Set Up a Shared IP Address for Failover Appliance Configuration
In this configuration, the hostname of the support site and IP address that is used to represent it remain constant. Both Secure Remote Access Appliances share that IP in the /appliance interface, but only the Secure Remote Access Appliance that is acting as primary has that IP enabled. The backup Secure Remote Access Appliance will not use that IP unless it becomes primary.
Configure Networking on the Appliances
Log into the /appliance administrative interface for your primary appliance, accessible from either its unique hostname or IP address (e.g., https://site1.example.com/appliance or https://188.8.131.52/appliance).
Go to the Networking > IP Configuration page, click Add New IP, and enter the IP and subnet mask for the shared IP, keeping the IP Enabled. If the appliances cannot communicate with each other using their existing unique hostnames or IP addresses, add a unique IP address to each appliance that is reachable from the other. Unlike the shared IP, the unique IP of each appliance should remain enabled at all times.
Log into the /appliance administrative interface for your backup appliance, accessible from either its unique hostname or IP address (e.g., https://site2.example.com/appliance or https://184.108.40.206/appliance).
For the backup, go to the Networking > IP Configuration page. If you have not already configured your static IP, click Add New IP and enter the static IP and subnet mask, making sure to keep this IP Enabled. Then click Save Changes. Add the shared IP to this appliance following these same steps, and disable the shared IP on the backup appliance to prevent an IP conflict on the network.
From the /login interface section Failover :: Primary/Backup Site Instance Configuration, you select via checkbox the IP addresses that the site instance uses if a failover event occurs. This must be set to the shared failover IP on both the primary and the backup appliances. Once this is set, the primary site in the failover relationship will enable the IP you selected, and the backup site will disable that IP when the roles change.
Because traffic from BeyondTrust Security Providers can flow out of any IP address on a Secure Remote Access Appliance, it is important to ensure the network firewall allows access from all BeyondTrust IP addresses on both appliances in failover to the necessary authentication systems. For example, when two appliances in shared IP failover are configured to authenticate users on an Active Directory (AD) server using LDAPS port 636, the firewall between the Secure Remote Access Appliances and the AD server must allow traffic over TCP 636 to pass from any of the IP addresses on either Secure Remote Access Appliance in order to ensure reliable authentication performance.
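The following is an added example, not BeyondTrust code: it models the per-appliance IP state from Networking > IP Configuration and checks the rules stated above (shared IP configured on both appliances but enabled only on the primary, unique IPs always enabled), then lists every address the firewall must permit toward the authentication server. The appliance names and 192.0.2.x addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Appliance:
    name: str
    ips: dict  # address -> enabled flag, as shown on Networking > IP Configuration
    role: str  # "primary" or "backup"


def check_shared_ip_config(appliances, shared_ip):
    """Return a list of problems; an empty list means the state matches the failover rules."""
    problems = []
    enabled_on = [a.name for a in appliances if a.ips.get(shared_ip) is True]
    # Shared IP enabled on more than one appliance is the IP conflict the page warns about.
    if len(enabled_on) > 1:
        problems.append(f"shared IP {shared_ip} enabled on {enabled_on}: IP conflict")
    for a in appliances:
        if shared_ip not in a.ips:
            problems.append(f"{a.name}: shared IP {shared_ip} is not configured")
        elif a.role == "primary" and not a.ips[shared_ip]:
            problems.append(f"{a.name}: primary must have the shared IP enabled")
        elif a.role == "backup" and a.ips[shared_ip]:
            problems.append(f"{a.name}: backup must keep the shared IP disabled")
        unique = [ip for ip in a.ips if ip != shared_ip]
        if not unique:
            problems.append(f"{a.name}: needs a unique IP reachable from the other appliance")
        for ip in unique:
            if not a.ips[ip]:
                problems.append(f"{a.name}: unique IP {ip} must stay enabled")
    return problems


def firewall_sources(appliances):
    """Every address on either appliance, enabled or not, must be allowed to the
    authentication server (e.g. TCP 636 to AD), because the backup enables the
    shared IP only after a role change."""
    return sorted({ip for a in appliances for ip in a.ips}, key=IPv4Address)


# Constructed sample state: shared IP 192.0.2.10 enabled on the primary only.
SHARED_IP = "192.0.2.10"
PRIMARY = Appliance("site1", {"192.0.2.11": True, SHARED_IP: True}, "primary")
BACKUP = Appliance("site2", {"192.0.2.12": True, SHARED_IP: False}, "backup")

if __name__ == "__main__":
    print(check_shared_ip_config([PRIMARY, BACKUP], SHARED_IP))  # []
    print(firewall_sources([PRIMARY, BACKUP]))
```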
Example Shared IP Configuration
| | Primary Appliance | Backup Appliance |
| Definition | The appliance used during normal operations. | The appliance used during failover operations. |
| Hostname/IP Address | site1.example.com (220.127.116.11) | site2.example.com (18.104.22.168) |
| Site Name/Shared IP | support.example.com (22.214.171.124), shared by both appliances | |