Set Up a Shared IP Address for PRA Failover B Series Appliance Configuration
In this configuration, the hostname of the Privileged Remote Access site and IP address that is used to represent it remain constant. Both B Series Appliances share that IP in the /appliance interface, but only the B Series Appliance that is acting as primary has that IP enabled. The backup B Series Appliance does not use that IP unless it becomes primary.
Configure Networking on the B Series Appliances
Log into the /appliance administrative interface for your primary B Series Appliance, accessible from either its unique hostname or IP address (e.g., https://site1. example.com/appliance or https://220.127.116.11/appliance).
Go to the Networking > IP Configuration page, click Add New IP, and enter the IP and subnet mask for the shared IP, keeping the IP Enabled. If the B Series Appliances' hostnames or IP addresses cannot communicate, you must give each B Series Appliance a unique IP address which can reach the other. Unlike the shared IP, the unique IP of each B Series Appliance should remain enabled at all times.
Log into the /appliance administrative interface for your backup B Series Appliance, accessible from either its unique hostname or IP address (e.g., https:// site2. example.com/appliance or https://18.104.22.168/appliance).
For the backup, go to the Networking > IP Configuration page. If you have not already configured your static IP, click Add New IP and enter the static IP and subnet mask, making sure to keep this IP Enabled. Then click Save Changes. Add the shared IP to this B Series Appliance following these same steps and disable the shared IP for the backup B Series Appliance to prevent an IP conflict on the network.
From the Primary/Backup Site Instance Configuration section in the /login interface, you control the IP addresses which the site instance uses if a failover event occurs. This must be set to the shared failover IP on both the primary and the backup B Series Appliances. Once this is set, the primary site in the failover relationship will enable the IP you selected. The backup site will disable that IP when the roles change.
Because traffic from BeyondTrust security providers can flow out of any IP address on a B Series Appliance, it is important to ensure the network firewall allows access from all BeyondTrust IP addresses on both B Series Appliances in failover to the necessary authentication systems. For example, when two B Series Appliances in shared IP failover are configured to authenticate users on an Active Directory (AD) server using LDAPS port 636, the firewall between the B Series Appliances and the AD server must allow traffic over TCP 636 to pass from any of the IP addresses on either B Series Appliance in order to insure reliable authentication performance.
Example Shared IP Configuration
|Primary B Series Appliance||Backup B Series Appliance|
|Definition||The B Series Appliance used during normal operations.||The B Series Appliance used during failover operations.|
|Hostname/IP Address||site1.example.com (22.214.171.124)||site2.example.com (126.96.36.199)|
|Site Name/Shared IP||access.example.com (188.8.131.52)|