
Hello,

I am currently implementing PRA failover using the guide available at BeyondTrust PRA Failover Documentation, and I have a few questions that I hope you can help with:

  1. I’ve attached our network diagram. Based on the failover guide, it seems that the only applicable method for our setup is DNS Swing. This is because the two appliances are located in separate data centers with different IP schemas, making the Shared IP method unfeasible. Additionally, since the data centers have different public IP addresses, NAT Swing would not work either. Could you please confirm if my understanding is correct?

  2. Regarding DNS Swing:

    • When the primary PRA fails, do I need to manually log in to the DNS server and update the domain name to point to the backup PRA's public IP address?

    • Do I also need to log in to the backup PRA to change its role to primary, and conversely, log in to the original primary PRA (once recovered) to switch its role to backup?

  3. The guide mentions the following note:
    "In order to use BeyondTrust's built-in automatic failover, your two B Series Appliances must be on the same subnet. If you wish to use automatic failover with B Series Appliances on different networks, you must use the failover API."
    However, I was unable to locate any documentation regarding the use of the failover API. Could you please share a link or resource for configuring failover using this API?

Thank you very much for your help!

 

Andy, thanks for the failover questions.  Regarding FO, DNS swing looks to be the method you’ll need to configure.

  • DNS should always follow your PRA deployment.  For example, if your primary appliance is down and automatic failover is configured in /login, a failover event will occur and the secondary appliance will become the primary.  You will then need to update or “swing” DNS to resolve to the IP address of the newly promoted appliance.  Once DNS has propagated the change, traffic should be resolving to the newly promoted master appliance.
  • If you do not have automatic failover enabled, then you would need to log into the secondary appliance and perform the failover function manually.  Once completed, you’ll need to update DNS as above.  Also, be sure to look at our failover best practices, this should help you as well - https://docs.beyondtrust.com/pra/docs/failover
  • Regarding the failover API, see https://docs.beyondtrust.com/pra/reference/command-api#set_failover_role

 

Regards,

Todd


Thanks, @tdearman. When do I need to use the failover API? If automatic failover is configured in /login, do I still need to use the failover API? Thanks,


Andy, the API is simply an option to manual and automatic failover.

If auto failover is enabled, there’s no action needed from you in the event the primary goes down.  The software will do the process, you simply need to update DNS to follow the software.

If auto failover is not configured, you will need to manually failover by using the option in /login > Failover or use the API.

 

Hope this clarifies.
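The DNS swing step described in the replies above can be checked after a failover with a short script. This is an added example, not BeyondTrust code or part of the original posts; the hostname, the two IP addresses and every function name are constructed placeholders, and it only reports what the local resolver returns.

```python
import socket
import time

def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def swing_state(resolved, promoted_ip, demoted_ip):
    """Classify a resolver answer against the two appliance addresses."""
    if not resolved:
        return "no-answer"
    if resolved == {promoted_ip}:
        return "swung"       # every answer points at the newly promoted appliance
    if demoted_ip in resolved:
        return "stale"       # old record still sends sessions to the failed primary
    return "unexpected"      # answer includes an address that is neither appliance

def wait_for_swing(hostname, promoted_ip, demoted_ip, resolver=resolve_ipv4,
                   attempts=10, delay=30, sleep=time.sleep):
    """Poll until the name resolves only to the promoted appliance.

    Returns (final_state, history); history holds the state seen on each attempt.
    """
    history = []
    for attempt in range(attempts):
        try:
            state = swing_state(resolver(hostname), promoted_ip, demoted_ip)
        except socket.gaierror:
            state = "no-answer"
        history.append(state)
        if state in ("swung", "unexpected"):
            break  # finished, or a problem that waiting on caches will not fix
        if attempt < attempts - 1:
            sleep(delay)
    return history[-1], history

if __name__ == "__main__":
    # Constructed values: placeholder hostname and documentation-range addresses.
    SITE = "pra.example.com"
    BACKUP_DC_IP = "198.51.100.20"   # appliance just promoted to primary
    PRIMARY_DC_IP = "192.0.2.10"     # appliance that failed
    print(wait_for_swing(SITE, BACKUP_DC_IP, PRIMARY_DC_IP))
```

A final state of "stale" after all attempts means the record was not updated or its TTL has not yet expired; "unexpected" means the name resolves to an address that belongs to neither appliance and should be investigated before users reconnect.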

