• Secure Mobile Access 12.4
• About This Guide
• CMS Configuration
  • Introduction to CMS
    • Overview
    • CMS Deployment Options
    • What’s New in This Release
      • Global Policy Settings
      • CMS Alerts Logging
    • Central Management Server
    • Central Management Console
    • Managed Appliances
    • Licensing CMS
    • Central User Licenses
    • Global Traffic Optimizer
    • FIPS and CMS
    • Getting Started in Five Steps
  • Installing and Configuring the Central Management Server
    • Overview
    • Kernel based Virtual Machine
    • Supported Platforms for CMS with Global HA
    • Hardware Resource Requirements
    • Installation Files
    • Setting Up a CMS
  • Configuring Appliances for Central Management
    • Overview
    • Firmware Compatibility with the CMS
    • Enabling Central Management on SMA Appliance
    • Registering an SMA Appliance with the CMS
    • Previously Configured Appliances
  • Using the Management Console Menus
    • Overview
    • Dashboard
      • Alerts
      • Appliances Pane
      • Appliance Load
      • Central License Usage Pane
      • About Pane
    • Management Server
      • Alerts
        • View Alerts
        • Configure Alerts
        • Notification
      • Configure
        • Central Management Settings
        • CMS Address Pool
        • Licensing
        • Administrators
          • General Settings
        • Network Settings
        • SSL Settings
        • Services
          • Manage SSH settings from CMS
      • Monitor
        • Configure the logging setting for Managed appliances
      • Maintain
    • Managed Appliances
      • Add/Remove
      • Configure
        • Overview
        • Configuring the Managed Appliances
          • Define Policy
          • Synchronize
        • Support multiple policies with CMS and shared licensing
          • Applying authentication servers to specific appliance
          • Applying SMTP configuration service to specific appliance
          • Applying SMS service to specific appliance
          • Applying realms to a subset of appliance
          • Assign rules to a subset of appliances
          • Support multiple GTO services
      • Monitor
        • User Sessions
        • Reports
        • Health
      • Maintain
  • Central User Licensing
    • Overview
    • How Central User Licenses Work
      • Central Spike User Licenses
      • Central Email Licenses
      • Perpetual Pooled Licenses
    • Enabling Central User Licensing
    • Getting Started with Central User Licensing
      • Setting Up CMS to Use Central User Licenses
      • Setting up CMS for Centralized Appliance Configuration and Management
      • Resetting a CMS License
  • Global High Availability
    • High Availability of the VPN Service
    • High Availability of the CMS
    • Disaster Recovery for the VPN Service
  • Alerts and SNMP
    • Overview
    • Pre-Configured Alerts
    • Configuring SNMP
  • Capture Advanced Threat Protection
    • Enabling Capture ATP
    • File Options
    • Web Services
    • Advanced Settings
  • Central FIPS Licensing
• Global High Availablity
  • Introduction to Global HA and GTO
  • Planning GTO Deployment
    • Choosing a Deployment Model
    • Minimizing Configuration Differences
    • GTO Service Names and DNS Delegations
    • Provisioning Certificates
      • Let's Encrypt
      • Adding Certificates to SMA Appliances
      • Generating a Certificate Signing Request (CSR)
      • Importing SSL Certificates
  • Setting up GTO
    • Setting up the CMS and SMA appliances
    • Enabling GTO service for managed appliances with the CMS
    • Setting up a Basic GTO Service
    • Monitoring and Configuring GTO
    • Defining the Central Policy
  • Extending GTO Deployment
    • Enabling Cached Credentials
    • Additional Deployment Notes
• SonicWall Support
  • About This Document

Introduction to Global HA and GTO

Global High Availability (Global HA) is a set of SMA features that come together to deliver a highly available VPN service. Global HA presents a collection of SMA appliances to end users through a single service name (for example access.example.com). Global Traffic Optimizer (GTO) is the underlying service that is enabled from the CMS console.

Previously, the benefits provided by GTO could only be achieved by deploying and coordinating an array of separate third-party appliances and services, such as content-distribution-network DNS redirectors, local traffic managers, and load balancers often under separate administrative control. GTO replaces this scenario with a single external DNS delegation, which manages all aspects of user traffic distribution automatically, including license provisioning and leveling.

Remember to keep the DNS port open on the firewall.

Users has consistent sign-on procedure with multiple GTO services name that connects them with the appropriate SMA appliance for their current location and circumstances, and gives them a similar experience every time they use the system anywhere in the world.

GTO makes intelligent routing decisions based on real-time data such as appliance availability, health, load, and geographic location. For example, it will be limit the availability of appliances with heavy utilization in order to optimize the performance of your entire GTO environment. GTO directs user connection requests to an available appliance.

This guide provides instructions on how to deploy CMS with GTO, including DNS configuration and certificate requirements.

Administrators can now better see and understand how GTO selects which appliances are chosen to manage user connections. The DNS TXT annotations will have all the information includes A records, NS records, descriptive text, and SOA records.

The TXT interpreter tool can be invoked by running the following query in any GTO enabled appliance as well as CMS “gtodnstxt --name gto_service_name”.

CMS with GTO

CMS with GTO supports the following services and features:

• Exchange ActiveSync and Outlook Anywhere
• Custom FQDN for access to resources and Workplace sites
• Administration visibility into GTO status from the CMS console
• IPv6

Exchange ActiveSync and Outlook Anywhere

From the CMS console, you can configure Exchange ActiveSync and Outlook Anywhere across all appliances in the GTO service. For example, if the GTO service name is access.example.com the custom FQDN could be mail.example.com.

Mail clients using Exchange ActiveSync or Outlook Anywhere protocol can connect to the GTO service, using a custom FQDN, and experience global traffic Optimizer, such connection to a proximate appliance, improved availability, and load distribution.

Public DNS must be configured for the ActiveSync and Outlook Anywhere FQDN, and the names must similar to the GTO service names.

CMS with GTO supports roaming as follows:

• When an Exchange ActiveSync client connects to a GTO service it may get directed to a different appliance from the last time it connected.
• Exchange ActiveSync clients send credentials with each request and after they get authenticated, they can access the ActiveSync server.
• A new pooled license is issued for each connection.
• The license is released after the ActiveSync connection is terminated.

Custom FQDN for Mapped Resources

You can configure custom FQDNs to backend resources across all appliances in a GTO service, and you can access those resources through the appliances that are part of the GTO service.

Users connecting to custom FQDNs can experience the benefits of GTO:

• GTO connection to a proximate appliance
• Improved availability
• Load distribution

Resources should be accessed with the FQDN name rather than with the IP address.

The public DNS must be configured appropriately for each custom FQDN, in that each custom FQDN name must be similar to the GTO service name. For example, if the GTO service name is access.example.com, the custom FQDN name for Email should be mail.example.com.

The maximum number of custom FQDNs that can be configured for all appliances is the same as that of a standalone SMA appliance. If you are already authenticated to a GTO service, you will need to re-authenticate if you enter a custom FQDN into a Web browser.

You can deploy configurations with the following types custom FQDNs to appliances that are configured for GTO:

• Custom FQDNs that are currently supported on a single appliance.
• Custom FQDN Mapped Resource Access where the backend resource or server is mapped to an external fully qualified domain name (host and domain).
• Workplace site with a domain name that is different from the GTO service domain name.

Viewing GTO Status from the CMS Console

You can view and monitor the following capabilities on the CMC dashboard:

• Appliances successfully enabled for GTO
• Appliances not functioning correctly with GTO
• Appliances that have the recommended certificate SANs for the primary GTO service
• Appliances that do not have the recommended certificate SANs for the primary GTO service
• DNS status of appliances delegated as authoritative servers

GTO and IPv6

• End users on IPv6-only networks can reach SMA appliances with IPv6 addresses through GTO.
• SMA appliances serving as authoritative DNS servers include IPv6 AAAA records in their responses where appropriate.

Deployment Notes

• You should configure a minimum of two SMA appliances and delegate them in DNS as authoritative servers. This minimizes the likelihood that your users ever lose DNS resolution of the GTO service.
• You must enable UDP 53 on your firewall for all traffic that is sent to CMS-managed appliances that are configured as authoritative servers.