We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Load Balancer ADC

How do I configure SSL offloading on my Barracuda Load Balancer?

  • Type: Knowledgebase
  • Date changed: 5 months ago
Solution #00004406

All Barracuda Load Balancers, firmware version 3.0 or higher configured in Route-Path or Bridge-Path mode.

To configure SSL offloading on the Barracuda Load Balancer, you must first upload the certificate(s) you intend to use on the Basic > Certificate Management page of the Barracuda Load Balancer's web interface. To avoid domain mismatch errors when users access your load-balanced services, you should make sure your certificate has been generated with the hostname of the Barracuda Load Balancer. Alternatively, you can upload wildcard certificates for your domain (see Solution #00000990 for more information on wildcard certificates). You can even create your own certificates on the Barracuda Load Balancer, but if they aren't signed, users may have difficulty using the service configured to perform SSL offloading.

To upload a certificate on the Basic > Certificate Management page, enter a Certificate Name and, if needed, the Certificate Password. Then, specify the Certificate Key, the Signed Certificate, and, if necessary, any Intermediate Certificates. To reveal additional Intermediate Certificates fields, click the + button next to the Upload Signed Certificate field. After all relevant certificates and the certificate key have been specified, click the Upload button to upload all of the certificate files. You can also combine all of these files into a single file by copying and pasting them into that file, as you would when uploading a certificate for secure administration. If all of the pieces of the certificate are in a single file, private key first, specify that file with the Upload Signed Certificate field and then click the Upload button. If the certificate fails to upload with an Invalid Certificate error, see Solution #00000945.

Once you have uploaded the certificate, you must create a service on the Basic > Services page. This service must specify a specific TCP Port (it must not be configured as UDP, or as an ALL port service).The SSL Offloading service must be separate from all other services, meaning if you want to load balance HTTP traffic there must be a separate service configured HTTP traffic on port 80.  Once the service is created with the desired SSL port (typically 443) it can now be configured for SSL Offloading.  Next, click the blue Edit link next to the Virtual IP of the service to access the SSL Offloading option. Choose 'Yes' for the 'Enable HTTPS/SSL' option, and choose the SSL Certificate you wish to use for offloading in the drop-down menu.

Finally, for the SSL Offloaded service, change each real server listening port to an un-encrypted port, this can be any HTTP port other than the default SSL port (443).  For example, the Virtual IP will typically be configured for port 443, and the Server ports will be on port 80. To change the Real Server ports click on the Edit icon next to each Real Server IP, and change the Port number in the Real Server Detail window. Encrypted traffic received on the configured SSL Port by the Virtual IP will be decrypted before reaching the Real Servers, and traffic coming from the Real Servers will be encrypted before it leaves the Barracuda Load Balancer. Since the Real Servers send and receive decrypted traffic, no SSL configuration on any of the real servers is necessary.

Additional Notes:
Because the Barracuda Load Balancer only sees incoming traffic in the Direct Server Return (DSR) deployment mode, SSL offloading will not work with DSR.

Link to This Page: