In a GTO service, users can get directed to different SMA appliances frequently, and users expect the same experience, regardless. You can minimize configuration differences between SMA appliances in a GTO service by observing the following guidelines:
Maintain the same resource set and access rules on each SMA appliance in the GTO service. The best way to do this is to define one central policy on the CMS and synchronize it with all the managed SMA appliances.
Use only DHCP tunnel address pools at each SMA deployment site. Other types of address pools can be used, but managing SMA appliances with differing configurations is difficult. It is possible, however, and is described in Varying Tunnel Address Pools.
Use a single authentication server configuration for all SMA appliances. If necessary, use transparently-distributed authentication services. CMS policy replication does include support for varying the authentication server configuration at each SMA appliance; you can do this by configuring locally-replicated authentication servers at the SMA appliance console. See Using Distributed Authentication Servers.
Use wildcard certificates for user access. GTO makes all of its SMA appliances available under a variety of names, each of which must match the certificate. It is possible to identify all such names each time the configuration changes and generate certificates without wildcards. It is recommended that you use wildcard certificates instead.
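The guideline above rests on every name a GTO service answers under matching the certificate presented for it. The following added check, which is not part of the SMA/CMS documentation or product, takes the list of names on a certificate (CN or SAN dNSName entries) and the list of hostnames the service hands out, and reports which hostnames the certificate does not cover. It applies the usual client-side wildcard rules (RFC 6125: the wildcard must be the whole leftmost label, it matches exactly one label, and it never covers the bare domain), so it also shows why a single `*.example.com` entry cannot cover multi-level or bare names. All hostnames and certificate names in it are constructed placeholders.

```python
# Added example (not SonicWall code): check GTO hostnames against certificate names.
# Hostnames and certificate names below are constructed placeholders.

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Wildcard handling follows the usual RFC 6125 client rules: '*' may only be
    the entire leftmost label, it matches exactly one label, and it never
    matches a bare domain (so '*.example.com' does not cover 'example.com').
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and must leave at least two
    # fixed labels (e.g. "*.example.com"); reject "f*o.example.com" and "*.com".
    if cert_labels[0] != "*" or "*" in cert_name[1:] or len(cert_labels) < 3:
        return False
    # Same number of labels, and every label after the first must be identical.
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def uncovered_names(cert_names, hostnames):
    """Return the hostnames (in input order) that no certificate name covers."""
    return [h for h in hostnames if not any(hostname_matches(c, h) for c in cert_names)]


# Constructed sample: one wildcard SAN plus one fixed SAN, checked against the
# per-site and service names a GTO deployment might hand out (placeholders).
SAMPLE_CERT_NAMES = ["*.sma.example.com", "portal.example.com"]
SAMPLE_GTO_NAMES = [
    "portal.example.com",
    "nyc.sma.example.com",
    "lon.sma.example.com",
    "eu.nyc.sma.example.com",  # extra label: the wildcard does not cover it
    "sma.example.com",         # bare domain: the wildcard does not cover it
]

if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_CERT_NAMES, SAMPLE_GTO_NAMES):
        print(f"not covered by certificate: {name}")
```

Run it against the real SAN list and the current set of GTO names after each configuration change; any name it reports will fail certificate validation in users' browsers and VPN clients until the certificate is reissued or the naming scheme is brought under the wildcard.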