Barracuda Icon
Chat
Live Chat

Hi, I'm Rosa.
How may I help you?

How may I help you?

Click below to send us a Message

Support

A global support network of experts.
At your service.

Back to Knowledgebase

How do I set up a cluster of Email Security Gateways or Web Filters?

Solution #00001492

Scope:
This applies to all Email Security Gateway or Web Filters models 400 and higher using firmware version 3.5 and above.

NOTE: Spam boxes must be the same model.Web filters do not have to be ..but it is recommended in a HA setup

Answer:
To cluster two Email Security Gateways together, follow this solution. To make things easier, the two Email Security Gateways will be referred to The New Barracuda and The Existing Barracuda below. If both Barracudas are new, you should first configure one and then treat that one as The Existing Barracuda when following this guide. You should not need to configure much on The New Barracuda beyond network, timezone, and password information, as it will pull the other settings from The Existing Barracuda when they are clustered. For a list of settings that do not sync across a cluster, see Solution #00003248.

Before configuring the cluster, remember to check these things:

  • All Email Security Gateways in a cluster must be the same model number and have the same version of firmware installed.
  • Make sure that The New Barracuda has the same Cluster Shared Secret as The Existing Barracuda (configured on the Advanced > Clustering or Linked management page).
  • Make sure that ports 443, 8000, and 8002 are open between the two Email Security Gateways. This is not usually a problem because most clustered Email Security Gateways are on the same subnet. If they are in different physical locations, make sure any machines between them (routers, firewalls, etc.) allow traffic to travel through these ports.
  • Assuming The Existing Barracuda has been configured, it can accept and process mail both before and after it has been clustered. Do not direct any mail traffic to The New Barracuda until after it has been clustered.
Once these conditions have been met, follow these instructions to cluster the two Email Security Gateways:
  1. Add the IP address (or fully qualified domain name, but IP address is strongly recommended) of The Existing Barracuda into the Join Cluster field on the Advanced > Clustering or Linked management page of The New Barracuda's web interface, and click the Join Cluster button. This will wipe out all configuration settings on The New Barracuda (except for those values listed in Solution #00003248) and copy over the configuration settings from The Existing Barracuda. At this point, the clustering task should be visible at the top of the page, and it should look like this:

    Running Tasks:
    Clustering

    The total clustering time depends on the number of users, domains, and the load on each Email Security Gateway. Once the task has finished, the notification should disappear from the top of each page the web interface on both Email Security Gateways (user-initiated processes are displayed on the Advanced > Task Manager page).
  2. Once the two Barracudas are done synchronizing, you should check that configuration changes on either Barracuda will replicate to the other. On a Spam firewall cluster, this can be safely done by changing the Rate Control threshold on the Advanced > Rate Control page because incrementing or decrementing that value by one or two will have a minimal impact on either Email Security Gateway. For example, if the Maximum Connections Per Client / 30 Minutes value on the Advanced > Rate Control page is set to 50, change it to 51 on The New Barracuda and check that page on The Existing Barracuda (refreshing if necessary) to see if the change replicated across the cluster after a second or two. Then, change it back to 50 on The Existing Barracuda to see whether The New Barracuda will recognize changes made on The Existing Barracuda. On a Web Filter cluster you can do a similar test in Block/Accept > Content Filter.
  3. If the tests worked, all that remains to be done is to direct some of the incoming mail to The New Barracuda. The Email Security Gateways will not load balance incoming mail between them, so you will need to distribute the incoming mail traffic to each Email Security Gateway some other way. You can use a load balancer or multiple DNS MX records of equal priority to accomplish this, though generally MX record load balancing will not distribute the traffic as evenly as a dedicated load balancer.
Additional Notes:
For a list of settings that do not sync across a cluster of Email Security Gateways, see Solution #00003248.

Link to This Page:
http://www.barracuda.com/kb?id=50160000000GSgV