FAQ: DNS and SAN certificate requirements for CMS/GTO deployment
10/22/2020 
18 
3948
DESCRIPTION:
This Knowledgebase article provides you the necessary information on how to setup DNS and what type of certificate is required for the GTO (Global Traffic Optimizer) service
CAUSE:
This Knowledgebase article provides you the necessary information on how to setup DNS and what type of certificate is required for the GTO (Global Traffic Optimizer) service.
RESOLUTION:
FAQ: DNS and SAN cert requirements for CMS/GTO deployment
Below is an example guide for the DNS and SAN setup,
DNS Requirements:
GTO name: remote.example.com (FQDN an end-user is going to use to connect to the device)
If there are two SMA devices under the CMS, then we need to add below name server (NS) records and A records to customer's public DNS servers,
remote.example.com NS sma1.ns.remote.example.com
remote.example.com NS sma2.ns.remote.example.com
sma1.ns.remote.example.com A 15.2.2.2
sma2.ns.remote.example.com A 11.1.2.4
Note: You should configure a minimum of two SMA appliances and delegate them in DNS as authoritative servers.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SAN Certificate:
Subject Name: remote.example.com
Alternative name: sma1.remote.example.com; remote.example.com; sma2.remote.example.com
Why a SAN certificate?
If your organization has multiple domains, a single SSL SAN certificate can help you secure multiple domains along with their respective subdomains. Unlike Wildcard certificate, which allows us to add only one level of subdomain, In a SAN certificate, It allows encrypting multiple levels of subdomains.
Note: We do support both wildcard and SAN certificate but a SAN is highly recommended.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Note: sma1 and sma2 are the name of each appliance. This could be found on each appliance dashboard.
Click the below link for SMA 1000 series default assigned ports,
https://www.sonicwall.com/support/knowledge-base/what-are-the-sma-1000-series-default-assigned-ports/180524191604517/
Refer the CMS/GTO Admin Guide for more detailed setup,
https://www.sonicwall.com/support/technical-documentation/?language=English&category=Secure%20Remote%20Access&product=SMA%201000%20Series&resources=Administration%20Guide
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
