Failover Dynamics and Options with BeyondTrust Privileged Remote Access

BeyondTrust failover synchronizes data between two peer appliances, which simplifies a secure swap away from a failed appliance. The two appliances host the same installed software package for a single site. You can verify this in the /login admin web interface: if the Product Version and Product Build match on both appliances, the same site software package is installed. DNS directs the site's support traffic to one of these peer appliances, the primary appliance, where all settings are configured. The backup appliance synchronizes with the primary according to the settings you configure in the /login interface.

This document describes how to use a second BeyondTrust Secure Remote Access Appliance as a backup and failover device for a PRA site and how to switch operations to the backup appliance in a disaster recovery situation. There are three network configuration methods available with PRA failover for redirecting network traffic so that your support site remains available:

  1. Shared IP
  2. DNS Swing
  3. NAT Swing

Configuration details for each of these methods follow in this document, along with detailed failover steps. Your BeyondTrust Secure Remote Access Appliances have a peer relationship, so the recommended setup is the Shared IP failover configuration with automatic data synchronization enabled. Shared IP failover requires both appliances to be on the same IP subnet; where that is not the case, it may be necessary to use the DNS swing or NAT swing failover method instead. Failover can be further managed and automated using the BeyondTrust API. The pros and cons of each option are covered in more detail later, in the best practices.