Set Up a Shared IP Address for Failover Appliance Configuration
In this configuration, the hostname of the support site and IP address that is used to represent it remain constant. Both Secure Remote Access Appliances share that IP in the /appliance interface, but only the Secure Remote Access Appliance that is acting as primary has that IP enabled. The backup Secure Remote Access Appliance does not use that IP unless it becomes primary.
Configure Networking on the Appliances
Log into the /appliance administrative interface for your primary appliance, accessible from either its unique hostname or IP address (e.g., https://site1. example.com/appliance or https://184.108.40.206/appliance).
Go to the Networking > IP Configuration page, click Add New IP, and enter the IP and subnet mask for the shared IP, keeping the IP Enabled. If the appliances' hostnames or IP addresses cannot communicate, you must give each appliance a unique IP address which can reach the other. Unlike the shared IP, the unique IP of each appliance should remain enabled at all times.
Log into the /appliance administrative interface for your backup appliance, accessible from either its unique hostname or IP address (e.g., https:// site2. example.com/appliance or https://220.127.116.11/appliance).
For the backup, go to the Networking > IP Configuration page. If you have not already configured your static IP, click Add New IP and enter the static IP and subnet mask, making sure to keep this IP Enabled. Then click Save Changes. Add the shared IP to this appliance following these same steps and disable the shared IP for the backup appliance to prevent an IP conflict on the network.
From the Primary/Backup Site Instance Configuration section in the /login interface, you control the IP addresses which the site instance uses if a failover event occurs. This must be set to the shared failover IP on both the primary and the backup appliances. Once this is set, the primary site in the failover relationship will enable the IP you selected. The backup site will disable that IP when the roles change.
Because traffic from BeyondTrust security providers can flow out of any IP address on a Secure Remote Access Appliance, it is important to ensure the network firewall allows access from all BeyondTrust IP addresses on both appliances in failover to the necessary authentication systems. For example, when two appliances in shared IP failover are configured to authenticate users on an Active Directory (AD) server using LDAPS port 636, the firewall between the appliances and the AD server must allow traffic over TCP 636 to pass from any of the IP addresses on either appliance in order to insure reliable authentication performance.
Example Shared IP Configuration
|Primary Appliance||Backup Appliance|
|Definition||The appliance used during normal operations.||The appliance used during failover operations.|
|Hostname/IP Address||site1.example.com (18.104.22.168)||site2.example.com (22.214.171.124)|
|Site Name/Shared IP||support.example.com (126.96.36.199)|