Methods of Network Configuration for B Series Appliance Failover

BeyondTrust customer clients and representative consoles are built to attempt connection to the B Series Appliance at a specific address. To make the clients connect to the backup B Series Appliance instead of the normal primary B Series Appliance, a network change must be made to reroute the traffic to its new destination. There are currently three methods supported to achieve this goal, each with advantages and disadvantages.

Method: Shared IP
Description: In this configuration, the hostname of the support site and IP address that is used to represent it remain constant. Both B Series Appliances share that IP in the /appliance interface, but only the B Series Appliance that is acting as primary has that IP enabled. The backup B Series Appliance will not use that IP unless it becomes primary.
Pros: No network equipment configuration change. Links and processes referencing your support site domain or IP address will be adjusted properly based on roles and will be served by the backup B Series Appliance. Once the backup B Series Appliance is redefined as the primary and the shared IP is enabled, the backup B Series Appliance will take the place of the primary. Does not suffer from the propagation time lag as a DNS entry change would.
Cons: Potential for IP conflict if the shared IP is enabled on both B Series Appliances. If both B Series Appliances are online and conflicted, go back to /login > Management > Failover and reconfigure the settings so that the roles are accurately set.

Method: DNS Swing
Description: Change the DNS entry for your support site from the IP address for the primary B Series Appliance to the IP address of the backup B Series Appliance. Since DNS changes must propagate through your network, this change might require some time.
Pros: Links and processes referencing your support site domain do not need to be changed and are served by the backup B Series Appliance. Can be used in sites that are on different subnets.
Cons: Requires a change to networking equipment configuration that coordinates with changes to the failover roles in the /login interface. The DNS entry change takes some time to propagate depending on the DNS record time to live. Until the new DNS entry is propagated, users may not be able to reach the site.

Method: NAT Swing
Description: Change the routing of requests for the support site at the NAT device from the primary B Series Appliance to the backup B Series Appliance.
Pros: Links and processes referencing your support site domain or IP address do not need to be changed and are served by the backup B Series Appliance. Does not suffer from the propagation time as a DNS entry change would. Can be used in sites that are on different subnets.
Cons: Requires a change to networking equipment configuration that coordinates with changes to the failover roles in the /login interface.

When the primary B Series Appliance in a failover cluster fails and the backup B Series Appliance takes the primary role, any connection agents for the primary B Series Appliance dynamically connect with the new primary, regardless of the failover method. No restart of the client or its host is needed; however, it is important that DNS, network, and firewall systems allow traffic from the connection agent to the backup B Series Appliance in addition to the primary. These agents use the HTTPS protocol over TCP 443 to make their connections.
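A readiness check for the requirement above, run from a host where a connection agent lives. This is an added example, not BeyondTrust code: the function names, the command-line arguments and the idea of an "expected site address" set are assumptions made for illustration. It only proves DNS resolution and TCP 443 reachability, not that the HTTPS session itself succeeds.

```python
import socket
import sys

def check_tcp(host, port=443, timeout=3.0):
    """Try a TCP connection; return (reachable, failure_reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"

def resolve(hostname):
    """Return the sorted set of addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def failover_readiness(site, appliances, expected_site_ips, port=443,
                       resolver=resolve, probe=check_tcp):
    """Return a list of findings; an empty list means this host can follow a failover.

    appliances: {"primary": ip, "backup": ip}, each appliance's own address.
    expected_site_ips: addresses the site name may legitimately resolve to
    (the shared IP, the NAT address, or either appliance for a DNS swing).
    """
    findings = []
    for role, ip in appliances.items():
        ok, reason = probe(ip, port)
        if not ok:
            findings.append(f"{role} appliance {ip}:{port} unreachable ({reason})")
    resolved = resolver(site)
    if not resolved:
        findings.append(f"{site} does not resolve from this host")
    for ip in resolved:
        if ip not in expected_site_ips:
            findings.append(f"{site} resolves to unexpected address {ip}")
    return findings

if __name__ == "__main__" and len(sys.argv) == 4:
    # usage: script.py SITE_HOSTNAME PRIMARY_IP BACKUP_IP  (DNS swing assumed)
    site, primary, backup = sys.argv[1:4]
    problems = failover_readiness(site, {"primary": primary, "backup": backup},
                                  {primary, backup})
    print("\n".join(problems) or "ready: both appliances reachable on TCP 443")
    sys.exit(1 if problems else 0)
```

Running it before a planned failover, from each network segment that hosts agents, shows firewall rules that permit the primary but silently block the backup.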

To configure a valid connection, both B Series Appliances must have identical Inter-Appliance keys. Go to /login > Management > Security to verify the key for each B Series Appliance.