Methods to Configure Failover Between BeyondTrust PRA Appliances
BeyondTrust endpoint clients and access consoles are built to connect to the BeyondTrust PRA Appliance at a specific address. To stop the clients from connecting to the normal primary BeyondTrust PRA Appliance and have them connect to the backup BeyondTrust PRA Appliance instead, a network change must be made to reroute the traffic to its new destination. Three methods are currently supported to achieve this, each with advantages and disadvantages.
| Method | Description | Advantages | Disadvantages |
|---|---|---|---|
| Shared IP | In this configuration, the hostname of the PRA site and the IP address used to represent it remain constant. Both BeyondTrust PRA Appliances share that IP in the /appliance interface, but only the appliance acting as primary has that IP enabled. The backup appliance will not use that IP unless it becomes primary. | No network equipment configuration change. Links and processes referencing your site domain or IP address are adjusted properly based on roles and are served by the backup BeyondTrust PRA Appliance. Once the backup appliance is redefined as the primary and the shared IP is enabled, the backup appliance takes the place of the primary. Does not suffer from the propagation time lag of a DNS entry change. | Potential for IP conflict if the shared IP is enabled on both BeyondTrust PRA Appliances. If both appliances are online and conflicted, go back to /login > Management > Failover and reconfigure the settings so that the roles are accurately set. |
| DNS Swing | Change the DNS entry for your Privileged Remote Access site from the IP address of the primary BeyondTrust PRA Appliance to the IP address of the backup BeyondTrust PRA Appliance. Since DNS changes must propagate through your network, this change might require some time. | Links and processes referencing your site domain do not need to be changed and are served by the backup BeyondTrust Appliance. Can be used in sites that are on different subnets. | Requires a change to networking equipment configuration that is coordinated with changes to the failover roles in the /login interface. The DNS entry change takes some time to propagate, depending on the DNS record time to live. Until the new DNS entry has propagated, users may not be able to reach the site. |
| NAT Swing | Change the routing of requests for the Privileged Remote Access site at the NAT device from the primary BeyondTrust PRA Appliance to the backup BeyondTrust PRA Appliance. | Links and processes referencing your site domain or IP address do not need to be changed and are served by the backup BeyondTrust Appliance. Does not suffer from the propagation time of a DNS entry change. Can be used in sites that are on different subnets. | Requires a change to networking equipment configuration that is coordinated with changes to the failover roles in the /login interface. |
When the primary BeyondTrust Appliance in a failover cluster fails and the backup appliance takes the primary role, any connection agents for the primary appliance dynamically connect with the new primary, regardless of the failover method. No restart of the client or its host is needed; however, it is important that DNS, network, and firewall systems allow traffic from the connection agent to the backup appliance in addition to the primary. These agents use the HTTPS protocol over TCP 443 to make their connections.
To configure a valid connection, both appliances must have identical Inter-Appliance keys. Go to /login > Management > Security to verify the key for each appliance.
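The consistency rules above (one primary role, shared IP enabled only on the primary, DNS or NAT target matching the primary, and TCP 443 reachable on both appliances for the connection agents) can be checked before and after a failover. The following is an added example written for this page, not BeyondTrust code; the `Appliance` and `FailoverState` structures, the role and method names, and the sample addresses are assumptions, and `probe_tcp443` is an optional live helper for filling in the reachability map.

```python
"""Readiness check for PRA appliance failover (assumed model, not vendor code)."""
from dataclasses import dataclass, field
import socket


@dataclass
class Appliance:
    name: str
    ip: str
    role: str                        # "primary" or "backup", as set in /login > Management > Failover
    shared_ip_enabled: bool = False  # only meaningful for the Shared IP method


@dataclass
class FailoverState:
    method: str                      # "shared_ip", "dns_swing" or "nat_swing"
    appliances: list
    site_target_ip: str              # IP the site hostname resolves to (DNS) or the NAT device forwards to
    # appliance name -> True if TCP 443 is reachable from the connection-agent network
    agent_reachable_443: dict = field(default_factory=dict)


def check_failover(state):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    primaries = [a for a in state.appliances if a.role == "primary"]
    if len(primaries) != 1:
        return ["exactly one appliance must hold the primary role"]
    primary = primaries[0]
    if state.method == "shared_ip":
        enabled = [a.name for a in state.appliances if a.shared_ip_enabled]
        if len(enabled) > 1:  # both appliances answering on the shared IP -> IP conflict
            findings.append("IP conflict: shared IP enabled on " + ", ".join(enabled))
        elif enabled != [primary.name]:
            findings.append("shared IP must be enabled on the primary appliance only")
    elif state.method in ("dns_swing", "nat_swing"):
        if state.site_target_ip != primary.ip:  # network change not coordinated with /login roles
            findings.append(f"{state.method}: site traffic goes to {state.site_target_ip}, primary is {primary.ip}")
    else:
        findings.append(f"unknown failover method: {state.method}")
    for a in state.appliances:  # agents must reach the backup as well as the primary
        if not state.agent_reachable_443.get(a.name, False):
            findings.append(f"connection agents cannot reach {a.name} on TCP 443")
    return findings


def probe_tcp443(host, timeout=3.0):
    """Live TCP 443 probe for one appliance, used to populate agent_reachable_443."""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False
```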