Prerequisites for Setting Up Multiple B Series Appliances in Atlas Clusters
You must meet certain prerequisites before you can set up your BeyondTrust cluster.
- Two B300, B400, or PRA Virtual Appliances
These B Series Appliances act as the primary nodes. One is designated the primary node and the other is a backup primary node. Both primary nodes must match same B Series Appliance type: B300 to B300, B400 to B400, or PRA Virtual Appliance to PRA Virtual Appliance. Your need for scalability, capacity, and redundancy determines B Series Appliance needs.
- One B300/B400/PRA Virtual Appliance traffic node per geographic region in a minimum of two regions
Traffic nodes can be a mix of B300, B400, and PRA Virtual Appliances. However, mixing B Series Appliance types yields unbalanced capabilities and potential workflow conflicts. Therefore, we recommend that all B Series Appliances be the same model or type.
- Site hostname
This is the hostname that customers visit to initiate support. This hostname must route to the primary node in the cluster.
- Canonical node hostnames
You must have a unique and unchanging hostname for each primary and traffic node. For geographic deployments, consider using the geographic region as part of the hostname. These hostnames should be registered in both the internal and external DNS. Here is an example:
- Primary : primary1.access.example.com
- Backup Primary: primary2.access.example.com
- Traffic Node 1: us-traffic1.access.example.com
- Traffic Node 2: us-traffic2.access.example.com
- Traffic Node 3: asia-traffic1.access.example.com
- Valid SSL certificate for the BeyondTrust support site and for each traffic node
It is recommended you use a valid third-party wildcard certificate that covers both your BeyondTrust support site name and each traffic node hostname. If a wildcard certificate is not used, adding additional traffic nodes that use different certificates may require a rebuild of the BeyondTrust software in order to provide support for mobile and Linux platforms.
You must send BeyondTrust Technical Support a copy of the SSL root certificate and/or B Series Appliance DNS address.
If a self-signed certificate is used, the certificate serves as its own root certificate, and therefore, the self-signed certificate should be sent to BeyondTrust Technical Support. If a CA-signed certificate is used, contact the CA for a copy of their root certificate. If you have trouble contacting the CA, articles to assist with obtaining your root certificate can be found at beyondtrustcorp.service-now.com/csm. In either case, BeyondTrust Technical Support needs to know the DNS address of the B Series Appliance.
- TCP port 443 open bi-directionally on all B Series Appliances
All B Series Appliances must be able to communicate over TCP port 443.