This section covers the Secure Access Service option found at either the Profile or Edge level: where the option is located, what the option does, and which customers should turn it on or leave it off.
Secure Access Service
The Secure Access Service option can be turned on at either the Profile or Edge level by navigating to Configure > Device > Configure Segments. When Secure Access Service is set to On, the Edge builds tunnels to all Secure Access Gateways.
By default, the Edge only builds tunnels to the Primary, Secondary, and Super Gateways based on the geolocation of the Edge. These Gateways can be different from the Gateways in use for Secure Access. For example, if an Edge located in Japan builds a tunnel to the Tokyo PoP, by default it does not build a tunnel to the New York PoP even though the New York PoP is where VMware Secure Access is being used.
The Secure Access Service option is recommended for customer sites with two exceptions:
- A customer site has no applications on their premises that need to be accessed by users at other locations.
- Turning on the Secure Access Service option incurs an additional five tunnels to be built which could exceed the tunnel capacity for entry level Edge models like the 510, 610, and 620. Usually a site with a lower-end Edge will have no applications that need to be accessed by other users and the option can safely be left off. The primary use case for this option is Hub Edge locations where on-premises applications usually reside. Hub Edges are usually higher-end models that can handle the additional five tunnels that are built when this option is on.
