Set Up a Shared IP Address for PRA Failover Appliance Configuration
In this configuration, the hostname of the Privileged Remote Access site and the IP address that represents it remain constant across a failover. Both BeyondTrust Appliances have that shared IP configured in the /appliance interface, but it is enabled only on the appliance currently acting as primary. The backup BeyondTrust Appliance keeps the shared IP disabled until it becomes primary.
Configure Networking on the Appliances
Log into the /appliance administrative interface for your primary appliance, accessible from either its unique hostname or IP address (e.g., https://site1.example.com/appliance or https://184.108.40.206/appliance).
Go to the Networking > IP Configuration page, click Add New IP, and enter the IP and subnet mask for the shared IP, keeping the IP Enabled. If the two appliances cannot reach each other over their existing unique hostnames or IP addresses, add to each appliance a unique IP address that is reachable from the other. Unlike the shared IP, the unique IP of each appliance must remain enabled at all times, because it is what the peer uses to communicate with it.
Log into the /appliance administrative interface for your backup appliance, accessible from either its unique hostname or IP address (e.g., https://site2.example.com/appliance or https://220.127.116.11/appliance).
On the backup, go to the Networking > IP Configuration page. If the backup's own static (unique) IP is not yet configured, click Add New IP, enter that IP and subnet mask, keep it IP Enabled, and click Save Changes. Then add the shared IP to the backup in the same way, but leave the shared IP disabled on the backup. If both appliances had the shared IP enabled at the same time, they would both answer for the same address and cause an IP conflict on the network.
In the Failover :: Primary/Backup Site Instance Configuration section of the /login interface, checkboxes select which IP addresses the site instance enables or disables when a failover event occurs. Select the shared failover IP on both the primary and the backup appliances. Once this is set, the appliance holding the primary role enables the selected IP, and the appliance that moves to the backup role disables it when the roles change.
Because traffic from BeyondTrust security providers can leave from any IP address configured on a BeyondTrust PRA Appliance, the network firewall must allow access from every BeyondTrust IP address on both appliances in the failover pair (unique and shared, whether or not the shared IP is currently enabled) to the necessary authentication systems. For example, when two appliances in shared IP failover authenticate users against an Active Directory (AD) server using LDAPS on port 636, the firewall between the BeyondTrust PRA Appliances and the AD server must allow TCP 636 from any of the IP addresses on either BeyondTrust appliance to ensure reliable authentication after a role change.
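The following is an added example and not BeyondTrust's own code: a small pre-flight check that models the settings from the steps above (the per-appliance IP Configuration list with its IP Enabled flag, and the failover IP selection) and reports the misconfigurations those steps warn about, then derives the firewall allow list the paragraph above calls for. The data model, hostnames and the 192.0.2.0/24 addresses are constructed for illustration; the check does not talk to any appliance.

```python
# Added example (not BeyondTrust's own code): sanity-check a shared-IP
# failover pair and list the source IPs the firewall in front of AD must allow.
# Hostnames, addresses and the data model are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Appliance:
    hostname: str
    # Networking > IP Configuration: address -> state of the "IP Enabled" box
    ips: dict = field(default_factory=dict)
    # Failover :: Site Instance Configuration: addresses ticked for failover
    failover_ips: set = field(default_factory=set)

    def enabled_unique_ips(self, shared_ip):
        """Addresses other than the shared one that are currently enabled."""
        return [ip for ip, enabled in self.ips.items() if enabled and ip != shared_ip]


def check_shared_ip_pair(primary, backup, shared_ip):
    """Return a list of problems; an empty list means the pair matches the procedure."""
    ipaddress.ip_address(shared_ip)  # raises ValueError on a malformed address
    problems = []
    for app in (primary, backup):
        if shared_ip not in app.ips:
            problems.append(f"{app.hostname}: shared IP {shared_ip} is not configured")
        if shared_ip not in app.failover_ips:
            problems.append(f"{app.hostname}: shared IP {shared_ip} is not selected for failover")
        if not app.enabled_unique_ips(shared_ip):
            problems.append(f"{app.hostname}: no enabled unique IP, the peer cannot reach it")
    # The shared IP is live on the primary only; enabled on both is an IP conflict.
    if primary.ips.get(shared_ip) is False:
        problems.append(f"{primary.hostname}: shared IP {shared_ip} is disabled on the primary")
    if backup.ips.get(shared_ip) is True:
        problems.append(f"{backup.hostname}: shared IP {shared_ip} is enabled on the backup too (IP conflict)")
    # The two appliances' unique addresses must not collide either.
    overlap = set(primary.enabled_unique_ips(shared_ip)) & set(backup.enabled_unique_ips(shared_ip))
    for ip in sorted(overlap, key=ipaddress.ip_address):
        problems.append(f"unique IP {ip} is enabled on both appliances (IP conflict)")
    return problems


def auth_firewall_sources(primary, backup):
    """Every address on either appliance, enabled or not: authentication
    traffic may leave from any of them, so the AD-facing firewall must allow all."""
    return sorted({ip for app in (primary, backup) for ip in app.ips}, key=ipaddress.ip_address)


def ldaps_allow_rules(primary, backup, ad_server, port=636):
    """(source, destination, protocol, port) tuples to feed into the firewall policy."""
    return [(src, ad_server, "tcp", port) for src in auth_firewall_sources(primary, backup)]


# Constructed sample pair following the procedure: shared IP configured on both,
# enabled on the primary only, selected for failover on both.
SHARED_IP = "192.0.2.10"
PRIMARY = Appliance("site1.example.com", {"192.0.2.1": True, SHARED_IP: True}, {SHARED_IP})
BACKUP = Appliance("site2.example.com", {"192.0.2.2": True, SHARED_IP: False}, {SHARED_IP})

if __name__ == "__main__":
    for line in check_shared_ip_pair(PRIMARY, BACKUP, SHARED_IP) or ["configuration OK"]:
        print(line)
    for rule in ldaps_allow_rules(PRIMARY, BACKUP, "192.0.2.53"):
        print("allow", *rule)
```

Running it on the sample pair prints "configuration OK" followed by three LDAPS allow rules, one per address on either appliance (both unique IPs and the shared IP). Flipping the backup's shared IP to enabled makes the check report the IP conflict the procedure tells you to avoid.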
Example Shared IP Configuration
| | Primary Appliance | Backup Appliance |
|---|---|---|
| Definition | The appliance used during normal operations. | The appliance used during failover operations. |
| Hostname/IP Address | site1.example.com (18.104.22.168) | site2.example.com (22.214.171.124) |
| Site Name/Shared IP | access.example.com (126.96.36.199) | access.example.com (126.96.36.199), same shared IP, disabled until the backup becomes primary |