Set Up the Primary/Backup Failover Relation Between Two PRA Appliances

Failover Page Configuation Entries

BeyondTrust failover enables synchronization of data between two appliances, creating a simplified, two-way process, regardless of which failover configuration you choose. Automatic synchronization of data can be enabled for any of the three supported failover configuration methods. To start automatically synchronizing site data between two appliances, you must first establish a trusted relationship between them. On the appliance you intend to be primary, go to /login > Management > Failover.


To configure a valid connection, both appliances must have identical Inter-Appliance keys. See the /login > Management > Security page to verify the key for each appliance.

Establishing the relationship between the two appliances occurs on the Failover page of the appliance intended to be the primary appliance. The addresses that are entered here will establish the relationship and allow either appliance to connect to each other at any time. The New Backup Site Connection Details tell the primary appliance how to connect to the appliance that will become the backup appliance. The Reverse Connection Details to this Primary Site fields are given to the backup appliance and tell it how to connect back to this primary appliance. You must use a valid hostname or IP address and TLS port number for these fields. When all of these fields are set, click the Establish Relationship button to attempt to establish the relationship.

Whenever possible, BeyondTrust recommends using the unique IP address of each appliance when configuring these settings.

Management > Failover
Failover :: Status
Failover :: Backup Site Instance Status
Failover :: Backup Site Instance Configuration
Failover :: Backup Settings

Once the relationship has been established, extraneous tabs are removed from the backup site. It takes about 60 seconds for the first data synchronization to initiate, but you may also click the Sync Now button to force synchronization and pull the most current information from the primary appliance into the memory of the backup appliance. Synchronization itself may take anywhere from a few seconds to a few hours, depending on the amount of data that needs to be synchronized. The Failover page lists the last date and time of data synchronization when synchronization is completed.

You can disable synchronization, although this is recommended only in rare cases. See the best practices section Establish Failover Settings for Primary and Backup PRA Environments.

If you want to break the relationship so that this appliance no longer backs up any primary appliances, click the Break Failover Relationships button. This removes configuration settings and session data already synchronized.

After failover is configured, the primary appliance can send an email alert if no backup appliance pulls its data for a given length of time. This allows you to be aware if relationships have been disrupted. To activate this alert email, enter connection parameters for a working SMTP server on the primary appliance's /login > Management > Email Configuration page. The next synchronization will copy the settings to the backup.

If the backup appliance determines that the primary appliance is down, it sends a series of emails to the BeyondTrust PRA Appliance administrator notifying them of the failure and counting down the time until automatic failover will occur. The backup appliance will attempt to reach the primary for the length of time specified by the Primary Site Instance Timeout. If it is unable to reach the primary during this time, then the backup enables the shared IP and assumes the role of primary if automatic shared IP failover is configured; otherwise, you must configure failover manually. As soon as the switch is made, you can resume normal activity. All requests to your support site will be served by the backup appliance.

In order to use BeyondTrust's built-in automatic failover, your two appliances must be on the same subnet. If you wish to use automatic failover with appliances on different networks, you must use the failover API.

In the Failover :: Backup Settings section, set how often the backup appliance should pull data from the primary appliance. Remember to set the backup frequency on the primary and backup since these settings are independent. See Establish Failover Settings for Primary and Backup PRA Environments.