After creating a Customer, configure the feature options and settings that the Customer can access. As an Operator, you can choose the settings the Customer can modify.
When you create a new Customer, you are redirected to the Customer Configuration page, where you can configure the Customer settings. You can also navigate to the Customer Configuration page directly from the Operator portal, by following the steps below:
Procedure
- In the monitoring and configuration options page, select a Customer, and from the top header, click SD-WAN > Global Settings.
- From the left menu, click Customer Configuration. The following page is displayed:
The Service Configuration section includes the following services:
- SD-WAN
- Edge Intelligence
- Cloud Web Security
- Secure Access
- Cloud Hub
Click the Turn On button to activate each service. Click the vertical ellipsis present at the top right corner of each tile to turn off or configure that service. You can also use the Configure option present at the bottom right corner of each tile to configure the respective service. Each tile displays the configuration summary.
Note: When you select Turn off option, a pop-up window appears asking for your confirmation. Select the check box and click Turn Off Service.- SD-WAN: Clicking the Configure option displays the following pop-up window. Configure the settings, and then click Update.
Option Description Domain Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate VMware Edge Intelligence for the Customer. Default Edge Authentication Choose the default option to authenticate the Edges associated to the Customer, from the drop-down menu.
- Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
- Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the SASE Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SASE Orchestrator and for establishment of VCMP tunnels.
Note: After acquiring the certificate, the option can be updated to Certificate Required.
- Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property
edge.certificate.renewal.window
.
Edge Licensing The existing Edge Licenses are displayed. Click Add to add or remove the licenses. Note: The license types can be used on multiple Edges. It is recommended to provide your Customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing.Allow Customer to Manage Software Select the check box if you want to allow an Enterprise Superuser to manage the software images available for the Enterprise. For more information, see the topic Edge Image Management in the VMware SD-WAN Administration Guide. Operator Profile Select an Operator profile to be associated with the Customer from the available drop-down menu. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see Manage Operator Profiles Maximum Number of Segments Enter the maximum number of segments that can be configured. The valid range is 1 to 16.The default value is 16. - Edge Intelligence: Clicking the Configure option displays the following pop-up window. Configure the settings, and then click Update.
Note: You can select this option only when SD-WAN service is turned on.
Option Description Domain Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate VMware Edge Intelligence for the Customer. Analytics Nodes Enter the maximum number of Edges that can be provisioned as Analytics Nodes. By default, Unlimited is selected. Feature Access Select the Self Healing check box to allow the VMware Edge Intelligence to provide recommendations to improve performance. - Cloud Web Security: This service is available only when you select a Gateway Pool with an activated Cloud Web Security role. Cloud Web Security is a cloud hosted service that protects users and infrastructure accessing SaaS and Internet applications. For more information, see the VMware Cloud Web Security Configuration Guide. Clicking the Configure option displays the following pop-up window:
Select the required edition, and then click Update. Standard Edition includes URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, Inline CASB Visibility. Advanced Edition includes URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, Inline CASB Visibility and Controls, Inline DLP Visibility and Controls
- Secure Access: This service is available only when you select a Gateway Pool with an activated Cloud Web Security role. Secure Access solution combines the VMware SD-WAN and Workspace ONE services to provide a consistent, optimal, and secure cloud application access through a network of worldwide managed service nodes. For more information, see the VMware Secure Access Configuration Guide. Clicking the Configure option displays the following pop-up window:
Enter the maximum number of PoPs, and then click Update.
- Cloud Hub: This service allows you to access the MCS (Multi-Cloud Service) account. For more information, see the topic CloudHub Automated Deployment of NVA in Azure vWAN Hub in the VMware SD-WAN Administration Guide.
- Following are the additional configuration settings available on the Customer Configuration page:
Option Description Global User Agreement Display Select either of the following from the drop-down menu: - Inherit
- Override to Hide
- Override to Show
Note:This field is available only when the system propertysession.options.enableUserAgreements
is set to True.Feature Access Provides access to the selected features. Select one or more check boxes from the below list to activate these features for the Customer: - Enterprise Auth: By default, only the Operator can activate or deactivate two-factor authentication for an Enterprise. When you select this check box, the Enterprise Admins can configure the two-factor authentication on their own. This option also controls the activation and deactivation of Single Sign On (SSO).
- Enable Premium Service: This option is selected by default. Premium Service refers to the On-Demand Remediation feature that is a core part of SD-WAN's Dynamic Multipath Optimization (DMPO). DMPO is used for all traffic that traverses a VMware SD-WAN Gateway. When Premium Service is selected, the Gateway uses Forward Error Correction (FEC) for customer traffic impacted by high levels of WAN link jitter or loss, and which cannot be steered to a better quality WAN link. When Premium Service is not selected, traffic still traverses the VeloCloud Gateway and benefit from other components of DMPO like Continuous Monitoring, Dynamic Application Steering, and Secure Traffic Transmission. However, traffic impacted by high levels of WAN link jitter or loss does not benefit from error correction by the Gateway. For more information, see the topic Dynamic Multipath Optimization (DMPO) in the VMware SD-WAN Administration Guide.
- Role Customization: Allows an Enterprise Super user to customize the role privileges for other Enterprise users.
- Route Backtracking: Allows the device to choose the best route in the order of prefix length.
- In-product Contextual Help Panel: Provides access to the 'In Product Help' panel integrated within the Orchestrator. This feature is deactivated by default. An Operator must activate this option for the Enterprise Customers.
- Enable Firewall Logging to Orchestrator: By default, Edges cannot send their Firewall logs to the Orchestrator. Select this check box to allow an Edge to send the Firewall logs to the Orchestrator.
- Customizable QoE: Allows the Customer to configure the minimum and maximum latency threshold values for Voice, Video, and Transactional application categories of an Edge.
- Enable Classic Orchestrator UI: Allows the Customer to switch from the Angular Orchestrator UI to the Classic Orchestrator UI. This option is available only when the system property
session.options.enableClassicOrchestrator
is set to True.
Delegate Management To Customer Allows the Customer to modify the settings of the selected property. Following two properties are always visible to the Customers: - Enable CoS Mapping: Allows to configure CoS mapping while configuring a business policy.
- Enable Service Rate Limiting: Allows to rate limit services in a business policy.
Gateway Pool Current Gateway Pool Displays the current Gateway pool associated with the selected Customer. If required, you can choose a different Gateway pool available in the drop-down menu and click Save Changes. Gateways in this Pool Displays the Gateway details in the current pool. Partner Hand Off Activating the Gateway Pool option displays the Configure Hand Off section. If the Gateways available in the Gateway pool have been assigned with Partner Gateway role, you can handoff the Gateways to Partners. For details, see Configure Partner Handoff. Security Policy Hash By default, there is no authentication algorithm configured for the VPN header as AES-GCM is an authenticated encryption algorithm. When you select the Turn off GCM check box, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down menu: - SHA 1
- SHA 256
- SHA 384
- SHA 512
Encryption Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128. DH Group Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, 16, 19, 20, and 21. Note:- DH Groups 19, 20, and 21 are available starting from Release 5.2.0.
- It is recommended to use DH Group 14, which is the default value.
PFS Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS Groups are 2, 5, 14, 15, 16, 19, 20, and 21. PFS Groups 19, 20, and 21 are available starting in Relase 5.2.0. By default, PFS is deactivated. Turn off GCM Select this check box to activate Hash and select an authentication algorithm for the VPN header. IPSec SA Lifetime Time(min) Time when Internet Security Protocol (IPSec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and maximum IPsec lifetime is 480 minutes. The default value is 480 minutes. Note: It is not recommended to configure low lifetime value for IPsec (less than 10 minutes), as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.IKE SA Lifetime(min) Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes. Note: It is not recommended to configure low lifetime values IKE (less than 30 minutes), as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.Secure Default Route Override Select the check box so that the destination of traffic matching a secure default route (either Static Route or BGP Route) from a Partner Gateway can be overridden using Business Policy. Edge Network Function Virtualization: Allows to activate NFV on the Edges and allows Customers to deploy third party VNFs on service ready Edge platforms. Currently, the service ready Edge platform models are 520v and 840. As an Operator User, when you activate the Edge NFV, the Customers can configure and deploy VNFs and VNF licenses from their network services. Edge NFV Select this option to activate the ability to deploy VNFs on Edges. After deploying one or more VNFs on Edges, you cannot deactivate this option. Security VNFs Select the relevant check boxes, to deploy the corresponding security VNFs on Edges. For more information, see the topic Security VNFs in the VMware SD-WAN Administration Guide. SD-WAN Settings OFC Cost Calculation Select the required check box: - Distributed Cost Calculation: Select this check box to delegate route cost calculation to Edges/Gateways.
Note: This option is available only for the Edges/Gateways with version 3.4.0 and later. After activating Distributed Cost Calculation, it is recommended to refresh the routes by navigating to Configure > Overlay Flow Control in the SD-WAN service of the Enterprise portal. For more information, see Configure Distributed Cost Calculation.
- Use NSD Policy: Select this check box to use NSD policy for route cost calculation to Edges/Gateways.
Note: This option is available only for the Edges/Gateways with version 4.2.0 and later.
Multiple-DSCP tags per Flow Path Calculation This feature is used when the original user traffic is encapsulated in another tunnel (GRE/IPsec) and the DSCP labels are saved in the new IP header. The feature activates path calculation for a single flow (same source/destination) with multiple DSCP tags and offers path differentiations based on the DSCP values in the flow. Select the Include DSCP value as part of flow lookup check box to include DSCP values as part of flow look-up and path calculation. For more information, see Configure Path Calculation with Multiple DSCP Labels per Flow.
Note: This field is available only when the system propertysession.options.enableFlowParametersConfig
is set to True.Feature Access Stateful Firewall Select the Stateful Firewall check box to override the Stateful Firewall settings activated on the Enterprise Edge. Enhanced Firewall Services Select the Enhanced Firewall Services check box to activate the Enhanced Firewall Services using the Firewall functionality in VMware SASE Orchestrator. Note: For Enhanced Firewall Services (EFS) to work, ensure the Edge version is upgraded to 5.2.0.0.Note: Unselecting this option will only deactivate the EFS feature in the UI. To deactivate the EFS feature for an existing customer, you must first deactivate the EFS feature in the SD-WAN service of the Enterprise portal by navigating to Configure > Profiles/Edges > Firewall > Firewall Feature Control > Enhanced Security and then by unselecting this check box in Global Settings.For more information about configuring the various Enhanced Security Services and associating to a Firewall rule, see the topic Configure Enhanced Security Services in the VMware SD-WAN Administration Guide. - Click Save Changes.
Note: When you modify the Security Policy settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.