Client configuration, Client access, Authentication – Google Networking Best Practices for Large Deployments User Manual
Page 11: Client access authentication
Network Action Checklist
If it’s not feasible to use a DNS resolver that’s close to the user, use a DNS server that
supports the edns-client-subnet extension, which allows the resolver to pass part of the
client’s IP address.
Adhere to the advertised TTL value for all DNS record types.
Set up firewall rules to allow unrestricted outbound HTTPS traffic to Google Apps. You do
not need to set up special rules for inbound traffic; Google Apps does not generally initiate
inbound traffic to users.
Avoid routing inbound and outbound mail through a gateway inside your network. If
inbound and outbound mail is routed to a gateway inside your network, mail traffic will
consume unnecessary network resources.
For more information on network services, see “Other Network Services” on page 28.
Client Configuration
After your network is configured, prepare your user environment to work with Google Apps.
This can include setting up clients, SSO authentication, and user data migration.
Client Access
When planning for clients that will connect to Google Apps, consider the following:
Suggested browsers for your Google Apps users include Google Chrome, Mozilla Firefox,
Microsoft Internet Explorer, and Apple Safari. Install and enable one of these browsers if
your users currently have legacy browsers. Modern browsers provide a better user
experience by improving the speed at which web pages are rendered.
Consider the use of Android or ActiveSync mobile devices instead of BlackBerry devices.
BlackBerry Enterprise Services can consume resources on your network.
For more information on setting up client environments, see “Client Access” on page 33.
Authentication
If you plan to set up Single Sign-On (SSO) authentication, consider the following:
Set up SSO servers in distributed network locations, rather than a central location.
Implement your SSO server together with your VPN servers, to avoid routing
authentication traffic of VPN-connected users to a different location.
Set up internal DNS servers to redirect SSO traffic to the nearest SSO server, and ensure
that alternate SSO servers are in place for redundant service in case of disruptions that
prevent users from accessing the SSO server in a particular location.
For more information on SSO Authentication, see “Authentication” on page 36.