After creating a Customer, configure the feature options and settings that the Customer can access. As a Partner Super User, you can choose the settings the Partner Customer can modify.

When you create a new Customer, you are redirected to the Customer Configuration page, where you can configure the Customer settings. You can also navigate to the Configuration page by following these steps:

Procedure

  1. Log in to the SASE Orchestrator as a Partner.
  2. In the Partner portal, select a Partner Customer, and from the top header, click SD-WAN > Global Settings.
  3. From the left menu, click Customer Configuration. The following page is displayed:
    The Service Configuration section includes the following services:
    • SD-WAN
    • Edge Network Intelligence
    • Cloud Web Security
    • Secure Access
    • Cloud Hub

    Click the Turn On button to activate each service. Click the vertical ellipsis present at the top right corner of each tile to turn off or configure that service. You can also use the Configure option present at the bottom right corner of each tile to configure the respective service. Each tile displays the configuration summary.

    Note: When you select the Turn off option, a pop-up window asks for your confirmation. Select the check box and click Turn Off Service.
    1. SD-WAN: Clicking the Configure option displays a pop-up window with the following settings. Configure the settings, and then click Update.
      Domain: Enter the domain name used to activate Single Sign On (SSO) authentication for the Orchestrator. The domain is also required to activate Edge Network Intelligence for the Customer.
      Default Edge Authentication: Choose, from the drop-down menu, the default method used to authenticate the Edges associated with the Customer:
      • Certificate Deactivated: The Edge authenticates to the Orchestrator with a pre-shared key.
      • Certificate Acquire: Selected by default. Instructs the Edge to acquire a certificate from the certificate authority of the SASE Orchestrator: the Edge generates a key pair and sends a certificate signing request (CSR) to the Orchestrator, whose CA signs it and returns the certificate. Once acquired, the Edge uses the certificate to authenticate to the SASE Orchestrator and to establish VCMP tunnels.
        Note: After the Edge has acquired its certificate, you can change the option to Certificate Required.
      • Certificate Required: The Edge must authenticate with its PKI certificate. You can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.
      Edge Licensing: The existing Edge Licenses are displayed. Click Add to add or remove licenses.
      Note: A license type can be used on multiple Edges. It is recommended to give your Customers access to all license types that match their edition and region. For more information, see Edge Licensing.
      Allow Customer to Manage Software: Select the check box to allow an Enterprise Super User to manage the software images available for the Enterprise. For more information, see the topic Edge Image Management in the VMware SD-WAN Administration Guide.
      Operator Profile: Select an Operator profile to associate with the Customer from the drop-down menu. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see the "Manage Operator Profiles" section in the VMware SD-WAN Operator Guide available at VMware SD-WAN Documentation.
      Maximum Number of Segments: Enter the maximum number of segments that can be configured. The valid range is 1 to 16. The default value is 16.
    2. Edge Network Intelligence: Clicking the Configure option displays a pop-up window with the following settings. Configure the settings, and then click Update.
      Note: You can configure this service only when the SD-WAN service is turned on.
      Domain: Enter the domain name used to activate Single Sign On (SSO) authentication for the Orchestrator. The domain is also required to activate Edge Network Intelligence for the Customer.
      Analytics Nodes: Enter the maximum number of Edges that can be provisioned as Analytics Nodes. By default, Unlimited is selected.
      Feature Access: Select the Self Healing check box to allow Edge Network Intelligence to provide recommendations for improving performance.
    3. Cloud Web Security: This service is available only when you select a Gateway Pool with an activated Cloud Web Security role. Cloud Web Security is a cloud-hosted service that protects users and infrastructure accessing SaaS and Internet applications. For more information, see the VMware Cloud Web Security Configuration Guide. Clicking the Configure option displays a pop-up window in which you choose the edition:

      • Standard Edition: URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, Inline CASB Visibility.
      • Advanced Edition: URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, Inline CASB Visibility and Controls, Inline DLP Visibility and Controls.

      Select the required edition, and then click Update.

    4. Secure Access: This service is available only when you select a Gateway Pool with an activated Cloud Web Security role. The Secure Access solution combines the VMware SD-WAN and Workspace ONE services to provide consistent, optimal, and secure cloud application access through a network of worldwide managed service nodes. For more information, see the VMware Secure Access Configuration Guide. Clicking the Configure option displays a pop-up window with the following setting:

      Enter the maximum number of PoPs, and then click Update.

  4. The following additional configuration settings are available on the Customer Configuration page:
    Global
    User Agreement Display: Select one of the following from the drop-down menu:
    • Inherit
    • Override to Hide
    • Override to Show
    Note: This field is available only when the system property session.options.enableUserAgreements is set to True.
    Feature Access: Provides access to the selected features. Select one or more of the following check boxes to activate these features for the Partner Customer:
    • Enterprise Auth: By default, only the Operator can activate or deactivate two-factor authentication for an Enterprise. When you select this check box, Enterprise Admins can configure two-factor authentication on their own.
    • Enable Premium Service: Provides access to the available premium services. This option is selected by default.
    • Role Customization: Allows an Enterprise Super User to customize the role privileges of other Enterprise users.
    • Route Backtracking: Allows the device to choose the best route in order of prefix length.
    • In-product Contextual Help Panel: Provides access to the Help Panel integrated with the Orchestrator. This feature is deactivated by default; a Partner Admin must activate it for the Partner Customers.
    • Enable Firewall Logging to Orchestrator: By default, Edges cannot send their Firewall logs to the Orchestrator. Select this check box to allow an Edge to send its Firewall logs to the Orchestrator.
    • Customizable QoE: Allows the Customer to configure the minimum and maximum latency thresholds for the Voice, Video, and Transactional application categories of an Edge.
    • Enable Classic Orchestrator UI: Allows the Customer to switch from the Angular Orchestrator UI to the Classic Orchestrator UI. This option is available only when the system property session.options.enableClassicOrchestrator is set to True.
    Delegate Management To Customer: Allows the Partner Customer to modify the settings of the selected property. The following two properties are always visible to Partner Customers:
    • Enable CoS Mapping: Allows the Customer to configure CoS mapping when configuring a business policy.
    • Enable Service Rate Limiting: Allows the Customer to rate-limit services in a business policy.
    Gateway Pool
    Current Gateway Pool: Select the Gateway pool from the drop-down menu.
    Gateways in this Pool: Displays the details of the Gateways in the current pool.
    Partner Hand Off: Activating this option displays the Configure Hand Off section. For details, see Configure Partner Handoff.
    Security Policy
    Hash: By default, no separate authentication algorithm is configured for the VPN header, because AES-GCM is an authenticated encryption mode that already provides integrity protection. When you select the Turn off GCM check box, you must select one of the following authentication algorithms for the VPN header from the drop-down menu:
    • SHA 1
    • SHA 256
    • SHA 384
    • SHA 512
    Note: If you turn off GCM, prefer SHA 256 or stronger. SHA 1 is deprecated and should be selected only for interoperability with a peer that supports nothing stronger.
    Encryption: Select AES 128 or AES 256 as the key size of the AES algorithm used to encrypt data. The default is AES 128.
    DH Group: Select the Diffie-Hellman (DH) group that IKE uses to derive the shared secret for the tunnel (the pre-shared key is used to authenticate the peers, not exchanged over DH). The group number determines the size of the modulus or curve and therefore the strength of the key exchange: groups 2, 5, 14, 15, and 16 are 1024-, 1536-, 2048-, 3072-, and 4096-bit MODP groups, and groups 19, 20, and 21 are elliptic-curve groups over 256-, 384-, and 521-bit curves. The supported DH Groups are 2, 5, 14, 15, 16, 19, 20, and 21.
    Note:
    • DH Groups 19, 20, and 21 are available starting from Release 5.2.0.
    • It is recommended to use DH Group 14, which is the default value. Groups 2 and 5 are below the 2048-bit minimum generally recommended today and should be selected only for interoperability with a peer that supports nothing stronger.
    PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. With PFS, each IPsec SA rekey performs a fresh DH exchange in the selected group, so that compromise of the IKE SA keys does not expose the keys of earlier IPsec SAs. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.
    Turn off GCM: Select this check box to activate the Hash setting and select a separate authentication algorithm for the VPN header.
    IPsec SA Lifetime (min): Time after which Internet Protocol Security (IPsec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes.
    Note: Configuring a low IPsec lifetime (less than 10 minutes) is not recommended, as the frequent rekeys can interrupt traffic in some deployments. Low lifetime values are intended for debugging only.
    IKE SA Lifetime (min): Time after which Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes.
    Note: Configuring a low IKE lifetime (less than 30 minutes) is not recommended, as the frequent rekeys can interrupt traffic in some deployments. Low lifetime values are intended for debugging only.
    Secure Default Route Override: Select the check box so that the destination of traffic matching a secure default route (either a Static Route or a BGP Route) from a Partner Gateway can be overridden using Business Policy.
    Note: For instructions on how to activate secure routing on an Edge, see Configure Partner Handoff. For more information about configuring a Network Service for a Business Policy rule, see "Configure Network Service for Business Policy Rule" in the VMware SD-WAN Administration Guide available at VMware SD-WAN Documentation.
    Edge Network Function Virtualization
    Edge NFV: Select this option to activate the ability to deploy VNFs on Edges. After one or more VNFs have been deployed on Edges, you cannot deactivate this option.
    Security VNFs: Select the relevant check boxes to deploy the corresponding security VNFs on Edges.
    SD-WAN Settings
    OFC Cost Calculation: Select the required check box:
    • Distributed Cost Calculation: Select this check box to delegate route cost calculation to Edges/Gateways.
      Note: This option is available only for Edges/Gateways running version 3.4.0 and later.
    • Use NSD Policy: Select this check box to use the NSD policy for route cost calculation on Edges/Gateways.
      Note: This option is available only for Edges/Gateways running version 4.2.0 and later.
    Multiple-DSCP tags per Flow Path Calculation: Select the check box to include the DSCP value as part of the flow look-up.
    Note: This field is available only when the system property session.options.enableFlowParametersConfig is set to True.
    Feature Access: Select the Stateful Firewall or Advanced Threat Protection check box to override the corresponding setting activated on the Enterprise Edge.
  5. Click Save Changes.
    Note: When you modify the Security Policy settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.
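The Certificate Acquire and Certificate Required options in step 3 describe an enrollment protocol: the Edge generates a key pair and sends a CSR, the Orchestrator's certificate authority signs it, and from then on the Edge authenticates with the certificate. The following Go program is an added example written for this page; it is not VMware code and does not use the Orchestrator's API. It models both sides of that exchange with the standard library and shows what each Default Edge Authentication mode accepts. The local CA, the Edge identity EDGE-0001 carried in the CSR Common Name, and the rule that Certificate Acquire still accepts the pre-shared key until the Edge has a certificate are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthMode mirrors the three Default Edge Authentication options on the page.
type AuthMode int

const (
	CertificateDeactivated AuthMode = iota // pre-shared key only
	CertificateAcquire                     // Edge enrolls via CSR, then uses its certificate
	CertificateRequired                    // certificate mandatory; pre-shared key rejected
)

// NewEdgeKeyAndCSR is the Edge side of "Certificate Acquire": generate a key pair and a
// CSR. Carrying the Edge identity in the Common Name is an assumption of this example.
func NewEdgeKeyAndCSR(edgeID string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: edgeID}}, key)
	return key, csr, err
}

// OrchestratorCA stands in for the Orchestrator's certificate authority (example only).
type OrchestratorCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func NewOrchestratorCA() (*OrchestratorCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Orchestrator CA (example)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &OrchestratorCA{Cert: cert, key: key}, err
}

// Issue is the Orchestrator side: verify the CSR's self-signature (proof that the Edge
// holds the private key), then sign a client-authentication certificate for it.
func (ca *OrchestratorCA) Issue(csrDER []byte, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// Authenticate applies the selected mode to a connecting Edge. certDER is nil when the
// Edge presents no certificate and relies on its pre-shared key instead.
func (ca *OrchestratorCA) Authenticate(mode AuthMode, certDER []byte) error {
	if certDER == nil {
		if mode == CertificateRequired {
			return errors.New("certificate required; pre-shared key not accepted")
		}
		return nil // pre-shared key path: Deactivated, or Acquire before enrollment (assumption)
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err // fails for expired certificates or certificates from another CA
}

func main() {
	ca, _ := NewOrchestratorCA()
	_, csr, _ := NewEdgeKeyAndCSR("EDGE-0001") // constructed Edge identity
	cert, err := ca.Issue(csr, 90*24*time.Hour)
	fmt.Println("issued:", err == nil, "| Required with cert:", ca.Authenticate(CertificateRequired, cert),
		"| Required with PSK only:", ca.Authenticate(CertificateRequired, nil))
}
```

The check that matters on the Orchestrator side is csr.CheckSignature: it proves the requester holds the private key for the public key being certified, so the CA never needs to see that key. Switching a Customer to Certificate Required is the equivalent of the nil-certificate branch returning an error, which is why the page tells you to do it only after the Edges have enrolled.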
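To see how the Security Policy settings in step 4 interact, the following Go program (an added example, not VMware code) encodes the ranges and defaults documented on this page and audits a policy for values that are either invalid or weak, with a constructed weak policy beside the documented default. The ranges and the low-lifetime thresholds are those stated above; the "weak" judgements (MODP groups below 2048 bits, SHA 1) are the author's recommendations rather than limits the Orchestrator enforces, and the Release 5.2.0 requirement for groups 19 to 21 is reported as information because the program cannot see the Orchestrator version.

```go
package main

import "fmt"

// SecurityPolicy holds the Security Policy fields from the Customer Configuration page.
// PFS 0 means deactivated; Hash is only meaningful when TurnOffGCM is set.
type SecurityPolicy struct {
	TurnOffGCM       bool
	Hash             string // "SHA 1", "SHA 256", "SHA 384", "SHA 512"
	Encryption       string // "AES 128" or "AES 256"
	DHGroup          int
	PFS              int
	IPsecLifetimeMin int
	IKELifetimeMin   int
}

// DefaultSecurityPolicy returns the defaults documented on the page.
func DefaultSecurityPolicy() SecurityPolicy {
	return SecurityPolicy{Encryption: "AES 128", DHGroup: 14, PFS: 0, IPsecLifetimeMin: 480, IKELifetimeMin: 1440}
}

// Finding is one audit result. Level is "error" (value outside what the page says the
// Orchestrator accepts), "warn" (accepted but advised against) or "info".
type Finding struct {
	Level, Field, Message string
}

func (f Finding) String() string { return fmt.Sprintf("%-5s %s: %s", f.Level, f.Field, f.Message) }

var (
	supportedDH   = map[int]bool{2: true, 5: true, 14: true, 15: true, 16: true, 19: true, 20: true, 21: true}
	supportedPFS  = map[int]bool{0: true, 2: true, 5: true, 14: true, 15: true, 16: true}
	supportedHash = map[string]bool{"SHA 1": true, "SHA 256": true, "SHA 384": true, "SHA 512": true}
)

// AuditSecurityPolicy checks a policy against the page's ranges and flags weak choices.
func AuditSecurityPolicy(p SecurityPolicy) []Finding {
	var out []Finding
	add := func(level, field, msg string) { out = append(out, Finding{level, field, msg}) }

	switch {
	case p.TurnOffGCM && !supportedHash[p.Hash]:
		add("error", "Hash", "an authentication algorithm must be selected when GCM is turned off")
	case p.TurnOffGCM && p.Hash == "SHA 1":
		add("warn", "Hash", "SHA 1 is deprecated; prefer SHA 256 or stronger")
	case !p.TurnOffGCM && p.Hash != "":
		add("warn", "Hash", "ignored: AES-GCM already authenticates the VPN header")
	}
	if p.Encryption != "AES 128" && p.Encryption != "AES 256" {
		add("error", "Encryption", "must be AES 128 or AES 256")
	}
	if !supportedDH[p.DHGroup] {
		add("error", "DH Group", "supported groups are 2, 5, 14, 15, 16, 19, 20, 21")
	} else if p.DHGroup == 2 || p.DHGroup == 5 {
		add("warn", "DH Group", "MODP group below 2048 bits; group 14 is the recommended default")
	} else if p.DHGroup >= 19 {
		add("info", "DH Group", "elliptic-curve group; requires Release 5.2.0 or later")
	}
	if !supportedPFS[p.PFS] {
		add("error", "PFS", "supported levels are 2, 5, 14, 15, 16 (0 = deactivated)")
	} else if p.PFS == 2 || p.PFS == 5 {
		add("warn", "PFS", "MODP group below 2048 bits")
	}
	if p.IPsecLifetimeMin < 3 || p.IPsecLifetimeMin > 480 {
		add("error", "IPsec SA Lifetime", "valid range is 3 to 480 minutes")
	} else if p.IPsecLifetimeMin < 10 {
		add("warn", "IPsec SA Lifetime", "under 10 minutes; rekeys may interrupt traffic (debugging only)")
	}
	if p.IKELifetimeMin < 10 || p.IKELifetimeMin > 1440 {
		add("error", "IKE SA Lifetime", "valid range is 10 to 1440 minutes")
	} else if p.IKELifetimeMin < 30 {
		add("warn", "IKE SA Lifetime", "under 30 minutes; rekeys may interrupt traffic (debugging only)")
	}
	return out
}

// Count returns how many findings carry the given level.
func Count(fs []Finding, level string) int {
	n := 0
	for _, f := range fs {
		if f.Level == level {
			n++
		}
	}
	return n
}

func main() {
	// Constructed weak policy: GCM off with SHA 1, 1024-bit DH, 1536-bit PFS, debug-level lifetimes.
	weak := SecurityPolicy{TurnOffGCM: true, Hash: "SHA 1", Encryption: "AES 128",
		DHGroup: 2, PFS: 5, IPsecLifetimeMin: 5, IKELifetimeMin: 20}
	for _, p := range []SecurityPolicy{DefaultSecurityPolicy(), weak} {
		fs := AuditSecurityPolicy(p)
		fmt.Printf("%+v -> %d findings\n", p, len(fs))
		for _, f := range fs {
			fmt.Println("   ", f)
		}
	}
}
```

Run it before clicking Save Changes on a policy you did not author: the documented default produces no findings, while the constructed weak policy produces five warnings and no errors, which is exactly the case the Orchestrator will accept silently but that the notes on this page advise against.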