Customer Portal Getting Started

Congratulations on choosing CSO for Contrail SD-WAN, Hybrid WAN, SD-LAN, and NFV lifecycle management. This guide is designed to help you quickly learn the basics of the Contrail Service Orchestration Customer Portal (CP).

1Customer Portal Capabilities

The CP is designed to perform a number of tasks, including:

  • Add, manage, and maintain individual tenant sites in the service provider cloud and on-premise.

  • Monitor alerts, alarms, device events, security events, link-switch events, and more.

  • Manage existing CPE devices and software images.

  • Add, manage and maintain device policies and virtual network services.

  • Add security and SD-WAN reports.

  • Manage tenant-level and site-level users.

With these capabilities you can add and manage all elements of CSO tenant sites and the devices dedicated to those sites. With RBAC control, sites and devices belonging to one tenant cannot be seen by other tenants or customers.

2Administration in the Customer Portal

The following tasks describe administration-related functions that can be performed in the Customer Portal.

1Add Users

A Tenant Administrator can add Tenant Users to the tenant. These users can be Operator or Administrator users for this tenant. The following task describes the procedure.

  1. Click Administration > Users

    The Add Tenant User page appears as shown in Figure 1.

    Figure 1: Add Tenant User Workflow

    Add Tenant User Workflow
  2. Fill out the required information including whether the new user is an Operator or an Administrator.
  3. Click OK when finished.

    If you leave the user status as Enabled, an email is sent from CSO to the user informing them that their account was created and giving them a Set your password link that they can click to set their own password on CSO.

2Roles

CSO uses Role-Based Access Control (RBAC) to isolate control of certain features to specific roles (groups of users). The following task describes how to add a custom role to your tenant.

  1. Click Administration > Roles.

    The Roles page appears as shown in Figure 2.

    Figure 2: Roles Page

    Roles Page
  2. Click the add icon (+).

    The Add Role page appears

    Figure 3: Add Role

    Add Role
  3. Specify the details for the role.

    Pay particular attention to the Access Privileges. There are six sections of access privileges:

    • Monitor

    • Resources

    • Configuration

    • Sites

    • Reports

    • Administration

    All sections appear collapsed at first. You can expand the sections by clicking the > next to the desired section. This expands the capabilities within that section as shown in Figure 3. For more information regarding Roles and their abilities, see Adding User-Defined Roles for Tenant Users

  4. Click OK.

    A status message appears about the new role.

3Upload Device Licenses

To upload a license:

  1. Click Administration > Licenses > Device Licences.

    The License Files page appears.

  2. Click the add button (+).

    The Add License page appears as shown in Figure 4

    Figure 4: Add-License

    Add-License
  3. Click the Browse button and locate the license file.

    (Optional) Add a description for this particular license file.

  4. Click OK.
  5. The newly added license appears in the list of device licenses.

4Push Device Licenses

To push a license to a device:

  1. Click Administration > Licenses > Device Licences.

    The License Files page appears.

  2. Click the checkbox next to the license file you want to push to the device(s).
  3. Click the Push License pull-down menu and select Push.

    The Push License window appears as shown in Figure 5.

    Figure 5: Push Device License

    Push Device License

    This window shows all devices on which the license is already deployed. If it is not installed on any devices, an X is shown in the installed column.

  4. Select the checkboxes next to the device or devices to which you want to push the license.

    A job status notification appears. Another notification will alert you when the job is complete.

3Resource Management in the Customer Portal

The following tasks describe the resource management functions that can be performed in the Customer Portal.

1Add Provider Hub Device

Note In cloud-hosted versions of CSO, tenant administrators can add data-only provider hubs to their sites from a list of provider hubs assigned to a particular POP. For tenants assigned directly to Juniper (the cspadmin), the provider hub devices must first be added to a POP by Juniper. For tenants of an OpCo, the provider hub devices can be added either by Juniper or by the OpCo administrator.

To add a provider hub site:

  1. Select Resources > Site Management
  2. Click the Add pull-down menu and select Add Provider Hub

    The Add Provider Hub for Site Name page appears as shown in Figure 6.

    Figure 6: Add Provider Hub

    Add Provider Hub
  3. Select a POP

    Selecting a POP populates the Hub Device Name pull-down menu with the names of provider hub devices available in that POP.

  4. Select a Provider Hub device

    Note If no devices are shown on the pull-down menu, contact your Juniper account manager or your OpCo administrator.

  5. Click OK when finished.

    An add job message appears followed by a success or failure message for the device add job.

2Add an On-Premise Spoke Site (Manual)

This task describes how to add an on-premise site. You can add two types of on-premise sites—On-Premise Spoke and Enterprise Hub. An On-premise spoke site can be added manually or with the use of a template that was previously added from the Site Templates page.

To add an on-premise site:

  1. Click Resources > Site Management.

    The Sites page appears. Any sites that already exist are listed on this page.

  2. Click Add > On-Premise Spoke (Manual).

    The Add On-Premise Spoke Site for Tenant-Name page appears.

  3. Specify the configuration for the on-premise site until you reach the configuration summary.

    As shown in Figure 7, the summary page shows all of the configuration that was entered for the on-premise site.

    Figure 7: Add On-Premise Spoke Summary Page

    Add On-Premise Spoke Summary Page
  4. Click OK.

    The status of the add operation is displayed.

3Add a Site Template

The following task describes how to add a site template.

  1. Click Resources > Site Templates

    The Site Templates page appears.

  2. Click the large Add icon (+)

    The Add Site Template for Tenant Name appears and starts the process at the General tab.

  3. Fill out the information on the General part of the form as shown in Figure 8

    Figure 8: Add Site Template - General

    Add Site Template - General
  4. Click Next

    The page advances to WAN configuration form as shown in Figure 9.

    Figure 9: Add Site Template - WAN

    Add Site Template - WAN
  5. Fill out the information on the WAN form

    Required field names are marked with an asterisk (*). You must select at least one item from the Site Capabilities section.

  6. Click Next

    The page advances to LAN configuration form, as shown in Figure 10, if your tenant has LAN services available. If not, the LAN configuration section is automatically bypassed and the page advances to the Summary form.

    Figure 10: Add Site Template - LAN

    Add Site Template - LAN
  7. (Optional) Fill out the LAN form
  8. Click Next

    The page advances to Summary

  9. Review the summary page
  10. Click Save

4Add an On-premise Spoke Site using a Site Template

The following task describes how to add an on-premise spoke site by using a previously-defined site template.

  1. Click Resources > Site Management

    The Site page appears. Any sites that already exist are listed on this page.

  2. Click on the Add pull-down menu and select On-premise Spoke Site (Using Template)

    The Add On-Premise Spoke Site page appears with large icons depicting the available templates as shown in Figure 11.

    Figure 11: Add Site Using Template

    Add Site Using Template
  3. Click the desired template icon or icons.
  4. Click Continue

    The page changes and requests Site Data

    You can upload the site data from a JSON file or add the site data manually by filling in the fields that were left blank in the template.

  5. Click the Add Manually radio button

    The page changes to reveal site configuration information.

  6. Complete the required fields (marked by *)
  7. Click Save

    Site add job notifications appear as the job is started and when completed (success or failure).

5Add a Cloud Spoke Site

The following task describes how to add a cloud spoke site.

Note Adding a cloud spoke site requires that you have an Amazon Web Services (AWS) virtual private cloud (VPC) in place with the following elements:

  • 2 available elastic IP addresses in the AWS VPC.

  • 4 available subnets in the AWS VPC.

  1. Navigate to Resources > Site Management

    The Sites page appears. Any sites that already exist are listed on this page

  2. From the Add pull-down menu, select Add Cloud Spoke

    The Add On-Premise Spoke Site for Tenant-Name window appears.

  3. Complete the configuration settings.

    Note Fields marked with an asterisk (*) are mandatory and include configuration information regarding the AWS VPC.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    The status of the add operation is displayed.

6Add Enterprise Hub

This task describes how to add an Enterprise Hub

To add an Enterprise Hub:

Note You can add Enterprise Hub sites only for tenants with real-time optimized SD-WAN mode.

  1. Click Resources > Site Management.

    The Sites page appears. Any sites that already exist are listed on this page.

  2. Click the Add pull-down menu and select Enterprise Hub.

    The Add Enterprise Hub for Tenant-Name page appears as shown in Figure 12.

    Figure 12: Add Enterprise Hub

    Add Enterprise Hub
  3. Complete the configuration settings.

    Note Fields marked with an asterisk (*) are mandatory.

  4. (Optional) You can review the configuration in the Summary tab and modify the settings, if required.
  5. Click OK.

    You are returned to the Sites page and a message indicating that the site creation job was triggered is displayed. You can click the job ID link to view the progress of the job. After the job is completed successfully, a confirmation message is displayed and the site that you added is displayed on the Sites page.

7Deploy and Start Network Services

To deploy network services:

  1. Click Resources > Site Management.

    The Sites page appears.

  2. Click the name of the site for which you want to deploy network services.

    Note The site must have an NFX Series device as a CPE so that network services can be deployed.

    The Site-Name page appears.

  3. In the Services tab, click View Services.

    The Deploy Network Services pane appears on the right side of the page.

  4. Select a service and an attachment point. Alternatively, drag and drop a service on to an attachment point.

    The Deploy Network Service: Site-Name page appears.

  5. Specify the parameters for the service that you want to deploy.
  6. Click Deploy to deploy the service.

    The status of the deploy operation is displayed.

  7. Select the deployed service and click Start Service.

    The status of the service is displayed.

4Power on the CPE Device (On-Premise Sites)

Power on the new CPE device and then enter the activation code. You can enter the activation code either from the Customer Portal or on the device.

5Add and Deploy Policies

The following tasks describe how to add, view, manage, and deploy policies.

1Add and Deploy an Intent-based Firewall Policy

Intent-based firewall policies can control traffic in a number of ways:

  • Between security zones such as trust and untrust.

  • Between departments such as marketing and accounting.

  • Between specific addresses or address groups

  • Between sites or site groups belonging to the same tenant

  • Combinations of the above options

Additional options for the sources and destinations

To add an intent-based firewall policy:

  1. Prepare the endpoints that you want to use in the firewall policy:
    • Source endpoints can be IP addresses, IP address groups, sites, site groups, or departments

    • Destination endpoints can be IP addresses, IP address groups, sites, site groups, departments, Layer 7 (L7) applications, or services.

  2. Add one or more firewall intents (by using the available endpoints):
    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page is displayed.

    2. Click the add (+) icon.
    3. Specify the parameters for the firewall intent.

      Best Practice In order for CSO to receive security monitoring data, we recommend that you enable Logging on all firewall policies.

    4. Click Save.

      The status of the save operation is displayed.

  3. Deploy the firewall policy:
    1. Click Configuration > Firewall > Firewall Policy.

      The Firewall Policy page is displayed.

    2. Click the Deploy button to deploy the firewall policy.

      The Deploy page is displayed.

    3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
    4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

2Add and Deploy an SD-WAN Policy

To add and deploy an SD-WAN policy intent:

  1. Prepare the endpoints that you want to use in the SD-WAN policy:
    • Source endpoints can be sites, site groups, or departments

    • Destination endpoints can be applications or application groups

  2. Add an SD-WAN policy intent and associate it with the SLA profile:
    1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

    2. Click the add (+) icon.
    3. Specify the parameters for the SD-WAN policy intent.
    4. Click Save.

      The status of the save operation is displayed.

  3. Deploy the SD-WAN policy intent:
    1. Click Configuration > SD-WAN > SD-WAN Policy.

      The SD-WAN Policy page appears.

    2. Click the Deploy button to deploy the policy intent.

      The Deploy page is displayed.

    3. Specify whether you want to deploy the policy immediately or schedule the deployment for later.
    4. Click Deploy.

      The status of the deployment operation is displayed.

      The Deployments page (Configuration > Deployments) displays the information about all deployments.

3Add a Breakout Profile

To Add a Breakout Profile:

  1. Click Configuration > SD-WAN > Breakout Profiles.

    The Breakout Profiles page appears

    Note You must have at least one Traffic Type Profile in the enabled state to complete the rest of this procedure. Traffic type profiles are managed by the SP administrator in the Administration Portal.

  2. Click the + button.

    The Add Breakout Profile page appears

  3. Specify the parameters for the Breakout Profile.
  4. (Optional) Set Advanced Configuration Parameters for Rate Limiting
  5. Click OK

4Create NAT Policy

  1. Click Configuration > NAT > NAT Policies.

    The NAT Policies page appears.

  2. Click the + button.

    The Create NAT Policy page appears.

  3. Give the policy a name
  4. In the Sites Applied On section, select the check-box next to all sites on which you want to apply this policy.

    Note The Sites Applied On list only shows active sites for this tenant. You must activate at least one site in order to create a NAT policy.

  5. Click the Right Arrow button between the Available and Selected sites lists.

    Any site checked in the available list moves to the selected list.

  6. Click OK

    The new policy now shows in the list of policies.

5Create and Deploy a NAT Policy Rule

To view and manage a NAT policy:

  1. Prepare the endpoints that you want to use in the NAT policy:
    • Source endpoints can be IPv4/IPv6 addresses, or port numbers

    • Destination endpoints can be IPv4/IPv6 addresses, or port numbers

  2. Create a NAT policy rule:
    1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears, displaying the existing NAT policies.

    2. Click the name of the NAT policy for which you want to create rules. Alternately, you can click on the number or the Add Rule link listed under Rules against a NAT policy.

      The Single NAT Policy page appears.

    3. Click Create and select either Source, Static, or Destination. The page displays fields for creating a NAT rule.
    4. Specify the parameters for NAT rules.
    5. Click OK

      The status of the create operation is displayed.

  3. Create NAT pools:
    1. Select Configuration > NAT > Pools.

      The NAT Pools page appears.

    2. Click the add icon (+).

      The Create NAT Pool page displays fields required for creating and configuring a NAT pool.

    3. Specify the parameters for NAT pools.
    4. Click OK.

      The status of the create operation is displayed.

  4. Deploy the NAT policy:
    1. Select Configuration > NAT > NAT Policies.

      The NAT Policies page appears.

    2. Click on the NAT policy that you want to deploy.

      The NAT policy rules page appears.

    3. Select one or more NAT policy rules, and click Deploy.

      Note Even though you select one or more NAT policy rules, when you click Deploy, all NAT policy rules that are associated with the NAT policy are deployed.

      The status of the deployment operation is displayed.

Previous TaskNext Task