The Barracuda Load Balancer can perform decryption and encryption of SSL traffic to reduce the load on the Real Servers. The encrypted traffic received on the VIP address is decrypted before it is passed to the Real Servers, and traffic coming from the Real Servers is encrypted before it leaves the Barracuda Load Balancer. No SSL configuration on the Real Servers is necessary; all SSL certificates are stored on the Barracuda Load Balancer.
If the Barracuda Load Balancers and the Real Servers are on a trusted network, such as within the same datacenter, enabling SSL offloading does not compromise security, because the decrypted traffic to and from the Real Servers stays on that network. If this is not the case, the Barracuda Load Balancer can re-encrypt the traffic before directing it to the Real Servers.
SSL offloading is not compatible with Direct Server Return. It is also not available for Layer 4, UDP Proxy or Layer 7 - RDP Service types.
To set up SSL offloading, complete the following tasks:
- Upload one SSL certificate for each Service to the Barracuda Load Balancer.
- Identify the Services that are using SSL offloading as secure Service types.
- Change the port used by the Real Servers, if necessary.
Upload SSL Certificates
One SSL certificate for each Service to be offloaded must be stored on the Barracuda Load Balancer. A certificate can be ordered from a trusted Certificate Authority such as VeriSign. Alternatively, if SSL processing was previously done on the server, retrieve the certificate from that server.
To view, edit, or add SSL certificates on the Barracuda Load Balancer, go to the BASIC > Certificates page.
Specify SSL Offloading for a Service
To configure SSL offloading for a Service, go to the BASIC > Services page and edit the Service. On the Service Detail page, change the Service type to the secure Service type (e.g., TCP Proxy to Secure TCP Proxy). Select the SSL certificate you wish to use from the SSL Certificate list.
Update Ports on the Real Servers
If the Real Servers were using port 443 before, update their port setting on the Barracuda Load Balancer. Go to the BASIC > Services page and click Edit for each Real Server for the Service. On the Real Server Detail page, update the port. For example, the Service may use port 443 while the Real Servers use port 80.
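A pre-change check of a planned offloading rollout against the constraints described on this page, as an added example (not Barracuda code and not part of the original page). The inventory layout and every field name (`ssl_offload`, `reencrypt`, `trusted_network`, `direct_server_return`, `certificate`, `real_servers`) are assumptions made for illustration, and the sample plan is constructed.

```python
# Added example: pre-change check of a planned SSL offloading rollout.
# The inventory layout and field names are assumptions, not a Barracuda format.
UNSUPPORTED_TYPES = {"Layer 4", "UDP Proxy", "Layer 7 - RDP"}

def check_service(svc):
    """Return the findings for one planned Service (empty list if none)."""
    if not svc.get("ssl_offload"):
        return []
    findings = []
    if svc["type"] in UNSUPPORTED_TYPES:
        findings.append(f"SSL offloading is not available for {svc['type']} Services")
    if svc.get("direct_server_return"):
        findings.append("SSL offloading is not compatible with Direct Server Return")
    if not svc.get("certificate"):
        findings.append("no SSL certificate selected for the Service")
    reencrypt = svc.get("reencrypt", False)
    # Unknown trust is treated as untrusted so cleartext back ends are never assumed safe.
    if not reencrypt and not svc.get("trusted_network", False):
        findings.append("decrypted traffic crosses an untrusted network; enable re-encryption")
    if not reencrypt:
        for host, port in svc.get("real_servers", []):
            if port == 443:
                findings.append(f"Real Server {host} is still set to port 443; update its port")
    return findings

def check_plan(services):
    """Map Service name -> findings, listing only Services that have findings."""
    return {s["name"]: f for s in services if (f := check_service(s))}

# Constructed sample plan (names and addresses are made up).
PLAN = [
    {"name": "web-shop", "type": "Secure TCP Proxy", "ssl_offload": True,
     "certificate": "shop-cert", "trusted_network": True,
     "real_servers": [("10.0.0.11", 80), ("10.0.0.12", 443)]},
    {"name": "partner-api", "type": "Secure TCP Proxy", "ssl_offload": True,
     "certificate": "api-cert", "trusted_network": False,
     "real_servers": [("192.0.2.20", 80)]},
    {"name": "dns", "type": "UDP Proxy", "ssl_offload": True,
     "trusted_network": True, "real_servers": [("10.0.0.30", 53)]},
    {"name": "intranet", "type": "Secure TCP Proxy", "ssl_offload": True,
     "certificate": "intranet-cert", "trusted_network": True,
     "real_servers": [("10.0.0.40", 80)]},
]

if __name__ == "__main__":
    for name, findings in check_plan(PLAN).items():
        for finding in findings:
            print(f"{name}: {finding}")
```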