After creating a customer, configure the feature options and settings that the customer can access. As a Partner Super User, you can choose the settings the partner customer can modify.
When you create a new customer, you are redirected to the Customer Configuration page, where you can configure the customer settings.
You can also navigate to the Configuration page from the Manage Customers page in the Partner portal. Select the customer and click or click the link to the customer.
In the customer or Enterprise portal, click, and you can configure the following settings.
Customer Capabilities – Only an Operator can enable or disable the capabilities. You can view the status of the following capabilities. If you want to enable or disable any of the capabilities, contact your Operator.
- Enable Enterprise Auth
- Enable Firewall logging to Orchestrator
- Enable Legacy Networks
- Enable Premium Service
- Enable Role Customization
- Enable Segmentation
- Enable Stateful Firewall
- Show Configuration section in the New Orchestrator UI
- CoS Mapping
- Service Rate Limiting
Security Policy – When creating Edge-to-Edge IPSec tunnels, you can modify the security policy configuration settings at the Customer Configuration level.
- Hash - By default, there is no authentication algorithm configured for the VPN header. When you select the Disable GCM checkbox, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down list:
  - SHA 1
  - SHA 256
  - SHA 384
  - SHA 512
- Encryption - AES 128-Galois/Counter Mode (GCM), AES 256-GCM, AES 128-Cipher Block Chaining (CBC) and AES 256-CBC are the encryption algorithm modes used to provide confidentiality. Select either AES 128 or AES 256 as the AES key size used to encrypt data. The default encryption algorithm mode is AES 128-GCM, which applies when the Disable GCM checkbox is not selected.
- DH Group - Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14.
- PFS - Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is disabled.
- Disable GCM - By default, AES 128-GCM is enabled. If required, select the checkbox to disable this mode. Selecting the checkbox enables AES 128-CBC mode.
- IPsec SA Lifetime - Time when Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes.
- IKE SA Lifetime - Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes.
Note: It is recommended not to configure low lifetime values for IPsec (less than 10 minutes) and IKE (less than 30 minutes), as the resulting rekeys can cause traffic interruption in some deployments. Use low lifetime values only for debugging purposes.
- Secure Default Route Override – Select the checkbox to ensure that the traffic from the Edge is routed based on the Network Service configured for the Business Policy rule, even when secure routing (either Static Route or BGP Route) is enabled on the Edge.
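The limits and recommendations listed above can be checked before a change is entered in the portal. The following is an added example, not VMware code and not the Orchestrator API: the `SecurityPolicy` class and all of its field names are hypothetical, and only the allowed values, ranges and defaults are taken from this page.

```python
from dataclasses import dataclass
from typing import Optional

HASHES = {"SHA 1", "SHA 256", "SHA 384", "SHA 512"}
GROUPS = {2, 5, 14, 15, 16}          # supported DH groups and PFS levels

@dataclass
class SecurityPolicy:                # hypothetical field names; defaults as documented
    disable_gcm: bool = False
    hash_alg: Optional[str] = None   # selectable only when Disable GCM is selected
    key_size: int = 128
    dh_group: int = 14
    pfs: Optional[int] = None        # None = PFS disabled (the default)
    ipsec_lifetime_min: int = 480
    ike_lifetime_min: int = 1440

def effective_cipher(p):
    """Encryption mode that results from the key size and the Disable GCM checkbox."""
    return f"AES {p.key_size}-{'CBC' if p.disable_gcm else 'GCM'}"

def audit(p):
    """Return (level, message) findings; an empty list means the policy is in range."""
    out = []
    if p.key_size not in (128, 256):
        out.append(("ERROR", "key size must be 128 or 256"))
    if p.hash_alg is not None:
        if not p.disable_gcm:
            out.append(("ERROR", "Hash can be selected only when Disable GCM is selected"))
        elif p.hash_alg not in HASHES:
            out.append(("ERROR", f"unsupported hash {p.hash_alg!r}"))
    if p.dh_group not in GROUPS:
        out.append(("ERROR", f"unsupported DH group {p.dh_group}"))
    elif p.dh_group < 14:
        out.append(("WARN", "DH group is weaker than the recommended group 14"))
    if p.pfs is not None and p.pfs not in GROUPS:
        out.append(("ERROR", f"unsupported PFS level {p.pfs}"))
    # Lifetimes: hard limits first, then the "debugging only" thresholds from the Note.
    for name, val, lo, hi, soft in (("IPsec", p.ipsec_lifetime_min, 3, 480, 10),
                                    ("IKE", p.ike_lifetime_min, 10, 1440, 30)):
        if not lo <= val <= hi:
            out.append(("ERROR", f"{name} SA lifetime must be {lo}-{hi} minutes"))
        elif val < soft:
            out.append(("WARN", f"{name} SA lifetime under {soft} min may interrupt traffic"))
    return out

if __name__ == "__main__":
    # Constructed sample: a debugging-style policy with short lifetimes.
    sample = SecurityPolicy(disable_gcm=True, hash_alg="SHA 256", dh_group=2,
                            ipsec_lifetime_min=5, ike_lifetime_min=20)
    print(effective_cipher(sample))
    for level, msg in audit(sample):
        print(level, msg)
```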
Service Access – Choose the services the customer can access along with the roles and permissions available for the selected service. See Configure Service Access.
Gateway Pool – The current Gateway pool associated with the selected customer is displayed. If required, you can choose a different Gateway pool from the available list.
If the Gateways available in the Gateway pool have been assigned the Partner Gateway role, you can hand off the Gateways to partners. Select Enable Partner Handoff to configure the handoff options for the segments and Gateways. For more information, see Configure Partner Handoff.
Maximum Segments – Displays the maximum number of segments configured by the Operator.
OFC Cost Calculation – Displays whether Distributed Cost Calculation has been enabled by the Operator. By default, the Orchestrator is actively involved in learning the dynamic routes. Edges and Gateways rely on the Orchestrator to calculate initial route preferences and return them to the Edge and Gateway. The Distributed Cost Calculation feature distributes the route cost calculation to the Edges and Gateways.
For more information on Distributed Cost Calculation, refer to the Configure Distributed Cost Calculation section in the VMware SD-WAN Operator Guide available at: https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Edge NFV – Displays whether the customers are allowed to deploy third-party Virtual Network Functions (VNF) on service-ready Edge platforms.
Edge Image Management – Displays the current Software Image associated with the selected Partner Customer. As a Partner Super User, you can select and assign a different Software Image from the available list of software images for the customer, if needed.
For more information, see the Edge Software Image Management section in the VMware SD-WAN Administration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
After making changes to the configurations, click Save Changes.