Establish the Primary/Backup Failover Relationship Between Two Appliances
BeyondTrust failover enables automatic synchronization of data between two appliances, creating a simplified, two-way process. To start automatically synchronizing site data between two appliances, you must first establish a trusted relationship between them. On the appliance you intend to be primary, go to /login > Management > Failover.
To configure a valid connection, both appliances must have identical Inter-Appliance keys. Please see the /login > Management > Security page to verify the key for each appliance.
Establishing the relationship between the two appliances occurs on the Failover page of the appliance intended to be the primary appliance. The addresses that are entered here will establish the relationship and allow either appliance to connect to each other at any time. The New Backup Site Connection Details tell the primary appliance how to connect to the appliance that will become the backup appliance. The Reverse Connection Details to this Primary Site are given to the backup appliance and tell it how to connect back to this primary appliance. You must use a valid hostname or IP address and TLS port number for these fields. When all of these fields are set, click the Establish Relationship button to attempt to establish the relationship.
Whenever possible, BeyondTrust recommends using the unique IP address of each appliance when configuring these settings.
Once the relationship has been established, extraneous tabs are removed from the backup site.
If you are on the primary appliance, you will see Failover page sections indicating Primary Site Instance. If you are on the backup appliance, you will only see Failover page sections indicating Backup Site Instance. The Backup Settings section refers to settings enabled only when the site instance you are on is the backup site instance.
On the primary appliance's Failover page, the top of the page displays the address and status of the host/primary site and the peer/backup site, as well as the date and time of the last status check. Select Status History to expand or collapse a table of status events that have occurred.
When you establish a new failover relationship, an initial data synchronization automatically occurs. It takes about 60 seconds for the first data sync to begin.
Failover synchronization syncs all user accounts, all /login configuration settings, files in the file store, logs, and recordings. All of this information which exists on the backup appliance will be overwritten by that which resides on the primary appliance.
If the primary appliance is the master node in an Atlas cluster, the backup appliance will automatically become the new backup master node in this cluster.
Synchronization itself may take anywhere from a few seconds to a few hours, depending on the amount of data that needs to be synchronized. The Failover page will list the last date and time of data synchronization when synchronization is completed.
Later, you will set up a schedule for automatic data syncs. However, you may also click the Sync Now button to force synchronization and pull the most current information from the primary appliance into the memory of the backup appliance.
To manually switch appliance roles, click Become Backup from the primary site or Become Primary from the backup site.
If you want to synchronize data from the peer appliance prior to swapping roles, select the checkbox next to the Become Primary or Become Backup button. If this option is selected, all users on the existing primary appliance will be disconnected during the data sync, and no other operations will be available until the swap is complete.
On the primary site instance, you also have the option to become the backup even if the peer appliance cannot be contacted. If this option is unchecked, failover will be canceled if both appliances cannot be kept in sync in terms of their failover roles (one primary and one backup).
For example, if you know the current backup appliance is online but cannot be reached by the primary due to a network connection issue, you may wish to check this option to make the primary the backup before the network connection is restored. In this example, you would also need to access the current backup and make it the primary.
If you want to break the relationship so that the primary appliance is no longer linked to the backup appliance, click the Break Failover Relationship button. Data will no longer be synchronized between the two, and if the primary appliance goes offline, the other appliance will not take over.
This will not remove configuration settings and session data that has already been copied from the primary to the backup.
From Primary Site Instance Configuration, control the shared IP address the site instance uses in the event of a failover by selecting the checkbox for the failover IP address. If you change the relationship between the sites, the checked IP addresses will disable when a primary site becomes a backup, and will enable when a backup becomes a primary site. You should manually mirror the setting on the peer site, as the setting is not shared. Select Save Changes when finished.
From Backup Settings, configure how the appliance should behave when in the backup role. These settings must be configured on both the primary and backup appliances.
Enable or disable backup operations, such as data-syncs and automatic failovers.
Set how long the primary site must be unreachable before failover occurs.
Set how often data should automatically synchronize, as well as the maximum bandwidth that can be used for data syncs.
Enable or disable automatic failover. If disabled, failover must be performed manually.
In order to use BeyondTrust's built-in automatic failover, your two appliances must be on the same subnet. If you wish to use automatic failover with appliances on different networks, you must use the failover API.
You also may enter IP addresses for the backup site to check to determine whether the backup's inability to reach the primary is because the primary is offline or because the backup has lost its network connection.
For more information about failover settings, please see Best Practices for Primary and Backup Environments.
After failover is configured, the primary appliance will send an email alert if no backup appliance pulls its data for a given length of time. This allows you to be aware if relationships have been disrupted. To activate this alert email, enter connection parameters for a working SMTP server on the primary appliance's /login > Management > Email Configuration page. The next synchronization will copy the settings to the backup.
If the backup appliance determines that the primary appliance is down, it will send a series of emails to the Secure Remote Access Appliance administrator notifying them of the failure and counting down the time until automatic failover will occur. The backup appliance will attempt to reach the primary for the length of time specified by the Primary Site Instance Timeout. If it is unable to reach the primary during this time, then the backup will enable the shared IP and will assume the role of primary if automatic shared IP failover is configured; otherwise, you must configure failover manually. As soon as the switch is made, you can resume normal support activity. All requests to your support site will be served by the backup appliance.