Secure Mobile Access 12.4 CMS Administration Guide
- Secure Mobile Access 12.4
- About This Guide
- CMS Configuration
- Introduction to CMS
- Installing and Configuring the Central Management Server
- Configuring Appliances for Central Management
- Using the Management Console Menus
- Central User Licensing
- Global High Availability
- Alerts and SNMP
- Capture Advanced Threat Protection
- Central FIPS Licensing
- Global High Availablity
- SonicWall Support
Introduction to Global HA and GTO
Global High Availability (Global HA) is a set of SMA features that come together to deliver a highly available VPN service. Global HA presents a collection of SMA appliances to end users through a single service name (for example access.example.com). Global Traffic Optimizer (GTO) is the underlying service that is enabled from the CMS console.
Previously, the benefits provided by GTO could only be achieved by deploying and coordinating an array of separate third-party appliances and services, such as content-distribution-network DNS redirectors, local traffic managers, and load balancers often under separate administrative control. GTO replaces this scenario with a single external DNS delegation, which manages all aspects of user traffic distribution automatically, including license provisioning and leveling.
Remember to keep the DNS port open on the firewall.
Users has consistent sign-on procedure with multiple GTO services name that connects them with the appropriate SMA appliance for their current location and circumstances, and gives them a similar experience every time they use the system anywhere in the world.
GTO makes intelligent routing decisions based on real-time data such as appliance availability, health, load, and geographic location. For example, it will be limit the availability of appliances with heavy utilization in order to optimize the performance of your entire GTO environment. GTO directs user connection requests to an available appliance.
This guide provides instructions on how to deploy CMS with GTO, including DNS configuration and certificate requirements.
Administrators can now better see and understand how GTO selects which appliances are chosen to manage user connections. The DNS TXT annotations will have all the information includes A records, NS records, descriptive text, and SOA records.
The TXT interpreter tool can be invoked by running the following query in any GTO enabled appliance as well as CMS “gtodnstxt --name gto_service_name
”.
CMS with GTO
CMS with GTO supports the following services and features:
- Exchange ActiveSync and Outlook Anywhere
- Custom FQDN for access to resources and Workplace sites
- Administration visibility into GTO status from the CMS console
- IPv6
Exchange ActiveSync and Outlook Anywhere
From the CMS console, you can configure Exchange ActiveSync and Outlook Anywhere across all appliances in the GTO service. For example, if the GTO service name is access.example.com the custom FQDN could be mail.example.com.
Mail clients using Exchange ActiveSync or Outlook Anywhere protocol can connect to the GTO service, using a custom FQDN, and experience global traffic Optimizer, such connection to a proximate appliance, improved availability, and load distribution.
Public DNS must be configured for the ActiveSync and Outlook Anywhere FQDN, and the names must similar to the GTO service names.
CMS with GTO supports roaming as follows:
- When an Exchange ActiveSync client connects to a GTO service it may get directed to a different appliance from the last time it connected.
- Exchange ActiveSync clients send credentials with each request and after they get authenticated, they can access the ActiveSync server.
- A new pooled license is issued for each connection.
- The license is released after the ActiveSync connection is terminated.
Custom FQDN for Mapped Resources
You can configure custom FQDNs to backend resources across all appliances in a GTO service, and you can access those resources through the appliances that are part of the GTO service.
Users connecting to custom FQDNs can experience the benefits of GTO:
- GTO connection to a proximate appliance
- Improved availability
- Load distribution
Resources should be accessed with the FQDN name rather than with the IP address.
The public DNS must be configured appropriately for each custom FQDN, in that each custom FQDN name must be similar to the GTO service name. For example, if the GTO service name is access.example.com, the custom FQDN name for Email should be mail.example.com.
The maximum number of custom FQDNs that can be configured for all appliances is the same as that of a standalone SMA appliance. If you are already authenticated to a GTO service, you will need to re-authenticate if you enter a custom FQDN into a Web browser.
You can deploy configurations with the following types custom FQDNs to appliances that are configured for GTO:
- Custom FQDNs that are currently supported on a single appliance.
- Custom FQDN Mapped Resource Access where the backend resource or server is mapped to an external fully qualified domain name (host and domain).
- Workplace site with a domain name that is different from the GTO service domain name.
Viewing GTO Status from the CMS Console
You can view and monitor the following capabilities on the CMC dashboard:
- Appliances successfully enabled for GTO
- Appliances not functioning correctly with GTO
- Appliances that have the recommended certificate SANs for the primary GTO service
- Appliances that do not have the recommended certificate SANs for the primary GTO service
- DNS status of appliances delegated as authoritative servers
GTO and IPv6
- End users on IPv6-only networks can reach SMA appliances with IPv6 addresses through GTO.
- SMA appliances serving as authoritative DNS servers include IPv6 AAAA records in their responses where appropriate.
Deployment Notes
- You should configure a minimum of two SMA appliances and delegate them in DNS as authoritative servers. This minimizes the likelihood that your users ever lose DNS resolution of the GTO service.
- You must enable UDP 53 on your firewall for all traffic that is sent to CMS-managed appliances that are configured as authoritative servers.
Was This Article Helpful?
Help us to improve our support portal