Hi Ahmed,
In a controller-based solution, tunneled mode is recommended. For redundancy, add a second controller.
RAP operational mode "persistent" is only supported in bridge mode, so the client traffic is routed directly into the LAN on the access point interface and does not pass the central firewall of the controller, and is therefore less secure. Bridge mode doesn't work if you use a captive portal on your SSID.
If you have instant (or unify) access points, you can run without a physical controller, also known as an instant solution that runs a virtual controller on the AP.