Varying Tunnel Address Pools
The preferred tunnel address pool policy for GTO deployments is a single DHCP pool replicated to all SMA appliances, with no specific DHCP server configured in the policy. To create it, go to Managed Appliances > Configure > Define Policy > User Access > Network Tunnel Service, click New in the IP address pools section, select Routed address pool - dynamic, and leave the DHCP server unspecified. Each appliance then broadcasts DHCP requests on its internal network to locate a DHCP server that can allocate client addresses, so a DHCP server (or a relay to one) must be reachable on the internal network segment of every appliance. Because the server is found by broadcast, any DHCP server on that segment can answer the appliance; keep the segment free of unmanaged DHCP servers. Other policies are possible, but CMS does not help maintain them.
During policy synchronization, a tunnel address pool in an SMA appliance's local policy is not overwritten as long as the central policy contains a pool with the same name. Be aware, however, that CMS will not synchronize with an SMA appliance at all if a tunnel address pool exists on the appliance but not in the CMS configuration. The workaround is therefore to create the tunnel address pool in CMS first, synchronize the central policy to all SMA appliances (which creates a pool of that name on each of them), and only then adjust that pool's settings on each individual SMA appliance. Keep the pool name unchanged when adjusting it locally; renaming it would leave the appliance with a pool that CMS does not know about and block further synchronization.
You can adjust a pool's parameters (such as the address ranges of a static pool or the NAT-from address of a NAT pool), but you cannot change the pool's type.
In the Advanced section, administrators can use DHCP option 118, the Subnet Selection Option defined in RFC 3011, to have the DHCP server allocate VPN client addresses from a specific subnet rather than from the subnet on which the appliance's request arrives.
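As an added illustration (not part of the original article and not SonicWall code), the following Python parses the options field of a DHCPDISCOVER and the matching DHCPOFFER, reads the subnet the client requested in option 118, and checks that the address the server offered actually falls inside that subnet, which is what RFC 3011 requires. The byte strings are constructed for the example; in practice they would be taken from a packet capture on the appliance's internal network when verifying that the DHCP server honours the Advanced setting.

```python
"""
Check that a DHCP server honoured RFC 3011 subnet selection (DHCP option 118).

Added illustration for this article, not SonicWall code. The option blobs below
are constructed for the example and stand in for the options field of a
DHCPDISCOVER sent by an appliance and the DHCPOFFER it received.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# DHCP option codes used here (RFC 2132, RFC 3011)
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_MSG_TYPE = 53
OPT_SUBNET_SELECTION = 118
OPT_END = 255

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field (magic cookie followed by TLV options) into
    {code: value}. PAD has no length byte; parsing stops at END."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        # An option split into several instances is concatenated (RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def build_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Encode options as magic cookie + TLVs + END. Used here only to build
    the constructed sample messages."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def requested_subnet(discover_opts: Dict[int, bytes]) -> Optional[ipaddress.IPv4Address]:
    """Return the subnet address carried in option 118, or None if absent."""
    raw = discover_opts.get(OPT_SUBNET_SELECTION)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("option 118 must be exactly 4 bytes (RFC 3011)")
    return ipaddress.IPv4Address(raw)


def offer_honours_subnet_selection(discover_opts: Dict[int, bytes],
                                   offer_yiaddr: str,
                                   offer_opts: Dict[int, bytes]) -> bool:
    """RFC 3011 requires the server to allocate from the subnet named in option
    118. Confirm the offered address (yiaddr) lies in that subnet, using the
    mask the server returned in option 1."""
    subnet_addr = requested_subnet(discover_opts)
    if subnet_addr is None:
        return False  # no subnet selection was requested, nothing to honour
    mask = offer_opts.get(OPT_SUBNET_MASK)
    if mask is None or len(mask) != 4:
        raise ValueError("offer lacks a usable subnet mask (option 1)")
    network = ipaddress.IPv4Network(
        (subnet_addr, str(ipaddress.IPv4Address(mask))), strict=False
    )
    return ipaddress.IPv4Address(offer_yiaddr) in network


# Constructed sample: DISCOVER asking, via option 118, for the 10.20.30.0 pool.
SAMPLE_DISCOVER = build_options([
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_SUBNET_SELECTION, ipaddress.IPv4Address("10.20.30.0").packed),
])
# Constructed sample: OFFER carrying a /24 mask; yiaddr is passed separately.
SAMPLE_OFFER = build_options([
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed),
])

if __name__ == "__main__":
    discover = parse_dhcp_options(SAMPLE_DISCOVER)
    offer = parse_dhcp_options(SAMPLE_OFFER)
    print("requested subnet:", requested_subnet(discover))
    for yiaddr in ("10.20.30.57", "192.168.1.10"):
        print(yiaddr, "honours option 118:",
              offer_honours_subnet_selection(discover, yiaddr, offer))
```

An offer outside the requested subnet means the DHCP server either ignores option 118 or is not the server you expected to answer the appliance's broadcast, and the client address pool should be investigated before users are routed through it.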