Secure Mobile Access 12.0 CMS with GTO Admin Guide

CMS Configuration

 

Introduction to CMS


Overview

This section introduces the SonicWall™ Central Management Server (CMS) with Global Traffic Optimizer (GTO) and the concepts associated with it.

CMS with GTO is an add-on product for managing multiple Secure Mobile Access (SMA) VPN appliances. It gives companies with several appliances a single administrative user interface from which to manage all of them. CMS runs as a virtual machine that communicates with every managed VPN appliance, reducing the total cost of operation and simplifying the management of multiple appliances for enterprises.

Global Traffic Optimizer provides a globally distributed, highly available VPN service in which multiple SMA appliances are reached through a single service name (for example, access.example.com). GTO also provides load distribution and disaster recovery across the SMA appliances in the GTO service.

The VPN administrator uses the Central Management Console (CMC) of the CMS to manage all the VPN appliances regardless of location in the world. CMS and managed appliances are closely integrated through native communications secured with TLS.

CMS with GTO is a virtual machine, requiring no dedicated appliance or hardware, and provides the following features:

Global Traffic Optimizer (GTO) and load balancing.
Dashboard for managing a distributed VPN infrastructure.
Total Cost of Operation (TCO) reduction.
Reduction of operator errors associated with managing multiple appliances.
Central Management Console (CMC) to configure, maintain, and monitor appliances.
Simplified license management with a centralized license that eliminates the need for separate appliance licenses.
Optimized license usage: licenses are dynamically allocated to appliances based on user load.
Centralized alerts via the console dashboard and SNMP traps.

The Dashboard view in the CMC gives the administrator a summarized view of all managed appliances.

Administrators can apply a common configuration to managed appliances from the CMC. Consolidated monitoring and reporting gives the administrator an overview of all the appliances being managed.

An administrator can click a single appliance in the CMC to launch the Appliance Management Console (AMC) for that appliance; single sign-on means no separate login to the appliance is needed.

CMS Deployment Options

Depending on your operational needs, CMS can be deployed in four phases:

Phase 1: Deploy CMS to only monitor and maintain standalone SMA appliances

This gives you a dashboard view and a single console from which to monitor and maintain all your SMA appliances.

Phase 2: Enable Central User Licenses on CMS

Central user licenses let you optimize user licenses across all your SMA appliances.

Phase 3: Use CMS to manage configurations

A centralized policy on the CMS, normalized across all your SMA appliances, simplifies configuration management and gives users a consistent experience whichever appliance in your VPN infrastructure they connect to.

Phase 4: Enable Global Traffic Optimizer

GTO provides a highly available VPN infrastructure where users connect to a single domain name (such as access.example.com) and get redirected to an available and proximate appliance. Central User Licensing and centralized policies are prerequisites for enabling GTO.

What’s New and Deprecated in This Release

Version 12.0 of the Secure Mobile Access (SMA) Central Management Server (CMS) with Global Traffic Optimizer (GTO) includes the following new features and changes:

Central Reports and Analysis

The Central Reports and Analysis (CRA) feature lets you view a near-real-time analysis of what is happening on the CMS-managed appliances. You can examine summary information for the entire CMS cluster via charts and graphs on the Central Management Console (CMC).

Global High Availability

GTO facilitates global high availability with load distribution and disaster recovery capabilities across the SMA appliances in the GTO service. The high availability can be deployed in a single datacenter or across dispersed datacenters. The GTO is used to balance network traffic loads, and user licenses can be distributed and reallocated dynamically among the managed appliances.

GMS Deprecation

SMA 12 does not support the SonicWall Global Management System (GMS).

SMA 12 devices must be managed by the Secure Mobile Access (SMA) Central Management Server with Global Traffic Optimizer.

Central Management Server

CMS is only available as a virtual machine. The supported platforms are listed in Supported Platforms for CMS with GTO.

CMS can manage up to 100 appliances (physical and virtual), but an appliance must be registered with the CMS before it can be managed. Registration is protected by a one-time password, whose purpose is to authenticate the initial exchange of public keys and so bootstrap the TLS channel. After registration, all CMS/appliance communication is secured with TLS.

The CMS maintains two kinds of communication with each managed appliance:

A control channel for configuring, licensing and maintaining the appliance.
Periodic health and status reports from the appliance.

CMS periodically communicates with MySonicWall for license validation, which ensures correct system-wide timing and use of licenses.

CMS also requires access to the following two online services:

Service                     FQDN                         IP addresses                      Ports
SonicWall Licensing Server  software.sonicwall.com       204.212.170.115, 217.149.45.76    80, 443
SonicWall Geo Server        geows.global.sonicwall.com   208.17.117.116                    80, 443

Where your firewall supports it, allow the FQDNs rather than the addresses; if rules must be written by IP address, re-check the published addresses after upgrades, since they can change.

NOTE: CMS must also be able to reach the internal IP address of each SMA appliance on TCP port 8444.
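The reachability requirements above are easy to get wrong behind a firewall, so here is a pre-flight check, added as an example for this guide (it is not SonicWall code). It probes every endpoint the section lists: both online services on TCP 80 and 443, and each managed appliance's internal address on TCP 8444. The appliance addresses in the `__main__` block are placeholders, and the probe function is injectable so the reporting logic can be exercised without network access.

```python
"""Pre-flight connectivity check for a CMS host (added example, not SonicWall code)."""
import socket
from dataclasses import dataclass

# Endpoints taken from the requirements table in this section.
ONLINE_SERVICES = {
    "SonicWall Licensing Server": "software.sonicwall.com",
    "SonicWall Geo Server": "geows.global.sonicwall.com",
}
SERVICE_PORTS = (80, 443)
APPLIANCE_PORT = 8444


@dataclass(frozen=True)
class Endpoint:
    role: str
    host: str
    port: int


def cms_endpoints(appliance_hosts):
    """Every (host, port) the CMS must reach: online services plus each appliance on 8444."""
    endpoints = [
        Endpoint(role, host, port)
        for role, host in ONLINE_SERVICES.items()
        for port in SERVICE_PORTS
    ]
    endpoints += [Endpoint("managed appliance", h, APPLIANCE_PORT) for h in appliance_hosts]
    return endpoints


def tcp_probe(host, port, timeout=3.0):
    """Complete a TCP handshake to host:port; raises OSError on any failure."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def check_endpoints(endpoints, probe=tcp_probe):
    """Probe each endpoint; returns {(host, port): None on success, or an error string}.

    DNS failures (socket.gaierror) are OSErrors too, so name-resolution problems
    appear in the same report as refused or timed-out connections.
    """
    results = {}
    for ep in endpoints:
        try:
            probe(ep.host, ep.port)
            results[(ep.host, ep.port)] = None
        except OSError as exc:
            results[(ep.host, ep.port)] = f"{ep.role}: {exc}"
    return results


def unreachable(results):
    """Sorted (host, port) pairs that failed; empty means the CMS network path is ready."""
    return sorted(key for key, err in results.items() if err is not None)


if __name__ == "__main__":
    # Placeholder appliance internal IPs (assumption); replace with your own.
    report = check_endpoints(cms_endpoints(["10.0.10.21", "10.0.20.21"]))
    for (host, port), err in report.items():
        print(f"{host}:{port:<5} {'ok' if err is None else 'FAIL ' + err}")
```

Run it from the CMS network segment before registering appliances. A failure on an appliance's port 8444 means the CMS cannot register or control that appliance; a failure on software.sonicwall.com means the periodic license refresh will eventually stop.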

Central Management Console

The Central Management Console (CMC) provides a single screen (the Dashboard) that shows active alerts, appliance status, license status, and a geographic view of all appliances on a world map. From the Dashboard you can also:

Configure appliances (by pushing configuration settings).
Maintain appliances: upgrade/hotfix, EPC update, and restart.
Open the AMC of a managed appliance with one click (single sign-on).
View health history and reports for all appliances.
Configure alerts and manage alert notifications for appliances or the CMS.
Install a central user license; licenses are automatically distributed to appliances as user demand changes.

Managed Appliances

Managed appliances are SMA 1000 series appliances that are registered with the CMS so that they can be centrally managed.

Each managed appliance must run SMA version 12.0 or later. A group of managed appliances may consist of physical and/or virtual appliances.

In this document, the term SMA 1000 series appliance refers to the EX6000, EX7000, EX9000, SMA 6200, SMA 7200, and SMA 8200v appliances.

 
* 
NOTE: The Virtual Appliance name has been changed to the SMA 8200v virtual appliance.

Managed appliances send health and status information to the CMS. They accept policy configuration, user licenses, and maintenance commands from the CMS. Managed appliance communication with a CMS is secured with TLS.

* 
NOTE: CMS must be able to communicate with appliances on port 8444.

Licensing CMS

CMS has the ability to manage appliances licensed with different feature sets. Unlike SMA appliances, the CMS contacts the online SonicWall License Manager service to obtain its license.

 
* 
NOTE: SMA appliances download and import a license file from the MySonicWall portal.

To license the CMS initially, you enter the serial number and authentication code into the CMS console. The CMS then contacts the License Manager service and obtains its license. After that, the CMS periodically contacts the License Manager service to refresh its license.

A CMS Base License is available at no cost from MySonicWall; you enable it by entering the serial number and the authentication code. A CMS Base License lets you manage and monitor up to three licensed SMA appliances without pooled licensing, and it includes a time-limited trial of pooled licenses. You can upgrade from a Trial License to a Base License.

Central User Licenses (Pooled Licenses) are distributed by the CMS to the managed appliances. To use pooled licensing, you must add Central User Licenses to the CMS Base License. Central User Licenses are subscription licenses that are valid for specific periods of time, such as 1 year or 3 years. Central User Licenses can be purchased in different bundles, such as 500 users for 3 years, or 50,000 users for 1 year.

The CMS has the following license restrictions:

CMS-based Spike licenses are NOT supported.
CMS has no SUPPORT SKUs. CMS user licenses include support costs.

Central User Licenses

CMS supports an optional pooled licensing model that allows user licenses to be centralized on the CMS and distributed and reallocated dynamically among the managed appliances, based on demand. Central User Licenses do not need to be applied to individual VPN appliances. Companies with appliances that are globally distributed can benefit from the fluctuating demands for user licenses due to time differences. The CMS reallocates licenses to managed appliances where user demands have peaked from appliances where usage has fallen due to off-work/night hours. Companies with appliances that are behind load balancers can also benefit from the dynamic distribution of licenses across managed appliances since the load balancer distributes connection requests across the managed appliances. For more information, refer to Central User Licensing.

Global Traffic Optimizer

GTO lets customers deploy a VPN infrastructure using a CMS and SMA 1000 series appliances without separate load balancers or global traffic management products. The SMA appliances may be in one datacenter or globally distributed.

A GTO service is an online VPN service provided by a cluster of SMA appliances working in concert to give users a highly available and optimized VPN infrastructure.

The GTO service distributes users' VPN connection requests to the appropriate SMA appliances. Load distribution uses heuristics based on system parameters that the GTO service knows and monitors: appliance availability, appliance proximity to the user, user load, and appliance capacity.

 
* 
NOTE: To use GTO with Connect Tunnel, Connect Tunnel must be upgraded to 11.4.0 or above.

FIPS and CMS

CMS can manage a FIPS appliance provided Central User Licensing is disabled.

A FIPS appliance configuration cannot be imported into the CMS.

Getting Started in Five Steps

1. Install and configure the CMS and apply the CMS license. Refer to Installing and Configuring the Central Management Server.
2. Configure GTO. Refer to Configuring GTO.
3. Set up the VPN appliances to be managed. Refer to Configuring Appliances for Central Management.
4. Define the collection of managed appliances. Refer to Add/Remove.
5. Monitor and manage appliances from the CMS Dashboard. Refer to Dashboard.

NOTE: When applying upgrades and hotfixes to an SMA infrastructure that is already in place, update the managed SMA appliances first and the CMS last.

Installing and Configuring the Central Management Server


Overview

The Central Management Server with Global Traffic Optimizer (CMS with GTO) is located inside a corporation’s intranet. CMS requires a new type of license called a CMS License that is issued by SonicWall.

The CMS runs as a virtual machine that can be hosted on VMware ESX/ESXi or Microsoft Hyper-V. CMS is not designed to run on custom hardware such as VPN appliances.

CMS with GTO provides the following features:

Central Management Console (CMC) to monitor, maintain, and configure SMA appliances
Simplified license management with a centralized license that eliminates the need for individual appliance licenses
Centralized alerts via the console dashboard and SNMP traps
Global Traffic Optimizer (GTO)

Supported Platforms for CMS with GTO

CMS with GTO runs as a virtual machine on the following hypervisor platforms:

VMware:
ESXi 5 and newer
ESXi 4.0 Update 1 (Build 208167) and newer
ESX 4.0 Update 1 (Build 208167) and newer

Microsoft:
Windows Server 2012 R2 Hyper-V
Windows Server 2016 Hyper-V

CMS with GTO is supported on the following SMA 1000 series appliances:

EX9000
EX7000
EX6000
SMA 6200
SMA 7200
SMA 8200v (ESX/Hyper-V)

Hardware Resource Requirements

The virtual instance of CMS requires the following hardware resources:

8 GB RAM
4 CPU

Installation Files

The Central Management Server should run the same firmware version as the appliances it manages.

To install on VMware hypervisors, import the Open Virtualization Archive (.OVA) file, named in the form ex_sra_vm_12.x.x-xxx.ova, into your ESX/ESXi server.
To install in a Microsoft Hyper-V environment, use the ISO image, named in the form 12.x.x-xxx.iso.

Here 12.x.x is the SMA release version and xxx is the build number. Verify the downloaded file's checksum against the value published with the download before importing it.

 
* 
NOTE: The same firmware is used for both the CMS and the SMA 8200v. The Central Management feature is enabled during the setup process.

For information on installing the SMA 8200v, refer to the SMA 8200v Getting Started Guide.

Setting Up a CMS

To set up a centrally managed VPN infrastructure:

1. Set up a virtual instance (ESX or Hyper-V) of the release firmware.
2. Start the virtual machine and wait for a login prompt to appear.
3. Log in as root (no password is required).
4. Press any key to continue.
5. Enter the network settings for the internal interface (labeled 2 on the appliance): IP address, subnet mask, and gateway.
NOTE: If you are on the same network as the appliance, press Enter when prompted for the gateway.
6. Identify whether the appliance is being used as a stand-alone unit or in a cluster.
NOTE: If the appliance is being installed in a cluster, it must be given the standby or active role.
7. Continue until instructed to access the console from a browser at https://<Internal-IP-Address>:8443.
8. Click Next to view the License Agreement.
9. Read the agreement and, if you agree, select I accept the terms of the license agreement.
10. Click Next to go to Basic Settings.
11. Select Install this appliance as the central management server for a pool of appliances.
12. Under Administrator password, enter the password you want for the administrator and confirm it.
IMPORTANT: Save this password in a secure location (for example, a password manager). It is stored encrypted and is difficult to recover if you forget it.
13. Under Date and time, select the time zone from the Time Zone menu.
14. Click Next.
15. Enter a descriptive name in the Appliance name field.
16. Select the Single interface option.
IMPORTANT: CMS should not be set up with a dual interface. HA pairs are no longer supported.
17. Enter the Internal Interface IP address and Subnet mask.
18. Click Next.
19. From the Routing mode menu, select Default gateway.
20. In the Default gateway IP address field, enter the gateway IP address.
21. Click Next.
22. Enter your domain in the Default domain field.
23. Enter the IP address of the primary DNS server in the DNS Server field.
24. Click Next.
25. Under Locale, enter the Country and the Location.
26. Select Enable pushing policy configuration from this server to managed appliances.
27. Click Next.
28. Click Finish. The configuration changes are applied and a Logon screen appears.
29. Log in with username admin and the password you just configured. The Central Management Console (CMC) Dashboard page appears.

You can now download and install a CMS license from MySonicWall.com. Refer to Licensing Pages.

 

Configuring Appliances for Central Management


Overview

This section describes how to configure SMA appliances for CMS with GTO, so that they become Managed Appliances.

A CMS can manage up to 100 appliances. Managed Appliances can be any combination of physical and virtual appliances (for example, EX6000, EX7000, EX9000, SMA 6200, SMA 7200, and SMA 8200v).

Firmware Compatibility with the CMS

CMS can only manage appliances running compatible firmware versions. For features such as Global High Availability to work across the cluster of appliances, the CMS must be at the same firmware version as the managed appliances.

CMS can manage appliances that have been upgraded to a release one major version above the CMS version; however, newer features on those appliances may not work until the CMS is upgraded to the same version as all the managed appliances.

NOTE: CMS cannot manage an appliance that is more than one major version ahead of the CMS.

For more information about upgrading CMS and its managed appliances, refer to the SMA 12.0 Upgrade Guide.

Enabling Central Management and Registering an SMA Appliance with the CMS

Before an appliance can be registered with the CMS, Central Management must be enabled on it, and the CMS must have an unused appliance license (provided by the CMS license). The administrator enables Central Management in the appliance's management console, which provides a One-Time Password, and then registers the appliance from the CMS using that One-Time Password (see Add/Remove).

The One-Time Password authenticates the initial exchange that establishes the secure channel; all subsequent communication goes through that channel. The appliance uploads its information (model, version, serial number) to the CMS. The CMS pushes a Leased License to the appliance and then, if configured, pushes the configuration settings to it.

The managed appliance is then online and ready to accept VPN connections.
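The registration described here and under Central Management Server above (a one-time password that authenticates the initial public-key exchange, after which the exchanged keys secure every later connection) follows a common pairing pattern. The following is an added illustration of that pattern, not SonicWall's wire protocol: the message layout, the HMAC keyed by the OTP, the single-use OTP store, which side issues the OTP, and the random byte strings standing in for real TLS keys are all assumptions made for the example.

```python
"""OTP-authenticated key exchange with pinning (added illustration, not SonicWall's protocol)."""
import hashlib
import hmac
import os
import secrets


def issue_otp():
    """A fresh one-time password; in practice shown on one console and typed into the other."""
    return secrets.token_hex(8)


def fingerprint(public_key):
    """Pinned identity of a peer: a digest of its public key."""
    return hashlib.sha256(public_key).hexdigest()


def key_tag(otp, role, public_key):
    """HMAC over role || key, keyed by the OTP.

    Proves the sender knows the OTP and binds the key to the role that offered it, so a
    tag computed for the appliance's key is never valid for a key claiming to be the CMS's.
    """
    return hmac.new(otp.encode(), role.encode() + b"\x00" + public_key, hashlib.sha256).digest()


class Endpoint:
    """Either side of the registration; holds its own key and, after success, the peer's pin."""

    def __init__(self, role):
        self.role = role                    # "cms" or "appliance"
        self.public_key = os.urandom(32)    # stand-in for a real TLS key pair (assumption)
        self.pinned = None                  # peer fingerprint, set only by a successful register()

    def offer(self, otp):
        return (self.role, self.public_key, key_tag(otp, self.role, self.public_key))

    def accept(self, otp, offer):
        """Return the peer's fingerprint if the offer authenticates under the OTP, else None."""
        role, public_key, tag = offer
        if role == self.role:               # reflected offer: never accept our own role as a peer
            return None
        if not hmac.compare_digest(tag, key_tag(otp, role, public_key)):
            return None                     # wrong OTP, or key swapped by an on-path attacker
        return fingerprint(public_key)

    def verify_peer(self, presented_public_key):
        """Every later connection: the peer must present exactly the pinned key."""
        return self.pinned is not None and hmac.compare_digest(
            self.pinned, fingerprint(presented_public_key))


class OtpStore:
    """The issuing side's record of outstanding OTPs; each can be redeemed exactly once."""

    def __init__(self):
        self._unused = set()

    def issue(self):
        otp = issue_otp()
        self._unused.add(otp)
        return otp

    def redeem(self, otp):
        if otp not in self._unused:         # mistyped, never issued, or already used
            return False
        self._unused.discard(otp)
        return True


def register(cms, appliance, store, otp_typed, tamper=None):
    """Two-way authenticated key exchange; `tamper(offer)` models an on-path attacker."""
    if not store.redeem(otp_typed):
        return False
    offer = appliance.offer(otp_typed)
    if tamper is not None:
        offer = tamper(offer)
    cms_pin = cms.accept(otp_typed, offer)
    if cms_pin is None:
        return False
    offer = cms.offer(otp_typed)
    if tamper is not None:
        offer = tamper(offer)
    appliance_pin = appliance.accept(otp_typed, offer)
    if appliance_pin is None:
        return False
    cms.pinned, appliance.pinned = cms_pin, appliance_pin   # commit only once both sides verified
    return True


if __name__ == "__main__":
    store, cms, appliance = OtpStore(), Endpoint("cms"), Endpoint("appliance")
    otp = store.issue()                     # the admin carries this between the two consoles
    print("registered:", register(cms, appliance, store, otp))
    print("replay rejected:", not register(Endpoint("cms"), Endpoint("appliance"), store, otp))
```

Three properties are worth noting. The tag binds the key to a role, so an attacker cannot reflect one side's own offer back at it. Pins are committed only after both directions verify, so a failed registration leaves no half-trusted peer behind. And an OTP redeems once, so reading it off a console after it has been used does not let a second appliance register in the first one's place.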

To enable central management:

1. Go to the System Configuration > Maintenance page.
2. Click Configure under Central Management in the System Configuration section.
3. Verify that Enable central management is selected.
4. Click Save.
5. Click the Apply Pending Changes link.
6. Click Apply Changes.
7. Click Save.

Previously Configured Appliances

Standalone appliances that were originally configured from their AMC can be registered with a CMS without affecting the appliance's policy settings.

For information on how to synchronize (or not) policy on an appliance from the CMS, refer to Configure.

 

Using the Management Console Menus


Overview

The Central Management Console is the interface you use to manage all the registered VPN appliances. The menu is listed on the left and the content of the window varies depending on the option selected. When you first login to the console, the Dashboard page is the default screen that appears.

The menu has two sections: Management Server and Managed Appliances. Management Server contains the commands for central management, licensing and so forth. Managed Appliances contains the commands for managing the registered VPN appliances in your infrastructure.

Management Server

This section provides information about the Management Server commands:

Dashboard

The Dashboard page is the first screen that appears after you log in. You can also access it anytime by clicking Management Server > Dashboard from the menus.

The Dashboard is divided into the sections illustrated and explained below.

Menus - Contains the commands for central management of your devices.
Alerts - Contains a list of currently active alerts. Select an alert to view information about it.
Current Users - Displays the distribution of currently connected users across the appliances.
Appliances - Shows all online appliances, sorted starting with the appliance with the most users. Select a managed appliance to view information about it.
Central License Usage - Displays information about license usage.
About - Displays CMS information: Model, Hypervisor platform, Version, Hotfixes, System Time, Uptime, and License.

Each pane is independently refreshed with updated information/status.

The Dashboard panes use the following color codes:

Green (OKAY)
Yellow (WARNING)
Red (ERROR)

Dashboard/Alerts Pane

The Alerts pane on the Dashboard shows a consolidated view of all currently active alerts that have not been acknowledged by the administrator. Alerts appear when specific thresholds are met; both Warnings and Errors are shown on the CMC Dashboard.

Red icons represent critical alerts and yellow icons represent warnings. Errors are listed first, followed by warnings, with the most recent at the top of each category.

The administrator can acknowledge an alert by clicking the X to its right. An acknowledged alert no longer appears on the dashboard but reappears if its state changes. Alerts are removed automatically when the condition that caused them clears. Click an individual alert to see its details.

All alerts can be seen by choosing the Alerts command. Refer to Alerts for more details.

Dashboard/Appliances Pane

The Appliances pane displays a quick overview of the appliances being managed. It provides real-time data for online, managed appliances, including:

Name
Status
Users
CPU usage
Memory usage
Mbps
Uptime

The drop-down menu at the top right of the pane toggles between views of the appliances.

The Appliance Table is the default view.

The Geographic View shows the location of each appliance on a world map, based on the city and country entered during configuration. You can reposition an appliance's icon by dragging and dropping it to another location, for example when the icon is not positioned correctly or when several appliance icons overlap.

Moving the cursor over a colored icon on the map displays details about that appliance. The color of the icon has the following meaning:

A blue icon represents the CMS server and displays its host name and address.
A green icon represents a managed appliance that is online; selecting it displays Host, Status, Users, CPU, Memory, and Bandwidth information.
A red icon represents an appliance that is offline.

Zoom (+) and UnZoom (-) buttons change the map view. The last map view is saved.

Dashboard/Current Users Pane

The Current Users pane displays the current distribution of all connected users across the managed appliances. It also indicates how loaded each appliance is relative to its maximum configured license setting.

The drop-down menu at the top of this pane lets you display the data in either of two ways: Per appliance view or Pie chart view. The number shown for each appliance is the number of users connected to it, and the colors indicate the following:

Green indicates that license usage on that appliance is okay.
Yellow is a warning that license usage on that appliance is approaching its configured limit.
Red indicates that license usage on the managed appliance is close to the maximum configured license setting for that appliance.

Dashboard/Central License Usage Pane

The Central License Usage pane displays the history of CMS user license consumption relative to the maximum license capacity. The drop-down menu lets you change the display to different time periods: Now, Hourly, Daily, Weekly, Monthly, and Quarterly.

The graph displays the number of users as a function of time, and colors indicate the licensing status:

Green indicates that CMS license usage is within the Central User Licensed capacity.
Yellow indicates that license usage has reached 75% of capacity, the default threshold for a CMS license usage warning.
Red indicates that license usage has reached 90% of capacity, the default threshold for a CMS license usage alert.

Dashboard/About Pane

The About pane displays the CMS information listed above (Model, Hypervisor platform, Version, Hotfixes, System Time, Uptime, License), or the corresponding information for an individual appliance when one is highlighted in the Appliances list.

Alerts

CMS generates alerts that are either Warnings or Errors. Alerts are displayed prominently on the CMS dashboard and can also be accessed by selecting the Alerts menu option. Alerts typically originate from a condition that occurs on the CMS or on a managed appliance.

For detailed information about alerts and using alerts with SNMP, refer to Alerts and SNMP.

To view and configure alerts:

1. Select Management Server > Alerts. This page has two tabs: View Alerts and Configure Alerts. The View Alerts tab is the default view and shows all alerts in table form; click a column heading to sort by it.
2. At the bottom of the page, click alert notification.
3. Select the alerts for which you want to be notified: Critical alerts, Warning alerts, Acknowledged alerts, and Cleared alerts.
4. Under Email Settings, enter the Email address from which alert notifications are sent.
5. To add an Email address to which alert notifications are sent, click New.
6. Enter the Name and Email Address of the recipient and click OK. Repeat to add more recipients.
NOTE: The OK option is located next to the email address field. You may need to expand the window to see it.
7. Click Save.

Adding an Alert Trigger

To add an alert trigger:

1. Select the Configure Alerts tab.
2. Click New.
3. In the Name field, enter a name for the alert.
4. Select Add trigger is enabled.
5. Select the Priority.
6. Select the other conditions and options that you want.
7. Click Save.

Configure

The Configure option allows you to set various options for the Central Management Console. Select Management Server > Configure to see the options.


Central Management Settings

Use the Central Management Settings option to configure CMS location, central user licensing, Global Traffic Optimizer, and policy synchronization.

To configure the Central Management Settings:

1. Select Management Server > Configure > Central Management Settings.
2. Under Locale, enter your Country and Location.
3. Under Central User Licensing, select Enable managing appliance user licensing with one central license.
4. Under Global Traffic Optimizer Service, select Users connect to this global high availability service from anywhere in the world and are routed to a nearby appliance.
NOTE: Central User Licensing must be enabled to activate the Global Traffic Optimizer service.
5. Under Policy Synchronization, select Enable pushing policy configuration from this server to managed appliances.
6. Under Authentication servers, select one of the following: Nodes in the collection share centralized authentication servers, or Each node has its own authentication server.
7. Click Save.

Licensing Pages

Use the Licensing option to review and manage the software licenses for CMS.

To manage the licenses:

1. Go to the Management Server > Configure > Licensing page. The default view is Manage Licenses.
2. Review your license information.
3. Under Online licensing, choose Manage to activate, upgrade or renew services.
NOTE: If you choose Synchronize, the CMS synchronizes with the licensed services on MySonicWall.
4. Log in to MySonicWall with your MySonicWall credentials.
5. Follow the prompts to manage or create a license.
6. Click the License Distribution tab. This page allows you to set the minimum and maximum number of leased licenses that should be distributed to each managed appliance. The default Max Licenses settings are based on the appliance model.
7. Click Save, Cancel, or Reset Defaults.

CMS attempts to distribute all user licenses among the managed appliances and does not hold any back. It uses criteria such as the Min and Max settings and the number of users connected to determine how to distribute the licenses.

You can also see on this screen the actual number of leased licenses that have been distributed to each appliance at any time.
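This section names the inputs to license distribution (the pool size, each appliance's Min and Max lease settings, and its connected users) but not the heuristic itself. The following added example, which is not SonicWall's scheduler, shows one way those inputs can interact: minimums are guaranteed first, live demand is covered next, and whatever remains is spread across the remaining headroom so that nothing stays on the CMS unless every appliance is already at its Max. The three-pass scheme, the appliance names and the user counts are assumptions made for the example.

```python
"""Illustrative pooled-license allocation (added example, not SonicWall's scheduler)."""
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    min_leases: int     # License Distribution "Min" for this appliance
    max_leases: int     # License Distribution "Max" (the default depends on model)
    users: int          # users currently connected, as reported over the health channel


def allocate(pool, appliances):
    """Distribute `pool` central user licenses; returns ({name: leased}, unallocated)."""
    lease = {a.name: 0 for a in appliances}
    remaining = pool

    # Pass 1: guarantee each appliance its Min, in list order, as far as the pool allows.
    for a in appliances:
        give = min(a.min_leases, remaining)
        lease[a.name] += give
        remaining -= give

    # Pass 2: cover live demand, busiest appliance first, never exceeding its Max.
    for a in sorted(appliances, key=lambda x: x.users, reverse=True):
        target = min(a.max_leases, max(a.users, a.min_leases))
        give = min(max(target - lease[a.name], 0), remaining)
        lease[a.name] += give
        remaining -= give

    # Pass 3: the CMS keeps nothing back, so spread the rest over whatever headroom is left.
    while remaining > 0:
        open_ = [a for a in appliances if lease[a.name] < a.max_leases]
        if not open_:
            break                           # everyone is at Max; the surplus stays unallocated
        share = max(1, remaining // len(open_))
        for a in open_:
            give = min(share, a.max_leases - lease[a.name], remaining)
            lease[a.name] += give
            remaining -= give
            if remaining == 0:
                break
    return lease, remaining


def headroom(lease, appliances):
    """Leases on each appliance not yet consumed by connected users (negative = over its lease)."""
    return {a.name: lease[a.name] - a.users for a in appliances}


if __name__ == "__main__":
    # Constructed sample input (assumption): three appliances sharing a 1,000-user pool.
    fleet = [
        Appliance("sma-nyc", min_leases=50, max_leases=600, users=400),
        Appliance("sma-lon", min_leases=50, max_leases=600, users=100),
        Appliance("sma-syd", min_leases=50, max_leases=100, users=20),
    ]
    leases, left = allocate(1000, fleet)
    print(leases, "unallocated:", left)   # {'sma-nyc': 600, 'sma-lon': 300, 'sma-syd': 100} unallocated: 0
```

The edges are the instructive part. When the pool is smaller than the sum of the Min settings, appliances later in the list receive nothing, which is why the Min values should be chosen so their total fits the pool with margin. When the sum of the Max settings is below the pool, the surplus is returned as unallocated; that is the one situation in which raising a Max, rather than buying more licenses, increases usable capacity.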

General Options

Use the General Options to control security settings for users and set the date and time.

To configure the General Options:

1. Select Management Server > Configure > General Options.
2. Set the credential lifetime in minutes. This is the maximum length of a console session; if it is exceeded, the user is asked to re-authenticate.
3. Set the date and time, if needed.
4. Click Save.

Administration

Use the Administration option to define who the administrators are and what authentication server are used for managing the Central Management Server.

To configure the Administration settings:

1. Select Management Server > Configure > Administration.
2. Select any of the three items: Administrators, Authentication servers, and Users & Groups.
3. Make the changes you want.
4. When finished, click Save.

Network Settings

Use Network Settings to modify server IP address, routing and name resolution.

To configure the network settings:

1. Select Management Server > Configure > Network Settings.
2. Click Edit to configure any of the Basic, Routing, or Name resolution settings.
3. When finished, click Save.

Network Services

Use the Network Services option to modify the settings for server services like NTP, SSH, SNMP and SMTP.

To configure Network Services:

1. Select Management Server > Configure > Network Services. The Network Services page appears.
2. Click Configure for the item you want to configure: NTP, SSH, SNMP, or SMTP.
3. Make the desired changes.
4. When finished, click Save.

SSL Settings

Use the SSL Settings option to modify the management console certificate and SSL settings.

To configure SSL settings:

1. Select Management Server > Configure > SSL Settings.
2. Click Edit for the item you want to edit: SSL certificates or SSL encryption.
3. Make the desired changes.
4. When finished, click Save and Apply Pending Changes.

Monitor

The Monitor option provides the monitoring tools for the CMS. Select Management Server > Monitor to see the options.

To view or edit logging settings for the CMS, click Logging. Make the changes and click Save.
To view health metrics and system information for the CMS, click System Status. Make the changes and click Save.
To ping, look up names, view network traffic or use the snapshot troubleshooting tools, click Troubleshooting. Make the changes and click Save.

Maintain

The Maintain option provides the commands for maintaining the CMS itself. Select Management Server > Maintain to see the options. The default view is Maintain Server.

To maintain the CMS:

1. Select Management Server > Maintain.
2. Do any of the following:
To restart the CMS, click Restart.
To shut down the CMS, click Shutdown.
To reset the CMS, click Reset.
3. To import or export a system configuration file, click Import/Export and provide the additional information requested in the next window.
4. To update the system software to a newer version, click Update.
5. To roll back the system software to a previous version, click Rollback.
6. Click Maintenance Tasks. The Task log panel lists the tasks that are scheduled.
7. Filter the Task log table by setting a Start Date and End Date and clicking Refresh.
NOTE: If the Start Date and End Date fields aren't visible, click the plus sign (+) by Filters.
8. In the Scheduled Tasks panel, select a task and choose Delete, Run now, or Reschedule.

Managed Appliances

This section provides information about the Managed Appliances commands:

Add/Remove

The Add/Remove option allows you to manage the licensing and configuration of a collection of appliances from a central location. Select Managed Appliances > Add/Remove to see the Appliance Collection.

To add a new appliance:

1. Click New.
2. Enter the display Name for the appliance.
3. Enter the Internal IP address or host name of the appliance.
4. Enter the One Time Password obtained from the appliance's management console.
5. Click OK.

To delete a managed appliance:

1. Select the appliance you want to delete.
2. Click Delete.
3. Click OK.

Configure

Overview

An administrator can import policies from an existing appliance and define configurations. Policies can be applied to all appliances or just a subset. An existing managed appliance's configuration may be partially imported into the CMS to seed the CMS global configuration.

Services do not need to be restarted after this configuration.

The first time the CMS synchronizes a policy with an appliance, it overwrites the policy on the appliance. This is equivalent to the appliance partially importing the CMS configuration. After the initial policy synchronization, further policy synchronizations replicate the CMS configuration onto the appliance.

Also, after the initial policy synchronization, the administrator can manually modify the address pools of the appliance and the authentication servers. The administrator changes are not overwritten during subsequent CMS policy synchronizations.

The policy settings that are replicated during synchronization are:

Security policy, including access control rules and EPC configuration
Network resources
Users and groups
Realms
Authentication servers (the authentication server names should match those on the sending node, even if the IP addresses do not)
WorkPlace shortcuts
CA certificates
Certificate revocation lists downloaded from a remote CDP (CRL distribution point)
Agent configuration, including graphical terminal agents (Citrix and Windows Terminal Server) and Web browser profiles
Local user accounts
Single sign-on profiles
 
* 
NOTE: When you define a collection of appliances, you have the option of either overwriting authentication server settings (which would be typical in a deployment where there is a shared, central server), or excluding server settings from being overwritten during replication.

The policy settings that are not replicated during synchronization are:

Network settings, including IP addresses, routing information, name resolution settings (DNS and WINS), and the settings for the network services (NTP, SSH and SNMP)
The unique list of fallback servers configured for your Connect Tunnel users
License files
SSL certificates
WorkPlace configuration data (customized templates)
Administrator user accounts and role definitions
 
* 
NOTE: You can optionally exclude authentication server settings from being overwritten during replication, which is typical for a deployment where each appliance has its own authentication server.

Configuring the Managed Appliances

Select Managed Appliances > Configure to see the configuration options.

The Define Policy option provides access to the Security Administration, User Access, and System Configuration policy pages.
The Synchronize Policy option allows you to view and schedule policy synchronization events.
Define Policies
To define policies:
1
Go to Managed Appliances > Configure > Define Policy.

2
Under Security Administration, define:
Access Control
Resources (web, file, group and variables)
Users & Groups.
3
Under User Access, define:
Realms
Network Tunnel Service
Web Proxy Service
WorkPlace
Agent Configuration
End Point Control.
4
Under System Configuration, define:
Administrators
Authentication Servers
CA certificates
OCSP (Online Certificate Status Protocol)
5
When you are finished defining a policy, click Save or OK.
Synchronize Policy
To synchronize a policy:
1
Go to Managed Appliances > Configure > Synchronize Policy.

2
Click Advanced to open the Advanced panel.
3
Select the Force selected appliance to import the CMS policy checkbox. This makes the next synchronization (immediate or scheduled) overwrite the policies of the selected appliances with the CMS policy, just as the initial policy synchronization does. Use it to reset appliance policy to the baseline CMS policy.
4
Select Now if you want to synchronize immediately, or select At and choose the time and date from the drop-down menus to schedule the synchronization.
5
Click Synchronize.

Synchronizing a policy does not usually terminate existing user sessions. If a synchronization does terminate any user sessions, a warning message is displayed for that appliance on the Sync Policy page.
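The synchronization rules given in the Overview above and triggered by the Synchronize Policy steps can be captured in a small model. The following Python is an added example written for this guide, not SonicWall code. It assumes section names such as address_pools and a per-appliance record of local edits, and it models the stated behaviour: the first (or forced) sync overwrites the appliance policy; later syncs replicate the CMS policy but keep address pools and authentication servers that the administrator edited on the appliance; the collection-level option can exclude authentication servers entirely; and appliance-local settings such as network settings, license files, SSL certificates, WorkPlace templates and administrator accounts are never written.

```python
"""Illustrative model of CMS-to-appliance policy synchronization.

Added example, not SonicWall code. It models the rules stated in this section:
the first synchronization overwrites the appliance policy; later ones replicate
the CMS policy but leave address pools and authentication servers that the
administrator edited on the appliance alone; a collection can exclude
authentication servers from replication; appliance-local settings are never
written; the Force option makes a sync behave like the first one.
Section names (keys) are assumptions chosen for the example.
"""
from copy import deepcopy

# Sections the guide lists as replicated during synchronization (assumed key names).
REPLICATED = {
    "security_policy", "network_resources", "users_groups", "realms",
    "authentication_servers", "workplace_shortcuts", "ca_certificates",
    "crls", "agent_configuration", "local_user_accounts", "sso_profiles",
    "address_pools",   # assumed to travel with the Network Tunnel Service settings
}
# Sections the guide lists as never replicated (appliance-local).
LOCAL_ONLY = {
    "network_settings", "fallback_servers", "license_files",
    "ssl_certificates", "workplace_templates", "administrators",
}
# Sections an administrator may edit on the appliance after the initial sync;
# such edits survive later (non-forced) synchronizations.
ADMIN_EDITABLE = {"address_pools", "authentication_servers"}


def record_local_edit(appliance, key, value):
    """Model an administrator changing an admin-editable section on the appliance."""
    if key not in ADMIN_EDITABLE:
        raise ValueError(f"{key} is CMS-managed; edit it on the CMS and synchronize")
    appliance[key] = value
    appliance.setdefault("_local_edits", set()).add(key)


def synchronize(cms_policy, appliance, *, exclude_auth_servers=False, force=False):
    """Apply one CMS policy sync to `appliance`.

    Returns (new appliance config, sorted list of sections written).
    `appliance["_synced"]` records whether an initial sync has happened and
    `appliance["_local_edits"]` which admin-editable sections were changed locally.
    """
    result = deepcopy(appliance)
    local_edits = set(appliance.get("_local_edits", ()))
    initial = force or not appliance.get("_synced", False)
    written = []
    for key, value in cms_policy.items():
        if key in LOCAL_ONLY or key not in REPLICATED:
            continue                      # never replicated, or unknown to the model
        if key == "authentication_servers" and exclude_auth_servers:
            continue                      # collection keeps per-appliance auth servers
        if not initial and key in ADMIN_EDITABLE and key in local_edits:
            continue                      # preserve the administrator's local change
        result[key] = deepcopy(value)
        written.append(key)
    result["_synced"] = True
    result["_local_edits"] = local_edits - set(written)   # overwritten edits are gone
    return result, sorted(written)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    cms = {"realms": ["corp"], "address_pools": ["10.10.0.0/24"],
           "authentication_servers": ["ad.corp.example"], "ssl_certificates": ["cms-cert"]}
    sma = {"network_settings": {"ip": "198.51.100.20"}, "address_pools": ["172.16.0.0/24"],
           "authentication_servers": ["ad.site.example"]}
    sma, written = synchronize(cms, sma)          # initial sync overwrites both sections
    record_local_edit(sma, "address_pools", ["172.16.0.0/24"])
    sma, written = synchronize(cms, sma)          # the local address pools now survive
    print(written, sma["address_pools"])
```

The point to take from the model is the asymmetry the guide describes: once an appliance has been synchronized, a locally edited address pool or authentication server quietly stops following the CMS, and only the Force option (or the exclusion setting on the collection) makes that behaviour explicit. Auditing a cluster for drift therefore means comparing those two sections per appliance, not just checking the last sync time.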

Monitor for Managed Appliances

The Monitor option for Managed Appliances provides detailed information on User Sessions, Reports and Health. Select Managed Appliances > Monitor to see the options.

User Sessions

On the User Sessions page, you can view current and past user sessions and terminate current sessions.

If you select a session and then select the Terminate session-restrict logins option, it temporarily disables the user’s access for up to 10 minutes.

To monitor user sessions:
1
Go to Managed Appliances > Monitor > User Sessions.

2
Define how the data appears in the table:
a
In the View field, select the number of users to show per page.
b
In the Sessions field, select the type of session to view: Licensed, All open, or All.
c
From the drop-down menus under Filters, select the items you want to view or manage.
3
If you want to filter the data further, select options from the drop down lists under Appliance, Login status, Realm, Community, Zone, Agent, and Platform.

Reports

On the Reports page, you can view reports about Users, Access, Devices, and the Network.

User — View reports that show the number of user sessions on appliances or realms, for example, the number of user sessions currently on selected appliances, or the count for each of the top five realms of licensed users for the last day.
Access — View reports that show the policy rules matched and destinations accessed by users on managed appliances, for example, the top five permit rules and how many times they have been enforced over the last hour, or the count for each of the top five most accessed destinations over the last day.
Devices — View reports that show the platforms and zones in use by users, for example, a user's platform distribution for the last week, or a user’s zone placement count for the last month.
Network — View reports on the bandwidth consumption of appliances and the data transferred to users. For example, the top five users who transferred the most data and how much they transferred over the last hour or over the last three months, or view the top five appliances that consume the most bandwidth and how much they are currently consuming.
To view the reports:
1
Select the category: Users, Access, Devices, or the Network.
2
From the drop down lists, select the options for View.
 
* 
NOTE: The options for the View fields vary according to the type of report selected.
3
Select an option from the Time drop down list.

The display adjusts according to the selections made. Select Refresh to refresh the data in the report. Select Export to export the data to a CSV file.

Health

On the Health page, you can set up and monitor various health metrics on a graph that charts the selected data item against time. The data is downloadable to a CSV file.

To monitor health metrics:
1
Go to Managed Appliances > Monitor > Health.

2
From the Appliances menu, select the appliance you want to graph.
3
From the Time period menu, select the time period you want the graph to display.
4
From the Data item menu, select the data you want the graph to display.
5
From the Plot type menu, select the type of graph you want to plot.
6
Select Refresh to refresh the data or select Download to download the data to a CSV file.

Maintain for Managed Appliances

To maintain a managed appliance:
1
Go to the Managed Appliances > Maintain page. This page has two options: Maintain Appliances and Maintenance Tasks.

2
Under the Maintain Appliances tab, check the box for an appliance and use the buttons across the top to perform any of the following tasks: Restart, EPC Update, Upgrade/Hotfix.
3
Select the Maintenance Tasks tab.

4
In the Task log panel, you can view the tasks that are scheduled.
5
In the Scheduled Tasks panel, you can select a task and Delete, Run now, or Reschedule that task.

 

Central User Licensing

Overview

Appliances that are globally located have fluctuating demands for user licenses due to time differences.

A Central Management Server (CMS) can manage a pool of user licenses and dynamically allocate them among managed appliances. Managed appliances do not have their own user licenses and use the allocated licenses. The CMS distributes the pool of licenses between the managed appliances based on demand. The CMS requires a CMS license in order to be functional.

Each CMS license permits the management of up to 3 managed appliances (default). Customers may choose to purchase additional licenses for managed appliances.

Central User Licensing is an optional feature. When Central User Licensing is not enabled, individual appliances must have their own licenses.

The administrator is responsible for ensuring that licenses across all managed appliances have the same features. CMS cannot manage configurations on appliances with a heterogeneous set of licensed features.

How Central User Licenses Work

User licenses no longer have to be applied to individual VPN appliances. A new central licensing model allows CMS licenses for users to be distributed and reallocated dynamically among the managed appliances based on user demand. Customers with appliances that are globally distributed can benefit from the fluctuating demands for user licenses due to time differences. The CMS reallocates licenses to managed appliances where user demands have peaked from appliances in a different geographic area where usage has fallen due to off-work/night hours. Customers with appliances that are behind load balancers can benefit from the dynamic distribution of licenses across managed appliances as the load balancer distributes connection requests across the managed appliances.

The following drawing illustrates centrally managed licenses for globally located VPN appliances.

CMS creates "leased licenses" for a number of users based upon usage demand. The administrator defines the maximum and minimum for each managed appliance. CMS redistributes the leased license periodically based on usage, thereby changing the number of licensed users allowed for each managed appliance.

* 
NOTE: The configured maximum number of user licenses is not a hard limit. A small percentage of additional connections to a managed appliance are allowed. When the number of connections to a managed appliance exceeds the configured maximum, the number of consumed licenses that is shown on the CMC license distribution page can be up to 10% higher than the number of distributed licenses. Alerts may also report license usage up to 110%.

CMS attempts to allocate all available user licenses. Leased licenses have a validity of 7 days.

In the event of a communication loss between CMS and a Managed Appliance:

Appliance: Continues with a leased license until the lease expires (7 days) or communications are re-established.
CMS: Recovers lost licenses after 24 hours.

In the event of a communications loss between the CMS and MySonicWall: The CMS continues to generate leased licenses for up to 30 days.

The following drawing shows centrally managed licenses for VPN appliances behind a load balancer.
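As an added illustration of the leasing behaviour described above (not SonicWall's implementation), the following Python models a CMS pool leased to three appliances. The per-appliance minimum and maximum, the 7-day lease, the 24-hour CMS recovery and the roughly 10 percent soft overage come from this section; the demand-proportional split and the round-robin for leftover licenses are assumptions made for the example, since the guide does not specify how the CMS divides the pool.

```python
"""Illustrative model of CMS central user licensing (added example, not SonicWall code).

Behaviour taken from this section: the CMS leases a pool of user licenses to
managed appliances between an administrator-defined minimum and maximum per
appliance, redistributes periodically on demand and tries to lease the whole
pool; an appliance admits up to about 10 percent more sessions than its lease;
a lease is valid for 7 days; the CMS recovers an unreachable appliance's
licenses after 24 hours. The demand-proportional split and the round-robin for
leftovers are assumptions for this example; the guide does not specify them.
"""
from dataclasses import dataclass

LEASE_HOURS = 7 * 24          # a leased license is valid for 7 days
CMS_RECOVERY_HOURS = 24       # CMS recovers leases from an unreachable appliance after 24 h
SOFT_OVERAGE_PERCENT = 10     # appliance tolerates roughly 10% above its leased count


@dataclass
class Appliance:
    name: str
    minimum: int                  # administrator-defined lease floor
    maximum: int                  # administrator-defined lease ceiling (soft, see admits())
    demand: int                   # licensed user sessions currently in use
    leased: int = 0               # CMS-side record of the current lease
    holds: int = 0                # lease as last delivered to the appliance
    last_contact_h: float = 0.0   # hours since the appliance last reached the CMS


def distribute(pool, appliances):
    """Redistribute `pool` leases; return ({name: lease} for reachable appliances, unallocated)."""
    reachable = []
    for a in appliances:
        if a.last_contact_h >= CMS_RECOVERY_HOURS:
            a.leased = 0            # recovered by the CMS; the appliance still runs on a.holds
        else:
            reachable.append(a)
    if sum(a.minimum for a in reachable) > pool:
        raise ValueError("pool is smaller than the sum of configured minimums")
    for a in reachable:
        a.leased = a.minimum
    remaining = pool - sum(a.leased for a in reachable)
    # Share the remainder in proportion to demand above each minimum, capped at each maximum.
    wants = {a.name: max(a.demand - a.minimum, 0) for a in reachable}
    total_want = sum(wants.values())
    if total_want:
        for a in reachable:
            a.leased += min(remaining * wants[a.name] // total_want, a.maximum - a.leased)
        remaining = pool - sum(a.leased for a in reachable)
    # Lease whatever is left, one at a time, to appliances with headroom ("CMS attempts
    # to allocate all available user licenses"); stop if every appliance is at its maximum.
    while remaining > 0:
        with_headroom = [a for a in reachable if a.leased < a.maximum]
        if not with_headroom:
            break
        for a in with_headroom:
            if remaining == 0:
                break
            a.leased += 1
            remaining -= 1
    for a in reachable:
        a.holds = a.leased          # new lease delivered; contact refreshed
        a.last_contact_h = 0.0
    return {a.name: a.leased for a in reachable}, remaining


def appliance_limit(a):
    """Licenses the appliance believes it holds: its last lease, until that lease expires."""
    return a.holds if a.last_contact_h < LEASE_HOURS else 0


def admits(a, current_sessions):
    """Whether the appliance accepts one more licensed session (soft ~10% overage)."""
    limit = appliance_limit(a)
    return current_sessions + 1 <= limit + limit * SOFT_OVERAGE_PERCENT // 100
```

Setting last_contact_h past 24 hours on one appliance and calling distribute() again shows the caveat an operator should keep in mind: the CMS re-leases that appliance's share to the rest of the cluster, while the unreachable appliance keeps admitting sessions against its old lease for up to 7 days, so the licensed-session count across the cluster can temporarily exceed the pool. The Temporary and Permanent communication loss alerts described later in this guide are what surface that state.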

Enabling Central User Licensing

To enable Central User Licensing on the CMS:
1
Go to the Management Server > Configure > Central Management Settings page.

2
Under Central User Licensing, select Enable managing appliance user licensing with one central license.
3
Click Save.

Getting Started with Central User Licensing

This section describes how to migrate from a standalone appliance to CMS with GTO and Central User Licenses.

Setting Up CMS to Use Central User Licenses

Once you have SMA appliances registered with CMS, you can transition to Central User Licensing.

 
* 
NOTE: If you have an HA Pair, you need to engage with SonicWall Sales to exchange your HA pair licenses for CMS-based Central User Licenses.
To transition standalone SMA appliances to use the Central User License model:
1
Log into the Central Management Console.
2
Navigate to Management Server > Configure > Licensing.

3
Select Register.

4
Enter the credentials of the MySonicWall account that owns the licenses for the Central Management Server.

5
Enter the serial number and authentication code that match the license in MySonicWall.
6
Enter a friendly name to identify this CMS in your MySonicWall account.
7
Select Submit. You see the MySonicWall view of your license. You can get back to this at any time after you are registered by choosing Manage Licenses > Manage and re-entering your MySonicWall credentials.

8
Select Return. This is the normal view of a registered CMS license. It shows the licensing mode as online and how long since it was last synchronized. It should never be more than 24 hours since it was last synchronized.

 
* 
NOTE: You can also select Synchronize to force an immediate synchronization with the backend.

Setting up CMS for Centralized Appliance Configuration and Management

Once you have a cluster of SMA appliances that share a central license pool, you can monitor and maintain them from a single console.

If your appliances have very different configurations, you should normalize the differences so that you can take full advantage of CMS, GTO, and Global HA.

To use CMS to centralize appliance configuration management:
1
Normalize the appliance configurations.
2
Export the configuration from your SMA appliance.
3
Import the configuration to CMS.
4
Synchronize the CMS policy with the managed appliances.
5
Configure the CMS as described in Configure.

Resetting a CMS License

The license state on a Central Management Server can be reset or undone.

1
Navigate to the Licensing page (Management Server > Configure > Licensing).
2
Append ?troubleshoot=1 to the URL of the Licensing page in the browser address bar.
3
Select Reset.

This reboots the CMS with no license and it can be registered again with MySonicWall.

 

Global High Availability

* 
NOTE: SMA 11.4.0 is the last release that supports HA (High Availability) Pairs. This feature has been replaced with the Global High Availability (GHA) features described in this chapter.

High Availability for VPN

When a Global Traffic Optimizer (GTO) service is configured on the CMS, the global Highly Available (HA) online VPN service is enabled for users. Users access this VPN service using the GTO service name (such as access.example.com) from tunnel clients (Connect Tunnel or Mobile Connect) or web clients (supported web browsers).

All the SMA appliances that are configured for the GTO service participate in the highly available VPN service.

If an appliance that is part of the service fails due to hardware, power or network issues:

New connection requests (by tunnel or web clients) will get directed to other available appliances.
Tunnel clients with cached credentials (that were connected to the appliance that failed) are automatically reconnected to another available appliance. Users do not need to re-enter their credentials.
Tunnel clients without cached credentials (that were connected to the appliance that failed) will connect to a different appliance. Users must enter their credentials when prompted.
Web users (that were connected to the appliance that failed) must retype the GTO service name in their browser and enter their credentials when prompted.
 

CMS High Availability and Disaster Recovery Features

CMS GHA and Disaster Recovery Scenarios

Scenario            | VMware ESXi 5.5 | Microsoft Hyper-V 2012 R2 | Comments
Clustering/HA       | Yes             | Yes                       | Seamless transition of CMS and SMAs from host 1 to host 2 when host 1 is rebooted or shut down.
Cloning             | Yes             | Yes                       | CMS could be successfully cloned, followed by resumption of communication with managed appliances and the license manager.
Export/Import       | Yes             | Yes                       | CMS could be successfully exported from host 1 and imported to host 2, followed by resumption of communication with managed appliances and the license manager.
Snapshot/Checkpoint | Yes             | Yes                       | Successful preservation of, and transition between, multiple states/configurations of the CMS.

Disaster Recovery for VPN

Customers can set up Disaster Recovery (DR) for VPN by locating appliances that are in a Global Traffic Optimizer (GTO) service at different data centers.

Disaster recovery of the VPN service enables the continuation of remote access when a disaster or failure takes out a major location. Users keep using the same GTO service name (such as access.example.com), and the SMA appliances at the other locations that are part of the global VPN service accept the connection requests.

Planning the Disaster Recovery (DR) for the VPN service is done in conjunction with DR planning of other essential IT services. SMA appliances (that are part of the GTO service) must be located at alternate data centers along with other key infrastructure components.

If a disaster destroys a data center that has SMA appliances, the remaining appliances continue to provide service.

Global High Availability Versus HA Pair

Global Traffic Optimizer (GTO) with Global High Availability (GHA) is a new solution for SMA 12.0 and later that facilitates high availability and disaster recovery for SMA products.

The High Availability (HA) Pair product is not supported as of SMA 12.0.

The following table compares the features of an HA Pair with the features of GTO with global HA.

 

Comparison of HA Pair and GTO with GHA

High availability model
    HA Pair: Active-Standby.
    GTO with GHA: All appliances in the cluster are active.

Number of appliances in HA cluster
    HA Pair: Always 2.
    GTO with GHA: 2 to 100.

Licensing model
    HA Pair: Two separate appliance-based license files.
    GTO with GHA: CMS-based pooled user license obtained from the License Manager Service.

Location of appliances
    HA Pair: Appliances must be in a single data center, less than 3 feet apart.
    GTO with GHA: Globally distributed locations.

SMA appliances supported
    HA Pair: All physical appliances. Virtual appliances are not supported.
    GTO with GHA: All SMA physical and virtual appliances are supported.

Virtual infrastructure
    HA Pair: Not needed.
    GTO with GHA: Required. CMS is a virtual machine and must be hosted on virtual infrastructure (VMware ESX/ESXi or Microsoft Hyper-V).

Mix of appliances
    HA Pair: Both appliances in the HA Pair must be identical (for example, two SMA EX-7200s).
    GTO with GHA: The cluster can have any combination of physical and virtual SMA appliances.

Release versions supported
    HA Pair: SMA 10.7.2 and 11.4.0. Not supported after 11.4.0 support expires.
    GTO with GHA: SMA 12.0 and higher. No plans to back-port to 11.4.

End of Life
    HA Pair: April 2019 (3 years after the release of 11.4).
    GTO with GHA: This is the next generation of SMA HA.

Disaster Recovery
    HA Pair: Not supported. Appliances in an HA Pair must be in the same data center.
    GTO with GHA: Supported. Appliances in the cluster can be globally distributed.

Redirection model
    HA Pair: Uses a VIP.
    GTO with GHA: DNS-based redirection. Requires customers to configure DNS for Global Traffic Optimizer.

Session restoration
    HA Pair: Session is automatically restored on the paired appliance.
    GTO with GHA: VPN reconnection is supported. Session restoration is not supported.

Data persistence
    HA Pair: Personal Bookmarks, Local User accounts, Device Registration. Per-app VPN data persists across a failover. User lock out persists across a failover.
    GTO with GHA: Not supported in SMA 12.

Single points of failure
    HA Pair: The HA Pair is installed in one data center, which is susceptible to power, network or other disasters.
    GTO with GHA: CMS server failure: a CMS outage of a few minutes has little or no adverse effect on HA. CMS is a virtual appliance and relies on the HA model of the IT department's virtual infrastructure. CMS has a relatively low MTTR if a full clone is instantiated or the HA cluster model is used. License Manager Service: CMS queries the License Manager every 24 hours and continues to operate for 30 days without access to the License Manager.

Tunnel clients with cached credentials
    HA Pair: Cached credentials are not needed to restore the session if an appliance fails.
    GTO with GHA: The client automatically reconnects and establishes a new user session on a proximate appliance in the cluster.

 

Alerts and SNMP

Overview

This section contains detailed information about alerts and the use of SNMP in the CMS.

The CMS generates alerts that are either Warnings or Errors. Alerts are displayed prominently on the CMS dashboard. Alerts can originate from a condition that occurs on the CMS, or from a managed appliance.

Alerts can be configured to generate SNMP traps that are monitored by any IT infrastructure Network Management System (NMS).

Pre-Configured Alerts

The Table of Pre-Configured Alerts lists the fixed set of conditions that can trigger alerts.

* 
NOTE: In the console, each row carries a Priority symbol that marks the alert as a Warning or an Error. Where the same name appears twice with different thresholds (for example, High user license usage at 75 and 95 percent), the two rows are the two priority levels.
 

Table of Pre-Configured Alerts

Name                                       | Measurement                         | Condition
Unable to communicate with License Manager | CMS connection to MySonicWall       | Connection is lost for 10080 minutes (7 days)
Unable to communicate with MySonicWall     | CMS connection to MySonicWall       | Connection is lost for 10080 minutes (7 days)
Unable to communicate with MySonicWall     | CMS connection to MySonicWall       | Connection is lost for 4320 minutes (3 days)
Temporary communication loss               | Managed appliance connection to CMS | Connection is temporarily lost
Permanent communication loss               | Managed appliance connection to CMS | Connection is permanently lost
License has expired                        | CMS license expiration date         | Expiration date is past
License expires soon                       | CMS license expiration date         | Expiration date is a certain number of days away
High user license usage                    | CMS license usage                   | Value is over 95 percent
High user license usage                    | CMS license usage                   | Value is over 75 percent
High swap usage                            | Swap usage                          | Value is over 5 percent
High memory usage                          | Memory usage                        | Value is over 85 percent for 5 minutes
High disk usage                            | Disk usage                          | Value is over 95 percent
High CPU usage                             | CPU usage                           | Value is over 85 percent for 5 minutes
High appliance license usage               | Appliance license usage             | Value is over 89 percent
Critically high memory usage               | Memory usage                        | Value is over 95 percent for 5 minutes
Critically high CPU usage                  | CPU usage                           | Value is over 95 percent for 5 minutes
Critically high appliance license usage    | Appliance license usage             | Value is over 98 percent
Certificate expired                        | Time until certificate expires      | Value is under 0 days
Certificate about to expire                | Time until certificate expires      | Value is under 30 days

The administrator can edit the pre-configured alerts as follows:

Modify or customize these pre-configured default alerts.
Disable them
Make changes to the threshold, duration and message.
Configure additional alerts. The Table of Alerts lists all the conditions that can be used to configure Alerts.
Configure the priority of an alert to either Critical or Warning.
SNMP traps are generated for all Critical alerts.

For these activities, use the following guidelines:

When an appliance-related alert is configured, it applies to all managed appliances; alerts cannot be configured or tailored for a specific appliance.
The maximum number of alerts that can be configured by the administrator on a CMS is 100.

Alerts shown on the dashboard can be dismissed by the administrator. Dismissed alerts will no longer be displayed in the dashboard view, but can be seen in the Alerts page. If the alert condition toggles (ON->OFF->ON), a new alert for the same condition will be raised in the dashboard.

All alerts are stored in the Alerts Database, which retains a rolling 90-day history. The Alerts View lets the administrator see all alerts in the past Day, Week, Month or Quarter.
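To show how the threshold, duration and dismissal rules above interact, here is an added Python example (not SonicWall code) that evaluates a handful of the pre-configured conditions against constructed per-minute samples. The rule subset and the Warning/Critical assignments are assumptions for the example, as are the metric names; the evaluation semantics follow the table (instant thresholds, "for 5 minutes" sustained thresholds, and "under N days" lower bounds) and the dashboard behaviour described in this section.

```python
"""Illustrative evaluator for CMS-style alert rules (added example, not SonicWall code).

Rule shapes follow the Table of Pre-Configured Alerts: an instant threshold
("value is over 95 percent"), a sustained threshold ("over 85 percent for
5 minutes") and a lower bound ("time until certificate expires is under 30
days"). Dashboard behaviour follows the guide: dismissing an alert removes it
from the dashboard but not from the alert history, and a condition that clears
and fires again raises a new alert. Priorities and metric names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CONFIGURED_ALERTS = 100   # the guide's per-CMS limit on configured alerts


@dataclass(frozen=True)
class Rule:
    name: str
    metric: str
    threshold: float
    priority: str            # "Warning" or "Critical" (assumed per rule for this example)
    over: bool = True        # True: fires when value > threshold; False: when value < threshold
    sustain_min: int = 0     # minutes the condition must hold before firing (0 = instant)


# A subset of the pre-configured conditions; priorities are assumptions.
PRECONFIGURED = [
    Rule("High CPU usage", "cpu_pct", 85, "Warning", sustain_min=5),
    Rule("Critically high CPU usage", "cpu_pct", 95, "Critical", sustain_min=5),
    Rule("High disk usage", "disk_pct", 95, "Critical"),
    Rule("Certificate about to expire", "cert_days_left", 30, "Warning", over=False),
    Rule("Certificate expired", "cert_days_left", 0, "Critical", over=False),
]


@dataclass
class Alert:
    rule: Rule
    appliance: str
    raised_at: int                    # minute index of the sample that raised it
    dismissed: bool = False
    cleared_at: Optional[int] = None  # minute the condition stopped holding


class AlertEngine:
    def __init__(self, rules: List[Rule]):
        if len(rules) > MAX_CONFIGURED_ALERTS:
            raise ValueError("a CMS allows at most 100 configured alerts")
        self.rules = list(rules)
        self.history: List[Alert] = []                     # the Alerts Database
        self._since: Dict[Tuple[str, str], int] = {}       # minute a condition first held
        self._active: Dict[Tuple[str, str], Alert] = {}    # conditions currently firing

    def observe(self, minute: int, appliance: str, metrics: Dict[str, float]) -> List[Alert]:
        """Feed one minute's sample for one appliance; return the alerts it raises."""
        raised = []
        for rule in self.rules:
            if rule.metric not in metrics:
                continue
            value = metrics[rule.metric]
            holds = value > rule.threshold if rule.over else value < rule.threshold
            key = (rule.name, appliance)
            if not holds:
                self._since.pop(key, None)
                ended = self._active.pop(key, None)
                if ended is not None:
                    ended.cleared_at = minute          # condition toggled OFF
                continue
            start = self._since.setdefault(key, minute)
            if minute - start >= rule.sustain_min and key not in self._active:
                alert = Alert(rule, appliance, minute)  # new alert, also after ON->OFF->ON
                self._active[key] = alert
                self.history.append(alert)
                raised.append(alert)
        return raised

    def dismiss(self, alert: Alert) -> None:
        alert.dismissed = True          # leaves the dashboard, stays in history

    def dashboard(self) -> List[Alert]:
        return [a for a in self.history if not a.dismissed]

    def trap_queue(self) -> List[Alert]:
        """Alerts that would generate SNMP traps: all Critical ones."""
        return [a for a in self.history if a.rule.priority == "Critical"]
```

Two details matter when wiring this into an NMS. A sustained rule needs sustain_min plus one consecutive samples before it fires, so a CPU spike shorter than the window never reaches the dashboard or the trap queue, which is the intended filtering. And because a cleared-then-refiring condition raises a fresh alert rather than reopening the dismissed one, flapping conditions generate repeated traps; tune the threshold and duration rather than dismissing repeatedly.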

Configuring SNMP

To enable SNMP:
1
Click Management Server > Configure > Network Services.
2
Under SNMP, click Configure.

3
Enter the information you want in the appropriate fields.
4
Click Save and Apply Pending Changes.