Contact addresses, Location elements, and NAT

A Contact Address is the translated address through which a component is reached when NAT sits between it and the component contacting it. A Location element groups components between which there is no NAT, so that they can reach each other on their untranslated addresses.

You can specify an IP address or a Fully Qualified Domain Name (FQDN) as the Contact Address that the Secure SD-WAN engine uses to reach the SMC Management Server or Log Server. If you specify an FQDN, you must also specify a DNS server in the engine configuration; the engine uses it to resolve the server host name to its IP address.
Note: An FQDN can resolve to an IPv4 or an IPv6 address. If it resolves to multiple addresses, the engine tries all of them and uses the first one that works.

Contact Addresses are defined per Location element. Placing components in the same Location tells them that there is no NAT device between them.

The SMC components on each side of a NAT device are grouped into two separate Location elements (more Location elements can be used if necessary). In each element's properties, a Contact Address is defined for the other Location. A contacting component then chooses the address to use in the following order:
1. If the other component is in the contacting component's own Location, the untranslated address is always used.
2. Otherwise, if the other component has a Contact Address defined for the contacting component's Location, that Contact Address is used.
3. Otherwise, if the other component has a Default Contact Address (the address components in any other Location use to reach it), the Default Contact Address is used.
4. Otherwise, the connection is attempted using the other component's untranslated address.

For example, when a Management Server contacts an engine node through NAT, the Management Server uses the engine node's Contact Address instead of its real Control IP address. The NAT device in between translates the Contact Address to the engine's real IP address as usual.
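The selection order above, together with the FQDN behaviour from the note earlier on this page, modelled as a small Python program. This is an added illustration, not Forcepoint code or part of the original documentation: the element names, the Location names HQ and Branch, the IP addresses and the tiny DNS table are all constructed for the example, and the "connection attempt" is a stand-in callback rather than a real socket.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Element:
    """An SMC component (Management Server, Log Server, engine) as its peers see it."""
    name: str
    location: str                          # the Location element it belongs to
    address: str                           # untranslated (real) control IP address
    default_contact: Optional[str] = None  # Default Contact Address, if one is defined
    # Location of the contacting component -> Contact Address to use from there
    contact_by_location: Dict[str, str] = field(default_factory=dict)


def select_contact_address(src: Element, dst: Element) -> str:
    """Return the address src uses to reach dst, following the documented order."""
    if src.location == dst.location:
        # Same Location: no NAT between them, always the untranslated address.
        return dst.address
    if src.location in dst.contact_by_location:
        # Contact Address defined on dst specifically for src's Location.
        return dst.contact_by_location[src.location]
    if dst.default_contact:
        # Default Contact Address, used by components in any other Location.
        return dst.default_contact
    # Nothing defined for this direction: fall back to the untranslated address.
    return dst.address


# Constructed stand-in for the DNS server configured on the engine (hypothetical name).
FAKE_DNS: Dict[str, List[str]] = {
    "smc.example.net": ["198.51.100.10", "2001:db8::10", "198.51.100.11"],
}


def resolve_candidates(contact: str) -> List[str]:
    """An IP literal is used as-is; an FQDN yields every IPv4/IPv6 address it resolves to."""
    try:
        ipaddress.ip_address(contact)
        return [contact]
    except ValueError:
        return list(FAKE_DNS.get(contact, []))


def first_working_address(contact: str, try_connect: Callable[[str], bool]) -> Optional[str]:
    """Try each resolved address in order and return the first one that connects."""
    for addr in resolve_candidates(contact):
        if try_connect(addr):
            return addr
    return None


# Constructed topology: Management Server and Log Server at HQ, one engine behind NAT at a branch.
MGMT = Element("Management Server", "HQ", "10.0.0.5", default_contact="smc.example.net")
LOG = Element("Log Server", "HQ", "10.0.0.6")
ENGINE = Element("Branch engine", "Branch", "192.168.1.1",
                 contact_by_location={"HQ": "203.0.113.5"})


def only_third_answers(addr: str) -> bool:
    """Constructed connection attempt: the first two resolved addresses fail."""
    return addr == "198.51.100.11"


def demo() -> Dict[str, Optional[str]]:
    return {
        "mgmt->engine": select_contact_address(MGMT, ENGINE),   # HQ-specific Contact Address
        "log->mgmt": select_contact_address(LOG, MGMT),         # same Location: untranslated
        "engine->log": select_contact_address(ENGINE, LOG),     # nothing defined: untranslated
        "engine->mgmt": first_working_address(                  # Default Contact Address is an FQDN
            select_contact_address(ENGINE, MGMT), only_third_answers),
    }


if __name__ == "__main__":
    for pair, chosen in demo().items():
        print(f"{pair}: {chosen}")
```

The engine-to-Log Server case is the one worth noticing: with no Contact Address defined on the Log Server for the Branch Location, the engine falls through to the Log Server's untranslated 10.0.0.6, which will not be routable from behind the branch NAT. That is the situation the Location and Contact Address configuration is meant to prevent.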

We recommend dividing elements into Locations based on where NAT is applied and on which components communicate with each other, not simply on physical sites. For example, you might have one central site and several remote sites, where system communications take place only between each remote site and the central site (never between the remote sites). In this case only two Locations are needed, no matter how many engines are reached through a translated address.
Note: If NAT is performed between a Log Server and a Management Client, you might also need to select the correct Location for the Management Client.