Edit.
5. In the Edit Authorization Policy window, specify whether you want to allow or deny the request for all authenticated users or only for specific users and groups.
Kerberos Authentication for Exchange 2010 and 2013: If you are using Kerberos authentication for Exchange 2010 or 2013, use the CAS server login page. Specify these settings in your authorization policy:
URL Match: /*
Auth Not Done URL: /owa/auth.owa
6. Click Save.

Additional Authentication Options
If you also want to configure single sign-on or a custom login page, see these articles:
How to Configure Single Sign-On (SSO)
How to Set Up a Custom Login Page for Authentication
With RADIUS servers, you can configure SMS PASSCODE for two-factor client authentication with passcodes that are sent to users' mobile phones. See How to Configure SMS Passcode Authentication Service.

How to Configure Single Sign-On (SSO)
Required Product Model and Version
This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above.

On the Barracuda Load Balancer ADC, you can configure Single Sign-On (SSO) to let end users access multiple applications across different web servers protected by the Barracuda Load Balancer ADC without requiring them to reauthenticate. Successfully authenticated users with proper access privileges are given an SSO User Session Cookie, which authenticates them for a period of time. If the login fails, the authentication request is rejected. The Barracuda Load Balancer ADC supports both single-domain and multi-domain SSO.

In this article:
Prerequisite
Single Domain SSO
Configure Single Domain SSO
Multi-domain SSO
Configure Multi-Domain SSO
Step 1. Configure the Master and Slave Domains
Step 2. Create an Authorization Policy for the Master Service

Prerequisite
Verify that an authentication service and an authorization policy have been created for the services of your web applications. For instructions, see How to Configure Authentication and Access Control (AAA).

Single Domain SSO
Single domain SSO takes place within a single domain. For example, bc.com hosts several restricted websites on several hosts. You can configure single sign-on for this domain, so that authenticated users can access all or a subset of the restricted resources by authenticating once. When a user logs out of one host in the domain, the Barracuda Load Balancer ADC removes the user session cookie from the browser by expiring it, so that the user is automatically logged out of the other hosts that share the cookie domain. For example, a user is logged into host1.bc.com, host2.bc.com, and host3.bc.com using bc.com as the cookie domain. When the user logs out of host1.bc.com, the user session cookie is removed from the browser and the user is automatically logged out of host2.bc.com and host3.bc.com.

Configure Single Domain SSO
In the authentication policy for the service, specify the SSO domain:
1. Go to the ACCESS CONTROL > Authentication page.
2. Click Edit next to the policy.
3. In the Edit Authentication Policy window, make sure that the policy is enabled and that an authentication service has been selected for the service.
4. In the Session-Cookie Domain field, enter the domain name of the service (e.g., bc.com).
5. In the Idle Timeout field, enter the maximum length of time that a user can remain idle in the domain before being logged out automatically.
6. Click Save.

Multi-domain SSO
With multi-domain SSO, your users are authenticated for multiple domains after logging into one domain. When you configure multi-domain SSO, you must designate a master domain with one or more slave domains. The master domain acts as a centralized authentication server that authenticates the users and transfers the SSO User Session Cookie to the slave domains. Users must be initially authenticated by the master domain. If a user tries to access the master domain before a slave domain, the user is prompted to provide login credentials. If a user tries to visit a slave domain before the master domain, the user is redirected to the master service URL for authentication and prompted to provide login credentials. After being successfully authenticated and authorized, the user is granted

access to the master domain and the slave domains. For example, with one domain configured as the master and another as the slave: if a user first tries to access the master domain, the user is prompted to provide login credentials; if the user first tries to access the slave domain, the user is redirected to the master domain for authentication and prompted to provide login credentials. After being successfully authenticated and authorized, the user receives SSO User Session Cookies to access both domains. When users log out of a domain, they are not automatically logged out of all domains; they must manually log out of each domain.

Configure Multi-Domain SSO
To set up multi-domain SSO, configure the authentication policies for the services of your master and slave domains. You must also create an authorization policy for the master domain.

Step 1. Configure the Master and Slave Domains
Complete the following steps for the services of your master and slave domains.
1. Go to the ACCESS CONTROL > Authentication page.
2. Click Edit next to the policy.
3. In the Edit Authentication Policy window, make sure that the policy is enabled and that an authentication service has been selected for the service.
4. In the Single Sign On section, specify whether the domain is the master or a slave.
If the domain is the master, set Master Service to Yes and enter its URL path in the Master Service URL field. The URL must be a virtual URL (an internal URL). For example: /ncsso.process
If the domain is a slave, set Master Service to No and enter the URL of the master domain in the Master Service URL field. In the master service URL, you must specify the protocol, host, master domain, and URL path, for example <protocol>://<master host>/ncsso.process.
5. Click Save.

Step 2. Create an Authorization Policy for the Master Service
Create an authorization policy with the URL of the master service.
1. Go to the ACCESS CONTROL > Authorization page.
2. In the Add Authorization Policy section:
a. From the Service list, select the service.
b. Enter a name for the policy.
c. Set the Status to Off.
d. In the URL Match field, enter the URL of the master service. For example: /ncsso.process
e. Specify the host and any other expressions that must be matched in the requests.
f. Specify the Login Method. If you want to create a custom login or challenge page, select HTML Form. If you are using a custom challenge page, it does not support the HTTP Basic Authentication login method.
3. Click Add. The authorization policy appears in the Existing Authorization Policies section.
4. Next to the policy, click Edit.
5. In the Edit Authorization Policy window, specify whether you want to allow or deny the request for all authenticated users or only for specific users and groups.
6. Click Save.

How to Set Up a Custom Login Page for Authentication
Required Product Model and Version
This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above.

With the Barracuda Load Balancer ADC, you can use a custom login page to prompt users for their login credentials when they try to access a protected web application. After you create and deploy the custom login page, configure the application's authorization policy to use the page. If you enabled authorization for the entire website (i.e., the URL Match setting of the authorization policy is /*), you must also create an authorization policy for the custom login page.

In this article:
Prerequisite
Step 1. Create and Deploy the Custom Login Page
Step 2. Edit the Authorization Policy to Use the Custom Login Page
Step 3. Create an Authorization Policy for the Login Page

Prerequisite
Verify that an authentication service and an authorization policy have been created for the service of the web application. For instructions, see How to Configure Authentication and Access Control (AAA).

Step 1. Create and Deploy the Custom Login Page
Create and deploy the custom login page on the web server for the application.
1. Create a custom login page named login.html. The page must contain the following parameters and values:
A form with id="nclogin", name="login", action="/nclogin.submit" and method="post".
A user name field named f_username.
A password field named f_passwd.
An additional hidden parameter named f_method with the value "LOGIN".
The form will look something like this:

    <form id="nclogin" name="login" action="/nclogin.submit" method="post">
      <p>User Name: <input type="text" name="f_username"></p>
      <p>Password: <input type="password" name="f_passwd"></p>
      <p><input type="hidden" name="f_method" value="LOGIN">
         <input type="submit" value="Login">
         <input type="reset" value="Reset"></p>
    </form>

2. Deploy the custom login page on the web server for the application, so that it is available at /login.html on the web server's IP address.

Step 2. Edit the Authorization Policy to Use the Custom Login Page
Edit the authorization policy of the service to display the custom login page to unauthenticated users.
1. Go to the ACCESS CONTROL > Authorization page.
2. Click Edit next to the policy.
3. In the Edit Authorization Policy window, configure these settings:
Auth Not Done URL: Enter /login.html.
Login Method: Select HTML Form.
Send Basic Authentication: Select Yes.
Send Domain in Basic Authentication: If you want the Basic Authentication header to include the client's domain when it is forwarded to the server, select Yes. This is applicable only when Send Basic Authentication is enabled.
4. Click Save.

Step 3. Create an Authorization Policy for the Login Page
Create an authorization policy with the URL of the login page.
1. Go to the ACCESS CONTROL > Authorization page.
2. In the Add Authorization Policy section:
a. From the Service list, select the service that you are configuring the authorization policy for.
b. Enter a name for the policy.
c. Set the Status to Off.
d. In the URL Match field, enter the URL of the login page. For example: /login.html

107 e. f. Specify the host and any other expressions that must match requests. Specify the Login Method. If you want to create a custom login or challge page, select HTML Form Click Add. The authorization policy appears in the Existing Authorization Policies section. Next to the policy, click Edit. In the Edit Authorization Policy window, specify if you want to allow or dy the request to all authticated users or only specific users and groups. Click Save. If you are using a custom challge page, it does not support the HTTP Basic Authtication login method. How to Configure SMS Passcode Authtication Service Required Product Model and Version This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above. On the Barracuda Load Balancer ADC, you can use SMS PASSCODE with a RADIUS server to configure two-factor clit authtication for your web applications. With SMS Passcode, users go through the following authtication process: The user ters a username and password. After the login credtials are verified, a passcode is st to the user's mobile phone. The user is redirected to a challge page to ter the passcode. After submitting the passcode, the user can access the application if the authorization policy allows it. To set up SMS PASSCODE for a service, install it on a RADIUS server that you have integrated with the Barracuda Load Balancer ADC. In this article: Prerequisites Step Set Up SMS Passcode Step Verify that SMS Passcode Works Properly Prerequisites Verify that a RADIUS authtication service and an authorization policy have be created for the service of the web application. For instructions, see How to Configure Authtication and Access Control (AAA). If you do not want to use the default challge page that is provided by the Barracuda Load Balancer ADC, you can also create a custom challge page. See How to Set Up a Custom Challge Page for Authtication. 
Step Set Up SMS Passcode Install and configure the SMS Passcode on the RADIUS server that you have integrated with the Barracuda Load Balancer ADC. For details, see your SMS PASSCODE Administrator's Guide. Step Verify that SMS Passcode Works Properly As an d user, go through the followings steps to verify that SMS Passcode has be properly configured: In a web browser, go to the URL of the web application. On the default authtication page, or the custom login page, ter your username and password and click passcode via SMS on your mobile phone. Enter the passcode and click Login. You should be redirected to the page that you initially tried to access. How to Set Up a Custom Challge Page for Authtication Login. You should receive a Required Product Model and Version This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above. 107
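The challenge page that Step 1 of the following procedure asks you to create, written here as a Python CGI script. This is an added example, not Barracuda's sample page: the form attributes (form id="nclogin" name="login" action="/nclogin.submit" method=post) and the challenge_user / challenge_prompt query-string fields come from the procedure; the POST field names login and passcode are assumptions, because the page does not state which fields /nclogin.submit reads. The point it adds is that both query-string values are untrusted input reflected into HTML and must be escaped.

```python
"""Custom challenge page as a Python CGI script. Added example, not Barracuda's
sample: the form attributes and the challenge_user / challenge_prompt query-string
fields come from the procedure; the POST field names 'login' and 'passcode' are
assumptions, because the page does not state what /nclogin.submit expects."""
import html
import os
import sys
from urllib.parse import parse_qs

DEFAULT_PROMPT = 'Enter the passcode sent to your phone.'

# Required by the ADC: form id="nclogin" name="login" action="/nclogin.submit" method=post
PAGE = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Second factor</title></head>
<body>
<form id="nclogin" name="login" action="/nclogin.submit" method="post">
  <p>{prompt}</p>
  <input type="hidden" name="login" value="{user}">
  <label>Passcode <input type="password" name="passcode" autocomplete="one-time-code"></label>
  <input type="submit" value="Login">
</form>
</body></html>
"""


def render_challenge_page(query_string):
    """Build the page from the ADC's query string (challenge_user, challenge_prompt).

    Both fields are attacker-influenced input reflected into HTML, so they are
    escaped; without this the page is a reflected-XSS sink on the login path."""
    fields = parse_qs(query_string, keep_blank_values=True)
    user = fields.get('challenge_user', [''])[0]
    prompt = fields.get('challenge_prompt', [DEFAULT_PROMPT])[0]
    return PAGE.format(user=html.escape(user, quote=True), prompt=html.escape(prompt))


if __name__ == '__main__':          # CGI entry point: response headers, blank line, body
    sys.stdout.write('Content-Type: text/html; charset=utf-8\r\n')
    sys.stdout.write('Cache-Control: no-store\r\n\r\n')
    sys.stdout.write(render_challenge_page(os.environ.get('QUERY_STRING', '')))
```

Deploy it as a CGI script at the path you will enter as the Auth Challenge URL in Step 2. If you rename the query-string fields there, change the two fields.get() keys to match.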

If you are using two-factor authentication (e.g., SMS PASSCODE) for a web application, you can use a custom challenge page to prompt users for additional credentials after the username and password have been authenticated. After you create and deploy the custom challenge page, configure the application's authentication and authorization policies to use the page.

In this article:
- Prerequisite
- Step 1. Create and Deploy the Custom Challenge Page
- Step 2. Edit the Authentication Policy to Specify the Page URL and Query String Fields
- Step 3. Edit the Authorization Policy to Use the Custom Challenge Page
- Step 4. Create an Authorization Policy for the Challenge Page

Prerequisite
Verify that an authentication service and an authorization policy have been created for the service of the web application. For instructions, see How to Configure Authentication and Access Control (AAA).

Step 1. Create and Deploy the Custom Challenge Page
Create and deploy the custom challenge page on the web server for the application.

1. Using a script language that the back-end server supports (e.g., CGI Perl, PHP, or Java), create a custom challenge page named challenge.fileextension. For example, if you use PHP, the page name is challenge.php. The page must contain the following:
   - A form with these attributes: form id="nclogin" name="login" action="/nclogin.submit" method=post
   - Form fields named after the Challenge User Field and Challenge Prompt Field (see Step 2).
   Because the username and the prompt string arrive in the query string, the page must HTML-encode them before writing them into the response; otherwise the challenge page becomes a reflected cross-site scripting sink on the login path.
2. Deploy the custom challenge page on the web server for the application. For example, if the IP address of the web server is , make the page available at 

Step 2. Edit the Authentication Policy to Specify the Page URL and Query String Fields
Edit the authentication policy of the service to display the custom challenge page to users who have passed the first authentication factor.

1. Go to the ACCESS CONTROL > Authentication page.
2. Click Edit next to the service.
3. In the Edit Authentication Policy window, configure these settings:
   - Auth Challenge URL: Enter the URL of the challenge page (e.g., /challenge.php).
   - Challenge User Field: Use the default value of challenge_user, unless you used a different query string field to pass the username to the challenge page.
   - Challenge Prompt Field: Use the default value of challenge_prompt, unless you used a different query string field to pass the prompt string to the challenge page.
4. Click Save.

Step 3. Edit the Authorization Policy to Use the Custom Challenge Page
Edit the authorization policy of the service to use the HTML Form login method.

1. Go to the ACCESS CONTROL > Authorization page.
2. Click Edit next to the policy.
3. In the Edit Authorization Policy window, verify that Login Method is set to HTML Form. With a custom challenge page, the HTTP Basic Authentication login method is not supported.
4. Click Save.

Step 4. Create an Authorization Policy for the Challenge Page

Create an authorization policy with the URL of the challenge page.

1. Go to the ACCESS CONTROL > Authorization page.
2. In the Add Authorization Policy section:
   a. From the Service list, select the service that you are configuring the authorization policy for.
   b. Enter a name for the policy.
   c. Set the Status to Off.
   d. In the URL Match field, enter the URL of the challenge page. For example: /challenge.php
   e. Specify the host and any other expressions that must be matched in the requests.
   f. Specify the Login Method. If you want to use a custom login or challenge page, select HTML Form.
3. Click Add. The authorization policy appears in the Existing Authorization Policies section.
4. Next to the policy, click Edit.
5. In the Edit Authorization Policy window, specify whether to allow or deny the request for all authenticated users or only for specific users and groups.
6. Click Save.

A custom challenge page does not support the HTTP Basic Authentication login method.

Technical White Papers

In this Section
- PCI Compliance Considerations

PCI Compliance Considerations
This article outlines implementation considerations when deploying the Barracuda Load Balancer ADC in an environment subject to PCI Data Security Standard (PCI DSS) compliance. It focuses on the requirements placed on the Barracuda Load Balancer ADC for achieving PCI compliance in an environment that includes the following:
- Barracuda Load Balancer ADC
- Application Server
- Database Server

For PCI DSS Requirement 6.6 compliance and added application security, consider purchasing an Application Security license for the Barracuda Load Balancer ADC.

Efficient PCI Compliance
PCI compliance applies to entities that process, store, or transmit cardholder data. The Barracuda Load Balancer ADC intelligently distributes traffic among servers for efficient use of server resources, and provides server fail-over for high availability.
The Barracuda Load Balancer ADC, as an underlying technology infrastructure in your network, does not directly manage or store cardholder data. However, it provides a secure environment for the transmission of all application data, including cardholder data. For merchants subject to PCI DSS, this facilitates certification.

According to section 4.1 of the Payment Card Industry (PCI) Data Security Standard v2, merchants handling credit card data are required to "... use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks." Note that later versions of the standard (PCI DSS 3.1 and later) no longer count SSL or early TLS as strong cryptography; check which version of the standard applies to your assessment before relying on the protocol settings described below.

Deploying services behind the Barracuda Load Balancer ADC simplifies PCI compliance by placing a maintained, PCI-compliant SSL/TLS stack in front of the back-end servers. It also provides risk mitigation and business continuity by reducing the scope of scanning and of operating system, middleware, and application patching on your Internet-facing production servers, work which otherwise causes downtime and administrator overhead. An information supplement to the PCI DSS notes that as long as the servers behind a load balancer are configured identically, they do not each need to be scanned separately. For more information, refer to the section Account for Load Balancers (page 14 of the PCI Approved Scanning Vendors Program Guide).

Configure Front-End SSL
Front-end SSL refers to the SSL/TLS session between the client connecting from the Internet and the Barracuda Load Balancer ADC. Configure SSL for each Service that requires compliance. Under PCI DSS, the use of SSL has the following implications:
- Secure Sockets Layer version 2 (SSLv2) must be disabled;
- "weak" cryptography must be disallowed;
- quarterly PCI security vulnerability scans are conducted against your external-facing PCI systems.
Without the first two measures, the scans are likely to fail, leading to a loss of compliance and the associated risks and consequences.

The Barracuda Load Balancer ADC provides secure SSL offloading for your services. To enable it, log into the Barracuda Load Balancer ADC web interface, go to the BASIC > Services page, and click Edit following the Service you wish to modify. In the edit screen, scroll to the SSL Offloading section.

By default the Barracuda Load Balancer ADC disables the deprecated ciphers and protocols, and is therefore "secure by default". The defaults in that section enable only:
- Secure Protocols: SSL v3, TLS v1.0/1.1/1.2
- Secure Ciphers: all weak and medium ciphers are disabled

These defaults reflect the state of the art when this article was written. SSL v3 has since been broken (POODLE), RC4 is now prohibited for TLS (RFC 7465), and current PCI DSS versions require migrating off SSL and early TLS. On a current deployment, disable SSL v3 and TLS 1.0, remove RC4 from the enabled cipher suites, and prefer TLS 1.2 with AEAD cipher suites.

Additionally, security researchers have identified vulnerabilities in the SSL protocol; these are mitigated by the secure SSL stack in the Barracuda Load Balancer ADC as shown in Table 1.

Table 1. SSL Protocol Vulnerabilities

Vulnerability            Impact   Remediation
Insecure Renegotiation   High     The Barracuda Load Balancer ADC only supports secure renegotiation initiated by the server.
BEAST Attack             Low      SSL v3 and TLS 1.0 may be vulnerable to this attack when block ciphers in CBC mode are used. The remediation given here was to configure the Barracuda Load Balancer ADC to prioritize or force stream (RC4) cipher suites; since RC4 is itself broken, the current remediation is to require TLS 1.1 or later.
CRIME Attack             Low      This attack exploits the protocol compression feature. By default, SSL compression is disabled in the Barracuda Load Balancer ADC.

Configuring Back-End SSL
Back-end SSL refers to the use of the SSL protocol to re-encrypt traffic between the Barracuda Load Balancer ADC and the back-end servers.

PCI mandates SSL when transmitting data over "open, public" networks; see Requirement 4: Encrypt transmission of cardholder data across open, public networks (page 35 of the PCI Data Security Standard). When the path between the Barracuda Load Balancer ADC and the servers is within a secure zone, organizations are not mandated to re-encrypt the traffic, provided the privacy of the path can be demonstrated for compliance. If your network architecture, environment, or the associated risk necessitates back-end SSL, go to the BASIC > Services page, click Edit following the Service you wish to modify, and update the SSL section. Back-end SSL uses the same secure SSL protocols and ciphers as front-end SSL.

Secure Certificates
Though PCI does not specify minimum certificate key sizes, Barracuda Networks recommends a minimum of 2048-bit key strength when renewing certificates or deploying new services. Note that the National Institute of Standards and Technology (NIST) has mandated moving to 2048-bit RSA keys, which the Barracuda Load Balancer ADC fully supports. Ensure that all SSL services, as well as the Management UI, employ strong certificates.

Secure the Web-based Management UI
To allow web interface access by HTTPS/SSL only, set HTTPS/SSL Access Only to Yes on the ADVANCED > Secure Administration page. You can select a private certificate if you have restricted access to a private network.

Secure SNMP Access
To secure SNMP access for compliance, go to the ADVANCED > SNMP Configuration page and complete the following steps:
1. In the SNMP Manager section, select SNMP Version v3.
2. Provide a secure password for the admin user.
3. Select SHA and AES as the Authentication Method and Encryption Method respectively; these are more secure than MD5 and DES.
4. Restrict SNMP access to an internal network via the Allowed SNMP IP/Range control.

5. If you choose to use SNMP v2c to support legacy SNMP clients, ensure that you change the default SNMP Community String. Keep in mind that v2c sends the community string in clear text and offers no authentication beyond it, so restrict it to the management network.

For details on scanner false positives with respect to SNMP, refer to Scanner False Positives later in this article.

Enable Syslog for Audit Compliance
Continuous activity log monitoring alerts you to any unusual activity on the Barracuda Load Balancer ADC. To enable Syslog:
1. Go to the ADVANCED > Export Logs page.
2. In the Syslog section, click Add Syslog Server. The Add Syslog Server window appears.
3. Specify values for the following fields:
   a. Name - Enter a name to identify this syslog server.
   b. IP Address - Enter the IP address of the syslog server.
   c. Port - Enter the port associated with the IP address of the syslog server.
   d. Connection Type - Select the connection type used to transmit the logs from the Barracuda Load Balancer ADC to the syslog server.
   e. Validate Server Certificate - Set to Yes to validate the syslog server certificate against the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted.
   f. Client Certificate - When set to Yes, the Barracuda Load Balancer ADC presents its certificate when connecting to the syslog server.
4. Click Add.

For audit logs that leave the appliance, choose a TLS connection type and set Validate Server Certificate to Yes; with UDP, or with TLS to an unvalidated server, an attacker on the path can read, drop, or spoof log records.

Ensure Password Security
Before you install and deploy one or more Barracuda Load Balancer ADCs, ensure that you have changed the default password on all devices. It is recommended that you have an organizational policy in place for setting passwords with a minimum strength that are distinct from personal passwords used by employees on the public Internet. Enabling HTTPS/SSL-only access to the web-based interface, as noted earlier in this article, further enhances credential security over public and private networks. The console and web-based interface use separate passwords; be sure to change both.

Encrypt All Configuration Backups
Ensure that all manual and automated backups are encrypted so that configuration and sensitive information is not exposed in the event the backup file is compromised. To configure encryption for all configuration backups, go to the ADVANCED > Backups page and set Encrypt Backup to Yes. Specify a strong Backup Encryption Key using the same principles used for strong passwords. This key is required to decrypt or restore the backup configuration, so store it separately from the backups themselves.

Additional PCI Compliance
Barracuda Networks is committed to the security of its devices and to helping customers achieve compliance. Barracuda Networks has additional security product offerings that can help you achieve further PCI compliance cost effectively, especially for web application security, encryption, anti-virus, and web filtering.

Customers evaluating Barracuda Networks products can be assured of a commitment to security and compliance throughout the products' life cycles. For any issues or questions related to PCI compliance, contact Barracuda Networks Technical Support or your sales representative.

Scanner False Positives
Following are two false positives that some scanners have reported during PCI evaluations.

SNMP vulnerability
Some scanners incorrectly report that the Barracuda Load Balancer ADC is susceptible to the SNMP vulnerabilities described in the CERT advisory cited below. The Barracuda Load Balancer ADC includes a customized port of NET-SNMP version 5.4.1, which is not susceptible to the vulnerabilities mentioned in the reports; only versions of NET-SNMP prior to 4.2 are susceptible. For additional information, refer to CERT Advisory CA, Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP). If you encounter this false positive, submit the report to the scanning organization for validation. Additionally, Barracuda Networks has implemented the following security measures as recommended by the advisory:
- Ability to filter SNMP traffic from non-authorized internal hosts
- Ability to change default community strings
- Ability to disable the SNMP service if not explicitly required

Insecure Cookies
The Barracuda Load Balancer ADC inserts cookies for a service when the Persistence type is HTTP Cookies. Some scanners confuse these with application cookies and report them as insecure if the HttpOnly or Secure attribute is not set. You can configure both attributes from the Persistence properties of a Service to avoid this false positive. Setting them is good practice in any case: a persistence cookie without them can be read by page scripts or sent over plain HTTP like any other cookie.
Traffic Management

In this Section
- Content Rules for HTTP and HTTPS Services
- How to Use Extended Match and Condition Expressions
- Understanding HTTP Rewrite Rules
- Content Rewriting
- How to Use the Response Rewrite Function to Enable Web Sites for Google Analytics
- Understanding HTTP Caching
- Understanding HTTP Compression

Content Rules for HTTP and HTTPS Services
You can create content rules to specify how an incoming HTTP request is directed to one or more Real Servers based on the host, URL, or other HTTP header fields of the request. If a request does not match any content rule, it is directed to the Service's Real Servers. Once you define an HTTP or HTTPS Service on the BASIC > Services page, click Rule in the Add field to open the Content Rule page.

A content rule consists of three patterns: host match, URL match, and extended match. The extended match pattern is one or more expressions, each a combination of HTTP headers and/or query string parameters. If there are multiple rules for a Service, the rule with the most specific host and URL match is executed. For example, if a Service has two rules for the same host, Rule A with the URL pattern /images/* and Rule B with the URL pattern /images/*.png, an incoming request for a .png file under /images/ is handled by the most specific matching rule, which is Rule B.

If a rule has the most specific host and URL for a request, any Extended Match expressions for that rule are evaluated in the order established by the

Extended Match Sequence field. If the request does not match any Extended Match expression for the rule, the request is considered to have failed to match any rule; it does not fall back to a less specific rule, but is directed to the Service's Real Servers.

Additional Information
For details on Extended Match and Condition expressions, refer to the article How to Use Extended Match and Condition Expressions.

How to Use Extended Match and Condition Expressions
You can use Extended Match and Condition expressions in content rules, HTTP request rewrite rules, and HTTP response rewrite rules. This article documents the syntax of the extended match and condition expressions. For example:
- Header Host co example.com - matches a request whose Host header contains example.com
- Parameter userid ex - matches any request in which the parameter userid is present
- (Header Host eq <hostname>) && (Client-IP eq <network>/24) - matches a request whose Host header equals the given hostname and whose client IP address is in the given /24 subnet

In this article:
- Structure
- Operators
- Elements
- Combining
- Escaping
- Macro Definitions
- No Name Parameters

Quick Reference
Expressions: Element Match (Expression) [Join (Expression) ...]
Joins: &&, ||
Elements:
- Request elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header
- Request parameters: Parameter, Pathinfo
- Response elements: Status-code, Response-Header
Operators:
- Matching: eq, neq, req, nreq
- Containing: co, nco, rco, nrco
- Existence: ex, nex

Structure
The following explains the components of an Extended Match or Condition expression. An expression consists of one or more Element Matches, combined using Join operators to indicate AND and OR operations. Parentheses must be used to delimit individual Element Matches when using join operators, and parentheses can be nested. An Element Match consists of an Element, an optional Element Name, an Operator, and an optional Value. Some elements, like Header, require an Element Name such as User-Agent, whereas some elements, like HTTP-Version, require no further qualification.
Also, some operators, like eq (equals), require a value, whereas some operators, like ex (exists), require no value. Tokens are delimited by spaces and the parenthesis characters. Double quotes (") can be used to enclose single tokens which contain parenthesis characters or spaces. The backslash character can also be used to escape, that is, remove the special meaning of, the special characters (space and parentheses).

Operators
The following are the possible operators in an Element Match. The operators are case insensitive; for example, eq, Eq and EQ are all treated the same.

eq     True if the operand is equal to the given value. A case insensitive string comparison is performed; thus a value of 01 is not the same as a value of 1, whereas the values one and ONE are treated the same.
neq    True if the operand is not equal to the given value. A case insensitive string comparison is performed.
co     True if the operand contains the given value.
nco    True if the operand does not contain the given value.
rco    True if the operand contains the given value, which is treated as a regular expression.
nrco   True if the operand does not contain the given value, which is treated as a regular expression.
req    True if the operand matches the given value, which is treated as a regular expression.
nreq   True if the operand does not match the given value, which is treated as a regular expression.
ex     True if the operand exists. A value is not required.
nex    True if the operand does not exist. A value is not required.

Elements
The following are the different Elements allowed in an expression. Elements and Element Names are case insensitive, so Method and METHOD are treated the same.

Method
The HTTP method that was received in the request. Example: (Method eq GET)

HTTP-Version
The version of the HTTP protocol of the request. Example: (HTTP-Version eq HTTP/1.1)

Header
An HTTP header in the request. An Element Name identifying the header must follow the word Header. Example: (Header Accept co gzip). This checks whether the Accept: header contains the string gzip.

Client-IP
The IP address of the client sending the request. The value can be either a host IP address or a subnet specified by an address and mask. Only the eq and neq operators are possible for this element. Examples: (Client-IP eq <network>/24), (Client-IP eq <host address>)

URI
The Uniform Resource Identifier in the request. This includes any query parameters in the request. Example: (URI rco /abc.*html?userid=b)

URI-path
The path portion of the URI, which excludes any query parameters. Example: (URI-path req \/.*copy%20[^/]*)

Pathinfo
The portion of the URL which is interpreted as PATH_INFO on the server. The Barracuda Load Balancer ADC uses a set of known extensions to determine whether a portion of the URL is Pathinfo or not. For example, if the request URL is /twiki/view.cgi/Engineering, then /Engineering is considered to be the Pathinfo rather than part of the URL path. Example: (PathInfo rco abc*)

Parameter
A parameter in the query string part of the URL, which is passed to the servers as a name-value pair. The special parameter name $NONAME_PARAM refers to the case where the parameter name is absent. Examples: (Parameter sid eq 1234), (Parameter $NONAME_PARAM co abcd)

Status-code
The status code of the response returned by the servers. Example: (Status-code eq 302)

Response-header
An HTTP header in the response. The term Response-header must be followed by the name of the header on which the action is to be applied. Example: (Response-Header Set-Cookie co sessionid)

Restrictions
Each expression may use only some of these elements. The following restrictions apply:
- The Extended Match expression in Content Rules can use these elements: Method, HTTP-Version, Header, Client-IP, URI, URI-Path, Pathinfo, and Parameter.
- A Request Rewrite Condition allows these elements: Method, HTTP-Version, Header, Client-IP, Parameter, Pathinfo, and URI.
- A Response Rewrite Condition allows these elements: Header, Status-code, and Response-Header.

Joins
Each expression can be joined with another expression by one of the following:
||   True if either of the expressions is true.
&&   True only if both expressions are true.
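The expression language described above (Structure, Operators, Elements, Joins) together with the escaping rules in the Escaping section below, as a small parser and evaluator that can be run against a request. This is an added example, not Barracuda code, and it is useful for testing an expression before putting it into a rule. Its assumptions: Pathinfo is not implemented; && and || are applied left to right with equal precedence (the page does not state a precedence, so nest parentheses for mixed joins, as the page's own examples do); req must match the whole operand, while rco may match anywhere; and the sample request at the bottom is constructed, not captured traffic. The element restrictions per context (Content Rule, Request Rewrite, Response Rewrite) are not enforced here.

```python
"""Extended Match / Condition expression evaluator (added example, not Barracuda code).
Pathinfo is left out; && and || are assumed to apply left to right with equal precedence."""
import ipaddress
import re

NAMED = ('header', 'parameter', 'response-header')      # elements that take a name
OPS = ('eq', 'neq', 'co', 'nco', 'rco', 'nrco', 'req', 'nreq', 'ex', 'nex')
JOINS = ('&&', '||')
TOKEN = re.compile(r'\(|\)|(?:[^\s()"\\]|\\.|"(?:[^"\\]|\\.)*")+', re.S)  # paren | plain/escaped/quoted run

def tokenize(expr):
    """Split on unquoted spaces/parentheses -> [(kind, text)]; quotes are dropped
    and every backslash-escaped character stands for itself."""
    if TOKEN.sub('', expr).strip():
        raise ValueError('unbalanced quote or dangling backslash in %r' % expr)
    return [(t, t) if t in '()' else
            ('word', re.sub(r'\\(.)|"', lambda m: m.group(1) or '', t, flags=re.S))
            for t in TOKEN.findall(expr)]

def element_match(words):
    """Element [Name] Operator [Value] -> ('match', element, name, op, value)."""
    elem, rest = (words[0].lower(), words[1:]) if words else ('', [])
    name = None
    if elem in NAMED and rest:
        name, rest = rest[0].lower(), rest[1:]
    op, vals = (rest[0].lower(), rest[1:]) if rest else ('', [])
    if not elem or (elem in NAMED and name is None) or op not in OPS \
            or len(vals) != (0 if op in ('ex', 'nex') else 1):
        raise ValueError('bad element match: %r' % ' '.join(words))
    return ('match', elem, name, op, vals[0] if vals else None)

def parse(expr):
    """expr := term (join term)* ; term := '(' expr ')' | element match."""
    toks, pos = tokenize(expr) + [(None, None)], [0]     # sentinel ends the stream
    def term():
        if toks[pos[0]][0] == '(':
            pos[0] += 1
            node = expression()
            if toks[pos[0]][0] != ')':
                raise ValueError('missing ) in %r' % expr)
            pos[0] += 1
            return node
        words = []
        while toks[pos[0]][0] == 'word' and toks[pos[0]][1] not in JOINS:
            words.append(toks[pos[0]][1])
            pos[0] += 1
        return element_match(words)
    def expression():
        left = term()
        while toks[pos[0]][1] in JOINS:
            op = toks[pos[0]][1]
            pos[0] += 1
            left = (op, left, term())
        return left
    node = expression()
    if pos[0] != len(toks) - 1:
        raise ValueError('unexpected token %r' % (toks[pos[0]][1],))
    return node

def derive(req):  # operand table: element -> value, or element -> {name: [values]}
    path, _, query = req['uri'].partition('?')
    params = {}
    for piece in (query.split('&') if query else []):
        name, sep, value = piece.partition('=')
        if not sep:                                        # "?xyz": a value with no name
            name, value = '', piece
        params.setdefault(name.lower() or '$noname_param', []).append(value)
    return {'method': req['method'], 'http-version': req['http_version'],
            'client-ip': req['client_ip'], 'uri': req['uri'], 'uri-path': path,
            'parameter': params,
            'header': {k.lower(): [v] for k, v in req.get('headers', {}).items()}}

CMP = {'eq': lambda o, v: o.lower() == v.lower(),           # case-insensitive; '01' != '1'
       'co': lambda o, v: v.lower() in o.lower(),
       'rco': lambda o, v: re.search(v, o) is not None,
       'req': lambda o, v: re.fullmatch(v, o) is not None,   # whole-operand match (assumed)
       'ip': lambda o, v: ipaddress.ip_address(o) in ipaddress.ip_network(v, strict=False)}

def holds(node, view):
    if node[0] in JOINS:
        a, b = holds(node[1], view), holds(node[2], view)
        return (a and b) if node[0] == '&&' else (a or b)
    _, elem, name, op, value = node
    found = view[elem].get(name, []) if elem in NAMED else [view[elem]]
    if op in ('ex', 'nex'):
        return bool(found) == (op == 'ex')
    base = op[1:] if op.startswith('n') else op                # neq -> eq, nrco -> rco, ...
    if elem == 'client-ip' and base != 'eq':
        raise ValueError('Client-IP supports only eq and neq')
    hit = any(CMP['ip' if elem == 'client-ip' else base](o, value) for o in found)
    return hit != op.startswith('n')

def matches(expr, req):
    return holds(parse(expr), derive(req))

SAMPLE = {'method': 'GET', 'http_version': 'HTTP/1.1', 'client_ip': '10.1.2.3',    # constructed
          'uri': '/ad?xyz&sid=1234', 'headers': {'Host': 'www.example.com', 'Cookie': 'session=abc',
          'User-Agent': 'Mozilla/5.0 (Linux i686; en-US; rv:1.8.3) Firefox/1.0.0.3'}}
```

Call matches(expression, SAMPLE) to test an expression; a malformed expression (unknown operator, missing value, unbalanced parenthesis or quote, a non-eq operator on Client-IP) raises ValueError rather than silently evaluating to False, which is the behaviour you want when a typo would otherwise turn a routing or rewrite rule into a no-op. Because the tokenizer consumes every backslash, a backslash that belongs to a regular expression value must be written as \\.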
Combining
More than one Element Match can be combined by using the join operators || and &&, provided the Element Matches are enclosed in parentheses. Combining Element Matches without parentheses is not allowed. Example: (Header cookie ex) && (URI rco .*\.html) && (Method eq GET)

Nested sub-expressions can be created by enclosing parentheses within expressions. This makes the expression more readable as well as unambiguous.

Example: (HTTP-Version eq HTTP/1.1) && ((Header Host eq <hostname>) || (Header Host eq website.example.com))

Escaping
The space character and the parenthesis characters are special characters since they cause the parser to split the string into tokens at these separators. In some cases, it is necessary to specify these characters as part of the value itself. For example, the User-Agent header typically contains both spaces and parentheses, as in:
User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:1.8.3) Firefox/1.0.0.3

The spaces and parenthesis characters in such cases must be escaped by prefixing them with a backslash (\), or the entire value can be enclosed in double quotes ("). Examples:
Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:1.8.3) Firefox/1.0.0.3"
Header User-Agent eq Mozilla/5.0\ \(Linux\ i686;\ en-US;\ rv:1.8.3\)\ Firefox/1.0.0.3

To specify the double-quote character itself, it must be escaped with a backslash. This is true both inside a quoted string and in a non-quoted string. Note that the single quote character has no special meaning and is treated as any other character. To specify the backslash character itself, it must be escaped as \\. This is true within both quoted and non-quoted strings. The backslash escapes all characters, not just the special characters; thus \c stands for the character c, and so on. In other words, a backslash followed by any character stands for that character, whether or not the character has a special meaning in the syntax.

Macro Definitions
The Barracuda Load Balancer ADC supports several macros to assist in configuring policies. The following table describes these macros and where they can be used. The URI in these cases does not include the host.

$SRC_ADDR      Inserts the source (client) IP address. Use it for the new value (Rewrite Value parameter) when inserting or rewriting a header.
$URI           Specifies the complete request URI, including the query string. Use it in the new value when rewriting or redirecting the URI.
$AUTH_USER     Adds the username. (1) (2) (3)
$AUTH_PASSWD   Adds the password. (1) (2) (3)
$AUTH_GROUPS   Adds the user roles. (1) (2) (3)
$NONAME_PARAM  Inserts a parameter with no name (see No Name Parameters). Used in URL ACLs.

Notes:
(1) The URL is not protected, i.e. access control or authentication is off. The value substituted for the macro is the special string NCURLNotProtected.
(2) The client has not logged in. The value substituted for the macro is the special string NCNoUserSession.
(3) The user does not belong to any groups. The value substituted for $AUTH_GROUPS is the special string NCNOUserRoles.

Because $AUTH_PASSWD places the user's clear-text password into the rewritten request, use it only where the back-end application genuinely needs it, and only over back-end SSL.

No Name Parameters
There might be times when you want to configure a parameter without a name. For example, consider a site that pops up an advertising window when a user lands there. A Javascript adds a query string that results in the following GET request:
GET /ad?xyz

Note: The Barracuda Load Balancer ADC does not learn no-name parameters such as the query string in "GET /ad?0" added by a Javascript. Workaround: Add a null value URL ACL.

The Barracuda Load Balancer ADC treats xyz as the value of a parameter. In this case, you cannot create an exception rule based on the xyz value because there is no way to associate it with a named parameter. To address such situations (that is, requests with parameter name-value pairs of the type ?xyz or ?=xyz, where xyz is the value), you can use a special token: $NONAME_PARAM (case insensitive). This token allows you to create an expression for a parameter without a name, as in the following examples:
Parameter $NONAME_PARAM ex
Parameter $NONAME_PARAM eq 0
Parameter $noname_param co xyz

Understanding HTTP Rewrite Rules
Website translation is used to set a variety of address translation rules for application-specific packets sent through the Barracuda Load Balancer ADC. It translates the internal codes, headers, and cookies so that the actual message is concealed from external users. Using website translation, you can accomplish website cloaking and translation of URLs and headers in requests or responses.

Use the TRAFFIC > Web Translations page to create rules to modify inbound HTTP requests and outbound responses for HTTP/HTTPS Services. From this page you can:
- Create rewrite rules to modify incoming HTTP request headers and URLs
- Create rewrite rules to modify outbound HTTP response headers
- Create rules to rewrite any text string in an outbound HTTP response body

HTTP Request Rewrite Conditions
An HTTP request rewrite is applied to the HTTP request coming from the client to the Barracuda Load Balancer ADC. A request rewrite condition is made up of one or more expressions. An expression consists of an operand, an operator, and a matching value. Table 1 describes the operators you can use in a request rewrite condition expression.

Table 1. HTTP Request Rewrite Operators

Operator values                    Description
contains, CONTAINS, co, CO         Checks if the operand contains the matching value.
ncontains, NCONTAINS, nco, NCO     Checks if the operand does not contain the matching value.
rcontains, RCONTAINS, rco, RCO     Checks if the operand contains the matching value, where the matching value is interpreted as a regular expression.
equals, EQUALS, eq, EQ             Checks if the operand is equal to the matching value.
nequals, NEQUALS, neq, NEQ         Checks if the operand is not equal to the matching value.
requals, REQUALS, req, REQ         Checks if the operand is equal to the matching value, where the matching value is interpreted as a regular expression.
exists, EXISTS, ex, EX             Checks if the operand exists. No matching value is required.
nexists, NEXISTS, nex, NEX         Checks if the operand does not exist. No matching value is required.

Table 2. HTTP Request Rewrite Expression Tokens
Table 2 describes the tokens available for joining expressions:

Token               Description
or, OR, ||          Checks if either of the expressions is true.
and, AND, &, &&     Checks if both expressions are true.
( )                 Use parentheses to group multiple expressions.

Table 3. HTTP Request Rewrite Expression Operands
Table 3 describes the possible operands for the expression; all keywords are case insensitive:

Header
  Examine the request header. You can search for a header field name, which is a string followed by a colon (:), or for any string. To search for HTTP or custom header field names, type Header followed by the header field name. The header field name to be examined may be a string (e.g. user-agent, accept) or a wildcard (to examine all headers). To search for any string in the header area, enter that string without the keyword. In all of these cases, the matching value may be a regular expression.
  Examples: Header Accept co soap; Header Soap-Action ex; AnyString EX
Client-IP
  Check the IP address of the client that sent the request. The IP address can be either the host IP address or a subnet IP address specified by a mask. Only the EQUAL and NOT EQUAL operators may be used with this operand.
  Examples: Client-IP eq <network>/24 (subnet IP address with mask); Client-IP eq <host IP address>
URI
  The Uniform Resource Identifier (URI) identifies the resource upon which to apply the request. The matching value may be a regular expression.
  Example: URI rco /abc*html
Method
  The HTTP method in the request.
  Example: Method eq GET
HTTP-Version
  The HTTP protocol version of the request.
  Example: HTTP-Version eq HTTP/1.1
Parameter
  The query portion of the URL, which is passed to the server as a name-value pair. $NONAME_PARAM may be used to refer to the case where the parameter name is absent. The matching value may be a regular expression.
  Examples: Parameter sid eq 1234; Parameter $NONAME_PARAM co abcd
Pathinfo
  The portion of the URL containing extra information about the path of the resource on the server. The matching value may be a regular expression.
  Example: pathinfo rco abc*

HTTP Response Rewrite Conditions
An HTTP response rewrite is applied to the HTTP response going out from the servers to the client through the Barracuda Load Balancer ADC. A response rewrite condition is made up of one or more expressions, each consisting of an operand, an operator, and a matching value.

Table 4. HTTP Response Rewrite Expression Operators
Table 4 describes the operators you can use in a response rewrite condition expression. They are the same as the request rewrite operators in Table 1:

Operator values                    Description
contains, CONTAINS, co, CO         Checks if the operand contains the matching value.
ncontains, NCONTAINS, nco, NCO     Checks if the operand does not contain the matching value.
rcontains, RCONTAINS, rco, RCO     Checks if the operand contains the matching value, where the matching value is interpreted as a regular expression.
equals, EQUALS, eq, EQ             Checks if the operand is equal to the matching value.
nequals, NEQUALS, neq, NEQ         Checks if the operand is not equal to the matching value.
requals, REQUALS, req, REQ         Checks if the operand is equal to the matching value, where the matching value is interpreted as a regular expression.
exists, EXISTS, ex, EX             Checks if the operand exists. No matching value is required.
nexists, NEXISTS, nex, NEX         Checks if the operand does not exist. No matching value is required.

Table 5. HTTP Response Rewrite Expression Tokens
Table 5 describes the tokens available for joining expressions:

Token               Description
or, OR, ||          Checks if either of the expressions is true.
and, AND, &, &&     Checks if both expressions are true.
( )                 Use parentheses to group multiple expressions.

Table 6. HTTP Response Rewrite Expression Operands
Table 6 describes the possible operands for the expression; all keywords are case insensitive:

Header
  Examine the request header. You can search for a header field name, which is a string followed by a colon (:), or for any string. To search for HTTP or custom header field names, type Header followed by the header field name. The header field name to be examined may be a string (e.g. user-agent, accept) or a wildcard (to examine all headers). To search for any string in the header area, enter that string without the keyword. In all of these cases, the matching value may be a regular expression.
  Examples: Header Accept co soap; Header Soap-Action ex; AnyString EX

Response-Header
  Examine the header of the response. You can search for a header field name, which is a string followed by a colon (:), or for any string. To search for HTTP or custom header field names, type Response-Header followed by the header field name. The header field name to be examined may be a string (e.g. user-agent, accept) or a wildcard (to examine all headers). To search for any string in the header area, enter that string without the keyword. In all of these cases, the matching value may be a regular expression.
  Example: Response-Header Set-Cookie co sessionid

Status-Code
  Checks the status code of the response returned by the server.
  Example: Status-Code eq 200

Response Body Rewrite

You can create rules for searching and replacing any string in the body of outbound responses. Only responses where the content-type begins with text/ (text/html, text/plain, text/javascript, text/css, text/xml) are searched, not flash or applet content. Table 7 lists the response body rewrite values. Search and replace strings must be text; regular expressions cannot be used. Additionally, because meta-characters such as \r or \n cannot be used, you cannot search and replace any multi-byte character set strings.

Table 7. Response Body Rewrite Values

Table 7 describes the Response Body Rewrite Rule fields:

Rule Name
  Enter a name to identify the rule.

Rule Order
  If there is more than one rule, enter the order of execution; the range is 1 to 128, with 1 executed first.

Host Match
  Enter a value matching the Hostname field in the request header. This value can identify a specific host or it can be a wildcard match with a single asterisk (*) anywhere in the hostname, for example: *, *.abc.com

URL Match
  Enter a value matching the URL field in the request header. The URL Match must start with a slash (/) and can have only one asterisk (*) anywhere in the URL. A value of /* means that the ACL applies to all URLs in that domain. For example: /*, /index.html, /public/index.html

Search String
  Enter the text string on which to search in the response body.

Replace String
  Enter the replacement text string.

Additional Information

For a Response Body Rewrite example, refer to the article How to Use the Response Rewrite Function to Enable Web Sites for Google Analytics.

Content Rewriting

The Barracuda Load Balancer ADC allows you to rewrite selected content of requests and responses. This feature can be used to implement website cloaking and translation of URLs and headers in requests and responses. It can translate internal codes, headers, and cookies so they are concealed from external users. Content rewriting allows you to configure address translation rules for application-specific packets sent through the Barracuda Load Balancer ADC.

Configuring URL Translation

When a web server returns a URL, sensitive information about the web server may be revealed, which could be used to launch a variety of web attacks against the server. URL translation modifies the prefix, domain, and response body of an internal URL into an externally viewable URL, thus preventing potential attacks. URL translation can externalize internal applications which link to internal servers (not defined in the external DNS name space). For example, Company ABC has an internal application registered in the internal DNS as finance.abc. URL translation can make this application available to external partners behind a common public domain without exposing the internal name space. Through URL translation, Company ABC can map different internal and external prefixes so the internal application is available on the public Internet.

To configure URL Translation, use TRAFFIC > Website Translations > URL Translations. Click Help on that page for detailed configuration instructions.

Configuring HTTP Request Rewrite

HTTP Request Rewrite allows incoming requests to be rewritten or redirected. Headers can be added, removed, or edited on the Barracuda Load Balancer ADC before the request is forwarded to the back-end server. The URL can be rewritten to map to a different resource. A redirect response can also be issued to the clients to point them to an updated location or resource.

For example, Request Rewrite is used by default to relay the client IP address to the back-end server (in Proxy mode) by inserting the header X-Forwarded-For with the value of the client IP. The back-end server can extract and use this value. Similarly, authentication parameters (such as certificate details or user name) can be forwarded by inserting request headers and using macros. See How to Pass Client Certificate Details to a Back-end Server for more details.

To configure HTTP Request Rewrite, use TRAFFIC > Website Translations > HTTP Request Rewrite. For detailed configuration instructions, click Help on that page. To format a Request Rewrite Condition, refer to Rewrite Condition Format below.

Configuring HTTP Response Rewrite

This policy sets rewrite rules for outbound responses. It allows you to add, delete, or rewrite headers. Response Rewrites are used for many purposes. For example, if a response included a header listing the source IP address, a response rewrite could delete that header, preventing external users from seeing the actual IP address of the server.

To configure HTTP Response Rewrite, use TRAFFIC > Website Translations > HTTP Response Rewrite. For detailed configuration instructions, click Help on that page.

Configuring Request Rewrite and Response Rewrite

To configure a request rewrite rule, perform the following steps:

1. Go to the TRAFFIC > Website Translations page, and in the HTTP Request Rewrite section or HTTP Response Rewrite section, specify values for the following fields:
   a. Rule Name - Enter a name for the request or response rewrite rule.
   b. Sequence Number - Set the sequence number for the request or response rewrite policy. This number determines the order of execution for multiple configured policies, from highest (1) to lowest (1500).
   c. Action - Set the action to one of: Insert Header (inserts a header into the request); Remove Header (removes the header from the request); Rewrite Header (rewrites the value of the existing header in the request).
   d. Header Name - Enter the relevant Header Name, for example X-Forwarded-For.
   e. Old Value - Enter the initial request header to be rewritten if the Action is Rewrite Header. An asterisk (*) rewrites all named headers; otherwise specify the value or expression to be rewritten.
   f. Rewrite Value - Enter the new value of the header to be rewritten when the Action is set to Insert Header or Rewrite Header. Use the macros listed below to specify parameters from the client. When rewriting a header you can specify one or more fields using separators such as colon (:), semicolon (;), space ( ) and comma (,). In Rewrite Value, the fields can be defined, for example, as "Name=abc_cookie; Domain=example.com:Path=/". The rewrite value supports substring addressing of matches, i.e. the matching substrings can be referenced using $1, $2, ... $n. See Supported Macros below for a list of macros supported for rewrite values.
   g. Rewrite Condition - Set the condition under which a rewrite should occur. An asterisk (*) indicates there are no conditions (applies to all). Details on the format of the Rewrite Condition are explained below in Rewrite Condition Format.
2. Click Add to add the above settings.

Note: When multiple policies are configured, the request continues to be processed by the other (higher sequence number) policies. If you wish to stop processing after a particular rule is matched, click Edit next to the rule and set Continue Processing to No.

Rewrite Condition Format

The request Rewrite Condition specifies when a rewrite should occur. For Request Rewrites, the Rewrite Condition is made up of expressions combining Request Rewrite Tokens and Operations on those tokens; for Response Rewrites, it is made up of expressions combining Response Rewrite Tokens and Operations on those tokens. These expressions can then be joined with each other using logical or (or, OR, ||) or logical and (and, AND, &&).

Examples of Rewrite Conditions: (Header User-Agent co mozilla), (URI rco /abc*html), (Client-IP eq )&&(Method eq POST). An asterisk indicates there are no conditions for the rewrite, so the rewrite is done in every case.

Request Rewrite Tokens

These tokens can be used in a request Rewrite Condition:

Header - The HTTP header in the request. The word Header precedes the name of the relevant header, or * to indicate all headers. Examples: Header Accept co soap, Header Soap-Action ex.

Client-IP - The IP address of the client sending the request. The IP address can be either a host IP address or a subnet specified by a subnet mask. Only the operations EQ and NEQ can be combined with this token. Examples: Client-IP eq /24 (subnet qualified by a netmask), Client-IP eq (host IP address).

URI - The Uniform Resource Identifier of the resource on which to apply the rule. Example: URI rco /abc*html

Method - The HTTP method in the request. Example: Method eq GET

HTTP-Version - The HTTP protocol version of the request. Example: HTTP-Version eq HTTP/1

Parameter - The query part of the URL which is passed to the servers as a name-value pair. In addition, the word "$NONAME_PARAM" can be used when the parameter name is absent. Examples: Parameter sid eq 1234, Parameter $NONAME_PARAM co abcd

Pathinfo - The portion of the URL which contains extra information about the path of the resource on the server. Example: pathinfo rco abc*

Response Rewrite Tokens

These tokens can be used in a response Rewrite Condition:

Header - The HTTP header in the request. The word Header precedes the name of the relevant header, or * to indicate all headers. Examples: Header Accept co soap, Header Soap-Action ex.

Response-Header - An HTTP header on the response path. The term "Response-Header" should be followed by the name of the header on which the action is to be applied. Example: Response-Header Set-Cookie co sessionid.

Status-Code - The status code of the response returned by the servers. Example: Status-Code eq 200

Operations for Request Rewrite and Response Rewrite Conditions

These operations can be combined with Request Rewrite Tokens and Response Rewrite Tokens in a request or response Rewrite Condition:

  contains, CONTAINS, co, CO        Token contains the given value.
  ncontains, NCONTAINS, nco, NCO    Token does not contain the given value.
  rcontains, RCONTAINS, rco, RCO    Token contains the given value, which is interpreted as a regular expression.
  equals, EQUALS, eq, EQ            Token equals the given value.
  nequals, NEQUALS, neq, NEQ        Token does not equal the given value.
  requals, REQUALS, req, REQ        Token equals the given value, which is interpreted as a regular expression.
  exists, EXISTS, ex, EX            Token exists.
  nexists, NEXISTS, nex, NEX        Token does not exist.

Configuring Response Body Rewrite

This policy sets the rule for searching and replacing any text string in the response body. Only responses whose content-type begins with text/ can be searched, including text/html, text/plain, text/javascript, text/css and text/xml. Neither flash nor applet content can be searched. The search and replace strings should be text rather than regular expressions. Metacharacters such as \r or \n cannot be used in either the search or the replace string, which means you cannot search and replace any multi-byte charset strings.

To configure Response Body Rewrite, use TRAFFIC > Website Translations > Response Body Rewrite. For detailed configuration instructions, click Help on that page.

Supported Macros

For Request Rewrites

$SRC_ADDR - Inserts the source (client) IP address. You can use it for the new value (Rewrite Value parameter) when inserting or rewriting a header.
$URI - Should be specified in the new value if you are rewriting or redirecting the URI. $URI specifies the complete request URI including the query string.
$X509_VERSION - The client certificate's X509 version string.
$X509_SERIAL_NUMBER - The serial number of the client certificate.
$X509_SIGNATURE_ALGORITHM - The Signature Algorithm used in the client certificate.
$X509_ISSUER - The client certificate's issuer string.
$X509_NOT_VALID_BEFORE - Time from which the client certificate is valid.
$X509_NOT_VALID_AFTER - Time after which the client certificate is invalid.
$X509_SUBJECT - The client certificate's Subject string.
$X509_SUBJECT_PUBLIC_KEY_TYPE - The X509 Certificate Subject Key Identifier String of the client certificate.
$X509_SUBJECT_PUBLIC_KEY - Public Key modulus of the client certificate.
$X509_SUBJECT_PUBLIC_KEY_RSA_BITS - Size of the client certificate's public key, in bits.
$X509_EXTENSIONS - The client certificate's X509 Extensions String.
$X509_HASH - The X509 Hash string of the client certificate.
$X509_WHOLE - The X509 client certificate represented as a string in PEM format.
$AUTH_USER - Adds the username.*
$AUTH_PASSWD - Adds the password.*
$AUTH_GROUPS - Adds the user roles.*

* Special values are substituted for these three macros in the following cases:
  - The URL is not protected, i.e. access control or authentication is off: the value substituted for the above three macros will be the special string NCURLNotProtected.
  - The client has not logged in: the value substituted for the above three macros will be the special string NCNoUserSession.
  - The user does not belong to any groups: the value substituted for $AUTH_GROUPS will be the special string NCNOUserRoles.
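The condition grammar and the Insert/Remove/Rewrite Header actions described above, worked through as an added example (this is not Barracuda's own code and is not how the appliance is implemented). It evaluates conditions built from the Header, Client-IP, URI, Method, HTTP-Version and Parameter operands, the co/nco/rco/eq/neq/req/ex/nex operators, the &&/|| and and/or joins and nested parentheses, then applies rules in Sequence Number order with $SRC_ADDR, $URI and $1..$n substitutions and the Continue Processing stop. Assumed, because the page does not say: value matching is case-insensitive, a leading word that is not an operand keyword is an "AnyString EX" search over the whole header block, && binds tighter than ||, and the request is a plain dict; the request and addresses in `sample_request` are constructed (RFC 5737 documentation ranges).

```python
import ipaddress
import re

# Operator spellings (long and short, any case) normalised to the short form.
OPS = {"contains": "co", "ncontains": "nco", "rcontains": "rco", "equals": "eq",
       "nequals": "neq", "requals": "req", "exists": "ex", "nexists": "nex"}
OPS.update({v: v for v in list(OPS.values())})


def _values(req, words):
    """Candidate values named by the operand at words[0], plus the leftover words."""
    kind, headers = words[0].lower(), {k.lower(): v for k, v in req["headers"].items()}
    if kind == "header":                       # Header <name|*> op value
        name = words[1].lower()
        return (list(headers.values()) if name == "*" else
                [headers[name]] if name in headers else []), words[2:]
    if kind == "parameter":                    # Parameter <name|$NONAME_PARAM> op value
        vals = []
        for part in filter(None, req["uri"].partition("?")[2].split("&")):
            k, sep, v = part.partition("=")
            if k == words[1] or (not sep and words[1] == "$NONAME_PARAM"):
                vals.append(v if sep else k)
        return vals, words[2:]
    field = {"uri": "uri", "method": "method", "http-version": "http_version",
             "pathinfo": "pathinfo"}.get(kind)
    if field:
        return [req.get(field, "")], words[1:]
    block = "\n".join(f"{k}: {v}" for k, v in req["headers"].items())   # AnyString EX (assumed)
    return ([block] if kind in block.lower() else []), words[1:]


def eval_atom(req, text):
    """Evaluate one 'operand [name] operator [value]' expression."""
    words = text.split()
    if words[0].lower() == "client-ip":        # only eq / neq are allowed here
        hit = ipaddress.ip_address(req["client_ip"]) in ipaddress.ip_network(words[2], strict=False)
        return hit if OPS[words[1].lower()] == "eq" else not hit
    vals, rest = _values(req, words)
    op = OPS[rest[0].lower()]
    if op in ("ex", "nex"):
        return bool(vals) == (op == "ex")
    value = " ".join(rest[1:]).lower()         # case-insensitive matching (assumed)
    tests = {"co": lambda v: value in v.lower(), "eq": lambda v: v.lower() == value,
             "rco": lambda v: re.search(value, v, re.I) is not None,
             "req": lambda v: re.fullmatch(value, v, re.I) is not None}
    negate = op in ("nco", "neq")
    return any(tests[op[1:] if negate else op](v) for v in vals) != negate


def _ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _join(s, i, symbols):
    """Index just past a join symbol found at i (ignoring whitespace), else None."""
    i = _ws(s, i)
    return next((i + len(x) for x in symbols if s[i:i + len(x)].lower() == x), None)


def _factor(req, s, i):                        # '(' expr ')'  |  '(' atom ')'
    i = _ws(s, i)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[_ws(s, i)] == "(":                    # nested group
        val, i = _expr(req, s, i)
        return val, _ws(s, i) + 1              # consume the closing ')'
    depth, start = 1, i                        # atom: scan to the matching ')'
    while depth:
        depth += {"(": 1, ")": -1}.get(s[i], 0)
        i += 1
    return eval_atom(req, s[start:i - 1]), i


def _term(req, s, i):                          # factor (&& factor)*
    val, i = _factor(req, s, i)
    while (j := _join(s, i, ("&&", "and"))) is not None:
        rhs, i = _factor(req, s, j)
        val = val and rhs
    return val, i


def _expr(req, s, i):                          # term (|| term)*
    val, i = _term(req, s, i)
    while (j := _join(s, i, ("||", "or"))) is not None:
        rhs, i = _term(req, s, j)
        val = val or rhs
    return val, i


def eval_condition(req, cond):
    """Evaluate a Rewrite Condition; '*' means no condition (always true)."""
    return True if cond.strip() == "*" else _expr(req, cond, 0)[0]


def expand(req, value, match=None):
    """Substitute the $SRC_ADDR / $URI macros and $1..$n back-references."""
    out = value.replace("$SRC_ADDR", req["client_ip"]).replace("$URI", req["uri"])
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", out) if match else out


def apply_rules(req, rules):
    """Apply rules in Sequence Number order to req['headers']; return the names changed."""
    changed = []
    for rule in sorted(rules, key=lambda r: r["sequence"]):
        if not eval_condition(req, rule.get("condition", "*")):
            continue
        hdrs, name = req["headers"], rule["header"]
        key = next((k for k in hdrs if k.lower() == name.lower()), name)
        if rule["action"] == "Insert Header":
            hdrs[key] = expand(req, rule["value"])
        elif rule["action"] == "Remove Header" and key in hdrs:
            del hdrs[key]
        elif rule["action"] == "Rewrite Header" and key in hdrs:
            old = rule.get("old_value", "*")           # '*' rewrites unconditionally
            m = None if old == "*" else re.search(old, hdrs[key])
            if old != "*" and m is None:
                continue
            hdrs[key] = expand(req, rule["value"], m)
        else:
            continue
        changed.append(key)
        if not rule.get("continue_processing", True):  # Continue Processing = No
            break
    return changed


def sample_request():
    """Constructed request used by the checks below (documentation addresses)."""
    return {"method": "POST", "uri": "/abc/index.html?sid=1234&token",
            "http_version": "HTTP/1.1", "client_ip": "192.0.2.7",
            "headers": {"Host": "www.example.com", "User-Agent": "Mozilla/5.0",
                        "Cookie": "SESSIONID=abc123; theme=dark",
                        "X-Internal-Host": "app01.corp.example"}}
```

A rule set mirroring the page's own default (Insert Header X-Forwarded-For with $SRC_ADDR) followed by a Rewrite Header rule that uses $1 and a Remove Header rule with Continue Processing set to No stops evaluation before later rules run, which is the behaviour the Note above describes.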

For Response Page

%action-id - The attack id of the violation which resulted in this response page being displayed.
%host - The host which sent this request.
%s - The URL of the request which caused this violation.
%client-ip - The client IP address of the request which caused the violation.
%attack-time - The time at which the violation occurred.
%attack-name - The attack name of the violation which resulted in the response page being displayed.

How to Use the Response Rewrite Function to Enable Web Sites for Google Analytics

Response Body Rewrite rules apply to Layer 7 - HTTP Services only. This article assumes you have a Google Analytics account to obtain the code for use in the response body.

Response Body Rewrite Rules

The Response Body Rewrite option provides a single point for managing response rewrites to offload Google indexing to the Barracuda Load Balancer ADC. Create rules to search and replace any string in the body of outbound responses to remove server banners or other header or body information you do not wish clients to see, or to eliminate extra code in web site pages. Only responses where the content-type begins with "text/" (text/html, text/plain, text/javascript, text/css, text/xml) are searched; flash and applet content are not supported. The search and replace strings must be text; regular expressions cannot be used.

Google Analytics Example

This example describes how to offload Google indexing by inserting Google Analytics code into the responses. Search for a unique text string, for example </html> or Copyright, that is guaranteed to appear in a page only once, so that the search and replace does not duplicate the code. In this example, the Google Analytics code is inserted into the responses by searching for a string guaranteed to be present in every page, which is then replaced with that string plus the Google Analytics code.

To create the rule, complete the following steps:

1. Log into the Barracuda Load Balancer ADC as the administrator, and go to the TRAFFIC > Web Translations page.
2. Go to the Response Body Rewrite section.
3. In the Rule Name field, enter a name for the rule, for example: Google
4. In the Sequence Number field, enter the order of execution if there is more than one rule. Range: 1 to 128, where 1 is executed first.
5. In the Host Match field, enter *, which will be used to match the hostname field in the request header.
6. In the URL Match field, enter /*, which will be used to match the URL field in the request header. This value means that the ACL applies to all URLs in that domain.
7. In the Search String field, enter the unique text string to be searched, for example: </html>
8. In the Replace String field, enter the Google Analytics code followed by the search string.
9. Click Add.

Related Articles

Understanding HTTP Rewrite Rules
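The Response Body Rewrite rule above, modelled as an added example (not Barracuda's code and not a description of the appliance's internals). It applies the Table 7 fields as described: single-asterisk Host Match and URL Match, a plain-text (non-regex) search and replace that is only attempted when the content-type begins with text/, and rules run in Rule Order. Two things the page implies but does not spell out are made explicit: `bad_anchors` reports pages where the search string does not occur exactly once (the duplication the article warns about), and the Content-Length header is recomputed after the body changes, which is an assumption about what a correct proxy must do rather than something the page states. The `SNIPPET` is a constructed stand-in, not real Google Analytics code.

```python
def wildcard_match(pattern, value):
    """Match with at most one asterisk, as Host Match and URL Match allow."""
    if pattern.count("*") > 1:
        raise ValueError("only a single asterisk is allowed")
    head, star, tail = pattern.partition("*")
    if not star:
        return pattern == value
    return (value.startswith(head) and value.endswith(tail)
            and len(value) >= len(head) + len(tail))


def searchable(content_type):
    """Only bodies whose content-type begins with text/ are searched."""
    return content_type.strip().lower().startswith("text/")


def bad_anchors(pages, search):
    """Names of pages where the search string is absent or repeated.

    A repeated anchor would insert the snippet more than once; an absent one
    means the page is silently left untouched.
    """
    return [name for name, body in pages.items() if body.count(search) != 1]


def apply_rules(rules, host, url, headers, body):
    """Run matching rules in Rule Order over one response.

    Returns (headers, body, hits) where hits lists (rule name, occurrences replaced).
    """
    hits = []
    if not searchable(headers.get("Content-Type", "")):
        return headers, body, hits
    for rule in sorted(rules, key=lambda r: r["rule_order"]):
        if not (wildcard_match(rule["host_match"], host)
                and wildcard_match(rule["url_match"], url)):
            continue
        n = body.count(rule["search"])
        if n:
            body = body.replace(rule["search"], rule["replace"])   # literal text, no regex
            hits.append((rule["rule_name"], n))
    if hits and "Content-Length" in headers:
        # Assumption: the body length changed, so the header must follow it.
        headers = {**headers, "Content-Length": str(len(body.encode("utf-8")))}
    return headers, body, hits


# Constructed placeholder for the tracking snippet; not real Google Analytics code.
SNIPPET = '<script src="https://analytics.example/tracker.js"></script>'

# The rule the steps above build: Host Match *, URL Match /*, search </html>,
# replace with the snippet followed by the search string.
GOOGLE_RULE = {"rule_name": "Google", "rule_order": 1, "host_match": "*",
               "url_match": "/*", "search": "</html>",
               "replace": SNIPPET + "</html>"}
```

Run `bad_anchors` over a crawl of the site before enabling the rule; if any page reports a count other than one, pick a different anchor string rather than accepting a doubled snippet.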

Understanding HTTP Caching

Use the TRAFFIC > HTTP Caching page to edit caching parameters for a Service or Rule. From this page you can set the following parameters:

- Enable/disable caching for the Service or Rule
- Specify response file extensions that can be cached
- Specify maximum and minimum object size for caching
- Specify whether to ignore request headers, response headers, and negative responses
- Enter the default cached object expiration age

Additional Information

For more information on editing caching parameters for an HTTP or HTTPS Service or Rule, log into the Barracuda Load Balancer ADC web interface, go to the TRAFFIC > HTTP Caching page, click the Edit icon next to the Service or Rule you wish to change, and then click the Help button.

Understanding HTTP Compression

This article applies to Services with type HTTP/HTTPS. You can create a compression policy, including the applicable response content types, for a Rule or Service with HTTP/HTTPS Services on the TRAFFIC > HTTP Compression page in the web interface. All configured Services and Rules display in the Compression table.

To edit HTTP compression, go to the TRAFFIC > HTTP Compression page, and click the Edit icon following the Service or Rule you wish to modify; the edit page displays. Modify the compression settings, and then click Save Changes.

Logging

In this Section

- How to Configure Syslog and other Logs
- How to Make the Client IP Address Available to the Back-end Server
- Logging Actual Client IP Address in the IIS 7 and IIS 7.5 Server
- Logging Actual Client IP Address on the Apache Server
- How to Mask Sensitive Data in Logs

How to Configure Syslog and other Logs

Contents: Overview; Enabling Syslog; Steps To Add a Syslog Server; Syslog Facility; To configure facilities for different log types; To configure log levels for different modules; Log Formats; Custom Log Format; Log Format Separators; Steps To Configure Logs Format; System Logs; Web Firewall Logs; Attack Groups; Access Logs; Audit Logs; Network Firewall Logs; Table of Log Formats.

Overview

The Barracuda Load Balancer ADC generates five types of logs which can be exported to configured remote servers using the syslog mechanism. These logs also reside in the Barracuda Load Balancer ADC log database, viewable in the GUI on various tabs. In addition, logs can be exported in CSV format to external files.

This article describes each element of the syslog messages so an administrator can analyze events and understand how the Barracuda Load Balancer ADC handled each logged event. The syslog format details can help you use external parsers or other agents to process the syslog messages sent from the Barracuda Load Balancer ADC. The following logs are explained briefly below. These logs can be segregated and distributed using the LOCAL0 through LOCAL7 facilities, making management of these logs on the external syslog servers easier.

System Logs: These are the events generated by the system and show the general activity of the system.

Web Firewall Logs: These are the events which indicate the web firewall activity in terms of allowing, blocking or modifying the incoming requests and responses as defined in the Barracuda Load Balancer ADC rules and policies.

Access Logs: These events pertain to the traffic activity and log various elements of the incoming HTTP request and the responses from the back-end servers.

Audit Logs: These events pertain to the auditing events generated by the system, which log the configuration and UI activity by users such as admin.

Network Firewall Logs: These events are generated whenever network traffic passing through the interfaces (MGMT and configured interfaces) matches a configured Network ACL rule.

If you have any questions after reading this document, please contact Barracuda Networks Technical Support.
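The facility-based segregation described in the overview (one LOCAL facility per log type, separated again on the receiving syslog server), together with the severity ordering used by the module log levels later in this article, as an added example on the receiving side; this is not Barracuda's code. Syslog encodes facility and severity together in the leading `<PRI>` field (PRI = facility * 8 + severity, local0 being facility 16), so a receiver can route each message to the right file and drop anything less urgent than a chosen level. The facility-to-log-type mapping `FACILITY_MAP` is a constructed configuration (the appliance defaults every log type to local0), and `SAMPLE_LINES` are constructed messages shaped like the examples in this article, not captured output.

```python
import re
import socket

# Severity 0 is the highest priority, 7 the lowest (same ordering as the module log levels).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Information", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed mapping of one facility per Barracuda log type (configured under
# ADVANCED > Export Logs > Syslog Settings on the appliance side).
FACILITY_MAP = {"local0": "System", "local1": "Web Firewall", "local2": "Access",
                "local3": "Audit", "local4": "Network Firewall"}


def parse_pri(line):
    """Split '<PRI>body' into (facility name, severity number, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, severity, m.group(2)


def route(lines, facility_map=FACILITY_MAP, max_level=7):
    """Group messages by log type, dropping anything with a level above max_level.

    Returns {log type: [(severity name, body), ...]}. Messages from a facility
    that is not in the map land under "Unmapped" so nothing is silently lost.
    """
    out = {}
    for line in lines:
        facility, severity, body = parse_pri(line)
        if severity > max_level:                 # lower number = higher priority
            continue
        log_type = facility_map.get(facility, "Unmapped")
        out.setdefault(log_type, []).append((SEVERITIES[severity], body))
    return out


def serve_udp(port=514, facility_map=FACILITY_MAP):
    """Minimal UDP receiver that prints each message with its log type and severity.

    Binding port 514 needs privileges; use a high port for testing. The appliance
    side must have this host configured under ADVANCED > Export Logs.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        facility, severity, body = parse_pri(data.decode("utf-8", "replace"))
        print(f"{peer} [{facility_map.get(facility, 'Unmapped')}/{SEVERITIES[severity]}] {body}")


# Constructed samples: <134> = local0/Information, <137> = local1/Alert,
# <150> = local2/Information, <159> = local3/Debug.
SAMPLE_LINES = [
    "<134>Feb  3 15:09:02 lbadcbox1 STM: LB 5 LookupServerCtx = 0xab0bb600",
    "<137>Feb  3 15:09:05 lbadcbox1 WF ALER SQL_INJECTION_IN_PARAM 192.0.2.10 ...",
    "<150>Feb  3 15:09:06 lbadcbox1 TR 192.0.2.10 GET /index.html 200",
    "<159>Feb  3 15:09:07 lbadcbox1 AUDIT admin LOGIN",
]
```

Running `route(SAMPLE_LINES, max_level=1)` keeps only the Web Firewall alert, which is the kind of filter a SIEM forwarding rule would apply; on a UNIX syslog daemon the same segregation is normally expressed as one destination per facility.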

Enabling Syslog

To export logs to remote syslog servers, navigate to the ADVANCED > Export Logs page. In the Syslog section, enter the name and IP addresses of up to 3 syslog servers where you want to direct the System logs, Web Firewall logs, Access logs, Audit logs and Network Firewall logs. See Steps To Add a Syslog Server.

If you are running syslog on a UNIX machine, be sure to start the syslog daemon process with the -r option so it can receive messages from external sources. Windows users require additional software to utilize syslog, since the Windows OS does not include the syslog capability. Kiwi Syslog is a popular solution, but there are many others to choose from, both free and commercial.

Syslog messages are sent over UDP/TCP/SSL ports. If there are any firewalls between the Barracuda Load Balancer ADC and the configured external servers, ensure that the respective port is open on the firewalls.

Steps To Add a Syslog Server

1. Go to the ADVANCED > Export Logs page.
2. In the Syslog section, click Add Syslog Server. The Add Syslog Server window appears; specify values for the following:
   a. Name - Enter a name for the syslog server.
   b. IP Address - Enter the IP address of the syslog server.
   c. Port - Enter the port associated with the IP address of the syslog server.
   d. Connection Type - Select the connection type to transmit the logs from the Barracuda Load Balancer ADC to the syslog server. UDP is the default for syslog communication. UDP, TCP or SSL can be used in the case of an NG Syslog server.
   e. Validate Server Certificate - Set to Yes to validate the syslog server certificate using the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted.
   f. Client Certificate - When set to Yes, the Barracuda Load Balancer ADC presents a certificate while connecting to the syslog server.
   g. Certificate - Select the certificate to be presented by the Barracuda Load Balancer ADC while connecting to the syslog server. Certificates can be uploaded on the BASIC > Certificates page. For more information on how to upload a certificate, see How to Add an SSL Certificate.
3. Click Add.

Syslog Facility

Syslog receives different types of log messages. In order to differentiate and store them in distinct log files, log messages contain a logging priority and a logging facility in addition to the actual message and IP address. All log messages are marked with one of the following facilities: local0, local1, local2, local3, local4, local5, local6, local7. For each configured syslog server, you can associate a specific facility (default = local0) with each log type, so your syslog server can segregate the log of each type into a different file.

To configure facilities for different log types

1. Navigate to the ADVANCED > Export Logs page.
2. In the Syslog section, click Syslog Settings. The Syslog Settings dialog box appears.
3. Select the appropriate facility (Local0 to Local7) from the drop-down list for each log type and click Save Changes.

You could set the same facility for all the log types. For example, you could set Local0 for System Logs, Web Firewall Logs, Access Logs, Audit Logs and Network Firewall Logs.

To configure log levels for different modules

1. Go to the ADVANCED > Export Logs page.
2. In the Module Log Levels section, specify values for the following fields:
   a. Name - Enter a name for the new setting.

   b. Module - Select a module name from the drop-down list.
   c. Log Level - Select a log level for the module from the drop-down list. By default, the log level is set to 0-Emergency. Note that the lower the level, the higher the priority and the more attention the log entry demands. For example, log levels 0-Emergency and 1-Alert are the highest priority situations, demanding a more immediate response than 5-Notice or 6-Information.
   d. Comment - (Optional) Enter a comment about the new setting.
3. Click Add to add the above settings.

Module Log Level is an advanced feature, and is available only when Advanced Settings is set to Yes on the ADVANCED > System Configuration page.

Log Formats

You can customize the Web Firewall Logs, Access Logs, and Audit Logs formats sent to the syslog server. You can choose from the predefined log formats (Common Log Format, NCSA Extended Format, W3C Extended Format, or Default), or you can create a Custom Format. Given below are the steps to specify the Custom Format. Depending upon the configuration, the IP address of a Service, Client IP or Server IP can be either IPv4 or IPv6.

Custom Log Format

To customize the log format for any Log Type (except System Logs):

1. Navigate to the ADVANCED > Export Logs page.
2. In the Logs Format section, select Custom Format for any of the log types. The Custom Format can be defined in two ways:
   a. Specify "%" followed by a letter. The letters and their meanings are given in the Table of Log Formats for the different log types. For example, if you configure "%h %u %t %r %ua %ci" as the custom format, the output will be " Jan 13 16:19:22 wsf /cgi-bin/process.cgi :49: "-" "Wget/10.2 (Red Hat modified)" ".
   b. OR, specify "name=value" format. For example, if you configure "host=%h url=%u time=%t ref=%r uagent=%ua src=%ci" as the custom format, the output will be "Jan 13 16:19:22 wsf host= url=/cgi-bin/process.cgi time= :49: ref="-" uagent="wget/10.2 (Red Hat modified)" src= ". This format is used by some SIEM vendors such as ArcSight.
Click Save Changes to save the settings. Log Format Separators Wh defining log formats you can use space as a separator betwe each log format for Web Firewall Logs Format, Access Logs Format an d Audit Logs Format. For Access Logs Format, you could also use pipe ( ) or semicolon (;) separators. Log formats can be separated by a single separator or a combination of space, pipe and semicolon separators. Log formats can use only one separator in each place i.e. space (" "), pipe ( ) or semicolon. For example: %h %id %u;%t %r %s For information on how to manage these logs please see the documtation available for your syslog server. Steps To Configure Logs Format Go to the ADVANCED > Export Logs page. In the Logs Format section, specify values for the following fields: a. Syslog Header Specify a header format, which will be displayed wh %header is used in the logs format. For example, consider the header format is "Barracuda", and the defined custom format is "%header %h %u %t %r %ua %ci". The output will be "Barracuda Jan 13 16:19:22 wsf /cgi-bin/process.cgi :49: "-" "Wget/10.2 (Red Hat modified)" ". Values: i. ii. iii. b. Web Firewall Logs Format Select the format in which the Web firewall logs should be st to the syslog server. Values: i. Default - The default Web firewall log format defined by the Barracuda Load Balancer ADC. ii. ArcSight Log Header - Uses this header format in the logs format. QRadar Log Header - Uses this header format in the logs format. Custom Header - Define a custom header format to be used in the logs format. 130

131 b. c. ii. iii. iv. v. vi. vii. i. ii. iii. iv. v. vi. vii. viii. ix. x. d. Audit Logs Format Select the format in which the audit logs should be st to the syslog server. Values: i. ii. iii. iv. v. vi. vii. CEF:0 (ArcSight) - The Common Evt Format (CEF) log used by ArcSight. LEEF0 (QRadar) - The Log Evt Enhanced Format (LEEF) log used by QRadar. Symantec SIM The default log format used by Symantec SIM. RSA Vision - The default log format used by RSA vision. Splunk The default log format used by Splunk. Custom Format - Define a custom log format using the values displayed under Web Firewall Logs in the Table of Log Formats. Access Logs Format Select the format in which the access logs should be st to the syslog server. Values: Click Save Changes. Default - The default access log format defined by the Barracuda Load Balancer ADC. Common Log Format - The default format for logged HTTP information. NCSA Extded Format - The Common Log Format appded with referer and agt information. W3C Extded Format - The default log format used by Microsoft Internet Information Server (IIS). CEF:0 (ArcSight) - The Common Evt Format (CEF) log used by ArcSight. LEEF0 (QRadar) - The Log Evt Enhanced Format (LEEF) log used by QRadar. Symantec SIM - The default log format used by Symantec SIM. RSA Vision - The default log format used by RSA Vision. Splunk The default log format used by Splunk. Custom Format - Define a custom log format using the values displayed under Access Logs in the Table of Log Formats. Default - The default audit logs format defined by the Barracuda Load Balancer ADC. CEF:0 (ArcSight) - The Common Evt Format (CEF) log used by ArcSight. LEEF0 (QRadar) - The Log Evt Enhanced Format (LEEF) log used by QRadar. Symantec SIM The default log format used by Symantec SIM. RSA vision The default log format used by RSA vision. 
Splunk The default log format used by Splunk Custom Format - Define a custom log format using the values displayed under Audit Logs in the Table of Log Formats. The sections below describe the formats of the logs and elemts st over in each type of the evt gerated by the Barracuda Load Balancer ADC. Please be aware that syslog implemtations vary, and may not display the messages in this exact format. However, these sections should be prest in the syslog lines. System Logs The default log format for the evts gerated by the Barracuda Load Balancer ADC system is as follows: %t %md %ll %ei %ms You cannot customize the format of System Logs. For information on default log formats and their meanings, see Table Example: Feb 3 15:09:02 wsf STM: LB LookupServerCtx = 0xab0bb600 Detailed Description The following table describes each elemt of a system log with respect to the above example: Field Name Example Description Time Stamp Feb 3 15:09:02 wsf STM: The date and time at which the evt occurred. Module Name LB Dotes the name of the module that gerated the logs. For example: STM, SAPD, LB, etc. 131

Log Level
  Example: 5
  The log level number. Values:
    0-Emergency - System is unusable (highest priority).
    1-Alert - Response must be taken immediately.
    2-Critical - Critical conditions.
    3-Error - Error conditions.
    4-Warning - Warning conditions.
    5-Notice - Normal but significant condition.
    6-Information - Informational message (on ACL configuration changes).
    7-Debug - Debug-level message (lowest priority).

Event ID
  The event ID of the module.

Message
  Example: LookupServerCtx = 0xab0bb600
  Denotes the log message for the event that occurred.

Web Firewall Logs

All the actions/events on the web firewall are logged under Web Firewall Logs. These logs help the administrator analyze the traffic for suspicious activity and also fine-tune the web firewall policies. Navigate to the BASIC > Web Firewall Logs page to view the generated log messages. This log data is obtained from the log database on the Barracuda Load Balancer ADC itself. As noted above, the external syslog server IP for these logs is specified under ADVANCED > Export Logs > Syslog.

Over syslog, every log in the Barracuda Load Balancer ADC has a level associated with it, which indicates the severity of the log. An administrator can configure what level of logs should be recorded for each service by editing the Service on the BASIC > Services page.

The default log format for Web Firewall Logs:

%t %un %lt %sl %ad %ci %cp %ai %ap %ri %rt %at %fa %adl %m %u %p %sid %ua %px %pp %au %r %aid %ag

Unit Name, Log Type, and Log ID are not displayed on the BASIC > Web Firewall Logs page.
IPv4 Example:

:49: lbadcbox1 WF ALER SQL_INJECTION_IN_PARAM webapp1:deny_ban_dir GLOBAL LOG NONE "[type=""sql-injection-medium"" pattern=""sql-quote"" token=""' or "" Parameter=""address"" value=""hi' or 1=1--""]" POST /cgi-bin/process.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:8.20) Gecko/ Firefox/0.0.20" Kevin ATTACK_CATEGORY_INJECTION

IPv6 Example:

:49: lbadcbox1 WF ALER SQL_INJECTION_IN_PARAM fe80::202:b3ff:fe1e: :db8:85a3::8a2e:370: webapp1:deny_ban_dir GLOBAL LOG NONE "[type=""sql-injection-medium"" pattern=""sql-quote"" token=""' or "" Parameter=""address"" value=""hi' or 1=1--""]" POST /cgi-bin/process.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:8.20) Gecko/ Firefox/0.0.20" fe80::202:b3ff:fe1e: Kevin :db8:85a3::8a2e:370:7334/cgi-bin/pl ATTACK_CATEGORY_INJECTION

Detailed Description

The following table describes each element of a web firewall log with respect to the above example:

Time Stamp: The time recorded in the format yyyy-mm-dd hh:mm:ss.s tzd, where .s is one or more digits representing a decimal fraction of a second and tzd is the time zone designator, either Z, +hh:mm or -hh:mm.
Unit Name (lbadcbox1): The name of the unit, which is the same as the Default Hostname on the BASIC > IP Configuration page.
Log Type (WF): Specifies whether the entry is a Web Firewall Log, Access Log, Audit Log or Network Firewall Log. Values: WF, TR, AUDIT, NF.
Severity Level (ALER): Defines the seriousness of the attack. Values: Emergency, system is unusable (highest priority); Alert, response must be taken immediately; Critical, critical conditions; Error, error conditions; Warning, warning conditions; Notice, normal but significant condition; Information, informational message (on ACL configuration changes); Debug, debug-level message (lowest priority).
Attack Description (SQL_INJECTION_IN_PARAM): The name of the attack triggered by the request.
Client IP (fe80::202:b3ff:fe1e:8329 in the IPv6 example): The IP address of the client sending the request. Note that an intermediate proxy or gateway may have overwritten the actual source IP of the client with its own. To retrieve the actual client IP for logging, configure the Header Name For Actual Client IP under the Edit actions for a service on the BASIC > Services page. If this is configured, the actual client IP is extracted from the header (e.g. X-Forwarded-For), used to populate this field, and also used in security policy checks involving the client IP. See the related Proxy IP field below.
Client Port: The port relevant to the client IP address.
Application IP (2001:db8:85a3::8a2e:370:7334 in the IPv6 example): The IP address of the application that receives the traffic.

Application Port (80): The port relevant to the IP address of the application.
Rule ID (webapp1:deny_ban_dir): The path of the URL ACL that matched the request. Here "webapp1" is the web application and "deny_ban_dir" is the name of the URL ACL created on the SECURITY > Allow/Deny Rules page.
Rule Type (GLOBAL): The type of rule that was hit by the request that caused the attack. Expected values:
  Global - the request matched one of the global rules configured under Security Policies.
  Global URL ACL - the request matched one of the global URL ACL rules configured under Security Policies.
  URL ACL - the request matched one of the Allow/Deny rules configured specifically for the given website.
  URL Policy - the request matched one of the Advanced Security rules configured specifically for the given website.
  URL Profile - the request matched one of the rules configured on the URL Profile.
  Parameter Profile - the request matched one of the rules configured on the Parameter Profile.
  Header Profile - the request matched one of the rules configured on the Header Profile.
Action Taken (LOG): The action applied to the traffic. DENY denotes that the traffic is denied. LOG denotes monitoring of the traffic with the assigned rule. WARNING warns about the traffic.
Follow-up Action (NONE): The follow-up action as specified by the action policy. It is either None or Locked, if lockout is chosen.
Attack Details ([type=""sql-injection-medium"" pattern=""sql-quote"" token=""' or "" Parameter=""address"" value=""hi' or 1=1--""]): The details of the attack triggered by the request.
Method (POST): The HTTP method used by the request. Values: GET, POST, HEAD, etc.

URL (/cgi-bin/process.cgi, or 2001:db8:85a3::8a2e:370:7334/cgi-bin/process.cgi in the IPv6 example): The URL specified in the request.
Protocol (HTTP): The protocol used for the request.
Session ID (REQ-0+RES-0): The value of the session tokens found in the request if session tracking is enabled. Session Tracking is configured on the SECURITY > Advanced Security page.
User Agent (Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:8.20) Gecko/ Firefox/): The value contained in the User-Agent request header. Normally this information is submitted by the client and details the browser, operating system, software vendor or software revision in an identification string.
Proxy IP (fe80::202:b3ff:fe1e:8329 in the IPv6 example): If the client requests are coming through a proxy or gateway, this field provides the IP address of the proxy. A client-side proxy or gateway changes the source IP of the request to its own and embeds the actual client's IP in an HTTP header such as X-Forwarded-For or X-Client-IP. The Barracuda Load Balancer ADC, if configured, ignores the proxy IP and extracts the actual client IP from the appropriate header to apply security policies and to log the Client IP field above. This field preserves the proxy IP address for cases where it is required, e.g. forensics and analytics. Note: The actual client IP header is configured using the Header Name For Actual Client IP under the Edit actions for a service on the BASIC > Services page.
Proxy Port: The port of the proxy server whose IP address has been logged in the Proxy IP field above.
Authenticated User (Kevin): The username of the currently authenticated client requesting the web page. This is available only when the request is for a service that is using the AAA (User Access Control) module.
Referrer (:db8:85a3::8a2e:370:7334/cgi-bin/pl in the IPv6 example): The value contained in the Referer HTTP request header. It identifies the web resource from which the client was referred to the requested URL.

Attack ID: An internally stored attack identification number.
Attack Group (ATTACK_CATEGORY_INJECTION): The attack group under which some of the attacks are defined. See Attack Groups.

Attack Groups

The table below lists the Attack Names under each Attack Group, with the event ID (where listed), description, severity and attack type of each:

Advanced Policy Violations

INVALID_URL_CHARSET (Warning; Attack Obfuscation): The request contained a character that is not valid in the character set. To determine the character set of the request, the Barracuda Load Balancer ADC relies on several configuration elements such as Default Character Set, Detect Response Charset and Response Charset.
BRUTE_FORCE_FROM_IP (Alert; DOS Attack): The number of accesses to the resource by the client IP exceeded the number defined in the brute-force prevention policy for this application.
BRUTE_FORCE_FROM_ALL_SOURCES (Alert; DOS Attack): The cumulative number of accesses to the resource by all sources exceeded the number defined in the brute-force prevention policy for this application.

Application Profile Violations

NO_DOMAIN_MATCH_IN_PROFILE (Alert; Forceful Browsing): The request sent by the browser corresponds to a domain which is not found in the application profile.
NO_URL_PROFILE_MATCH (Alert; Forceful Browsing): The request sent by the browser contained a URL for which no matching URL Profile is found in the application profile.

Header Violations

HEADER_META_VIOLATION (Event ID 29007; Alert; Command Injection): The header contained a metacharacter which is part of the Denied Metacharacters configured in the Header ACL for this application.
CUSTOM_ATTACK_PATTERN_IN_HEADER (Alert; Command Injection): The header contained an attack pattern that matched a pattern configured as part of the Custom Blocked Attack Types for this header in the Header ACL.
SQL_INJECTION_IN_HEADER (Alert; SQL Injection): The header contained an SQL injection attack which matched an attack pattern configured under Blocked Attack Types for this header in the Header ACL.
CROSS_SITE_SCRIPTING_IN_HEADER (Alert; Cross-site Scripting): The header contained a cross-site scripting attack which matched an attack pattern configured under Blocked Attack Types for this header in the Header ACL.
OS_CMD_INJECTION_IN_PARAM (Alert; Command Injection): The header contained an OS command injection attack which matched an attack pattern configured under Blocked Attack Types for this header in the Header ACL.
DIRECTORY_TRAVERSAL_IN_HEADER (Alert; Directory Traversal): The header contained a directory traversal attack which matched an attack pattern configured under Blocked Attack Types for this header in the Header ACL.

Param Profile Violations

READ_ONLY_PARAM_TAMPERED (Alert; Form Tampering): The read-only parameter had a value which was different from what the Barracuda Load Balancer ADC learned from the form that was sent to the browser.

SESSION_INVARIANT_PARAM_TAMPERED (Event ID 29135; Alert; Form Tampering): The session-invariant parameter had a value which was different from what the Barracuda Load Balancer ADC learned from the form that was sent to the browser for this session.
SESSION_CHOICE_PARAM_TAMPERED (Alert; Form Tampering): The session choice parameter had a value which was different from what the Barracuda Load Balancer ADC learned from the form that was sent to the browser for this session.
TOO_MANY_PARAM_INSTANCES (Alert; Form Tampering): The URL sent by the browser contained more instances of the parameter than the Parameter Profile learned to be allowed.
MISSING_MANDATORY_PARAM (Alert; Form Tampering): The URL sent by the browser contained no instance of a parameter which the Parameter Profile learned to be mandatory.
PARAM_VAL_NOT_ALLOWED (Alert; Form Tampering): The Global Choice parameter had a value which is different from the values configured for this parameter in the Parameter Profile.
FILE_EXTENSION_NOT_ALLOWED (Alert; Form Tampering): The extension of the filename of a file-upload parameter does not match any of the configured File Upload Extensions for the parameter profile.
FILE_UPLOAD_SIZE_EXCEEDED (Alert; Form Tampering): The size of the file-upload parameter is greater than the maximum configured value in the Default Parameter Protection.
METACHARACTER_IN_PARAMETER (Alert; Command Injection): The parameter contained a metacharacter which matched an attack pattern configured as a Parameter Class in the parameter profile.

PARAM_NAME_LENGTH_EXCEEDED (Event ID 29154; Alert; Buffer Overflow): The length of the parameter exceeded the Max Length configured in the parameter profile.
CUSTOM_ATTACK_PATTERN_IN_PARAM (Alert; Command Injection): The parameter contained a custom attack pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
PARAM_INPUT_VALIDATION_FAILED (Alert; Form Tampering): The parameter does not match the input type validation configured in the Parameter Profile.
SQL_INJECTION_IN_PARAM (Alert; SQL Injection): The parameter contained an SQL injection pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
CROSS_SITE_SCRIPTING_IN_PARAM (Alert; Cross-site Scripting): The parameter contained a cross-site scripting pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
OS_CMD_INJECTION_IN_HEADER (Alert; Command Injection): The parameter contained an OS command injection pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
DIRECTORY_TRAVERSAL_IN_PARAM (Alert; Directory Traversal): The parameter contained a directory traversal pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
SESSION_CONTEXT_NOT_FOUND (Alert; Form Tampering): The value of the session parameter (parameter type read-only, session-choice or session-invariant) does not match the learned value in the parameter profile. This is a possible tampering of the session parameter value.

REMOTE_FILE_INCLUSION_IN_URL (Event ID 29164; Alert; Malicious-File-Execution): The parameter contained a remote file inclusion pattern which matched an attack pattern configured as a Parameter Class in the parameter profile.
CROSS_SITE_REQUEST_FORGERY (Alert; Forceful Browsing): The state parameter ' ncforminfo' inserted by the Barracuda Load Balancer ADC was either not found, or found tampered, in the form that matched the URL profile.

Protocol Violations

DIRECTORY_TRAVERSAL_BEYOND_ROOT (Alert; Directory Traversal): The request attempted to traverse directories using multiple ../ or ..\ elements, resulting in a directory beyond the document root, which the Barracuda Load Balancer ADC disallows.
POST_WITHOUT_CONTENT_LENGTH (Alert; Protocol Exploit): The POST request does not have a Content-Length header. The Content-Length header must be present for the POST to be processed correctly.
PRE_1_0_REQUEST (Alert; Protocol Exploit): The request sent by the browser did not contain the HTTP version string.
INVALID_OR_MALFORMED_REQUEST (Alert; Protocol Exploit): The request sent by the browser either does not conform to the HTTP RFC, is malformed, or is disallowed by the Barracuda Load Balancer ADC for violating basic HTTP conformance checks.
METHOD_NOT_ALLOWED (Alert; Protocol Exploit): The request sent by the browser contained a method which does not conform to the HTTP RFC.
MALFORMED_VERSION (Alert; Protocol Exploit): The request sent by the browser contained an HTTP version which does not conform to the HTTP RFC.

MALFORMED_REQUEST_LINE (Event ID 29120; Alert; Protocol Exploit): The request sent by the browser contained a request line with no CRLF termination.
MALFORMED_HEADER_LINE (Alert; Protocol Exploit): The request sent by the browser contained a header field which does not conform to the HTTP RFC.
INVALID_HEADER (Alert; Protocol Exploit): The request sent by the browser contained a header field with no CRLF termination.
MALFORMED_CONTENT_LEN (Alert; Protocol Exploit): The request sent by the browser contained a Content-Length header with a non-numeric value.
MALFORMED_COOKIE (Alert; Protocol Exploit): The request sent by the browser contained a cookie whose name-value attributes do not conform to the HTTP RFC.
GET_REQUEST_WITH_CONTENT_LENGTH (Alert; Protocol Exploit): The request sent by the browser used the GET method but carried a Content-Length header, which may indicate an HTTP request smuggling attempt.
MISSING_HOST_HEADER (Alert; Protocol Exploit): The request sent by the browser was an HTTP/1 request but had no Host header, which is required for HTTP/1 requests.
MULTIPLE_CONTENT_LENGTH (Alert; Protocol Exploit): The request sent by the browser contained multiple Content-Length headers, which may indicate an HTTP request smuggling attempt.
MALFORMED_PARAM (Alert; Protocol Exploit): The syntax of the request parameters does not comply with their content type, or normalization of the parameters failed.
PARAM_TOO_LARGE (Alert; Protocol Exploit): The value of the parameter is larger than the internal maximum limit of 1 MB.

Request Policy Violations

REQUEST_LINE_LENGTH_EXCEEDED (Event ID 29000; Alert; Buffer Overflow): The HTTP request length exceeded the Max Request Length configured in the Web Firewall Policy.
HEADER_VALUE_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of a header value exceeded the configured Max Header Length.
INVALID_URL_ENCODING (Alert; Attack Obfuscation): The request contained a string which is an invalid URL-encoded sequence. A valid URL-encoded sequence is a % followed by two hexadecimal digits (0-9, a-f, A-F).
SLASH_DOT_IN_URL (Alert; Directory Traversal): The request URL contains a forward slash (/) or a backslash (\) followed by a dot (.), which the Barracuda Load Balancer ADC disallows. A URL with \. or /. may be an attempt to view hidden files.
TILDE_IN_URL (Alert; Directory Traversal): The URL in the request contained a tilde (~) character, which the Barracuda Load Balancer ADC disallows. The tilde usually denotes a user's home directory, and allowing it can give access even to files owned by root.
UNRECOGNIZED_COOKIE (Warning; Cookie Poisoning): The cookie present in the request could not be decrypted by the Barracuda Load Balancer ADC.
COOKIE_TAMPERED (Warning; Cookie Poisoning): Verification of the signature of the cookie in the request failed.
COOKIE_EXPIRED (Warning; Cookie Poisoning): The browser returned a stale cookie.
COOKIE_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of the cookie exceeded the Max Cookie Length configured in the Web Firewall Policy.

URL_LENGTH_EXCEEDED (Event ID 29042; Alert; Buffer Overflow): The URL length exceeded the Max URL Length configured in the Web Firewall Policy.
QUERY_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of the URL query string exceeded the Max Query Length configured in the Web Firewall Policy.
HEADER_COUNT_EXCEEDED (Alert; Buffer Overflow): The number of headers received exceeded the Max Number of Headers configured in Request Limits. The number of headers includes any Cookie headers.
COOKIE_REPLAY_MISMATCHED_HEADER (Warning; Cookie Poisoning).
COOKIE_REPLAY_MISMATCHED_IP (Warning; Cookie Poisoning).
REQUEST_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of the request line, including Method, URI and Protocol, exceeds the maximum limit configured in the Web Firewall Policy.
COOKIE_COUNT_EXCEEDED (Alert; Buffer Overflow): The number of cookies exceeded the Max Number of Cookies configured in the Web Firewall Policy.
COOKIE_NAME_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of the cookie name exceeded the Max Cookie Name Length configured in the Web Firewall Policy.
HEADER_NAME_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of a header name exceeded the configured Max Header Name Length.
TOO_MANY_SESSIONS_FOR_IP (Alert; DOS Attack): The number of new sessions given out to the client IP in an interval exceeds the number defined for this web application.

Response Violations

ERROR_RESPONSE_SUPPRESSED (Event ID 29017; Notice; Error Message Interception): The response page contains an HTTP error status code which is suppressed by the Website Cloaking configuration. The request is not denied.
RESPONSE_HEADER_SUPPRESSED (Information; Error Message Interception): The response page contained a header which is configured to be suppressed in Website Cloaking. The Server header exposes the OS and/or server version, and an attacker can use this knowledge to exploit known vulnerabilities. The request is not denied, so it is safe to suppress any header. Note: It is recommended not to create an exception if the header is Server. Create an exception only if the browser or other user agents require this header to be present for normal behavior.
IDENTITY_THEFT_PATTERN_MATCHED (Error; Authentication Hijacking): The response contained an identity theft pattern which matched an attack pattern configured as a Data Theft Element, and the Data Theft Protection status in the URL Policy is On.

URL Profile Violations

INVALID_METHOD (Alert; Application Platform Exploit): The request sent by the browser contained a method which is not allowed by the Barracuda Load Balancer ADC.
UNKNOWN_CONTENT_TYPE (Alert; Attack Obfuscation): The Content-Type of the POST request was not recognized by the Barracuda Load Balancer ADC.
CONTENT_LENGTH_EXCEEDED (Alert; Buffer Overflow): The length of the content (typically the body of POST or PUT requests) exceeded the configured Max Content Length.

QUERY_STR_NOT_ALLOWED (Event ID 29132; Alert; Forceful Browsing): The request sent by the browser contained a query string even though query strings have been disallowed by the URL Profile.
PARAM_LENGTH_EXCEEDED (Alert; Form Tampering): The name of the parameter is longer than the maximum name length allowed.
TOO_MANY_UPLOADED_FILES (Alert; Form Tampering): The number of parameters of type file-upload sent by the browser exceeds the maximum configured limit for the parameter profile.
TOO_MANY_PARAMS (Alert; Form Tampering): The number of parameters in the request exceeds the limit of parameters allowed by the default URL protection.
SESSION_NOT_FOUND (Alert; Forceful Browsing): Either the session cookie inserted by the Barracuda Load Balancer ADC is not in the request headers, or the hidden parameter it inserted is missing.
NO_PARAM_PROFILE_MATCH (Alert; Forceful Browsing): The request sent by the browser contained a parameter which is not found in the application profile.

Access Violations

ACCESS_CONTROL_COOKIE_EXPIRED (Warning; Forceful Browsing): The cookie identifying the user has expired due to idle time. The default idle time is 15 minutes, after which a user login is invalidated. The user must log in again to continue accessing the website.
ACCESS_CONTROL_COOKIE_INVALID (Warning; Forceful Browsing): The authentication cookie submitted by the user agent is invalid.

ACCESS_CONTROL_ACCESS_DENIED (Event ID 29080; Warning; Forceful Browsing): The requested URL is protected by Access Control, and the logged-in user is not part of the Allowed Groups or Allowed Users authorized to access this URL.
ACCESS_CONTROL_NO_COOKIE (Warning; Forceful Browsing): The requested URL is protected by Access Control, and there is no cookie identifying the user. The cookie is generated only on a login, and the user has not logged in.

ACL Violations

DENY_ACL_MATCHED (Alert; Forceful Browsing): The Action for the URL in the ADR is configured as Deny.
REDIRECT_ACL_MATCHED (Information; Information): The request is redirected because it matched the ADR with Redirect as the Action parameter.

Access Logs

All web traffic activity is logged under the Access Logs. These logs help the administrator obtain information about website traffic and performance. The BASIC > Access Logs page lets you view the generated log messages, which are stored in a log database on the Barracuda Load Balancer ADC.

The default log format for Access Logs:

%t %un %lt %ai %ap %ci %cp %id %cu %m %p %h %v %s %bs %br %ch %tt %si %sp %st %sid %rtf %pmf %pf %wmf %u %q %r %c %ua %px %pp %au %cs1 %cs2 %cs3

Unit Name, Log Type, and Log ID are not displayed on the BASIC > Access Logs page.

IPv4 Example:

:16: lbadcbox1 TR "-" "-" POST HTTP HTTP/ SERVER DEFAULT PASSIVE VALID /cgi-bin/process.cgi "-" ys-grid_firewall_log-grid=o%3acolumns%3da%253a o%25253aid%25253ds% aiso_timestamp%25255ewidth%25253dn% a38%255eo%252 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-us; rv:8.20) Gecko/ Firefox/0.0.20" John en-us,or;q=0.5 gzip,deflate ISO ,utf-8;q=0.7,*;q=0.7

IPv6 Example:

:16: lbadcbox1 TR 2001:db8:85a3::8a2e:370: fe80::202:b3ff:fe1e: "-" "-" POST HTTP 2001:db8:85a3::8a2e:370:7334 HTTP/ fe80::202:b3ff:fe1e: SERVER DEFAULT PASSIVE VALID /cgi-bin/process.cgi "-" :db8:85a3::8a2e:370:7334/cgi-bin/pl ys-grid_firewall_log-grid=o%3acolumns%3da%253ao%25253aid%25253ds% aiso_timestamp%25255ewidth%25253dn% 5253A38%255Eo%252 "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-us; rv:8.20) Gecko/ Firefox/0.0.20" fe80::202:b3ff:fe1e: John en-us,or;q=0.5 gzip,deflate ISO ,utf-8;q=0.7,*;q=0.7

Detailed Description

The table below describes each element of an access log with respect to the above example:

Time Stamp: The time recorded in the format yyyy-mm-dd hh:mm:ss.s tzd, where .s is one or more digits representing a decimal fraction of a second and tzd is the time zone designator, either Z, +hh:mm or -hh:mm.
Unit Name (lbadcbox1): The name of the unit specified as Default Hostname on the BASIC > IP Configuration page.
Log Type (TR): Denotes the type of log (Web Firewall Log, Access Log, Audit Log or Network Firewall Log). Values: WF, TR, AUDIT, NF.
Application IP (2001:db8:85a3::8a2e:370:7334 in the IPv6 example): The IP address of the application that receives the traffic.
Application Port (80): The port relevant to the IP address of the application.
Client IP (fe80::202:b3ff:fe1e:8329 in the IPv6 example): The IP address of the client sending the request. Note that an intermediate proxy or gateway may have overwritten the actual source IP of the client with its own. To retrieve the actual client IP for logging, configure the Header Name For Actual Client IP under the Edit actions for a service on the BASIC > Services page. If this is configured, the actual client IP is extracted from the header (e.g. X-Forwarded-For), used to populate this field, and also used in security policy checks involving the client IP. See the related Proxy IP field below.
Client Port: The port relevant to the client IP address.
Login ID (-): The login ID used by the client for the request. This is available only when authentication is set to ON for the service whose URL was requested.
Certificate User (-): The username as found in the SSL certificate when Client Authentication is enforced by the Barracuda Load Balancer ADC.
Method (POST): The request method of the traffic.

Protocol (HTTP): The protocol used for communication with the web server, either HTTP or HTTPS.
Host (2001:db8:85a3::8a2e:370:7334 in the IPv6 example): The IP address of the host or website accessed by the user.
Version (HTTP/1): The HTTP version used by the request.
HTTP Status (200): The standard response code, which helps identify the cause of the problem when a web page or other resource does not load properly.
Bytes Sent (812): The bytes sent as the response by the Barracuda Load Balancer ADC to the client.
Bytes Received (6401): The bytes received from the client as part of the request.
Cache Hit (0): Specifies whether the response was served from the Barracuda Load Balancer ADC cache or from the back-end. Possible values: 0 if the response was fetched from the back-end and given to the user; 1 if it was fetched from the cache and given to the user.
Time Taken (230, in seconds): The total time taken to serve the request, from the time the request landed on the Barracuda Load Balancer ADC until the last byte was given out to the client.
Server IP (fe80::202:b3ff:fe1e:8329 in the IPv6 example): The IP address of the back-end web server.
Server Port (80): The port of the back-end web server.
Server Time (0, in milliseconds): The total time taken by the back-end server to serve the request forwarded to it by the Barracuda Load Balancer ADC.
Session ID (-): The value of the session tokens found in the request if session tracking is enabled. Session Tracking is configured on the SECURITY > Advanced Security page.
Response Type Field (SERVER): Specifies whether the response came from the back-end or from the Barracuda Load Balancer ADC. Possible values: INTERNAL, SERVER.
Profile Matched Field (DEFAULT): Specifies whether the request matched a defined URL or Parameter Profile. Possible values: DEFAULT, PROFILED.

Protected Field (PASSIVE): Specifies whether the request went through the Barracuda Load Balancer ADC rules and policy checks. Possible values: PASSIVE, PROTECTED, UNPROTECTED.
WF Matched Field (VALID): Specifies whether the request is valid or not. Possible values: INVALID, VALID.
URL (/cgi-bin/process.cgi): The URL of the request without the query part.
Query (-): The query part of the request.
Referrer (:db8:85a3::8a2e:370:7334/cgi-bin/pl in the IPv6 example): The value contained in the Referer HTTP request header. It identifies the web resource from which the client was referred to the requested URL.
Cookie (ys-grid_firewall_log-grid=o%3acolumns%3da%253ao%25253aid%25253ds% Aiso_timestamp%25255Ewidth%25253Dn% A38%255Eo%252): The cookie as found in the HTTP request headers.
User Agent (Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-us; rv:8.20) Gecko/ Firefox/): The value contained in the User-Agent request header. Normally this information is submitted by the client and details the browser, operating system, software vendor or software revision in an identification string.
Proxy IP (fe80::202:b3ff:fe1e:8329 in the IPv6 example): If the client requests are coming through a proxy or gateway, this field provides the IP address of the proxy. A client-side proxy or gateway changes the source IP of the request to its own and embeds the actual client's IP in an HTTP header such as X-Forwarded-For or X-Client-IP. The Barracuda Load Balancer ADC, if configured, ignores the proxy IP and extracts the actual client IP from the appropriate header to apply security policies and to log the Client IP field above. This field preserves the proxy IP address for cases where it is required, e.g. forensics and analytics. Note: The actual client IP header is configured using the Header Name For Actual Client IP under the Edit actions for a service on the BASIC > Services page.
Proxy Port: The port of the proxy server whose IP address has been logged in the Proxy IP field above.

Authenticated User (John): The username of the currently authenticated client requesting the web page. This is available only when the request is for a service that is using the AAA (User Access Control) module.
Custom Header 1 (en-us,or;q=0.5): The value of the first header name configured to be shown in the Access Logs.
Custom Header 2 (gzip,deflate): The value of the second header name configured to be shown in the Access Logs.
Custom Header 3 (ISO ,utf-8;q=0.7,*;q=0.7): The value of the third header name configured to be shown in the Access Logs.

Audit Logs

The audit logs record the activity of users logged in to the GUI of the Barracuda Load Balancer ADC for the purpose of administration. These logs are visible on the BASIC > Audit Logs page and are also stored on the Barracuda Load Balancer ADC in its native database. Additionally, when the administrator configures an external remote syslog server under ADVANCED > Export Logs, these logs are streamed to the remote syslog servers with priority INFO.

The default log format for Audit Logs:

%t %un %lt %an %ct %li %lp %trt %tri %cn %cht %ot %on %var %ov %nv %add

Unit Name, Log Type, and Log ID are not displayed on the BASIC > Audit Logs page.

IPv4 Example:

:08: lbadcbox1 AUDIT Adam GUI CONFIG 17 - SET web_firewall_policy default url_protection_max_upload_files "5" "6" "[]"

IPv6 Example:

:08: lbadcbox1 AUDIT Adam GUI fe80::202:b3ff:fe1e: CONFIG 17 - SET web_firewall_policy default url_protection_max_upload_files "5" "6" "[]"

Detailed Description

The table below describes each element of an audit log with respect to the above example:

Time Stamp: The time recorded in the format yyyy-mm-dd hh:mm:ss.s tzd, where .s is one or more digits representing a decimal fraction of a second and tzd is the time zone designator, either Z, +hh:mm or -hh:mm.
Unit Name (lbadcbox1): The name of the unit specified in the Default Hostname field on the BASIC > IP Configuration page.
Log Type (AUDIT): Specifies whether the entry is a Web Firewall Log, Access Log, Audit Log or Network Firewall Log. Values: WF, TR, AUDIT, NF.
Admin Name (Adam): The name of the logged-in user.

151 Clit Type GUI This indicates that GUI is used as clit to access the Barracuda Load Balancer ADC. Login IP OR fe80::202:b3ff:fe1e:8329 The IP address from which the activity happed. Login Port 0 The port from which the activity happed. Transaction Type CONFIG Dotes the type of transaction done by the system administrator. Possible values are: LOGIN, LOGOUT, CONFIG, COMMAND, ROLLBACK, RESTORE, REBOOT, SHUTDOWN, FIRMWARE UPDATE, ENERGIZE UPDATE, SUPPORT TUNNEL OPEN, SUPPORT TUNNEL CLOSED, FIRMWARE APPLY, FIRMWARE REVERT, TRANSPARENT MODE, UNSUCCESSFUL LOGIN, ADMIN ACCESS VIOLATION. Transaction ID 17 Specifies the transaction ID for the transaction that makes the persistt change. Note: Evts that do not change anything do not have a transaction ID. This is indicated by transaction ID of - Command Name - The name of the command that was executed on the Barracuda Load Balancer ADC. Change Type SET Dotes the type of change made to the configuration. Possible values are: NONE, ADD, DELETE, SET. Object Type web_firewall_policy The type of the object which is being modified. Object Name Default The name of the object type that is being modified. Variable url_protection_max_upload_files The internal name of the parameter which is under modification. Old Value 5 The value before modification. New Value 6 The value to which the parameter is modified. Additional Data [] Provides more information on the parameter changed. Network Firewall Logs The network traffic passing through the interfaces (WAN, LAN and MGMT) that matches the configured Network ACL rule are logged under Network Firewall Logs. The log tries provide information about every packet that the Barracuda Load Balancer ADC has allowed or died based on the Action specified in the ACL rule. Using this information, you can idtify where the network traffic was originated and destined for, and the action applied. These log tries can be viewed on the NETWORK > Network Firewall Logs page. IPv4 Example: 151

lbadcbox :28: NF INFO TCP DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP

IPv6 Example:

lbadcbox :28: NF INFO ICMP fe80::e6ce:8fff:fe31:941c 0 :f948:ddb3:71b3:ef5b 0 DENY testacl MGMT interface traffic:deny policy ICMP

Detailed Description

The table below describes each element of a network firewall log with respect to the examples above:

Unit Name (example: lbadcbox1): Specifies the name of the unit, which is the same as the Default Hostname on the BASIC > IP Configuration page.
Time Stamp: The date and time at which the event occurred. It denotes the date in the form Year-Month-Day and the time in the form Hours:Minutes:Seconds:Milliseconds.
Log Type (example: NF): Specifies whether the entry is of type Web Firewall Log, Access Log, Audit Log or Network Firewall Log. Values: WF, TR, AUDIT, NF.
Severity Level (example: INFO): Defines the seriousness of the attack. Values: Emergency - System is unusable (highest priority). Alert - Response must be taken immediately. Critical - Critical conditions. Error - Error conditions. Warning - Warning conditions. Notice - Normal but significant condition. Information - Informational message (on ACL configuration changes). Debug - Debug-level message (lowest priority).
Protocol (example: TCP or ICMP): The layer 3 protocol type of the corresponding packet.
Source IP (example: fe80::e6ce:8fff:fe31:941c): The IP address of the source that originated the network traffic.
Source Port (example: 0): The port number of the source that originated the network traffic.

Destination IP (example: f948:ddb3:71b3:ef5b): The IP address of the network or host to which the packet was destined.
Action (example: DENY): The action (Allow or Deny) applied by this ACL rule.
ACL Name (example: testacl): The name of the corresponding ACL rule.
Interface (example: MGMT/LAN/WAN interface or MGMT interface): The incoming network interface through which the traffic passes.
ACL Details (example: traffic:deny policy TCP or traffic:deny policy ICMP): The details of the ACL rule.

Table of Log Formats

The following table describes the names and values for each log type:

System Logs: %ei - Event ID, %ll - Log Level, %ms - Message, %md - Module Name, %t - Time Stamp

Web Firewall Logs: %ai - Application IP, %ap - Application Port, %at - Action Taken, %ad - Attack Description, %adl - Attack Details, %ag - Attack Group, %aid - Attack ID, %au - Authenticated User, %ci - Client IP, %cp - Client Port, %fa - Follow-up Action, %seq - Log ID, %lt - Log Type, %m - Method, %p - Protocol, %px - Proxy IP, %pp - Proxy Port, %r - Referer, %ri - Rule ID, %rt - Rule Type, %sid - Session ID, %sl - Severity Level, %t - Time Stamp, %u - URL, %ua - User Agent, %un - Unit Name

Access Logs: %ai - Application IP, %ap - Application Port, %au - Authenticated User, %br - Bytes Received, %bs - Bytes Sent, %ch - Cache Hit, %cu - Certificate User, %ci - Client IP, %cp - Client Port, %c - Cookie, %ct - Content Type, %cs1 - Custom Header 1, %cs2 - Custom Header 2, %cs3 - Custom Header 3, %h - Host, %s - HTTP Status, %id - Login ID, %seq - Log ID, %lt - Log Type, %m - Method, %p - Protocol, %pf - Protected Field, %px - Proxy IP, %pmf - Profile Matched Field, %pp - Proxy Port, %q - Query, %r - Referer, %rr - Request Referer, %rtf - Response Type Field, %sid - Session ID, %si - Server IP, %sp - Server Port, %st - Server Time, %t - Time Stamp, %tt - Time Taken, %u - URL, %ua - User Agent, %un - Unit Name, %v - Version, %wmf - WF Matched Field

Audit Logs: %add - Additional Data, %an - Admin Name, %cht - Change Type, %ct - Client Type, %cn - Command Name, %seq - Log ID, %li - Login IP, %lp - Login Port, %lt - Login Type, %nv - New Value, %on - Object Name, %ot - Object Type, %ov - Old Value, %t - Time Stamp, %tri - Transaction ID, %trt - Transaction Type, %un - Unit Name, %var - Variable

How to Make the Client IP Address Available to the Back-end Server

For Layer 4 - UDP and Layer 4 - TCP services, the actual client IP address is passed to the server in the TCP header. No further configuration is necessary for Layer 4 services. For all other service types (i.e., when deployed in proxy mode), the default behavior is that the outgoing interface of the Barracuda Load Balancer ADC is used for connections with the real servers. In certain cases, you may want the Barracuda Load Balancer ADC to connect to the server using the client IP address. If you have servers on the back-end that need to access the actual client IP address, there are two ways to provide it to the servers:

Client Impersonation
X-Forwarded-For Header

Consider the following before deciding which option to configure:

Client Impersonation: Provides the client IP address as the source IP address of the request. Requires a networking change. Performance impact.
X-Forwarded-For Header: Provides the client IP address in the X-Forwarded-For header of every request. Requires a logging change. Layer 7 HTTP and HTTPS services only.

Configuring Client Impersonation

You can configure the Barracuda Load Balancer ADC to connect to a server using the client IP address. When the server responds to a message using that original client IP address, the traffic will go directly to the client. However, the client is expecting the response from the Barracuda Load Balancer ADC. In order for the return traffic to pass through the Barracuda Load Balancer ADC, you must change the default gateway of each real server in the pool to a custom virtual interface on the Barracuda Load Balancer ADC. The custom virtual interface should associate an externally-accessible IP address with the Internet-facing port.

To use the client IP address for connections:

On the web interface of the Barracuda Load Balancer ADC: Enable the Client Impersonation option for each server. Edit the server (from the BASIC > Services page). On the Server Configuration page, set Client Impersonation to Yes.
On the server: Change the default gateway to the corresponding custom virtual interface on the Barracuda Load Balancer ADC.

To Use the Client IP Address from the X-Forwarded-For Header

By default, the client IP address is inserted by the Barracuda Load Balancer ADC in the X-Forwarded-For header when the request is forwarded to the back-end server. To use the embedded IP address with Apache servers or with IIS 7 or IIS 7.5 servers, refer to the following articles:

Logging Actual Client IP Address on the Apache Server
Logging Actual Client IP Address in the IIS 7 and IIS 7.5 Server

How to Log the Client IP Address when there is a Proxy Server between the Clients and the Barracuda Load Balancer ADC

If the Barracuda Load Balancer ADC or the client is deployed behind a proxy server, the client IP address of incoming requests is the address of the proxy server. You can see this address in the Client IP column on the BASIC > Access Logs page. To log the actual client IP address instead, edit the service, and specify the name of the header containing the actual client IP address that the proxy server inserts in each request.

To Configure the Header Name:

Edit the service from the BASIC > Services page.
Specify the header name in the Client IP Header box.
Usually the header that stores the actual client IP address is either X-Forwarded-For or X-Client-IP. When a request is received, the Barracuda Load Balancer ADC examines the specified header, retrieves the actual client IP address, and logs it. For example, consider two clients behind a proxy server. When a client sends a request, the proxy receives the request, stores the IP address of the client in the X-Forwarded-For or X-Client-IP header, and forwards the request to the Barracuda Load Balancer ADC. The Barracuda Load Balancer ADC extracts the client IP address from the specified header and logs it. It can also be configured to forward the address to the back-end server.

Scenario 1 - Clients behind Proxy Server

Scenario 2 - Barracuda Load Balancer ADC behind Proxy Server
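Two added examples follow, both written for this article and not Barracuda code. The first parses Network Firewall log entries in the field order given in the Detailed Description table above and summarises denied traffic per source; its sample lines, addresses (documentation ranges), ACL names and the timestamp layout are constructed from the table's description rather than copied from a unit.

```python
"""Parse Barracuda Load Balancer ADC Network Firewall (NF) log entries.

Added example, not Barracuda code. Field order follows the Detailed
Description table for Network Firewall Logs: Unit Name, Time Stamp,
Log Type, Severity Level, Protocol, Source IP, Source Port,
Destination IP, Destination Port, Action, ACL Name, Interface,
ACL Details. The timestamp layout (Year-Month-Day
Hours:Minutes:Seconds:Milliseconds), the sample lines, the addresses
and the ACL names are constructed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

NF_LINE = re.compile(
    r"^(?P<unit>\S+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}:\d{3}) "
    r"NF "                                  # Log Type is always NF for these entries
    r"(?P<severity>[A-Z]+) "
    r"(?P<protocol>[A-Za-z0-9]+) "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) "
    r"(?P<dst_ip>\S+) (?P<dst_port>\d+) "
    r"(?P<action>ALLOW|DENY) "
    r"(?P<acl>\S+) "
    r"(?P<interface>.+? interface) "        # "MGMT interface" or "MGMT/LAN/WAN interface"
    r"(?P<details>.*)$"                     # e.g. "traffic:deny policy TCP"
)


@dataclass(frozen=True)
class NfEvent:
    unit: str
    timestamp: datetime
    severity: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: str
    acl: str
    interface: str
    details: str


def parse_nf_line(line):
    """Return an NfEvent, or None when the line is not an NF entry."""
    m = NF_LINE.match(line.strip())
    if m is None:
        return None
    # %f accepts 1-6 digits, so the 3-digit millisecond field parses directly.
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S:%f")
    return NfEvent(
        unit=m["unit"], timestamp=ts, severity=m["severity"],
        protocol=m["protocol"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]), action=m["action"],
        acl=m["acl"], interface=m["interface"], details=m["details"],
    )


def parse_nf_lines(text):
    """Parse every line of an export, skipping lines that are not NF entries."""
    events = (parse_nf_line(raw) for raw in text.splitlines() if raw.strip())
    return [e for e in events if e is not None]


def denies_by_source(events):
    """How many packets each source had denied, across all ACLs."""
    return Counter(e.src_ip for e in events if e.action == "DENY")


def probing_sources(events, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports.

    One source repeatedly hitting a deny rule on different ports is the
    usual shape of a port scan against the unit's interfaces.
    """
    ports = defaultdict(set)
    for e in events:
        if e.action == "DENY":
            ports[e.src_ip].add(e.dst_port)
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


# Constructed sample export; the last line is deliberately not an NF entry.
SAMPLE_LINES = """\
lbadcbox1 2013-04-17 10:28:31:017 NF INFO TCP 198.51.100.23 51544 203.0.113.10 22 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP
lbadcbox1 2013-04-17 10:28:31:412 NF INFO TCP 198.51.100.23 51545 203.0.113.10 23 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP
lbadcbox1 2013-04-17 10:28:31:903 NF INFO TCP 198.51.100.23 51546 203.0.113.10 3389 DENY testacl MGMT/LAN/WAN interface traffic:deny policy TCP
lbadcbox1 2013-04-17 10:28:32:003 NF INFO ICMP fe80::e6ce:8fff:fe31:941c 0 fe80::1 0 DENY testacl MGMT interface traffic:deny policy ICMP
lbadcbox1 2013-04-17 10:28:33:250 NF INFO TCP 192.0.2.8 40001 203.0.113.10 443 ALLOW webacl WAN interface traffic:allow policy TCP
lbadcbox1 2013-04-17 10:28:34:000 TR INFO not a network firewall entry at all
"""

if __name__ == "__main__":
    evs = parse_nf_lines(SAMPLE_LINES)
    print(f"{len(evs)} NF events, denies per source: {dict(denies_by_source(evs))}")
    print("probing sources:", probing_sources(evs))
```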
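The second added example (again not Barracuda code) applies the Client IP Header behaviour described above: it reads the configured header (X-Forwarded-For or X-Client-IP), walks a comma-separated proxy chain, and adds the check a log consumer should apply, namely believing the header only when the connection actually arrives from a known proxy. The proxy networks, header values and addresses are constructed.

```python
"""Derive the client address to log from the header a proxy inserts.

Added example, not Barracuda code. Any remote client can send an
X-Forwarded-For or X-Client-IP header itself, so a log consumer that
honours the header unconditionally lets a remote party choose what
address appears in the access log. Here the header is only used when
the TCP peer is one of the proxies we operate. Proxy networks, header
values and addresses are constructed.
"""
import ipaddress


def _as_ip(text):
    """Normalised address string, or None if the token is not an address."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def client_ip(peer_ip, headers, header_name="X-Forwarded-For", trusted_proxies=()):
    """Return (address, origin) where origin is the header name or "peer".

    peer_ip         source address of the connection as the ADC sees it
    headers         request headers, {name: value}; names compared case-insensitively
    header_name     the header configured in the service's Client IP Header box
    trusted_proxies CIDR strings for the proxies allowed to set that header
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def from_trusted(addr_text):
        addr = ipaddress.ip_address(addr_text)
        return any(addr in net for net in trusted)

    # Not from one of our proxies: the header, if present, is client-supplied.
    if not from_trusted(peer_ip):
        return peer_ip, "peer"

    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None:
        return peer_ip, "peer"

    # X-Forwarded-For may carry a chain "client, proxy1, proxy2": each proxy
    # appends the address it received the request from. Walk it from the
    # right, skipping our own proxies; the first foreign hop is the client.
    for hop in reversed(value.split(",")):
        addr = _as_ip(hop)
        if addr is None:
            return peer_ip, "peer"      # malformed header: trust none of it
        if not from_trusted(addr):
            return addr, header_name
    return peer_ip, "peer"              # only our proxies listed: nothing to learn


# Constructed scenario: the ADC sits behind a proxy tier in 203.0.113.0/24.
PROXY_TIER = ["203.0.113.0/24"]

if __name__ == "__main__":
    req = {"Host": "www.example.com", "X-Forwarded-For": "198.51.100.7, 203.0.113.9"}
    print(client_ip("203.0.113.5", req, trusted_proxies=PROXY_TIER))   # from our proxy
    print(client_ip("192.0.2.44", req, trusted_proxies=PROXY_TIER))    # direct client
```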

Logging Actual Client IP Address in the IIS 7 and IIS 7.5 Server

By default, the Barracuda Load Balancer ADC forwards the client IP address in the X-Forwarded-For header. To record the actual client IP address instead of the Barracuda Load Balancer ADC's custom virtual interface IP address in the IIS logs, do the following:

1. Download and install the Microsoft Advanced Logging extension on the IIS 7.5 server. Alternatively, download the 64-bit MSI package. Once advanced logging is installed, restart the IIS manager.
2. Select the server root and then Advanced Logging.
3. Select the individual website if you wish to enable and configure advanced logging options at the site level instead of the server level.
4. In the Advanced Logging window, select the default log definition (%COMPUTERNAME%-Server) and select the Enable Advanced Logging and Enable Client Logging options in the Actions pane. You can also create a new log definition and apply it to the server.
5. Click the Edit Logging Fields option.
6. In the Edit Logging Fields window, note that the default Client IP field uses the TCP client IP address to log the IP address in log files. Select the Client IP field and click Remove.
7. Click Add Field to define the custom Client IP field.
8. In the Add Logging Field window, specify values for all parameters and click OK.
9. In the Advanced Logging page, double-click the log definition. The Log Definition window appears.
10. Select the field you created from the Selected Fields section and click Edit.
11. In the Edit Field window, enter the Log header name, select the Required check box and click OK.
12. Toggle advanced logging by disabling and enabling it in the Actions pane.
13. Access the website and then click View Log Files in the Actions pane to view the actual source IP address in the log file.

Logging Actual Client IP Address on the Apache Server

To extract and log the actual client IP address from the X-Forwarded-For header of a request using an Apache server, make the following changes to the server:

Log into the Apache server.
Go to the /etc/httpd/conf or /usr/local/apache2/conf path and open the file httpd.conf.
Search for the string:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Change the %h to %{X-Forwarded-For}i.
The string now appears as:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Save the file and restart apache or httpd.

How to Mask Sensitive Data in Logs

The data masking feature of the Barracuda Load Balancer ADC obscures sensitive data elements before logging them. Configured parameters like social security numbers, credit card information, or other proprietary data in the URL parameters of a request can be protected from unauthorized exposure in the logs. Data masking is configured for an application using parameter names to specify sensitive data. Logged data appears in BASIC > Access Logs with the sensitive data overwritten by 'X' characters. Masking cannot be applied to sensitive data in custom parameters or custom headers. Once masked, the original data cannot be retrieved, recovered, or restored.

To configure Data Masking, use the Mask Sensitive Data section of the SECURITY > Advanced Security page:

Edit the service for which masking is necessary.
In the Mask Sensitive Data window, enter the names of the sensitive parameters. You can provide multiple parameter names separated by commas with no spaces between them (e.g. cardid,securitynumber,password).
Save Changes.

Global Server Load Balancing

In this Section:

Global Server Load Balancing Overview
Implementing Global Server Load Balancing
Installing Global Server Load Balancing
Integrating Global Server Load Balancing with the Existing DNS Infrastructure
Site Selection Algorithms
Implementing Global Server Load Balancing Regions
Configuring Multiple Global Server Load Balancing Controllers

Global Server Load Balancing Overview

In this article: Overview, GSLB Examples, GSLB Definitions, Site Selection Criteria, How GSLB Works, Failover.

Overview

Global Server Load Balancing (GSLB) allows you to coordinate how traffic is processed among multiple data centers. A Barracuda Load Balancer ADC acts as a controller, selecting the location to which traffic is directed based on the parameters that you configure and the health of the data centers. This allows you to allocate the work among multiple data centers and to ensure that if one data center fails, traffic is redirected automatically to a functioning data center.

GSLB Examples

GSLB can be useful when:

You have a number of server farms that are physically located around the world and you want incoming connections to be directed to the closest healthy server farm.
You have two data centers and you want one of them to be reserved for use in the event of a disaster. You can assign the first a high priority and have all traffic directed to it, while the other is used only if the first data center fails.
You have multiple data centers and each has region-specific content. Depending on the location of the client, requests can be directed to the data center most appropriate for that region.

GSLB Definitions

A site is a network location that hosts data. It may be a Service on a Barracuda Load Balancer ADC with a server farm, or one Real Server.
A GSLB Controller is the Barracuda Load Balancer ADC which determines where traffic is directed. It contains configuration information about the sites and it performs health checks on all sites at regular intervals. Only one GSLB Controller is active at a time. It is recommended that you configure one or more backup GSLB Controllers.
A region defines a geographical area, usually composed of one or more countries. You can define custom regions or use the predefined regions.
Site Selection Criteria

The GSLB Service allows you to specify that traffic be directed to a site based on one of three parameters:

Proximity of the system making the request to a site that can serve the request;
The region of the system making the request; or
The priority order of the sites.

How GSLB Works

The GSLB Controller controls which IP address for a sub-domain is given to a client. These steps illustrate the process:

A client tries to connect to a domain name. It asks its local DNS server for the IP address of the domain name, and the server issues a DNS request on its behalf.
This request is eventually directed to the GSLB Controller (Barracuda Load Balancer ADC) that acts as an authoritative DNS server for the delegated sub-domain www.
The GSLB Controller considers the site selection algorithm and the health of the sites and issues a DNS response that contains a list of one or more IP addresses of valid sites.
The client tries to connect to the first address in the list.

In the following figure, the selection algorithm is based on the region of the client. The GSLB Controller determines the region where the request originated. The US client is returned the address of the site which handles clients from the US region, while the client from Europe is given the address of the site which supports content for the European region.

Figure: How GSLB Works.

Failover

The record that is returned by the GSLB Controller in response to a DNS query has a time to live (TTL) value of 10 seconds, meaning that the DNS servers across the Internet need to request the IP address of the site again if the record is older than 10 seconds. If a site becomes unavailable, it is removed from the list of returned IP addresses, the caches update quickly, and traffic is directed to a healthy site.

Implementing Global Server Load Balancing

Following are some sample situations and how to configure the site selection algorithm for each one on the Barracuda Load Balancer ADC that acts as the Global Server Load Balancing (GSLB) Controller.

Disaster Recovery - Two Sites in the World

You have two sites and you want all traffic directed to one of the sites while the other is on standby and used only in the case of the failure of the first site. Create an entry for each site, giving the primary site priority 1 (highest) and the backup site a lower priority. Make the Response Policy By Priority so that only priority is considered when directing traffic. When a query for the address of the domain name is received, a response containing one or more IP addresses is returned. If it is operational, the primary site's IP address will be returned first in the list and the backup site's IP address will be second. If the primary site becomes unavailable, only the second site's IP address will be returned. The primary site will be monitored, even after failure, so that when it becomes available its IP address will once again be first in the returned list.

Direct Clients to Closest Data Center

You have a number of server farms that are physically located around the world, and you want clients to be directed to the closest healthy server farm. Make the Response Policy Geo IP to send client requests to the geographically nearest site.
If you have a backup site, set the Failover IP address to its IP address.

Direct Clients to Specific Region

You have multiple data centers, each with region-specific content, and you want client requests from a certain region to be directed to the data center that supports that region. Make the Response Policy Region Only to associate requests with a region based on the location of the client and direct traffic to the appropriate data center. If you have a backup site, set the Failover IP address to its IP address. Content switching rules can be used to direct HTTP traffic within the backup data center.
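The three scenarios above, together with the Failover IP rule from the Site Selection Algorithms article later in this section, as an added Python model written for this page (not Barracuda code): resolve() returns the ordered list of site addresses a DNS query would receive. The site records, region names, coordinates, the haversine distance standing in for Geo IP proximity, and the assumption that Geo IP falls back to the Failover IP when the client cannot be located are all constructed.

```python
"""Model of the GSLB Controller's answer to a DNS query for a host.

Added example, not Barracuda code. resolve() orders healthy site
addresses the way the Response Policies are described in this section:
By Priority (ascending priority value, location ignored), Geo IP (nearest
first, priority ignored), Region Only (sites for the client's region first,
then sites for All Countries; a client whose location is unknown gets only
the All Countries sites). When no site qualifies, the Failover IP is
returned unchecked, since its health is not monitored. Site data, region
names, coordinates and the haversine stand-in for Geo IP proximity are
constructed; Geo IP falling back to the Failover IP for an unlocatable
client is an assumption, not a documented behaviour.
"""
import math
from dataclasses import dataclass
from typing import Optional

ALL_COUNTRIES = "All Countries"
RECORD_TTL_SECONDS = 10     # TTL of the returned record, per the Failover section


@dataclass(frozen=True)
class Site:
    ip: str
    region: str             # a region name, or ALL_COUNTRIES
    priority: int           # lower value = preferred; only By Priority looks at it
    lat: float
    lon: float
    healthy: bool = True    # result of the controller's periodic health check


@dataclass(frozen=True)
class ClientLocation:
    region: Optional[str]   # None when the Location Definitions cannot place the client
    lat: Optional[float] = None
    lon: Optional[float] = None


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine); a stand-in for the real proximity data."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def resolve(policy, sites, client, failover_ip):
    """Return the ordered list of site IPs that would go into the DNS response."""
    healthy = [s for s in sites if s.healthy]   # unhealthy sites are never returned
    if policy == "By Priority":
        answer = [s.ip for s in sorted(healthy, key=lambda s: s.priority)]
    elif policy == "Geo IP":
        if client.lat is None or client.lon is None:
            answer = []                          # assumption: unlocatable -> failover
        else:
            answer = [s.ip for s in sorted(
                healthy, key=lambda s: distance_km(s.lat, s.lon, client.lat, client.lon))]
    elif policy == "Region Only":
        matched = [s.ip for s in healthy
                   if client.region is not None and s.region == client.region]
        catch_all = [s.ip for s in healthy if s.region == ALL_COUNTRIES]
        answer = matched + catch_all             # most specific first, All Countries last
    else:
        raise ValueError(f"unknown Response Policy: {policy!r}")
    return answer if answer else [failover_ip]


# Constructed sites: a US primary, a European site, and a catch-all in Tokyo.
US = Site("203.0.113.10", "North America", priority=1, lat=37.4, lon=-122.0)
EU = Site("198.51.100.20", "Europe", priority=2, lat=52.5, lon=13.4)
ANY = Site("192.0.2.30", ALL_COUNTRIES, priority=3, lat=35.7, lon=139.7)
FAILOVER = "192.0.2.99"

if __name__ == "__main__":
    london = ClientLocation("Europe", lat=51.5, lon=-0.1)
    for policy in ("By Priority", "Geo IP", "Region Only"):
        print(policy, "->", resolve(policy, [US, EU, ANY], london, FAILOVER))
```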

Installing Global Server Load Balancing

Execute these tasks to design your Global Server Load Balancing (GSLB) network and to configure one or more GSLB Controllers.

Step 1. Define the layout of your GSLB network. Notes: Enable traffic to the loopback adapter.
Step 2. Location-based Response Policy. Notes: If you plan to use a location-based Response Policy, define Regions (Region Only) and turn on Location Definitions updates.
Step 3. Set the DNS Service IP Address. Notes: On each active GSLB Controller, complete Step 3.
Step 4. Delegate a Sub-Domain to the GSLB Controller. Notes: For each sub-domain to be hosted, complete Step 4.
Step 5. Configure the DNS records on the GSLB Controller to identify the sub-domains that are being hosted. Notes: For each GSLB Controller that may receive traffic for a given sub-domain and which is not the passive system for a cluster, complete Steps 5-7.
Step 6. Choose the Response Policy.
Step 7. Enter the Failover IP address.
Step 8. Identify the rest of the sites that serve this sub-domain.

Step 1. Define the GSLB network layout

Decide which Barracuda Load Balancer ADCs are to act as your active and which as your passive GSLB Controllers. GSLB Controllers must be externally accessible. They may also act as the load balancer for a server farm.
Decide whether the site selection should be based on region, geographical proximity or pre-configured priority.
Determine what will happen in the case of a site failure.
Gather the IP addresses (IP addresses of Real Servers or VIP addresses of Services) of the sites.

Step 2. Location-based Response Policy

Skip the tasks in this step if you do not intend to use a geographically-based Response Policy (Geo IP or Region Only). If the Response Policy is Region Only, decide which site or sites are associated with each region where requests originate. In either case, make sure the Location Definitions are set to automatically update on every GSLB Controller.
This setting is on the Advanced > Energize Updates page.

Step 3. Set the DNS Service IP Address

For each active GSLB Controller, select the IP address to be used as the DNS Service IP address. DNS requests will be sent to this IP address. It must be reachable from the WAN, LAN or VLAN of the GSLB Controller. If the GSLB Controller is in HA mode and a system failover occurs, the passive system will assume this address and handle the requests directed to it. If the GSLB Controller is not in HA mode, this address could be the externally reachable IP address of the GSLB Controller. On each active GSLB Controller, go to the TRAFFIC > GSLB Services page and enter the DNS Service IP Address. If this is a clustered system, the passive system will be updated automatically.

Step 4. Delegate a Sub-Domain to the GSLB Controller

This step needs to be done at your domain registrar or wherever your domains are hosted.

In order to delegate a sub-domain to be resolved by the GSLB Controller, records must be added to the zone file of the domain so that DNS requests for the sub-domain will be forwarded to the GSLB Controller for resolution. For example, if the domain is example.com and you want to host the sub-domain www behind the GSLB Controller, you will need to add a DNS NS (nameserver) record to associate it with each GSLB Controller. If there are two GSLB Controllers (one active, one passive), there is one record for the clustered pair:

IN NS nswww.example.com.

Add an A (host) record for the GSLB Controller with its IP address and the domain www:

nswww.example.com. IN A <DNS Service IP address of first cluster>

where <DNS Service IP address...> is the DNS Service IP address assigned to the clustered pair. Do not enter the brackets (< >). Do add the dot (.) at the end of the nameserver.

The remainder of the steps are performed on the Barracuda Load Balancer ADC(s) that may act as the GSLB Controller. If you have a clustered GSLB Controller, you only need to do these steps on the active system because the configuration between two clustered Barracuda Load Balancer ADCs is synchronized automatically.

Step 5. Create the Host DNS Record on each GSLB Controller

This step must be done on each GSLB Controller that is not a passive system in the cluster. Using the web interface of the Barracuda Load Balancer ADC, create the records that describe the domain or domains that are available to the GSLB Controller. The following example generates the A (host) record on the GSLB Controller. The domain name is example.com and the host is www. This A record is initially associated with one site IP address, but more site IP addresses can be added later.

To create the DNS records on the GSLB Controller:

5a. Navigate to the TRAFFIC > GSLB Services page.
5b. In the Add New GSLB Service section, supply the following information:

Zone Name: the zone maintained by your existing DNS server, e.g., example.com.
Host: The host name (or sub-domain) to be resolved, e.g., www.
Site IP: The IP address that is to receive the traffic. This may be the VIP address of a Service on a Barracuda Load Balancer ADC, or the IP address of a server.
Region: This associates a region with the Site IP address. If you want the GSLB Controller to select the site based on region, select the region from the list. If the region you want is not already defined, add a custom region using the TRAFFIC > GSLB Settings page. Otherwise, select All Countries from the list.

A DNS record is created for the host. Some of the fields in the record will contain default values for settings such as the Response Policy, which you can customize by editing the entry in the table.

Step 6. Choose the Response Policy

Response Policies are described in the section Response Policy Options. The Response Policy is defined per host. Edit the Host record on the TRAFFIC > GSLB Services page to modify the Response Policy.

Step 7. Set the Failover IP Address

If you have a site that can handle the traffic in the case of failure of all sites that match the Response Policy, enter its IP address as the Failover IP address in the Host record on the TRAFFIC > GSLB Services page.

Step 8. Identify the rest of the sites that serve this host

To configure all of the sites that can process the traffic for this host, go to the TRAFFIC > GSLB Services page and click Add New Site. You may want to associate a new site with a region or assign a priority to it. Remember that regions are only relevant if the Response Policy is Region Only. Similarly, priority is only considered by the By Priority Response Policy.

Integrating Global Server Load Balancing with the Existing DNS Infrastructure

In a typical GSLB deployment of the Barracuda Load Balancer ADC, the existing DNS domain nameserver continues as the authoritative nameserver for the zone or domain, e.g. barracuda.com. But a hostname or sub-domain, e.g. www, is delegated to the Barracuda Load Balancer ADC that acts as the GSLB Controller. When a DNS query for that host is received, it is forwarded to the GSLB Controller. The GSLB Controller acts as the authoritative DNS server for delegated sub-domains, returning definitive answers to DNS queries about domain names installed in its configuration. On the GSLB Controller you can identify one or more IP addresses of sites that serve a single domain name. When asked to resolve a host, the GSLB Controller returns a list of IP addresses of the sites that are both available and that match the site selection algorithm.

Site Selection Algorithms

When the Global Server Load Balancing (GSLB) Controller receives a DNS request to resolve a sub-domain, it replies with a list of one or more IP addresses of valid sites that are both available and that match the site selection algorithm. This site selection algorithm is also called the Response Policy. Three Response Policies are available: one is based on site priority and the other two are based on location.

Failover IP Address

If no sites match the Response Policy, or if all sites that match the Response Policy fail the health check, a pre-configured Failover IP address for the sub-domain is returned. This is the IP address of a site that can accept the traffic if the other systems become unavailable. The health of the site at the Failover IP address is not monitored.
IP Address and Location Database

In order to provide location-based Response Policies, the Barracuda Load Balancer ADC uses a database of IP addresses and geographical locations. This database is updated by the Location Definitions, which are part of the Energize Updates maintained by Barracuda Central.

Response Policy Options

Three Response Policies are supported: Geo IP, Region Only and By Priority. Geo IP and Region Only are based on the location of the client. By Priority is based only on the configured priority of the site.

Geo IP: The GSLB Controller determines the location of the system making the request based on the Location Definitions and compares that to the location of each site. It returns a list of site IP addresses ordered from closest to furthest. Geo IP does not consider site priority.

Region Only: The GSLB Controller determines the region of the system making the request based on the Location Definitions. If the originating system is in a region that is associated with one or more sites, a list of the healthy site IP address(es) is returned. The most specific matches appear first in the list; any sites that are associated with All Countries are last in the list. If the location of the originating system cannot be determined, then any healthy sites that are associated with All Countries are returned. If neither of the preceding cases identifies at least one site IP address, the Failover IP address is returned. Region Only does not consider site priority.

By Priority: The GSLB Controller returns a list of site IP addresses ordered from lowest to highest priority value. Location is not considered.

Implementing Global Server Load Balancing Regions

Global Server Load Balancing (GSLB) regions are used only if the Response Policy is Region Only, to direct traffic to data centers with region-specific content. Add a region to a host on the TRAFFIC > GSLB Services page so that traffic that originates in that region is directed to the Site IP address.

A number of predefined regions are listed on the TRAFFIC > GSLB Settings page. You can also create a custom region by specifying a region name and then adding one or more regions from a list.

Configuring Multiple Global Server Load Balancing Controllers

Only one Global Server Load Balancing (GSLB) Controller is active at any one time. However, you can configure multiple GSLB Controllers to increase the availability of your infrastructure in these two ways:

Operate in High Availability mode, in which case all of the GSLB information is copied to the passive system.
Configure one or more other Barracuda Load Balancer ADCs (or clustered pairs) as GSLB Controllers, where: each system or clustered pair has a DNS entry pointing to it; the first available entry is used by a client; and the GSLB configuration is synchronized manually between all GSLB Controllers unless they are passive systems in a cluster.

The following figure shows three clustered pairs of Barracuda Load Balancer ADCs, all in different locations. Each of these six Barracuda Load Balancer ADCs can act as a GSLB Controller and they share the same GSLB-specific configuration. The GSLB Controllers are listed in the order they are to be used as name servers in the DNS entry for the domain (see Steps to Install GSLB).

Figure: Multiple GSLB Controllers.

As shown in the diagram, if #1 becomes unavailable, #2 takes over as the GSLB Controller. If both #1 and #2 become unavailable, #3 takes over operation as the GSLB Controller, and so on. See Installation of Global Server Load Balancing for instructions on how to install multiple GSLB Controllers.

Application Security

Feature Availability: Application Security is now available at no charge on the Barracuda Load Balancer ADC 540 and above, starting from version 5.

The Barracuda Load Balancer ADC protects your application from OWASP Top 10 attacks against both HTTP and HTTPS application traffic. It provides a variety of security policies to protect the websites.
Security Policies define matching criteria for requests, and specify what actions to take when a request matches. All policies are global, and they can be shared among multiple services configured on the Barracuda Load Balancer ADC.

When a Service requires customized settings, the provided security policies can be tuned, or customized policies can be created. Each policy is a collection of nine sub-policies. Modify a policy by editing the value of the parameter(s) on the sub-policy page.

In this Section:

Security Policies
Slow Client Attack Prevention
Configuring Website Profiles
How to Configure Antivirus Protection for File Uploads and Downloads
How to Configure Data Theft Protection
How to Configure Brute Force Protection
How to Configure Session Tracking
Allow/Deny Rules for Headers and URLs
Extended Match Syntax
Configuring User Defined Patterns

Security Policies

The Barracuda Load Balancer ADC associates security policies with HTTP and HTTPS Services. A security policy has preset security settings which apply to any associated Service. Security policies are shareable, so once a policy is created, it can be assigned to more than one Service. The security policy rules specify inspection criteria for input or output data, identifying malicious or vulnerable data. Security policies include mostly negative and some positive elements. For most websites, security policies sufficiently implement good web application security.

When is a security policy associated with the Service?

When a Service is created, it is associated with the default security policy and log levels. The Barracuda Load Balancer ADC includes the following pre-configured security policies:

Default
Sharepoint
OWA
OWA2010
Oracle

When needed, the security policy associated with the Service can be changed or refined. Security policies define matching criteria to compare to requests, and rules for matching requests. All security policies are global, that is, they can be shared by multiple Services configured on the Barracuda Load Balancer ADC. When a Service needs refined security settings, the provided security policies can be adjusted, or customized policies can be created.
To create a customized security policy, see Steps to Create a New Policy. Each policy is a collection of nine sub-policies. Modify the following sub-policies by editing the corresponding sub-policy page. The sub-policies include: Request Limits Cookie Security URL Protection Parameter Protection Cloaking Data Theft Protection URL Normalization Global ACLs Action Policy Steps to Create a New Policy Go to the SECURITY > Security Policies page. In the Security Policies section, click the More Actions drop-down list, and select Add. The Create New Policy window appears. Enter a name in the Policy Name text box and click the Add button. This creates a new policy with the default values. Steps to Modify a Policy 165

1. Select the policy from the Policy Name list. The Security Policies section displays all the sub-policies with their configured values.
2. Click Configure... in the desired sub-policy section to view and modify the settings.
3. Change the values of the parameter(s) and click Save Changes to save and activate the new settings.

Configuring Action Policy
The action policy is a collection of settings that decides what action is taken when a violation occurs. It consists of a set of attack groups, each with an associated attack action. The following attack groups are available:
advanced-policy-violations
application-profile-violations
param-profile-violations
protocol-violations
request-policy-violations
response-violations
url-profile-violations
The attack action specifies the action taken for a particular type of web attack. Modify an attack action by clicking Edit next to it.

Configuring Cloaking
Cloaking prevents attackers from obtaining information that could be used to launch a successful follow-up attack. HTTP headers and return codes are masked before a response is sent to the client. Response headers are filtered according to the headers listed in the Headers to Filter field. Cloaking features include:
Removing banner headers such as Server from responses.
Blocking client error (status code 4xx) and server error (status code 5xx) responses.
To configure cloaking, select a policy from the Policy Name list and click Configure under Cloaking in the Security Policies section.

Configuring Data Theft Protection
Data theft protection prevents unauthorized disclosure of confidential information. Configuring it requires two steps:
1. Specify the at-risk data elements handled by the web application, using the Security Policy.
2. Enable protection of these elements where needed, using the URL Policy.
Sensitive data elements may be masked to prevent their disclosure, or responses containing sensitive data may be blocked altogether.
Using the Security Policy, you configure the sensitive data elements that may need protection, along with the way each is handled. These settings are then available to any Service associated with the security policy. URL policies applied to narrowly defined URL spaces enable the protection individually, as needed; other URL spaces operate without incurring the processing cost. To optimize performance, enable data theft protection only for the parts of the site known to carry sensitive information.
The SECURITY > Security Policies > Data Theft Protection page configures the Identity Theft data types for a Security Policy. Protection for specific URLs is enabled on the SECURITY > Advanced Security page; the Security Policy Data Theft settings are then enforced only for the configured URLs. Barracuda Energize Updates provides a set of default protected patterns, such as credit card and social security numbers; these can be expanded or customized on SECURITY > Libraries to include other application-specific data patterns that must not be disclosed. Any configured pattern can be masked, or the response blocked altogether, when a protected pattern occurs in the server response.
When Data Theft Protection is enabled, the Barracuda Load Balancer ADC intercepts the response from the server and matches it against the patterns listed on the SECURITY > View Internal Patterns page and, if custom identity theft patterns are defined, on the SECURITY > Libraries page. If the response matches any of the defined patterns, it is blocked or cloaked according to the configured Action (Block or Cloak). Block discards the response sent by the server; Cloak overwrites part of the matched data with "X" characters.
The default identity theft elements provided by the Barracuda Load Balancer ADC are:
Credit Cards
Directory Indexing
Social Security Number (SSN)

Credit Cards and SSN
To prevent exposure of personal data such as credit card numbers and Social Security Numbers (SSN), select Block to block the response from the server, or Cloak to overwrite the matched characters except for those preserved by the Initial Characters to Keep and Trailing Characters to Keep parameters. By default, credit-card and ssn are set to Cloak.
Directory Indexing
If a web server is configured to display the list of all files within a requested directory, it may expose sensitive information. The Barracuda Load Balancer ADC prevents this exposure by blocking the response from the server. By default, directory indexing is set to Block.
To configure data theft protection, select a policy from the Policy Name list and click Configure under Data Theft Protection in the Security Policies section.

Configuring Global ACLs
Global ACLs (URL ACLs) are strict allow/deny rules that can be shared among multiple Services configured on the Barracuda Load Balancer ADC. They are associated with the configured Security Policies. You can add a new URL ACL or modify an existing one; to edit an existing URL ACL, click Edit next to it in the Existing Global ACLs section. To configure global ACLs, select a policy from the Policy Name list and click Configure under Global ACLs in the Security Policies section.

Configuring Parameter Protection
To protect a Service from attacks carried in the parameters of a URL query string or in POST form parameters, use SECURITY > Parameter Protection. Parameter Protection defends web applications from parameter-based attacks when parameter profiles are not used. Parameters that contain special characters may have SQL or HTML tagging expressions embedded in them. Embedded SQL keywords such as OR, SELECT, or UNION in a parameter, or system commands such as xp_cmdshell, can exploit web application vulnerabilities. These attack patterns are configured in Parameter Protection and compared against requests and responses. If a parameter matches, the corresponding request or response is not processed. To configure parameter protection, select a policy from the Policy Name list and click Configure under Parameter Protection in the Security Policies section.

Configuring Request Limits
Request limits define validation criteria for incoming requests by enforcing size limits on HTTP request header fields. Requests with fields larger than the specified maximums are dropped. Properly configured limits mitigate buffer overflow exploits and the denial of service (DoS) they can cause. Request Limits are enabled by default; requests that exceed the specified lengths are treated as buffer overflow attempts. The defaults are normally appropriate, but you may change one or more of them under the following conditions:
The defaults can be lowered if the Service or the back-end server is known to have problems with lengths smaller than the defaults.
When the Action is set to Deny and Log or Deny with no Log for a Service under URL: Allow/Deny Rules on the SECURITY > Allow/Deny page, the Barracuda Load Balancer ADC continues to examine the request until it reaches the configured length. Smaller limits therefore give a slight performance improvement, because fewer bytes are parsed before the request is denied.
The defaults can be raised if the original defaults result in false alarms.
To configure Request Limits, select a policy from the Policy Name list and click Configure under Request Limits in the Security Policies section.

Configuring URL Normalization
The Barracuda Load Balancer ADC normalizes all traffic before applying any security policy string matches. For HTTP data, this means decoding Unicode, UTF, or hex encodings to base text, so that attacks disguised in an encoding that the string matches would not recognize are still detected. Normalization is always enabled while the Barracuda Load Balancer ADC is active.
The Default Character Set parameter specifies the character set encoding assumed for incoming requests; ASCII is the default. In some cases multiple character sets are needed, as for a Japanese language site that might use both Shift-JIS and EUC-JP. To add character sets dynamically, set the Detect Response Charset parameter to Yes: responses are searched for a META tag specifying the character set, and any supported character sets found are added dynamically.
Double encoding is the re-encoding of data that is already encoded. For example, the escape for the backslash character is %5C, which is a sequence of three characters: %, 5, and C. Double encoding re-encodes one or all of those three characters using their own escapes, %25, %35, and %43, so the backslash can arrive as, for example, %255C. A single decoding pass would leave %5C in place and a string match for the backslash would miss it; normalization decodes such sequences fully before matching.
To configure URL normalization, select a policy from the Policy Name list and click Configure under URL Normalization in the Security Policies section.

Configuring URL Protection
URL requests and the parameters embedded in them can contain malicious script. Attacks embedded in URL requests or their parameters execute with the permissions of the component that processes them. Injection of operating system or database commands into the parameters of a URL request, cross-site scripting, remote file inclusion, and buffer overflow attacks can all be perpetrated through unchecked URL requests or their parameters. Here is an example of malicious script within a URL request:
Defense against these attacks is achieved by restricting the allowed methods in headers and content for invoked URL requests, restricting the number of request parameters and their lengths, limiting file uploads, and specifying attack types to explicitly detect and block. (Attack types are configured on SECURITY > Libraries or SECURITY > View Internal Patterns.) URL Protection uses a combination of these techniques to protect against the various URL attack types. URL Protection defends the Service from URL request attacks when no URL Profile is configured to do so. For information on URL Profiles, see Configuring Website Profiles. To configure URL protection, select a policy from the Policy Name list and click Configure under URL Protection in the Security Policies section.
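The order of operations described above (Request Limits applied to the request as received, URL Normalization, then the string matches of Parameter and URL Protection) is shown below as an added example. This is Python written for this page, not Barracuda's implementation: the limit values, the attack-pattern list, the three-round decoding cap and the sample requests are all constructed assumptions, and the real pattern groups live on SECURITY > View Internal Patterns.

```python
import re
from urllib.parse import unquote

# Constructed Request Limits (assumed values, not the appliance defaults).
LIMITS = {
    "max_request_line": 256,   # bytes in "METHOD URL HTTP/x.y"
    "max_url": 200,            # bytes in the request URL as received
    "max_header_count": 20,    # number of header fields
    "max_header_line": 512,    # bytes in any one "Name: value" line
    "max_header_total": 4096,  # bytes in the whole header block
}

# Constructed negative-model patterns standing in for the internal attack-type
# groups (sql-injection, system-command-injection, ...); not Barracuda's patterns.
ATTACK_PATTERNS = {
    "sql-union": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sql-comment": re.compile(r"--|/\*"),
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
}

class RequestRejected(Exception):
    pass

def check_request_limits(raw_head: bytes, limits=LIMITS):
    """Request Limits: reject a request whose head exceeds any size limit before
    anything is parsed further. Returns (url, headers) on success."""
    head, sep, _ = raw_head.partition(b"\r\n\r\n")
    if not sep:
        raise RequestRejected("request head not terminated")
    if len(head) > limits["max_header_total"]:
        raise RequestRejected("header block too large")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > limits["max_request_line"]:
        raise RequestRejected("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise RequestRejected("malformed request line")
    if len(parts[1]) > limits["max_url"]:
        raise RequestRejected("URL too long")
    if len(header_lines) > limits["max_header_count"]:
        raise RequestRejected("too many headers")
    headers = {}
    for line in header_lines:
        if len(line) > limits["max_header_line"]:
            raise RequestRejected("header line too long")
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[1].decode("latin-1"), headers

def normalize_url(url: str, max_rounds: int = 3) -> str:
    """URL Normalization: percent-decode repeatedly until the string stops changing,
    so a double-encoded %255C becomes %5C and then a backslash before matching.
    The round cap and the backslash-to-slash canonicalisation are this example's choices."""
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current, encoding="utf-8", errors="replace")
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")

def inspect_request(raw_head: bytes):
    url, headers = check_request_limits(raw_head)   # limits apply to the raw form
    path = normalize_url(url)                        # then normalize
    for name, pat in ATTACK_PATTERNS.items():        # then string-match
        if pat.search(path):
            raise RequestRejected(f"attack pattern {name}")
    return path, headers

def decide(raw_head: bytes):
    """("allow", normalized_url) or ("deny", reason)."""
    try:
        path, _ = inspect_request(raw_head)
        return ("allow", path)
    except RequestRejected as e:
        return ("deny", str(e))

# Constructed sample requests (not captured traffic).
GOOD = b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc\r\n\r\n"
SQLI = b"GET /search?q=1%20UNION%20SELECT%20password HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DOUBLE_ENCODED = b"GET /static/%252e%252e%255cetc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TOO_MANY_HEADERS = (b"GET / HTTP/1.1\r\n"
                    + b"".join(b"X-Pad-%d: x\r\n" % i for i in range(25)) + b"\r\n")

if __name__ == "__main__":
    for raw in (GOOD, SQLI, DOUBLE_ENCODED, TOO_MANY_HEADERS):
        print(decide(raw))
```

The double-encoded request is the case the text describes: after one decoding pass the URL still reads %2e%2e%5c and matches nothing; only the second pass exposes the traversal. The header-count case shows why a signed cookie, which adds a header, can trip Request Limits that were tuned tightly.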
Securing HTTP Cookies
Overview
Cookies provide a mechanism to store service state information on the client's navigation platform, such as a browser or other user agent. Cookies can store user preferences or shopping cart items, and can include sensitive information such as registration or login credentials. If a cookie can be viewed or changed by the client, the application is vulnerable to attack and any sensitive information in the cookie can be stolen or forged.
How Cookie Security Works
Cookie security on the Barracuda Load Balancer ADC is transparent to back-end servers. When a server sets a cookie, the Barracuda Load Balancer ADC intercepts the response and encrypts or signs the cookie before delivering it to the client. When a subsequent request from the client returns the cookie, the Barracuda Load Balancer ADC intercepts the request and decrypts the cookie or verifies its signature. If the cookie is unaltered, the original cookie is forwarded to the server. Altered cookies are removed before the request is forwarded to the server.
Encryption prevents both viewing and tampering, so the client cannot read cookie values. Where clients (for example, client-side script) need to read cookie values, use signing instead. When signing cookies, the Barracuda Load Balancer ADC forwards two cookies to the client browser: the plain-text cookie and a signed cookie. When a subsequent request returns the cookies, if either has been altered the signature verification fails and the Barracuda Load Balancer ADC removes the cookies before forwarding the request to the server.
Cookie Security Interaction With Other Security Features
Encrypting a cookie may change its length, but the number of headers in the message remains unchanged. Signing a cookie changes its length and appends one or more headers to the forwarded message. If the SECURITY > Security Policies > Request Limits configuration constrains the number or length of HTTP headers, a signed or encrypted cookie may therefore violate the request limits and cause unwanted rejection of messages. Messages rejected in this way are logged with Cloak under Action on the BASIC > Web Firewall Logs page; if such entries appear after enabling cookie security, raise the affected request limit rather than disabling the cookie protection.
To configure cookie security, select a policy from the Policy Name list and click Configure under Cookie Security in the Security Policies section.

Slow Client Attack Prevention

In this article:
Overview
How does Slow Client Attack Prevention Work?
Data Transfer Rate
Max Request Timeout
Max Response Timeout
Incremental Request Timeout
Incremental Response Timeout
Exception Clients
Steps to Configure Slow Client Attack Prevention

Overview
In a slow client attack, an attacker deliberately sends multiple partial HTTP requests to carry out an HTTP denial of service (DoS) attack on the server. The client slows the request or response so much that it holds connections and memory resources open on the server for a long time, without triggering session time-outs. Common ways to carry out this attack include:
Slow HTTP Headers (Slowloris) - As described in Slowloris HTTP DoS ( ), the client never completes sending the headers. It sends headers one by one at regular intervals to keep the sockets from closing, tying up the web server. Threaded servers that cap the number of concurrent threads are particularly vulnerable. Slowloris must wait for all of the sockets to become available before consuming them, so on high-traffic websites it may take a while for the attack to take hold.
Slow HTTP POST (R-U-Dead-Yet or RUDY) - The client attempts to DoS the server using long form field submissions. It sends all of the HTTP headers, including a legitimate Content-Length header with a large value, then feeds the form's POST body at a very slow rate, so the web application keeps waiting for the full body to arrive. Once multiple threads are tied up waiting, the server runs out of resources. More technical details about layer 7 DDoS attacks can be found in the OWASP presentation OWASP-Universal-HTTP-DoS ( SP-Universal-HTTP-DoS.ppt).
Slow Read DoS - The client request completes fully. When the server responds, the client advertises very small TCP receive windows for accepting response data. For a large response (a file download, for example), the client's slow reception rate ties up server resources for a long time. Multiple requests of this type can eventually take the server down.
These are layer 7 DoS attacks. They are typically legitimate from a protocol-compliance point of view and are therefore not detected by network-layer DDoS devices, by IPS/IDS, or even by your ISP. Clients can DoS the server stealthily and slowly, without consuming significant network bandwidth, so they otherwise remain undetected.
The SECURITY > DDoS Prevention page allows you to configure slow client attack prevention for HTTP and HTTPS Services.

How does Slow Client Attack Prevention Work?
The following settings identify and prevent a slow client request or response attack:
Data Transfer Rate
The minimum data transfer rate the Barracuda Load Balancer ADC expects for requests from the client and responses to the client. Transfers slower than this are considered slow.
Max Request Timeout
The maximum time allowed to receive a request from a client. If a request does not complete in this time, the connection is terminated, a FIN is sent to the client, and further requests are blocked.
Max Response Timeout
The maximum time allowed to send a response to the client. If the response transfer is not complete in this time, the connection is terminated, a FIN is sent to the client, and further responses to the client are not sent.
Incremental Request Timeout
The initial timeout window a client has in which to complete a request. The system then progressively shrinks the window using an adaptive algorithm. If the client repeatedly fails to complete a request within the shrinking window, the request timeout window converges to zero and the connection is dropped. If the client begins to send data at a healthy rate, the window is progressively expanded.

This adaptive algorithm ensures that temporary network delays do not affect genuine clients, while persistent slow clients are detected and denied.
Incremental Response Timeout
The initial timeout window a client has in which to receive a response. The system then progressively shrinks the window using an adaptive algorithm. If the client repeatedly fails to receive the response within the shrinking window, the response timeout window converges to zero and the connection is dropped. If the client begins to receive data at a healthy rate, the window is progressively expanded. This adaptive algorithm ensures that temporary network delays do not affect genuine clients, while persistent slow clients are detected and denied.
Exception Clients
The IP addresses exempted from slow client attack prevention. Specify a single IP address, a range of IP addresses, or a combination of both, comma-delimited with no spaces.
Steps to Configure Slow Client Attack Prevention
To view or edit Slow Client Attack Prevention for a Service:
1. In the SECURITY > DDoS Prevention > Slow Client Attack Prevention section, click Edit for the Service requiring the protection.
2. In the Edit Slow Client Attack Prevention page, view or edit the configured values.
3. Click Save Changes after modifying values.
For more information, click Help on the web interface.

Configuring Website Profiles
In this article:
Overview
URL Profiles
How to Add a URL Profile
Parameter Profiles
How to Add a Parameter Profile

Overview
The detailed structure of an application is called the profile of the website. Website profiles are made up of profiles for URLs and profiles for the parameters of those URLs. A URL profile lists allowed attributes such as HTTP methods, the names and types of each parameter, query strings, and length-based restrictions. A parameter profile defines the allowed format for each parameter, using either a negative or a positive security model, and includes length restrictions.
Website Profiles allow you to create specific rules to fine-tune the security settings of a Service. They do not modify the default security policy settings; they refine the security settings of one Service. For a Service, a Website Profile is applied when Use Profile is set to Yes, meaning each request must be validated against the configured URL and Parameter profiles of that Service. Initially no URL or Parameter profiles exist for a Service; to use Website Profiles, the administrator must create URL and Parameter profiles for the Service. When a Service is added on the BASIC > Services page, a website profile is created and Use Profile is set to Yes for the Service.
To modify the default settings for a Service:
1. Go to the SECURITY > Website Profiles page.
2. In the Service section, select the Service whose settings you want to modify from the Website drop-down list.
3. Click the Edit button. The Edit Website Profile window appears.
4. Specify values for the following fields as required:
a. Use Profile - Set to Yes to use URL profiles and parameter profiles to validate the requests for this Service.
b. Strict Profile - Set to Yes to force strict profile checks, denying requests that do not match any profile. If set to No, the Service's default web firewall policy is applied to requests that have no matching profile.
c. Mode - Set the mode for the Service:
i. Passive - Validates requests against the URL Profile and Parameter Profile settings and logs violations on the BASIC > Web Firewall Logs page.
ii. Active - Validates requests against the URL Profile and Parameter Profile settings, blocks violating requests, and logs the violations on the BASIC > Web Firewall Logs page.
d. Allowed Domains - Enter the domain or IP address of the Service whose requests and responses should be validated against the URL and Parameter profiles. To allow multiple subdomains under a main domain, configure it as domain=maindomain. For example, world.com might have pages at india.world.com, america.world.com, and japan.world.com. By default, if india.world.com is configured under Allowed Domains, only pages on india.world.com are allowed. To allow all subdomains of world.com, specify domain=world.com.
e. Exclude URL Patterns - Enter the list of URL patterns to be excluded from URL Profile validation. These URLs are also exempted from learning, even when Learning is On. Examples: *.html,*.htm,*.jpg,*.gif,*.css,*.js
f. Include URL Patterns - Enter the list of URL patterns to be included in URL profile validation even though they match Exclude URL Patterns.
5. Click Save Changes to save the settings.

URL Profiles
URL Profiles are validated against the requests for the Service according to the Mode setting of the URL profile.

How to Add a URL Profile
1. Go to the SECURITY > Website Profiles page.
2. In the Service section, select the Service to which you want to add a URL profile from the Website drop-down list.
3. In the URL Profiles section, click Add URL. The Create URL Profile window appears.
4. Specify values for the following fields:
a. URL Profile Name - Enter a name for the URL profile.
b. Status - Set to On to enforce checks on requests and responses for the Service using this profile.
c. URL - Enter the URL to be compared to the URL in the request. The URL should start with a "/" and can have at most one "*" anywhere in it. The value /* matches all URLs of the Service.
d. Extended Match - Specify an expression, a combination of HTTP headers and/or query string parameters, used to match special attributes in the HTTP headers or query string parameters of requests. Use '*' to denote "any request", that is, to apply no Extended Match condition. For information on how to write extended match expressions, see Extended Match Syntax.
e. Extended Match Sequence - Enter a number indicating the order in which the extended match rule is evaluated for requests.
f. Mode - Set the mode for this URL profile:
i. Passive - Validates requests by comparing them to the URL profile and corresponding Parameter profile(s) and logs violations on the BASIC > Web Firewall Logs page.
ii. Active - Validates requests by comparing them to the URL profile and corresponding Parameter profile(s), blocks violating requests, and logs the violations on the BASIC > Web Firewall Logs page.
g. Allow Query String - Set to Yes to allow parameters and their values along with the URL.
h. Hidden Parameter Protection - Specify whether to protect hidden parameters in forms and URLs:
i. Forms - Protects the hidden parameters in the POST body of forms.
ii. Forms and URLs - Protects the hidden parameters in the POST body of forms and in the query string of URLs.
iii. None - No protection for hidden parameters in forms and URLs.
i. CSRF Prevention - Specify whether to prevent cross-site request forgery attacks on the forms and URLs.
j. Max Content Length - Enter the maximum content length allowed for a POST request body.
k. Maximum Parameter Name Length - Enter the maximum length of a parameter name. The allowed range is 1 to 1024 bytes. No value (empty) means unlimited.
l. Maximum Upload Files - Enter the maximum number of files that can be uploaded in one request. If the value is 2, the third file upload is denied. In Passive mode, every uploaded file that exceeds the maximum count is logged.
m. Blocked Attack Types - By default, all attack types are selected. Attack Types are specifications of malicious patterns. If the value of a parameter matches one of the selected Attack Types, an intrusion is detected and logged on the BASIC > Web Firewall Logs page. Attack Types are defined as groups of regular expression patterns. Attack Types for SQL Injection, Cross-Site Scripting, and System Command Injection are provided by default, and one or more of these can be enabled for matching against request parameters.
n. Custom Blocked Attack Types - By default, all custom attack types are selected. Clear a checkbox to allow the patterns in that group.
5. Click Save to add the URL profile.
6. Click Edit next to the created URL profile to specify values for the following fields:
a. Allowed Methods - Enter the methods allowed in requests. The Barracuda Load Balancer ADC uses this list to decide whether to allow or disallow a method.
b. Allowed Content Types - Enter the content types allowed for this URL profile.
c. Referrers for the URL Profile - Enter the address (URI) of the resource from which the Request URI was obtained. In adaptive profiling, the referrers are learned as the profile sources. This referrer is not the same as the Referrer in CSRF protection. Note: This is used for information only; the Barracuda Load Balancer ADC enforces no security checks on it.
d. Exception Patterns - Enter the patterns to be allowed as exceptions even though they are part of a malicious pattern group. The configuration should be the exact "Pattern Name" as found on the SECURITY > View Internal Patterns page, or as defined during the creation of a "New Group" through the SECURITY > Libraries page. The pattern name can also be found in a Web Firewall log entry when a false positive occurs due to a potential exception pattern. For example, if a parameter value matched the "sql-comments" regex pattern under the "sql-injection medium" attacks on the SECURITY > View Internal Patterns page, adding "sql-comments" to this list allows "sql-comments" matches in future.
7. Click Save Changes to save the above settings.

Parameter Profiles
Parameter profiles are compared to the requests for the Service according to the Mode setting of the corresponding URL profile.

How to Add a Parameter Profile
1. Go to the SECURITY > Website Profiles page.
2. In the Service section, select the Service from the Website drop-down list.
3. In the URL Profiles section, select the URL profile to which you want to add the Parameter profile.
4. Click Add Param in the Parameter Profiles section. The Create Parameter Profile window appears.
5. Specify values for the following fields:
a. Parameter Profile Name - Enter a name for the parameter profile.
b. Status - Set to On to validate requests coming to the Service using this Parameter Profile.
c. Parameter - Enter the name of the parameter to be validated in requests and responses. Parameter names with special characters, such as &pathinfo and &sessionid, and the wildcard (*) must be specified manually; they are not learned automatically.
d. Type - Select the type of parameter to be validated in requests and responses. If two or more parameters of different types have the same name, the parameters are treated as Input type, bound to one of the standard parameter classes, and the value of Max Instances is updated. The parameter types are:
i. Input - Any parameter other than the File Upload, Global Choice, Read Only, Session Choice, and Session Invariant types is treated as Input type.
ii. Read Only - All hidden parameters in forms and query parameters in URLs are learned as Read Only type. If an exception occurs while learning, the type is updated to Input. This type makes the parameter session specific.
iii. Session Choice - A parameter from a response form or drop-down list whose value differs across sessions, or within the same session, is treated as Session Choice.
iv. Global Choice - Input type parameters such as check boxes, radio buttons, and menu parameters in a form are treated as Global Choice type.
v. Session Invariant - Select this if the parameter value is the same across multiple requests from the same session, for example a session ID. This type of parameter is not learned automatically.
vi. File Upload - A file upload parameter in a form is treated as File Upload type.
e. Values - Define a fixed set of strings to match against the parameter's value, when the parameter Type is Global Choice.
f. Parameter Class - Select a parameter class to be compared to the parameters sent in requests and responses.
g. Custom Parameter Class - Select the custom parameter class to be compared to the parameters sent in requests and responses. Applicable only when Parameter Class is set to CUSTOM.
h. Max Value Length - Set the maximum allowed length for the value of the parameter. Example: with the parameter "param" set to 0, p1=v1&param=&p2=v2 is allowed and p1=v1&param=v&p2=v2 is not allowed.
i. Required - Set to Yes if the parameter must always be present in the request.
j. Ignore - Set to Yes if the parameter must be ignored completely, that is, its value is never validated.
k. Maximum Instances - Specify the maximum number of times the parameter may appear in a request or response.
l. File Upload Extensions - Define the extensions allowed for file uploads. '.' is a special extension that indicates no extension, and * is a wildcard that allows any extension.
6. Click Add to add the Parameter profile.
7. Click Edit next to the created parameter profile to specify values for the following fields:
a. Allowed Metacharacters - Define the list of metacharacters to be allowed even though they are marked as denied in the parameter class. Click the Edit icon, select the metacharacters, and click Apply to populate the selected metacharacters.
b. Exception Patterns - Define a list of patterns to be allowed as exceptions even though they are part of a malicious pattern group. The configuration should be the exact "Pattern Name" as found on the SECURITY > View Internal Patterns page, or as defined during the creation of a "New Group" through the SECURITY > Libraries page. The pattern name can also be found in a Web Firewall log entry when a false positive occurs due to such a potential exception pattern. For example, if the parameter value matched the "sql-comments" regex pattern under the "sql-injection medium" attacks on the SECURITY > View Internal Patterns page, adding "sql-comments" to this list allows "sql-comments" matches in future.
8. Click Save Changes to save the above settings.

How to Configure Antivirus Protection for File Uploads and Downloads
Virus scanning is enabled on a per-URL basis. It should be enabled only for URLs that allow file uploads and downloads, because virus checking is a performance-intensive task.
To enable Antivirus for file uploads and downloads:
1. On the SECURITY > Advanced Security page, in the Advanced Security section, identify the Service for which you want to enable Antivirus checking.
2. Click Edit next to that Service. The Edit URL Policy window appears.
3. In the Edit URL Policy section:
a. Set Enable Virus Scan to Yes.
b. Set Status to On.
c. Set Mode to Active.
4. Click Save Changes.
When Virus Scan is enabled for a Service, all requests passing through the Barracuda Load Balancer ADC for that Service are scanned for viruses, and any traffic containing viruses is blocked.
Antivirus Details
The Barracuda Load Balancer ADC uses the integrated Clam AV antivirus engine to scan files for embedded viruses and malware. Barracuda Networks does its own research to create the AV signatures and pushes them out to all units with active Energize Updates subscriptions. The Barracuda Load Balancer ADC antivirus engine supports all file types the Clam AV engine supports. Integration with the antivirus engine uses streaming: chunks of data are sent to the AV engine as they are received, and once the AV engine returns the scanned data, it is pushed to the back-end server. The file size limit for antivirus scanning is currently 25 MB, set in the Clam engine so that it knows what file size to expect. Barracuda Networks Technical Support can change the file size limit; customers do not have access to this configuration setting. The Clam engine rejects the connection request for files that are too large.
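The URL profile and parameter profile checks described in the Website Profiles article above, as an added example. This is Python written for this page, not the appliance's code: the profile values, the denied-metacharacter set standing in for a parameter class, the "most specific URL wins" tie-break and the sample requests are constructed assumptions. It covers the single-"*" URL match, Allowed Methods, Allow Query String and Max Content Length on the URL profile; Required, Maximum Instances, Max Value Length, Global Choice Values, Allowed Metacharacters and File Upload Extensions on the parameter profile; Strict Profile for requests matching no URL profile; and Passive versus Active mode.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

@dataclass
class ParamProfile:
    name: str
    ptype: str = "Input"                      # Input, Global Choice, File Upload, ...
    max_value_length: Optional[int] = None    # Max Value Length (None = unlimited)
    required: bool = False                    # Required
    ignore: bool = False                      # Ignore: never validate the value
    max_instances: int = 1                    # Maximum Instances
    values: Tuple[str, ...] = ()              # Values, for Global Choice
    denied_metachars: str = "<>'\";|&"        # constructed stand-in for the parameter class
    allowed_metachars: str = ""               # Allowed Metacharacters (exceptions)
    upload_extensions: Tuple[str, ...] = ()   # File Upload Extensions ('.' none, '*' any)

@dataclass
class UrlProfile:
    url: str                                  # starts with '/', at most one '*'
    mode: str = "Active"                      # Passive or Active
    allowed_methods: Tuple[str, ...] = ("GET", "POST")
    allow_query_string: bool = True
    max_content_length: Optional[int] = None
    params: Dict[str, ParamProfile] = field(default_factory=dict)

def url_matches(profile_url: str, path: str) -> bool:
    """The profile URL has at most one '*', which matches any run of characters."""
    assert profile_url.startswith("/") and profile_url.count("*") <= 1
    if "*" not in profile_url:
        return profile_url == path
    prefix, suffix = profile_url.split("*")
    return (path.startswith(prefix) and path.endswith(suffix)
            and len(path) >= len(prefix) + len(suffix))

def validate_params(profile: UrlProfile, pairs) -> List[str]:
    """Check (name, value) pairs against the URL profile's parameter profiles."""
    violations, counts = [], {}
    for name, value in pairs:
        counts[name] = counts.get(name, 0) + 1
        pp = profile.params.get(name)
        if pp is None:
            violations.append(f"{name}: no parameter profile")
            continue
        if pp.ignore:
            continue
        if counts[name] > pp.max_instances:
            violations.append(f"{name}: exceeds Maximum Instances {pp.max_instances}")
        if pp.max_value_length is not None and len(value) > pp.max_value_length:
            violations.append(f"{name}: value longer than {pp.max_value_length}")
        if pp.ptype == "Global Choice" and value not in pp.values:
            violations.append(f"{name}: value not in Global Choice set")
        if pp.ptype == "File Upload":
            ext = value.rsplit(".", 1)[1] if "." in value else "."
            if "*" not in pp.upload_extensions and ext not in pp.upload_extensions:
                violations.append(f"{name}: upload extension {ext!r} not allowed")
        else:
            bad = {c for c in value if c in pp.denied_metachars and c not in pp.allowed_metachars}
            if bad:
                violations.append(f"{name}: denied metacharacters {''.join(sorted(bad))!r}")
    for name, pp in profile.params.items():
        if pp.required and name not in counts:
            violations.append(f"{name}: Required parameter missing")
    return violations

def validate_request(profiles, method, path, query, body_length, strict_profile=True):
    """("allow", []), ("deny", reasons) or, for a Passive profile, ("log", reasons)."""
    matches = [p for p in profiles if url_matches(p.url, path)]
    if not matches:
        # Strict Profile: no matching URL profile means deny; otherwise the Service's
        # default web firewall policy applies (represented here as "allow").
        return ("deny", ["no URL profile matches"]) if strict_profile else ("allow", [])
    profile = max(matches, key=lambda p: len(p.url) - p.url.count("*"))  # most specific (assumed)
    reasons = []
    if method not in profile.allowed_methods:
        reasons.append(f"method {method} not in Allowed Methods")
    if query and not profile.allow_query_string:
        reasons.append("query string not allowed")
    if profile.max_content_length is not None and body_length > profile.max_content_length:
        reasons.append(f"body {body_length} exceeds Max Content Length")
    reasons += validate_params(profile, parse_qsl(query, keep_blank_values=True))
    if not reasons:
        return ("allow", [])
    return ("deny" if profile.mode == "Active" else "log", reasons)

# Constructed profiles for a hypothetical /account/* URL space.
LOGIN = UrlProfile(url="/account/*", max_content_length=4096, params={
    "user": ParamProfile("user", max_value_length=32, required=True),
    "lang": ParamProfile("lang", ptype="Global Choice", values=("en", "fr", "ja")),
    "param": ParamProfile("param", max_value_length=0),          # the doc's Max Value Length example
    "note": ParamProfile("note", max_value_length=200, allowed_metachars="'"),
    "avatar": ParamProfile("avatar", ptype="File Upload", upload_extensions=("png", "jpg")),
    "trace": ParamProfile("trace", ignore=True),
})
LOGIN_PASSIVE = replace(LOGIN, mode="Passive")
PROFILES = [LOGIN]

if __name__ == "__main__":
    print(validate_request(PROFILES, "GET", "/account/profile", "user=bob&param=v", 0))
    print(validate_request(PROFILES, "GET", "/admin", "", 0))
```

The "param" profile reproduces the Max Value Length example from the article: an empty value passes and a one-character value is refused. The "note" profile shows Allowed Metacharacters overriding the class for a single apostrophe without loosening the other parameters.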
Files larger than the configured limit result in a log entry indicating that the scan failed because the file size was too large. Since such files are rejected rather than passed through unscanned, check the logs first if legitimate large uploads start failing after virus scanning is enabled.

How to Configure Data Theft Protection

Data theft protection prevents unauthorized disclosure of confidential information. Configuring it requires two steps:

1. Specify the at-risk data elements handled by the web application, using the Security Policy.
2. Enable protection of these elements where needed, using the URL Policy.

Sensitive data elements may require masking to prevent their unauthorized disclosure, or responses containing sensitive data may be blocked altogether. Using the Security Policy, you configure the sensitive data elements that need protection, along with the desired way to handle them. These settings can then be used by any service associated with the security policy. URL policies applied to narrowly defined URL spaces requiring this protection can individually enable it as needed; other URL spaces operate without incurring the processing cost. To optimize performance, enable data theft protection only for the parts of the site known to carry sensitive information.

The Data Theft Protection section of the SECURITY > Security Policies page allows configuration of Identity Theft data types for a Security Policy. You enable protection for specific URLs using the SECURITY > Advanced Security page; the Security Policy data theft settings are then enforced only for the configured URLs. Barracuda Energize Updates provides a set of default protected patterns, such as credit card and social security numbers. These can be expanded or customized using SECURITY > Libraries to include other application-specific data patterns that need protection from disclosure. Any configured pattern can be masked, or the response blocked altogether, if a protected pattern occurs in the server response.

When Data Theft Protection is enabled, the Barracuda Load Balancer ADC intercepts the response from the server and matches it against the patterns listed on the SECURITY > View Internal Patterns page and, if any custom identity theft patterns are defined, on the SECURITY > Libraries page. If the response matches any of the defined patterns, it is blocked or cloaked according to the configured Action (Block or Cloak). If the action is Block, the response sent by the server is blocked. If it is Cloak, part of the data is cloaked, that is, overwritten with "X" characters.

When set to Block, the response is blocked according to the action configured for Identity-theft-pattern-matched-in-response under SECURITY > Security Policies > Action Policy.

The default identity theft elements provided by the Barracuda Load Balancer ADC are:

- Credit Cards
- Directory Indexing
- Social Security Number (SSN)

Credit Cards and SSN: To prevent exposure of personal data such as credit card numbers and Social Security Numbers, select Block to block the response from the server, or Cloak to overwrite the characters other than those kept by the Initial Characters to Keep and Trailing Characters to Keep parameters. By default, credit-card and ssn are set to Cloak.

Directory Indexing: If a web server is configured to display the list of all files in a requested directory, it may expose sensitive information. The Barracuda Load Balancer ADC prevents exposure of such data by blocking the response from the server. By default, directory indexing is set to Block.

Steps to Configure Data Theft Protection:

1. On the SECURITY > Security Policies page, select the policy to which you want to add data theft protection from the Policy Name list.
2. Click Configure under Data Theft Protection in the Security Policies section. The Data Theft Protection page appears.
3. In the Configure Data Theft Protection section, specify values for the following fields:
   a. Data Theft Element Name: Enter a name for the data theft element.
   b. Enabled: Select Yes to match this data element in server response pages. The element is used only when Enable Data Theft Protection is also set to Yes on the SECURITY > Advanced Security page.
   c. Identity Theft Type: Select the data type to which the element belongs from the drop-down list. The default identity theft patterns (Credit Card, SSN and Directory Indexing) are associated with data types defined under SECURITY > View Internal Patterns > Identity Theft Patterns. To associate a custom identity theft pattern created on the SECURITY > Libraries page, select CUSTOM from the drop-down list and then select the customized identity theft type in the Custom Identity Theft Type field below.
   d. Custom Identity Theft Type: Select the customized identity theft type to be used from the drop-down list.
   e. Action: If set to Block, any response sent by the server that contains this data type is blocked. Use Block if the server should never expose this information. In Cloak mode, part of the data is cloaked, that is, overwritten with X characters, according to Initial Characters to Keep and Trailing Characters to Keep.
   f. Initial Characters to Keep: Enter the number of initial characters to be displayed to the user when data of this type is identified in a server page. For example, if an online shopping page displays a user's 16-digit credit card number and Initial Characters to Keep is set to 4, the number is displayed as 1234 XXXX XXXX XXXX.
   g. Trailing Characters to Keep: Enter the number of trailing characters to be displayed to the user when data of this type is identified in a server page. With Trailing Characters to Keep set to 4 instead, the same number is displayed as XXXX XXXX XXXX followed by its last four digits.
4. Click Add to add the above settings.

Custom Identity Theft Patterns

The default data theft types are displayed under Protected Data Types on the SECURITY > Security Policies > Data Theft Protection page. You can also create custom identity theft data types on the SECURITY > Libraries page.

Creating a Custom Identity Theft Pattern

1. Go to the SECURITY > Libraries page, Identity Theft section, enter a name in the New Group field and click Add.
2. Click Add Pattern next to the created identity theft pattern group. The Identity Theft Patterns window appears.
3. Specify values for the following fields:
   a. Pattern Name: Enter a name to identify the pattern.
   b. Status: Set to On if you wish to use this pattern for pattern matching in responses.
   c. Pattern Regex: Define the regular expression of the pattern, or click the Edit icon to select and insert the pattern.
   d. Pattern Algorithm: Select the algorithm to associate with the pattern from the drop-down list.
   e. Case Sensitive: Select Yes if the pattern is to be treated as case sensitive.

   f. Pattern Description (optional): Enter a description of the pattern, for example "Visa credit card pattern" to indicate that the pattern matches Visa credit card numbers.
4. Click Add.

Using a Custom Identity Theft Pattern

1. Go to the SECURITY > Security Policies > Data Theft Protection page.
2. Select a policy from the Policy Name list.
3. In the Configure Data Theft Protection section, enter a name in the Data Theft Element Name text field.
4. Set Enabled to Yes to match this data element in server response pages. The element is used only when Enable Data Theft Protection is also set to Yes on the SECURITY > Advanced Security page.
5. Select CUSTOM from the Identity Theft Type drop-down list.
6. Select the identity theft pattern you created from the Custom Identity Theft Type drop-down list.
7. Set the Action to Block or Cloak. If set to Block, any response sent by the server that contains this data type is blocked; use Block if the server is never expected to expose such information. In Cloak mode, part of the data is cloaked, that is, overwritten with X characters, according to Initial Characters to Keep and Trailing Characters to Keep.
8. If required, change the values of Initial Characters to Keep and Trailing Characters to Keep, then click Add.

Now bind this policy to a Service, so that traffic for that service is matched against the pattern and then processed.

Turning on Data Theft Protection using URL Policy

To use Data Theft Protection for a requested URL, on the SECURITY > Advanced Security page set Enable Data Theft Protection to Yes for the appropriate URL Policy: either a URL policy matching the requested URL or, if the URL has no matching policy, the default URL Policy. When Enable Data Theft Protection is set to Yes for a requested URL, the Data Theft Protection settings from the Service's Security Policy are enforced for that request.
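The cloaking and blocking behaviour described above, as an added example that is not part of the original page and not Barracuda's own code. It models a data theft element with the fields from the procedure (Action, Initial Characters to Keep, Trailing Characters to Keep, a Pattern Algorithm) and gates it on a per-URL policy table. Only the Visa regex comes from the page (rewritten in Python syntax, with optional space or dash separators assumed); the SSN regex, the directory-listing marker, the Luhn check standing in for the pattern algorithm, the URL policy table and the response bodies are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not Barracuda's code: a response-side data theft filter built
# from the fields described above. Only the Visa regex is the page's
# (4[[:digit:]]{12}|4[[:digit:]]{15}, in Python syntax with optional separators
# assumed). SSN regex, listing marker, Luhn as the pattern algorithm, the URL
# policy table and the sample bodies are assumptions.


def luhn_ok(value: str) -> bool:
    """Pattern algorithm run on every regex hit: Luhn mod-10 check, so that a
    16-digit order number that happens to start with 4 is not cloaked."""
    digits = [int(c) for c in value if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataTheftElement:
    name: str
    regex: "re.Pattern[str]"
    action: str                                   # "Block" or "Cloak"
    initial_keep: int = 0                         # Initial Characters to Keep
    trailing_keep: int = 0                        # Trailing Characters to Keep
    algorithm: Optional[Callable[[str], bool]] = None


# Defaults follow the page: credit-card and ssn Cloak, directory indexing Block.
ELEMENTS = [
    DataTheftElement("credit-card",
                     re.compile(r"\b4(?:[ -]?\d){15}\b|\b4(?:[ -]?\d){12}\b"),
                     "Cloak", trailing_keep=4, algorithm=luhn_ok),
    DataTheftElement("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # assumed shape
                     "Cloak", trailing_keep=4),
    DataTheftElement("directory-indexing",
                     re.compile(r"<title>Index of /", re.IGNORECASE),    # assumed marker
                     "Block"),
]


def cloak(match: str, initial_keep: int, trailing_keep: int) -> str:
    """Overwrite the middle of a match with X, leaving separators in place, so
    '1234 5678 9012 3456' with initial_keep=4 becomes '1234 XXXX XXXX XXXX'."""
    end = len(match) - trailing_keep
    if initial_keep >= end:                  # the kept parts cover everything
        return match
    middle = "".join("X" if c.isalnum() else c for c in match[initial_keep:end])
    return match[:initial_keep] + middle + match[end:]


def inspect_response(body: str, elements=ELEMENTS):
    """Return (decision, body): ("Block", None) if any Block element matches,
    else ("Cloak", masked body) or ("Allow", body). Block wins over Cloak."""
    for el in elements:
        if el.action == "Block":
            for m in el.regex.finditer(body):
                if el.algorithm is None or el.algorithm(m.group(0)):
                    return "Block", None
    changed = False
    for el in elements:
        if el.action != "Cloak":
            continue

        def repl(m, el=el):
            nonlocal changed
            text = m.group(0)
            if el.algorithm is not None and not el.algorithm(text):
                return text                  # regex hit, but the algorithm rejects it
            changed = True
            return cloak(text, el.initial_keep, el.trailing_keep)

        body = el.regex.sub(repl, body)
    return ("Cloak" if changed else "Allow"), body


def enforce(url: str, body: str, url_policies):
    """Data theft protection runs only where the URL policy enables it; the
    longest matching prefix wins and "/" stands in for the default URL policy."""
    prefix = max((p for p in url_policies if url.startswith(p)), key=len)
    if not url_policies[prefix]:
        return "Allow", body
    return inspect_response(body)


# Constructed sample responses: 4111 1111 1111 1111 is a Luhn-valid test number,
# 4000 0000 0000 0001 is not (an order reference that merely looks like a card).
ORDER_PAGE = ("<p>Card on file: 4111 1111 1111 1111</p>"
              "<p>Order ref: 4000 0000 0000 0001</p>"
              "<p>SSN: 123-45-6789</p>")
LISTING = "<html><head><title>Index of /backup</title></head></html>"
URL_POLICIES = {"/": False, "/account/": True}   # Enable Data Theft Protection per URL policy

if __name__ == "__main__":
    print(enforce("/account/orders", ORDER_PAGE, URL_POLICIES))
    print(enforce("/account/files/", LISTING, URL_POLICIES))
    print(enforce("/public/orders", ORDER_PAGE, URL_POLICIES))
```

Block elements are evaluated before Cloak elements so that a directory listing is never partially masked and passed on, and the Luhn step plays the role the page gives the Pattern Algorithm: a regex alone would cloak the order reference as well.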
How to Configure Brute Force Protection

Brute Force Protection

To enable Brute Force protection, edit the default URL policy on the SECURITY > Advanced Security page. Brute force attacks attempt unauthorized access by repeatedly bombarding the system with guessed parameters.

Preventing Brute Force Attacks

Brute Force protection sets a maximum number of requests (all requests, or only invalid requests) to a URL space from a single client, or from all sources, within a configured time interval, and blocks offending clients from making further requests. You can specify exception clients for which no maximum is enforced. Brute force protection prevents the following types of rate-based attacks:

- Brute force attempts to gain access: Repeated login failures in quick succession may be an attempt to gain unauthorized access using guessed credentials.
- Brute force attempts to steal session tokens: Session tokens, the authentication mechanism for requests by already authenticated users, can be guessed and stolen through repeated requests.
- Distributed Denial of Service attacks (DDoS): Repeated requests for the same resource can impair critical functionality by exhausting server resources.
- Vulnerability scanning tools: High request rates can probe web applications for weaknesses. Typically these tools execute a database of commonly known and unknown (blind) attacks in quick succession.

Other Brute Force Attack Prevention: To detect brute force attacks against session management (too many sessions given out to a single IP address or range), use session tracking.

On the SECURITY > Advanced Security page, locate the desired URL policy and click Edit in the Options column next to it. Configure the following values:

- Enable Bruteforce Prevention: Set to Yes to enable brute force attack prevention for this URL policy.
- Enable Invalid status code only: Set to Yes to monitor and count only invalid requests from a single client or from all sources. If set to No, both valid and invalid requests are counted. Requests exceeding the configured Max Allowed Accesses Per IP or Max Allowed Accesses From All Sources are blocked.
- Count Window: The time interval in seconds to which Max Allowed Accesses Per IP or Max Allowed Accesses From All Sources applies. Range: ; Default: 60 (one minute).
- Max Allowed Accesses Per IP: The maximum number of requests allowed to this web application per IP address. Range: ; Default: 10.
- Max Allowed Accesses From All Sources: The maximum number of requests allowed to this web application from all sources. Range: ; Default: 100.
- Counting Criterion: Whether requests from all sources, or requests per IP, are counted. Values: Per IP, All Sources; Default: Per IP.
- Exception Clients: IP addresses for which no maximum number of accesses is enforced. Enter a single address, a range of addresses, or a combination of both, using a comma (,) as the delimiter; the two ends of a range are separated by a hyphen (-). This makes an exception list of client IPs (unlimited-access users). The list must not contain overlapping IP ranges. Values: suitable IP ranges.

Click Save Changes to save the above settings.

Because counting is by source IP address, clients behind a shared NAT or proxy share one counter; size Max Allowed Accesses Per IP with that in mind, and use Enable Invalid status code only where a high rate of valid requests from such sources is expected.

How to Configure Session Tracking

Session Tracking

A session refers to all requests a single client makes to a server. A session is specific to the user: for each user a new session is created to track all requests from that user, and every session is identified by a unique session identifier. Session Tracking enables the Barracuda Load Balancer ADC to limit the number of sessions originating from a particular client IP address in a given interval of time. Limiting the session generation rate by client IP address helps prevent session-based Denial of Service (DoS) attacks.

To configure Session Tracking, go to SECURITY > Advanced Security and choose Edit from Options. Specify the desired session protection fields:

- New Session Count: Maximum number of new sessions allowed per IP address. Range: ; Default: 10.
- Interval: The time in seconds within which the number of new sessions cannot exceed the New Session Count setting. Range: seconds; Default: 60.
- Session Identifiers: The token type used to recognize sessions. Choose from the list, or see Configuration of Session Identifiers below to add a Session Identifier.
- Exception Clients: Clients exempted from this protection. The two ends of an IP address range are separated by a hyphen (-); multiple ranges or addresses are separated by commas (,). The list must not contain overlapping IP address ranges.
- Status: Set to On to enable session tracking.

After configuring the above fields, click Save Changes.

Configuration of Session Identifiers

Configuring session identifiers allows the Barracuda Load Balancer ADC to recognize session information in requests and responses. To create a new session identifier:

1. Go to the SECURITY > Libraries > Session Identifiers section.
2. Locate the desired identifier and click Edit, or click Add Session Identifiers to add a new identifier.
3. Enter or modify the session Identifier Name. This name appears in the list of Session Identifiers from which you choose when you configure Session Tracking.
4. Enter or modify the following session token parameters: Token Name, Token Type, Start Delimiter, End Delimiter. For example, a session token of the form JSESSIONID=12345; is configured with Token Name: JSESSIONID, Token Type: Parameter, Start Delimiter: = and End Delimiter: ; so that the Barracuda Load Balancer ADC can extract the session ID.

Newly added or edited Session Identifiers appear in the Session Identifiers list on the Edit Session Tracking page when you choose Edit in the SECURITY > Advanced Security > Session Tracking section.

Allow/Deny Rules for Headers and URLs

The SECURITY > Allow/Deny page allows you to define strict access control rules for the Services. A request with any violation is allowed or denied based on the settings in the URL ACL and Header ACL. These controls include location checks, form checks, size checks, and content checks both to and from the servers. They can also set landing page and entry controls, and they can provide custom error responses and request redirection.
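Before moving on to allow/deny rules, the Brute Force Protection counters and the Session Tracking limit from the two procedures above, as an added example that is not part of the original page and not Barracuda's own code. It uses the field names from the page (Count Window, Max Allowed Accesses Per IP, Max Allowed Accesses From All Sources, Counting Criterion, Enable Invalid status code only, Exception Clients, New Session Count, Interval, and a Session Identifier built from Token Name, Start Delimiter and End Delimiter) and replays constructed traffic through them. Assumptions: the Count Window is a sliding window, "invalid" means an HTTP status of 400 or above, a session counts as new the first time its identifier is seen, and the IP addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Added example, not Barracuda's code: the Brute Force Protection counters and
# the Session Tracking limit described above, replayed over constructed traffic.
# Assumed: a sliding Count Window, "invalid" = HTTP status >= 400, a session is
# new the first time its identifier is seen, and the sample IP addresses.


def parse_exception_clients(text):
    """'10.0.0.5, 192.168.1.10-192.168.1.20' -> list of (low, high) integer ranges."""
    ranges = []
    for item in (p.strip() for p in text.split(",") if p.strip()):
        low, _, high = item.partition("-")
        lo = int(ipaddress.ip_address(low.strip()))
        hi = int(ipaddress.ip_address(high.strip())) if high else lo
        ranges.append((lo, hi))
    return ranges


def is_exception(ip, ranges):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


class SlidingCounter:
    """Number of events per key within the last `window` seconds."""
    def __init__(self, window):
        self.window, self.events = window, defaultdict(deque)

    def add(self, key, now):
        q = self.events[key]
        q.append(now)
        while q and now - q[0] >= self.window:   # drop events outside the window
            q.popleft()
        return len(q)


class BruteForceGuard:
    def __init__(self, count_window=60, max_per_ip=10, max_all_sources=100,
                 counting="Per IP", invalid_only=False, exception_clients=""):
        self.counter = SlidingCounter(count_window)
        self.max_per_ip, self.max_all = max_per_ip, max_all_sources
        self.counting, self.invalid_only = counting, invalid_only
        self.exceptions = parse_exception_clients(exception_clients)

    def check(self, ip, status, now):
        """'allow' or 'block' for a request the server answered with `status`."""
        if is_exception(ip, self.exceptions):
            return "allow"
        if self.invalid_only and status < 400:
            return "allow"                        # valid responses are not counted
        per_ip = self.counting == "Per IP"
        key, limit = (ip, self.max_per_ip) if per_ip else ("ALL", self.max_all)
        return "block" if self.counter.add(key, now) > limit else "allow"


class SessionIdentifier:
    """Token Name, Start Delimiter and End Delimiter from the Session Identifiers library."""
    def __init__(self, token_name, start="=", end=";"):
        self.rx = re.compile(re.escape(token_name) + re.escape(start)
                             + "([^" + re.escape(end) + "]*)")

    def extract(self, header_value):
        m = self.rx.search(header_value or "")
        return m.group(1) if m else None


class SessionTracker:
    def __init__(self, identifier, new_session_count=10, interval=60, exception_clients=""):
        self.identifier, self.limit = identifier, new_session_count
        self.counter, self.seen = SlidingCounter(interval), set()
        self.exceptions = parse_exception_clients(exception_clients)

    def check(self, ip, cookie_header, now):
        """A request that presents a never-seen (or no) session id is a new session."""
        sid = self.identifier.extract(cookie_header)
        if sid in self.seen:
            return "allow"                        # an established session
        if sid is not None:
            self.seen.add(sid)
        if is_exception(ip, self.exceptions):
            return "allow"
        return "block" if self.counter.add(ip, now) > self.limit else "allow"


def replay(guard, requests):
    """requests: (time, ip, status-or-cookie) tuples in time order -> decisions."""
    return [guard.check(ip, arg, t) for t, ip, arg in requests]


# Constructed traffic: twelve failed logins in 22 s from one client, interleaved
# with twelve from a client inside the exception range.
FAILED_LOGINS = sorted([(t, "203.0.113.7", 401) for t in range(0, 24, 2)] +
                       [(t + 1, "198.51.100.15", 401) for t in range(0, 24, 2)])
# Twelve requests within a minute that each present a never-seen JSESSIONID,
# then two that reuse the first one.
FRESH_SESSIONS = ([(t, "203.0.113.7", "JSESSIONID=s%d; Path=/" % t) for t in range(12)]
                  + [(12, "203.0.113.7", "JSESSIONID=s0; Path=/"), (13, "203.0.113.7", "JSESSIONID=s0")])
```

With the defaults from the page (10 per IP in a 60 second window, New Session Count 10 in a 60 second Interval) the eleventh and twelfth failed logins from 203.0.113.7 are blocked while the exception client is never counted, and the eleventh and twelfth fresh JSESSIONIDs are blocked while the two requests that reuse s0 pass as an established session.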

In this Section

- Allow/Deny Rules for Headers
- Allow/Deny Rules for URLs

Allow/Deny Rules for Headers

You can enforce strict limitations on incoming headers intended for a service using the Header : Allow/Deny Rules section of the SECURITY > Allow/Deny Rules page. It is used to sanitize HTTP headers that carry sensitive information identifying the client, and application-specific state passed in one or more HTTP headers. A header ACL can be configured to protect against attack types and potentially malicious metacharacters and keywords placed in a header.

To create a Header ACL rule:

1. Go to the SECURITY > Allow/Deny Rules page.
2. In the Header : Allow/Deny Rules section, identify the Service to which you want to add the header ACL rule.
3. Click Add next to the Service. The Create Header ACL window appears.
4. Specify appropriate values for the given fields and click Save. For more information, click Help in the web interface.

Related Articles: Allow/Deny Rules for URLs

Allow/Deny Rules for URLs

Strict allow/deny rules for a web application can be configured on the SECURITY > Allow/Deny Rules page. Allow/Deny rules let you customize access to the web application based on a set of matching criteria. An administrator can configure a rule to control access to certain portions of the web application as the business requires, without changing any configuration on the web application itself. A rule can be configured for a URL match, a Host header match and a set of optional extended match criteria (for example, the client IP address or the HTTP method). Once a match is found, the request is processed according to the configured action. Besides allowing or denying a request explicitly, the rule action can be configured to redirect the incoming request to another absolute URL, or to continue processing the request through the other security layers of the Barracuda Web Application Firewall. To configure a specific match, click Add or Edit next to the Service and use the Extended Match widget.

For rule matching and subsequent evaluation, URL match and Host header matches are prioritized over extended matches. If more than one rule with the same URL match and Host header match is configured, the rules are evaluated in the specified extended match sequence.

There are two ways of redirecting a request using the URL ACL:

1. Set the Action parameter to Redirect, and specify the Redirect URL.
2. Set the Action parameter to Deny and Log, set the Deny Response to Redirect, and specify the Redirect URL.

The first case is not considered an attack, therefore:
- It is logged at a lower severity.
- Passive mode has no effect on it.

The second case is a suspected attack, therefore:
- It is logged at a higher severity.
- Passive mode applies to it: while the service is in Passive mode the request is logged but not denied, so the redirect does not happen.

To create a URL ACL rule:

1. Go to the SECURITY > Allow/Deny Rules page.
2. In the URL : Allow/Deny Rules section, identify the Service to which you want to add the URL ACL rule.
3. Click Add next to the Service. The Create ACL window appears.
4. Specify appropriate values for the given fields and click Save. For more information, click Help in the web interface.

Related Articles: Allow/Deny Rules for Headers

Extended Match Syntax

Extended Match and Condition Expressions

Extended Match and Condition Expressions can be configured for various rule types, allowing you to define precisely which requests or responses the rule applies to. You can build conditions from parameters or elements of a request or response, combine them flexibly, and apply the rule's security settings only to traffic that matches the expression. A few examples:

  Header Host co example.com
    matches a request whose Host header contains example.com
  Parameter userid ex
    matches any request in which the parameter userid is present
  (Header Host eq ) && (Client-IP eq /24)
    matches a request whose Host header equals the given host name and whose client IP address lies in the given /24 subnet

Quick reference

  Extended Match Expression: Element Match (Expression) [Join (Expression) ...]
  Join: &&, ||
  Element Match: Element [Element Name] Operator [Value]
  Element:
    Request elements: Method, HTTP-Version, Client-IP, URI, URI-Path, Header
    Request parameters: Parameter, Pathinfo
    Response elements: Status-code, Response-Header
  Operator:
    Matching: eq, neq, req, nreq
    Containing: co, nco, rco, nrco
    Existence: ex, nex

Structure of an Extended Match Expression

An Extended Match expression consists of one or more Element Matches, combined using the Join operators AND (&&) and OR (||). Parentheses delimit the individual Element Matches when join operators are used, and parentheses can be nested. An Element Match consists of an Element, an optional Element Name, an Operator, and an optional Value. Some elements (like Header) require an Element Name (like User-Agent), whereas others (like HTTP-Version) need no further qualification. Likewise, some operators (like eq) require a value, whereas others (like ex) do not. Tokens are delimited by spaces and the parenthesis characters. Double quotes (") can be used to enclose a single token that contains parenthesis characters or spaces.
The backslash character can also be used to escape, that is, to remove the special meaning of, the special characters (space and parentheses).

Operators

The following operators are possible in an Element Match. Operators are case insensitive, so eq, Eq and EQ all behave the same.

- eq - true if the operand is equal to the given value. A case-insensitive string comparison is performed, so the value "01" does not equal the value "1", whereas the values "one" and "ONE" are equal.
- neq - true if the operand is not equal to the given value. A case-insensitive string comparison is performed.
- co - true if the operand contains the given value.
- nco - true if the operand does not contain the given value.
- rco - true if the operand contains a match for the given value, specified as a regular expression.
- nrco - true if the operand does not contain a match for the given value, specified as a regular expression.
- req - true if the operand matches the given value, specified as a regular expression.
- nreq - true if the operand does not match the given value, specified as a regular expression.
- ex - true if the operand exists. A value is not required.
- nex - true if the operand does not exist. A value is not required.

Elements

The following Elements are allowed in an expression. Elements and Element Names are case insensitive, so Method and METHOD behave the same.

- Client-IP - The IP address of the client sending the request. The value can be either a host IP address or a subnet specified with a mask. Only the eq and neq operators can be used with this element. Examples: (Client-IP eq /24), (Client-IP eq )
- Method - The HTTP method of the request. Example: (Method eq GET)
- HTTP-Version - The HTTP protocol version of the request. Example: (HTTP-Version eq HTTP/1)
- URI - The Uniform Resource Identifier in the request, including any query parameters. Example: (URI rco /abc.*html?userid=b)
- URI-Path - The path portion of the URI, excluding any query parameters. Example: (URI-path req \/.*copy%20[^/]*)
- Parameter - A name-value pair in the query string of the URL. The special parameter name $NONAME_PARAM refers to a parameter whose name is absent. Examples: (Parameter sid eq 1234), (Parameter $NONAME_PARAM co abcd)
- Pathinfo - The portion of the URL that the server treats as PATH_INFO. The Barracuda Web Application Firewall uses a set of known extensions to determine whether a portion of the URL is the Pathinfo. For example, if the request URL is /twiki/view.cgi/Engineering, then /Engineering is considered the Pathinfo rather than part of the URL. Example: (PathInfo rco abc*)
- Header - An HTTP header in the request. Requires an Element Name identifying the header, following the word Header. Example: (Header Accept co gzip) checks whether the Accept header contains the string gzip.
- X509_OU - The Organizational Unit (OU) stated in the X.509 certificate. Example: (X509_OU eq "Engineering Division"); because the value contains a space it must be quoted or the space escaped, as described under Escaping. When Client Authentication is enabled for an HTTPS service, the certificate presented by the client is matched against the element value, and if the request matches the rule the Barracuda Web Application Firewall executes the specified action. To enable Client Authentication, click Edit in the Options column next to the service on the BASIC > Services page, in the Configured Virtual Services section.

Not all elements are allowed in every expression. The following restrictions apply:

- Request rules (ACLs, URL Policy, URL Profiles) allow only the elements Method, HTTP-Version, Header, Client-IP, URI, URI-Path, Pathinfo, and Parameter.
- Request Rewrite Conditions allow only the elements Method, HTTP-Version, Header, Client-IP, and URI.
- Response Rewrite Conditions allow only the elements Method, HTTP-Version, Header, Client-IP, URI, Status-code and Response-Header.

Joins

Expressions can be joined using:

- || - Or, true if either expression is true.
- && - And, true if both expressions are true.

Element Matches can be combined only when each Element Match is enclosed in parentheses; you cannot combine Element Matches without parentheses. Example:

  (Header cookie ex) && (URI rco .*\.html) && (Method eq GET)

Nested sub-expressions can be created by enclosing expressions in parentheses, which makes the expression both more readable and unambiguous. Example:

  (HTTP-Version eq HTTP/1) && ((Header Host eq ) || (Header Host eq website.example.com))

Escaping

The space character and the parenthesis characters are special characters that cause the parser to split the string into tokens at these separators. In some cases you must specify these characters as part of the value itself. For example, the User-Agent header typically contains both spaces and parentheses, as in:

  User-Agent: Mozilla/5.0 (Linux i686; en-US; rv:8.3) Firefox/0.0.3

When a value contains space or parenthesis characters, they must be escaped by prefixing them with a backslash (\), or the entire value must be enclosed in double quotes ("). Examples:

  Header User-Agent eq "Mozilla/5.0 (Linux i686; en-US; rv:8.3) Firefox/0.0.3"
  Header User-Agent eq Mozilla/5.0\ \(Linux\ i686;\ en-US;\ rv:8.3\)\ Firefox/0.0.3

The double-quote character itself must be escaped with a backslash, whether or not it is inside a quoted string. The single-quote character has no special meaning and is treated like any other character. To specify the backslash character itself, it must be escaped as "\\", again whether or not it is within a quoted string. The backslash escapes all characters, not just special characters: "\c" stands for the character "c", and in general a backslash followed by any character stands for that character, whether or not the character has a special meaning in the extended match syntax. By these rules a regular-expression escape such as \. in an rco or req value reaches the matcher as a plain ".", so write \\. when the backslash itself must survive tokenizing.

Configuring User Defined Patterns

The Barracuda Load Balancer ADC allows you to create customized data patterns that can be detected and handled according to the configured security settings. It uses regular expressions (regex) to define data type patterns, and custom data types defined with regex patterns implement advanced data type enforcement on input parameters. For guidelines on writing regular expressions, see Extended Match Syntax. The pattern-match engine recognizes lexical patterns in text and compares inputs to the defined data type patterns. For example, the default regex pattern for a Visa credit card is:

  4[[:digit:]]{12}|4[[:digit:]]{15}

A pattern can also be associated with an algorithm; for example, an algorithm that validates a credit card number (typically a Luhn check-digit test) can be associated with a credit card pattern. The algorithm runs on every string matching the regular expression to decide whether it actually conforms to the pattern, which keeps numbers that merely look like card numbers from triggering the data type.

Internal Patterns

The SECURITY > View Internal Patterns page includes Identity Theft Patterns, Attack Types, Input Types, and Parameter Class. Each data type exhibits a unique pattern.
These patterns can be bound to a policy or to profiles of an web application to validate the incoming requests. The patterns displayed by default under each pattern group cannot be modified. To create a modified pattern, use the Copy function to copy a pattern, th modify it as required. The copied pattern group can be found on the SECURITY > Libraries page under the corresponding group. You can modify or delete patterns as required, and th apply them to a service security policy. For more information on how to copy a pattern group, refer to Steps to Copy a Pattern Group. The following provides a brief description about the internal patterns. Idtity Theft Patterns Idtity theft is the loss of personal data resulting in fraud. Disclosure of ssitive information such as credit card numbers, banking information, passwords, or usernames in service communication might able idtity theft. The Barracuda Load Balancer ADC prevts unauthorized exposure of at risk data. The Idtity Theft container includes Credit Cards, Social Security Numbers, and Directory Indexing data types. In addition, customized idtity theft patterns can be created and used. For more information, see How to Configure Data Theft Protection. Attack Types An attack is a technique used to exploit vulnerabilities in web applications. Attacks can insert or modify code in requests. If a request contains an attack pattern, it is dropped. The attack data type container includes patterns for idtifying Cross-site Scripting, Remote-file Inclusion, SQL Injection, Directory Traversal, and OS Command Injection attacks. In addition customized attack data types can be created and used. Input Types Input data types are used to validate the HTTP request parameters. Inputs come from web forms, applications and Services, custom clit applications, or file based records. This validation sures that the data conforms to the correct syntax, is within lgth boundaries, and contains only permitted characters or numbers. 
Requests failing validation are assumed intrusions and are blocked. Input types are defined using reg-ex patterns. Default Input Types including credit cards, numeric, hex-number, alpha, alphanumeric, string, name, and date are provided. In addition, customized Input Types can be defined and used. Parameter Class Parameter class defines acceptable values for parameters. Parameter classes are bound to Parameter Profiles using SECURITY > Website 180

Profiles > Parameter Profiles and specify validation criteria for parameters in a request. In addition to the internal parameter classes, customized parameter classes can be created and used.

Steps to Copy a Pattern Group

Do the following to copy a pattern group:
1. From the SECURITY > View Internal Patterns page, identify the group you want to copy.
2. Click Copy next to that group. The Copy window appears.
3. In the New Group field, specify a new name for the group and click Paste.
4. Navigate to the SECURITY > Libraries page. The new pattern group appears under the group to which it belongs.
5. Click Edit Pattern to edit a particular pattern. Click Delete to delete a particular pattern.

Creating and Using Custom Attack Types

The SECURITY > Libraries > Attack Types section allows creation of custom attack data types which, when detected in a request, identify the request as an attack. One or more patterns which define the format of the attack type can be added to each group.

Creating a Custom Attack Type Pattern
1. Go to the SECURITY > Libraries > Attack Types section.
2. Enter a name in the New Group text box and click Add. The new attack type group appears in the Attack Types section.
3. Click Add Pattern next to that group. The Attack Types window appears.
4. Specify values for the following fields:
   a. Pattern Name - Enter a name for the pattern.
   b. Status - Set to On if you wish to use this pattern for pattern matching in the responses.
   c. Pattern Regex - Define the regular expression of the pattern, or click the Edit icon to select and insert the pattern.
   d. Pattern Algorithm - Select the algorithm to be associated with the pattern from the list.
   e. Case Sensitive - Select Yes if you wish the pattern defined to be treated as case sensitive.
   f. Pattern Description - Optional. Enter a description for the defined pattern. For example, "Visa credit card pattern" would indicate that the pattern matches a Visa credit card number.
5. Click Add.

Using a Custom Attack Type

The added attack type pattern becomes available under Custom Blocked Attack Types on the following pages and sections:
- SECURITY > Libraries > Custom Parameter Class
- SECURITY > Website Profiles > URL Profiles
- SECURITY > Security Policies > URL Protection
- SECURITY > Security Policies > Parameter Protection

The Custom Blocked Attack Types are enabled by default under the SECURITY > Libraries > Custom Parameter Class section and the SECURITY > Website Profiles > URL Profiles section, whereas on the SECURITY > Security Policies > URL Protection and SECURITY > Security Policies > Parameter Protection pages you have to select the custom attack types manually.

Creating and Using Custom Input Types

The Barracuda Load Balancer ADC includes a collection of predefined and custom input data types, which can be used to validate HTTP request parameters. Input data types are used to validate that request parameters conform to expected formats. Most attacks can be prevented by properly validating input parameter values against expected input data types. Input Type validation enforces the expected formats rather than trying to identify malicious values. Requests failing validation are identified as intrusions and blocked. Default Input Types including alpha-numeric strings, credit card, date and positive-long-integer are provided. Custom Input Data Types can also be added.

The SECURITY > Libraries > Input Types section allows you to create customized input data types. One or more patterns which define the format of the input type can be added to each group.

Creating a Custom Input Type Pattern
1. Go to the SECURITY > Libraries > Input Types section.
2. Enter a name in the New Group text box and click Add. The new input type group appears in the Input Types section.
3. Click Add Pattern next to that group. The Input Types window appears.
4. Specify values for the fields and click Add to save the pattern.

Using a Custom Input Type

Perform the following steps to use a custom input data type:
1. Go to the SECURITY > Libraries > Custom Parameter Class section.
2. Click Add Custom Parameter Class. The Add Custom Parameter Class window appears.
3. In the Name text box, enter a name for the custom parameter class.
4. Select CUSTOM from the Input Type Validation drop-down list.
5. Select the custom input type you created from the Custom Input Type Validation drop-down list.
6. In the Denied Metacharacters text box, enter the metacharacters, or click the Edit icon to select and apply the metacharacters to be denied in this parameter value.
7. Select the required check box(es) under Blocked Attack Types and Custom Blocked Attack Types and click Add.
8. Bind this custom parameter class to a parameter profile.

Creating and Using Custom Parameter Class

The SECURITY > Libraries > Custom Parameter Class section allows creation of custom parameter classes which enforce expected input formats and block attack formats for request parameters. One or more patterns which define the format of the data type can be added to each group. Bind the custom parameter class to a parameter profile by adding a new parameter profile or editing an existing parameter profile using SECURITY > Website Profiles.

Creating a Custom Parameter Class
1. Go to the SECURITY > Libraries > Custom Parameter Class section.
2. Click Add Custom Parameter Class. The Add Custom Parameter Class window appears.
3. Specify values for the following fields:
   a. Name - Enter a name for the custom parameter class.
   b. Input Type Validation - Select the expected type of value for the parameter configured on the SECURITY > Website Profiles page. Most attacks can be prevented by properly validating input parameter values against the expected input. Input Type validation enforces the expected value type as opposed to looking for malicious values. Values of configured parameters are validated against the specified Input Type, and requests that fail validation are detected as intrusions and blocked.
   c. Custom Input Type Validation - Select the expected custom input data type for the configured parameter.
   d. Denied Metacharacters - Enter the metacharacters to be denied in the parameter value, or click the Edit icon to select and apply the metacharacters.
   e. Blocked Attack Types - Select the check box(es) to detect malicious patterns in the configured parameter. An intrusion is detected when the value of the configured parameter matches one of the specified Attack Types, and the request is blocked.
   f. Custom Blocked Attack Types - Select the custom attack type check box(es) to be used to detect intrusions.
4. Click Add to add the above configuration.

Using a Custom Parameter Class

Perform the following steps to use a custom parameter class:
1. Go to the SECURITY > Website Profiles page.
2. In the Service section, click the Website drop-down list and select the Service for which you wish to add the parameter profile.
3. In the URL Profiles section, select the check box next to the URL profile to which you want to add the parameter profile.
4. In the Parameter Profiles section, click Add Param. The Create Parameter Profile window appears.
5. In the Parameter Profile Name text box, specify a name for the parameter profile.
6. Ensure the Status is set to On.
7. Select CUSTOM from the Parameter Class drop-down list.
8. Select the custom parameter class you created from the Custom Parameter Class drop-down list and click Add.

The parameter profile is now used to validate the requests coming for the Service you selected, depending on the Mode you configured in the URL profile. For more information on URL and Parameter Profiles, see Configuring Website Profiles.
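As an added illustration (not the appliance's own implementation), the following Python models how the three checks of a custom parameter class combine on a request: the custom input type enforces the expected format, denied metacharacters are rejected, and blocked attack types flag signatures. The class, parameter names and patterns are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AttackType:
    """One custom attack type group: a name plus one or more regex patterns."""
    name: str
    patterns: list
    case_sensitive: bool = True   # the "Case Sensitive" flag of a pattern

    def matches(self, value: str) -> bool:
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return any(re.search(p, value, flags) for p in self.patterns)


@dataclass
class ParameterClass:
    """Hypothetical model of a custom parameter class bound to one parameter."""
    name: str
    input_type_regex: str              # CUSTOM input type: the expected format (allowlist)
    denied_metacharacters: str         # characters that must not appear in the value
    blocked_attack_types: list = field(default_factory=list)

    def validate(self, value: str) -> list:
        """Return the violations found in one value; an empty list means accepted."""
        violations = []
        # 1. Input Type validation: enforce the expected format instead of hunting
        #    for malicious values; anything that does not fit the format fails here.
        if re.fullmatch(self.input_type_regex, value) is None:
            violations.append("input-type:" + self.name)
        # 2. Denied Metacharacters: report every denied character present in the value.
        found = sorted({c for c in value if c in self.denied_metacharacters})
        if found:
            violations.append("denied-metacharacters:" + "".join(found))
        # 3. Blocked Attack Types: a signature match identifies the request as an attack.
        for attack in self.blocked_attack_types:
            if attack.matches(value):
                violations.append("attack-type:" + attack.name)
        return violations


def check_request(profiles: dict, params: dict) -> dict:
    """Validate every request parameter that has a parameter profile.

    Returns {parameter_name: [violations]} for the failing parameters only, so an
    empty dict means the request passes. Parameters without a profile are not
    validated in this illustration.
    """
    failures = {}
    for name, value in params.items():
        profile = profiles.get(name)
        if profile is not None:
            violations = profile.validate(value)
            if violations:
                failures[name] = violations
    return failures


# Constructed sample configuration (hypothetical names and patterns, not the
# appliance's built-in libraries): one custom attack type and two parameter
# classes bound to the request parameters "order_id" and "comment".
HTML_TAG = AttackType("html-tag", [r"<[a-z][a-z0-9]*[\s>/]"], case_sensitive=False)

PROFILES = {
    "order_id": ParameterClass("order-id", r"ORD-[0-9]{6}", "<>\"';", [HTML_TAG]),
    "comment": ParameterClass("short-text", r"[A-Za-z0-9 .,!?'-]{1,200}", ";|", [HTML_TAG]),
}


if __name__ == "__main__":
    for sample in ({"order_id": "ORD-123456", "comment": "Great product, thanks!"},
                   {"order_id": "ORD-1234"},
                   {"comment": "<B>bold</B> text"},
                   {"order_id": "ORD-123456;x"}):
        print(sample, "->", check_request(PROFILES, sample) or "accepted")
```

Note that "ORD-1234" is rejected by the format check alone, which is the point the section makes: the allowlist catches values that no attack signature would.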
Creating and Using Custom Response Page

The SECURITY > Libraries > Response Pages section allows creation of customized HTML response pages for HTTP requests that violate security policies on the Barracuda Load Balancer ADC. Either edit an existing default response page or use Add Response Page to add customized response pages that can be shared among multiple Services.

Creating a Custom Response Page
1. Go to the SECURITY > Libraries > Response Page section.
2. Click Add Response Page. The Add Response Page window appears.
3. Specify values for the following fields:
   a. Response Page Name - Enter a name for the response page.
   b. Status Code - Enter the HTTP status for the response page. Examples:
      i. 403 Forbidden
      ii. 405 Method Not Allowed
      iii. 406 Not Acceptable
   c. Headers - Enter the response headers for the response page. Examples:
      i. Allow - What request methods (GET, POST, etc.) does the server support?
      ii. Content-type - Content type of the resource (such as text/html).
      iii. Connection - Options that are specified for a particular connection and must not be communicated by proxies over further connections.
      iv. Location - Where should the client go to get the document?
      v. Refresh - How soon should the browser ask for an updated page (in seconds)?
   d. Body - Enter the response body for the response page. The following macros are supported:
      i. %action-id - Replaced by the attack ID of the violation which resulted in the response page being displayed.
      ii. %host - Replaced by the host header which sent the request.
      iii. %s - Replaced by the URL of the request which caused the violation.
      iv. %client-ip - Replaced by the client IP of the request which caused the violation.
      v. %attack-time - Replaced by the time at which the violation occurred.
      vi. %attack-name - Replaced by the attack name of the violation which resulted in the response page being displayed.
4. Click Add to add the new custom page.

Example of a custom response:
The request from %client-ip at %attack-time for the URL %s cannot be served due to attack %action-id on the host %host.

An image can also be embedded in the response page. Here are the steps to do so:
1. Convert the image to base64 using openssl or any other utility. Example:
   openssl base64 -in barracuda.jpg -out barracuda-jpg.b64
2. Embed the base64 encoded image into the HTML with the "img" tag. Example:
   <html><img src="data:image/jpeg;base64,[base64 ENCODED IMAGE]" alt="test"/></html>

Using a Custom Response Page

The added response page is listed under the following pages and sections:
- SECURITY > Security Policies > Global ACLs > Existing Global ACLs
- SECURITY > Security Policies > Action Policy > Action Policy
- SECURITY > Allow/Deny > URL : Allow/Deny Rules

Perform the following steps to use a custom response page:

Steps to Use a Custom Response Page in the URL : Allow/Deny Rules
1. Go to the SECURITY > Allow/Deny > URL : Allow/Deny Rules section.
2. Click Add next to the Service for which you want to configure the response page. The Create ACL window appears.
3. In the URL ACL Name text box, enter a name for the URL ACL.
4. Select Response Page from the Deny Response drop-down list.
5. Select the response page you created from the Response Page drop-down list.
6. If required, change the values of other parameter(s) and click Add.

Steps to Use a Custom Response Page in the Action Policy
1. Go to the SECURITY > Security Policies > Action Policy > Action Policy section.
2. Click Edit next to the action policy for which you want to add the response page. The Edit Attack Action window appears.
3. Select the response page you created from the Response Page drop-down list, and click Save Changes.

Steps to Use a Custom Response Page in the Existing Global ACLs
1. Go to the SECURITY > Security Policies > Global ACLs > Existing Global ACLs section.
2. Click Edit next to the URL ACL for which you want to add the response page. The Edit Global ACL window appears.
3. Select the response page you created from the Response Page drop-down list, and click Save Changes.

Regular Expression Notation

The Barracuda Load Balancer ADC employs a regular expression (regex) engine to evaluate regular expressions (as defined in POSIX 1003.2) used as values in various parameters. Regular expressions allow you to specify complex relationships. The following table describes the syntax rules that apply when creating a regular expression for a parameter value. Regular expressions use raw bytes/characters for everything except NUL (0x00, which is escaped as %00) and LF (0x0a, which is escaped as %0a).

Value          Meaning
x              Match the character x.
.              Match any character (byte) except newline.
[xyz]          Match the pattern (character class) among x, y, or z. Matching is case dependent.
[abj-oz]       Match the pattern (character class with a range) among a, b, any letter from j through o, or z. Matching is case dependent.
[^A-Z]         Match anything except the pattern (negated character class), that is, any character but those in the class, which in this case is any character except an uppercase letter.
[^A-Z\n]       Match anything except the pattern (negated character class), which in this case is any character except an uppercase letter or a newline.
r*             Match zero or more of r, where r is any regular expression.
r+             Match one or more of r.
r?             Match zero or one of r (that is, an optional r), where r is any regular expression.
r{2,5}         Match two to five of r.
r{2,}          Match two or more of r.
r{4}           Match exactly 4 of r.
"[xyz]\"foo"   Match the literal string: [xyz]"foo
\X             If X is a, b, f, n, r, t, or v, then the ANSI-C interpretation of \X applies. Otherwise, it is a literal X (used to escape operators such as an asterisk [*]).
\0             Match a NULL character (ASCII code 0).
\123           Match the character with octal value 123.
\x2a           Match the character with hexadecimal value 2a.
(r)            Match an r. Parentheses are used to override precedence; expressions in parentheses are evaluated first.
rs             Match the regular expression r followed by the regular expression s. This type of pattern is called concatenation.
r|s            Match either an r or an s. This type of pattern is called alternation.
r/s            Match an r if it is followed by an s. The text matched by s is included when determining whether this rule is the "longest match," but it is then returned to the input before the action is executed, so the action only sees the text matched by r. This type of pattern is called trailing context.
^r             Match an r at the beginning of a line (that is, when starting to scan or immediately after a newline has been scanned). Note: The circumflex (^) character means beginning of the input string when it appears at the beginning of a pattern. If it appears elsewhere, it is treated as a literal character.
r$             Match an r at the end of a line (that is, just before a newline). This is equivalent to r/\n. Note: The dollar sign ($) character means end of the input string when it appears at the end of a pattern. If it appears elsewhere, it is treated as a literal character.

The following are special characters (that is, they have special meaning as described in the table above) and must be escaped by prefixing a backslash (\) in order to be recognized as the character itself:
. [ ] ( ) ^ $ / * + ? { } \

The following characters must be escaped or quoted during header rule configuration for proper rule matching: white space (' ', '\t', '\n'), the brackets '[', ']', '(' and ')', and ';'. Precede each character with the "\" character to escape it, or quote the entire string.

The regular expressions listed in the table above are grouped according to precedence, from highest precedence at the top to lowest at the bottom. For example, the following two expressions are identical because the asterisk (*) operator has higher precedence than concatenation, and concatenation has higher precedence than alternation (|):
foo|bar*
(foo)|(ba(r*))
This pattern matches either the string foo or the string ba followed by zero or more r strings.

Inside a character class, all regular expression operators lose their special meaning except escape (\) and the character class operators dash (-), right bracket (]), and circumflex (^) at the beginning of the class. Valid character class expressions are the following:
[:alnum:] [:alpha:] [:blank:] [:cntrl:] [:digit:] [:graph:] [:lower:] [:print:] [:punct:] [:space:] [:upper:] [:xdigit:]
These expressions are equivalent to the corresponding standard C isXXX() functions. If used in case-insensitive mode, [:upper:] and [:lower:] are equivalent to [:alpha:].

A rule can have at most one instance of the / or $ operators. The start condition (^) can only occur at the beginning of a pattern, and none of these operators can be grouped inside parentheses. A ^ character that does not occur at the beginning of a rule or a $ character that does not occur at the end of a rule loses its special properties and is treated as a normal character. If more than one match is found, the rule matching the most text is used. If two or more matches are of the same length, the first rule is chosen.

Usage Examples: ^
- ^r: Match the beginning of an input string only. For example, ^[a-z]+ matches foo but does not match 1foo because the latter does not begin with an alphabetic character.
- [^a-z]: Negated character class. This form matches anything other than a lowercase alphabetic character. For example, ^[^a-z] matches 1foo but does not match foo.
- ^ anywhere else: Literal character. For example, ^(^|[a-z]) matches foo and ^1foo but does not match 1foo.

Usage Examples: $
- r$: Match the end of an input string only. For example, [a-z]+$ matches foo and 1foo but does not match foo1.
- $ anywhere else: Literal character. For example, ([a-z]+|$) matches foo, 1foo, foo1, and foo$.

Usage Examples: Combinations
- ^r$: Match the pattern exactly. There can be no additional characters.
- (r1|r2$): The dollar sign is treated as a literal character.
- (^r1|r2): The circumflex is treated as a literal character.

Networking

In this Section
- Creating Static Routes
- Adding Custom Virtual Interfaces
- Network Address Translation NAT
- Multiport Link Aggregation
- VLANs
- Network Access Control Lists

Creating Static Routes
You can configure static routes that specify the paths that traffic will use to reach remote systems that cannot be reached through the default route for an interface. Go to the NETWORK > Routes page to configure static routes.

Adding Custom Virtual Interfaces
A configured interface is a logical exit point that allows traffic to flow between servers and the Barracuda Load Balancer ADC. To configure interfaces, from the NETWORK > Interfaces page, go to the Add Custom Virtual Interface section, and add virtual interface(s) to the physical port used to communicate with the servers. Use the Add Custom Virtual Interface table to add new virtual interfaces to the Barracuda Load Balancer ADC, or to change the port used by an existing Service or virtual interface. If an IPv6 address is assigned to the Barracuda Load Balancer ADC, and if IPv6 addresses are enabled on the BASIC > IP Configuration page, you can add or change a Service or virtual interface for an IPv6 address. To configure Custom Virtual Interfaces, you specify the following values:
- Name: Enter a name to identify this custom virtual interface.
- IP Protocol Version: Select the Internet protocol version from the drop-down list.
- IP Address: Enter an IP address to communicate with the servers.
- Netmask: Enter the associated netmask for this interface.
- Network Interface: Select the port over which communication needs to be transmitted.
For additional information, log into the web interface, go to the NETWORK > Interfaces page, and click the Help button.
Network Address Translation NAT
Network Address Translation (NAT) maps outbound IP addresses to prevent exposing internal IP addresses. NAT allows you to:
- Conceal internal IP addresses from external exposure or access.
- Reduce the demand for registered IP addresses, because internal IP addresses are not revealed to the outside world.
- Translate incoming IP addresses to the correct internal IP addresses.

Source Network Address Translation (SNAT)
Source Network Address Translation (SNAT) maps internal IP (private IP) addresses to an external IP (public IP) address. SNAT rewrites the IP address of the computer that originated the packet. SNAT is composed of two steps:
- The process of translating an internal IP address into an external IP address;
- The process of undoing the translation for returning traffic, that is, rewriting the IP address of the computer that originated the packet.
On the NETWORK > NAT page, you can define a SNAT rule to allow the Real Servers to forward traffic to the Internet if they are on a private network and the WAN is on a public network.

Create a Source NAT Rule
Use the following steps to create a source NAT rule:
1. Log into the Barracuda Load Balancer ADC as the administrator, and go to the NETWORK > NAT page.
2. In the Add NAT Rule section, enter values for the following:
   - Pre SNAT Source - Enter the internal IP address or source network that is to be translated.
   - Pre SNAT Source Mask - Enter the subnet mask for the entered network; you can use a 32-bit netmask if required for single IP NAT.
   - Protocol - Select the traffic to be used for the networks.
   - Destination Port - Enter the destination port. You can either specify an individual port number (example: 80) or a range of port numbers (example: ). The default value of allows all the ports.
   - Post SNAT Source - Depending on your network configuration, this may be an external IP address or some other IP address on the WAN side of the Barracuda Load Balancer ADC that is translated by your firewall to an external IP address.
   - Outgoing Interface - Select the outgoing network connection through which the traffic needs to pass.
3. Click Add to save your entry.

High Availability
When setting up High Availability (HA) between two Barracuda Load Balancer ADCs, you can create a custom virtual interface that associates an externally accessible IP address with the WAN port, and then use this IP address to create a SNAT rule. This interface is used by the backup system if failover occurs. For more information, log into the web interface, go to ADVANCED > High Availability and click the Help button.
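The two SNAT steps described above (translate on the way out, undo the translation for returning traffic), as an added Python model that is not the appliance's NAT code. The rule fields mirror the Add NAT Rule form; the session table, the "first matching rule wins" order and the reallocation of a source port when two internal hosts collide go beyond what the page states and are assumptions of this example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    protocol: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str     # interface the packet leaves on (or arrives on)


@dataclass
class SnatRule:
    """Hypothetical model of one row of the Add NAT Rule form."""
    pre_snat_source: str          # internal address or network to translate
    pre_snat_source_mask: str     # 255.255.255.255 for a single host
    protocol: str                 # "tcp", "udp" or "any"
    destination_port: tuple       # inclusive (low, high); (1, 65535) covers all ports
    post_snat_source: str         # external address written into the packet
    outgoing_interface: str

    def matches(self, pkt: Packet) -> bool:
        network = ipaddress.ip_network(
            f"{self.pre_snat_source}/{self.pre_snat_source_mask}", strict=False)
        low, high = self.destination_port
        return (ipaddress.ip_address(pkt.src_ip) in network
                and self.protocol in ("any", pkt.protocol)
                and low <= pkt.dst_port <= high
                and pkt.interface == self.outgoing_interface)


class SnatTable:
    """Applies the first matching rule and remembers each translation so the
    reverse rewrite can be applied to the returning traffic."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = {}   # external 5-tuple -> original (src_ip, src_port)
        self.flows = {}      # internal 5-tuple -> external source port already assigned

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1: rewrite the source of an outgoing packet (unchanged if no rule matches)."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None:
            return pkt
        flow = (pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_ip = rule.post_snat_source
        ext_port = self.flows.get(flow)
        if ext_port is None:
            ext_port = self._free_port(pkt, ext_ip)
            self.flows[flow] = ext_port
            self.sessions[(pkt.protocol, ext_ip, ext_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)

    def _free_port(self, pkt: Packet, ext_ip: str) -> int:
        """Keep the original source port unless another internal host already uses
        it towards the same destination; then allocate a free one (assumed range)."""
        def taken(port):
            return (pkt.protocol, ext_ip, port, pkt.dst_ip, pkt.dst_port) in self.sessions
        if not taken(pkt.src_port):
            return pkt.src_port
        for candidate in range(10000, 65536):
            if not taken(candidate):
                return candidate
        raise RuntimeError("no free source port for " + ext_ip)

    def inbound(self, pkt: Packet):
        """Step 2: undo the translation for a returning packet. Returns None when no
        session exists, so unsolicited inbound traffic is not forwarded inside."""
        key = (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        original = self.sessions.get(key)
        if original is None:
            return None
        return replace(pkt, dst_ip=original[0], dst_port=original[1])


# Constructed sample rule: real servers on 10.1.1.0/24 leave ge-1-1 as 203.0.113.10
RULE = SnatRule("10.1.1.0", "255.255.255.0", "tcp", (1, 65535), "203.0.113.10", "ge-1-1")

if __name__ == "__main__":
    table = SnatTable([RULE])
    out = table.outbound(Packet("tcp", "10.1.1.5", 40000, "198.51.100.20", 80, "ge-1-1"))
    print("outbound ->", out)
    reply = Packet("tcp", "198.51.100.20", 80, out.src_ip, out.src_port, "ge-1-1")
    print("reply    ->", table.inbound(reply))
```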
Multiport Link Aggregation
Multiport link aggregation, or link bonding, allows you to aggregate multiple physical network links into a single logical link. You can use link aggregation to achieve multi-gigabit capacity to services and servers.

Caution: Multiport link aggregation is an advanced feature; before completing this deployment, confirm that this configuration is necessary to meet the needs of your organization.

Use multiport link aggregation to:
- Load balance multiple NICs;
- Combine multiple network connections;
- Incorporate redundancy in case one of the links fails;
- Increase bandwidth beyond what is available through one port.

Link Aggregation Requirements
- Physical links must be at least 1 Gbps operating in full duplex mode.
- If you intend to use Dynamic Link Aggregation Control Protocol (IEEE 802.3ad), the corresponding switch must support it.
- The configured speed of all ports of a bonded interface should be the same or set to Automatic. You can configure this setting for each port by editing the port on the NETWORK > Ports page.

Configuring Link Aggregation
To create a link bond, go to the NETWORK > Ports page. Enter a bond name, assign the bond mode, and then select the ports. It is recommended that you select an even number of ports to bond.

Bond Modes
Three bond modes are supported:

Round Robin
The round robin mode transmits packets in sequential order from the first available network port through the last. This mode provides load balancing and fault tolerance. Outgoing traffic is spread across all of the ports in the bond. While round-robin distribution is the only mode that allows a single TCP/IP stream to use more than one network port's worth of throughput, this mode also introduces the potential for out-of-order packets and retransmitted segments.
Example: Consider a bond configured with 4 ports [ge-1-1, ge-1-2, ge-1-3 and ge-1-4] and mode Round Robin. In this case all packets for outgoing traffic during a connection will be routed through all the ports configured in the bond. If there are four TCP segments to be sent via the example bond, then each port will carry one segment.

Active-Backup
Only one port in the bond is active; a different port becomes active if, and only if, the active port fails. This mode provides fault tolerance only. All packets are routed through the active port.
Example: Consider a bond configured with 2 ports [ge-1-1 and ge-1-2] and mode Active-Backup. All outgoing traffic will be routed through the active port ge-1-1 on the bond. The backup port ge-1-2 becomes active if, and only if, the active port fails.

Dynamic Link Aggregation Control Protocol (LACP) / IEEE 802.3ad Dynamic Link Aggregation
This mode creates aggregation groups that share the same speed and duplex settings, and utilizes all ports in the group according to the IEEE 802.3ad specification. This does not increase the bandwidth for a single conversation; it achieves high utilization only when carrying multiple simultaneous conversations. Verify that IEEE 802.3ad/LACP is enabled on the switch.

Existing IP Addresses
When adding ports to a link, at most one of them may have an IP address configured. If an IP address, custom Virtual Interface, Static Route or SNAT IP address exists on one of the ports, it is automatically moved to the newly created bond. However, if you attempt to add multiple ports with IP addresses configured, you cannot create the bond until you delete these extra IP addresses.

Using a Bonded Interface
Once you create a bonded interface, it appears in the user interface and can be used in the same way as any physical interface. For example, you will find it in the Interfaces list when you add a service on the BASIC > Services page.

Example - Creating Two Bonded Links
To create two bonded links, one for the service and one for the servers:
1. On the NETWORK > Ports page:
   a. Create WANbond0 with ports 1-4.
   b. Create LANbond1 with ports 5-8.
   c. If you selected Dynamic Link Aggregation as the mode, verify that IEEE 802.3ad is enabled on the switches.
2. On the NETWORK > Interfaces page:
   a. Add a custom virtual interface that associates the network address of the services subnet with WANbond0.
   b. Add a custom virtual interface that associates the network address of the real server subnet with LANbond1.
3. Create a service on the WANbond0 interface on the BASIC > Services page.

High Availability
If you are clustering two Barracuda Load Balancer ADC systems, make sure that each system has similar cabling. If failover occurs, any link bonds are created on the newly active system using the corresponding ports. For example, if port ge-1-2 and port ge-1-3 form a bond on the active system, on failover the newly active system will attempt to use these same ports for the bond.

VLANs
The Barracuda Load Balancer ADC supports Layer 2 VLANs to segment traffic.

In this article:
- Configuring VLANs
- Route to Multiple VLANs over an Interface

Related Article
- How to Configure the Network

Configuring VLANs
On the NETWORK > VLANs page in the Barracuda Load Balancer ADC web interface, identify your VLANs using the Add VLAN section. You must specify the VLAN name and ID, and select the interface to use. Once identified, the VLANs are available for selection when completing the following tasks:
- Associating a server or service with a VLAN
- Creating a static route
- Changing the management IP address to a VLAN (tagged) network on the BASIC > IP Configuration page.

Route to Multiple VLANs over an Interface
If any interface on the Barracuda Load Balancer ADC has to route to multiple VLANs, it must be connected to the VLAN switch via a trunk (or hybrid) link, since traffic for multiple VLANs can only be transported over trunk links.

Network Access Control Lists
Network Access Control Lists (ACLs) are used for creating matching criteria for IP packets for which a corresponding firewall action can be specified. The specified action is performed if there is a rule match. ACLs can be created by matching a source network/host, or by designating an IP Reputation pool as the source. An ACL can be configured under the following types:
- Global Start: Global Network ACL, Global Geo ACL
- Service: Service Network ACL, Service Geo ACL, Default ACL
- Global End: Global Network ACL, Global Geo ACL

The ACLs under global_start are system rules associated with all configured Services. The global ACL (global_start) rules override ACLs configured under the Service (if configured). To perform a rule action, incoming packets are first checked for a match with the global_start ACLs. If matched, the corresponding action (allow/deny) is applied. If not, the packets are then matched with the ACLs configured under the Service (if any). If the packet does not match the global_start ACLs (Network/Geo) or the Service ACLs (Network/Geo), then the packet is matched with the Service's Default ACL rule and the corresponding firewall action is performed. If the packet does not match any of these ACLs, the packet is matched with the global_end Network ACL rules (if configured). If no ACL rules are configured under global_end either, then the packets are allowed to pass through.

Multiple Network and Geo ACLs can be configured for a Service. Each created ACL is prioritized in ascending order and defines the permission rights for clients or servers attempting to access contents of a Service. IP addresses set within any created ACL should be unique and not derived from any other created ACLs.

To create a Network/Geo ACL rule:
1. Go to the NETWORK > Network Firewall page.
2. In the Network ACLs section, click Network/Geo next to global_start or global_end if you want to add a global ACL rule that will be matched against all incoming packets. Click Network/Geo next to a Service to add a Service-specific ACL rule.
3. Specify values for the given fields and click Save.
For more information, click Help on the relevant page of the web interface.

ACLs for Forwarded Traffic
Access Control Lists (ACLs) can allow traffic from designated clients to pass through the Barracuda Load Balancer ADC to the back-end servers without any security validations.
To add ACLs for Forwarded Traffic:
1. Go to the NETWORK > Network Firewall page.
2. In the ACLs for Forwarded Traffic section, click Add ACL. The Add ACL for Forwarded Traffic window appears.
3. Specify values for the given fields and click Save.
For more information, click Help on the relevant page of the web interface.

Configuring IP Reputation Pool
An IP Reputation Pool is a pool of IP addresses from the selected geographical regions, anonymizers and/or satellite providers. The NETWORK > IP Reputation page allows you to create an IP reputation pool which can later be associated with a Service to allow/deny traffic based on the specified action. Multiple pools with different geographical regions can be created. A single IP Reputation pool can be associated with multiple Services. An IP Reputation pool can be associated with a Service in the NETWORK > Network Firewall > Network ACLs section.
IP Reputation Pools are categorized into three types:
- Geo Pool - The list of geographical regions.
- Anonymous Proxy - The IP addresses of anonymizers that hide the identity of the client's IP address.
- Satellite Provider - The IP addresses of Satellite Internet Service Providers (ISPs) that provide Internet service.
Refer to Network Access Control Lists for information on how to associate an IP reputation pool with a Service.

To create an IP reputation pool:
1. Go to the NETWORK > IP Reputation page.
2. In the Add IP Reputation Pool section, specify a name for the pool in the New IP Reputation Pool Name field.
3. Select the desired check box(es) next to Available Categories:
   a. Geo Pool - By default, no geographical region is selected. Click Expand to view and select the desired geographical regions under a continent. Click Select All to select all regions under a continent. To select specific regions, click Deselect All and select the check box(es) next to the regions you desire.
   b. Anonymous Proxy - Select to filter the IP addresses of anonymous proxy servers.
   c. Satellite Provider - Select to filter the IP addresses of Satellite ISPs.
4. Click Add.
The created IP reputation pool is displayed under the IP Reputation Pools section. Click the Edit icon to modify the settings of an IP reputation pool. Click the Delete icon to delete a redundant IP reputation pool.

Certificate Management
In an SSL transmission between a client and a server, the client requests a secure connection, and the server responds with a certificate, identifying the certificate authority (CA) and the server's public encryption key. This allows the client to verify the server identity. If satisfied with the authenticity of the server, the client sends a test transmission which can only be decrypted with the private key of the server. This transmission allows both parties to generate the encryption and decryption keys for the impending transaction. A server may refuse to communicate with clients that fail to provide a certificate for authentication.

The Barracuda Load Balancer ADC acts as a server on the front end (Internet facing), receiving client requests. On the back end, the Barracuda Load Balancer ADC acts as a client to the web servers, forwarding safe requests to them. In each case, data can be secured using SSL, providing end-to-end secure data for requests and responses. Certificates can be obtained from a trusted CA or be self-signed. The Barracuda Load Balancer supports SSL certificates in PKCS #12 and PEM formats. The certificates can be uploaded on the BASIC > Certificates page.

In this Section
- How to Add an SSL Certificate
- Installing SSL Certificates with Correct Chain Order
- How to Pass Client Certificate Details to a Back-end Server
- Allowing or Denying Client Certificates
- Client Certificate Validation Using OCSP
- Creating a Client Certificate

How to Add an SSL Certificate
You can create a self-signed certificate, or upload a trusted certificate.

Uploading a Signed Certificate

Signed Certificate Format
You can upload a signed certificate in either PKCS #12 Token Format or PEM format.

Adding a PKCS #12 Token Format Certificate
Use the following steps to upload a signed certificate obtained from a trusted Certificate Authority (CA) in PKCS #12 Token Format.
1. Log into the Barracuda Load Balancer ADC web interface, and go to the BASIC > Certificates page.
2. In the Upload Certificate section, select the Certificate Type as PKCS12 Token.
3. Set Allow Private Key Export to Yes to export the private key corresponding to the certificate.
   Important: Certificates are downloaded in PKCS #12 format including both the private key and certificate. If Allow Private Key Export is set to No, the private key is locked, the certificate can be downloaded only in PEM format, and the system configuration backup cannot be taken. Allow Private Key Export is valid for generated and imported certificates only.
4. Enter an identifying name in the Certificate Name field.
5. In the Certificate Password field, specify a password that will be used to generate the PKCS #12 token for the signed certificate to be uploaded.
6. Click Browse next to the Signed Certificate field, and select the PKCS #12 format signed certificate file.
   Important: When uploading a signed certificate as a PKCS #12 token, ensure that the file uses a .pfx extension; otherwise the file is treated as a PEM file. When uploading a certificate in .pfx format, verify that any intermediary certificates are bundled in the .pfx file.
7. Click Upload to upload the certificate.

Adding a PEM Format Certificate

192 Use the following steps to upload a signed certificate obtained from a trusted CA in PEM Format. Log into the Barracuda Load Balancer ADC web interface, and go to the BASIC > Certificates page. In the Upload Certificate section, select the Certificate Type as PEM Certificate. Set Allow Private Key Export to Yes to export the private key corresponding to the certificate Important Certificates are downloaded in PKCS #12 format including both the private key and certificate. If Allow Private Key Export is set to No, the private key is locked and the certificate can be download only in PEM format and the system configuration backup cannot be tak. Allow Private Key Export is valid for gerated and imported certificates only. If the certificate signing request (CSR) for this certificate was gerated on the Barracuda Load Balancer ADC, set Assign the associated key to Yes, otherwise, select No, and upload the private key in the Certificate Key field. Enter an idtifying name in the Certificate Name field. If the Assign the associated key field is set to No, click Browse next to the Certificate Key field to select the corresponding private key for the signed certificate Important The key must be uncrypted and in PEM format. Click Browse next to the Signed Certificate field, and select the PEM format signed certificate file. Click Browse next to the Intermediary Certificates field, and select the intermediary CA certificate. To add additional intermediary CA certificates, click the plus ( + ) button. 9. Click Upload to upload the certificate. Certificate Upload Order If your certificate is signed by a trusted CA, upload the certificate in the following order: 1 - Leaf Certificate 2 - Intermediate Certificates 3 - Root CA Certificate Additional Information For additional information, go to the BASIC > Certificates page in the Barracuda Load Balancer ADC web interface, and click the Help button. 
Related Articles: Installing SSL Certificates with Correct Chain Order

Installing SSL Certificates with Correct Chain Order
A browser running on a desktop system can build the certificate chain in the correct order regardless of the order in which the certificates are presented. However, a browser running on a mobile device, such as Android, may not be able to build the certificate chain properly if the certificates are not presented in the correct order. This article describes how to resolve this issue by uploading the certificate chain so that it is stored ("digested") in the correct order and therefore presented to the client in the correct order.

Step 1 - Downloading the Certificate
Use the following steps to download the certificate from the Barracuda Load Balancer ADC:
1. Log into the Barracuda Load Balancer ADC web interface, and go to the BASIC > Certificates page.
2. In the Saved Certificates table, locate the certificate, and click Certificate in the Download column.

3. In the Save Token page, enter a passphrase in the Encryption Password field, and click Save. The certificate is exported as a PKCS #12 token that includes the private key.

Private Key
If you already have the private key, make sure that it is decrypted before uploading it to the Barracuda Load Balancer ADC. You can obtain the private key from the device on which the Certificate Signing Request (CSR) was generated, or you can extract it from a previously uploaded certificate. Open the private key file in a text editor such as WordPad or Notepad++ (do not use Notepad), and look for the word ENCRYPTED. If this word is present, the private key is encrypted. Refer to point 5 of Step 2 - Extracting the Private Key for the decryption process.

Step 2 - Extracting the Private Key
This section describes how to extract the private key from the certificate using OpenSSL. If the private key is encrypted, use the following steps to extract the private key from the PKCS #12 token and decrypt it on either a Linux system or a Windows system.
1. Linux generally comes with OpenSSL preinstalled. On Windows, OpenSSL must be installed separately.
2. If you are using a Windows system, change the working directory so that you can run OpenSSL from the command line: C:\OpenSSL-Win32\bin\>
3. Enter the following command to extract the private key from the token and write it out encrypted:
openssl pkcs12 -nocerts -in certificate.pfx -out private_key_encrypted.pem
4. When prompted, enter the password you assigned when downloading the .pfx file from the Barracuda Load Balancer ADC in point 3 of Step 1 - Downloading the Certificate. When prompted again, enter a password to encrypt the private key. This is necessary because the private key must be secured at all times, including while it is displayed on screen.
5. Enter the following command to decrypt the encrypted private key:
openssl rsa -in private_key_encrypted.pem -out private_key_decrypted.pem
6. When prompted, enter the password you created in point 4 of this section. Delete private_key_decrypted.pem once the upload in Step 4 has succeeded.
Step 3 - Getting the Intermediate and Root Certificates
You can download the intermediate and root certificates of most certificate authorities (CAs) using Microsoft Internet Explorer. However, you may need to follow the support link on the CA site to obtain the correct intermediate and root certificates.
1. On the system where you downloaded the certificate, double-click the downloaded certificate, for example mycertificate.cer, and click the Certification Path tab.
2. Double-click each CA in the issuer hierarchy, and note the details, including the name of the issuer and the certificate expiry date. These details help identify the intermediate and root certificates in the steps that follow.
3. Open Internet Explorer, and go to Tools > Internet Options > Content > Certificates.
4. Click the Intermediate Certification Authorities tab, select the relevant certificate, and click Export. Follow the instructions in the wizard, exporting the certificate as Base-64 encoded X.509 (.CER) and saving the export with an appropriate name.
5. In the Certificates page, click the Trusted Root Certification Authorities tab, select the root certificate, and click Export. Follow the instructions in the wizard, exporting the certificate as Base-64 encoded X.509 (.CER) and saving the export with an appropriate name.
6. Because Internet Explorer adds trailing line breaks to exported files, open each exported file in a basic editing program such as WordPad or Notepad++ (do not use Notepad), and remove any trailing line breaks.

Step 4 - Uploading the Certificate
Use the following steps to upload the certificate chain in the correct order, using the screenshot in the original article for reference:
1. In the Barracuda Load Balancer ADC web interface, go to the BASIC > Certificates page.
2. In the Upload Certificate section, enter a name for the certificate in the Certificate Name field.

3. Select the Certificate Type as PEM Certificate.
4. Select Yes for Allow Private Key Export, and set Assign Associated Key to No.
5. In the Signed Certificate field, click Browse, and select the server certificate.
6. In the Certificate Key field, click Browse, and select the private key.
7. In the Intermediary Certificates field, click Browse, and select the intermediate certificate.
8. Click the plus (+) symbol following the Intermediary Certificates field.
9. In the new Intermediary Certificates field, click Browse, and select the root certificate.
10. Click Upload Now to upload the certificate.
The uploaded certificate is displayed in the Saved Certificates table.

Warning Message
If a warning such as "Unable to verify issuer certificate" is displayed when uploading the certificates, the Barracuda Load Balancer ADC could not verify the issuer against its internal bundle of issuer information. This internal bundle is updated only with each firmware release and may therefore be incomplete. Client browsers update issuer information dynamically and can verify the issuer from the chain presented, so the warning can be ignored once you have confirmed that the uploaded chain is complete and in the correct order.

How to Pass Client Certificate Details to a Back-end Server
You can configure the Barracuda Load Balancer ADC to pass information from a client to the back-end server. Using this feature, web servers can access client authentication information such as client certificate parameters or the authenticated username and password. On the Barracuda Load Balancer ADC, you add client information to a request by configuring a Request Rewrite. Headers can be inserted into the request, or existing headers can be rewritten or deleted, before the request is passed to the web server, which can then extract the added information. Because a client can itself send a header with the same name, the back-end server must accept these headers only from the Barracuda Load Balancer ADC, and any header the back-end treats as authoritative should be rewritten rather than merely inserted.
The Barracuda Load Balancer ADC provides macros you can use to communicate request parameters such as client certificate details or authenticated user information through headers.

Configuring Request Rewrite to Pass Client Information to a Web Application
To configure a request rewrite rule, perform the following steps:
1. Go to the TRAFFIC > Web Translations page, and in the HTTP Request Rewrite section specify values for the following fields:
a. Rule Name - Enter a name for the request rewrite rule.
b. Sequence Number - Set the sequence number for the request rewrite policy. The sequence number determines the order of execution when multiple policies are configured, from highest priority (1) to lowest (1500).
c. Action - Select the action. To modify client information sent to the web application, set the action to Insert Header or Rewrite Header.
d. Header Name - Enter the relevant header name, for example X-Forwarded-For.
e. Old Value - Enter the initial request header value to be rewritten if the Action is Rewrite Header. An asterisk (*) rewrites all named headers; alternatively specify the value or expression to be rewritten.

f. Rewrite Value - Enter the new value of the header when the Action is set to Insert Header or Rewrite Header. Use the macros listed below to specify parameters from the client. When rewriting a header you can specify one or more fields using separators such as colon (:), semicolon (;), space ( ) and comma (,); for example: "Name=abc_cookie; Domain=example.com:Path=/". The rewrite value supports substring addressing of matches: the matching substrings can be referenced as $1, $2, ... $n. The following macros are supported for rewrite values:
$X509_ORGANIZATION, $X509_LOCALITY, $X509_CN, $X509_COUNTRY, $X509_OU, $X509_STATE, $X509_EMAIL, $X509_SUBJECT, $X509_WHOLE: Fields of the X.509 client certificate when client authentication is On.
$SRC_ADDR: The client IP from which the request originated.
$DST_ADDR: The destination address.
$URI: The request URI.
$AUTH_USER: Username of the authenticating user.
$AUTH_PASSWD: Password of the authenticating user. This places the user's password in a request header, so use it only when the connection to the back-end server is itself encrypted.
$AUTH_GROUPS: Groups associated with the authenticating user.
g. Rewrite Condition - Set the condition under which the rewrite occurs. An asterisk (*) indicates there is no condition (the rule applies to all requests). The format of the Rewrite Condition is explained below under Rewrite Condition Format.
2. Click Add to add the above settings.
Note: When multiple policies are configured, the request continues to be processed by the remaining (higher sequence number) policies. To stop processing after a particular rule matches, click Edit next to the rule and set Continue Processing to No.

Rewrite Condition Format
The request Rewrite Condition specifies when a rewrite should occur. It is made up of expressions combining Request Rewrite Tokens and Operations on those tokens. These expressions can be joined with each other using logical or (or, OR, ||) or logical and (and, AND, &&).
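The rule fields above and the Rewrite Condition grammar (the tokens and operations are listed in the next two sections), worked through in Python as an added example that is not Barracuda code. The Request and Rule structures, the header names, the sample request in demo() and its rule set are all constructed here. Only a subset of the macros is modelled, conditions are combined left to right without operator precedence, and $1..$n are mapped onto Python regular-expression groups; treat those three points as assumptions of this model, not as documented ADC behaviour.

```python
"""Model of the ADC's HTTP Request Rewrite stage: Rewrite Conditions in the grammar this
page describes, Rewrite Value macros ($SRC_ADDR, $X509_CN, ...), and Insert Header /
Rewrite Header rules applied in ascending sequence number with Continue Processing.
Added example, not Barracuda code; Request, Rule and the data in demo() are constructed."""
import ipaddress
import re
from collections import namedtuple

# header keys are lower-cased; a "" key in params stands for $NONAME_PARAM
Request = namedtuple("Request", "method uri client_ip dst_ip http_version headers params auth_user x509_cn",
                     defaults=("HTTP/1.1", {}, {}, "", ""))
# seq 1 runs first, 1500 last; action is "insert" or "rewrite"; old_value is the regex a
# Rewrite Header replaces ("*" = the whole value); continue_processing False stops the chain
Rule = namedtuple("Rule", "seq action header rewrite_value condition old_value continue_processing",
                  defaults=("*", "*", True))

def _values(req, token, name):
    """Values a Rewrite Token refers to; empty list when the item is absent."""
    if token == "header" and name == "*":
        return list(req.headers.values())
    table = {"header": req.headers, "parameter": req.params}
    if token in table:
        key = "" if name == "$NONAME_PARAM" else name.lower() if token == "header" else name
        return [table[token][key]] if key in table[token] else []
    return [{"uri": req.uri, "method": req.method, "http-version": req.http_version,
             "client-ip": req.client_ip}[token]]

def eval_atom(req, atom):
    """'Header <name> <op> [value]', 'Parameter <name> <op> [value]' or '<Token> <op> [value]'."""
    parts = atom.split()
    token = parts[0].lower()
    name, rest = (parts[1], parts[2:]) if token in ("header", "parameter") else (None, parts[1:])
    op = rest[0].lower().replace("contains", "co").replace("equals", "eq").replace("exists", "ex")
    arg, values = " ".join(rest[1:]), _values(req, token, name)
    if token == "client-ip":              # eq/neq only; host address or CIDR subnet
        net = ipaddress.ip_network(arg, strict=False)
        hit = any(ipaddress.ip_address(v) in net for v in values)
        return hit if op == "eq" else not hit
    tests = {"ex": lambda: bool(values), "nex": lambda: not values,
             "co": lambda: any(arg in v for v in values),
             "nco": lambda: not any(arg in v for v in values),
             "rco": lambda: any(re.search(arg, v) for v in values),
             "eq": lambda: arg in values, "neq": lambda: arg not in values,
             "req": lambda: any(re.fullmatch(arg, v) for v in values)}
    return tests[op]()

def eval_condition(req, cond):
    """'*' always matches; parenthesised atoms combine left to right (no precedence)."""
    if cond.strip() == "*":
        return True
    result = join = None
    for atom, op in re.findall(r"\(([^()]*)\)|(&&|\|\||\band\b|\bor\b)", cond, re.I):
        if op:
            join = op.lower()
        elif result is None:
            result = eval_atom(req, atom)
        else:
            val = eval_atom(req, atom)
            result = (result and val) if join in ("&&", "and") else (result or val)
    return bool(result)

def expand(req, value):
    for macro, text in {"$SRC_ADDR": req.client_ip, "$DST_ADDR": req.dst_ip, "$URI": req.uri,
                        "$AUTH_USER": req.auth_user, "$X509_CN": req.x509_cn}.items():
        value = value.replace(macro, text)
    return value

def apply_rules(req, rules):
    """Return the header set the back-end server receives."""
    headers = dict(req.headers)
    for rule in sorted(rules, key=lambda r: r.seq):
        if not eval_condition(req, rule.condition):
            continue
        name = rule.header.lower()
        if rule.action == "insert":
            headers[name] = expand(req, rule.rewrite_value)
        elif rule.action == "rewrite" and name in headers:
            # $1..$n in the Rewrite Value address groups captured by the Old Value regex
            pattern = r"\A.*\Z" if rule.old_value == "*" else rule.old_value
            repl = re.sub(r"\$(\d+)", r"\\\1", expand(req, rule.rewrite_value))
            headers[name] = re.sub(pattern, repl, headers[name], flags=re.S)
        if not rule.continue_processing:
            break                         # Continue Processing = No
    return headers

def demo():
    req = Request("POST", "/api/login?sid=1234", "203.0.113.7", "10.0.0.5",
                  headers={"user-agent": "Mozilla/5.0", "host": "app.example.com"},
                  params={"sid": "1234"}, auth_user="alice", x509_cn="alice.example.com")
    rules = [Rule(1, "insert", "X-Forwarded-For", "$SRC_ADDR"),
             Rule(2, "insert", "X-Client-CN", "$X509_CN",
                  "(Method eq POST)&&(Client-IP eq 203.0.113.0/24)"),
             Rule(3, "rewrite", "Host", "internal-$1", "*", r"app\.(.*)"),
             Rule(4, "insert", "X-Auth-User", "$AUTH_USER",
                  "(Header User-Agent co Mozilla)", continue_processing=False),
             Rule(5, "insert", "X-Never-Set", "unreachable")]   # rule 4 stops processing
    return apply_rules(req, rules)
```

demo() shows the points that matter operationally: rule 3 uses an Old Value regex so that $1 in the Rewrite Value carries the captured part of the original Host header into the new value, and rule 4's Continue Processing = No prevents rule 5 from ever running.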
Examples of Rewrite Conditions: (Header User-Agent co mozilla), (URI rco /abc*html), (Client-IP eq <address>)&&(Method eq POST). An asterisk indicates there are no conditions for the rewrite, so the rewrite is done in every case.

Request Rewrite Tokens
These tokens can be used in a request Rewrite Condition:
Header: An HTTP header in the request. The word Header precedes the name of the relevant header, or * to indicate all headers. Examples: Header Accept co soap, Header Soap-Action ex
Client-IP: The IP address of the client sending the request, either a host IP address or a subnet specified by a netmask. Only the operations EQ and NEQ can be combined with this token. Examples: Client-IP eq <network>/24 (subnet qualified by a netmask), Client-IP eq <address> (host IP address)
URI: The Uniform Resource Identifier of the resource on which to apply the rule. Example: URI rco /abc*html
Method: The HTTP method in the request. Example: Method eq GET
HTTP-Version: The HTTP protocol version of the request. Example: HTTP-Version eq HTTP/1
Parameter: The query part of the URL, passed to the servers as name-value pairs. The word $NONAME_PARAM can be used when the parameter name is absent. Examples: Parameter sid eq 1234, Parameter $NONAME_PARAM co abcd
Pathinfo: The portion of the URL that contains extra information about the path of the resource on the server. Example: Pathinfo rco abc*

Operations for Request Rewrite
These operations can be combined with Request Rewrite Tokens in a request Rewrite Condition:
contains, CONTAINS, co, CO - Token contains the given value.
ncontains, NCONTAINS, nco, NCO - Token does not contain the given value.
rcontains, RCONTAINS, rco, RCO - Token contains the given value, interpreted as a regular expression.
equals, EQUALS, eq, EQ - Token equals the given value.
nequals, NEQUALS, neq, NEQ - Token does not equal the given value.
requals, REQUALS, req, REQ - Token equals the given value, interpreted as a regular expression.
exists, EXISTS, ex, EX - Token exists.
nexists, NEXISTS, nex, NEX - Token does not exist.

Allowing or Denying Client Certificates
The TRAFFIC > Client Certificates page lets you define Allow/Deny rules based on client certificates. These settings are not used unless Enable Client Authentication is set to Yes for the Service on the BASIC > Services page. When client authentication is turned on for a service, all clients must present a certificate to access the website. The certificate is first checked for validity: a valid certificate must not have expired and must be signed by a certificate authority (CA) listed under Trusted Certificates for the service. Even a valid certificate signed by a trusted CA can be rejected based on its attributes, which is useful when you wish to revoke an issued certificate that is still valid.

How it works:
Each Allow/Deny rule has the following attributes:
- A sequence number specifying the order in which the rule is evaluated.
- A set of attribute matches (such as the certificate serial number). Each attribute is either a wildcard (*, matching any value) or a specific value that must match the certificate's corresponding attribute exactly.
- An action to take when the presented client certificate matches the rule.
When a request is received, the client certificate is compared against the Allow/Deny rules in sequence number order, starting from the lowest sequence number. Each attribute of the rule is compared; if all attributes match, the corresponding action (Allow or Deny) is taken and no further rules are evaluated. When no rule matches the client certificate, the request is allowed by default.
To allow only requests whose client certificates match a rule, create a Deny rule with a high sequence number (10000, for example) that matches every certificate (* for all attributes). Every request whose client certificate fails to match an earlier rule is then denied, so each allowed certificate must have a corresponding Allow rule with a lower sequence number. With such a catch-all Deny rule in place, a request is allowed only if its certificate and every certificate in its chain match an Allow rule; if the intermediate or trusted certificate does not match any rule, the request is denied.
Complex rules can be built using Allow/Deny rules.
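The first-match logic described above, including the catch-all Deny, revocation by serial number, the Sales department rules shown in the next paragraph, and the chain rule, as an added Python example that is not Barracuda code. Certificates are represented as plain dicts of attributes constructed for illustration; the rule sets, serial numbers and common names are likewise made up.

```python
"""First-match evaluation of the ADC's client certificate Allow/Deny rules as this page
describes them: rules run in ascending sequence number, a rule matches only when every
attribute it sets matches the certificate exactly ('*' matches anything), the first
matching rule decides, and a certificate that matches no rule is allowed.  Added
example, not Barracuda code; certificates are plain dicts constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class CertRule:
    seq: int
    action: str                                  # "Allow" or "Deny"
    attrs: dict = field(default_factory=dict)    # attribute -> exact value or "*"; absent = "*"

def matches(rule, cert):
    return all(v == "*" or cert.get(k) == v for k, v in rule.attrs.items())

def decide(rules, cert):
    """Return (action, sequence of the deciding rule); ("Allow", None) when nothing matched."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if matches(rule, cert):
            return rule.action, rule.seq
    return "Allow", None

def decide_chain(rules, chain):
    """With a catch-all Deny in place every certificate in the chain (leaf, intermediate,
    trusted root) must itself hit an Allow rule; one Deny anywhere rejects the request."""
    return "Deny" if any(decide(rules, c)[0] == "Deny" for c in chain) else "Allow"

# Recommended configuration: trust the CA, use the list only to revoke issued certificates.
REVOCATION_RULES = [CertRule(1, "Deny", {"serial": "1F3A"}),
                    CertRule(2, "Deny", {"cn": "lost-laptop.example.com"})]

# The Sales department example: one Sales certificate (by serial) allowed, all other Sales denied.
SALES_RULES = [CertRule(1, "Allow", {"ou": "Sales", "serial": "2A"}),
               CertRule(2, "Deny", {"ou": "Sales"})]

# Allow-list style: explicit Allow rules for the leaf and its chain plus a high-sequence catch-all Deny.
ALLOWLIST_RULES = [CertRule(1, "Allow", {"cn": "alice.example.com"}),
                   CertRule(2, "Allow", {"cn": "Example Issuing CA"}),
                   CertRule(3, "Allow", {"cn": "Example Root CA"}),
                   CertRule(10000, "Deny")]                        # no attributes = matches everything

# constructed certificates
ALICE = {"cn": "alice.example.com", "ou": "Sales", "serial": "2A"}
BOB = {"cn": "bob.example.com", "ou": "Sales", "serial": "2B"}
CAROL = {"cn": "carol.example.com", "ou": "Engineering", "serial": "1F3A"}
ISSUING_CA = {"cn": "Example Issuing CA"}
ROOT_CA = {"cn": "Example Root CA"}
OTHER_CA = {"cn": "Other Intermediate CA"}
```

The last rule set illustrates the caveat in the text: Alice's certificate is allowed on its own, but if her certificate was issued through an intermediate that has no Allow rule, the catch-all Deny matches the intermediate and the request is rejected.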
For example, to deny all certificates from the Sales department except one identified by its serial number, create the following two rules:
Sequence = 1; Action = Allow; Organizational Unit = Sales; Serial Number = <serial number of the excepted certificate>
Sequence = 2; Action = Deny; Organizational Unit = Sales
While complex rules can be built if needed, the recommended configuration allows all certificates signed by a trusted CA and uses the Allow/Deny list only to revoke access for issued certificates that are no longer valid. The certificate serial number uniquely identifies a certificate issued by a single CA in the event that it must be revoked. The Common Name can also be used to identify a revoked certificate.

Configuring Allow/Deny Certificate Rules
Detailed instructions for configuring Allow/Deny certificate rules are available on the TRAFFIC > Client Certificates page by clicking Help on that page. In order for a certificate to be allowed via an Allow rule, make sure that Allow rules also exist for all certificates in its chain. If the certificate itself matches an Allow rule but its intermediate or trusted certificate does not match any rule, the request is denied.

Client Certificate Validation Using OCSP
The Barracuda Load Balancer ADC supports the Online Certificate Status Protocol (OCSP) to determine the current status of a digital certificate. While Certificate Revocation Lists (CRLs) provide periodically updated certificate status, OCSP provides more current revocation status information. An OCSP Responder, typically operated by or on behalf of the issuing CA, answers status queries for individual certificates from the CA's revocation data. When OCSP is enabled, the Barracuda Load Balancer ADC queries the OCSP Responder for the revocation status of client certificates before allowing or denying SSL connections from the respective clients.

Functioning of OCSP Validation
When a client attempts to access a server, an OCSP status request for the client certificate is sent to an OCSP Responder. The OCSP Responder validates whether the status request contains the information required to identify the certificate and then returns a signed response message indicating the status as one of the following:
"GOOD" indicates a positive response: the certificate is not revoked.

"REVOKED" indicates that the certificate has been revoked.
"UNKNOWN" indicates that the OCSP Responder has no information about the requested certificate.
For any error or failure, the Responder may return an unsigned message indicating a failed communication, which is logged under System Logs. Errors can occur because of a malformed request, an internal error, or an unauthorized request. Monitor these log entries: while the responder is unreachable, revocation is not being checked. To view system logs, go to the ADVANCED > System Logs page. To have system events sent to syslog servers, configure one or more (maximum of three) syslog servers using Add Syslog Server in the ADVANCED > Export Logs > Syslog section. For more information on configuring syslog, see the online help.
Enforce Client Certificate must be set to Yes for a service on the BASIC > Services page if you want to authenticate client certificates using OCSP.

Configuring OCSP Validation
To enable OCSP validation:
1. Go to the TRAFFIC > Client Certificates page.
2. In the Client Certificate Validation - OCSP section, identify the Service for which you want to enable client certificate validation, and click Edit next to that Service. The Client Certificate Validation - OCSP window appears.
3. Specify values for the following fields:
a. Enabled - Set to Yes to enable OCSP validation.
b. OCSP Responder URL - Specify the OCSP Responder URL. This is the URL issued by the trusted Certificate Authority (CA) to which the Barracuda Load Balancer ADC sends OCSP requests. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
c. Certificate - Click the drop-down list and select the certificate used to verify the signature on the OCSP response.
4. Click Save Changes.

Creating a Client Certificate
Before creating a client certificate, create a CA certificate that can be used as the root CA certificate to sign the client certificates. To create a CA certificate for the server designated as the SSL CA server, perform the following steps:
1. Generate a Private Key for the CA Certificate
2. Create a CA Certificate using the Private Key
3. Import the CA Certificate to the Barracuda Load Balancer ADC
4. Enable Client Authentication on the Barracuda Load Balancer ADC
5. Create a Client Certificate
6. Convert the PEM File to PKCS #12 Format
7. Import the Client Certificate into the Browser

Step 1 - Generate a Private Key for the CA Certificate
To generate a key for a CA certificate, run the following openssl command on your server:
openssl genrsa 2048 > ca-key.pem
This generates the private key ca-key.pem in PEM format. This key signs every client certificate the service will trust, so restrict access to the file; only the CA certificate, not the key, is uploaded to the Barracuda Load Balancer ADC.

Step 2 - Create a CA Certificate using the Private Key
Use the private key generated in Step 1 to create the CA certificate for the server. The openssl command to generate a CA certificate is as follows (the validity period in days is not given in the source):
openssl req -new -x509 -nodes -days <days> -key ca-key.pem > ca-cert.pem
You will be prompted to provide information that is entered into the certificate. See the example below:

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Campbell
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Barracuda Networks
Organizational Unit Name (eg, section) []: Engineering
Common Name (eg, YOUR name) []: barracuda.yourdomain.com
Email Address []:
This creates the CA certificate with the values above. This certificate acts as the root CA certificate for authenticating the client certificates.

Step 3 - Import the CA Certificate to the Barracuda Load Balancer ADC
Upload the created certificate in the BASIC > Certificates > Upload Trusted (CA) Certificate section.

Step 4 - Enable Client Authentication on the Barracuda Load Balancer ADC
To use the CA certificate for validating client certificates, client authentication must first be enabled:
1. Go to the BASIC > Services page.
2. In the Configured Virtual Services section, identify the service for which you want to enable client authentication, and click Edit next to the service.
3. In the Service edit page, scroll down to the SSL section.
4. Set Enable Client Authentication and Enforce Client Certificate to Yes.
5. Select the check box(es) next to the Trusted Certificates parameter.
6. Specify values for other parameters as required, and click Save Changes.

Step 5 - Create a Client Certificate
To create a client key and certificate request, use the following example:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem > client-req.pem
Generating a 2048 bit RSA private key
writing new private key to 'client-key.pem'
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: Campbell
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Barracuda Networks
Organizational Unit Name (eg, section) []: Tech Support

Common Name (eg, YOUR name) []: barracuda.mydomain.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: Secret123
An optional company name []: -
This creates the private key client-key.pem and the certificate request client-req.pem in PEM format. Now use the following example to create a client certificate signed by the CA certificate created in Step 2 (the validity period in days is not given in the source):
openssl x509 -req -in client-req.pem -days <days> -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Signature ok
subject=/C=US/ST=California/L=Campbell/O=Barracuda Networks/OU=Tech Support/CN=barracuda.mydomain.com/emailAddress=...
Getting CA Private Key
Give each client certificate issued by this CA a different -set_serial value: the Allow/Deny rules described earlier identify a certificate to revoke by its serial number.

Step 6 - Converting PEM File to PKCS #12 Format
Use the following command to convert client-cert.pem together with client-key.pem into a Personal Information Exchange file (.pfx token):
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client-cert.pfx
Enter Export Password: secret
Verifying - Enter Export Password: secret

Step 7 - Import the Client Certificate into the Browser
Send the .pfx file created above to the client, who imports it into their browser. Because the file contains the client's private key, deliver the file and its export password through separate channels.

Monitoring
In this Section
- Monitoring the Health of Services and Servers
- How to Monitor the System Using SNMP
- How to Automate System Alert and SNMP Trap Delivery
- How to Configure SNMP Monitoring on the Barracuda Load Balancer ADC
- How to Enable or Disable Real Servers
- How to Remotely Administer Real Servers
- How to View Performance Statistics
- How to View System Tasks

Monitoring the Health of Services and Servers

Use the Service Monitor to check the health of your services and servers on an ongoing basis. A visual indicator appears next to a service or server that is not available. You can enable notifications on a per-service basis to have an email sent to the system alerts address(es) recorded on the BASIC > Administration page if the number of operating Real Servers for a service falls below a preset threshold. You can also configure SNMP traps to be generated on certain conditions using the ADVANCED > SNMP Configuration page.

In this article:
- Service Status
- Real Server Status
- Service Monitor
- Monitor Groups
Related Articles:
- How to Create Monitor Groups
- Understanding Testing Methods for Services and Real Servers

Service Status
The following Service status indicators (shown as icons in the web interface) are used:
- The Service is up and all Real Servers are responding to requests.
- The Service is up, but at least one Real Server is not responding.
- The Service is down. No Real Servers are responding. A Real Server may not respond because it was removed from the Service by an administrator or because of a system failure.

Real Server Status
The following Real Server status indicators are used:
- The Real Server is up and responding to requests.
- The Real Server is not enabled; click the Edit icon to change its status.
- The Real Server is not responding, but its state is enabled.

Service Monitor
The Service Monitor checks the health of each Service and Real Server on an ongoing basis. Specify which test to perform, and how frequently, by editing the Service or Real Server on the BASIC > Services page. The BASIC > Services and BASIC > Server Health pages display the health of all load-balanced Services and associated Real Servers. Many different methods are available to establish the availability of a Service or Real Server, including TCP port check, HTTP GET request, DNS query and RADIUS test. The tests are fully documented in the online help.
The tests always use the configured Real Server port for the Service unless the Real Server port is set to ALL, in which case the tests use the default port for the test type (e.g. SMTP = 25, HTTP = 80, DNS = 53, HTTPS = 443, IMAP = 143, POP = 110 and SNMP = 161). If a Real Server is associated with more than one Service, with the same test and test interval for each Service, it is tested once per test interval. Otherwise it may be checked more frequently: unless the tests are identical, the Service Monitor performs its health checks for each Service's set of Real Servers independently.

Monitor Groups
Monitor groups are sets of tests conducted on Real Servers. Use them when one test does not give a complete picture of the health of a Real Server. You can specify a monitoring group with two or more tests, and the Service Monitor performs all the tests in the group. The failure

of any one test means the Real Server is considered unavailable and is removed from the load-balancing pool. Create monitor groups containing one or more tests on the TRAFFIC > Monitor Groups page, then edit the Real Server or Service: the monitor groups appear under Testing Methods on the Service or Server Configuration page.

How to Create Monitor Groups
Use the TRAFFIC > Monitor Groups page to create a monitoring group and associate it with a Service or Real Server. Each monitoring group contains one or more tests whose results determine the status of the Real Server and the Service. The failure of any one test means the Real Server is considered unavailable. For example, if you specify a monitoring group with two tests and use that group as the Testing Method for a Real Server, the Real Server is removed from the load-balancing pool as soon as either test fails.
Each group contains one or more monitors, and each monitor includes a testing method, an IP address, and a test delay:
- Testing Method - Select from the list of all testing methods supported by the Barracuda Load Balancer ADC. See Understanding Testing Methods for Services and Real Servers for a description of each test.
- IP Address - Optional. The IP address of a Real Server. If left blank and this group is used as the Testing Method for a Service, the test is applied to every Real Server associated with the Service. If left blank and this group is used as the Testing Method for a Real Server, that Real Server is tested.
- Other parameters, if any, as required by the Testing Method.
- Test Delay - How often, in seconds, this test within this monitor is run. It is also the length of time the test is allowed to take; the minimum value is 5 seconds.
To add a group, enter the group name and the details for the first monitor, and click Add Group.
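The monitor group semantics above (all tests must pass, the test delay is also the timeout with a 5-second minimum, and a Simple HTTP test requires both the expected status code and the expected pattern), as an added Python example that is not Barracuda code. It implements the TCP Port Check and Simple HTTP testing methods; the "Real Server" is a local HTTP server started in a thread so that the block runs offline, and the URL, pattern and status values in demo() are constructed.

```python
"""Monitor group health checks as this page describes them: every monitor in the group
must pass or the Real Server leaves the load-balancing pool, the test delay (minimum 5 s)
is also the time a test may take, and a Simple HTTP test passes only when the status
code matches and the expected pattern appears in the body.  Added example, not
Barracuda code; the Real Server is a local HTTP server started here so it runs offline."""
import http.server
import socket
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass, field

_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))   # never via a proxy

@dataclass
class Monitor:
    method: str                     # "tcp" (TCP Port Check) or "simple_http"
    target: str = ""                # Simple HTTP: root-relative URL, e.g. /cgi-bin/index.cgi
    match: str = ""                 # Simple HTTP: pattern expected in the returned HTML
    expected_status: int = 200      # any other status code counts as a failure
    delay: int = 30                 # seconds between tests; doubles as the timeout
    headers: dict = field(default_factory=dict)   # extra request headers, Header:Value

    def __post_init__(self):
        if self.delay < 5:
            raise ValueError("test delay must be at least 5 seconds")

def tcp_port_check(ip, port, timeout):
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:                 # refused, unreachable or timed out
        return False

def simple_http(ip, port, mon):
    req = urllib.request.Request(f"http://{ip}:{port}{mon.target}", headers=mon.headers)
    try:
        with _OPENER.open(req, timeout=mon.delay) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:   # non-2xx still yields a status and a body
        status, body = err.code, err.read()
    except (urllib.error.URLError, OSError):
        return False
    return status == mon.expected_status and mon.match in body.decode(errors="replace")

def run_monitor(ip, port, mon):
    if mon.method == "tcp":
        return tcp_port_check(ip, port, mon.delay)
    if mon.method == "simple_http":
        return simple_http(ip, port, mon)
    raise ValueError(f"unsupported testing method {mon.method!r}")

def real_server_available(ip, port, group):
    """Failure of any one monitor in the group marks the Real Server unavailable."""
    return all(run_monitor(ip, port, m) for m in group)

class _Handler(http.server.BaseHTTPRequestHandler):
    """Stand-in Real Server: /cgi-bin/index.cgi answers 200, anything else 404."""
    def do_GET(self):
        ok = self.path == "/cgi-bin/index.cgi"
        body = b"<html>status: OK</html>" if ok else b"<html>not found</html>"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def start_real_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    srv = start_real_server()
    ip, port = srv.server_address
    group = [Monitor("tcp", delay=5),
             Monitor("simple_http", "/cgi-bin/index.cgi", "status: OK", delay=5)]
    results = {
        "healthy": real_server_available(ip, port, group),
        "wrong_pattern": real_server_available(
            ip, port, [Monitor("simple_http", "/cgi-bin/index.cgi", "status: DOWN", delay=5)]),
        "missing_page": real_server_available(
            ip, port, [Monitor("simple_http", "/missing", "", delay=5)]),
    }
    srv.shutdown()
    srv.server_close()
    results["after_shutdown"] = real_server_available(ip, port, group)   # TCP check fails first
    return results
```

The "wrong_pattern" case is the one a plain port check misses: the server accepts connections and answers 200, but the page content is not what a healthy application returns, so the group marks the server down.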
To add another monitor to an existing group, click Monitor on the try for the group in the Existing Monitor Groups table. Existing Monitor Groups The Existing Monitor Groups table displays all of the monitoring groups that have be added. To add a monitor to an existing group, click Moni tor on the try for the group in the table. Edit the monitor by clicking the Edit icon. The groups listed in this table appear in the Testing Methods drop-down that is on the Service page and the Server Configuration page. Click Preferces to specify the number of groups shown on each page of this table. Understanding Testing Methods for Services and Real Servers Testing Methods are used by the Barracuda Load Balancer ADC Service Monitor to check the health of the Real Servers that provide a Service. The Testing Method configured at the Service level is executed on every Real Server that provides that Service unless a differt test is configured at the Real Server level. To specify a test on a Service basis, go to the BASIC > Services page, and click Edit next to the Service you wish to modify. To specify a test on a Real Server basis, click Edit next to the IP address of the Real Server on the BASIC > Services page to display the Server Configuration pag e. The tests use the Real Server port configured on the Server Configuration page for the Service except in the following cases: The Real Server port is set to ALL. The tests use the default port for the test type (e.g., SMTP = 25, HTTP = 80, DNS = 53, HTTPS = 443, IMAP = 143, POP = 110, FTP = 21 and SNMP = 161). The Specific HTTP Port test and the RDP test allow you to idtify the port to use. The minimum value for the test interval, meaning the time betwe test start times, is 5 seconds, and the default is 30 seconds. The test interval is also the lgth of time the test is allowed to complete before it is considered to have failed. Table Monitor Group Testing Methods. Test Name Description Test Target Test Match 201

202 TCP Port Check For Services specified with TCP-based ports, the Service Monitor validates that the port is op. For UDP-based Services and Services defined with "ALL" ports, the Service Monitor performs a PING test. n/a n/a UDP Port Check Check if the UDP port is op by sding a 0 byte datagram to the Real Server IP address and port. This test depds on receiving an "ICMP Port Unreachable" message to determine the result. If there is a firewall that prevts outbound ICMP messages, the test assumes that the port is op. n/a n/a HTTP Performs an HTTP GET request to the specified URL. The Real Server is used as a proxy server to retrieve the page, so the forward proxy setting on the Real Server must be abled. Enter the complete URL starting with " Enter a pattern expected in the resulting HTML. Simple HTTP Performs an HTTP GET request to the specified relative URL on the Real Server being tested. Th e actual URL used is _server_ip]:[port][url]. You can also specify additional headers to be st with the HTTP request in the format Header1:Value1, Header2:Value2, etc. Make sure to specify the expected HTTP response status code wh accessing the URL as any other status code will be considered an error. Recommded: 200 Enter the root relative URL (such as /cgi-bin/index.cgi). Enter a pattern expected in the resulting HTML. Simple HTTPS Same as Simple HTTP test but using SSL. The actual URL used will be port][url]. Enter the root relative URL (such as /cgi-bin/index.cgi) in the Test Target box. Enter a pattern expected in the resulting HTML. HTTPS Test Performs an HTTPS GET request to the specified URL. The Real Server is used as a proxy server to retrieve the page, so the forward proxy setting on the Real Server must be abled. Enter the complete URL starting with " Enter a pattern expected in the resulting HTML. DNS Sds a DNS query to retrieve the IP address of the specified hostname. 
This value is compared to the IP address in the Test Match box.
  Test Target: Enter a fully qualified hostname.
  Test Match: To validate resolution to a specific IP address, enter that IP.

IMAP
  Description: Simple test for the IMAP service. If no username and password are provided, this test verifies availability of the IMAP service on the Real Server.
  Test Target: Optional. Username to log in as.
  Test Match: Optional. Password to use.

POP
  Description: Simple test for the POP service. If no username and password are provided, this test verifies availability of the POP service on the Real Server.
  Test Target: Optional. Username to log in as.
  Test Match: Optional. Password to use.

SMTP
  Description: Simple test for the SMTP service.
  Test Target: Enter the domain for the mail server to be tested.
  Test Match: Optional. Enter a pattern that is expected in the banner of the SMTP server.

SNMP
  Description: Performs an SNMP GET using the OID in the Test Target box, and matches the response to the pattern in the Test Match box. If the Test Target box is empty, the test checks whether SNMP is available on the Real Server.
  Test Target: Optional. Enter a valid SNMP OID.
  Test Match: Optional. Enter a pattern to match in the response.

SIP
  Description: Simple test for the SIP service. This test sends an OPTIONS packet to the SIP server to check availability of the SIP service.
  Test Target: n/a
  Test Match: n/a

LDAP/AD
  Description: Bind test for the LDAP/AD service. If no username and password are provided, the LDAP/AD test verifies availability of the anonymous user.
  Test Target: Optional. Username with full LDAP schema.
  Test Match: Optional. Password to use.

LDAPS/AD
  Description: Bind test for the LDAPS/AD service. If no username and password are provided, the LDAPS/AD test verifies availability of the anonymous user.
  Test Target: Optional. Username with full LDAP schema.
  Test Match: Optional. Password to use.

Barracuda Spam Firewall
  Description: The Barracuda Load Balancer IP address must be exempted from any Rate Control settings on the Barracuda Spam Firewall.
  Test Target: Enter the domain for the mail server to be tested.
  Test Match: Optional. Enter a pattern that is expected in the banner of the SMTP server.

Always Pass
  Description: This test is used for troubleshooting or for services used for management access to Real Servers. This test always passes regardless of the condition of the Real Server.
  Test Target: n/a
  Test Match: n/a

Specific HTTP Port
  Description: Performs an HTTP GET request using a specified port to a relative URL on the Real Server being tested. The URL used is http://[real_server_ip]:[port][url].
  Test Target: Enter the TCP port followed by a ":" and the root-relative URL (e.g. 8080:/cgi-bin/index.cgi).
  Test Match: Enter a pattern expected in the resulting HTML.

RADIUS Auth
  Description: Tests the availability of a RADIUS server.
  Test Target: Enter the secret to use with the RADIUS server.
  Test Match: Enter a username and password separated by a space (" "). Example: username password

RADIUS Acct
  Description: Tests the availability of a RADIUS server by making an accounting request.
  Test Target: Enter the secret to use with the RADIUS server.
  Test Match: Enter a username and password separated by a space (" "). Example: username password

RDP Test
  Description: Attempts an RDP connection to each Real Server to check the availability of the Terminal Service.
  Test Target: Enter the port on the Real Server to use, if different than the port specified on the Server Configuration page.
  Test Match: n/a

FTP Test
  Description: Attempts a TCP connection to each Real Server to check FTP availability.
  Test Target: Optional. Username.
  Test Match: Optional. Password.

FTPS Test
  Description: Attempts a TCP connection to each Real Server to check FTPS availability.
  Test Target: Optional. Username.
  Test Match: Optional. Password.

How to Monitor the System Using SNMP

Using the Barracuda Load Balancer SNMP agent, you can use an SNMP monitor to query the system for a variety of statistics such as the number of current connections, bandwidth, and system CPU temperature. The SNMP agent supports both SNMP v2c and SNMP v3. SNMP v2c queries and responses are not encrypted, so it is less secure. When using SNMP v3, traffic is encrypted and you can allow access only by specified users with passwords.

How to Automate System Alert and SNMP Trap Delivery

The BASIC > Administration page allows you to configure the Barracuda Load Balancer ADC to automatically send email notifications to the email addresses you specify. To enter multiple addresses, separate each address with a comma. An email notification is generated if the number of operating Real Servers for a Service falls below a preset threshold. You can also configure SNMP traps to be generated when certain events occur. Go to the ADVANCED > SNMP Configuration page to see the list of possible traps.
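The Specific HTTP Port test in the health-check table above is the one most often written by hand when a team wants to reproduce what the load balancer sees. The following is an added example, not Barracuda code and not taken from the page: it parses the documented Test Target syntax (port followed by ":" and a root-relative URL), builds the documented URL form http://[real_server_ip]:[port][url], fetches it, and searches the body for the Test Match pattern. The throwaway local HTTP server, its HTML and all function names are constructed for this example; a Real Server would stand in for the demo server.

```python
"""Added example (not Barracuda code): a stand-alone re-implementation of the
'Specific HTTP Port' health test described in the table above. The Test Target
syntax '<port>:<root-relative URL>' and the URL form
http://[real_server_ip]:[port][url] come from the table; the local demo
server, its HTML and the function names are constructed for this example."""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Tuple


def parse_http_port_target(target: str) -> Tuple[int, str]:
    """Split a Test Target such as '8080:/cgi-bin/index.cgi' into (port, url).

    The URL must be root-relative: a target that smuggles in a scheme or host
    ('8080:http://other/') is rejected rather than probed."""
    port_text, sep, url = target.partition(":")
    if not sep or not port_text.isdigit():
        raise ValueError(f"Test Target must look like <port>:<url>, got {target!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not url.startswith("/"):
        raise ValueError(f"URL must be root-relative, got {url!r}")
    return port, url


def build_probe_url(real_server_ip: str, target: str) -> str:
    """Return http://[real_server_ip]:[port][url], as the table specifies."""
    port, url = parse_http_port_target(target)
    return f"http://{real_server_ip}:{port}{url}"


def body_matches(body: str, match: str) -> bool:
    """The Test Match value is treated as a regular expression searched for
    anywhere in the returned HTML."""
    return re.search(match, body) is not None


def http_port_test(real_server_ip: str, target: str, match: str,
                   timeout: float = 3.0) -> Tuple[bool, str]:
    """Run one probe. Only an answer whose body contains the pattern passes;
    a connection error, timeout, non-2xx status or missing pattern fails,
    which is what takes a Real Server out of rotation."""
    url = build_probe_url(real_server_ip, target)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as exc:  # HTTPError is a URLError
        return False, f"connection error: {exc}"
    if body_matches(body, match):
        return True, "pattern found"
    return False, "pattern not found in response body"


class _DemoHandler(BaseHTTPRequestHandler):
    """Throwaway handler standing in for a Real Server (demo only)."""
    html = b"<html><body>status: app ready</body></html>"  # constructed page

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(self.html)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server(html: bytes) -> Tuple[HTTPServer, int]:
    """Start the demo server on a free loopback port; returns (server, port)."""
    handler = type("Handler", (_DemoHandler,), {"html": html})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server(_DemoHandler.html)
    try:
        target = f"{port}:/cgi-bin/index.cgi"
        print(http_port_test("127.0.0.1", target, r"app ready"))         # passes
        print(http_port_test("127.0.0.1", target, r"database offline"))  # fails
    finally:
        server.shutdown()
```

The probe fails closed: anything other than a successful response containing the expected pattern is reported as a failure, and the target parser refuses a URL that is not root-relative, so a mistyped monitor definition cannot send the probe to a different host.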
How to Configure SNMP Monitoring on the Barracuda Load Balancer ADC

Configuring the Barracuda Load Balancer ADC

To use your SNMP monitor with the Barracuda Load Balancer ADC, you must identify the Barracuda Load Balancer ADC as a system which is allowed SNMP access. To do so, use the following steps:

1. Log into the Barracuda Load Balancer ADC web interface as the administrator.
2. On the ADVANCED > SNMP Configuration page, in the SNMP Manager section, select the SNMP version. Note: If you select SNMP version v3, you must enter the SNMP user name and password; the SNMP password must be a minimum of 12 alphanumeric characters in length.
3. Enter the IP address of the SNMP monitor in the Allowed SNMP IP/Range fields, and click Add.
4. Repeat step 3 for any additional SNMP monitors you wish to include.
5. Update the other SNMP-related settings as necessary, and click Save Changes.

If the Barracuda Load Balancer ADC is in high availability (HA) mode, all SNMP settings are propagated to the other system in the cluster.

Use the following steps to configure SNMP traps:

1. On the ADVANCED > SNMP Configuration page, in the SNMP Traps section, enter the IP address and port number to which SNMP traps are to be sent, and click Add.
2. Repeat step 1 for each additional IP address to which you wish to send SNMP traps, and then click Save Changes.
3. In the SNMP Trap Events section, select the SNMP traps you wish to generate, and click Save Changes.

Importing the Barracuda Load Balancer ADC MIBs

In order to use an SNMP monitor or other program to query for system information using SNMP, you must obtain and import the following MIB files into your SNMP monitor:
- Barracuda Load Balancer MIB
- Barracuda Reference MIB

The MIB files are located on the Barracuda Load Balancer ADC, and can be obtained by replacing [LB IP] in the following URLs with a management IP address from your Barracuda Load Balancer ADC:

http://[LB IP]:8000/Barracuda-LB-MIB.txt
http://[LB IP]:8000/Barracuda-REF-MIB.txt

Syntax

If you are using an SNMP monitoring tool, import the MIBs into the SNMP monitor. Refer to the MIBs for the Object IDs (OIDs) that correspond to the type of status you wish to monitor, as well as to view generated traps.

If you are querying the Barracuda Load Balancer ADC from code, use the following syntax, where [LB IP] is the management IP address of your Barracuda Load Balancer ADC. If you are using the snmpwalk command and do not include an OID, a list of all OIDs in the MIB is returned.

snmpget -v 2c -c public [LB IP]

Objects

The following table lists the objects available in the Barracuda Load Balancer ADC MIB.

Object: Description
systemactiveservices: Number of active Services on the Barracuda Load Balancer ADC
systemoperatingservers: Number of operating Real Servers
L4TCPConnections: Number of Layer 4 TCP connections
L7HTTPRequests: Number of requests to each Layer 7 HTTP Service configured on the device
RDPUserSessions: Number of Layer 7 RDP user sessions
ServiceBandwidth: Current bandwidth to each Service
TotalBandwidthToLB: Total bandwidth
RealServerBandwidth: Current bandwidth to each Real Server
ClusterStatus: Whether this Barracuda Load Balancer ADC is in a cluster or is standalone
SystemLoad: System load as a percentage
CPUTemperature: CPU temperature in degrees Celsius

FirmwareStorage: The space occupied by the firmware, as a percentage of the space allocated to it
MailLogStorage: The space occupied by the mail/log, as a percentage of the space allocated to it
OperationMode: The operating mode of the Barracuda Load Balancer ADC is Route-Path.

How to Enable or Disable Real Servers

You can change the state of a Real Server to Enable, Disable, Sticky or Maintenance:
- Enable a Real Server to make it accept new requests, connections or sessions.
- Disable a Real Server to terminate all existing connections immediately.
- Sticky mode ensures that requests sent as part of persistent connections are handled by the Real Server until it exceeds the time specified in Persistence Time (Seconds) on the BASIC > Services page.
- Maintenance mode ensures that existing connections are maintained on the same Real Server, but new requests are sent to other servers that are configured for the Service.

Sticky mode is available only for Layer 7 Services. Disabling your Real Servers allows you to perform maintenance or to temporarily disassociate them from a Service. A Real Server that is in disabled or maintenance mode will not accept any new connections or requests until it is enabled.

There are two ways to change the status of a Real Server:
- Use the Disable/Maintenance/Enable/Sticky actions on the BASIC > Server Health page.
- Edit the Real Server on the BASIC > Services page.

How to Remotely Administer Real Servers

To remotely administer Real Servers that are located behind the Barracuda Load Balancer ADC, for each Real Server create a Service which load balances only that one Real Server. Use the Virtual IP address for that Service whenever you need to use Secure Shell (SSH) to access the Real Server or perform Remote Desktop Protocol (RDP) administration on the Real Server.

How to View Performance Statistics

The BASIC > Status page provides an overview of the health and performance of your Barracuda Load Balancer ADC, including:
- Traffic statistics, which show the number of connections or requests for various types of traffic since the last system reset for up to five Services.
- The subscription status of Energize Updates.
- Performance statistics, such as CPU temperature and system load. Performance statistics displayed in red signify that the value exceeds the normal threshold.
- Hourly, daily or monthly traffic statistics.

How to View System Tasks

The ADVANCED > Task Manager page provides a list of tasks that are in the process of being performed and also displays any errors encountered when performing these tasks. Some of the tasks that the Barracuda Load Balancer ADC tracks include:
- Cluster setup
- Configuration restoration
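Closing out the monitoring material: the SNMP syntax section above gives one snmpget invocation, recommends v3 over v2c, and the alerting section sets a threshold on the number of operating Real Servers. The following added example (not Barracuda code, not from the page) ties those together for a poller: it assembles the snmpget command for either version (v3 with authPriv, so the session is authenticated and encrypted), parses Net-SNMP's reply format for the scalar objects named in the MIB table, and raises alerts when a value crosses a threshold or is missing. The sample reply is constructed, the MIB module label BARRACUDA-LB-MIB is an assumption (the real label is whatever Barracuda-LB-MIB.txt defines), and the thresholds are illustrative.

```python
"""Added example (not Barracuda code): poll the scalar MIB objects listed in the
table above with Net-SNMP's snmpget and turn the replies into alerts. The
object names and the snmpget syntax come from the page; the sample reply is
constructed, the MIB module label BARRACUDA-LB-MIB is an assumption and the
thresholds are illustrative."""
import re
import subprocess
from typing import Dict, List, Optional, Union

MIB = "BARRACUDA-LB-MIB"  # assumed module label; see Barracuda-LB-MIB.txt

# Scalar objects from the table. Per-Service and per-Real-Server objects
# (ServiceBandwidth, RealServerBandwidth, ...) are tables and need snmpwalk.
SCALARS = ["systemactiveservices", "systemoperatingservers",
           "SystemLoad", "CPUTemperature", "ClusterStatus"]


def snmpget_command(host: str, objects: List[str], version: str = "3",
                    community: str = "public",
                    v3: Optional[Dict[str, str]] = None) -> List[str]:
    """Assemble the snmpget argv. v2c sends the community string in clear
    text, so the default here is v3 with authPriv (authenticated and
    encrypted), matching the page's advice to prefer v3."""
    cmd = ["snmpget", "-v", version]
    if version == "2c":
        cmd += ["-c", community]
    elif version == "3":
        if not v3:
            raise ValueError("SNMP v3 needs user, auth_pass and priv_pass")
        cmd += ["-l", "authPriv", "-u", v3["user"],
                "-a", "SHA", "-A", v3["auth_pass"],
                "-x", "AES", "-X", v3["priv_pass"]]
    else:
        raise ValueError(f"unsupported SNMP version {version!r}")
    cmd.append(host)
    cmd += [f"{MIB}::{obj}.0" for obj in objects]
    return cmd


# One Net-SNMP output line: MODULE::object.instance = TYPE: value
LINE_RE = re.compile(
    r"^(?:[\w-]+::)?(?P<obj>\w+)(?:\.\d+)?\s*=\s*(?P<type>[\w -]+?):\s*(?P<val>.*)$")


def parse_snmp_output(text: str) -> Dict[str, Union[int, str]]:
    """Map object name -> value; integer-looking values become int, others str."""
    values: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("val").strip().strip('"')
        values[m.group("obj")] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw
    return values


def evaluate(values: Dict[str, Union[int, str]], min_operating_servers: int = 2,
             max_load_pct: int = 80, max_cpu_c: int = 70) -> List[str]:
    """Return alert strings. A missing object is itself an alert: a poller
    that treats 'no answer' as healthy hides an outage."""
    alerts = []
    checks = [
        ("systemoperatingservers", lambda v: v < min_operating_servers,
         "only {v} operating Real Servers (minimum {t})", min_operating_servers),
        ("SystemLoad", lambda v: v > max_load_pct,
         "system load {v}% exceeds {t}%", max_load_pct),
        ("CPUTemperature", lambda v: v > max_cpu_c,
         "CPU temperature {v} C exceeds {t} C", max_cpu_c),
    ]
    for obj, bad, msg, threshold in checks:
        v = values.get(obj)
        if not isinstance(v, int):
            alerts.append(f"{obj} missing or non-numeric in reply")
        elif bad(v):
            alerts.append(msg.format(v=v, t=threshold))
    return alerts


def poll(host: str, **kw) -> List[str]:
    """Query a live unit (needs Net-SNMP installed) and evaluate the reply."""
    out = subprocess.run(snmpget_command(host, SCALARS, **kw), capture_output=True,
                         text=True, timeout=10, check=True).stdout
    return evaluate(parse_snmp_output(out))


# Constructed sample reply in Net-SNMP's display format (not captured output).
SAMPLE_REPLY = """\
BARRACUDA-LB-MIB::systemactiveservices.0 = INTEGER: 4
BARRACUDA-LB-MIB::systemoperatingservers.0 = INTEGER: 1
BARRACUDA-LB-MIB::SystemLoad.0 = INTEGER: 85
BARRACUDA-LB-MIB::CPUTemperature.0 = INTEGER: 48
BARRACUDA-LB-MIB::ClusterStatus.0 = STRING: "Standalone"
"""

if __name__ == "__main__":
    print(" ".join(snmpget_command("[LB IP]", SCALARS, "2c")))
    for alert in evaluate(parse_snmp_output(SAMPLE_REPLY)):
        print("ALERT:", alert)
```

Run against the constructed reply, the poller reports two alerts (one operating Real Server, load above 80%) and stays quiet about the CPU temperature. For a real unit, put the poller's address in the Allowed SNMP IP/Range field as described above; with v2c the community string travels in clear text, which is why the v3 branch is the default here.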

If a task takes a long time to complete, you can click the Cancel link next to the task name and then run the task at a later time when the system is less busy. The Task Errors section lists an error until you manually remove it from the list.

High Availability

In this Section
- Understanding Barracuda Load Balancer ADC High Availability
- How to Configure the Barracuda Load Balancer ADCs for High Availability
- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Remove a Barracuda Load Balancer ADC from a High Availability Environment
- How to Replace a Barracuda Load Balancer ADC in a High Availability Environment
- How to Update the Firmware on Clustered Systems

Understanding Barracuda Load Balancer ADC High Availability

High Availability Operation

Use High Availability (HA) to cluster two Barracuda Load Balancer ADCs as an Active-Passive pair. Only one system actively processes traffic at any one time, but the two systems continuously share almost all configuration and monitor each other's health. The active system in a clustered pair handles all of the traffic until one of the following conditions is encountered:
- The Passive system detects that the Primary (Active) system is no longer responsive on the MGMT interface;
- The Active system detects that any of the monitored interfaces/links is down;
- The administrator manually forces failover using the web interface;
- The Active system encounters a hardware failure (including a power failure) or a failure in one of its critical software modules;
- The data path crashes on the Active unit.

If any of these conditions is encountered, the Backup (Passive) Barracuda Load Balancer ADC then:
- becomes Active;
- assumes all of the Services; and
- performs the load balancing and security validation (if enabled).

Clustered Barracuda Load Balancer ADCs negotiate which is the Active one according to the Virtual Router Redundancy Protocol (VRRP) specification. The two systems must be configured with the same Cluster Shared Secret and Cluster Group ID. If other systems on the same subnet are also using VRRP, the Cluster Group ID must be unique.

The Passive Barracuda Load Balancer ADC does not do any load balancing or monitoring of Services or Real Servers. For example, in the web interface of the Passive system, all of the Services and Real Servers on the BASIC > Services page have green health indicators.

Requirements

Before joining two systems, each Barracuda Load Balancer ADC must meet the following requirements:
- Both Barracuda Load Balancer ADCs must be the same model;
- Activated and on the same version of firmware;
- Able to access all Real Servers;
- On the same physical network segment;
- Able to reach the other Barracuda Load Balancer ADC on the MGMT interface.

In addition, the active system should be fully configured; see Services and Configuring the Load Balancer Network for a complete list of service and network configuration tasks. It is recommended NOT to configure Services on the Backup (Passive) unit.

When the Barracuda Load Balancer ADC becomes Active it sends out a gratuitous Address Resolution Protocol (ARP) message. It continues to send a gratuitous ARP every minute; the Passive system does not issue any ARPs.

Related Articles
- How to Configure the Barracuda Load Balancer ADCs for High Availability
- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Remove a Barracuda Load Balancer ADC from a High Availability Environment

How to Configure the Barracuda Load Balancer ADCs for High Availability

For an overview of High Availability and a list of requirements, see the article Understanding Barracuda Load Balancer ADC High Availability.

Configuring the Unit for Clustering

1. Go to the ADVANCED > High Availability page.
2. In the Cluster Settings section, specify values for the following:
   a. Enable High Availability - Set Enable High Availability to Yes on both Barracuda Load Balancer ADCs before clustering. If set to No, the Join Cluster operation will fail with an error.
   b. Cluster Shared Secret - The passcode that the clustered units use when communicating with one another. It must be the same on both systems.
   c. Cluster Group ID - This must be the same on both Barracuda Load Balancer ADCs that are to be clustered. If other network components on the local network, such as firewalls, are clustered using VRRP, then they must use a different ID than this one. The maximum value is 255.
   d. Failback Mode - Set to Automatic if you want the Primary (Active) system to resume Service(s) upon its recovery. When set to Manual, you will need to intervene to return the Service(s) from the Backup unit to the Primary unit upon its recovery.
   e. Failover on Link Down - Select the interface(s) to be monitored. If a monitored interface appears to be unavailable, failover will occur.
3. Click Save Changes to save the settings.

To Cluster Two Barracuda Load Balancer ADCs

To cluster two Barracuda Load Balancer ADCs together, where the primary/active system is designated as Barracuda Load Balancer ADC 1 and the backup/passive system is designated as Barracuda Load Balancer ADC 2:

1. Complete the installation process for each system.
2. On the ADVANCED > High Availability page of Barracuda Load Balancer ADC 1, in the Cluster Settings section:
   a. Set Enable High Availability to Yes.
   b. Specify values for Cluster Shared Secret, Cluster Group ID, Failback Mode and Failover on Link Down, and click Save Changes.
3. On the ADVANCED > High Availability page of Barracuda Load Balancer ADC 2:
   a. Set Enable High Availability to Yes.
   b. Specify values for Cluster Shared Secret, Cluster Group ID and Failback Mode, and click Save Changes. These values should be the same as on Barracuda Load Balancer ADC 1.
   c. In the Clustered Systems section, enter the management IP address of Barracuda Load Balancer ADC 1 and click Join Cluster.
   d. Clustering runs as a background task and may take a few minutes to complete. Do not make any other configuration changes while the clustering task is running.
4. After a few minutes, refresh the ADVANCED > High Availability page on both systems and verify the following:
   a. Each system's MGMT IP address appears in the Clustered Systems table.
   b. The status of the Primary (Active) system should be .
   c. The status of the Backup (Passive) system should be .

Configuration Synchronization

Join Cluster clears any existing configuration on the backup system and copies the configuration settings from the primary system. When the systems are clustered, the configuration continues to be synchronized once every 2 minutes.

Related Articles:

- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Remove a Barracuda Load Balancer ADC from a High Availability Environment
- How to Update the Firmware on Clustered Systems

How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs

For an overview of High Availability, and a list of requirements, see the article Understanding Barracuda Load Balancer ADC High Availability.

In this article:
- Failover if Monitored Link Goes Down
- Forceful or Manual Failover
- Primary and Backup Roles
- Failback
- Synchronize Data between Clustered Systems

Failover if Monitored Link Goes Down

There is an option to fail over to the Backup unit if the Primary unit cannot detect all monitored links.

Forceful or Manual Failover

You can force failover to the Backup unit using the web interface. This transfers the load to the Backup unit without bringing down any of the interfaces of the Primary unit. When the Backup unit has become Active, interface cables can be removed or other maintenance performed on the now-backup unit (i.e. the failed Primary unit).

Primary and Backup Roles

When two units are joined in a cluster, the unit from which the Join Cluster operation is performed is the Backup unit. The other one has the role of Primary unit. Initially, the Primary unit is the Active system that serves the traffic. Either of the systems in a cluster is capable of being the Active system.

Failback

There is an automatic failback option that can be configured if you want the originally Active (Primary) unit to take over the Virtual IP addresses and resume load balancing upon its recovery after a failover. This option can be found on the ADVANCED > High Availability page. You can manually switch to the Primary unit using the Failback command that is available on the same page. It may be better to opt for manual failback, as it can minimize the number of times that service is interrupted. For example, if the Primary unit suffers an outage, the Backup unit takes over. When the Primary unit recovers, if automatic failback is selected, then it will once again become the Active unit. This means two interruptions of service. If manual failback is selected, then the Backup unit will continue processing traffic even after the recovery of the Primary unit.

Synchronize Data between Clustered Systems

When two Barracuda Load Balancer ADCs are initially joined, most configuration settings are copied from the primary system in the cluster to the backup system (the system that joins the cluster). These settings are synchronized between the systems on an ongoing basis.

The following data is shared between the clustered systems:
- Global system settings configured through the web interface
- Any installed SSL certificates
- All static routes and VLANs, etc., configured on the ADVANCED > Advanced IP Config page

The following data is unique to each of the clustered systems:
- The Management IP address configuration (DNS servers and domain) configured on the BASIC > IP Configuration page.

- System password, time zone, and web interface HTTP port as configured on the BASIC > Administration page
- Parameters on the ADVANCED > Appearance page
- The HTTPS port and SSL certificate used to access the web interface as configured on the ADVANCED > Secure Administration page.

Related Articles:
- How to Configure the Barracuda Load Balancer ADCs for High Availability
- How to Remove a Barracuda Load Balancer ADC from a High Availability Environment
- How to Update the Firmware on Clustered Systems

How to Remove a Barracuda Load Balancer ADC from a High Availability Environment

Remove a System from a Cluster

A Barracuda Load Balancer ADC can be removed from the cluster at any time. Perform the following steps to remove a unit from the cluster:

1. On the ADVANCED > High Availability page of the Backup unit, perform the following:
   a. Clear the Cluster Shared Secret in the Cluster Settings section, and click Save Changes.
   b. Click the delete icon under Clustered Systems to remove the other unit from the cluster.
2. On the ADVANCED > High Availability page of the Primary unit which is in a cluster with this unit, click the delete icon under Clustered Systems.

Removing the unit from the cluster clears all configuration, including Services, from the Backup unit, and retains all configuration on the Primary unit.

If you have removed the failed unit from the cluster and want to put it back into the cluster, do the following:
1. Make sure the failed unit is removed from the network.
2. On the removed unit, navigate to the ADVANCED > System Configuration page and perform the Clear Configuration operation before putting the unit back into the network.

Related Articles:
- Understanding Barracuda Load Balancer ADC High Availability
- How to Configure the Barracuda Load Balancer ADCs for High Availability
- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Update the Firmware on Clustered Systems

How to Replace a Barracuda Load Balancer ADC in a High Availability Environment

Caution: High availability (HA) is an advanced feature; contact Barracuda Networks Technical Support before replacing a Barracuda Load Balancer ADC in a cluster.

The steps for replacing a Barracuda Load Balancer ADC differ based on whether the system is the Primary or the Secondary device in the cluster. Note that both Barracuda Load Balancer ADCs in HA must be the same model and on the same firmware.

In this article:

- Replace the Primary System in a High Availability Environment
  - Scenario: New Replacement Primary Device
  - Scenario: Activate the New Primary Device in an Isolated Network
- Replace the Secondary System in a High Availability Environment

Replace the Primary System in a High Availability Environment

This section describes the most common scenarios for replacing the Primary system in HA. Because the Primary system is offline during replacement, you must schedule downtime when replacing the Primary system in HA. Select the scenario that best fits your use case, and complete the associated steps when replacing the Primary system in an HA environment.

Scenario: New Replacement Primary Device

Important: Follow the steps in this procedure carefully. It is necessary to perform a hot swap and delete the Primary device from the Secondary device configuration at the end of this procedure to avoid wiping out the configuration of the Secondary device.

Figure: New Primary Device Replacement.

1. Back up the system configuration on the Secondary device. Complete the following steps on the Secondary device:
   a. Log in to the Secondary device, and navigate to the ADVANCED > Backups page.
   b. In the Manual Backups section, click Backup Now to download a backup to your desktop.
   Note that the Secondary device must remain active since the Primary device is down during this replacement procedure.
2. Install the new replacement Primary device and set the MGMT IP address of your old Primary device on the new Primary device.
3. Verify that the new Primary device is on the same firmware version as the existing devices.
4. Once the new device is installed, log in to the Primary system, go to the ADVANCED > Backups page, and complete the following steps:
   a. In the Restore Backups section, click Browse next to Restore From; navigate to and select the configuration backup saved on your desktop.
   b. Click Open or Choose to download the file to your system. The downloaded backup file is displayed at the top with details such as Backup Time, Serial#, Model, Firmware and Type.
   c. Click Restore Now to restore the configuration backup file to the Primary device.
   Warning: Connections on the primary and secondary devices may go down intermittently during this procedure.
5. On the Primary device, go to the ADVANCED > High Availability page, and configure all attributes in exactly the same manner as those on the Secondary device; the Cluster Shared Secret must match exactly.
6. On the Secondary device, navigate to the ADVANCED > High Availability page, and complete the following steps:
   a. In the Clustered Systems section, delete the IP address of the old Primary device; the system refreshes and wipes out all of the configuration settings.
   b. Once the device is back online, go to the BASIC > IP Configuration page and set the Default Domain name under Domain Configuration.
   c. Navigate to the ADVANCED > High Availability page, and under Clustered Systems, set the IP address of the Primary device, and click Join Cluster.

Scenario: Activate the New Primary Device in an Isolated Network

Figure: Isolated Network Environment.

1. Back up the system configuration on the Secondary device:
   a. Log in to the Secondary device, and navigate to the ADVANCED > Backups page.
   b. In the Manual Backups section, click Backup Now to download a backup to your desktop.
2. Note that the Secondary device must remain active until step 6 in this procedure.
3. Install the new replacement Primary device in an isolated network, and complete the following steps:
   a. Go to the ADVANCED > Backups page on the Primary device, and in the Restore Backups section, click Browse next to Restore From. Navigate to and select the configuration backup saved on your desktop in step 3 above.
   b. Click Open or Choose to download the file to the Primary device. The downloaded backup file is displayed at the top with details such as Backup Time, Serial#, Model, Firmware and Type.
   c. Click Restore Now to restore the configuration backup file to the Primary device.
4. Set the MGMT IP address of the old Primary device on the new Primary device.
5. Verify the configuration on the new Primary device.
6. After verifying the configuration, complete the following at the same time:
   - Shut down the Secondary device, and
   - Connect and power up the new Primary device on the production network.
7. Put the Secondary device in an isolated network.
8. On the Primary device, go to the ADVANCED > High Availability page, and configure all attributes in exactly the same manner as those on the Secondary device; the Cluster Shared Secret must match exactly.
9. Remove the Secondary device from the cluster by deleting the IP address of the old Primary device from the Clustered Systems section.
10. Put the Secondary device back in the production network.

Replace the Secondary System in a High Availability Environment

Figure: Secondary System Replacement.

1. Remove the old Secondary device using the instructions in the article How to Remove a Barracuda Load Balancer ADC from a High Availability Environment.
2. Once the new device is installed, follow the steps in the article How to Configure the Barracuda Load Balancer ADCs for High Availability to complete the system replacement in the HA configuration.

When replacing a system in a cluster, both systems must be on the same firmware version.

Related Articles
- Understanding Barracuda Load Balancer ADC High Availability
- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Update the Firmware on Clustered Systems
- How Barracuda Networks Manages Returned Device Drives

How to Update the Firmware on Clustered Systems

To update the firmware with minimal disruption of service:

1. Download the new version of the firmware on both units.
2. Go to the ADVANCED > High Availability page of the Primary unit and set Failback Mode to Manual in the Cluster Settings section.
3. Go to the ADVANCED > High Availability page of the Backup (Passive) unit and ensure Failback Mode is Manual.
4. On the Backup unit, go to the ADVANCED > Firmware Update page and click the Apply Now button next to the downloaded firmware version. This reboots the unit. Wait until the Backup unit comes up.
5. On the Primary unit, go to the ADVANCED > High Availability page and click the Failover button under Clustered Systems. This operation fails over all Service(s) from the Primary unit to the Backup unit. The Backup unit assumes the Service(s) and continues to process the traffic.
6. On the Primary unit, go to the ADVANCED > Firmware Update page and click the Apply Now button next to the downloaded firmware version. This reboots the unit.
7. Now go to the ADVANCED > High Availability page of the Primary unit and click the Failback button under Clustered Systems. This operation fails back all Service(s) from the Backup unit to the Primary unit. The Primary unit assumes the Service(s) and continues to process the traffic.
8. On the Primary unit, change the Failback Mode to Automatic if you want the Primary (Active) system to resume Service(s) automatically upon its recovery.

Related Articles:
- Understanding Barracuda Load Balancer ADC High Availability
- How to Configure the Barracuda Load Balancer ADCs for High Availability
- How to Manage High Availability Environment with Two Barracuda Load Balancer ADCs
- How to Remove a Barracuda Load Balancer ADC from a High Availability Environment

Maintenance

In this Section
- How to Back up and Restore Your System Configuration
- How to Update and Revert the Firmware
- How to Update Definitions Under Energize Updates
- How to Replace a Failed System
- How to Reload, Restart, and Shut Down the System
- Troubleshooting
- How to Reboot the System in Recovery Mode
- How to Use the Internet Protocol Version 6 (IPv6) with Barracuda Load Balancer ADC

How to Back up and Restore Your System Configuration

Use the ADVANCED > Backups page to back up and restore the Barracuda Load Balancer ADC configuration. You should back up your system on a regular basis in case you need to restore this information on a replacement Barracuda Load Balancer ADC or in the event your current system data becomes corrupt. If you are restoring a backup file on a new Barracuda Load Balancer ADC that is not configured, you need to assign your new system an IP address and DNS information on the BASIC > IP Configuration page.

Backup File

Do not edit backup files. Any configuration changes you want to make need to be done through the web interface. The configuration backup file contains a checksum that prevents the file from being uploaded to the system if any changes are made. You can safely view a backup file in Windows WordPad or Microsoft Word. You should avoid viewing backup files in Windows Notepad because the file can become corrupted if you save the file from this application.

The following information is not included in the backup file:
- System password

- System IP information
- DNS information

How to Update and Revert the Firmware

Updating the Firmware for a High Availability Cluster: This article provides instructions on updating the firmware for standalone Barracuda Load Balancer ADCs. If you want to update the firmware for two Barracuda Load Balancer ADCs configured in a high availability cluster, see How to Update the Firmware on Clustered Systems.

On the ADVANCED > Firmware Update page, you can update or revert the firmware version of the Barracuda Load Balancer ADC. If offline updates are enabled, you can complete an offline firmware update. Because the Barracuda Load Balancer ADC reboots during the firmware update, it is recommended that you update the firmware in a planned maintenance window.

In this article:
- Before You Update the Firmware
- Online Firmware Update
- Offline Firmware Update
- Firmware Revert

Before You Update the Firmware

Before you update the firmware version of the Barracuda Load Balancer ADC, it is strongly recommended that you:
- Go to the ADVANCED > Backups page and back up your current configuration.
- Read all release notes that apply to versions that are more recent than the one currently running on your system. You can view the release notes on the ADVANCED > Firmware Update page. If you are performing an offline firmware update, the release notes appear after you upload the firmware update package with the steps in the Offline Firmware Update section below.

Online Firmware Update

To update the firmware for the Barracuda Load Balancer ADC:

1. Go to the ADVANCED > Firmware Update page.
2. Compare the installed version in the Current Firmware Version section to the latest general release version available in the Firmware Download section. If you have the latest firmware version already installed, the Download Now button for the latest general release version is disabled.
3. If there is a new Latest General Release available, click Download Now and allow the update to finish downloading.
4. After the update is completely downloaded, click Apply Now. Do not reboot or turn off the Barracuda Load Balancer ADC while the firmware is updating. The process can take several minutes to complete, depending on your configuration. After the firmware finishes updating, the Barracuda Load Balancer ADC automatically reboots and you are redirected to the login screen.

Offline Firmware Update

To update the firmware for the Barracuda Load Balancer ADC without Internet access, you must enable offline updates. You can then download the latest firmware package from your Barracuda Cloud Control account and upload the package to the Barracuda Load Balancer ADC.

1. Contact Barracuda Networks Technical Support for a Feature Code to enable offline updates.
2. Go to the Support > Downloads page in your Barracuda Cloud Control account, and download the latest firmware package.
3. Log into the Barracuda Load Balancer ADC.
4. Enable expert mode by appending the following to the URL: &expert=1
5. Go to the ADVANCED > Offline Update page that appears and enable offline updates:
   a. Enter the Feature Code that you received from Barracuda Networks Technical Support, and then click Activate.
   b. When the Enable Offline Updates setting appears, select Yes.

   c. Click Save.
6. Go to the ADVANCED > Firmware Update page.
7. In the Firmware Upload section, click Browse to navigate to and select the firmware package that you downloaded from your Barracuda Cloud Control account.
8. Click Upload.
9. After the firmware package is completely uploaded, click Apply Now.

Do not reboot or turn off the Barracuda Load Balancer ADC while the firmware is updating. The process can take several minutes to complete, depending on your configuration. After the firmware finishes updating, the Barracuda Load Balancer ADC automatically reboots and you are redirected to the login screen.

Firmware Revert

If you are reverting the firmware to a major release, the configuration that you had for that release version is loaded after the revert process completes.

You can revert the firmware to the previously installed version or to the factory installed version at any time. However, it is strongly recommended that you contact Barracuda Networks Technical Support before reverting the firmware.

To revert the firmware, go to the ADVANCED > Firmware Update page and revert to either the previously installed version or to the factory installed version in the Firmware Revert section. Do not reboot or turn off the Barracuda Load Balancer ADC while the firmware is reverting. The process can take several minutes to complete, depending on your configuration. After the firmware finishes reverting, the Barracuda Load Balancer ADC automatically reboots and you are redirected to the login screen.

How to Update Definitions Under Energize Updates

Energize Updates delivers the latest attack, virus, security, update, and location definitions from Barracuda Central to protect your Barracuda Load Balancer ADC. On the ADVANCED > Energize Updates page, you can choose to automatically or manually update each definition:
To let a definition sync automatically whenever a new version is available, enable the Automatic Updates setting for it.
If you want to manually update a definition, disable the Automatic Updates setting for it. You can manually update a definition online at any time. If offline updates are enabled, you can complete offline updates of the definitions.

For maximum protection, Barracuda Networks recommends that you enable Automatic Updates for each set of definitions, so that you receive the latest versions as soon as they are available from Barracuda Central.

Activating the Attack Definition
After you update the Attack Definition (automatically or manually), you must activate it by clicking the Activation link that displays on the BASIC > Status or ADVANCED > Energize Updates page. During the activation of the Attack Definition, the data path traffic may be interrupted, possibly dropping incoming packets for a few seconds. For the updates of all other definitions, traffic is processed normally.

In this article:
Configure Automatic Definition Updates
Manually Update Definitions Online
Manually Update Definitions Offline

Configure Automatic Definition Updates

To enable and disable automatic updates:
1. Go to the ADVANCED > Energize Updates page.
2. In the section for each definition that you want to automatically update, set Automatic Updates to On. The definition will automatically update whenever a new version is available.
3. In the section for each definition that you do not want to automatically update, set Automatic Updates to Off. You must then manually update the definition whenever a new version is available. You can update definitions online and offline.
4. Click Save.

Manually Update Definitions Online

To manually update definitions online:
1. Go to the ADVANCED > Energize Updates page.
2. In the section for each definition, compare the installed version to the latest general release version available. If you have the latest definition version already installed, the Update button for the latest version is disabled.
3. If there is a new version available, click Update to update the definition immediately.

Manually Update Definitions Offline

To update definitions for the Barracuda Load Balancer ADC without Internet access, you must enable offline updates. You can then manually download the latest definition packages from your Barracuda Cloud Control account and then upload the packages to the Barracuda Load Balancer ADC.
1. Contact Barracuda Networks Technical Support for a Feature Code to enable offline updates.
2. Go to the Support > Downloads page in your Barracuda Cloud Control account, and download update packages for the latest versions of the following:
   Attack definition
   Virus definition
   Security definition
   Location definition
   Update definition
3. Log into the Barracuda Load Balancer ADC.
4. Enable expert mode by appending the URL with: &expert=1
5. Enable offline updates.
   a. Go to the ADVANCED > Offline Update page that appears.
   b. Enter the Feature Code on the page, and then click Activate.
   c. Next to the Enable Offline Updates setting that appears, select Yes.
   d. Click Save.
6. Go to the ADVANCED > Energize Updates page.
7. In the Definition Update Upload section, click Browse to navigate to and select a definition package that you downloaded from your Barracuda Cloud Control account.
8. After the definition package is completely uploaded, click Apply Now.
9. Repeat steps 7 and 8 until you have updated all of the definitions on the page.
How to Replace a Failed System

Related Articles
How Barracuda Networks Manages Returned Device Drives

Before you replace your Barracuda Load Balancer ADC, use the tools provided on the ADVANCED > Troubleshooting page to try to resolve the problem.

In the event that a Barracuda Load Balancer ADC fails and you cannot resolve the issue, customers that have purchased the Instant Replacement service can call Technical Support and arrange for a new unit to be shipped out within 24 hours. After receiving the new system, ship the old Barracuda Load Balancer ADC back to Barracuda Networks at the address below with an RMA number marked clearly on the package. Barracuda Networks Technical Support can provide details on the best way to return the unit.

Barracuda Networks
3175 S. Winchester Blvd
Campbell, CA

To set up the new Barracuda Load Balancer ADC so it has the same configuration as your old failed system, restore the backup file from the old system onto the new system, and then manually configure the new system's IP information on the BASIC > IP Configuration page. For information on restoring data, refer to How to Back up and Restore Your System Configuration.

How to Reload, Restart, and Shut Down the System

The System Reload/Shutdown section on the BASIC > Administration page allows you to shut down, restart, and reload the system configuration on the Barracuda Load Balancer. Shutting down the system powers off the unit. Restarting the system reboots the unit. Reloading the system re-applies the system configuration.

You can also reboot the Barracuda Load Balancer 240, 340, and 440 by pressing RESET on the front panel of the Barracuda Load Balancer. Do not press and hold the RESET button for more than a couple of seconds. Holding it for five seconds or longer changes the IP address of the system:
Pressing RESET for five seconds sets the WAN IP address to
Pressing RESET for eight seconds changes the WAN IP address to
Pressing the button for 12 seconds changes the WAN IP address to

Troubleshooting

The ADVANCED > Troubleshooting page provides various tools that help troubleshoot network connectivity issues that may be impacting the performance of your Barracuda Load Balancer ADC. From this page you can open a secure troubleshooting connection from your Barracuda Load Balancer ADC to Barracuda Central, allowing a Barracuda Networks technician to diagnose and troubleshoot an issue with your system.

To open a troubleshooting connection:
1. Click Establish Connection to Barracuda Support Servers.
2. Provide the support engineer with the displayed serial number.
3. After the issue is resolved, click Terminate connection to Barracuda Central to close the connection between your Barracuda Load Balancer ADC and Barracuda Central.

Network Connectivity Tests

You can use the tools in this section to diagnose potential network problems on the Barracuda Load Balancer ADC:
Ping Device: An interface to the ping command on the Barracuda Load Balancer ADC. To verify connectivity with any network host, enter the IP address or hostname to ping, and then click Begin Ping.
Telnet Device: An interface to the telnet command on the Barracuda Load Balancer ADC. To verify connectivity and the initial response from the remote server, enter the IP address or hostname of the remote server, and then click Begin Telnet. This session is non-interactive.
Dig/NS-lookup Device: An interface to the dig command on the Barracuda Load Balancer ADC. To look up any type of DNS record (such as A, MX, SOA, TXT, or NS), enter the IP address or hostname of the device in the Dig/NS-lookup Device field, and then click Begin Dig.
TCP Dump: An interface to the TCP dump command on the Barracuda Load Balancer ADC. To monitor network traffic packets, enter the TCP dump command options, and then click Begin TCP Dump.
Traceroute Device: An interface to the traceroute command on the Barracuda Load Balancer ADC. To determine the path taken by traffic to its destination, enter the destination and click Begin Traceroute.
Wget Web Page: Executes the Wget command with the spider option. Enter a URL and click Begin Wget. Wget will not download the pages; it only checks that they are there. Pages are not returned or cached. You can use a host name or an IP address in the URL. Wget supports the HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.
Advanced TCP Dump: The Advanced TCP Dump option allows you to execute a TCP dump command on the Barracuda Load Balancer ADC and write the results to a file for downloading. The maximum number of packets that can be captured for each run is limited to 10,000. The IP Address and Port fields are optional.
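The Advanced TCP Dump option above captures at most 10,000 packets to a file, with optional IP Address and Port fields. As an added illustration, not code from the Barracuda guide or the appliance's own implementation, the POSIX shell function below assembles the equivalent tcpdump command line, enforcing the same per-run cap and validating the two optional fields before they are placed in the filter expression; the interface name, output path and sample addresses are assumed values.

```shell
#!/bin/sh
# Added example, not code from the Barracuda guide or the appliance itself:
# build the tcpdump command line that corresponds to the Advanced TCP Dump
# form, i.e. a capture written to a file, capped at the page's 10,000 packets,
# with an optional IP address filter and an optional port filter.
# Interface name, output path and the sample addresses below are assumptions.

MAX_PACKETS=10000   # per-run cap stated on the Troubleshooting page

# valid_ipv4 ADDR: succeed only for dotted-quad addresses with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed only for a decimal port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tcpdump_cmd IFACE OUTFILE [IP] [PORT]
# Prints the command on stdout. Returns 1 and prints nothing on stdout when an
# optional field is present but malformed, so an unvalidated value never
# reaches the BPF filter expression.
build_tcpdump_cmd() {
    iface=$1; outfile=$2; ip=$3; port=$4
    filter=""
    if [ -n "$ip" ]; then
        valid_ipv4 "$ip" || { echo "invalid IP address: $ip" >&2; return 1; }
        filter="host $ip"
    fi
    if [ -n "$port" ]; then
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
        [ -n "$filter" ] && filter="$filter and "
        filter="${filter}port $port"
    fi
    # -nn: no DNS or service-name lookups, so the capture itself adds no traffic
    # -c : stop after MAX_PACKETS packets, mirroring the 10,000-packet limit
    # -w : write raw packets to a file for download and offline analysis
    cmd="tcpdump -nn -i $iface -c $MAX_PACKETS -w $outfile"
    [ -n "$filter" ] && cmd="$cmd '$filter'"
    printf '%s\n' "$cmd"
}

# Demonstration with constructed values (RFC 5737 documentation address range).
build_tcpdump_cmd eth0 /tmp/adc-capture.pcap 192.0.2.10 443
build_tcpdump_cmd eth0 /tmp/adc-capture.pcap
if ! build_tcpdump_cmd eth0 /tmp/adc-capture.pcap 192.0.2.10 70000 2>/dev/null; then
    echo "rejected out-of-range port as expected"
fi
```

The printed command needs root privileges and a host with tcpdump installed; on the ADC itself the Advanced TCP Dump form remains the supported way to run such a capture.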

Network Information

These commands are primarily for use by Barracuda Networks Technical Support.
Show ARPs: This command displays the ARP (Address Resolution Protocol) entries for this Barracuda Load Balancer ADC. It shows the MAC address and the corresponding IP address of each interface.
Show Routes: This command displays the IP routing table on the Barracuda Load Balancer ADC. It shows the network address and subnet information for the LAN and WAN, and the default gateway.
Show Interfaces: This command displays the MAC address for each interface used by the Barracuda Load Balancer ADC.

How to Reboot the System in Recovery Mode

If your Barracuda Load Balancer ADC experiences a serious issue that impacts its core functionality, you can use the diagnostic and recovery tools that are available at the reboot menu to return your system to an operational state.

Before you use the diagnostic and recovery tools, do the following:
1. Use the built-in troubleshooting tools on the ADVANCED > Troubleshooting page to help diagnose the problem.
2. Perform a system restore from the last known good backup file.
3. Contact Barracuda Networks Technical Support for additional troubleshooting tips.
4. As a last resort, you can reboot your Barracuda Load Balancer ADC and run a memory test or perform a complete system recovery, as described in this section.

To perform a system recovery or hardware test:
1. Connect a monitor and keyboard directly to your Barracuda Load Balancer ADC.
2. Reboot the system by doing one of the following:
   Click Restart on the BASIC > Administration page.
   Press the Power button on the front panel to turn off the system, and then press the Power button again to turn the system back on.
3. The Barracuda splash screen displays with the following three boot options:
   Barracuda
   Recovery
   Hardware_Test
4. Use your keyboard to select the desired boot option, and click Enter. You must select the boot option within three seconds of the splash screen appearing. If you do not select an option within three seconds, the Barracuda Load Balancer ADC defaults to starting up in the normal mode (first option).

Reboot Options

Barracuda: Starts the Barracuda Load Balancer ADC in the normal (default) mode. This option is automatically selected if no other option is specified within the first three (3) seconds of the splash screen appearing.
Recovery: Displays the Recovery Console, where you can select the following options:
   Perform file system repair: Repairs the file system on the Barracuda Load Balancer ADC.
   Perform full system re-image: Restores the factory settings on your Barracuda Load Balancer ADC and clears out all configuration information.
   Enable remote administration: Initiates a connection to Barracuda Central that allows Barracuda Networks Technical Support to access the system. Another method for enabling this troubleshooting connection is to click Establish Connection to Barracuda Central on the ADVANCED > Troubleshooting page.
   Run diagnostic memory test: Runs a diagnostic memory test from the operating system. If problems are reported when running this option, run the Hardware_Test option next.
Hardware_Test: Performs a thorough memory test that shows most memory related errors within a two-hour time period. The memory test is performed outside of the operating system and can take a long time to complete. Reboot your Barracuda Load Balancer ADC to stop the hardware test. You may do this by pressing Ctrl-Alt-Del on the keyboard.

How to Use the Internet Protocol Version 6 (IPv6) with Barracuda Load Balancer ADC

The Barracuda Load Balancer ADC supports IPv6 as well as IPv4; this article describes how to use IPv6. To enable IPv6 support, go to the BASIC > IP Configuration page and enable it. Using the same page, assign IPv6 addresses to the relevant interfaces. Only then can you connect to an IPv6 network.

The following table lists the combinations of IPv6 and IPv4 interfaces to Services and Real Servers that can be used when IPv6 is enabled:
IPv6 VIP Address, IPv6 Real Server Addresses: Used when the complete network setup is being migrated to support IPv6 based addressing.
IPv6 VIP Address, IPv4 Real Server Addresses: Used when you wish to publish IPv6 addresses for web applications without changing the addressing in your internal network.
IPv4 VIP Address, IPv6 Real Server Addresses: Used when third party applications connecting to your applications are not yet ready to communicate via IPv6.
IPv4 VIP Address, IPv4 Real Server Addresses: Used in current deployments without any IPv6 support.

IPv6 is not supported in these two areas:
Connecting to the Barracuda Networks Technical Support Center via a support tunnel is not possible using IPv6 addresses. If you need to do this, make sure you have IPv4 addresses configured for the WAN and LAN IP addresses on the BASIC > IP Configuration page.
IPv6 addresses cannot be configured on the Administrative Console.

Barracuda Load Balancer ADC Hardware Features

Front Panel
Barracuda Load Balancer ADC 340 and 440
Barracuda Load Balancer ADC 540
Barracuda Load Balancer ADC 640
Barracuda Load Balancer ADC 641 and 642
Barracuda Load Balancer ADC 840
Barracuda Load Balancer ADC 841 and 842
Back Panel
Barracuda Load Balancer ADC 340, 440, and 540
Barracuda Load Balancer ADC 640, 641, and 642
Barracuda Load Balancer ADC 840, 841, and 842

Front Panel

Barracuda Load Balancer ADC 340 and 440

Barracuda Load Balancer ADC 340 and 440 front panel features:
Disk Light: Displays a blinking blue light during disk activity.
LAN Port: 1 Gigabit Ethernet copper port.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid blue light while the appliance is turned on.
Reset Button: Resets the appliance.
WAN Port: 1 Gigabit copper Ethernet port.

Barracuda Load Balancer ADC 540

Barracuda Load Balancer ADC 540 front panel features:
Disk Light: Displays a blinking blue light during disk activity.
Ports: 4 X 1 Gigabit copper Ethernet ports for WAN and LAN connections.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid blue light while the appliance is turned on.
Reset Button: Resets the appliance.

Barracuda Load Balancer ADC 640

Barracuda Load Balancer ADC 640 front panel features:
1 Gb Ethernet Ports: 8 X 1 Gigabit Ethernet copper ports for WAN and LAN connections.
Disk Light: Displays a blinking yellow light during disk activity.
Management Port Activity: Displays a blinking green light during network activity over the management port on the back panel.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid green light while the appliance is turned on.
Reset Button: Resets the appliance.
Unused Port: This LED does not currently have a function.
Unused Port LED: LED for the unused port on the back panel.

Barracuda Load Balancer ADC 641 and 642

Barracuda Load Balancer ADC 641 and 642 front panel features:
1 Gb Ethernet Ports: 8 X 1 Gigabit Ethernet copper ports for WAN and LAN connections.
10 Gb Ethernet Ports: 2 X 10 Gigabit Ethernet ports for WAN and LAN connections. Model 641: Ethernet copper ports. Model 642: Ethernet fiber ports.
Disk Light: Displays a blinking yellow light during disk activity.
Management Port Activity: Displays a blinking green light during network activity over the management port on the back panel.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid green light while the appliance is turned on.
Reset Button: Resets the appliance.
Unused LED: This LED does not currently have a function.
Unused Port LED: LED for the unused port on the back panel.

Barracuda Load Balancer ADC 840

Barracuda Load Balancer ADC 840 front panel features:
1 Gb Ethernet Ports: 8 X 1 Gigabit Ethernet copper ports for WAN and LAN connections.
Disk Light: Displays a blinking yellow light during disk activity.
Failed System State: Displays a red light during an appliance failure.
Management Port Activity: Displays a blinking green light during network activity over the management port on the back panel.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid green light while the appliance is turned on.
Reset Button: Resets the appliance.
Unused LED: This LED does not currently have a function.
Unused Port LED: LED for the unused port on the back panel.

Barracuda Load Balancer ADC 841 and 842

Barracuda Load Balancer ADC 841 and 842 front panel features:
1 Gb Ethernet Ports: 8 X 1 Gigabit Ethernet copper ports for WAN and LAN connections.
10 Gb Ethernet Ports: 4 X 10 Gigabit Ethernet ports for WAN and LAN connections. Model 841: Ethernet copper ports. Model 842: Ethernet fiber ports.
Disk Light: Displays a blinking yellow light during disk activity.
Failed System State: Displays a red light during an appliance failure.
Management Port Activity: Displays a blinking green light during network activity over the management port on the back panel.
Power Button: Turns the appliance on and off.
Power Indicator: Displays a solid green light while the appliance is turned on.
Reset Button: Resets the appliance.
Unused LED: This LED does not currently have a function.
Unused Port LED: LED for the unused port on the back panel.

Back Panel

Barracuda Load Balancer ADC 340, 440, and 540

Barracuda Load Balancer ADC 340, 440, and 540 back panel features:
DVI-D (Dual Link) Port: DVI-D connection for a monitor.
Keyboard Port: Connection for the keyboard.
Mouse Port: Connection for the mouse.
Management Port: Ethernet port that is used as the management port.
Power Supply: Socket for the AC power cord; standard power supply.
USB Ports: Connections for USB devices.
VGA Port: VGA connection for a monitor.

Barracuda Load Balancer ADC 640, 641, and


More information

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? Websense Network Agent software monitors all internet traffic on the machines that you assign to it. Network Agent filters HTTP traffic and more than 70 other popular internet protocols,

More information

Microsoft Lync 2010 Deployment Guide

Microsoft Lync 2010 Deployment Guide Microsoft Lync 2010 Deployment Guide v1.3.7 Copyright 2013 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 4 Appliances Supported... 4 Microsoft Lync 2010 Software Versions Supported...4

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

1. Barracuda Copy - Overview... 3 1.1 What's New in Barracuda Copy... 3 1.2 End-User Tools... 4 1.2.1 Get Started with Barracuda Copy... 5 1.2.

1. Barracuda Copy - Overview... 3 1.1 What's New in Barracuda Copy... 3 1.2 End-User Tools... 4 1.2.1 Get Started with Barracuda Copy... 5 1.2. Barracuda Copy - Overview.................................................................................... 3 1 What's New in Barracuda Copy............................................................................

More information

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services Table of Contents Table of Contents Using the BIG-IP Edge Gateway for layered security and

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010 Version 2.6. Introduction. Table of Contents

Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010 Version 2.6. Introduction. Table of Contents Deploying the Barracuda Load Balancer with Microsoft Exchange Server 2010 Version 2.6 Introduction Organizations use the Barracuda Load Balancer to distribute the load and increase the availability of

More information

IronKey Enterprise Server 6.1 Quick Start Guide

IronKey Enterprise Server 6.1 Quick Start Guide IronKey Enterprise Server 6.1 Quick Start Guide Last Updated September 2015 System Requirements Requirement Description Database Microsoft SQL Server 2005, Microsoft SQL Server 2008, or Microsoft SQL Server

More information

Thinspace deskcloud. Quick Start Guide

Thinspace deskcloud. Quick Start Guide Thinspace deskcloud Quick Start Guide Version 1.2 Published: SEP-2014 Updated: 16-SEP-2014 2014 Thinspace Technology Ltd. All rights reserved. The information contained in this document represents the

More information

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to

More information

Loadbalancer.org. Loadbalancer.org appliance quick setup guide. v6.6

Loadbalancer.org. Loadbalancer.org appliance quick setup guide. v6.6 Loadbalancer.org Loadbalancer.org appliance quick setup guide v6.6 1 Confidentiality Statement All information contained in this proposal is provided in confidence for the sole purpose of adjudication

More information

Load Balancing Microsoft Lync 2010 Load Balancing Microsoft Lync 2013. Deployment Guide

Load Balancing Microsoft Lync 2010 Load Balancing Microsoft Lync 2013. Deployment Guide Load Balancing Microsoft Lync 2010 Load Balancing Microsoft Lync 2013 Deployment Guide rev. 1.6.1 Copyright 2002 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide...4 Loadbalancer.org Appliances

More information

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion Key Data Product #: 3380 Course #: 6420A Number of Days: 5 Format: Certification Exams: Instructor-Led None This course syllabus should be used to determine whether the course is appropriate for the students,

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

Network Agent Quick Start

Network Agent Quick Start Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense

More information

Virtual Appliance Installation Guide

Virtual Appliance Installation Guide > In This Chapter Document: : Installing the OpenManage Network Manager Virtual Appliance 2 Virtual Appliance Quick Start 2 Start the Virtual Machine 6 Start the Application 7 The Application is Ready

More information

Load Balancing Microsoft IIS. Deployment Guide

Load Balancing Microsoft IIS. Deployment Guide Load Balancing Microsoft IIS Deployment Guide rev. 1.4.2 Copyright 2015 Loadbalancer.org, Inc. 1 Table of Contents About this Guide... 4 Appliances Supported... 4 Microsoft IIS Software Versions Supported...

More information

Remote PC Guide for Standalone PC Implementation

Remote PC Guide for Standalone PC Implementation Remote PC Guide for Standalone PC Implementation Updated: 2007-01-22 The guide covers features available in NETLAB+ version 3.6.1 and later. IMPORTANT Standalone PC implementation is no longer recommended.

More information

How to Configure an Initial Installation of the VMware ESXi Hypervisor

How to Configure an Initial Installation of the VMware ESXi Hypervisor How to Configure an Initial Installation of the VMware ESXi Hypervisor I am not responsible for your actions or their outcomes, in any way, while reading and/or implementing this tutorial. I will not provide

More information

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved.

Quick Setup Guide. 2 System requirements and licensing. 2011 Kerio Technologies s.r.o. All rights reserved. Kerio Control VMware Virtual Appliance Quick Setup Guide 2011 Kerio Technologies s.r.o. All rights reserved. This document provides detailed description on installation and basic configuration of the Kerio

More information

Deploying F5 with Microsoft Remote Desktop Session Host Servers

Deploying F5 with Microsoft Remote Desktop Session Host Servers Deploying F5 with Servers Welcome to the F5 deployment guide for Microsoft Remote Desktop Services included in Windows Server 2012 and Windows Server 2008 R2. This document provides guidance on configuring

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

OnCommand Unified Manager 6.2

OnCommand Unified Manager 6.2 OnCommand Unified Manager 6.2 Installation and Setup Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support

More information

Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer

Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer The recognized leader in proven and affordable load balancing and application delivery solutions Deployment Guide Microsoft SharePoint 2010 Deployment with Coyote Point Equalizer Coyote Point Systems,

More information

Deployment Guide Microsoft IIS 7.0

Deployment Guide Microsoft IIS 7.0 Deployment Guide Microsoft IIS 7.0 DG_IIS_022012.1 TABLE OF CONTENTS 1 Introduction... 4 2 Deployment Guide Overview... 4 3 Deployment Guide Prerequisites... 4 4 Accessing the AX Series Load Balancer...

More information

iseries TCP/IP routing and workload balancing

iseries TCP/IP routing and workload balancing iseries TCP/IP routing and workload balancing iseries TCP/IP routing and workload balancing Copyright International Business Machines Corporation 2000, 2001. All rights reserved. US Government Users Restricted

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

13.1 Backup virtual machines running on VMware ESXi / ESX Server

13.1 Backup virtual machines running on VMware ESXi / ESX Server 13 Backup / Restore VMware Virtual Machines Tomahawk Pro This chapter describes how to backup and restore virtual machines running on VMware ESX, ESXi Server or VMware Server 2.0. 13.1 Backup virtual machines

More information

Steps for Basic Configuration

Steps for Basic Configuration 1. This guide describes how to use the Unified Threat Management appliance (UTM) Basic Setup Wizard to configure the UTM for connection to your network. It also describes how to register the UTM with NETGEAR.

More information

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing. Outlook Web Access. Web Mail Using Equalizer Load Balancing Outlook Web Access Web Mail Using Equalizer Copyright 2009 Coyote Point Systems, Inc. Printed in the USA. Publication Date: January 2009 Equalizer is a trademark of Coyote Point Systems

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Course Description The objective of the Citrix NetScaler 10.5 Essentials for ACE Migration course is to provide the foundational

More information

AVer EVC. Quick Installa on Guide. Package Contents. 8. Mini Din 8 pin MIC Cable 9. HDMI Cable

AVer EVC. Quick Installa on Guide. Package Contents. 8. Mini Din 8 pin MIC Cable 9. HDMI Cable 2013 AVer Information Inc. All Rights Reserved. 2 0 1 3 A V e r I n f o r m at i o n I n c. A ll R i g ht s R e s e r v e d. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 1. Main System 2. Camera (The camera will

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2003 Kerio Technologies. All Rights Reserved. Printing Date: December 17, 2003 This guide provides detailed description on configuration of the local

More information

Barracuda Web Application Firewall

Barracuda Web Application Firewall Barracuda Networks Technical Documentation Barracuda Web Application Firewall Administrator s Guide Version 7.6 RECLAIM YOUR NETWORK Copyright Notice Copyright (c) 2004-2011, Barracuda Networks, Inc.,

More information

Pexip Reverse Proxy and TURN Server Deployment Guide

Pexip Reverse Proxy and TURN Server Deployment Guide Pexip Reverse Proxy and TURN Server Deployment Guide Introduction In Pexip Infinity deployments, all Pexip Infinity Connect clients use HTTPS for the call signaling connections towards Conferencing Nodes.

More information

Deploying F5 with Microsoft Remote Desktop Session Host Servers

Deploying F5 with Microsoft Remote Desktop Session Host Servers Deployment Guide Deploying F5 with Microsoft Remote Desktop Session Host Servers Important: The fully supported version of this iapp has been released, so this guide has been archived. See http://www.f5.com/pdf/deployment-guides/microsoft-rds-session-host-dg.pdf

More information

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Configuring the BIG-IP and Check Point VPN-1 /FireWall-1 Introducing the BIG-IP and Check Point VPN-1/FireWall-1 LB, HALB, VPN, and ELA configurations Configuring the BIG-IP and Check Point FireWall-1

More information

Release Notes. Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 2 Troubleshooting...

Release Notes. Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 2 Troubleshooting... Global VPN Client SonicWALL Global VPN Client 4.7.3 Release Notes Contents Pre-Installation Recommendations... 1 Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 2 Troubleshooting... 4

More information

Penetration Testing LAB Setup Guide

Penetration Testing LAB Setup Guide Penetration Testing LAB Setup Guide (External Attacker - Intermediate) By: magikh0e - magikh0e@ihtb.org Last Edit: July 06 2012 This guide assumes a few things... 1. You have read the basic guide of this

More information

Barracuda Message Archiver Vx Deployment. Whitepaper

Barracuda Message Archiver Vx Deployment. Whitepaper Barracuda Message Archiver Vx Deployment Whitepaper Document Scope This document provides guidance on designing and deploying Barracuda Message Archiver Vx on VMware vsphere Document Scope, and Microsoft

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters

More information

Chapter 10 Troubleshooting

Chapter 10 Troubleshooting Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided

More information

BASIC ANALYSIS OF TCP/IP NETWORKS

BASIC ANALYSIS OF TCP/IP NETWORKS BASIC ANALYSIS OF TCP/IP NETWORKS INTRODUCTION Communication analysis provides powerful tool for maintenance, performance monitoring, attack detection, and problems fixing in computer networks. Today networks

More information

How To - Deploy Cyberoam in Gateway Mode

How To - Deploy Cyberoam in Gateway Mode How To - Deploy Cyberoam in Gateway Mode Cyberoam appliance can be deployed in a network in two modes: Gateway mode. Popularly known as Route mode Bridge mode. Popularly known as Transparent mode Article

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Acronis Backup Advanced Version 11.5 Update 6

Acronis Backup Advanced Version 11.5 Update 6 Acronis Backup Advanced Version 11.5 Update 6 APPLIES TO THE FOLLOWING PRODUCTS Advanced for VMware / Hyper-V / RHEV / Citrix XenServer / Oracle VM BACKING UP VIRTUAL MACHINES Copyright Statement Copyright

More information

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004

Prestige 202H Plus. Quick Start Guide. ISDN Internet Access Router. Version 3.40 12/2004 Prestige 202H Plus ISDN Internet Access Router Quick Start Guide Version 3.40 12/2004 Table of Contents 1 Introducing the Prestige...3 2 Hardware Installation...4 2.1 Rear Panel...4 2.2 The Front Panel

More information

Table of Contents. Online backup Manager User s Guide

Table of Contents. Online backup Manager User s Guide Table of Contents Backup / Restore VMware Virtual Machines... Error! Bookmark not defined. Backup virtual machines running on VMware ESXi / ESX Server with VDDK / non VDDK... 2 Requirements and recommendations...

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Virtual Managment Appliance Setup Guide

Virtual Managment Appliance Setup Guide Virtual Managment Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance As an alternative to the hardware-based version of the Sophos Web Appliance, you can deploy

More information

Virtual Data Centre. User Guide

Virtual Data Centre. User Guide Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10

More information

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK Barracuda Networks Technical Documentation Barracuda SSL VPN Administrator s Guide Version 2.x RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks, Inc. www.barracuda.com v20-110511w-02-110915jc

More information