Imprivata Agent Failover
If all servers in the home site become unavailable, then agents switch to using a failover site (if specified). After a failover has been completed, the session preserves the connection to the appliance in the failover site for the duration of the session lifetime.
After appliances in the home site become available again, new sessions authenticated on computers that belong to this site start connecting to the home site again. However, active sessions do not automatically switch back. To force active sessions to reconnect to their agent home sites, users must lock and unlock their session, or log out and log back in.
Designating Primary and Secondary Failover Sites
For each site in your Imprivata enterprise, you can designate:
- a primary failover site and a secondary failover site
- a primary failover site but not a secondary failover site
- no failover sites
NOTE: For G4 (fourth generation) enterprises, more than two sites are not needed, so secondary failover sites are also not needed, as explained in Imprivata Sites for G4 Enterprises. Therefore, for G4 enterprises with two sites, you typically specify a only primary failover site, and for G4 enterprises with only one site, you specify no failover sites.
Go to the Sites page in the Imprivata Admin Console (gear icon > Sites) and click on the site name to open the site record, where you can set the site’s failover sites.
You do not specify failover rules at an appliance level. Imprivata agents automatically fail over to appliances within the same site first, and only if unable to connect to any appliance in the same site, then fail over to an appliance within any failover sites specified.
Users may have to reauthenticate when failing over to an appliance in another site. The user experience depends on how the user policy is configured for challenges when the Imprivata agent transitions from offline mode to online mode:
- If a challenge is always required, users must reauthenticate when failing over to an appliance in another site.
- If a challenge is not required within the specified grace period, and the grace period has not expired, users do not have to reauthenticate when failing over to an appliance in another site.
NOTE: For complete details, see "Challenging Users Coming Online" in User Challenges.
Agent Connection/Failover within a Site
Each Imprivata site includes a range of IP addresses for the computers that it services. Computers within that range always connect to the appliances in that site as long as any appliance within that site is active.
Connection and failover are random.
- When an Imprivata agent comes online, it connects randomly to any appliance within that site.
- If a connection cannot be made to the selected appliance, or if an appliance fails in a site that includes multiple appliances, then the agent fails over randomly to other appliances within that site. Failover is seamless to the user. No agent switches to another appliance during an active session unless it loses the connection to its assigned appliance.
For both connection and failover connection, there is no difference if an appliance is a database appliance or service appliance in a G4 (fourth generation) enterprise. Agents connect equally to database appliances and service appliances in a G4 enterprise.
Agent Failover Between Sites
If all appliances in a site fail, then agents in that site fail over to the designated failover site.
The following table represents a potential agent connectivity/failure in a distributed environment for a G4 enterprise. Disaster recovery (hot standby) sites are not needed and are not optimal for G4 enterprises, as explained in Imprivata Sites for G4 Enterprises, so that site is omitted.
|
Site Name |
IP Address Ranges |
Appliances |
Failover Rules |
|---|---|---|---|
|
Dallas |
172.16.8.0-172.16.10.255 |
dal1.yourco.com dal2.yourco.com |
Primary-Chicago Secondary-None |
|
Chicago |
172.16.11.0-172.16.11.127 172.16.12.0-172.16.12.255 |
chi1.yourco.com |
Primary-Dallas Secondary-None |
Agent Secondary Failover
For G4 enterprises, secondary failover sites are not needed, as described above in
Agent Connection Examples
Example 1
Workstation 1 (207.46.100.105) will establish a connection with Site 1 (randomly selecting one of the servers) while Workstation 2 (207.46.200.12) will connect to Site 2 according to IP addresses assigned to the workstation.
|
Site Name |
IP Address Ranges |
Appliances |
Failover Rules |
|---|---|---|---|
|
Site 1 |
207.46.100.1 – 207.46.100.255 | Server 1-1: 207.46.100.1 Server 1-2: 207.46.100.2 |
Failover Disabled |
| Site 2 | 207.46.200.1 – 207.46.200.255 | Server 2-1: 207.46.200.1 |
Primary Failover to Site 1 No Secondary Failover Site |
If Server 1-1 becomes unavailable, the agent on Workstation 1 will switch to the other server in Site 1.
If Server 1-2 goes down as well, the agent goes offline, because:
- there are no failover sites defined for Site 1, and
- the agent's IPTXPrimServer server and Server 1-2 are in fact the same appliance, and
- the agent already tried to connect to it once.
If all servers are up again, and Workstation 2 is connected to Server 2-1. If Server 2-1 goes offline, a failover occurs to one of the servers in Site 1: Site 1 is designated as the failover site for Site 2.
After Server 2-1 becomes available again, the existing session on Workstation 2 does not immediately fail back. Once the user locks and unlocks, or logs out and logs back in, a new connection is established within Site 2, as it is the home site for Workstation 2.
Example 2
Although the workstation’s IP address (10.10.1.1) does not fall into the ranges of any of the sites, the route table contains a non-default route to 207.46.100.255: that covers the IP range for Site 1. Site 1 is considered to be the home site.
|
Site Name |
IP Address Ranges |
Appliances |
Failover Rules |
|---|---|---|---|
|
Site 1 |
207.46.100.1 – 207.46.100.255 | Server 1-1: 207.46.100.1 Server 1-2: 207.46.100.2 |
Failover Disabled |
| Site 2 | 207.46.200.1 – 207.46.200.255 | Server 2-1: 207.46.200.1 | Failover to Site 1 |
Example 3
NOTE: This example applies mainly to G3 enterprises. Although it can also apply to G4 enterprises, the use of more than two sites for a G4 enterprise is not needed, as described in Imprivata Sites for G4 Enterprises.
If the single server in Site 1 is available, the agent will establish a connection to this site.
|
Site Name |
IP Address Ranges |
Appliances |
Failover Rules |
|---|---|---|---|
|
Site 1 |
207.46.100.1 – 207.46.100.255 | Server 1-1: 207.46.100.1 | Failover to Site 2 |
| Site 2 | 207.46.200.1 – 207.46.200.255 | Server 2-1: 207.46.200.1 |
Primary Failover to Site 1 No Secondary Failover Site |
| Site 3 | 207.46.300.1 – 207.46.300.255 | Server 3-1: 207.46.300.1 Server 3-2: 207.46.300.2 |
Failover to Site 1 |
If Server 1-1 in Site 1 becomes unavailable, there are no available servers in the home site. In this case failover occurs and the agent tries to connect to a server in Site 2, which is designated the failover site for Site 1.
If Server 2-1 becomes unavailable as well, the final connection attempt is to this agent's designated IPTXPrimServer.
Failover site(s) for Site 2 (its only failover site is Site 1) are disregarded in this example, as the agent does not belong to Site 2 according to its IP configuration. If the final attempt to connect to its IPTXPrimServer succeeds, and the agent establishes a connection, the agent considers itself to be temporarily connected to a server in Site 3. If, for some server-related reason, the agent fails to send data to the original server in this site (Server 3-1), it attempts to switch to another server within Site 3. This is only valid for a failure that occurs on behalf of an existing session running on Server 3-1.
If a new session is about to be created, the agent effectively goes offline (or fails to authenticate if there is no offline authentication data), exhausting the connection choices in the following order:
- servers in home site;
- servers in failover site(s);
- the agent's designated IPTXPrimServer.
