Secure Mobile Access 12.0 CMS with GTO Admin Guide

GTO Configuration


Introduction to GTO



The Global Traffic Optimizer (GTO) is a feature of SMA and CMS that presents a collection of SMA appliances to end users through a single GTO service name (for example access.example.com), which allows users to access their organization's network through an appropriate SMA appliance depending on their global location and other factors.

Secure Mobile Access (SMA) appliances provide SSL VPN access to an organization's Intranet resources from virtually any endpoint on the Internet—including desktops, laptops, tablets, and smart phones. The Central Management Server (CMS) provides a single console for managing, maintaining, and monitoring a collection of similarly-configured SMA appliances that may be hosted in one data center or in multiple locations.

Previously, the benefits provided by GTO could only be achieved by deploying and coordinating an array of separate third-party appliances and services, such as content-distribution-network DNS redirectors, local traffic managers, and load balancers often under separate administrative control. GTO replaces this scenario with a single external DNS delegation, which manages all aspects of user traffic distribution automatically, including license provisioning and leveling.

NOTE: Remember to keep the DNS port open on the firewall. Refer to Additional Deployment Notes for more details.

Users have one consistent sign-on procedure with one GTO service name that connects them with the appropriate SMA appliance for their current location and circumstances, and gives them a similar experience every time they use the system anywhere in the world.

GTO makes intelligent routing decisions based on real-time data such as appliance availability, health, load, Internet and Intranet conditions. GTO redirects user connection requests to the most appropriate SMA appliance using the best possible route for the user at that moment.

This guide provides instructions on how to deploy CMS with GTO, including DNS configuration and certificate requirements.

CMS with GTO

CMS with GTO supports the following services and features:

Exchange ActiveSync and Outlook Anywhere
Custom FQDN for access to resources and Workplace sites
Administration visibility into GTO status from the CMS console

GTO is a superior model over the fallback server model, and fallback is not supported with GTO. When an appliance is in GTO mode, it does not send fallback information to the clients.

When a client interacts with a GTO service, it does not receive fallback information. Consequently, GTO does not attempt to do fallback.

NOTE: An SMA appliance must be dual homed to participate in GTO.

Exchange ActiveSync and Outlook Anywhere

From the CMS console, you can configure Exchange ActiveSync and Outlook Anywhere across all appliances in the GTO service. For example, if the GTO service name is access.example.com the custom FQDN could be mail.example.com.

Mail clients using Exchange ActiveSync or Outlook Anywhere protocol can connect to the GTO service, using a custom FQDN, and experience global traffic Optimizer, such connection to a proximate appliance, improved availability, and load distribution.

NOTE: Public DNS must be configured for the ActiveSync and Outlook Anywhere FQDN, and the names must similar to the GTO service names.

CMS with GTO supports roaming as follows:

When an Exchange ActiveSync client connects to a GTO service it may get directed to a different appliance from the last time it connected.
Exchange ActiveSync clients send credentials with each request and after they get authenticated, they can access the ActiveSync server.
A new pooled license is issued for each connection.
The license is released after the ActiveSync connection is terminated.

Custom FQDN for Mapped Resources

You can configure custom FQDNs to backend resources across all appliances in a GTO service, and you can access those resources through the appliances that are part of the GTO service.

Users connecting to custom FQDNs can experience the benefits of GTO:

GTO connection to a proximate appliance
Improved availability
Load distribution

Resources should be accessed with the FQDN name rather than with the IP address.

The public DNS must be configured appropriately for each custom FQDN, in that each custom FQDN name must be similar to the GTO service name. For example, if the GTO service name is access.example.com, the custom FQDN name for Email should be mail.example.com.

In Workplace, all links must point to the same appliance.

The maximum number of custom FQDNs that can be configured for all appliances is the same as that of a standalone SMA appliance. If you are already authenticated to a GTO service, you will need to re-authenticate if you enter a Vanity FQDN into a Web browser.

You can deploy configurations with the following types custom FQDNs to appliances that are configured for GTO:

Vanity FQDNs that are currently supported on a single appliance.
Custom FQDN Mapped Resource Access where the backend resource or server is mapped to an external fully qualified domain name (host and domain).
Workplace site with a domain name that is different from the GTO service domain name.

Viewing GTO Status from the CMS Console

You can view and monitor the following capabilities on the CMC dashboard:

Appliances successfully enabled for GTO
Appliances not functioning correctly with GTO
Appliances that have the recommended certificate SANs for the primary GTO service
Appliances that do not have the recommended certificate SANs for the primary GTO service
DNS status of appliances delegated as authoritative servers

GTO and IPv6

End users on IPv6-only networks can reach SMA appliances with IPv6 addresses through GTO.

SMA appliances serving as authoritative DNS servers include IPv6 AAAA records in their responses where appropriate.

IPv6 is not supported on the internal interfaces of SMA appliances.

Deployment Notes

You should configure a minimum of two SMA appliances and delegate them in DNS as authoritative servers. This minimizes the likelihood that your users ever lose DNS resolution of the GTO service.

You must enable UDP 53 on your firewall for all traffic that is sent to CMS-managed appliances that are configured as authoritative servers.

Planning GTO Deployment

This section describes how to make deploying GTO easier by planning and adhering to a few guidelines as described below:


Choosing a Deployment Model

Before you set up your equipment, you need to choose a deployment model that meets your organization's needs. There are several ways you can set up the network hierarchy of your GTO deployment:

SMA Appliances Located in One Data Center

This model is typically employed by mid-sized organizations with major operations in a single location. All their SMA appliances are located in the organization's primary data center. Users have a single GTO service name (such as access.example.com) to access the network.

GTO eliminates the need for a load balancer in the data center for VPN traffic. User connections are automatically directed to an available appliance in the data center. The CMS and SMA appliances are all located in the data center. If any one of the appliances fails, the CMS detects the failure, and GTO automatically redirects the VPN connections to another appliance.

SMA Appliances Geo-Distributed across Multiple Data Centers

This model is typically employed by mid-sized organizations with operations in more than one geographic location, and their SMA appliances are located in different geographic locations. For example, an organization deploys two SMA appliances, one located in their New York City data center and the second appliance located in their London branch office. The employees in the Americas connect to the appliance in New York City, while the employees in Europe connect to the appliance in London.

The CMS and one of their SMA appliances is located in New York City. The other SMA appliance is located in London and is also managed by the CMS. All the employees in the Americas and in Europe use a single service name: access.example.com, which directs all connections to an available and proximate appliance.

Mixed Mode

This model is typically employed by larger sized organizations with a global workforce. Their SMA appliances are located in multiple geographic locations, and they may have more than one SMA appliance in the data center. For example, an organization has six SMA appliances: three in New York City, two in London, and one in Tokyo. Employees globally use the same service name: access.example.com.

GTO automatically directs connections from employees in the Americas to the SMA appliances in New York City, connections from employees in Europe to the SMA appliances in London, and connections from employees in Asia to the SMA appliance in Tokyo. GTO eliminates the need for a global traffic manager or load balancer in the data center.

Minimizing Configuration Differences

In a GTO service, users can get directed to different SMA appliances frequently, and users expect the same experience, regardless. You can minimize configuration differences between SMA appliances in a GTO service by observing the following guidelines:

Maintain the same resource set and access rules on each SMA appliance in the GTO service. The best way to do this is to define one central policy on the CMS and synchronize it with all the managed SMA appliances.
Use only DHCP tunnel address pools at each SMA deployment site. Other types of address pools can be used, but managing SMA appliances with different configurations is difficult. However, this can be done and is described in Varying Tunnel Address Pools.
Use a single authentication server configuration for all SMA appliances. If necessary, use transparently-distributed authentication services. CMS policy replication does include support for varying the authentication server configurations at each SMA appliance. You can do this by configuring locally-replicated authentication servers at the SMA appliance console. See Using Distributed Authentication Servers.
Use wildcard certificates for user access. GTO makes all of its SMA appliances available under a variety of names, each of which must match the certificate. It is possible to identify all such names each time the configuration changes and generate certificates without wildcards, but the process is tricky and error-prone. It is recommended that you use wildcard certificates.

GTO Service Names and DNS Delegations

To establish a GTO service, you must choose a GTO service name and establish DNS delegations.


Choosing a GTO Service Name

The GTO service name is a delegated DNS zone, which means you must control the parent zone and make a delegation from it to one or more SMA appliances under the GTO service.

If your organization controls the example.com DNS zone, the access.example.com or vpn.example.com could be appropriate GTO service names.

Establishing the GTO Service Name Delegations in DNS

A GTO service name delegation is a DNS subzone delegation. It requires NS records that identify the authoritative server names for the subzone, and corresponding glue-A record that provides IP addresses for those authoritative server names.

DNS delegations must be created for the following components on each of the managed appliances:

Primary GTO service
Custom FQDN
Custom Workplace Sites
Outlook Anywhere
Active Sync

The authoritative servers themselves are SMA appliances that are part of the GTO service and are identified by their public IP addresses and the NS record names in the following format:


For example, the following two DNS records in the zone configuration of example.com could establish a delegation for the GTO service and SMA appliance described above:

access.example.com. 86400 IN NS node1.ns.access.example.com.

node1.ns.access.example.com. 86400 IN A

In a typical GTO deployment with multiple SMA appliances, it is important to establish at least two such delegations. This ensures that the GTO service remains available if any one the SMA appliances is brought down for maintenance (or a network outage).

At least one authoritative server (SMA appliance) must be running at any given moment. Otherwise, users are not be able to connect.

Additional authoritative servers can provide redundancy and improved performance for some users. You should limit GTO service delegations to about three. Ideally, they should be geographically distributed.

Provisioning Certificates

You must provision certificates on the GTO-enabled SMA appliances to facilitate the GTO service. Provisioning certificates must be created for the following components on each of the managed appliances:

Primary GTO service
Custom FQDN
Custom Workplace Sites
Outlook Anywhere
Active Sync

Certificates, which give connecting users proof of SMA authenticity before they submit credentials, must be configured on each individual SMA appliance. A single wildcard certificate naming both the GTO service name and all names underneath it (such as access.example.com and *.access.example.com) can be copied onto every SMA appliance.

The CMS console Dashboard provides convenient links to the management consoles of each SMA appliance, where certificates are uploaded under SSL Settings.

You can generate a CSR for a certificate that is appropriate for all the SMA appliances in the GTO service.

To generate a CSR for a certificate that is appropriate for all the SMA appliances in the GTO service:
Go to the Certificate Signing Requests page.
In the Fully Qualified Domain Name field, enter the GTO service name.
In the Alternate Names field, enter the corresponding wildcard name (such as *.access.example.com).


Setting up GTO

This section describes how to configure a basic GTO deployment, consisting of a CMS that manages at least one SMA appliance.


Setting up the CMS and SMA appliances

Before you can configure the GTO, you must first set up a CMS and at least one SMA appliance.

Set up a CMS by following the instructions in Installing and Configuring the Central Management Server for establishing a CMS virtual machine to control the GTO service and manage the configuration of its component SMA appliances.

Set Up at least one SMA appliance by following the instructions in Configuring Appliances for Central Management. Follow the initial Setup Wizard configuration steps for cabling, administrator password, internal and external interface addresses, routing mode, and gateways, etc.

NOTE: GTO deployments do not support single-homed appliances.

Setting up a Basic GTO deployment

After you set up the Central Management Server (CMS) and at least one SMA appliance, you can set up a basic GTO deployment.

To set up a basic GTO deployment:
On the CMS, navigate to the Management Server > Configure.

Select the Central Management Settings option.
The Central Management Settings dialog appears.

Under Central User Licensing, check box for Enable managing appliance user licensing with one central license. The current license will support 500 concurrent user sessions across all appliances.
Under Global Traffic Optimizer Service, check the box for Users connect to a service from anywhere in the world and are routed to the nearest managed appliance.
NOTE: The Global Traffic Optimizer Service check box is grayed out if Central User Licensing is not enabled. You must enable Central User Licensing before you can enable the Global Traffic Optimizer Service.

After you enable the Global Traffic Optimizer Service, the following message is displayed:

The service name must be delegated in public DNS, see the admin guide for details.

In the Service name field, enter the name of your service. For example, access.example.com.
Under Policy Synchronization, check the box for Enable pushing policy configuration from this server to managed appliances. This feature is recommended so that users will have a consistent experience on all GTO-enabled appliances.
Under Authentication servers, select Nodes in the collection share centralized authentication servers.

Registering an SMA Appliance with the CMS

After you configure GTO on the CMS, you must register the SMA appliance with the CMS.

To register the SMA appliance with the CMS:
On the CMS, go to Managed Appliances > Add/Remove.

Click the New button.

In the Name field, enter a name for the new appliance. For example, Seattle-01.
In the Internal IP or host field, enter the IP address for the new appliance.
In the One Time Password field, enter the one time password obtained from the Maintenance > Central Management page of the SMA appliance.
Click OK. This registers the appliance with the CMS and adds it to the CMS list.
The dialog changes with more options.

From the Country menu, select the country where the appliance is located.
In the Location field, enter the city, state, or province where the appliance is located.
Select the checkbox for Enable Global Traffic Optimizer Service.
In the DNS name field, enter a unique DNS-legal name for this appliance, for example seattle01.
In the Public IP field, enter the internet-visible, public IP address for this appliance.

This should be the address by which remote users will access this appliance. The default IP address is the external IP address of the appliance. The public IP address may be different from its external IP address if the public WAN addresses are using NAT at the DMZ.

NOTE: The client certificate warning, DNS name field, and Public IP field are only visible when CMS is enabled for GTO.
Check the box for Send user connections to this appliance, so that users connecting to access.example.com may be routed to this appliance.
Click Save.

Monitoring and Configuring GTO

The CMC dashboard shows which appliances are participating in GTO. A GTO participant appliance’s nominal status is GTO with a green globe icon. A non-participant appliance's nominal status is Managed. The top of the dashboard displays GTO service warnings and errors, if any.

GTO services can be managed on the Managed Appliances > Configure > Global Traffic Optimizer page.

From this page, you can manage the following items:

Global Traffic Optimizer (GTO)
Central policies for managed appliances
Synchronize appliance policies with the central policy

The GTO Services page shows a table of all GTO services and their statuses. GTO services are colored green, yellow, or red to reflect their health status. On the lower part of the page is a guide for creating a GTO service with a Custom FQDN, Exchange, or Workplace Site.

The Appliance Certificates page shows which Certificate Subject Alternative Names (SANs) must be included in each appliance certificate, and notifies the administrator which SANs are missing.

The DNS Delegations page describes the additional steps an administrator must take to configure the public DNS system for GTO, and provides a helper tool to generate DNS records in BIND format.

Defining the Central Policy

From the Central Management Console (CMS), you can define the central policy for a single-appliance SMA deployment. You can define the policies for your authentication servers and realms, resources and access rules, web and tunnel access methods, end-point control, and so on.

NOTE: The steps in this section are optional.
To define the central policy:
On the CMS, go to the Managed Appliances > Configure > Define policy page.

Define the policies you want.
See the following sections for instructions on defining server certificates, authentication servers, and tunnel address pools:
When you have finished defining your policy, click Apply Pending Changes and follow the link in the results dialog to synchronize this new policy with the managed SMA appliance.

On the Synchronize policy page, select the checkbox for the SMA appliance you want to synchronize.

Click Synchronize.

The message, “Synchronizing data, please wait...” appears as the policy is overwritten by the central policy.

When policy synchronization has completed, the screen displays the Status as Synchronization finished.

You can now type the GTO service name into the address bar of any standard Internet Web browser, anywhere in the world, and sign in to securely access the configured resources.

Extending GTO Deployment


Adding Additional SMA Appliances

Additional SMA appliances can be added to the basic GTO configuration by following the steps in Setting up GTO. Each SMA appliance that is added automatically begins serving new requests for GTO user connections.

When a new SMA appliance is added to a different location than the existing appliances, it becomes available to GTO. When GTO evaluates a new user relative to the available SMA appliances, it includes the new appliance at the different location, and directs the new connection to the appropriate SMA appliance. This evaluation is repeated each time a user connects. GTO may connect users to different SMA appliances in different circumstances.

Enabling Cached Credentials

If your security settings allow cached credentials on end-user devices, you can assign nearly-seamless failover and high-availability capabilities to Connect Tunnel clients and Mobile Connect SSL VPN Tunnel clients. You can do this even if the SMA appliances are in different locations (and therefore do not share an internal network).

To enable cached credentials:
Go to the Managed Appliances > Configure page.
Go to Realms > Community > Access Methods > Tunnel.
Click the Configure button.

Using Distributed Authentication Servers

The latency and reliability of authentication services can be improved in some situations by replicating authentication servers in widely-distributed locations, and configuring specific SMA appliances to use a nearby replicated authentication server instead of the central instance, which might be on another continent.

To accomplish this, first establish the authentication server settings in the central policy and then synchronize the central policy with all the managed SMA appliances. See Setting up a Basic GTO deployment.

Then, on the Management Server > Configure > Central Management Settings page, change the Policy synchronization settings so that the Each node has its own authentication server option is selected.

Click Save and Apply Pending Changes.

Now the central authentication server settings will only be pushed to appliances during policy synchronization if an authentication server of the same name does not already exist at the SMA managed appliance. Stated another way, if an SMA appliance already has an authentication server setting whose name matches a name configured at the CMS, that setting will not be touched during policy synchronization.

For each SMA appliance that needs local modifications to authentication server settings, log onto the management console at that appliance and adjust the configuration of the existing authentication server(s).

As long as each central policy authentication server has a corresponding SMA policy authentication server with the same name, your local changes will be preserved. Don't create or delete authentication servers from the SMA policy as you cannot modify other parts of the local configuration that reference these servers. Those changes will be overwritten the next time CMS synchronizes the central policy with this SMA.

Varying Tunnel Address Pools

The preferred tunnel address pool policy for GTO deployments is a single DHCP pool replicated to all SMA appliances, with no specific DHCP server mentioned in the policy. This is done using the Routed address pool - dynamic setting and not specifying a DHCP server (as shown below), so that appliances send broadcast requests to locate DHCP servers that can allocate addresses. This requires DHCP services to be available on the internal network that the appliances are on. Other policies are possible, but CMS does not help maintain them.

A tunnel address pool in the SMA policy will not be overwritten during policy synchronization if there is a corresponding tunnel address pool in the central policy with the same name. Be aware though, that the CMS will not synchronize with an SMA appliance at all if a tunnel address pool exists at the SMA appliance, but not in the CMS configuration. So the trick here is to create a tunnel address pool at the CMS, synchronize the central policy to all SMA appliances (to create the pool there), then adjust the configuration of that pool at each individual SMA appliance.

NOTE: You can adjust the parameters of pools (such as the address ranges in static pools or the NAT-from address in a NAT pool), but you cannot change the pool's type.

Additional Deployment Notes

Notes on SMA Appliances

It is recommended that you configure a minimum of two SMA appliances, and that you delegate them in DNS as authoritative servers to minimize the likelihood that your users ever lose DNS resolution of the GTO service.

You must enable UDP 53 on your firewall for all traffic that is sent to CMS-managed appliances that are configured as authoritative servers.

Web Limitations if an Appliance Fails

Web users may face some limitations with GTO if an appliance fails. GTO services should DNS-resolve to more than one MA node, and web browsers given a multi-address DNS response should connect to the first address that works. When CMS finds an MA unresponsive for a minute, it instructs the DNS authoritative server nodes to reconfigure around the broken MA, but during that reconfiguration time, the broken MA node can still appear in DNS responses. If this situation occurs and the user’s Workplace session fails, the user sees what looks like a typical failure of a website. The user needs to reconnect by retyping the GTO service name. They are redirected through a different node and can access that web site again.


SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract and to customers who have trial versions.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://support.sonicwall.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the Support Portal provides direct access to product support engineers through an online Service Request system.

The Support Portal enables you to:

View knowledge base articles and technical documentation
Download software
View video tutorials
Collaborate with peers and experts in user forums
Get licensing assistance
Access MySonicWall
Learn about SonicWall professional services
Register for training and certification

To contact SonicWall Support, refer to https://support.sonicwall.com/contact-support.

To view the SonicWall End User Product Agreement (EUPA), see https://www.sonicwall.com/legal/eupa.aspx. Select the language based on your geographic location to see the EUPA that applies to your region.