Hi @lienmonden ,
There are two ways of deploying this, Lets assume you have Site A and Site B.
Type 1.
Run Site to Site VPN between the two Sites and NAT internal IP of SZ's and AP's so that their subnets are reachable across the Sites, Firewall Rules has to be configured accordingly.
Type - 2
1. Nat SZ/vSZ Internal IP on the Site 'A' Firewall's Public IP so that it could be reached on the Internet, you have to open ports for AP-Controller communication mentioned in Admin Guide.
2. Now, you should be able to access vSZ using the Public IP A.A.A.A, on the Site 'B' Firewall you have to open ports for AP-Controller Communication mentioned in Admin Guide.
3. For this to work seamlessly you should configure rules on both Site's Firewall so that there are no reachability issues.
In both these methods you don't have to configure NAT IP on the SZ/VSZ. If you have AP's deployed in the same site as vSZ/SZ you have to direct the AP to reach SZ/VSZ internal IP.
When Onboarding each site you have to configure rules on both Firewall's so there aren't any connectivity issues between each site.
There is lot of work that needs to be done on the firewall, just to hide your vSZ's internal IP on the AP and you should watch the latency too so that AP's don't lose any heart beats.
In your setup please check the connectivity of the vSZ from remote site by removing the NAT IP on the vSZ, if you don't set correct configurations on the firewall you may have connectivity issues.
I currently use Type 1 as I have few APs (less than 100) on the remote Sites.
Hope it helps!!!
May the One Force be with You!!!
Regards,
Abilash
